monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use version from ConfusedBy attribute on module/asm to narrow down the detected version

Browse Source
This commit is contained in:
de4dot 2012-08-16 01:12:10 +02:00
parent 9e4fa4511b
commit 6bf54bbae2
2 changed files with 42 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
de4dot.code/deobfuscators/Confuser/Deobfuscator.cs
View File

@ -69,6 +69,7 @@ namespace de4dot.code.deobfuscators.Confuser {
class Deobfuscator : DeobfuscatorBase {
Options options;
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
Version approxVersion;
List<EmbeddedAssemblyInfo> embeddedAssemblyInfos = new List<EmbeddedAssemblyInfo>();
JitMethodsDecrypter jitMethodsDecrypter;
@ -149,6 +150,7 @@ namespace de4dot.code.deobfuscators.Confuser {
}
protected override void scanForObfuscator() {
removeObfuscatorAttribute();
jitMethodsDecrypter = new JitMethodsDecrypter(module, DeobfuscatedFile);
try {
jitMethodsDecrypter.find();
@ -215,6 +217,7 @@ namespace de4dot.code.deobfuscators.Confuser {
obfuscatorName = string.Format("{0} {1}", DeobfuscatorInfo.THE_NAME, versionString);
}
const bool useAttributeVersion = true;
string getVersionString() {
var versionProviders = new IVersionProvider[] {
jitMethodsDecrypter,
@ -243,6 +246,8 @@ namespace de4dot.code.deobfuscators.Confuser {
vd.addRevs(minRev, maxRev);
}
}
if (useAttributeVersion)
vd.setVersion(approxVersion);
return vd.getVersionString();
}
@ -332,6 +337,7 @@ namespace de4dot.code.deobfuscators.Confuser {
newOne.ModuleBytes = ModuleBytes;
newOne.embeddedAssemblyInfos.AddRange(embeddedAssemblyInfos);
newOne.setModule(module);
newOne.removeObfuscatorAttribute();
newOne.jitMethodsDecrypter = hasUnpacked ? new JitMethodsDecrypter(module, DeobfuscatedFile) :
new JitMethodsDecrypter(module, DeobfuscatedFile, jitMethodsDecrypter);
if ((newOne.decryptState & DecryptState.CanDecryptMethods) != 0) {
@ -359,7 +365,6 @@ namespace de4dot.code.deobfuscators.Confuser {
Log.v("Detected {0}", obfuscatorName);
removeObfuscatorAttribute();
initializeConstantsDecrypterV18();
initializeConstantsDecrypterV17();
initializeConstantsDecrypterV15();
@ -539,11 +544,27 @@ namespace de4dot.code.deobfuscators.Confuser {
void removeObfuscatorAttribute() {
foreach (var type in module.Types) {
if (type.FullName == "ConfusedByAttribute")
if (type.FullName == "ConfusedByAttribute") {
setConfuserVersion(type);
addAttributeToBeRemoved(type, "Obfuscator attribute");
break;
}
}
}
void setConfuserVersion(TypeDefinition type) {
var s = DotNetUtils.getCustomArgAsString(getModuleAttribute(type) ?? getAssemblyAttribute(type), 0);
if (s == null)
return;
var val = System.Text.RegularExpressions.Regex.Match(s, @"^Confuser v(\d+)\.(\d+)\.(\d+)\.(\d+)$");
if (val.Groups.Count < 5)
return;
approxVersion = new Version(int.Parse(val.Groups[1].ToString()),
int.Parse(val.Groups[2].ToString()),
int.Parse(val.Groups[3].ToString()),
int.Parse(val.Groups[4].ToString()));
}
public override void deobfuscateMethodEnd(Blocks blocks) {
if (proxyCallFixer != null)
proxyCallFixer.deobfuscate(blocks);

19
de4dot.code/deobfuscators/Confuser/VersionDetector.cs
View File

@ -87,6 +87,25 @@ namespace de4dot.code.deobfuscators.Confuser {
maxRev = max;
}
public void setVersion(Version version) {
if (version == null)
return;
int minRev = int.MaxValue, maxRev = int.MinValue;
foreach (var kv in revToVersion) {
if (kv.Value.Major != version.Major || kv.Value.Minor != version.Minor)
continue;
if (minRev > kv.Key)
minRev = kv.Key;
if (maxRev < kv.Key)
maxRev = kv.Key;
}
if (minRev == int.MaxValue)
return;
if (maxRev == revs[revs.Length - 1])
maxRev = int.MaxValue;
addRevs(minRev, maxRev);
}
public string getVersionString() {
if (minRev > maxRev || minRev < 0)
return null;