monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add support for Confuser 1.5 r60785 constants encrypter (normal mode)

Browse Source
This commit is contained in:
de4dot 2012-08-01 22:38:54 +02:00
parent d888ffd8e5
commit 6e262eb621
4 changed files with 386 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
de4dot.code/de4dot.code.csproj
View File

@ -71,6 +71,7 @@
<Compile Include="deobfuscators\Confuser\AntiDumping.cs" />
<Compile Include="deobfuscators\Confuser\ConfuserUtils.cs" />
<Compile Include="deobfuscators\Confuser\ConstantsDecrypter.cs" />
<Compile Include="deobfuscators\Confuser\ConstantsDecrypterV15.cs" />
<Compile Include="deobfuscators\Confuser\ConstantsFolder.cs" />
<Compile Include="deobfuscators\Confuser\ConstantsInliner.cs" />
<Compile Include="deobfuscators\Confuser\Deobfuscator.cs" />

10
de4dot.code/deobfuscators/Confuser/ConfuserUtils.cs
View File

@ -34,6 +34,16 @@ namespace de4dot.code.deobfuscators.Confuser {
return -1;
}
public static int findCallMethod(IList<Instr> instrs, int index, Code callCode, string methodFullName) {
for (int i = index; i < instrs.Count; i++) {
if (!isCallMethod(instrs[i].Instruction, callCode, methodFullName))
continue;
return i;
}
return -1;
}
public static bool isCallMethod(Instruction instr, Code callCode, string methodFullName) {
if (instr.OpCode.Code != callCode)
return false;

330
de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV15.cs Normal file
View File

@ -0,0 +1,330 @@
/*
Copyright (C) 2011-2012 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Confuser {
class ConstantsDecrypterV15 {
ModuleDefinition module;
ISimpleDeobfuscator simpleDeobfuscator;
MethodDefinition decryptMethod;
EmbeddedResource resource;
uint key0, key1, key2, key3;
byte doubleType, singleType, int32Type, int64Type, stringType;
BinaryReader reader;
public MethodDefinition Method {
get { return decryptMethod; }
}
public EmbeddedResource Resource {
get { return resource; }
}
public bool Detected {
get { return decryptMethod != null; }
}
public ConstantsDecrypterV15(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
this.module = module;
this.simpleDeobfuscator = simpleDeobfuscator;
}
static readonly string[] requiredLocals = new string[] {
"System.Byte[]",
"System.Collections.Generic.Dictionary`2<System.UInt32,System.Object>",
"System.IO.BinaryReader",
"System.IO.Compression.DeflateStream",
"System.IO.MemoryStream",
"System.Random",
"System.Reflection.Assembly",
};
public void find() {
var type = DotNetUtils.getModuleType(module);
if (type == null)
return;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.isMethod(method, "System.Object", "(System.UInt32)"))
continue;
var localTypes = new LocalTypes(method);
if (!localTypes.all(requiredLocals))
continue;
decryptMethod = method;
break;
}
}
public void initialize() {
if ((resource = findResource(decryptMethod)) == null)
throw new ApplicationException("Could not find encrypted consts resource");
if (!initializeKeys())
throw new ApplicationException("Could not find all keys");
if (!initializeTypeCodes())
throw new ApplicationException("Could not find all type codes");
var constants = DeobUtils.inflate(resource.GetResourceData(), true);
reader = new BinaryReader(new MemoryStream(constants));
}
bool initializeKeys() {
if (!findKey0(decryptMethod, out key0))
return false;
if (!findKey1(decryptMethod, out key1))
return false;
if (!findKey2Key3(decryptMethod, out key2, out key3))
return false;
return true;
}
static bool findKey0(MethodDefinition method, out uint key) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 5; i++) {
if (!DotNetUtils.isLdloc(instrs[i]))
continue;
if (instrs[i + 1].OpCode.Code != Code.Or)
continue;
var ldci4 = instrs[i + 2];
if (!DotNetUtils.isLdcI4(ldci4))
continue;
if (instrs[i + 3].OpCode.Code != Code.Xor)
continue;
if (instrs[i + 4].OpCode.Code != Code.Add)
continue;
if (!DotNetUtils.isStloc(instrs[i + 5]))
continue;
key = (uint)DotNetUtils.getLdcI4Value(ldci4);
return true;
}
key = 0;
return false;
}
static bool findKey1(MethodDefinition method, out uint key) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++) {
int index = ConfuserUtils.findCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
if (index < 0)
break;
if (index + 2 > instrs.Count)
break;
if (!DotNetUtils.isStloc(instrs[index + 1]))
continue;
var ldci4 = instrs[index + 2];
if (!DotNetUtils.isLdcI4(ldci4))
continue;
key = (uint)DotNetUtils.getLdcI4Value(ldci4);
return true;
}
key = 0;
return false;
}
static bool findKey2Key3(MethodDefinition method, out uint key2, out uint key3) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 3; i++) {
var ldci4_1 = instrs[i];
if (!DotNetUtils.isLdcI4(ldci4_1))
continue;
if (!DotNetUtils.isStloc(instrs[i + 1]))
continue;
var ldci4_2 = instrs[i + 2];
if (!DotNetUtils.isLdcI4(ldci4_2))
continue;
if (!DotNetUtils.isStloc(instrs[i + 3]))
continue;
key2 = (uint)DotNetUtils.getLdcI4Value(ldci4_1);
key3 = (uint)DotNetUtils.getLdcI4Value(ldci4_2);
return true;
}
key2 = 0;
key3 = 0;
return false;
}
bool initializeTypeCodes() {
var allBlocks = new Blocks(decryptMethod).MethodBlocks.getAllBlocks();
if (!findTypeCode(allBlocks, out doubleType, Code.Call, "System.Double System.BitConverter::ToDouble(System.Byte[],System.Int32)"))
return false;
if (!findTypeCode(allBlocks, out singleType, Code.Call, "System.Single System.BitConverter::ToSingle(System.Byte[],System.Int32)"))
return false;
if (!findTypeCode(allBlocks, out int32Type, Code.Call, "System.Int32 System.BitConverter::ToInt32(System.Byte[],System.Int32)"))
return false;
if (!findTypeCode(allBlocks, out int64Type, Code.Call, "System.Int64 System.BitConverter::ToInt64(System.Byte[],System.Int32)"))
return false;
if (!findTypeCode(allBlocks, out stringType, Code.Callvirt, "System.String System.Text.Encoding::GetString(System.Byte[])"))
return false;
return true;
}
static bool findTypeCode(IList<Block> allBlocks, out byte typeCode, Code callCode, string bitConverterMethod) {
foreach (var block in allBlocks) {
if (block.Sources.Count != 1)
continue;
int index = ConfuserUtils.findCallMethod(block.Instructions, 0, callCode, bitConverterMethod);
if (index < 0)
continue;
if (!findTypeCode(block.Sources[0], out typeCode))
continue;
return true;
}
typeCode = 0;
return false;
}
static bool findTypeCode(Block block, out byte typeCode) {
var instrs = block.Instructions;
int numCeq = 0;
for (int i = instrs.Count - 1; i >= 0; i--) {
var instr = instrs[i];
if (instr.OpCode.Code == Code.Ceq) {
numCeq++;
continue;
}
if (!DotNetUtils.isLdcI4(instr.Instruction))
continue;
if (numCeq != 0 && numCeq != 2)
continue;
typeCode = (byte)DotNetUtils.getLdcI4Value(instr.Instruction);
return true;
}
typeCode = 0;
return false;
}
EmbeddedResource findResource(MethodDefinition method) {
return DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
}
public object decryptInt32(MethodDefinition caller, uint magic) {
byte typeCode;
var data = decryptData(caller, magic, out typeCode);
if (typeCode != int32Type)
return null;
if (data.Length != 4)
throw new ApplicationException("Invalid data length");
return BitConverter.ToInt32(data, 0);
}
public object decryptInt64(MethodDefinition caller, uint magic) {
byte typeCode;
var data = decryptData(caller, magic, out typeCode);
if (typeCode != int64Type)
return null;
if (data.Length != 8)
throw new ApplicationException("Invalid data length");
return BitConverter.ToInt64(data, 0);
}
public object decryptSingle(MethodDefinition caller, uint magic) {
byte typeCode;
var data = decryptData(caller, magic, out typeCode);
if (typeCode != singleType)
return null;
if (data.Length != 4)
throw new ApplicationException("Invalid data length");
return BitConverter.ToSingle(data, 0);
}
public object decryptDouble(MethodDefinition caller, uint magic) {
byte typeCode;
var data = decryptData(caller, magic, out typeCode);
if (typeCode != doubleType)
return null;
if (data.Length != 8)
throw new ApplicationException("Invalid data length");
return BitConverter.ToDouble(data, 0);
}
public string decryptString(MethodDefinition caller, uint magic) {
byte typeCode;
var data = decryptData(caller, magic, out typeCode);
if (typeCode != stringType)
return null;
return Encoding.UTF8.GetString(data);
}
byte[] decryptData(MethodDefinition caller, uint magic, out byte typeCode) {
uint offs = calcHash(caller.MetadataToken.ToUInt32()) ^ magic;
reader.BaseStream.Position = offs;
typeCode = reader.ReadByte();
if (typeCode != int32Type && typeCode != int64Type &&
typeCode != singleType && typeCode != doubleType &&
typeCode != stringType)
throw new ApplicationException("Invalid type code");
var encrypted = reader.ReadBytes(reader.ReadInt32());
var rand = new Random((int)(key0 ^ offs));
var decrypted = new byte[encrypted.Length];
rand.NextBytes(decrypted);
for (int i = 0; i < decrypted.Length; i++)
decrypted[i] ^= encrypted[i];
return decrypted;
}
uint calcHash(uint x) {
uint h0 = key1 ^ x;
uint h1 = key2;
uint h2 = key3;
for (uint i = 1; i <= 64; i++) {
h0 = (h0 << 8) | (h0 >> 24);
uint n = h0 & 0x3F;
if (n >= 0 && n < 16) {
h1 |= ((byte)(h0 >> 8) & (h0 >> 16)) ^ (byte)~h0;
h2 ^= (h0 * i + 1) & 0xF;
h0 += (h1 | h2) ^ key0;
}
else if (n >= 16 && n < 32) {
h1 ^= ((h0 & 0x00FF00FF) << 8) ^ (ushort)((h0 >> 8) | ~h0);
h2 += (h0 * i) & 0x1F;
h0 |= (h1 + ~h2) & key0;
}
else if (n >= 32 && n < 48) {
h1 += (byte)(h0 | (h0 >> 16)) + (~h0 & 0xFF);
h2 -= ~(h0 + n) % 48;
h0 ^= (h1 % h2) | key0;
}
else if (n >= 48 && n < 64) {
h1 ^= ((byte)(h0 >> 16) | ~(h0 & 0xFF)) * (~h0 & 0x00FF0000);
h2 += (h0 ^ (i - 1)) % n;
h0 -= ~(h1 ^ h2) + key0;
}
}
return h0;
}
}
}

56
de4dot.code/deobfuscators/Confuser/Deobfuscator.cs
View File

@ -79,6 +79,7 @@ namespace de4dot.code.deobfuscators.Confuser {
AntiDumping antiDumping;
ResourceDecrypter resourceDecrypter;
ConstantsDecrypter constantsDecrypter;
ConstantsDecrypterV15 constantsDecrypterV15;
Int32ValueInliner int32ValueInliner;
Int64ValueInliner int64ValueInliner;
SingleValueInliner singleValueInliner;
@ -137,6 +138,7 @@ namespace de4dot.code.deobfuscators.Confuser {
toInt32(antiDumping != null ? antiDumping.Detected : false) +
toInt32(resourceDecrypter != null ? resourceDecrypter.Detected : false) +
toInt32(constantsDecrypter != null ? constantsDecrypter.Detected : false) +
toInt32(constantsDecrypterV15 != null ? constantsDecrypterV15.Detected : false) +
toInt32(stringDecrypter != null ? stringDecrypter.Detected : false) +
toInt32(unpacker != null ? unpacker.Detected : false);
if (sum > 0)
@ -166,8 +168,13 @@ namespace de4dot.code.deobfuscators.Confuser {
resourceDecrypter.find();
constantsDecrypter = new ConstantsDecrypter(module, getFileData(), DeobfuscatedFile);
constantsDecrypter.find();
constantsDecrypterV15 = new ConstantsDecrypterV15(module, DeobfuscatedFile);
if (!constantsDecrypter.Detected)
constantsDecrypterV15.find();
if (constantsDecrypter.Detected)
initializeConstantsDecrypter();
else if (constantsDecrypterV15.Detected)
initializeConstantsDecrypter15();
proxyCallFixer = new ProxyCallFixer(module, getFileData(), DeobfuscatedFile);
proxyCallFixer.findDelegateCreator();
if (!proxyCallFixer.Detected) {
@ -279,6 +286,7 @@ namespace de4dot.code.deobfuscators.Confuser {
removeObfuscatorAttribute();
initializeConstantsDecrypter();
initializeConstantsDecrypter15();
initializeStringDecrypter();
if (jitMethodsDecrypter != null) {
@ -340,20 +348,18 @@ namespace de4dot.code.deobfuscators.Confuser {
bool hasInitializedStringDecrypter = false;
void initializeStringDecrypter() {
if (hasInitializedStringDecrypter)
if (hasInitializedStringDecrypter || (stringDecrypter== null || !stringDecrypter.Detected))
return;
hasInitializedStringDecrypter = true;
if (stringDecrypter != null && stringDecrypter.Detected) {
decryptResources();
stringDecrypter.initialize();
staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => stringDecrypter.decrypt(staticStringInliner.Method, (int)args[0]));
}
decryptResources();
stringDecrypter.initialize();
staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => stringDecrypter.decrypt(staticStringInliner.Method, (int)args[0]));
}
bool hasInitializedConstantsDecrypter = false;
void initializeConstantsDecrypter() {
if (hasInitializedConstantsDecrypter)
if (hasInitializedConstantsDecrypter || (constantsDecrypter == null || !constantsDecrypter.Detected))
return;
hasInitializedConstantsDecrypter = true;
@ -377,6 +383,32 @@ namespace de4dot.code.deobfuscators.Confuser {
addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
}
bool hasInitializedConstantsDecrypter15 = false;
void initializeConstantsDecrypter15() {
if (hasInitializedConstantsDecrypter15 || (constantsDecrypterV15 == null || !constantsDecrypterV15.Detected))
return;
hasInitializedConstantsDecrypter15 = true;
decryptResources();
constantsDecrypterV15.initialize();
int32ValueInliner = new Int32ValueInliner();
int64ValueInliner = new Int64ValueInliner();
singleValueInliner = new SingleValueInliner();
doubleValueInliner = new DoubleValueInliner();
staticStringInliner.add(constantsDecrypterV15.Method, (method, gim, args) => constantsDecrypterV15.decryptString(staticStringInliner.Method, (uint)args[0]));
int32ValueInliner.add(constantsDecrypterV15.Method, (method, gim, args) => constantsDecrypterV15.decryptInt32(int32ValueInliner.Method, (uint)args[0]));
int64ValueInliner.add(constantsDecrypterV15.Method, (method, gim, args) => constantsDecrypterV15.decryptInt64(int64ValueInliner.Method, (uint)args[0]));
singleValueInliner.add(constantsDecrypterV15.Method, (method, gim, args) => constantsDecrypterV15.decryptSingle(singleValueInliner.Method, (uint)args[0]));
doubleValueInliner.add(constantsDecrypterV15.Method, (method, gim, args) => constantsDecrypterV15.decryptDouble(doubleValueInliner.Method, (uint)args[0]));
int32ValueInliner.RemoveUnbox = true;
int64ValueInliner.RemoveUnbox = true;
singleValueInliner.RemoveUnbox = true;
doubleValueInliner.RemoveUnbox = true;
DeobfuscatedFile.stringDecryptersAdded();
addMethodToBeRemoved(constantsDecrypterV15.Method, "Constants decrypter method");
addResourceToBeRemoved(constantsDecrypterV15.Resource, "Encrypted constants");
}
void decryptResources() {
var rsrc = resourceDecrypter.mergeResources();
if (rsrc == null)
@ -400,10 +432,12 @@ namespace de4dot.code.deobfuscators.Confuser {
proxyCallFixerV1.deobfuscate(blocks);
resourceDecrypter.deobfuscate(blocks);
unpacker.deobfuscate(blocks);
int32ValueInliner.decrypt(blocks);
int64ValueInliner.decrypt(blocks);
singleValueInliner.decrypt(blocks);
doubleValueInliner.decrypt(blocks);
if (int32ValueInliner != null) {
int32ValueInliner.decrypt(blocks);
int64ValueInliner.decrypt(blocks);
singleValueInliner.decrypt(blocks);
doubleValueInliner.decrypt(blocks);
}
base.deobfuscateMethodEnd(blocks);
}