Merge branch 'co' into new_code
Conflicts: de4dot.code/de4dot.code.csproj de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
This commit is contained in:
commit
762e043236
|
@ -78,6 +78,7 @@
|
||||||
<Compile Include="deobfuscators\MaxtoCode\McKey.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\McKey.cs" />
|
||||||
<Compile Include="deobfuscators\MaxtoCode\PeHeader.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\PeHeader.cs" />
|
||||||
<Compile Include="deobfuscators\MaxtoCode\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\StringDecrypter.cs" />
|
||||||
|
<Compile Include="deobfuscators\CryptoObfuscator\ConstantsDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\MethodBodyReaderBase.cs" />
|
<Compile Include="deobfuscators\MethodBodyReaderBase.cs" />
|
||||||
<Compile Include="deobfuscators\Babel_NET\MethodsDecrypter.cs" />
|
<Compile Include="deobfuscators\Babel_NET\MethodsDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\Babel_NET\ProxyCallFixer.cs" />
|
<Compile Include="deobfuscators\Babel_NET\ProxyCallFixer.cs" />
|
||||||
|
|
|
@ -63,7 +63,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
continue;
|
continue;
|
||||||
deobfuscate(method);
|
deobfuscate(method);
|
||||||
if (!containsString(method, "debugger is activ") &&
|
if (!containsString(method, "debugger is activ") &&
|
||||||
!containsString(method, "debugger is running"))
|
!containsString(method, "debugger is running") &&
|
||||||
|
!containsString(method, "run under a debugger"))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
antiDebuggerType = type;
|
antiDebuggerType = type;
|
||||||
|
|
145
de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
Normal file
145
de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
Normal file
|
@ -0,0 +1,145 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.Text;
|
||||||
|
using Mono.Cecil;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
class ConstantsDecrypter {
|
||||||
|
ModuleDefinition module;
|
||||||
|
TypeDefinition decrypterType;
|
||||||
|
MethodDefinition methodI4;
|
||||||
|
MethodDefinition methodI8;
|
||||||
|
MethodDefinition methodR4;
|
||||||
|
MethodDefinition methodR8;
|
||||||
|
EmbeddedResource encryptedResource;
|
||||||
|
byte[] constantsData;
|
||||||
|
|
||||||
|
public TypeDefinition Type {
|
||||||
|
get { return decrypterType; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public EmbeddedResource Resource {
|
||||||
|
get { return encryptedResource; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodDefinition Int32Decrypter {
|
||||||
|
get { return methodI4; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodDefinition Int64Decrypter {
|
||||||
|
get { return methodI8; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodDefinition SingleDecrypter {
|
||||||
|
get { return methodR4; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodDefinition DoubleDecrypter {
|
||||||
|
get { return methodR8; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool Detected {
|
||||||
|
get { return decrypterType != null; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public ConstantsDecrypter(ModuleDefinition module) {
|
||||||
|
this.module = module;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void find() {
|
||||||
|
foreach (var type in module.Types) {
|
||||||
|
if (!checkType(type))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
decrypterType = type;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static readonly string[] requiredTypes = new string[] {
|
||||||
|
"System.Byte[]",
|
||||||
|
};
|
||||||
|
bool checkType(TypeDefinition type) {
|
||||||
|
if (type.Methods.Count != 7)
|
||||||
|
return false;
|
||||||
|
if (type.Fields.Count != 1)
|
||||||
|
return false;
|
||||||
|
if (!new FieldTypes(type).all(requiredTypes))
|
||||||
|
return false;
|
||||||
|
if (!checkMethods(type))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool checkMethods(TypeDefinition type) {
|
||||||
|
methodI4 = DotNetUtils.getMethod(type, "System.Int32", "(System.Int32)");
|
||||||
|
methodI8 = DotNetUtils.getMethod(type, "System.Int64", "(System.Int32)");
|
||||||
|
methodR4 = DotNetUtils.getMethod(type, "System.Single", "(System.Int32)");
|
||||||
|
methodR8 = DotNetUtils.getMethod(type, "System.Double", "(System.Int32)");
|
||||||
|
|
||||||
|
return methodI4 != null && methodI8 != null &&
|
||||||
|
methodR4 != null && methodR8 != null;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void init(ResourceDecrypter resourceDecrypter) {
|
||||||
|
if (decrypterType == null)
|
||||||
|
return;
|
||||||
|
|
||||||
|
encryptedResource = getResource(module, DotNetUtils.getCodeStrings(DotNetUtils.getMethod(decrypterType, ".cctor")));
|
||||||
|
constantsData = resourceDecrypter.decrypt(encryptedResource.GetResourceStream());
|
||||||
|
}
|
||||||
|
|
||||||
|
static EmbeddedResource getResource(ModuleDefinition module, IEnumerable<string> names) {
|
||||||
|
foreach (var name in names) {
|
||||||
|
var resource = DotNetUtils.getResource(module, name) as EmbeddedResource;
|
||||||
|
if (resource != null)
|
||||||
|
return resource;
|
||||||
|
try {
|
||||||
|
resource = DotNetUtils.getResource(module, Encoding.UTF8.GetString(Convert.FromBase64String(name))) as EmbeddedResource;
|
||||||
|
if (resource != null)
|
||||||
|
return resource;
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
public int decryptInt32(int index) {
|
||||||
|
return BitConverter.ToInt32(constantsData, index);
|
||||||
|
}
|
||||||
|
|
||||||
|
public long decryptInt64(int index) {
|
||||||
|
return BitConverter.ToInt64(constantsData, index);
|
||||||
|
}
|
||||||
|
|
||||||
|
public float decryptSingle(int index) {
|
||||||
|
return BitConverter.ToSingle(constantsData, index);
|
||||||
|
}
|
||||||
|
|
||||||
|
public double decryptDouble(int index) {
|
||||||
|
return BitConverter.ToDouble(constantsData, index);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -29,10 +29,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
public const string THE_TYPE = "co";
|
public const string THE_TYPE = "co";
|
||||||
const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
||||||
BoolOption removeTamperProtection;
|
BoolOption removeTamperProtection;
|
||||||
|
BoolOption decryptConstants;
|
||||||
|
|
||||||
public DeobfuscatorInfo()
|
public DeobfuscatorInfo()
|
||||||
: base(DEFAULT_REGEX) {
|
: base(DEFAULT_REGEX) {
|
||||||
removeTamperProtection = new BoolOption(null, makeArgName("tamper"), "Remove tamper protection code", true);
|
removeTamperProtection = new BoolOption(null, makeArgName("tamper"), "Remove tamper protection code", true);
|
||||||
|
decryptConstants = new BoolOption(null, makeArgName("consts"), "Decrypt constants", true);
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string Name {
|
public override string Name {
|
||||||
|
@ -47,12 +49,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
return new Deobfuscator(new Deobfuscator.Options {
|
return new Deobfuscator(new Deobfuscator.Options {
|
||||||
ValidNameRegex = validNameRegex.get(),
|
ValidNameRegex = validNameRegex.get(),
|
||||||
RemoveTamperProtection = removeTamperProtection.get(),
|
RemoveTamperProtection = removeTamperProtection.get(),
|
||||||
|
DecryptConstants = decryptConstants.get(),
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
protected override IEnumerable<Option> getOptionsInternal() {
|
protected override IEnumerable<Option> getOptionsInternal() {
|
||||||
return new List<Option>() {
|
return new List<Option>() {
|
||||||
removeTamperProtection,
|
removeTamperProtection,
|
||||||
|
decryptConstants,
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -71,9 +75,15 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
StringDecrypter stringDecrypter;
|
StringDecrypter stringDecrypter;
|
||||||
TamperDetection tamperDetection;
|
TamperDetection tamperDetection;
|
||||||
AntiDebugger antiDebugger;
|
AntiDebugger antiDebugger;
|
||||||
|
ConstantsDecrypter constantsDecrypter;
|
||||||
|
Int32ValueInliner int32ValueInliner;
|
||||||
|
Int64ValueInliner int64ValueInliner;
|
||||||
|
SingleValueInliner singleValueInliner;
|
||||||
|
DoubleValueInliner doubleValueInliner;
|
||||||
|
|
||||||
internal class Options : OptionsBase {
|
internal class Options : OptionsBase {
|
||||||
public bool RemoveTamperProtection { get; set; }
|
public bool RemoveTamperProtection { get; set; }
|
||||||
|
public bool DecryptConstants { get; set; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string Type {
|
public override string Type {
|
||||||
|
@ -103,7 +113,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
|
||||||
int sum = toInt32(stringDecrypter.Detected) +
|
int sum = toInt32(stringDecrypter.Detected) +
|
||||||
toInt32(tamperDetection.Detected) +
|
toInt32(tamperDetection.Detected) +
|
||||||
toInt32(proxyCallFixer.Detected);
|
toInt32(proxyCallFixer.Detected) +
|
||||||
|
toInt32(constantsDecrypter.Detected);
|
||||||
if (sum > 0)
|
if (sum > 0)
|
||||||
val += 100 + 10 * (sum - 1);
|
val += 100 + 10 * (sum - 1);
|
||||||
if (foundCryptoObfuscatorAttribute || foundObfuscatedSymbols || foundObfuscatorUserString)
|
if (foundCryptoObfuscatorAttribute || foundObfuscatedSymbols || foundObfuscatorUserString)
|
||||||
|
@ -129,6 +140,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
stringDecrypter.find();
|
stringDecrypter.find();
|
||||||
tamperDetection = new TamperDetection(module);
|
tamperDetection = new TamperDetection(module);
|
||||||
tamperDetection.find();
|
tamperDetection.find();
|
||||||
|
constantsDecrypter = new ConstantsDecrypter(module);
|
||||||
|
constantsDecrypter.find();
|
||||||
foundObfuscatorUserString = Utils.StartsWith(module.GetUserString(1), "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal);
|
foundObfuscatorUserString = Utils.StartsWith(module.GetUserString(1), "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -180,6 +193,20 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
|
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
|
||||||
antiDebugger.find();
|
antiDebugger.find();
|
||||||
|
|
||||||
|
if (options.DecryptConstants) {
|
||||||
|
constantsDecrypter.init(resourceDecrypter);
|
||||||
|
int32ValueInliner = new Int32ValueInliner();
|
||||||
|
int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, args) => constantsDecrypter.decryptInt32((int)args[0]));
|
||||||
|
int64ValueInliner = new Int64ValueInliner();
|
||||||
|
int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, args) => constantsDecrypter.decryptInt64((int)args[0]));
|
||||||
|
singleValueInliner = new SingleValueInliner();
|
||||||
|
singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, args) => constantsDecrypter.decryptSingle((int)args[0]));
|
||||||
|
doubleValueInliner = new DoubleValueInliner();
|
||||||
|
doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, args) => constantsDecrypter.decryptDouble((int)args[0]));
|
||||||
|
addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
|
||||||
|
addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
|
||||||
|
}
|
||||||
|
|
||||||
addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
|
addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
|
||||||
addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
|
addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
|
||||||
addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
|
addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
|
||||||
|
@ -198,6 +225,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
|
||||||
public override void deobfuscateMethodEnd(Blocks blocks) {
|
public override void deobfuscateMethodEnd(Blocks blocks) {
|
||||||
proxyCallFixer.deobfuscate(blocks);
|
proxyCallFixer.deobfuscate(blocks);
|
||||||
|
if (options.DecryptConstants) {
|
||||||
|
int32ValueInliner.decrypt(blocks);
|
||||||
|
int64ValueInliner.decrypt(blocks);
|
||||||
|
singleValueInliner.decrypt(blocks);
|
||||||
|
doubleValueInliner.decrypt(blocks);
|
||||||
|
}
|
||||||
base.deobfuscateMethodEnd(blocks);
|
base.deobfuscateMethodEnd(blocks);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -129,7 +129,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
MethodDefinition getProxyCreateMethod(TypeDefinition type) {
|
MethodDefinition getProxyCreateMethod(TypeDefinition type) {
|
||||||
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
|
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
|
||||||
return null;
|
return null;
|
||||||
if (type.Fields.Count < 1 || type.Fields.Count > 6)
|
if (type.Fields.Count < 1 || type.Fields.Count > 7)
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
MethodDefinition createMethod = null;
|
MethodDefinition createMethod = null;
|
||||||
|
|
|
@ -302,6 +302,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
return method;
|
return method;
|
||||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int16,System.IO.Stream)"))
|
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int16,System.IO.Stream)"))
|
||||||
return method;
|
return method;
|
||||||
|
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte,System.IO.Stream)"))
|
||||||
|
return method;
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
|
@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
|
||||||
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||||
return false;
|
return false;
|
||||||
if (type.Methods.Count < 3 || type.Methods.Count > 8)
|
if (type.Methods.Count < 3 || type.Methods.Count > 9)
|
||||||
return false;
|
return false;
|
||||||
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
|
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user