Remove tamper detection code

de4dot.code/de4dot.code.csproj

@@ -85,6 +85,7 @@
     <Compile Include="deobfuscators\dotNET_Reactor\QuickLZ.cs" />
     <Compile Include="deobfuscators\dotNET_Reactor\ResourceResolver.cs" />
     <Compile Include="deobfuscators\dotNET_Reactor\StringDecrypter.cs" />
+    <Compile Include="deobfuscators\dotNET_Reactor\TamperDetection.cs" />
     <Compile Include="deobfuscators\Eazfuscator\Deobfuscator.cs" />
     <Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
     <Compile Include="deobfuscators\IDeobfuscatedFile.cs" />

de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs

@@ -38,6 +38,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 		BoolOption dumpEmbeddedAssemblies;
 		BoolOption decryptResources;
 		BoolOption removeNamespaces;
+		BoolOption removeTamperDetection;
 
 		public DeobfuscatorInfo()
 			: base(DEFAULT_REGEX) {
@@ -49,6 +50,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 			dumpEmbeddedAssemblies = new BoolOption(null, makeArgName("embedded"), "Dump embedded assemblies", true);
 			decryptResources = new BoolOption(null, makeArgName("rsrc"), "Decrypt resources", true);
 			removeNamespaces = new BoolOption(null, makeArgName("ns1"), "Clear namespace if there's only one class in it", true);
+			removeTamperDetection = new BoolOption(null, makeArgName("tamper"), "Remove tamper detection code", true);
 		}
 
 		public override string Name {
@@ -70,6 +72,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 				DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.get(),
 				DecryptResources = decryptResources.get(),
 				RemoveNamespaces = removeNamespaces.get(),
+				RemoveTamperDetection = removeTamperDetection.get(),
 			});
 		}
 
@@ -83,6 +86,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 				dumpEmbeddedAssemblies,
 				decryptResources,
 				removeNamespaces,
+				removeTamperDetection,
 			};
 		}
 	}
@@ -100,6 +104,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 		MetadataTokenObfuscator metadataTokenObfuscator;
 		AssemblyResolver assemblyResolver;
 		ResourceResolver resourceResolver;
+		TamperDetection tamperDetection;
 
 		bool canRemoveDecrypterType = true;
 		bool startedDeobfuscating = false;
@@ -113,6 +118,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 			public bool DumpEmbeddedAssemblies { get; set; }
 			public bool DecryptResources { get; set; }
 			public bool RemoveNamespaces { get; set; }
+			public bool RemoveTamperDetection { get; set; }
 		}
 
 		public override string Type {
@@ -359,6 +365,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 			DeobfuscatedFile.stringDecryptersAdded();
 
 			metadataTokenObfuscator = new MetadataTokenObfuscator(module);
+			tamperDetection = new TamperDetection(getDecrypterType());
 
 			bool removeResourceResolver = false;
 			if (options.DecryptResources) {
@@ -391,6 +398,9 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 			else
 				canRemoveDecrypterType = false;
 
+			if (!options.RemoveTamperDetection)
+				canRemoveDecrypterType = false;
+
 			// The inlined methods may contain calls to the decrypter class
 			if (!options.InlineMethods)
 				canRemoveDecrypterType = false;
@@ -435,11 +445,23 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 		public override void deobfuscateMethodEnd(Blocks blocks) {
 			metadataTokenObfuscator.deobfuscate(blocks);
 			fixTypeofDecrypterInstructions(blocks);
+			removeTamperDetection(blocks);
 			base.deobfuscateMethodEnd(blocks);
 		}
 
+		void removeTamperDetection(Blocks blocks) {
+			if (!options.RemoveTamperDetection)
+				return;
+			if (tamperDetection.remove(blocks))
+				Log.v("Removed Tamper Detection code");
+		}
+
+		TypeDefinition getDecrypterType() {
+			return methodsDecrypter.DecrypterType ?? stringDecrypter.DecrypterType ?? booleanDecrypter.DecrypterType;
+		}
+
 		void fixTypeofDecrypterInstructions(Blocks blocks) {
-			var type = methodsDecrypter.DecrypterType ?? stringDecrypter.DecrypterType ?? booleanDecrypter.DecrypterType;
+			var type = getDecrypterType();
 			if (type == null)
 				return;
 
@@ -460,8 +482,12 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 			removeInlinedMethods();
 			if (options.RestoreTypes)
 				new TypesRestorer(module).deobfuscate();
-			if (canRemoveDecrypterType && methodsDecrypter.Method != null)
-				addTypeToBeRemoved(methodsDecrypter.Method.DeclaringType, "Decrypter type");
+			if (canRemoveDecrypterType) {
+				if (methodsDecrypter.Method != null)
+					addTypeToBeRemoved(methodsDecrypter.Method.DeclaringType, "Decrypter type");
+			}
+			else
+				Log.v("Could not remove decrypter type");
 			base.deobfuscateEnd();
 		}
 

de4dot.code/deobfuscators/dotNET_Reactor/TamperDetection.cs

@@ -0,0 +1,158 @@
+/*
+    Copyright (C) 2011 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using Mono.Cecil;
+using Mono.Cecil.Cil;
+using de4dot.blocks;
+
+namespace de4dot.deobfuscators.dotNET_Reactor {
+	class TamperDetection {
+		TypeDefinition decrypterType;
+		MethodDefinition tamperMethod;
+
+		public TamperDetection(TypeDefinition decrypterType) {
+			this.decrypterType = decrypterType;
+			find();
+		}
+
+		public void find() {
+			if (decrypterType == null)
+				return;
+
+			var requiredTypes = new string[] {
+				"System.Byte[]",
+				"System.IO.MemoryStream",
+				"System.Security.Cryptography.CryptoStream",
+				"System.Security.Cryptography.MD5",
+				"System.Security.Cryptography.Rijndael",
+			};
+
+			foreach (var method in decrypterType.Methods) {
+				if (!method.IsStatic || method.Body == null)
+					continue;
+				if (method.Parameters.Count != 2)
+					continue;
+				if (!checkType(method.MethodReturnType.ReturnType.FullName, "System.String"))
+					continue;
+				if (!checkType(method.Parameters[0].ParameterType.FullName, "System.String"))
+					continue;
+				if (!checkType(method.Parameters[1].ParameterType.FullName, "System.String"))
+					continue;
+
+				var localTypes = new LocalTypes(method);
+				if (!localTypes.all(requiredTypes))
+					continue;
+
+				tamperMethod = method;
+				break;
+			}
+		}
+
+		static bool checkType(string type, string expectedType) {
+			return type == "System.Object" || type == expectedType;
+		}
+
+		public bool remove(Blocks blocks) {
+			if (tamperMethod == null)
+				return false;
+
+			Block tamperBlock;
+			int numInstructions;
+			if (!findBlock(blocks, out tamperBlock, out numInstructions))
+				return false;
+
+			if (tamperBlock.FallThrough == null || tamperBlock.Targets == null || tamperBlock.Targets.Count != 1)
+				throw new ApplicationException("Invalid state");
+
+			var goodBlock = tamperBlock.Targets[0];
+			var badBlock = tamperBlock.FallThrough;
+
+			tamperBlock.replaceLastInstrsWithBranch(numInstructions, goodBlock);
+
+			if (badBlock.FallThrough != badBlock || badBlock.Sources.Count != 1 || badBlock.Targets != null)
+				throw new ApplicationException("Invalid state");
+			((ScopeBlock)badBlock.Parent).removeGuaranteedDeadBlock(badBlock);
+
+			return true;
+		}
+
+		bool findBlock(Blocks blocks, out Block foundBlock, out int numInstructions) {
+			const int NUM_INSTRS = 11;
+
+			foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
+				if (!block.LastInstr.isBrfalse())
+					continue;
+
+				var instructions = block.Instructions;
+				if (instructions.Count < NUM_INSTRS)
+					continue;
+				int i = instructions.Count - NUM_INSTRS;
+				if (instructions[i].OpCode.Code != Code.Ldtoken)
+					continue;
+				if (!(instructions[i].Operand is TypeReference))
+					continue;
+				if (!checkCall(instructions[i + 1], "System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle)"))
+					continue;
+				if (!checkCall(instructions[i + 2], "System.Reflection.Assembly System.Type::get_Assembly()"))
+					continue;
+				if (!checkCall(instructions[i + 3], "System.Reflection.AssemblyName System.Reflection.Assembly::GetName()"))
+					continue;
+				if (!checkCall(instructions[i + 4], "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()"))
+					continue;
+				if (!checkCall(instructions[i + 5], "System.String System.Convert::ToBase64String(System.Byte[])"))
+					continue;
+				if (instructions[i + 6].OpCode.Code != Code.Ldstr)
+					continue;
+				if (!checkCall(instructions[i + 7], tamperMethod))
+					continue;
+				if (instructions[i + 8].OpCode.Code != Code.Ldstr)
+					continue;
+				if (!checkCall(instructions[i + 9], "System.Boolean System.String::op_Inequality(System.String,System.String)"))
+					continue;
+
+				numInstructions = NUM_INSTRS;
+				foundBlock = block;
+				return true;
+			}
+
+			foundBlock = null;
+			numInstructions = 0;
+			return false;
+		}
+
+		static bool checkCall(Instr instr, string methodFullName) {
+			if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
+				return false;
+			var calledMethod = instr.Operand as MethodReference;
+			if (calledMethod == null)
+				return false;
+			return calledMethod.FullName == methodFullName;
+		}
+
+		static bool checkCall(Instr instr, MethodReference expectedMethod) {
+			if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
+				return false;
+			var calledMethod = instr.Operand as MethodReference;
+			if (calledMethod == null)
+				return false;
+			return MemberReferenceHelper.compareMethodReferenceAndDeclaringType(calledMethod, expectedMethod);
+		}
+	}
+}