From 7e9e691ef3cafe3ddb22788227154137912e1fc7 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Thu, 13 Dec 2012 12:03:25 +0100
Subject: [PATCH] Support ILProtector 1.0.6.0 - 1.0.6.7
---
 .../deobfuscators/ILProtector/Deobfuscator.cs | 32 +-
 .../ILProtector/MethodsDecrypter.cs | 298 +++++++++++++-----
 2 files changed, 231 insertions(+), 99 deletions(-)
diff --git a/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs b/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs
index 45593e47..db55962a 100644
--- a/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs
@@ -86,30 +86,30 @@ namespace de4dot.code.deobfuscators.ILProtector {
 mainType = new MainType(module);
 mainType.find();
 methodsDecrypter = new MethodsDecrypter(module, mainType);
- methodsDecrypter.find();
+ if (mainType.Detected)
+ methodsDecrypter.find();
 if (mainType.Detected && methodsDecrypter.Detected && methodsDecrypter.Version != null)
- obfuscatorName += " " + getVersion(methodsDecrypter.Version);
- }
-
- static string getVersion(Version version) {
- if (version.Revision == 0)
- return string.Format("{0}.{1}.{2}", version.Major, version.Minor, version.Build);
- return version.ToString();
+ obfuscatorName += " " + methodsDecrypter.Version;
 }
 public override void deobfuscateBegin() {
 base.deobfuscateBegin();
- methodsDecrypter.decrypt();
- addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Obfuscator method delegate type");
- addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods resource");
- addTypeToBeRemoved(mainType.InvokerDelegate, "Invoker delegate type");
- addFieldToBeRemoved(mainType.InvokerInstanceField, "Invoker delegate instance field");
- foreach (var pm in mainType.ProtectMethods) {
- addMethodToBeRemoved(pm, "Obfuscator 'Protect' init method");
+ if (mainType.Detected) {
+ if (methodsDecrypter.Detected) {
+ methodsDecrypter.decrypt();
+ addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Obfuscator method delegate type");
+ addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods resource");
+ addTypeToBeRemoved(mainType.InvokerDelegate, "Invoker delegate type");
+ addFieldToBeRemoved(mainType.InvokerInstanceField, "Invoker delegate instance field");
+ foreach (var pm in mainType.ProtectMethods)
+ addMethodToBeRemoved(pm, "Obfuscator 'Protect' init method");
+ mainType.cleanUp();
+ }
+ else
+ Logger.w("New ILProtector version. Can't decrypt methods (yet)");
 }
- mainType.cleanUp();
 }
 public override IEnumerable getStringDecrypterMethods() {
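Review bot: In `deobfuscateBegin`, `methodsDecrypter.decrypt();` is called unguarded, although the `DecrypterV106.getMethodsData` added by this same patch throws `ApplicationException("Could not decrypt methods data")` when none of its three candidate keys produces a matching CRC32. A resource that is detected but not decryptable therefore leaves this method through an exception, while an undetected one takes the `else` branch and only logs a warning. Whether the caller reports that exception per file is not visible in this hunk; if it does not, handle the failure the same way as the `else` branch: catch it around `methodsDecrypter.decrypt();`, log with `Logger.w(...)`, and skip the `add…ToBeRemoved` registrations and `mainType.cleanUp()` so the resource and invoker types are not stripped from a module whose method bodies are still encrypted. A one-line comment on the `else` branch, `// Leave the module untouched: removing the invoker/resource would break the still-encrypted methods`, would record why cleanup is now conditional.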
diff --git a/de4dot.code/deobfuscators/ILProtector/MethodsDecrypter.cs b/de4dot.code/deobfuscators/ILProtector/MethodsDecrypter.cs
index 7fc944c9..aaefcd51 100644
--- a/de4dot.code/deobfuscators/ILProtector/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/ILProtector/MethodsDecrypter.cs
@@ -19,6 +19,7 @@
 using System;
 using System.Collections.Generic;
+using System.IO;
 using dot10.IO;
 using dot10.DotNet;
 using dot10.DotNet.Emit;
@@ -26,20 +27,210 @@ using de4dot.blocks;
 namespace de4dot.code.deobfuscators.ILProtector {
 class MethodsDecrypter {
- public static readonly byte[] ilpPublicKeyToken = new byte[8] { 0x20, 0x12, 0xD3, 0xC0, 0x55, 0x1F, 0xE0, 0x3D };
-
- // This is the first four bytes of ILProtector's public key token
- const uint RESOURCE_MAGIC = 0xC0D31220;
-
 ModuleDefMD module;
 MainType mainType;
 EmbeddedResource methodsResource;
- Version ilpVersion;
 Dictionary methodInfos = new Dictionary();
 List delegateTypes = new List();
- int startOffset;
- byte[] decryptionKey;
- int decryptionKeyMod;
+ IDecrypter decrypter;
+
+ interface IDecrypter {
+ string Version { get; }
+ byte[] getMethodsData(EmbeddedResource resource);
+ }
+
+ class DecrypterBase : IDecrypter {
+ protected static readonly byte[] ilpPublicKeyToken = new byte[8] { 0x20, 0x12, 0xD3, 0xC0, 0x55, 0x1F, 0xE0, 0x3D };
+
+ protected string ilpVersion;
+ protected int startOffset;
+ protected byte[] decryptionKey;
+ protected int decryptionKeyMod;
+
+ public string Version {
+ get { return ilpVersion; }
+ }
+
+ protected void setVersion(Version version) {
+ if (version.Revision == 0)
+ ilpVersion = string.Format("{0}.{1}.{2}", version.Major, version.Minor, version.Build);
+ else
+ ilpVersion = version.ToString();
+ }
+
+ public virtual byte[] getMethodsData(EmbeddedResource resource) {
+ var reader = resource.Data;
+ reader.Position = startOffset;
+ if ((reader.ReadInt32() & 1) != 0)
+ return decompress(reader);
+ else
+ return reader.ReadRemainingBytes();
+ }
+
+ byte[] decompress(IBinaryReader reader) {
+ return decompress(reader, decryptionKey, decryptionKeyMod);
+ }
+
+ static void copy(byte[] src, int srcIndex, byte[] dst, int dstIndex, int size) {
+ for (int i = 0; i < size; i++)
+ dst[dstIndex++] = src[srcIndex++];
+ }
+
+ static byte[] decompress(IBinaryReader reader, byte[] key, int keyMod) {
+ return decompress(new byte[reader.Read7BitEncodedUInt32()], reader, key, keyMod);
+ }
+
+ protected static byte[] decompress(byte[] decrypted, IBinaryReader reader, byte[] key, int keyMod) {
+ int destIndex = 0;
+ while (reader.Position < reader.Length) {
+ if (destIndex >= decrypted.Length)
+ break;
+ byte flags = reader.ReadByte();
+ for (int mask = 1; mask != 0x100; mask <<= 1) {
+ if (reader.Position >= reader.Length)
+ break;
+ if (destIndex >= decrypted.Length)
+ break;
+ if ((flags & mask) != 0) {
+ int displ = (int)reader.Read7BitEncodedUInt32();
+ int size = (int)reader.Read7BitEncodedUInt32();
+ copy(decrypted, destIndex - displ, decrypted, destIndex, size);
+ destIndex += size;
+ }
+ else {
+ byte b = reader.ReadByte();
+ if (key != null)
+ b ^= key[destIndex % keyMod];
+ decrypted[destIndex++] = b;
+ }
+ }
+ }
+
+ return decrypted;
+ }
+ }
+
+ // 1.0.0 - 1.0.4
+ class DecrypterV100 : DecrypterBase {
+ // This is the first four bytes of ILProtector's public key token
+ const uint RESOURCE_MAGIC = 0xC0D31220;
+
+ DecrypterV100(Version ilpVersion) {
+ setVersion(ilpVersion);
+ this.startOffset = 8;
+ this.decryptionKey = ilpPublicKeyToken;
+ this.decryptionKeyMod = 8;
+ }
+
+ public static DecrypterV100 create(IBinaryReader reader) {
+ reader.Position = 0;
+ if (reader.Length < 12)
+ return null;
+ if (reader.ReadUInt32() != RESOURCE_MAGIC)
+ return null;
+
+ return new DecrypterV100(new Version(reader.ReadByte(), reader.ReadByte(), reader.ReadByte(), reader.ReadByte()));
+ }
+ }
+
+ // 1.0.5
+ class DecrypterV105 : DecrypterBase {
+ DecrypterV105(Version ilpVersion, byte[] key) {
+ setVersion(ilpVersion);
+ this.startOffset = 0xA0;
+ this.decryptionKey = key;
+ this.decryptionKeyMod = key.Length - 1;
+ }
+
+ public static DecrypterV105 create(IBinaryReader reader) {
+ reader.Position = 0;
+ if (reader.Length < 0xA4)
+ return null;
+ var key = reader.ReadBytes(0x94);
+ if (!Utils.compare(reader.ReadBytes(8), ilpPublicKeyToken))
+ return null;
+ return new DecrypterV105(new Version(reader.ReadByte(), reader.ReadByte(), reader.ReadByte(), reader.ReadByte()), key);
+ }
+ }
+
+ // 1.0.6
+ class DecrypterV106 : DecrypterBase {
+ byte[] decryptionKey6;
+ byte[] decryptionKey7;
+
+ DecrypterV106(byte[] key0, byte[] key6, byte[] key7, int startOffset) {
+ this.ilpVersion = "1.0.6";
+ this.startOffset = startOffset;
+ this.decryptionKey = key0;
+ this.decryptionKey6 = key6;
+ this.decryptionKey7 = key7;
+ this.decryptionKeyMod = key0.Length - 1;
+ }
+
+ public static DecrypterV106 create(IBinaryReader reader) {
+ try {
+ int keyXorOffs2 = (ReadByteAt(reader, 0) ^ ReadByteAt(reader, 2)) + 2;
+ reader.Position = keyXorOffs2 + (ReadByteAt(reader, 1) ^ ReadByteAt(reader, keyXorOffs2));
+
+ int sha1DataLen = reader.Read7BitEncodedInt32() + 0x80;
+ int keyXorOffs1 = (int)reader.Position;
+ int encryptedOffs = (int)reader.Position + sha1DataLen;
+ var sha1Data = reader.ReadBytes(sha1DataLen);
+ uint crc32 = CRC32.checksum(sha1Data);
+
+ reader.Position = reader.Length - 0x18;
+ uint origCrc32 = reader.ReadUInt32();
+ if (crc32 != origCrc32)
+ return null;
+
+ var key0 = DeobUtils.sha1Sum(sha1Data); // 1.0.6.0
+ var key6 = getKey(reader, key0, keyXorOffs1); // 1.0.6.6
+ var key7 = getKey(reader, key0, keyXorOffs2); // 1.0.6.7
+ return new DecrypterV106(key0, key6, key7, encryptedOffs);
+ }
+ catch (IOException) {
+ return null;
+ }
+ }
+
+ static byte[] getKey(IBinaryReader reader, byte[] sha1Sum, int offs) {
+ var key = (byte[])sha1Sum.Clone();
+ reader.Position = offs;
+ for (int i = 0; i < key.Length; i++) {
+ byte b = reader.ReadByte();
+ key[i] ^= b;
+ }
+ return key;
+ }
+
+ static byte ReadByteAt(IBinaryReader reader, int offs) {
+ reader.Position = offs;
+ byte b = reader.ReadByte();
+ return b;
+ }
+
+ public override byte[] getMethodsData(EmbeddedResource resource) {
+ var reader = resource.Data;
+ var keys = new byte[][] { decryptionKey, decryptionKey6, decryptionKey7 };
+ foreach (var key in keys) {
+ try {
+ reader.Position = startOffset;
+ var decrypted = new byte[reader.Read7BitEncodedUInt32()];
+ uint origCrc32 = reader.ReadUInt32();
+ decompress(decrypted, reader, key, decryptionKeyMod);
+ uint crc32 = CRC32.checksum(decrypted);
+ if (crc32 == origCrc32)
+ return decrypted;
+ }
+ catch (OutOfMemoryException) {
+ }
+ catch (IOException) {
+ }
+ }
+
+ throw new ApplicationException("Could not decrypt methods data");
+ }
+ }
 class MethodInfo2 {
 public int id;
@@ -64,8 +255,8 @@ namespace de4dot.code.deobfuscators.ILProtector {
 get { return delegateTypes; }
 }
- public Version Version {
- get { return ilpVersion; }
+ public string Version {
+ get { return decrypter == null ? null : decrypter.Version; }
 }
 public bool Detected {
@@ -85,7 +276,8 @@ namespace de4dot.code.deobfuscators.ILProtector {
 var reader = resource.Data;
 reader.Position = 0;
 if (!checkResourceV100(reader) &&
- !checkResourceV105(reader))
+ !checkResourceV105(reader) &&
+ !checkResourceV106(reader))
 continue;
 methodsResource = resource;
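Review bot: In `DecrypterBase.decompress`, the back-reference branch passes `displ` and `size` straight from the resource into `copy(decrypted, destIndex - displ, decrypted, destIndex, size)` without checking them against `destIndex` or `decrypted.Length`. The resource comes from the protected assembly under analysis, so a malformed or deliberately crafted stream makes `copy` index outside the array, and the resulting `IndexOutOfRangeException` is not one of the exceptions `DecrypterV106.getMethodsData` catches (`OutOfMemoryException`, `IOException`), so the key loop is abandoned instead of moving on. Validate before copying, e.g. `if (displ < 0 || displ > destIndex || size < 0 || size > decrypted.Length - destIndex) throw new IOException("Invalid back-reference in methods data");`. `DecrypterV106.create` has the same exposure: it is tried on every resource that the V100 and V105 checks reject (see the `-85,7` hunk), it has no magic value to gate on, and `sha1DataLen` plus the derived offsets are used unchecked with only `IOException` caught. Whether out-of-range positions or lengths surface as `IOException` depends on the `IBinaryReader` implementation, which is not visible here, so an explicit range check against `reader.Length` before `ReadBytes` and before `reader.Position = reader.Length - 0x18` would make detection safe on arbitrary input.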
@@ -93,91 +285,31 @@ namespace de4dot.code.deobfuscators.ILProtector {
 }
 }
- // 1.0.0 - 1.0.4
 bool checkResourceV100(IBinaryReader reader) {
- reader.Position = 0;
- if (reader.Length < 12)
- return false;
- if (reader.ReadUInt32() != RESOURCE_MAGIC)
- return false;
- ilpVersion = new Version(reader.ReadByte(), reader.ReadByte(), reader.ReadByte(), reader.ReadByte());
- startOffset = 8;
- decryptionKey = ilpPublicKeyToken;
- decryptionKeyMod = 8;
- return true;
+ decrypter = DecrypterV100.create(reader);
+ return decrypter != null;
 }
- // 1.0.5+
 bool checkResourceV105(IBinaryReader reader) {
- reader.Position = 0;
- if (reader.Length < 0xA4)
- return false;
- var key = reader.ReadBytes(0x94);
- if (!Utils.compare(reader.ReadBytes(8), ilpPublicKeyToken))
- return false;
- ilpVersion = new Version(reader.ReadByte(), reader.ReadByte(), reader.ReadByte(), reader.ReadByte());
- startOffset = 0xA0;
- decryptionKey = key;
- decryptionKeyMod = key.Length - 1;
- return true;
+ decrypter = DecrypterV105.create(reader);
+ return decrypter != null;
+ }
+
+ bool checkResourceV106(IBinaryReader reader) {
+ decrypter = DecrypterV106.create(reader);
+ return decrypter != null;
 }
 public void decrypt() {
- if (methodsResource == null)
+ if (methodsResource == null || decrypter == null)
 return;
- foreach (var info in readMethodInfos(getMethodsData(methodsResource)))
+ foreach (var info in readMethodInfos(decrypter.getMethodsData(methodsResource)))
 methodInfos[info.id] = info;
 restoreMethods();
 }
- byte[] getMethodsData(EmbeddedResource resource) {
- var reader = resource.Data;
- reader.Position = 0;
- reader.Position = startOffset;
- if ((reader.ReadInt32() & 1) != 0)
- return decompress(reader);
- else
- return reader.ReadRemainingBytes();
- }
-
- byte[] decompress(IBinaryReader reader) {
- return decompress(reader, decryptionKey, decryptionKeyMod);
- }
-
- static void copy(byte[] src, int srcIndex, byte[] dst, int dstIndex, int size) {
- for (int i = 0; i < size; i++)
- dst[dstIndex++] = src[srcIndex++];
- }
-
- static byte[] decompress(IBinaryReader reader, byte[] key, int keyMod) {
- var decrypted = new byte[reader.Read7BitEncodedUInt32()];
-
- int destIndex = 0;
- while (reader.Position < reader.Length) {
- byte flags = reader.ReadByte();
- for (int mask = 1; mask != 0x100; mask <<= 1) {
- if (reader.Position >= reader.Length)
- break;
- if ((flags & mask) != 0) {
- int displ = (int)reader.Read7BitEncodedUInt32();
- int size = (int)reader.Read7BitEncodedUInt32();
- copy(decrypted, destIndex - displ, decrypted, destIndex, size);
- destIndex += size;
- }
- else {
- byte b = reader.ReadByte();
- if (key != null)
- b ^= key[destIndex % keyMod];
- decrypted[destIndex++] = b;
- }
- }
- }
-
- return decrypted;
- }
-
 static MethodInfo2[] readMethodInfos(byte[] data) {
 var reader = MemoryImageStream.Create(data);
 int numMethods = (int)reader.Read7BitEncodedUInt32();