Support ILProtector 1.0.6.0 - 1.0.6.7
This commit is contained in:
parent
1dd572f2ef
commit
7e9e691ef3
|
@ -86,30 +86,30 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
||||||
mainType = new MainType(module);
|
mainType = new MainType(module);
|
||||||
mainType.find();
|
mainType.find();
|
||||||
methodsDecrypter = new MethodsDecrypter(module, mainType);
|
methodsDecrypter = new MethodsDecrypter(module, mainType);
|
||||||
methodsDecrypter.find();
|
if (mainType.Detected)
|
||||||
|
methodsDecrypter.find();
|
||||||
|
|
||||||
if (mainType.Detected && methodsDecrypter.Detected && methodsDecrypter.Version != null)
|
if (mainType.Detected && methodsDecrypter.Detected && methodsDecrypter.Version != null)
|
||||||
obfuscatorName += " " + getVersion(methodsDecrypter.Version);
|
obfuscatorName += " " + methodsDecrypter.Version;
|
||||||
}
|
|
||||||
|
|
||||||
static string getVersion(Version version) {
|
|
||||||
if (version.Revision == 0)
|
|
||||||
return string.Format("{0}.{1}.{2}", version.Major, version.Minor, version.Build);
|
|
||||||
return version.ToString();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public override void deobfuscateBegin() {
|
public override void deobfuscateBegin() {
|
||||||
base.deobfuscateBegin();
|
base.deobfuscateBegin();
|
||||||
|
|
||||||
methodsDecrypter.decrypt();
|
if (mainType.Detected) {
|
||||||
addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Obfuscator method delegate type");
|
if (methodsDecrypter.Detected) {
|
||||||
addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods resource");
|
methodsDecrypter.decrypt();
|
||||||
addTypeToBeRemoved(mainType.InvokerDelegate, "Invoker delegate type");
|
addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Obfuscator method delegate type");
|
||||||
addFieldToBeRemoved(mainType.InvokerInstanceField, "Invoker delegate instance field");
|
addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods resource");
|
||||||
foreach (var pm in mainType.ProtectMethods) {
|
addTypeToBeRemoved(mainType.InvokerDelegate, "Invoker delegate type");
|
||||||
addMethodToBeRemoved(pm, "Obfuscator 'Protect' init method");
|
addFieldToBeRemoved(mainType.InvokerInstanceField, "Invoker delegate instance field");
|
||||||
|
foreach (var pm in mainType.ProtectMethods)
|
||||||
|
addMethodToBeRemoved(pm, "Obfuscator 'Protect' init method");
|
||||||
|
mainType.cleanUp();
|
||||||
|
}
|
||||||
|
else
|
||||||
|
Logger.w("New ILProtector version. Can't decrypt methods (yet)");
|
||||||
}
|
}
|
||||||
mainType.cleanUp();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<int> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
|
|
|
@ -19,6 +19,7 @@
|
||||||
|
|
||||||
using System;
|
using System;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
|
using System.IO;
|
||||||
using dot10.IO;
|
using dot10.IO;
|
||||||
using dot10.DotNet;
|
using dot10.DotNet;
|
||||||
using dot10.DotNet.Emit;
|
using dot10.DotNet.Emit;
|
||||||
|
@ -26,20 +27,210 @@ using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.ILProtector {
|
namespace de4dot.code.deobfuscators.ILProtector {
|
||||||
class MethodsDecrypter {
|
class MethodsDecrypter {
|
||||||
public static readonly byte[] ilpPublicKeyToken = new byte[8] { 0x20, 0x12, 0xD3, 0xC0, 0x55, 0x1F, 0xE0, 0x3D };
|
|
||||||
|
|
||||||
// This is the first four bytes of ILProtector's public key token
|
|
||||||
const uint RESOURCE_MAGIC = 0xC0D31220;
|
|
||||||
|
|
||||||
ModuleDefMD module;
|
ModuleDefMD module;
|
||||||
MainType mainType;
|
MainType mainType;
|
||||||
EmbeddedResource methodsResource;
|
EmbeddedResource methodsResource;
|
||||||
Version ilpVersion;
|
|
||||||
Dictionary<int, MethodInfo2> methodInfos = new Dictionary<int, MethodInfo2>();
|
Dictionary<int, MethodInfo2> methodInfos = new Dictionary<int, MethodInfo2>();
|
||||||
List<TypeDef> delegateTypes = new List<TypeDef>();
|
List<TypeDef> delegateTypes = new List<TypeDef>();
|
||||||
int startOffset;
|
IDecrypter decrypter;
|
||||||
byte[] decryptionKey;
|
|
||||||
int decryptionKeyMod;
|
interface IDecrypter {
|
||||||
|
string Version { get; }
|
||||||
|
byte[] getMethodsData(EmbeddedResource resource);
|
||||||
|
}
|
||||||
|
|
||||||
|
class DecrypterBase : IDecrypter {
|
||||||
|
protected static readonly byte[] ilpPublicKeyToken = new byte[8] { 0x20, 0x12, 0xD3, 0xC0, 0x55, 0x1F, 0xE0, 0x3D };
|
||||||
|
|
||||||
|
protected string ilpVersion;
|
||||||
|
protected int startOffset;
|
||||||
|
protected byte[] decryptionKey;
|
||||||
|
protected int decryptionKeyMod;
|
||||||
|
|
||||||
|
public string Version {
|
||||||
|
get { return ilpVersion; }
|
||||||
|
}
|
||||||
|
|
||||||
|
protected void setVersion(Version version) {
|
||||||
|
if (version.Revision == 0)
|
||||||
|
ilpVersion = string.Format("{0}.{1}.{2}", version.Major, version.Minor, version.Build);
|
||||||
|
else
|
||||||
|
ilpVersion = version.ToString();
|
||||||
|
}
|
||||||
|
|
||||||
|
public virtual byte[] getMethodsData(EmbeddedResource resource) {
|
||||||
|
var reader = resource.Data;
|
||||||
|
reader.Position = startOffset;
|
||||||
|
if ((reader.ReadInt32() & 1) != 0)
|
||||||
|
return decompress(reader);
|
||||||
|
else
|
||||||
|
return reader.ReadRemainingBytes();
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] decompress(IBinaryReader reader) {
|
||||||
|
return decompress(reader, decryptionKey, decryptionKeyMod);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void copy(byte[] src, int srcIndex, byte[] dst, int dstIndex, int size) {
|
||||||
|
for (int i = 0; i < size; i++)
|
||||||
|
dst[dstIndex++] = src[srcIndex++];
|
||||||
|
}
|
||||||
|
|
||||||
|
static byte[] decompress(IBinaryReader reader, byte[] key, int keyMod) {
|
||||||
|
return decompress(new byte[reader.Read7BitEncodedUInt32()], reader, key, keyMod);
|
||||||
|
}
|
||||||
|
|
||||||
|
protected static byte[] decompress(byte[] decrypted, IBinaryReader reader, byte[] key, int keyMod) {
|
||||||
|
int destIndex = 0;
|
||||||
|
while (reader.Position < reader.Length) {
|
||||||
|
if (destIndex >= decrypted.Length)
|
||||||
|
break;
|
||||||
|
byte flags = reader.ReadByte();
|
||||||
|
for (int mask = 1; mask != 0x100; mask <<= 1) {
|
||||||
|
if (reader.Position >= reader.Length)
|
||||||
|
break;
|
||||||
|
if (destIndex >= decrypted.Length)
|
||||||
|
break;
|
||||||
|
if ((flags & mask) != 0) {
|
||||||
|
int displ = (int)reader.Read7BitEncodedUInt32();
|
||||||
|
int size = (int)reader.Read7BitEncodedUInt32();
|
||||||
|
copy(decrypted, destIndex - displ, decrypted, destIndex, size);
|
||||||
|
destIndex += size;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
byte b = reader.ReadByte();
|
||||||
|
if (key != null)
|
||||||
|
b ^= key[destIndex % keyMod];
|
||||||
|
decrypted[destIndex++] = b;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return decrypted;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 1.0.0 - 1.0.4
|
||||||
|
class DecrypterV100 : DecrypterBase {
|
||||||
|
// This is the first four bytes of ILProtector's public key token
|
||||||
|
const uint RESOURCE_MAGIC = 0xC0D31220;
|
||||||
|
|
||||||
|
DecrypterV100(Version ilpVersion) {
|
||||||
|
setVersion(ilpVersion);
|
||||||
|
this.startOffset = 8;
|
||||||
|
this.decryptionKey = ilpPublicKeyToken;
|
||||||
|
this.decryptionKeyMod = 8;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static DecrypterV100 create(IBinaryReader reader) {
|
||||||
|
reader.Position = 0;
|
||||||
|
if (reader.Length < 12)
|
||||||
|
return null;
|
||||||
|
if (reader.ReadUInt32() != RESOURCE_MAGIC)
|
||||||
|
return null;
|
||||||
|
|
||||||
|
return new DecrypterV100(new Version(reader.ReadByte(), reader.ReadByte(), reader.ReadByte(), reader.ReadByte()));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 1.0.5
|
||||||
|
class DecrypterV105 : DecrypterBase {
|
||||||
|
DecrypterV105(Version ilpVersion, byte[] key) {
|
||||||
|
setVersion(ilpVersion);
|
||||||
|
this.startOffset = 0xA0;
|
||||||
|
this.decryptionKey = key;
|
||||||
|
this.decryptionKeyMod = key.Length - 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static DecrypterV105 create(IBinaryReader reader) {
|
||||||
|
reader.Position = 0;
|
||||||
|
if (reader.Length < 0xA4)
|
||||||
|
return null;
|
||||||
|
var key = reader.ReadBytes(0x94);
|
||||||
|
if (!Utils.compare(reader.ReadBytes(8), ilpPublicKeyToken))
|
||||||
|
return null;
|
||||||
|
return new DecrypterV105(new Version(reader.ReadByte(), reader.ReadByte(), reader.ReadByte(), reader.ReadByte()), key);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 1.0.6
|
||||||
|
class DecrypterV106 : DecrypterBase {
|
||||||
|
byte[] decryptionKey6;
|
||||||
|
byte[] decryptionKey7;
|
||||||
|
|
||||||
|
DecrypterV106(byte[] key0, byte[] key6, byte[] key7, int startOffset) {
|
||||||
|
this.ilpVersion = "1.0.6";
|
||||||
|
this.startOffset = startOffset;
|
||||||
|
this.decryptionKey = key0;
|
||||||
|
this.decryptionKey6 = key6;
|
||||||
|
this.decryptionKey7 = key7;
|
||||||
|
this.decryptionKeyMod = key0.Length - 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static DecrypterV106 create(IBinaryReader reader) {
|
||||||
|
try {
|
||||||
|
int keyXorOffs2 = (ReadByteAt(reader, 0) ^ ReadByteAt(reader, 2)) + 2;
|
||||||
|
reader.Position = keyXorOffs2 + (ReadByteAt(reader, 1) ^ ReadByteAt(reader, keyXorOffs2));
|
||||||
|
|
||||||
|
int sha1DataLen = reader.Read7BitEncodedInt32() + 0x80;
|
||||||
|
int keyXorOffs1 = (int)reader.Position;
|
||||||
|
int encryptedOffs = (int)reader.Position + sha1DataLen;
|
||||||
|
var sha1Data = reader.ReadBytes(sha1DataLen);
|
||||||
|
uint crc32 = CRC32.checksum(sha1Data);
|
||||||
|
|
||||||
|
reader.Position = reader.Length - 0x18;
|
||||||
|
uint origCrc32 = reader.ReadUInt32();
|
||||||
|
if (crc32 != origCrc32)
|
||||||
|
return null;
|
||||||
|
|
||||||
|
var key0 = DeobUtils.sha1Sum(sha1Data); // 1.0.6.0
|
||||||
|
var key6 = getKey(reader, key0, keyXorOffs1); // 1.0.6.6
|
||||||
|
var key7 = getKey(reader, key0, keyXorOffs2); // 1.0.6.7
|
||||||
|
return new DecrypterV106(key0, key6, key7, encryptedOffs);
|
||||||
|
}
|
||||||
|
catch (IOException) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static byte[] getKey(IBinaryReader reader, byte[] sha1Sum, int offs) {
|
||||||
|
var key = (byte[])sha1Sum.Clone();
|
||||||
|
reader.Position = offs;
|
||||||
|
for (int i = 0; i < key.Length; i++) {
|
||||||
|
byte b = reader.ReadByte();
|
||||||
|
key[i] ^= b;
|
||||||
|
}
|
||||||
|
return key;
|
||||||
|
}
|
||||||
|
|
||||||
|
static byte ReadByteAt(IBinaryReader reader, int offs) {
|
||||||
|
reader.Position = offs;
|
||||||
|
byte b = reader.ReadByte();
|
||||||
|
return b;
|
||||||
|
}
|
||||||
|
|
||||||
|
public override byte[] getMethodsData(EmbeddedResource resource) {
|
||||||
|
var reader = resource.Data;
|
||||||
|
var keys = new byte[][] { decryptionKey, decryptionKey6, decryptionKey7 };
|
||||||
|
foreach (var key in keys) {
|
||||||
|
try {
|
||||||
|
reader.Position = startOffset;
|
||||||
|
var decrypted = new byte[reader.Read7BitEncodedUInt32()];
|
||||||
|
uint origCrc32 = reader.ReadUInt32();
|
||||||
|
decompress(decrypted, reader, key, decryptionKeyMod);
|
||||||
|
uint crc32 = CRC32.checksum(decrypted);
|
||||||
|
if (crc32 == origCrc32)
|
||||||
|
return decrypted;
|
||||||
|
}
|
||||||
|
catch (OutOfMemoryException) {
|
||||||
|
}
|
||||||
|
catch (IOException) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
throw new ApplicationException("Could not decrypt methods data");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
class MethodInfo2 {
|
class MethodInfo2 {
|
||||||
public int id;
|
public int id;
|
||||||
|
@ -64,8 +255,8 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
||||||
get { return delegateTypes; }
|
get { return delegateTypes; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public Version Version {
|
public string Version {
|
||||||
get { return ilpVersion; }
|
get { return decrypter == null ? null : decrypter.Version; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool Detected {
|
public bool Detected {
|
||||||
|
@ -85,7 +276,8 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
||||||
var reader = resource.Data;
|
var reader = resource.Data;
|
||||||
reader.Position = 0;
|
reader.Position = 0;
|
||||||
if (!checkResourceV100(reader) &&
|
if (!checkResourceV100(reader) &&
|
||||||
!checkResourceV105(reader))
|
!checkResourceV105(reader) &&
|
||||||
|
!checkResourceV106(reader))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
methodsResource = resource;
|
methodsResource = resource;
|
||||||
|
@ -93,91 +285,31 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// 1.0.0 - 1.0.4
|
|
||||||
bool checkResourceV100(IBinaryReader reader) {
|
bool checkResourceV100(IBinaryReader reader) {
|
||||||
reader.Position = 0;
|
decrypter = DecrypterV100.create(reader);
|
||||||
if (reader.Length < 12)
|
return decrypter != null;
|
||||||
return false;
|
|
||||||
if (reader.ReadUInt32() != RESOURCE_MAGIC)
|
|
||||||
return false;
|
|
||||||
ilpVersion = new Version(reader.ReadByte(), reader.ReadByte(), reader.ReadByte(), reader.ReadByte());
|
|
||||||
startOffset = 8;
|
|
||||||
decryptionKey = ilpPublicKeyToken;
|
|
||||||
decryptionKeyMod = 8;
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// 1.0.5+
|
|
||||||
bool checkResourceV105(IBinaryReader reader) {
|
bool checkResourceV105(IBinaryReader reader) {
|
||||||
reader.Position = 0;
|
decrypter = DecrypterV105.create(reader);
|
||||||
if (reader.Length < 0xA4)
|
return decrypter != null;
|
||||||
return false;
|
}
|
||||||
var key = reader.ReadBytes(0x94);
|
|
||||||
if (!Utils.compare(reader.ReadBytes(8), ilpPublicKeyToken))
|
bool checkResourceV106(IBinaryReader reader) {
|
||||||
return false;
|
decrypter = DecrypterV106.create(reader);
|
||||||
ilpVersion = new Version(reader.ReadByte(), reader.ReadByte(), reader.ReadByte(), reader.ReadByte());
|
return decrypter != null;
|
||||||
startOffset = 0xA0;
|
|
||||||
decryptionKey = key;
|
|
||||||
decryptionKeyMod = key.Length - 1;
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void decrypt() {
|
public void decrypt() {
|
||||||
if (methodsResource == null)
|
if (methodsResource == null || decrypter == null)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
foreach (var info in readMethodInfos(getMethodsData(methodsResource)))
|
foreach (var info in readMethodInfos(decrypter.getMethodsData(methodsResource)))
|
||||||
methodInfos[info.id] = info;
|
methodInfos[info.id] = info;
|
||||||
|
|
||||||
restoreMethods();
|
restoreMethods();
|
||||||
}
|
}
|
||||||
|
|
||||||
byte[] getMethodsData(EmbeddedResource resource) {
|
|
||||||
var reader = resource.Data;
|
|
||||||
reader.Position = 0;
|
|
||||||
reader.Position = startOffset;
|
|
||||||
if ((reader.ReadInt32() & 1) != 0)
|
|
||||||
return decompress(reader);
|
|
||||||
else
|
|
||||||
return reader.ReadRemainingBytes();
|
|
||||||
}
|
|
||||||
|
|
||||||
byte[] decompress(IBinaryReader reader) {
|
|
||||||
return decompress(reader, decryptionKey, decryptionKeyMod);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void copy(byte[] src, int srcIndex, byte[] dst, int dstIndex, int size) {
|
|
||||||
for (int i = 0; i < size; i++)
|
|
||||||
dst[dstIndex++] = src[srcIndex++];
|
|
||||||
}
|
|
||||||
|
|
||||||
static byte[] decompress(IBinaryReader reader, byte[] key, int keyMod) {
|
|
||||||
var decrypted = new byte[reader.Read7BitEncodedUInt32()];
|
|
||||||
|
|
||||||
int destIndex = 0;
|
|
||||||
while (reader.Position < reader.Length) {
|
|
||||||
byte flags = reader.ReadByte();
|
|
||||||
for (int mask = 1; mask != 0x100; mask <<= 1) {
|
|
||||||
if (reader.Position >= reader.Length)
|
|
||||||
break;
|
|
||||||
if ((flags & mask) != 0) {
|
|
||||||
int displ = (int)reader.Read7BitEncodedUInt32();
|
|
||||||
int size = (int)reader.Read7BitEncodedUInt32();
|
|
||||||
copy(decrypted, destIndex - displ, decrypted, destIndex, size);
|
|
||||||
destIndex += size;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
byte b = reader.ReadByte();
|
|
||||||
if (key != null)
|
|
||||||
b ^= key[destIndex % keyMod];
|
|
||||||
decrypted[destIndex++] = b;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return decrypted;
|
|
||||||
}
|
|
||||||
|
|
||||||
static MethodInfo2[] readMethodInfos(byte[] data) {
|
static MethodInfo2[] readMethodInfos(byte[] data) {
|
||||||
var reader = MemoryImageStream.Create(data);
|
var reader = MemoryImageStream.Create(data);
|
||||||
int numMethods = (int)reader.Read7BitEncodedUInt32();
|
int numMethods = (int)reader.Read7BitEncodedUInt32();
|
||||||
|
|
Loading…
Reference in New Issue
Block a user