Refactor string decrypter
This commit is contained in:
de4dot
parent
d24da2f24c
commit
823d3b07a7
|
|
@ -77,6 +77,7 @@
|
|||
<Compile Include="deobfuscators\DeobfuscatorInfoBase.cs" />
|
||||
<Compile Include="deobfuscators\DeobUtils.cs" />
|
||||
<Compile Include="deobfuscators\Dotfuscator\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\Dotfuscator\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\AntiStrongName.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeUnpacker.cs" />
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@
|
|||
|
||||
using System.Collections.Generic;
|
||||
using Mono.Cecil;
|
||||
using Mono.Cecil.Cil;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.Dotfuscator {
|
||||
|
|
@ -50,17 +49,9 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
|
|||
class Deobfuscator : DeobfuscatorBase {
|
||||
Options options;
|
||||
string obfuscatorName = "Dotfuscator";
|
||||
Dictionary<MethodReference, StringDecrypterInfo> stringDecrypterMethods = new Dictionary<MethodReference, StringDecrypterInfo>();
|
||||
bool foundDotfuscatorAttribute = false;
|
||||
|
||||
class StringDecrypterInfo {
|
||||
public MethodDefinition method;
|
||||
public int magic;
|
||||
public StringDecrypterInfo(MethodDefinition method, int magic) {
|
||||
this.method = method;
|
||||
this.magic = magic;
|
||||
}
|
||||
}
|
||||
StringDecrypter stringDecrypter;
|
||||
bool foundDotfuscatorAttribute = false;
|
||||
|
||||
internal class Options : OptionsBase {
|
||||
}
|
||||
|
|
@ -85,17 +76,18 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
|
|||
protected override int detectInternal() {
|
||||
int val = 0;
|
||||
|
||||
if (foundDotfuscatorAttribute)
|
||||
val += 100;
|
||||
if (stringDecrypterMethods.Count > 0)
|
||||
val += 10;
|
||||
int sum = convert(foundDotfuscatorAttribute) +
|
||||
convert(stringDecrypter.Detected);
|
||||
if (sum > 0)
|
||||
val += 100 + 10 * (sum - 1);
|
||||
|
||||
return val;
|
||||
}
|
||||
|
||||
protected override void scanForObfuscator() {
|
||||
stringDecrypter = new StringDecrypter(module);
|
||||
stringDecrypter.find(DeobfuscatedFile);
|
||||
findDotfuscatorAttribute();
|
||||
findStringDecrypterMethods();
|
||||
}
|
||||
|
||||
void findDotfuscatorAttribute() {
|
||||
|
|
@ -120,66 +112,22 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
|
|||
obfuscatorName = "Dotfuscator " + val.Groups[1].ToString();
|
||||
}
|
||||
|
||||
void findStringDecrypterMethods() {
|
||||
foreach (var type in module.GetTypes())
|
||||
findStringDecrypterMethods(type);
|
||||
}
|
||||
|
||||
void findStringDecrypterMethods(TypeDefinition type) {
|
||||
foreach (var method in DotNetUtils.findMethods(type.Methods, "System.String", new string[] { "System.String", "System.Int32" })) {
|
||||
if (method.Body.HasExceptionHandlers)
|
||||
continue;
|
||||
|
||||
var methodCalls = DotNetUtils.getMethodCallCounts(method);
|
||||
if (methodCalls.count("System.Char[] System.String::ToCharArray()") != 1)
|
||||
continue;
|
||||
if (methodCalls.count("System.String System.String::Intern(System.String)") != 1)
|
||||
continue;
|
||||
|
||||
DeobfuscatedFile.deobfuscate(method);
|
||||
var instructions = method.Body.Instructions;
|
||||
for (int i = 0; i <= instructions.Count - 3; i++) {
|
||||
var ldci4 = method.Body.Instructions[i];
|
||||
if (!DotNetUtils.isLdcI4(ldci4))
|
||||
continue;
|
||||
if (instructions[i + 1].OpCode.Code != Code.Ldarg_1)
|
||||
continue;
|
||||
if (instructions[i + 2].OpCode.Code != Code.Add)
|
||||
continue;
|
||||
|
||||
var info = new StringDecrypterInfo(method, DotNetUtils.getLdcI4Value(ldci4));
|
||||
Log.v("Found string decrypter method: {0}, magic: 0x{1:X8}", info.method, info.magic);
|
||||
stringDecrypterMethods[info.method] = info;
|
||||
staticStringDecrypter.add(info.method, (method2, args) => decryptString(stringDecrypterMethods[method2], (string)args[0], (int)args[1]));
|
||||
break;
|
||||
}
|
||||
}
|
||||
public override void deobfuscateBegin() {
|
||||
base.deobfuscateBegin();
|
||||
foreach (var info in stringDecrypter.StringDecrypterInfos)
|
||||
staticStringDecrypter.add(info.method, (method, args) => stringDecrypter.decrypt(method, (string)args[0], (int)args[1]));
|
||||
}
|
||||
|
||||
public override void deobfuscateEnd() {
|
||||
if (Operations.DecryptStrings != OpDecryptString.None) {
|
||||
foreach (var method in stringDecrypterMethods.Keys)
|
||||
addMethodToBeRemoved(stringDecrypterMethods[method].method, "String decrypter method");
|
||||
}
|
||||
if (Operations.DecryptStrings != OpDecryptString.None)
|
||||
addMethodsToBeRemoved(stringDecrypter.StringDecrypters, "String decrypter method");
|
||||
|
||||
base.deobfuscateEnd();
|
||||
}
|
||||
|
||||
static string decryptString(StringDecrypterInfo info, string encrypted, int value) {
|
||||
char[] chars = encrypted.ToCharArray();
|
||||
byte key = (byte)(info.magic + value);
|
||||
for (int i = 0; i < chars.Length; i++) {
|
||||
char c = chars[i];
|
||||
byte b1 = (byte)((byte)c ^ key++);
|
||||
byte b2 = (byte)((byte)(c >> 8) ^ key++);
|
||||
chars[i] = (char)((b1 << 8) | b2);
|
||||
}
|
||||
return new string(chars);
|
||||
}
|
||||
|
||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
||||
var list = new List<string>();
|
||||
foreach (var method in stringDecrypterMethods.Keys)
|
||||
foreach (var method in stringDecrypter.StringDecrypters)
|
||||
list.Add(method.MetadataToken.ToInt32().ToString("X8"));
|
||||
return list;
|
||||
}
|
||||
|
|
|
|||
108
de4dot.code/deobfuscators/Dotfuscator/StringDecrypter.cs
Normal file
108
de4dot.code/deobfuscators/Dotfuscator/StringDecrypter.cs
Normal file
|
|
@ -0,0 +1,108 @@
|
|||
/*
|
||||
Copyright (C) 2011 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using System.Collections.Generic;
|
||||
using Mono.Cecil;
|
||||
using Mono.Cecil.Cil;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.Dotfuscator {
|
||||
class StringDecrypter {
|
||||
ModuleDefinition module;
|
||||
Dictionary<MethodReference, StringDecrypterInfo> stringDecrypterMethods = new Dictionary<MethodReference, StringDecrypterInfo>();
|
||||
|
||||
public class StringDecrypterInfo {
|
||||
public MethodDefinition method;
|
||||
public int magic;
|
||||
public StringDecrypterInfo(MethodDefinition method, int magic) {
|
||||
this.method = method;
|
||||
this.magic = magic;
|
||||
}
|
||||
}
|
||||
|
||||
public bool Detected {
|
||||
get { return stringDecrypterMethods.Count > 0; }
|
||||
}
|
||||
|
||||
public IEnumerable<MethodDefinition> StringDecrypters {
|
||||
get {
|
||||
var list = new List<MethodDefinition>(stringDecrypterMethods.Count);
|
||||
foreach (var info in stringDecrypterMethods)
|
||||
list.Add(info.Value.method);
|
||||
return list;
|
||||
}
|
||||
}
|
||||
|
||||
public IEnumerable<StringDecrypterInfo> StringDecrypterInfos {
|
||||
get { return stringDecrypterMethods.Values; }
|
||||
}
|
||||
|
||||
public StringDecrypter(ModuleDefinition module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public void find(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||
foreach (var type in module.GetTypes())
|
||||
findStringDecrypterMethods(type, simpleDeobfuscator);
|
||||
}
|
||||
|
||||
void findStringDecrypterMethods(TypeDefinition type, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||
foreach (var method in DotNetUtils.findMethods(type.Methods, "System.String", new string[] { "System.String", "System.Int32" })) {
|
||||
if (method.Body.HasExceptionHandlers)
|
||||
continue;
|
||||
|
||||
var methodCalls = DotNetUtils.getMethodCallCounts(method);
|
||||
if (methodCalls.count("System.Char[] System.String::ToCharArray()") != 1)
|
||||
continue;
|
||||
if (methodCalls.count("System.String System.String::Intern(System.String)") != 1)
|
||||
continue;
|
||||
|
||||
simpleDeobfuscator.deobfuscate(method);
|
||||
var instructions = method.Body.Instructions;
|
||||
for (int i = 0; i <= instructions.Count - 3; i++) {
|
||||
var ldci4 = method.Body.Instructions[i];
|
||||
if (!DotNetUtils.isLdcI4(ldci4))
|
||||
continue;
|
||||
if (instructions[i + 1].OpCode.Code != Code.Ldarg_1)
|
||||
continue;
|
||||
if (instructions[i + 2].OpCode.Code != Code.Add)
|
||||
continue;
|
||||
|
||||
var info = new StringDecrypterInfo(method, DotNetUtils.getLdcI4Value(ldci4));
|
||||
stringDecrypterMethods[info.method] = info;
|
||||
Log.v("Found string decrypter method: {0}, magic: 0x{1:X8}", info.method, info.magic);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public string decrypt(MethodReference method, string encrypted, int value) {
|
||||
var info = stringDecrypterMethods[method];
|
||||
char[] chars = encrypted.ToCharArray();
|
||||
byte key = (byte)(info.magic + value);
|
||||
for (int i = 0; i < chars.Length; i++) {
|
||||
char c = chars[i];
|
||||
byte b1 = (byte)((byte)c ^ key++);
|
||||
byte b2 = (byte)((byte)(c >> 8) ^ key++);
|
||||
chars[i] = (char)((b1 << 8) | b2);
|
||||
}
|
||||
return new string(chars);
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user