Fix the calculation of magic

It seems that Eazfuscator.NET sometimes calculates the magic with different constants so I had to get them programmatically
2016-01-23 22:55:29 +02:00 · 2016-01-23 22:55:29 +02:00 · 84e0aa0b77
parent 63607a6678
commit 84e0aa0b77
1 changed files with 62 additions and 9 deletions
--- a/de4dot.code/deobfuscators/Eazfuscator_NET/DecrypterType.cs
+++ b/de4dot.code/deobfuscators/Eazfuscator_NET/DecrypterType.cs
@ -216,6 +216,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 			return false;
 		}

+		
 		static List<MethodDef> GetBinaryIntMethods(TypeDef type) {
 			var list = new List<MethodDef>();
 			foreach (var method in type.Methods) {
@ -336,6 +337,51 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 			return BinOp1(efConstMethods[5].DeclaringType.MDToken.ToInt32(), BinOp3(BinOp2(efConstMethods[4].DeclaringType.MDToken.ToInt32(), efConstMethods[0].DeclaringType.MDToken.ToInt32()), BinOp3(efConstMethods[2].DeclaringType.MDToken.ToInt32() ^ i3, ConstMethod5())));
 		}

+		bool FindShiftInts(MethodDef method, out List<int> bytes) {
+			var instrs = method.Body.Instructions;
+			var constantsReader = new EfConstantsReader(method);
+			bytes = new List<int>(8);
+
+			for (int i = 0; i < instrs.Count - 4; i++) {
+				if (bytes.Count >= 8)
+					return true;
+
+				var ldloc1 = instrs[i];
+				if (ldloc1.OpCode.Code != Code.Ldloc_1)
+					continue;
+
+				var ldlocs = instrs[i + 1];
+				if (ldlocs.OpCode.Code != Code.Ldloc_S)
+					continue;
+
+				var maybe = instrs[i + 2];
+				if (maybe.OpCode.Code == Code.Conv_U1) {
+					var callvirt = instrs[i + 3];
+					if (callvirt.OpCode.Code != Code.Callvirt)
+						return false;
+
+					bytes.Add(0);
+					continue;
+				}
+				var shr = instrs[i + 3];
+				if (shr.OpCode.Code != Code.Shr)
+					return false;
+
+				var convu1 = instrs[i + 4];
+				if (convu1.OpCode.Code != Code.Conv_U1)
+					return false;
+
+				int constant;
+				int index = i + 2;
+				if (!constantsReader.GetInt32(ref index, out constant))
+					return false;
+
+				bytes.Add(constant);
+			}
+
+			return false;
+		}
+
 		public ulong GetMagic() {
 			if (type == null)
 				throw new ApplicationException("Can't calculate magic since type isn't initialized");
@ -346,15 +392,22 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 					bytes.AddRange(module.Assembly.PublicKeyToken.Data);
 				bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.String));
 			}
-			int cm1 = ConstMethod1();
-			bytes.Add((byte)(type.MDToken.ToInt32() >> 24));
-			bytes.Add((byte)(cm1 >> 16));
-			bytes.Add((byte)(type.MDToken.ToInt32() >> 8));
-			bytes.Add((byte)cm1);
-			bytes.Add((byte)(type.MDToken.ToInt32() >> 16));
-			bytes.Add((byte)(cm1 >> 8));
-			bytes.Add((byte)type.MDToken.ToInt32());
-			bytes.Add((byte)(cm1 >> 24));
+
+			List<int> shiftConsts;
+			if (!FindShiftInts(int64Method, out shiftConsts))
+				throw new ApplicationException("Could not extract magic constants");
+
+			int num3 = ConstMethod1();
+			int num2 = type.MDToken.ToInt32();
+
+			bytes.Add((byte)(num2 >> shiftConsts[0]));
+			bytes.Add((byte)(num3 >> shiftConsts[1]));
+			bytes.Add((byte)(num2 >> shiftConsts[2]));
+			bytes.Add((byte)(num3 >> shiftConsts[3]));
+			bytes.Add((byte)(num2 >> shiftConsts[4]));
+			bytes.Add((byte)(num3 >> shiftConsts[5]));
+			bytes.Add((byte)(num2 >> shiftConsts[6]));
+			bytes.Add((byte)(num3 >> shiftConsts[7]));

 			ulong magic = 0;
 			foreach (var b in bytes) {