From 84e0aa0b77b6bdeb73108b9c63032f6da7b1e9a6 Mon Sep 17 00:00:00 2001 From: PythEch Date: Sat, 23 Jan 2016 22:55:29 +0200 Subject: [PATCH] Fix the calculation of magic It seems that Eazfuscator.NET sometimes calculates the magic with different constants so I had to get them programmatically --- .../Eazfuscator_NET/DecrypterType.cs | 71 ++++++++++++++++--- 1 file changed, 62 insertions(+), 9 deletions(-) diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/DecrypterType.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/DecrypterType.cs index 06e48893..17151949 100644 --- a/de4dot.code/deobfuscators/Eazfuscator_NET/DecrypterType.cs +++ b/de4dot.code/deobfuscators/Eazfuscator_NET/DecrypterType.cs @@ -216,6 +216,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { return false; } + static List GetBinaryIntMethods(TypeDef type) { var list = new List(); foreach (var method in type.Methods) { @@ -336,6 +337,51 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { return BinOp1(efConstMethods[5].DeclaringType.MDToken.ToInt32(), BinOp3(BinOp2(efConstMethods[4].DeclaringType.MDToken.ToInt32(), efConstMethods[0].DeclaringType.MDToken.ToInt32()), BinOp3(efConstMethods[2].DeclaringType.MDToken.ToInt32() ^ i3, ConstMethod5()))); } + bool FindShiftInts(MethodDef method, out List bytes) { + var instrs = method.Body.Instructions; + var constantsReader = new EfConstantsReader(method); + bytes = new List(8); + + for (int i = 0; i < instrs.Count - 4; i++) { + if (bytes.Count >= 8) + return true; + + var ldloc1 = instrs[i]; + if (ldloc1.OpCode.Code != Code.Ldloc_1) + continue; + + var ldlocs = instrs[i + 1]; + if (ldlocs.OpCode.Code != Code.Ldloc_S) + continue; + + var maybe = instrs[i + 2]; + if (maybe.OpCode.Code == Code.Conv_U1) { + var callvirt = instrs[i + 3]; + if (callvirt.OpCode.Code != Code.Callvirt) + return false; + + bytes.Add(0); + continue; + } + var shr = instrs[i + 3]; + if (shr.OpCode.Code != Code.Shr) + return false; + + var convu1 = instrs[i + 4]; + if (convu1.OpCode.Code != Code.Conv_U1) + return false; + + int constant; + int index = i + 2; + if (!constantsReader.GetInt32(ref index, out constant)) + return false; + + bytes.Add(constant); + } + + return false; + } + public ulong GetMagic() { if (type == null) throw new ApplicationException("Can't calculate magic since type isn't initialized"); @@ -346,15 +392,22 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { bytes.AddRange(module.Assembly.PublicKeyToken.Data); bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.String)); } - int cm1 = ConstMethod1(); - bytes.Add((byte)(type.MDToken.ToInt32() >> 24)); - bytes.Add((byte)(cm1 >> 16)); - bytes.Add((byte)(type.MDToken.ToInt32() >> 8)); - bytes.Add((byte)cm1); - bytes.Add((byte)(type.MDToken.ToInt32() >> 16)); - bytes.Add((byte)(cm1 >> 8)); - bytes.Add((byte)type.MDToken.ToInt32()); - bytes.Add((byte)(cm1 >> 24)); + + List shiftConsts; + if (!FindShiftInts(int64Method, out shiftConsts)) + throw new ApplicationException("Could not extract magic constants"); + + int num3 = ConstMethod1(); + int num2 = type.MDToken.ToInt32(); + + bytes.Add((byte)(num2 >> shiftConsts[0])); + bytes.Add((byte)(num3 >> shiftConsts[1])); + bytes.Add((byte)(num2 >> shiftConsts[2])); + bytes.Add((byte)(num3 >> shiftConsts[3])); + bytes.Add((byte)(num2 >> shiftConsts[4])); + bytes.Add((byte)(num3 >> shiftConsts[5])); + bytes.Add((byte)(num2 >> shiftConsts[6])); + bytes.Add((byte)(num3 >> shiftConsts[7])); ulong magic = 0; foreach (var b in bytes) {