Fix the calculation of magic
It seems that Eazfuscator.NET sometimes calculates the magic with different constants so I had to get them programmatically
This commit is contained in:
parent
63607a6678
commit
84e0aa0b77
|
@ -216,6 +216,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static List<MethodDef> GetBinaryIntMethods(TypeDef type) {
|
static List<MethodDef> GetBinaryIntMethods(TypeDef type) {
|
||||||
var list = new List<MethodDef>();
|
var list = new List<MethodDef>();
|
||||||
foreach (var method in type.Methods) {
|
foreach (var method in type.Methods) {
|
||||||
|
@ -336,6 +337,51 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
return BinOp1(efConstMethods[5].DeclaringType.MDToken.ToInt32(), BinOp3(BinOp2(efConstMethods[4].DeclaringType.MDToken.ToInt32(), efConstMethods[0].DeclaringType.MDToken.ToInt32()), BinOp3(efConstMethods[2].DeclaringType.MDToken.ToInt32() ^ i3, ConstMethod5())));
|
return BinOp1(efConstMethods[5].DeclaringType.MDToken.ToInt32(), BinOp3(BinOp2(efConstMethods[4].DeclaringType.MDToken.ToInt32(), efConstMethods[0].DeclaringType.MDToken.ToInt32()), BinOp3(efConstMethods[2].DeclaringType.MDToken.ToInt32() ^ i3, ConstMethod5())));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool FindShiftInts(MethodDef method, out List<int> bytes) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
var constantsReader = new EfConstantsReader(method);
|
||||||
|
bytes = new List<int>(8);
|
||||||
|
|
||||||
|
for (int i = 0; i < instrs.Count - 4; i++) {
|
||||||
|
if (bytes.Count >= 8)
|
||||||
|
return true;
|
||||||
|
|
||||||
|
var ldloc1 = instrs[i];
|
||||||
|
if (ldloc1.OpCode.Code != Code.Ldloc_1)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var ldlocs = instrs[i + 1];
|
||||||
|
if (ldlocs.OpCode.Code != Code.Ldloc_S)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var maybe = instrs[i + 2];
|
||||||
|
if (maybe.OpCode.Code == Code.Conv_U1) {
|
||||||
|
var callvirt = instrs[i + 3];
|
||||||
|
if (callvirt.OpCode.Code != Code.Callvirt)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
bytes.Add(0);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
var shr = instrs[i + 3];
|
||||||
|
if (shr.OpCode.Code != Code.Shr)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
var convu1 = instrs[i + 4];
|
||||||
|
if (convu1.OpCode.Code != Code.Conv_U1)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
int constant;
|
||||||
|
int index = i + 2;
|
||||||
|
if (!constantsReader.GetInt32(ref index, out constant))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
bytes.Add(constant);
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
public ulong GetMagic() {
|
public ulong GetMagic() {
|
||||||
if (type == null)
|
if (type == null)
|
||||||
throw new ApplicationException("Can't calculate magic since type isn't initialized");
|
throw new ApplicationException("Can't calculate magic since type isn't initialized");
|
||||||
|
@ -346,15 +392,22 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
bytes.AddRange(module.Assembly.PublicKeyToken.Data);
|
bytes.AddRange(module.Assembly.PublicKeyToken.Data);
|
||||||
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.String));
|
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.String));
|
||||||
}
|
}
|
||||||
int cm1 = ConstMethod1();
|
|
||||||
bytes.Add((byte)(type.MDToken.ToInt32() >> 24));
|
List<int> shiftConsts;
|
||||||
bytes.Add((byte)(cm1 >> 16));
|
if (!FindShiftInts(int64Method, out shiftConsts))
|
||||||
bytes.Add((byte)(type.MDToken.ToInt32() >> 8));
|
throw new ApplicationException("Could not extract magic constants");
|
||||||
bytes.Add((byte)cm1);
|
|
||||||
bytes.Add((byte)(type.MDToken.ToInt32() >> 16));
|
int num3 = ConstMethod1();
|
||||||
bytes.Add((byte)(cm1 >> 8));
|
int num2 = type.MDToken.ToInt32();
|
||||||
bytes.Add((byte)type.MDToken.ToInt32());
|
|
||||||
bytes.Add((byte)(cm1 >> 24));
|
bytes.Add((byte)(num2 >> shiftConsts[0]));
|
||||||
|
bytes.Add((byte)(num3 >> shiftConsts[1]));
|
||||||
|
bytes.Add((byte)(num2 >> shiftConsts[2]));
|
||||||
|
bytes.Add((byte)(num3 >> shiftConsts[3]));
|
||||||
|
bytes.Add((byte)(num2 >> shiftConsts[4]));
|
||||||
|
bytes.Add((byte)(num3 >> shiftConsts[5]));
|
||||||
|
bytes.Add((byte)(num2 >> shiftConsts[6]));
|
||||||
|
bytes.Add((byte)(num3 >> shiftConsts[7]));
|
||||||
|
|
||||||
ulong magic = 0;
|
ulong magic = 0;
|
||||||
foreach (var b in bytes) {
|
foreach (var b in bytes) {
|
||||||
|
|
Loading…
Reference in New Issue