monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add Confuser 1.0 proxy call fixer

Browse Source
This commit is contained in:
de4dot 2012-07-30 09:16:52 +02:00
parent 1e7be5c619
commit 85ce802131
3 changed files with 357 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
de4dot.code/de4dot.code.csproj
View File

@ -78,6 +78,7 @@
<Compile Include="deobfuscators\Confuser\MemoryMethodsDecrypter.cs" />
<Compile Include="deobfuscators\Confuser\MethodsDecrypterBase.cs" />
<Compile Include="deobfuscators\Confuser\ProxyCallFixer.cs" />
<Compile Include="deobfuscators\Confuser\ProxyCallFixerV1.cs" />
<Compile Include="deobfuscators\Confuser\ResourceDecrypter.cs" />
<Compile Include="deobfuscators\Confuser\x86Emulator.cs" />
<Compile Include="deobfuscators\dotNET_Reactor\v4\ProxyCallFixer.cs" />

24
de4dot.code/deobfuscators/Confuser/Deobfuscator.cs
View File

@ -69,6 +69,7 @@ namespace de4dot.code.deobfuscators.Confuser {
JitMethodsDecrypter jitMethodsDecrypter;
MemoryMethodsDecrypter memoryMethodsDecrypter;
ProxyCallFixer proxyCallFixer;
ProxyCallFixerV1 proxyCallFixerV1;
AntiDebugger antiDebugger;
AntiDumping antiDumping;
ResourceDecrypter resourceDecrypter;
@ -122,6 +123,7 @@ namespace de4dot.code.deobfuscators.Confuser {
int sum = toInt32(jitMethodsDecrypter != null ? jitMethodsDecrypter.Detected : false) +
toInt32(memoryMethodsDecrypter != null ? memoryMethodsDecrypter.Detected : false) +
toInt32(proxyCallFixer != null ? proxyCallFixer.Detected : false) +
toInt32(proxyCallFixerV1 != null ? proxyCallFixerV1.Detected : false) +
toInt32(antiDebugger != null ? antiDebugger.Detected : false) +
toInt32(antiDumping != null ? antiDumping.Detected : false) +
toInt32(resourceDecrypter != null ? resourceDecrypter.Detected : false) +
@ -157,6 +159,10 @@ namespace de4dot.code.deobfuscators.Confuser {
initializeConstantsDecrypter();
proxyCallFixer = new ProxyCallFixer(module, getFileData(), DeobfuscatedFile);
proxyCallFixer.findDelegateCreator();
if (!proxyCallFixer.Detected) {
proxyCallFixerV1 = new ProxyCallFixerV1(module);
proxyCallFixerV1.findDelegateCreator();
}
antiDebugger = new AntiDebugger(module);
antiDebugger.find();
antiDumping = new AntiDumping(module);
@ -235,7 +241,10 @@ namespace de4dot.code.deobfuscators.Confuser {
addTypeToBeRemoved(antiDumping.Type, "Anti dumping type");
}
proxyCallFixer.find();
if (proxyCallFixer != null)
proxyCallFixer.find();
if (proxyCallFixerV1 != null)
proxyCallFixerV1.find();
startedDeobfuscating = true;
}
@ -283,7 +292,10 @@ namespace de4dot.code.deobfuscators.Confuser {
}
public override void deobfuscateMethodEnd(Blocks blocks) {
proxyCallFixer.deobfuscate(blocks);
if (proxyCallFixer != null)
proxyCallFixer.deobfuscate(blocks);
if (proxyCallFixerV1 != null)
proxyCallFixerV1.deobfuscate(blocks);
resourceDecrypter.deobfuscate(blocks);
int32ValueInliner.decrypt(blocks);
int64ValueInliner.decrypt(blocks);
@ -293,7 +305,13 @@ namespace de4dot.code.deobfuscators.Confuser {
}
public override void deobfuscateEnd() {
removeProxyDelegates(proxyCallFixer);
if (proxyCallFixer != null)
removeProxyDelegates(proxyCallFixer);
if (proxyCallFixerV1 != null) {
if (removeProxyDelegates(proxyCallFixerV1))
addFieldsToBeRemoved(proxyCallFixerV1.Fields, "Proxy delegate instance field");
proxyCallFixerV1.cleanUp();
}
constantsDecrypter.cleanUp();
base.deobfuscateEnd();

335
de4dot.code/deobfuscators/Confuser/ProxyCallFixerV1.cs Normal file
View File

@ -0,0 +1,335 @@
/*
Copyright (C) 2011-2012 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Confuser {
class ProxyCallFixerV1 : ProxyCallFixer2 {
MethodDefinitionAndDeclaringTypeDict<ProxyCreatorInfo> methodToInfo = new MethodDefinitionAndDeclaringTypeDict<ProxyCreatorInfo>();
FieldDefinitionAndDeclaringTypeDict<MethodDefinition> fieldToMethod = new FieldDefinitionAndDeclaringTypeDict<MethodDefinition>();
string ourAsm;
enum ProxyCreatorType {
None,
CallOrCallvirt,
Newobj,
}
class ProxyCreatorInfo {
public readonly MethodDefinition creatorMethod;
public readonly ProxyCreatorType proxyCreatorType;
public ProxyCreatorInfo(MethodDefinition creatorMethod, ProxyCreatorType proxyCreatorType) {
this.creatorMethod = creatorMethod;
this.proxyCreatorType = proxyCreatorType;
}
}
class DelegateInitInfo {
public readonly byte[] data;
public readonly FieldDefinition field;
public readonly MethodDefinition creatorMethod;
public DelegateInitInfo(string data, FieldDefinition field, MethodDefinition creatorMethod) {
this.data = Convert.FromBase64String(data);
this.field = field;
this.creatorMethod = creatorMethod;
}
}
protected override bool ProxyCallIsObfuscated {
get { return true; }
}
public IEnumerable<FieldDefinition> Fields {
get { return fieldToMethod.getKeys(); }
}
public override IEnumerable<Tuple<MethodDefinition, string>> OtherMethods {
get {
var list = new List<Tuple<MethodDefinition, string>>();
foreach (var creatorMethod in methodToInfo.getKeys()) {
list.Add(new Tuple<MethodDefinition, string> {
Item1 = creatorMethod,
Item2 = "Delegate creator method",
});
}
foreach (var method in fieldToMethod.getValues()) {
list.Add(new Tuple<MethodDefinition, string> {
Item1 = method,
Item2 = "Proxy delegate method",
});
}
return list;
}
}
public ProxyCallFixerV1(ModuleDefinition module)
: base(module) {
ourAsm = (module.Assembly.Name ?? new AssemblyNameReference(" -1-1-1-1-1- ", new Version(1, 2, 3, 4))).FullName;
}
protected override object checkCctor(TypeDefinition type, MethodDefinition cctor) {
throw new NotSupportedException();
}
protected override void getCallInfo(object context, FieldDefinition field, out MethodReference calledMethod, out OpCode callOpcode) {
var info = (DelegateInitInfo)context;
var creatorInfo = methodToInfo.find(info.creatorMethod);
var reader = new BinaryReader(new MemoryStream(info.data));
bool isCallvirt = false;
if (creatorInfo.proxyCreatorType == ProxyCreatorType.CallOrCallvirt)
isCallvirt = reader.ReadBoolean();
var asmRef = readAssemblyNameReference(reader);
uint token = reader.ReadUInt32();
if (reader.BaseStream.Position != reader.BaseStream.Length)
throw new ApplicationException("Extra data");
if (asmRef.FullName == ourAsm)
calledMethod = (MethodReference)module.LookupToken((int)token);
else
calledMethod = createMethodReference(asmRef, token);
callOpcode = getCallOpCode(creatorInfo, isCallvirt);
}
// A method token is not a stable value so this method can fail to return the correct method!
// There's nothing I can do about that. It's an obfuscator bug.
MethodReference createMethodReference(AssemblyNameReference asmRef, uint methodToken) {
var asm = AssemblyResolver.Instance.Resolve(asmRef);
if (asm == null)
return null;
var method = asm.MainModule.LookupToken((int)methodToken) as MethodDefinition;
if (method == null)
return null;
return module.Import(method);
}
static AssemblyNameReference readAssemblyNameReference(BinaryReader reader) {
var name = readString(reader);
var version = new Version(reader.ReadInt16(), reader.ReadInt16(), reader.ReadInt16(), reader.ReadInt16());
var culture = readString(reader);
byte[] pkt = reader.ReadBoolean() ? reader.ReadBytes(8) : null;
return new AssemblyNameReference(name, version) {
Culture = culture,
PublicKeyToken = pkt,
};
}
static string readString(BinaryReader reader) {
int len = reader.ReadByte();
var bytes = new byte[len];
for (int i = 0; i < len; i++)
bytes[i] = (byte)(reader.ReadByte() ^ len);
return Encoding.UTF8.GetString(bytes);
}
static OpCode getCallOpCode(ProxyCreatorInfo info, bool isCallvirt) {
switch (info.proxyCreatorType) {
case ProxyCreatorType.Newobj:
return OpCodes.Newobj;
case ProxyCreatorType.CallOrCallvirt:
return isCallvirt ? OpCodes.Callvirt : OpCodes.Call;
default: throw new NotImplementedException();
}
}
public void findDelegateCreator() {
var type = DotNetUtils.getModuleType(module);
foreach (var method in type.Methods) {
if (method.Body == null || !method.IsStatic || !method.IsAssembly)
continue;
if (!DotNetUtils.isMethod(method, "System.Void", "(System.String,System.RuntimeFieldHandle)"))
continue;
var proxyType = getProxyCreatorType(method);
if (proxyType == ProxyCreatorType.None)
continue;
setDelegateCreatorMethod(method);
methodToInfo.add(method, new ProxyCreatorInfo(method, proxyType));
}
}
static ProxyCreatorType getProxyCreatorType(MethodDefinition method) {
foreach (var instr in method.Body.Instructions) {
var field = instr.Operand as FieldReference;
if (field == null)
continue;
switch (field.FullName) {
case "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Call":
case "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Callvirt":
return ProxyCreatorType.CallOrCallvirt;
case "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Newobj":
return ProxyCreatorType.Newobj;
}
}
return ProxyCreatorType.None;
}
public new void find() {
if (delegateCreatorMethods.Count == 0)
return;
var cctor = DotNetUtils.getModuleTypeCctor(module);
if (cctor == null)
return;
Log.v("Finding all proxy delegates");
var delegateInfos = createDelegateInitInfos(cctor);
fieldToMethod = createFieldToMethodDictionary(cctor.DeclaringType);
if (delegateInfos.Count != fieldToMethod.Count)
throw new ApplicationException("Missing proxy delegates");
var delegateToFields = new Dictionary<TypeDefinition, List<FieldDefinition>>();
foreach (var field in fieldToMethod.getKeys()) {
List<FieldDefinition> list;
if (!delegateToFields.TryGetValue((TypeDefinition)field.FieldType, out list))
delegateToFields[(TypeDefinition)field.FieldType] = list = new List<FieldDefinition>();
list.Add(field);
}
foreach (var kv in delegateToFields) {
var type = kv.Key;
var fields = kv.Value;
Log.v("Found proxy delegate: {0} ({1:X8})", Utils.removeNewlines(type), type.MetadataToken.ToInt32());
RemovedDelegateCreatorCalls++;
Log.indent();
foreach (var field in fields) {
var proxyMethod = fieldToMethod.find(field);
if (proxyMethod == null)
continue;
var info = delegateInfos.find(field);
if (info == null)
throw new ApplicationException("Missing proxy info");
MethodReference calledMethod;
OpCode callOpcode;
getCallInfo(info, field, out calledMethod, out callOpcode);
if (calledMethod == null)
continue;
add(proxyMethod, new DelegateInfo(field, calledMethod, callOpcode));
Log.v("Field: {0}, Opcode: {1}, Method: {2} ({3:X8})",
Utils.removeNewlines(field.Name),
callOpcode,
Utils.removeNewlines(calledMethod),
calledMethod.MetadataToken.ToUInt32());
}
Log.deIndent();
delegateTypesDict[type] = true;
}
}
FieldDefinitionAndDeclaringTypeDict<DelegateInitInfo> createDelegateInitInfos(MethodDefinition method) {
var infos = new FieldDefinitionAndDeclaringTypeDict<DelegateInitInfo>();
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++) {
var ldstr = instrs[i];
if (ldstr.OpCode.Code != Code.Ldstr)
continue;
var info = ldstr.Operand as string;
if (info == null)
continue;
var ldtoken = instrs[i + 1];
if (ldtoken.OpCode.Code != Code.Ldtoken)
continue;
var delegateField = ldtoken.Operand as FieldDefinition;
if (delegateField == null)
continue;
var delegateType = delegateField.FieldType as TypeDefinition;
if (!DotNetUtils.derivesFromDelegate(delegateType))
continue;
var call = instrs[i + 2];
if (call.OpCode.Code != Code.Call)
continue;
var delegateCreatorMethod = call.Operand as MethodDefinition;
if (delegateCreatorMethod == null || !isDelegateCreatorMethod(delegateCreatorMethod))
continue;
infos.add(delegateField, new DelegateInitInfo(info, delegateField, delegateCreatorMethod));
i += 2;
}
return infos;
}
static FieldDefinitionAndDeclaringTypeDict<MethodDefinition> createFieldToMethodDictionary(TypeDefinition type) {
var dict = new FieldDefinitionAndDeclaringTypeDict<MethodDefinition>();
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null || method.Name == ".cctor")
continue;
var delegateField = getDelegateField(method);
if (delegateField == null)
continue;
dict.add(delegateField, method);
}
return dict;
}
static FieldDefinition getDelegateField(MethodDefinition method) {
if (method == null || method.Body == null)
return null;
FieldDefinition field = null;
bool foundInvoke = false;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code == Code.Ldsfld) {
var field2 = instr.Operand as FieldDefinition;
if (field2 == null || field2.DeclaringType != method.DeclaringType)
continue;
if (field != null)
return null;
if (!DotNetUtils.derivesFromDelegate(field2.FieldType as TypeDefinition))
continue;
field = field2;
}
else if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
var calledMethod = instr.Operand as MethodReference;
foundInvoke |= calledMethod != null && calledMethod.Name == "Invoke";
}
}
return foundInvoke ? field : null;
}
public void cleanUp() {
if (!Detected)
return;
var cctor = DotNetUtils.getModuleTypeCctor(module);
if (cctor == null)
return;
cctor.Body.Instructions.Clear();
cctor.Body.Instructions.Add(Instruction.Create(OpCodes.Ret));
}
}
}