From a34b3f7855911ff61a76f64b0ba6cfc0495e666b Mon Sep 17 00:00:00 2001 From: de4dot Date: Wed, 22 Aug 2012 18:33:27 +0200 Subject: [PATCH 1/4] Support latest CO build --- de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs | 3 ++- de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs | 2 +- .../deobfuscators/CryptoObfuscator/ResourceDecrypter.cs | 5 +++-- .../deobfuscators/CryptoObfuscator/TamperDetection.cs | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs index 1704aa20..7b43c0ee 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs @@ -67,7 +67,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { !containsString(method, "run under a debugger") && !containsString(method, "run under debugger") && !containsString(method, "Debugger detected") && - !containsString(method, "Debugger was detected")) + !containsString(method, "Debugger was detected") && + !containsString(method, "{0} was detected")) continue; antiDebuggerType = type; diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs index 52288048..36110571 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs @@ -110,7 +110,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { MethodDefinition getProxyCreateMethod(TypeDefinition type) { if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null) return null; - if (type.Fields.Count < 1 || type.Fields.Count > 10) + if (type.Fields.Count < 1 || type.Fields.Count > 12) return null; MethodDefinition createMethod = null; 
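Review bot: The added literal `"{0} was detected"` in AntiDebugger.cs is a format template and is far less specific than the four debugger-specific strings above it, so on its own it could match a method that reports something unrelated. The conditions that precede this chain are outside the hunk, so it is not visible whether they already narrow the candidate type enough. If they do, a comment such as `// newer CO builds format the message: "{0} was detected"` would record why the loose pattern is acceptable; otherwise consider requiring a second signal before `antiDebuggerType = type;` is reached.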
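Review bot: The field-count ceiling in `getProxyCreateMethod` is a bare literal that had to be edited by hand (10 to 12), and the same pattern recurs in the TamperDetection.cs hunk, where the method-count ceiling moves from 12 to 14. Neither site says where the numbers come from, so the next CO build will need the same guess-and-bump. Naming the limits, for example `const int MAX_PROXY_TYPE_FIELDS = 12; // widened for <CO build placeholder>`, would document the heuristic. Widening the range presumably also lets more unrelated types through to the later checks, which start outside the hunk.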
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs index 0e84de0d..406c9804 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs @@ -272,12 +272,13 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { var ldci4 = instrs[i]; if (!DotNetUtils.isLdcI4(ldci4)) continue; - if (DotNetUtils.getLdcI4Value(ldci4) != 2) + int loopCount = DotNetUtils.getLdcI4Value(ldci4); + if (loopCount < 2 || loopCount > 3) continue; var blt = instrs[i + 1]; if (blt.OpCode.Code != Code.Blt && blt.OpCode.Code != Code.Blt_S) continue; - return 1; + return loopCount - 1; } return 0; } diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs b/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs index e2512da4..be7f0e6e 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs @@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()")) return false; - if (type.Methods.Count < 3 || type.Methods.Count > 12) + if (type.Methods.Count < 3 || type.Methods.Count > 14) return false; if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) { } From 30a73371c803fb6865c4d6af20d451e028d39219 Mon Sep 17 00:00:00 2001 From: de4dot Date: Thu, 23 Aug 2012 11:48:11 +0200 Subject: [PATCH 2/4] Fat header type is encoded in the lower 3 bits --- de4dot.code/deobfuscators/MethodBodyParser.cs | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/de4dot.code/deobfuscators/MethodBodyParser.cs b/de4dot.code/deobfuscators/MethodBodyParser.cs index 2163e4a1..7b5a7b1e 100644 --- a/de4dot.code/deobfuscators/MethodBodyParser.cs 
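Review bot: With `return loopCount - 1;` the result of this method in ResourceDecrypter.cs widens from {0, 1} to {0, 1, 2}, and nothing in the hunk documents what the number means. The callers are outside the hunk; any that test the result with `== 1` or treat it as a flag would silently mishandle the new value 2. A comment above the return, such as `// loop bound minus one (1 or 2); the fall-through 0 means no matching ldc.i4/blt pair was found`, would pin the contract. The `instrs[i + 1]` access also depends on the loop's upper bound, which is set outside the hunk and should stop at `Count - 1`.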
+++ b/de4dot.code/deobfuscators/MethodBodyParser.cs @@ -71,16 +71,15 @@ namespace de4dot.code.deobfuscators { var mbHeader = new MethodBodyHeader(); uint codeOffset; - switch (peek(reader) & 3) { - case 2: + byte b = peek(reader); + if ((b & 3) == 2) { mbHeader.flags = 2; mbHeader.maxStack = 8; mbHeader.codeSize = (uint)(reader.ReadByte() >> 2); mbHeader.localVarSigTok = 0; codeOffset = 1; - break; - - case 3: + } + else if ((b & 7) == 3) { mbHeader.flags = reader.ReadUInt16(); codeOffset = (uint)(4 * (mbHeader.flags >> 12)); if (codeOffset != 12) @@ -92,11 +91,9 @@ namespace de4dot.code.deobfuscators { mbHeader.localVarSigTok = reader.ReadUInt32(); if (mbHeader.localVarSigTok != 0 && (mbHeader.localVarSigTok >> 24) != 0x11) throw new InvalidMethodBody(); - break; - - default: - throw new InvalidMethodBody(); } + else + throw new InvalidMethodBody(); if (mbHeader.codeSize + codeOffset > reader.BaseStream.Length) throw new InvalidMethodBody(); From 26e4aa4e1d47e8b7d4fa8da0a5567389c5934fe8 Mon Sep 17 00:00:00 2001 From: de4dot Date: Fri, 31 Aug 2012 00:23:27 +0200 Subject: [PATCH 3/4] Add updated submodule --- cecil | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cecil b/cecil index 86e21d47..119a3d40 160000 --- a/cecil +++ b/cecil @@ -1 +1 @@ -Subproject commit 86e21d470a0232f6b746ee2b8b7a9483c1842fea +Subproject commit 119a3d404ab12a8a19a249e97c1e5f6ca0850b6a From 13a5fd8ff0d47e2228853672f6fbf0ed882061bc Mon Sep 17 00:00:00 2001 From: de4dot Date: Fri, 31 Aug 2012 00:24:42 +0200 Subject: [PATCH 4/4] Add a fix for when type.Scope is null --- AssemblyData/methodsrewriter/ResolverUtils.cs | 2 +- blocks/DotNetUtils.cs | 5 ++++- de4dot.code/ExternalAssemblies.cs | 2 ++ de4dot.code/renamer/asmmodules/Modules.cs | 2 ++ 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/AssemblyData/methodsrewriter/ResolverUtils.cs b/AssemblyData/methodsrewriter/ResolverUtils.cs index 59a3b5a0..43659cf5 100644 --- a/AssemblyData/methodsrewriter/ResolverUtils.cs 
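Review bot: The two header tests in the first MethodBodyParser.cs hunk use different masks (`b & 3` for the tiny header, `b & 7` for the fat header) with no comment explaining the asymmetry, which invites a later cleanup back to a single mask. The reason is given only in the commit subject. A one-line comment before the `if`, for example `// tiny header: low 2 bits == 2; fat header: low 3 bits == 3 (bit 2 must be clear)`, would keep it next to the code. The enclosing method starts and ends outside the hunk.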
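Review bot: The bounds check that closes the second MethodBodyParser.cs hunk, `mbHeader.codeSize + codeOffset > reader.BaseStream.Length`, adds two `uint` values before the comparison, and C# unsigned arithmetic wraps silently unless the build enables checked arithmetic. The fat-header read of `codeSize` is not visible here, but if it is taken as a 32-bit value straight from the obfuscated input, a size near 0xFFFFFFFF wraps to a small sum and passes the check. Widening before the addition closes that gap: `if ((long)mbHeader.codeSize + codeOffset > reader.BaseStream.Length)`. The check also compares against the whole stream length rather than the bytes remaining from the header's start position, which may be intended if the reader wraps only this one method body.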
+++ b/AssemblyData/methodsrewriter/ResolverUtils.cs @@ -146,7 +146,7 @@ namespace AssemblyData.methodsrewriter { var asmRef = DotNetUtils.getAssemblyNameReference(b); var asmName = a.Assembly.GetName(); - if (asmRef.Name != asmName.Name) + if (asmRef == null || asmRef.Name != asmName.Name) return false; return compareTypes(a.DeclaringType, b.DeclaringType); diff --git a/blocks/DotNetUtils.cs b/blocks/DotNetUtils.cs index 98868692..0c310b86 100644 --- a/blocks/DotNetUtils.cs +++ b/blocks/DotNetUtils.cs @@ -926,6 +926,9 @@ namespace de4dot.blocks { public static AssemblyNameReference getAssemblyNameReference(TypeReference type) { var scope = type.Scope; + if (scope == null) + return null; + if (scope is ModuleDefinition) { var moduleDefinition = (ModuleDefinition)scope; return moduleDefinition.Assembly.Name; @@ -946,7 +949,7 @@ namespace de4dot.blocks { public static string getFullAssemblyName(TypeReference type) { var asmRef = getAssemblyNameReference(type); - return asmRef.FullName; + return asmRef == null ? null : asmRef.FullName; } public static bool isAssembly(IMetadataScope scope, string assemblySimpleName) { diff --git a/de4dot.code/ExternalAssemblies.cs b/de4dot.code/ExternalAssemblies.cs index 3913f491..8c29764b 100644 --- a/de4dot.code/ExternalAssemblies.cs +++ b/de4dot.code/ExternalAssemblies.cs @@ -56,6 +56,8 @@ namespace de4dot.code { ExternalAssembly load(TypeReference type) { var asmFullName = DotNetUtils.getFullAssemblyName(type); + if (asmFullName == null) + return null; ExternalAssembly asm; if (assemblies.TryGetValue(asmFullName, out asm)) return asm; diff --git a/de4dot.code/renamer/asmmodules/Modules.cs b/de4dot.code/renamer/asmmodules/Modules.cs index 8550f9e5..9cc0bd1d 100644 --- a/de4dot.code/renamer/asmmodules/Modules.cs +++ b/de4dot.code/renamer/asmmodules/Modules.cs 
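Review bot: `getAssemblyNameReference` in DotNetUtils.cs now returns null for a missing scope, but the branch directly below still dereferences `moduleDefinition.Assembly.Name` unguarded. If Cecil can hand back a module whose `Assembly` is null (a standalone netmodule, as far as I recall), the same kind of malformed input would still throw there; `return moduleDefinition.Assembly == null ? null : moduleDefinition.Assembly.Name;` would make the two paths consistent. The new null result also deserves a doc comment on both `getAssemblyNameReference` and `getFullAssemblyName`, for example `// Returns null if the type has no scope`. This patch updates only the ResolverUtils.cs and ExternalAssemblies.cs call sites, and any other callers are outside the visible hunks.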
@@ -390,6 +390,8 @@ namespace de4dot.code.renamer.asmmodules { // Returns null if it's a non-loaded module/assembly IEnumerable findModules(TypeReference type) { var scope = type.Scope; + if (scope == null) + return null; if (scope is AssemblyNameReference) return findModules((AssemblyNameReference)scope);
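Review bot: The comment above `findModules` still says null means "a non-loaded module/assembly", but the added `scope == null` branch returns null for a different reason. Suggest updating it to `// Returns null if the type has no scope or it's a non-loaded module/assembly` so callers do not read a null as "assembly not loaded yet" and try to load one. The method body continues outside the hunk.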