Support .NET Reactor 4.5
This commit is contained in:
parent
faf37a4a47
commit
8e69452edb
|
@ -345,8 +345,14 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
return DeobfuscatorInfo.THE_NAME + " 4.1";
|
return DeobfuscatorInfo.THE_NAME + " 4.1";
|
||||||
return DeobfuscatorInfo.THE_NAME + " 4.0";
|
return DeobfuscatorInfo.THE_NAME + " 4.0";
|
||||||
}
|
}
|
||||||
if (!hasCorEnableProfilingString)
|
if (!hasCorEnableProfilingString) {
|
||||||
|
// 4.x or 4.5
|
||||||
|
bool callsReverse = DotNetUtils.callsMethod(methodsDecrypter.Method, "System.Void System.Array::Reverse(System.Array)");
|
||||||
|
if (!callsReverse)
|
||||||
return DeobfuscatorInfo.THE_NAME + " 4.x";
|
return DeobfuscatorInfo.THE_NAME + " 4.x";
|
||||||
|
return DeobfuscatorInfo.THE_NAME + " 4.5";
|
||||||
|
}
|
||||||
|
|
||||||
// 4.2-4.4
|
// 4.2-4.4
|
||||||
|
|
||||||
if (!localTypes.exists("System.Byte&"))
|
if (!localTypes.exists("System.Byte&"))
|
||||||
|
|
|
@ -116,6 +116,8 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
iv = ArrayFinder.getInitializedByteArray(resourceDecrypterMethod, 16);
|
iv = ArrayFinder.getInitializedByteArray(resourceDecrypterMethod, 16);
|
||||||
if (iv == null)
|
if (iv == null)
|
||||||
throw new ApplicationException("Could not find resource decrypter IV");
|
throw new ApplicationException("Could not find resource decrypter IV");
|
||||||
|
if (needReverse())
|
||||||
|
Array.Reverse(iv); // DNR 4.5.0.0
|
||||||
if (usesPublicKeyToken()) {
|
if (usesPublicKeyToken()) {
|
||||||
var publicKeyToken = module.Assembly.PublicKeyToken;
|
var publicKeyToken = module.Assembly.PublicKeyToken;
|
||||||
if (publicKeyToken != null && publicKeyToken.Data.Length > 0) {
|
if (publicKeyToken != null && publicKeyToken.Data.Length > 0) {
|
||||||
|
@ -146,6 +148,10 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool needReverse() {
|
||||||
|
return DotNetUtils.callsMethod(resourceDecrypterMethod, "System.Void System.Array::Reverse(System.Array)");
|
||||||
|
}
|
||||||
|
|
||||||
EmbeddedResource findMethodsDecrypterResource(MethodDef method) {
|
EmbeddedResource findMethodsDecrypterResource(MethodDef method) {
|
||||||
foreach (var s in DotNetUtils.getCodeStrings(method)) {
|
foreach (var s in DotNetUtils.getCodeStrings(method)) {
|
||||||
var resource = DotNetUtils.getResource(module, s) as EmbeddedResource;
|
var resource = DotNetUtils.getResource(module, s) as EmbeddedResource;
|
||||||
|
|
|
@ -168,7 +168,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
// DNR 4.0 - 4.4 (jitter is hooked)
|
// DNR 4.0 - 4.5 (jitter is hooked)
|
||||||
|
|
||||||
var methodDef = peImage.DotNetFile.MetaData.TablesStream.MethodTable;
|
var methodDef = peImage.DotNetFile.MetaData.TablesStream.MethodTable;
|
||||||
var rvaToIndex = new Dictionary<uint, int>((int)methodDef.Rows);
|
var rvaToIndex = new Dictionary<uint, int>((int)methodDef.Rows);
|
||||||
|
|
|
@ -22,11 +22,13 @@ using System.IO;
|
||||||
using ICSharpCode.SharpZipLib.Zip.Compression;
|
using ICSharpCode.SharpZipLib.Zip.Compression;
|
||||||
using dot10.PE;
|
using dot10.PE;
|
||||||
using dot10.IO;
|
using dot10.IO;
|
||||||
|
using dot10.DotNet;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
class NativeImageUnpacker {
|
class NativeImageUnpacker {
|
||||||
MyPEImage peImage;
|
MyPEImage peImage;
|
||||||
bool isNet1x;
|
bool isNet1x;
|
||||||
|
const int loaderHeaderSizeV45 = 14;
|
||||||
|
|
||||||
public NativeImageUnpacker(IPEImage peImage) {
|
public NativeImageUnpacker(IPEImage peImage) {
|
||||||
this.peImage = new MyPEImage(peImage);
|
this.peImage = new MyPEImage(peImage);
|
||||||
|
@ -60,18 +62,44 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (BitConverter.ToInt16(inflatedData, 0) != 0x5A4D)
|
// CLR 1.x or DNR v4.0 - v4.4
|
||||||
return null;
|
if (BitConverter.ToInt16(inflatedData, 0) == 0x5A4D)
|
||||||
|
|
||||||
return inflatedData;
|
return inflatedData;
|
||||||
|
|
||||||
|
// DNR v4.5
|
||||||
|
if (BitConverter.ToInt16(inflatedData, loaderHeaderSizeV45) == 0x5A4D)
|
||||||
|
return unpackLoader(inflatedData);
|
||||||
|
|
||||||
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
static uint[] baseOffsets = new uint[] {
|
static byte[] unpackLoader(byte[] loaderData) {
|
||||||
|
var loaderBytes = new byte[loaderData.Length - loaderHeaderSizeV45];
|
||||||
|
Array.Copy(loaderData, loaderHeaderSizeV45, loaderBytes, 0, loaderBytes.Length);
|
||||||
|
|
||||||
|
try {
|
||||||
|
using (var asmLoader = ModuleDefMD.Load(loaderBytes)) {
|
||||||
|
if (asmLoader.Resources.Count == 0)
|
||||||
|
return null;
|
||||||
|
var resource = asmLoader.Resources[0] as EmbeddedResource;
|
||||||
|
if (resource == null)
|
||||||
|
return null;
|
||||||
|
|
||||||
|
return resource.Data.ReadAllBytes();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static readonly uint[] baseOffsets = new uint[] {
|
||||||
0x1C00, // DNR 4.0 & 4.1
|
0x1C00, // DNR 4.0 & 4.1
|
||||||
0x1900, // DNR 4.2.7.5
|
0x1900, // DNR 4.2.7.5
|
||||||
0x1B60, // DNR 4.2.8.4, 4.3 & 4.4
|
0x1B60, // DNR 4.2.8.4, 4.3, 4.4, 4.5
|
||||||
|
0x700, // DNR 4.5.0.0
|
||||||
};
|
};
|
||||||
static short[] decryptMethodPattern = new short[] {
|
static readonly short[] decryptMethodPattern = new short[] {
|
||||||
/* 00 */ 0x83, 0xEC, 0x38, // sub esp, 38h
|
/* 00 */ 0x83, 0xEC, 0x38, // sub esp, 38h
|
||||||
/* 03 */ 0x53, // push ebx
|
/* 03 */ 0x53, // push ebx
|
||||||
/* 04 */ 0xB0, -1, // mov al, ??h
|
/* 04 */ 0xB0, -1, // mov al, ??h
|
||||||
|
@ -84,7 +112,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
/* 1C */ 0x55, // push ebp
|
/* 1C */ 0x55, // push ebp
|
||||||
/* 1D */ 0x56, // push esi
|
/* 1D */ 0x56, // push esi
|
||||||
};
|
};
|
||||||
static short[] startMethodNet1xPattern = new short[] {
|
static readonly short[] startMethodNet1xPattern = new short[] {
|
||||||
/* 00 */ 0x55, // push ebp
|
/* 00 */ 0x55, // push ebp
|
||||||
/* 01 */ 0x8B, 0xEC, // mov ebp, esp
|
/* 01 */ 0x8B, 0xEC, // mov ebp, esp
|
||||||
/* 03 */ 0xB9, 0x14, 0x00, 0x00, 0x00, // mov ecx, 14h
|
/* 03 */ 0xB9, 0x14, 0x00, 0x00, 0x00, // mov ecx, 14h
|
||||||
|
|
Loading…
Reference in New Issue
Block a user