monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix merge

Browse Source
This commit is contained in:
de4dot 2016-02-11 20:50:54 +01:00
parent 71eddd4689
commit 958ad86ceb
3 changed files with 31 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
de4dot.code/deobfuscators/CryptoObfuscator/CoUtils.cs
View File

@ -49,66 +49,64 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
} }
public static string XorCipher(string text, int key) { public static string XorCipher(string text, int key) {
char[] array = text.ToCharArray(); var array = text.ToCharArray();
int num = array.Length; int len = array.Length;
char cKey = Convert.ToChar(key); char cKey = Convert.ToChar(key);
while (--num >= 0) { while (--len >= 0)
array[num] ^= cKey; array[len] ^= cKey;
}
return new string(array); return new string(array);
} }
public static string DecryptResourceName(string resourceName, int key, byte[] coddedBytes) { public static string DecryptResourceName(string resourceName, int key, byte[] coddedBytes) {
int num = resourceName.Length; int len = resourceName.Length;
char[] array = resourceName.ToCharArray(); var array = resourceName.ToCharArray();
while (--num >= 0) { while (--len >= 0)
array[num] = (char)((int)array[num] ^ ((int)coddedBytes[key & 15] | key)); array[len] = (char)((int)array[len] ^ ((int)coddedBytes[key & 15] | key));
}
return new string(array); return new string(array);
} }
public static string DecryptResourceName(ModuleDefMD module ,MethodDef method) { public static string DecryptResourceName(ModuleDefMD module, MethodDef method) {
string resourceName = ""; string resourceName = "";
MethodDef cctor = method, orginalResMethod = null; MethodDef cctor = method, orginalResMethod = null;
//retrive key and encrypted resource name // retrive key and encrypted resource name
int key = 0; int key = 0;
var ils = cctor.Body.Instructions; var instrs = cctor.Body.Instructions;
for (int i = 0; i < ils.Count - 2; i++) { for (int i = 0; i < instrs.Count - 2; i++) {
if (ils[i].OpCode != OpCodes.Ldstr) if (instrs[i].OpCode != OpCodes.Ldstr)
continue; continue;
if (!ils[i + 1].IsLdcI4()) if (!instrs[i + 1].IsLdcI4())
break; break;
key = ils[i + 1].GetLdcI4Value(); key = instrs[i + 1].GetLdcI4Value();
resourceName = ils[i].Operand as String; resourceName = instrs[i].Operand as String;
cctor = ils[i + 2].Operand as MethodDef; cctor = instrs[i + 2].Operand as MethodDef;
break; break;
} }
//Find the method that contains resource name // Find the method that contains resource name
while (orginalResMethod == null) { while (orginalResMethod == null) {
foreach (var IL in cctor.Body.Instructions) { foreach (var instr in cctor.Body.Instructions) {
if (IL.OpCode == OpCodes.Ldftn) { if (instr.OpCode == OpCodes.Ldftn) {
MethodDef tempMethod = IL.Operand as MethodDef; MethodDef tempMethod = instr.Operand as MethodDef;
if (tempMethod.ReturnType.FullName != "System.String") if (tempMethod.ReturnType.FullName != "System.String")
continue; continue;
orginalResMethod = tempMethod; orginalResMethod = tempMethod;
break; break;
} else if (IL.OpCode == OpCodes.Callvirt) { }
cctor = IL.Operand as MethodDef; else if (instr.OpCode == OpCodes.Callvirt) {
cctor = instr.Operand as MethodDef;
cctor = cctor.DeclaringType.FindStaticConstructor(); cctor = cctor.DeclaringType.FindStaticConstructor();
break; break;
} }
} }
} }
//Get encrypted Resource name // Get encrypted Resource name
string encResourcename = DotNetUtils.GetCodeStrings(orginalResMethod)[0]; string encResourcename = DotNetUtils.GetCodeStrings(orginalResMethod)[0];
//get Decryption key // get Decryption key
int xorKey = 0; int xorKey = 0;
for (int i = 0; i < orginalResMethod.Body.Instructions.Count; i++) { for (int i = 0; i < orginalResMethod.Body.Instructions.Count; i++) {
if (orginalResMethod.Body.Instructions[i].OpCode == OpCodes.Xor) { if (orginalResMethod.Body.Instructions[i].OpCode == OpCodes.Xor)
xorKey = orginalResMethod.Body.Instructions[i - 1].GetLdcI4Value(); xorKey = orginalResMethod.Body.Instructions[i - 1].GetLdcI4Value();
}
} }
encResourcename = XorCipher(encResourcename, xorKey); encResourcename = XorCipher(encResourcename, xorKey);

5
de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
View File

@ -19,7 +19,6 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.Text;
using dnlib.IO; using dnlib.IO;
using dnlib.DotNet; using dnlib.DotNet;
using dnlib.DotNet.Emit; using dnlib.DotNet.Emit;
@ -118,8 +117,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
//if the return value is null, it is possible that resource name is encrypted //if the return value is null, it is possible that resource name is encrypted
if (encryptedResource == null) { if (encryptedResource == null) {
var Resources = new string[] { CoUtils.DecryptResourceName(module,cctor) }; var Resources = new string[] { CoUtils.DecryptResourceName(module, cctor) };
encryptedResource = CoUtils.GetResource(module, Resources); encryptedResource = CoUtils.GetResource(module, Resources);
} }
encryptedResource.Data.Position = 0; encryptedResource.Data.Position = 0;

3
de4dot.code/deobfuscators/CryptoObfuscator/StringDecrypter.cs
View File

@ -21,7 +21,6 @@ using System;
using System.Text; using System.Text;
using dnlib.DotNet; using dnlib.DotNet;
using de4dot.blocks; using de4dot.blocks;
using dnlib.DotNet.Emit;
namespace de4dot.code.deobfuscators.CryptoObfuscator { namespace de4dot.code.deobfuscators.CryptoObfuscator {
class StringDecrypter { class StringDecrypter {
@ -90,7 +89,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
catch { catch {
string s2 = CoUtils.DecryptResourceName(module, cctor); string s2 = CoUtils.DecryptResourceName(module, cctor);
try { try {
return Encoding.UTF8.GetString(Convert.FromBase64String(s2)); return Encoding.UTF8.GetString(Convert.FromBase64String(s2));
} }
catch { catch {
} }