From 9b591c68d3b7df4657727e3e8e729e23ec2b98cc Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 29 May 2012 19:14:41 +0200
Subject: [PATCH] Fix CF proxy calls

---
 de4dot.code/de4dot.code.csproj                |   3 +
 .../CodeFort/CfMethodCallInliner.cs           |  43 ++++++
 .../deobfuscators/CodeFort/Deobfuscator.cs    | 124 ++++++++++++++++++
 .../deobfuscators/CodeFort/ProxyCallFixer.cs  | 116 ++++++++++++++++
 .../deobfuscators/Unknown/Deobfuscator.cs     |   2 -
 de4dot.cui/Program.cs                         |   1 +
 6 files changed, 287 insertions(+), 2 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/CodeFort/CfMethodCallInliner.cs
 create mode 100644 de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs
 create mode 100644 de4dot.code/deobfuscators/CodeFort/ProxyCallFixer.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 42ecf34c..bacb2128 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -92,6 +92,9 @@
     <Compile Include="deobfuscators\CliSecure\vm\UnknownHandlerInfo.cs" />
     <Compile Include="deobfuscators\CliSecure\vm\VmOpCodeHandlerDetector.cs" />
     <Compile Include="deobfuscators\CliSecure\vm\VmOperands.cs" />
+    <Compile Include="deobfuscators\CodeFort\CfMethodCallInliner.cs" />
+    <Compile Include="deobfuscators\CodeFort\Deobfuscator.cs" />
+    <Compile Include="deobfuscators\CodeFort\ProxyCallFixer.cs" />
     <Compile Include="deobfuscators\CodeVeil\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\CodeVeil\ErexResourceReader.cs" />
     <Compile Include="deobfuscators\CodeVeil\InvalidDataException.cs" />
diff --git a/de4dot.code/deobfuscators/CodeFort/CfMethodCallInliner.cs b/de4dot.code/deobfuscators/CodeFort/CfMethodCallInliner.cs
new file mode 100644
index 00000000..4d4ecbe2
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeFort/CfMethodCallInliner.cs
@@ -0,0 +1,43 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using Mono.Cecil;
+using de4dot.blocks;
+using de4dot.blocks.cflow;
+
+namespace de4dot.code.deobfuscators.CodeFort {
+	class CfMethodCallInliner : MethodCallInliner {
+		public CfMethodCallInliner()
+			: base(false) {
+		}
+
+		protected override bool canInline(MethodDefinition method) {
+			if (method.GenericParameters.Count > 0)
+				return false;
+			if (method == blocks.Method)
+				return false;
+
+			if (method.IsStatic)
+				return true;
+			if (method.IsVirtual)
+				return false;
+			return inlineInstanceMethods;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs
new file mode 100644
index 00000000..db33f85e
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs
@@ -0,0 +1,124 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using Mono.Cecil;
+using Mono.MyStuff;
+using de4dot.blocks;
+using de4dot.PE;
+
+namespace de4dot.code.deobfuscators.CodeFort {
+	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
+		public const string THE_NAME = "CodeFort";
+		public const string THE_TYPE = "cf";
+		const string DEFAULT_REGEX = @"!^[_<>{}$.`-]$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
+
+		public DeobfuscatorInfo()
+			: base(DEFAULT_REGEX) {
+		}
+
+		public override string Name {
+			get { return THE_NAME; }
+		}
+
+		public override string Type {
+			get { return THE_TYPE; }
+		}
+
+		public override IDeobfuscator createDeobfuscator() {
+			return new Deobfuscator(new Deobfuscator.Options {
+				ValidNameRegex = validNameRegex.get(),
+			});
+		}
+
+		protected override IEnumerable<Option> getOptionsInternal() {
+			return new List<Option>() {
+			};
+		}
+	}
+
+	class Deobfuscator : DeobfuscatorBase {
+		Options options;
+		ProxyCallFixer proxyCallFixer;
+
+		internal class Options : OptionsBase {
+		}
+
+		public override string Type {
+			get { return DeobfuscatorInfo.THE_TYPE; }
+		}
+
+		public override string TypeLong {
+			get { return DeobfuscatorInfo.THE_NAME; }
+		}
+
+		public override string Name {
+			get { return DeobfuscatorInfo.THE_NAME; }
+		}
+
+		public Deobfuscator(Options options)
+			: base(options) {
+			this.options = options;
+		}
+
+		protected override int detectInternal() {
+			int val = 0;
+
+			int sum = toInt32(proxyCallFixer.Detected);
+			if (sum > 0)
+				val += 100 + 10 * (sum - 1);
+
+			return val;
+		}
+
+		protected override void scanForObfuscator() {
+			proxyCallFixer = new ProxyCallFixer(module);
+			proxyCallFixer.findDelegateCreator();
+		}
+
+		public override void deobfuscateBegin() {
+			base.deobfuscateBegin();
+
+			proxyCallFixer.find();
+		}
+
+		public override void deobfuscateMethodEnd(Blocks blocks) {
+			proxyCallFixer.deobfuscate(blocks);
+			inlineMethods(blocks);
+			base.deobfuscateMethodEnd(blocks);
+		}
+
+		void inlineMethods(Blocks blocks) {
+			var inliner = new CfMethodCallInliner();
+			inliner.deobfuscateBegin(blocks);
+			inliner.deobfuscate(blocks.MethodBlocks.getAllBlocks());
+		}
+
+		public override void deobfuscateEnd() {
+			removeProxyDelegates(proxyCallFixer);
+			base.deobfuscateEnd();
+		}
+
+		public override IEnumerable<int> getStringDecrypterMethods() {
+			var list = new List<int>();
+			return list;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CodeFort/ProxyCallFixer.cs b/de4dot.code/deobfuscators/CodeFort/ProxyCallFixer.cs
new file mode 100644
index 00000000..196c09d7
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeFort/ProxyCallFixer.cs
@@ -0,0 +1,116 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using Mono.Cecil;
+using Mono.Cecil.Cil;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.CodeFort {
+	class ProxyCallFixer : ProxyCallFixer3 {
+		IList<MemberReference> memberReferences;
+
+		public ProxyCallFixer(ModuleDefinition module)
+			: base(module) {
+		}
+
+		public void findDelegateCreator() {
+			foreach (var type in module.Types) {
+				var creatorMethod = checkType(type);
+				if (creatorMethod == null)
+					continue;
+
+				setDelegateCreatorMethod(creatorMethod);
+				return;
+			}
+		}
+
+		static MethodDefinition checkType(TypeDefinition type) {
+			if (type.Fields.Count != 1)
+				return null;
+			if (type.Fields[0].FieldType.FullName != "System.Reflection.Module")
+				return null;
+			return checkMethods(type);
+		}
+
+		static MethodDefinition checkMethods(TypeDefinition type) {
+			if (type.Methods.Count != 3)
+				return null;
+
+			MethodDefinition creatorMethod = null;
+			foreach (var method in type.Methods) {
+				if (method.Name == ".cctor")
+					continue;
+				if (DotNetUtils.isMethod(method, "System.Void", "(System.Int32)")) {
+					creatorMethod = method;
+					continue;
+				}
+				if (DotNetUtils.isMethod(method, "System.MulticastDelegate", "(System.Type,System.Reflection.MethodInfo,System.Int32)"))
+					continue;
+
+				return null;
+			}
+			return creatorMethod;
+		}
+
+		protected override object checkCctor(TypeDefinition type, MethodDefinition cctor) {
+			var instrs = cctor.Body.Instructions;
+			if (instrs.Count != 3)
+				return null;
+			var ldci4 = instrs[0];
+			if (!DotNetUtils.isLdcI4(ldci4))
+				return null;
+			var call = instrs[1];
+			if (call.OpCode.Code != Code.Call)
+				return null;
+			if (!isDelegateCreatorMethod(call.Operand as MethodDefinition))
+				return null;
+			int rid = DotNetUtils.getLdcI4Value(ldci4);
+			if (cctor.DeclaringType.MetadataToken.RID != rid)
+				throw new ApplicationException("Invalid rid");
+			return rid;
+		}
+
+		protected override void getCallInfo(object context, FieldDefinition field, out MethodReference calledMethod, out OpCode callOpcode) {
+			if (memberReferences == null)
+				memberReferences = new List<MemberReference>(module.GetMemberReferences());
+
+			int rid = 0;
+			foreach (var c in field.Name)
+				rid = (rid << 4) + hexToInt((char)((byte)c + 0x2F));
+			rid &= 0x00FFFFFF;
+			calledMethod = (MethodReference)memberReferences[rid - 1];
+			var calledMethodDef = DotNetUtils.getMethod(module, calledMethod);
+			if (calledMethodDef != null)
+				calledMethod = calledMethodDef;
+			callOpcode = OpCodes.Call;
+		}
+
+		static int hexToInt(char c) {
+			if ('0' <= c && c <= '9')
+				return c - '0';
+			if ('a' <= c && c <= 'f')
+				return c - 'a' + 10;
+			if ('A' <= c && c <= 'F')
+				return c - 'A' + 10;
+			throw new ApplicationException("Invalid hex digit");
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
index f17d42b3..e6e7fb7a 100644
--- a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
@@ -98,8 +98,6 @@ namespace de4dot.code.deobfuscators.Unknown {
 
 		string scanTypes() {
 			foreach (var type in module.Types) {
-				if (type.Namespace == "___codefort")
-					return "CodeFort";
 				if (type.FullName == "ZYXDNGuarder")
 					return "DNGuard HVM";
 				if (type.Name.Contains("();\t"))
diff --git a/de4dot.cui/Program.cs b/de4dot.cui/Program.cs
index e869b01a..806cd773 100644
--- a/de4dot.cui/Program.cs
+++ b/de4dot.cui/Program.cs
@@ -40,6 +40,7 @@ namespace de4dot.cui {
 				new de4dot.code.deobfuscators.Babel_NET.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CliSecure.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CodeVeil.DeobfuscatorInfo(),
+				new de4dot.code.deobfuscators.CodeFort.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CodeWall.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.DeepSea.DeobfuscatorInfo(),