monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Refactor

Browse Source
This commit is contained in:
de4dot 2012-02-27 12:55:37 +01:00
parent 3c480f4c6c
commit 9bab65640c
5 changed files with 499 additions and 377 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
de4dot.code/de4dot.code.csproj
View File

@ -138,7 +138,9 @@
<Compile Include="deobfuscators\dotNET_Reactor\v3\AssemblyResolver.cs" />
<Compile Include="deobfuscators\dotNET_Reactor\v3\DecryptMethod.cs" />
<Compile Include="deobfuscators\dotNET_Reactor\v3\MemoryPatcher.cs" />
<Compile Include="deobfuscators\Eazfuscator_NET\DecrypterType.cs" />
<Compile Include="deobfuscators\Eazfuscator_NET\Deobfuscator.cs" />
<Compile Include="deobfuscators\Eazfuscator_NET\EfUtils.cs" />
<Compile Include="deobfuscators\Eazfuscator_NET\StringDecrypter.cs" />
<Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
<Compile Include="deobfuscators\Goliath_NET\ArrayDecrypter.cs" />

328
de4dot.code/deobfuscators/Eazfuscator_NET/DecrypterType.cs Normal file
View File

@ -0,0 +1,328 @@
/*
Copyright (C) 2011-2012 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System;
using System.Collections.Generic;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
class DecrypterType {
TypeDefinition type;
MethodDefinition int64Method;
bool initialized;
ulong l1;
int i1, i2;
int m1_i1, m2_i1, m2_i2, m3_i1;
int token1, token2, token3, token4, token5, token6;
public TypeDefinition Type {
get { return type; }
set {
if (type == null)
type = value;
else if (type != value)
throw new ApplicationException("Found another one");
}
}
public bool Detected {
get { return type != null; }
}
public bool initialize() {
if (initialized)
return true;
int64Method = findInt64Method();
if (int64Method == null)
return false;
if (!findInt1())
return false;
if (!findInt2())
return false;
if (!findMethodInts())
return false;
token1 = getToken(-1509110933);
token2 = getToken(-82806859);
token3 = getToken(1294352278);
token4 = getToken(402344241);
token5 = getToken(-56237163);
token6 = getToken(1106695601);
if (token1 == 0 || token2 == 0 || token3 == 0)
return false;
if (token4 == 0 || token5 == 0 || token6 == 0)
return false;
initialized = true;
return true;
}
MethodDefinition findInt64Method() {
if (type == null)
return null;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null || method.HasGenericParameters)
continue;
if (!DotNetUtils.isMethod(method, "System.Int64", "()"))
continue;
if (!findInt64(method))
continue;
return method;
}
return null;
}
bool findInt64(MethodDefinition method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldci8 = instrs[i];
if (ldci8.OpCode.Code != Code.Ldc_I8)
continue;
if (instrs[i + 1].OpCode.Code != Code.Xor)
continue;
l1 = (ulong)(long)ldci8.Operand;
return true;
}
return false;
}
bool findInt1() {
var consts = getConstants(findNestedTypeMethod(1294352278));
if (consts.Count != 2)
return false;
i1 = consts[1];
return true;
}
bool findInt2() {
var consts = getConstants(findNestedTypeMethod(1106695601));
if (consts.Count != 1)
return false;
i2 = consts[0];
return true;
}
bool findMethodInts() {
foreach (var nestedType in type.NestedTypes) {
var methods = getBinaryIntMethods(nestedType);
if (methods.Count < 3)
continue;
if (!findMethod1Int(methods))
continue;
if (!findMethod2Int(methods))
continue;
if (!findMethod3Int(methods))
continue;
return true;
}
return false;
}
static List<MethodDefinition> getBinaryIntMethods(TypeDefinition type) {
var list = new List<MethodDefinition>();
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.isMethod(method, "System.Int32", "(System.Int32,System.Int32)"))
continue;
list.Add(method);
}
return list;
}
bool findMethod1Int(IEnumerable<MethodDefinition> methods) {
foreach (var method in methods) {
if (countInstructions(method, Code.Ldarg_0) != 1)
continue;
var constants = getConstants(method);
if (constants.Count != 1)
continue;
m1_i1 = constants[0];
return true;
}
return false;
}
bool findMethod2Int(IEnumerable<MethodDefinition> methods) {
foreach (var method in methods) {
var constants = getConstants(method);
if (constants.Count != 2)
continue;
m2_i1 = constants[0];
m2_i2 = constants[1];
return true;
}
return false;
}
bool findMethod3Int(IEnumerable<MethodDefinition> methods) {
foreach (var method in methods) {
if (countInstructions(method, Code.Ldarg_0) != 2)
continue;
var constants = getConstants(method);
if (constants.Count != 1)
continue;
m3_i1 = constants[0];
return true;
}
return false;
}
static int countInstructions(MethodDefinition method, Code code) {
int count = 0;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code == code)
count++;
}
return count;
}
static List<int> getConstants(MethodDefinition method) {
var list = new List<int>();
if (method == null)
return list;
int index = 0;
var instrs = method.Body.Instructions;
while (true) {
int val;
if (!EfUtils.getNextInt32(method, ref index, out val))
break;
if (index + 1 < instrs.Count && instrs[index].OpCode.Code != Code.Ret)
list.Add(val);
}
return list;
}
MethodDefinition findNestedTypeMethod(int constant) {
foreach (var nestedType in type.NestedTypes) {
foreach (var method in nestedType.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldci4 = instrs[i];
if (!DotNetUtils.isLdcI4(ldci4))
continue;
if (DotNetUtils.getLdcI4Value(ldci4) != constant)
continue;
if (instrs[i + 1].OpCode.Code != Code.Ret)
continue;
return method;
}
}
}
return null;
}
int getToken(int constant) {
var method = findNestedTypeMethod(constant);
if (method == null)
return 0;
return method.DeclaringType.MetadataToken.ToInt32();
}
int binOp1(int a, int b) {
return a ^ (b - m1_i1);
}
int binOp2(int a, int b) {
return (a - m2_i1) ^ (b + m2_i2);
}
int binOp3(int a, int b) {
return a ^ (b - m3_i1) ^ (a - b);
}
int constMethod1() {
return binOp3(binOp2(token2, binOp3(token1, token5)), constMethod6());
}
int constMethod2() {
return binOp1(token3, token4 ^ binOp2(token2, binOp3(token6, constMethod4())));
}
int constMethod3() {
return binOp3(binOp1(constMethod2() ^ 0x1F74F46E, token4), binOp2(token1 ^ token6, i1));
}
int constMethod4() {
return binOp3(token4, binOp1(token1, binOp2(token2, binOp3(token3, binOp1(token5, token6)))));
}
int constMethod5() {
return binOp2(binOp2(constMethod3(), binOp1(token5, constMethod2())), token6);
}
int constMethod6() {
return binOp1(token6, binOp3(binOp2(token5, token1), binOp3(token3 ^ i2, constMethod5())));
}
public ulong getMagic() {
if (type == null)
throw new ApplicationException("Can't calculate magic since type isn't initialized");
var module = type.Module;
var bytes = new List<byte>();
if (module.Assembly != null) {
if (module.Assembly.Name.PublicKeyToken != null)
bytes.AddRange(module.Assembly.Name.PublicKeyToken);
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.Name));
}
int cm1 = constMethod1();
bytes.Add((byte)(type.MetadataToken.ToInt32() >> 24));
bytes.Add((byte)(cm1 >> 16));
bytes.Add((byte)(type.MetadataToken.ToInt32() >> 8));
bytes.Add((byte)cm1);
bytes.Add((byte)(type.MetadataToken.ToInt32() >> 16));
bytes.Add((byte)(cm1 >> 8));
bytes.Add((byte)type.MetadataToken.ToInt32());
bytes.Add((byte)(cm1 >> 24));
ulong magic = 0;
foreach (var b in bytes) {
magic += b;
magic += magic << 20;
magic ^= magic >> 12;
}
magic += magic << 6;
magic ^= magic >> 22;
magic += magic << 30;
return magic ^ l1;
}
}
}

8
de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs
View File

@ -51,6 +51,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
bool detectedVersion = false;
DecrypterType decrypterType;
StringDecrypter stringDecrypter;
internal class Options : OptionsBase {
@ -85,8 +86,9 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
}
protected override void scanForObfuscator() {
stringDecrypter = new StringDecrypter(module);
stringDecrypter.find(DeobfuscatedFile);
decrypterType = new DecrypterType();
stringDecrypter = new StringDecrypter(module, decrypterType);
stringDecrypter.find();
if (stringDecrypter.Detected)
detectVersion();
}
@ -579,6 +581,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
public override void deobfuscateBegin() {
base.deobfuscateBegin();
stringDecrypter.initialize(DeobfuscatedFile);
staticStringInliner.add(stringDecrypter.Method, (method2, args) => {
return stringDecrypter.decrypt((int)args[0]);
});
@ -588,6 +591,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
public override void deobfuscateEnd() {
if (CanRemoveStringDecrypterType) {
addTypesToBeRemoved(stringDecrypter.Types, "String decrypter type");
addTypeToBeRemoved(decrypterType.Type, "Decrypter type");
addResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
}

106
de4dot.code/deobfuscators/Eazfuscator_NET/EfUtils.cs Normal file
View File

@ -0,0 +1,106 @@
/*
Copyright (C) 2011-2012 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
static class EfUtils {
public static bool getNextInt32(MethodDefinition method, ref int index, out int val) {
for (; index < method.Body.Instructions.Count; index++) {
var instr = method.Body.Instructions[index];
if (instr.OpCode.Code != Code.Ldc_I4_S && instr.OpCode.Code != Code.Ldc_I4)
continue;
return getInt32(method, ref index, out val);
}
val = 0;
return false;
}
public static bool getInt16(MethodDefinition method, ref int index, ref short s) {
int val;
if (!getInt32(method, ref index, out val))
return false;
s = (short)val;
return true;
}
public static bool getInt32(MethodDefinition method, ref int index, out int val) {
val = 0;
var instrs = method.Body.Instructions;
if (index >= instrs.Count)
return false;
var ldci4 = instrs[index];
if (ldci4.OpCode.Code != Code.Ldc_I4_S && ldci4.OpCode.Code != Code.Ldc_I4)
return false;
var stack = new Stack<int>();
stack.Push(DotNetUtils.getLdcI4Value(ldci4));
index++;
for (; index < instrs.Count; index++) {
int l = stack.Count - 1;
var instr = instrs[index];
switch (instr.OpCode.Code) {
case Code.Not:
stack.Push(~stack.Pop());
break;
case Code.Neg:
stack.Push(-stack.Pop());
break;
case Code.Ldc_I4:
case Code.Ldc_I4_S:
case Code.Ldc_I4_0:
case Code.Ldc_I4_1:
case Code.Ldc_I4_2:
case Code.Ldc_I4_3:
case Code.Ldc_I4_4:
case Code.Ldc_I4_5:
case Code.Ldc_I4_6:
case Code.Ldc_I4_7:
case Code.Ldc_I4_8:
case Code.Ldc_I4_M1:
stack.Push(DotNetUtils.getLdcI4Value(instr));
break;
case Code.Xor:
if (stack.Count < 2)
goto done;
stack.Push(stack.Pop() ^ stack.Pop());
break;
default:
goto done;
}
}
done:
while (stack.Count > 1)
stack.Pop();
val = stack.Pop();
return true;
}
}
}

432
de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
View File

@ -27,15 +27,11 @@ using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
class StringDecrypter {
ModuleDefinition module;
TypeDefinition decryptType;
MethodDefinition decryptMethod;
TypeDefinition stringType;
MethodDefinition stringMethod;
TypeDefinition dataDecrypterType;
MethodDefinition int64Method;
short s1, s2, s3;
int i1, i2, i3, i4, i5, i6, i7;
ulong l1;
int m1_i1, m2_i1, m2_i2, m3_i1;
int token1, token2, token3, token4, token5, token6;
int i1, i2, i3, i4, i5;
bool checkMinus2;
bool usePublicKeyToken;
int keyLen;
@ -43,9 +39,10 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
int magic1;
EmbeddedResource encryptedResource;
BinaryReader reader;
DecrypterType decrypterType;
public TypeDefinition Type {
get { return decryptType; }
get { return stringType; }
}
public EmbeddedResource Resource {
@ -54,28 +51,27 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
public IEnumerable<TypeDefinition> Types {
get {
var list = new List<TypeDefinition>();
list.Add(decryptType);
list.Add(dataDecrypterType);
if (int64Method != null)
list.Add(int64Method.DeclaringType);
return list;
return new List<TypeDefinition> {
stringType,
dataDecrypterType,
};
}
}
public MethodDefinition Method {
get { return decryptMethod; }
get { return stringMethod; }
}
public bool Detected {
get { return decryptType != null; }
get { return stringType != null; }
}
public StringDecrypter(ModuleDefinition module) {
public StringDecrypter(ModuleDefinition module, DecrypterType decrypterType) {
this.module = module;
this.decrypterType = decrypterType;
}
public void find(ISimpleDeobfuscator simpleDeobfuscator) {
public void find() {
foreach (var type in module.Types) {
if (DotNetUtils.findFieldType(type, "System.IO.BinaryReader", true) == null)
continue;
@ -86,14 +82,8 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
if (!checkDecrypterMethod(method))
continue;
decryptType = type;
decryptMethod = method;
if (!findConstants(simpleDeobfuscator)) {
if (encryptedResource == null)
Log.w("Could not find encrypted resource. Strings cannot be decrypted.");
else
Log.w("Can't decrypt strings. Possibly a new Eazfuscator.NET version.");
}
stringType = type;
stringMethod = method;
return;
}
}
@ -115,49 +105,48 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return false;
}
public void initialize(ISimpleDeobfuscator simpleDeobfuscator) {
if (stringType == null)
return;
if (!findConstants(simpleDeobfuscator)) {
if (encryptedResource == null)
Log.w("Could not find encrypted resource. Strings cannot be decrypted.");
else
Log.w("Can't decrypt strings. Possibly a new Eazfuscator.NET version.");
return;
}
}
public bool findConstants(ISimpleDeobfuscator simpleDeobfuscator) {
if (!findResource(decryptMethod))
if (!findResource(stringMethod))
return false;
simpleDeobfuscator.deobfuscate(decryptMethod);
simpleDeobfuscator.deobfuscate(stringMethod);
checkMinus2 = DeobUtils.hasInteger(decryptMethod, -2);
usePublicKeyToken = callsGetPublicKeyToken(decryptMethod);
checkMinus2 = DeobUtils.hasInteger(stringMethod, -2);
usePublicKeyToken = callsGetPublicKeyToken(stringMethod);
int64Method = findInt64Method(decryptMethod);
var int64Method = findInt64Method(stringMethod);
if (int64Method != null)
decrypterType.Type = int64Method.DeclaringType;
if (!findShorts(decryptMethod))
if (!findShorts(stringMethod))
return false;
if (!findInt3(decryptMethod))
if (!findInt3(stringMethod))
return false;
if (!findInt4(decryptMethod))
if (!findInt4(stringMethod))
return false;
if (checkMinus2 && !findInt7(decryptMethod))
if (checkMinus2 && !findInt5(stringMethod))
return false;
dataDecrypterType = findDataDecrypterType(decryptMethod);
dataDecrypterType = findDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
return false;
if (int64Method != null) {
if (!findInts(decryptMethod))
if (decrypterType.Detected) {
if (!findInts(stringMethod))
return false;
if (!findInt64(int64Method))
return false;
if (!findInt5())
return false;
if (!findInt6())
return false;
if (!findMethodInts())
return false;
token1 = getToken(-1509110933);
token2 = getToken(-82806859);
token3 = getToken(1294352278);
token4 = getToken(402344241);
token5 = getToken(-56237163);
token6 = getToken(1106695601);
if (token1 == 0 || token2 == 0 || token3 == 0)
return false;
if (token4 == 0 || token5 == 0 || token6 == 0)
if (!decrypterType.initialize())
return false;
}
@ -174,8 +163,8 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
else
keyLen = reader.ReadInt16() ^ s2;
if (int64Method != null)
magic1 = (int)getMagic() ^ i1 ^ i2;
if (decrypterType.Detected)
magic1 = (int)decrypterType.getMagic() ^ i1 ^ i2;
}
public string decrypt(int val) {
@ -185,7 +174,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
byte[] tmpKey;
if (theKey == null) {
tmpKey = reader.ReadBytes(keyLen == -1 ? (short)(reader.ReadInt16() ^ s3 ^ offset) : keyLen);
if (int64Method != null) {
if (decrypterType.Detected) {
for (int i = 0; i < tmpKey.Length; i++)
tmpKey[i] ^= (byte)(magic1 >> ((i & 3) << 3));
}
@ -196,7 +185,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
int flags = i4 ^ magic1 ^ offset ^ reader.ReadInt32();
if (checkMinus2 && flags == -2) {
var ary2 = reader.ReadBytes(4);
val = -(magic1 ^ i7) ^ (ary2[2] | (ary2[0] << 8) | (ary2[3] << 16) | (ary2[1] << 24));
val = -(magic1 ^ i5) ^ (ary2[2] | (ary2[0] << 8) | (ary2[3] << 16) | (ary2[1] << 24));
continue;
}
@ -272,203 +261,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return lcg * 214013 + 2531011;
}
uint getMagic() {
var bytes = new List<byte>();
if (module.Assembly != null) {
if (module.Assembly.Name.PublicKeyToken != null)
bytes.AddRange(module.Assembly.Name.PublicKeyToken);
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.Name));
}
int cm1 = constMethod1();
int token = int64Method.DeclaringType.MetadataToken.ToInt32();
bytes.Add((byte)(token >> 24));
bytes.Add((byte)(cm1 >> 16));
bytes.Add((byte)(token >> 8));
bytes.Add((byte)cm1);
bytes.Add((byte)(token >> 16));
bytes.Add((byte)(cm1 >> 8));
bytes.Add((byte)token);
bytes.Add((byte)(cm1 >> 24));
ulong magic = 0;
foreach (var b in bytes) {
magic += b;
magic += magic << 20;
magic ^= magic >> 12;
}
magic += magic << 6;
magic ^= magic >> 22;
magic += magic << 30;
return (uint)magic ^ (uint)l1;
}
bool findResource(MethodDefinition method) {
encryptedResource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
return encryptedResource != null;
}
int getToken(int constant) {
var method = findNestedTypeMethod(constant);
if (method == null)
return 0;
return method.DeclaringType.MetadataToken.ToInt32();
}
bool findInt5() {
var consts = getConstants(findNestedTypeMethod(1294352278));
if (consts.Count != 2)
return false;
i5 = consts[1];
return true;
}
bool findInt6() {
var consts = getConstants(findNestedTypeMethod(1106695601));
if (consts.Count != 1)
return false;
i6 = consts[0];
return true;
}
bool findMethodInts() {
foreach (var type in int64Method.DeclaringType.NestedTypes) {
var methods = getBinaryIntMethods(type);
if (methods.Count < 3)
continue;
if (!findMethod1Int(methods))
continue;
if (!findMethod2Int(methods))
continue;
if (!findMethod3Int(methods))
continue;
return true;
}
return false;
}
static List<MethodDefinition> getBinaryIntMethods(TypeDefinition type) {
var list = new List<MethodDefinition>();
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.isMethod(method, "System.Int32", "(System.Int32,System.Int32)"))
continue;
list.Add(method);
}
return list;
}
bool findMethod1Int(IEnumerable<MethodDefinition> methods) {
foreach (var method in methods) {
if (countInstructions(method, Code.Ldarg_0) != 1)
continue;
var constants = getConstants(method);
if (constants.Count != 1)
continue;
m1_i1 = constants[0];
return true;
}
return false;
}
bool findMethod2Int(IEnumerable<MethodDefinition> methods) {
foreach (var method in methods) {
var constants = getConstants(method);
if (constants.Count != 2)
continue;
m2_i1 = constants[0];
m2_i2 = constants[1];
return true;
}
return false;
}
bool findMethod3Int(IEnumerable<MethodDefinition> methods) {
foreach (var method in methods) {
if (countInstructions(method, Code.Ldarg_0) != 2)
continue;
var constants = getConstants(method);
if (constants.Count != 1)
continue;
m3_i1 = constants[0];
return true;
}
return false;
}
static int countInstructions(MethodDefinition method, Code code) {
int count = 0;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code == code)
count++;
}
return count;
}
static List<int> getConstants(MethodDefinition method) {
var list = new List<int>();
if (method == null)
return list;
int index = 0;
var instrs = method.Body.Instructions;
while (true) {
int val;
if (!getNextInt32(method, ref index, out val))
break;
if (index + 1 < instrs.Count && instrs[index].OpCode.Code != Code.Ret)
list.Add(val);
}
return list;
}
MethodDefinition findNestedTypeMethod(int constant) {
foreach (var type in int64Method.DeclaringType.NestedTypes) {
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldci4 = instrs[i];
if (!DotNetUtils.isLdcI4(ldci4))
continue;
if (DotNetUtils.getLdcI4Value(ldci4) != constant)
continue;
if (instrs[i + 1].OpCode.Code != Code.Ret)
continue;
return method;
}
}
}
return null;
}
bool findInt64(MethodDefinition method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldci8 = instrs[i];
if (ldci8.OpCode.Code != Code.Ldc_I8)
continue;
if (instrs[i + 1].OpCode.Code != Code.Xor)
continue;
l1 = (ulong)(long)ldci8.Operand;
return true;
}
return false;
}
static MethodDefinition findInt64Method(MethodDefinition method) {
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call)
@ -515,7 +312,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
if (!findCallReadInt16(method, ref index))
return false;
index++;
return getInt16(method, ref index, ref s);
return EfUtils.getInt16(method, ref index, ref s);
}
bool findInts(MethodDefinition method) {
@ -523,19 +320,19 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
if (index < 0)
return false;
if (!getNextInt32(method, ref index, out i1))
if (!EfUtils.getNextInt32(method, ref index, out i1))
return false;
int tmp;
if (!getNextInt32(method, ref index, out tmp))
if (!EfUtils.getNextInt32(method, ref index, out tmp))
return false;
if (!getNextInt32(method, ref index, out i2))
if (!EfUtils.getNextInt32(method, ref index, out i2))
return false;
return true;
}
bool findInt3(MethodDefinition method) {
if (int64Method == null)
if (!decrypterType.Detected)
return findInt3Old(method);
return findInt3New(method);
}
@ -554,7 +351,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
int index = i + 1;
int value;
if (!getInt32(method, ref index, out value))
if (!EfUtils.getInt32(method, ref index, out value))
continue;
if (index >= instrs.Count)
continue;
@ -601,13 +398,13 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
int index = 0;
if (!findCallReadInt32(method, ref index))
return false;
if (!getNextInt32(method, ref index, out i4))
if (!EfUtils.getNextInt32(method, ref index, out i4))
return false;
return true;
}
bool findInt7(MethodDefinition method) {
bool findInt5(MethodDefinition method) {
int index = -1;
while (true) {
index++;
@ -620,7 +417,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
continue;
if (DotNetUtils.getLdcI4Value(ldci4) != 4)
continue;
if (!getNextInt32(method, ref index, out i7))
if (!EfUtils.getNextInt32(method, ref index, out i5))
return false;
return true;
@ -653,85 +450,6 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return -1;
}
static bool getNextInt32(MethodDefinition method, ref int index, out int val) {
for (; index < method.Body.Instructions.Count; index++) {
var instr = method.Body.Instructions[index];
if (instr.OpCode.Code != Code.Ldc_I4_S && instr.OpCode.Code != Code.Ldc_I4)
continue;
return getInt32(method, ref index, out val);
}
val = 0;
return false;
}
static bool getInt16(MethodDefinition method, ref int index, ref short s) {
int val;
if (!getInt32(method, ref index, out val))
return false;
s = (short)val;
return true;
}
static bool getInt32(MethodDefinition method, ref int index, out int val) {
val = 0;
var instrs = method.Body.Instructions;
if (index >= instrs.Count)
return false;
var ldci4 = instrs[index];
if (ldci4.OpCode.Code != Code.Ldc_I4_S && ldci4.OpCode.Code != Code.Ldc_I4)
return false;
var stack = new Stack<int>();
stack.Push(DotNetUtils.getLdcI4Value(ldci4));
index++;
for (; index < instrs.Count; index++) {
int l = stack.Count - 1;
var instr = instrs[index];
switch (instr.OpCode.Code) {
case Code.Not:
stack.Push(~stack.Pop());
break;
case Code.Neg:
stack.Push(-stack.Pop());
break;
case Code.Ldc_I4:
case Code.Ldc_I4_S:
case Code.Ldc_I4_0:
case Code.Ldc_I4_1:
case Code.Ldc_I4_2:
case Code.Ldc_I4_3:
case Code.Ldc_I4_4:
case Code.Ldc_I4_5:
case Code.Ldc_I4_6:
case Code.Ldc_I4_7:
case Code.Ldc_I4_8:
case Code.Ldc_I4_M1:
stack.Push(DotNetUtils.getLdcI4Value(instr));
break;
case Code.Xor:
if (stack.Count < 2)
goto done;
stack.Push(stack.Pop() ^ stack.Pop());
break;
default:
goto done;
}
}
done:
while (stack.Count > 1)
stack.Pop();
val = stack.Pop();
return true;
}
static bool callsGetPublicKeyToken(MethodDefinition method) {
int index = 0;
return findCall(method, ref index, "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()");
@ -777,41 +495,5 @@ done:
return false;
}
int binOp1(int a, int b) {
return a ^ (b - m1_i1);
}
int binOp2(int a, int b) {
return (a - m2_i1) ^ (b + m2_i2);
}
int binOp3(int a, int b) {
return a ^ (b - m3_i1) ^ (a - b);
}
int constMethod1() {
return binOp3(binOp2(token2, binOp3(token1, token5)), constMethod6());
}
int constMethod2() {
return binOp1(token3, token4 ^ binOp2(token2, binOp3(token6, constMethod4())));
}
int constMethod3() {
return binOp3(binOp1(constMethod2() ^ 0x1F74F46E, token4), binOp2(token1 ^ token6, i5));
}
int constMethod4() {
return binOp3(token4, binOp1(token1, binOp2(token2, binOp3(token3, binOp1(token5, token6)))));
}
int constMethod5() {
return binOp2(binOp2(constMethod3(), binOp1(token5, constMethod2())), token6);
}
int constMethod6() {
return binOp1(token6, binOp3(binOp2(token5, token1), binOp3(token3 ^ i6, constMethod5())));
}
}
}