Support Confuser 1.7 r75076 compressor (lzma)
This commit is contained in:
parent
e7f3828078
commit
ade379c20b
|
@ -24,6 +24,7 @@ using Mono.Cecil;
|
||||||
using Mono.Cecil.Cil;
|
using Mono.Cecil.Cil;
|
||||||
using Mono.Cecil.Metadata;
|
using Mono.Cecil.Metadata;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
using SevenZip.Compression.LZMA;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Confuser {
|
namespace de4dot.code.deobfuscators.Confuser {
|
||||||
class RealAssemblyInfo {
|
class RealAssemblyInfo {
|
||||||
|
@ -80,6 +81,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
v15_r60785,
|
v15_r60785,
|
||||||
v17_r73404,
|
v17_r73404,
|
||||||
v17_r73477,
|
v17_r73477,
|
||||||
|
v17_r75076,
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool Detected {
|
public bool Detected {
|
||||||
|
@ -108,7 +110,12 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
var type = entryPoint.DeclaringType;
|
var type = entryPoint.DeclaringType;
|
||||||
if (!new FieldTypes(type).all(requiredFields))
|
if (!new FieldTypes(type).all(requiredFields))
|
||||||
return;
|
return;
|
||||||
var decyptMethod = findDecryptMethod(type);
|
bool use7zip = type.NestedTypes.Count == 6;
|
||||||
|
MethodDefinition decyptMethod;
|
||||||
|
if (use7zip)
|
||||||
|
decyptMethod = findDecryptMethod_7zip(type);
|
||||||
|
else
|
||||||
|
decyptMethod = findDecryptMethod_inflate(type);
|
||||||
if (decyptMethod == null)
|
if (decyptMethod == null)
|
||||||
return;
|
return;
|
||||||
var decryptLocals = new LocalTypes(decyptMethod);
|
var decryptLocals = new LocalTypes(decyptMethod);
|
||||||
|
@ -142,7 +149,9 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
version = ConfuserVersion.v14_r58852;
|
version = ConfuserVersion.v14_r58852;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (isDecryptMethod_v17_r73404(decyptMethod))
|
if (use7zip)
|
||||||
|
version = ConfuserVersion.v17_r75076;
|
||||||
|
else if (isDecryptMethod_v17_r73404(decyptMethod))
|
||||||
version = ConfuserVersion.v17_r73404;
|
version = ConfuserVersion.v17_r73404;
|
||||||
else
|
else
|
||||||
version = ConfuserVersion.v15_r60785;
|
version = ConfuserVersion.v15_r60785;
|
||||||
|
@ -157,7 +166,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
simpleDeobfuscator.deobfuscate(cctor);
|
simpleDeobfuscator.deobfuscate(cctor);
|
||||||
simpleDeobfuscator.decryptStrings(cctor, deob);
|
simpleDeobfuscator.decryptStrings(cctor, deob);
|
||||||
|
|
||||||
if (findEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken))
|
if (findEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip)
|
||||||
version = ConfuserVersion.v17_r73477;
|
version = ConfuserVersion.v17_r73477;
|
||||||
|
|
||||||
mainAsmResource = findResource(cctor);
|
mainAsmResource = findResource(cctor);
|
||||||
|
@ -332,17 +341,39 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
return DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
|
return DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
|
||||||
}
|
}
|
||||||
|
|
||||||
static string[] requiredDecryptLocals = new string[] {
|
static string[] requiredDecryptLocals_inflate = new string[] {
|
||||||
"System.Byte[]",
|
"System.Byte[]",
|
||||||
"System.IO.Compression.DeflateStream",
|
"System.IO.Compression.DeflateStream",
|
||||||
};
|
};
|
||||||
static MethodDefinition findDecryptMethod(TypeDefinition type) {
|
static MethodDefinition findDecryptMethod_inflate(TypeDefinition type) {
|
||||||
foreach (var method in type.Methods) {
|
foreach (var method in type.Methods) {
|
||||||
if (!method.IsStatic || method.Body == null)
|
if (!method.IsStatic || method.Body == null)
|
||||||
continue;
|
continue;
|
||||||
if (!DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte[])"))
|
if (!DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte[])"))
|
||||||
continue;
|
continue;
|
||||||
if (!new LocalTypes(method).all(requiredDecryptLocals))
|
if (!new LocalTypes(method).all(requiredDecryptLocals_inflate))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return method;
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
static string[] requiredDecryptLocals_7zip = new string[] {
|
||||||
|
"System.Byte[]",
|
||||||
|
"System.Int64",
|
||||||
|
"System.IO.BinaryReader",
|
||||||
|
"System.IO.MemoryStream",
|
||||||
|
"System.Security.Cryptography.CryptoStream",
|
||||||
|
"System.Security.Cryptography.RijndaelManaged",
|
||||||
|
};
|
||||||
|
static MethodDefinition findDecryptMethod_7zip(TypeDefinition type) {
|
||||||
|
foreach (var method in type.Methods) {
|
||||||
|
if (!method.IsStatic || method.Body == null)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte[])"))
|
||||||
|
continue;
|
||||||
|
if (!new LocalTypes(method).all(requiredDecryptLocals_7zip))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
return method;
|
return method;
|
||||||
|
@ -400,6 +431,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v15_r60785: return decrypt_v15_r60785(data);
|
case ConfuserVersion.v15_r60785: return decrypt_v15_r60785(data);
|
||||||
case ConfuserVersion.v17_r73404: return decrypt_v17_r73404(data);
|
case ConfuserVersion.v17_r73404: return decrypt_v17_r73404(data);
|
||||||
case ConfuserVersion.v17_r73477: return decrypt_v17_r73404(data);
|
case ConfuserVersion.v17_r73477: return decrypt_v17_r73404(data);
|
||||||
|
case ConfuserVersion.v17_r75076: return decrypt_v17_r75076(data);
|
||||||
default: throw new ApplicationException("Unknown version");
|
default: throw new ApplicationException("Unknown version");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -457,6 +489,27 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
return reader.ReadBytes(reader.ReadInt32());
|
return reader.ReadBytes(reader.ReadInt32());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
byte[] decrypt_v17_r75076(byte[] data) {
|
||||||
|
var reader = new BinaryReader(new MemoryStream(data));
|
||||||
|
byte[] key, iv;
|
||||||
|
data = decrypt_v15_r60785(reader, out key, out iv);
|
||||||
|
return sevenzipDecompress(DeobUtils.aesDecrypt(data, key, iv));
|
||||||
|
}
|
||||||
|
|
||||||
|
static byte[] sevenzipDecompress(byte[] data) {
|
||||||
|
var reader = new BinaryReader(new MemoryStream(data));
|
||||||
|
int totalSize = reader.ReadInt32();
|
||||||
|
var props = reader.ReadBytes(5);
|
||||||
|
var decoder = new Decoder();
|
||||||
|
decoder.SetDecoderProperties(props);
|
||||||
|
if ((long)totalSize != reader.ReadInt64())
|
||||||
|
throw new ApplicationException("Invalid total size");
|
||||||
|
long compressedSize = data.Length - props.Length - 8;
|
||||||
|
var decompressed = new byte[totalSize];
|
||||||
|
decoder.Code(reader.BaseStream, new MemoryStream(decompressed, true), compressedSize, totalSize, null);
|
||||||
|
return decompressed;
|
||||||
|
}
|
||||||
|
|
||||||
public void deobfuscate(Blocks blocks) {
|
public void deobfuscate(Blocks blocks) {
|
||||||
if (asmResolverMethod == null)
|
if (asmResolverMethod == null)
|
||||||
return;
|
return;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user