Update code for SA 1.x-3.x obfuscated assemblies
parent
f468aebda5
commit
c14eef2750
|
@ -105,8 +105,11 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
foreach (var field in type.Fields) {
|
foreach (var field in type.Fields) {
|
||||||
if (!DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType)))
|
if (DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType)))
|
||||||
return false;
|
continue;
|
||||||
|
if (field.IsLiteral && field.FieldType.ToString() == "System.String")
|
||||||
|
continue;
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
}
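Review bot: The relaxed field loop has no comment saying why constant string fields are now tolerated, and it identifies them with `field.FieldType.ToString() == "System.String"`, a comparison on the type's printed name. With this change a type whose fields are only delegates and string literals passes the check, so the heuristic accepts more types than before; going by the commit title that is presumably what SA 1.x-3.x output needs. A line such as `// SA 1.x-3.x: the type may also declare const string fields` above the `IsLiteral` test would record that intent. The enclosing method begins outside the hunk, so how its result is used cannot be seen here.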
|
||||||
|
|
|
@ -83,6 +83,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (isV0(type)) {
|
if (isV0(type)) {
|
||||||
|
aerVersion = AerVersion.V0;
|
||||||
foreach (var method in type.Methods) {
|
foreach (var method in type.Methods) {
|
||||||
if (method.IsStatic)
|
if (method.IsStatic)
|
||||||
exceptionLoggerRemover.add(method);
|
exceptionLoggerRemover.add(method);
|
||||||
|
@ -206,9 +207,14 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
bool isAutomatedErrorReportingMethod(MethodDefinition method) {
|
bool isAutomatedErrorReportingMethod(MethodDefinition method) {
|
||||||
if (!method.HasBody || !method.IsStatic || method.Name == ".ctor")
|
if (!method.HasBody || !method.IsStatic || method.Name == ".ctor")
|
||||||
return false;
|
return false;
|
||||||
return DotNetUtils.isMethod(method, "System.Void", "(System.Exception,System.Object[])") ||
|
return
|
||||||
|
// 5.x-6.x
|
||||||
|
DotNetUtils.isMethod(method, "System.Void", "(System.Exception,System.Object[])") ||
|
||||||
|
// 5.x-6.x
|
||||||
|
DotNetUtils.isMethod(method, "System.Void", "(System.Exception,System.Int32,System.Object[])") ||
|
||||||
|
// 3.x-4.x
|
||||||
DotNetUtils.isMethod(method, "System.Exception", "(System.Exception,System.Object[])") ||
|
DotNetUtils.isMethod(method, "System.Exception", "(System.Exception,System.Object[])") ||
|
||||||
// 2.x
|
// 2.x-4.x
|
||||||
DotNetUtils.isMethod(method, "System.Exception", "(System.Exception,System.Int32,System.Object[])") ||
|
DotNetUtils.isMethod(method, "System.Exception", "(System.Exception,System.Int32,System.Object[])") ||
|
||||||
// 1.x
|
// 1.x
|
||||||
DotNetUtils.isMethod(method, "System.Exception", "(System.Int32,System.Exception,System.Object[])");
|
DotNetUtils.isMethod(method, "System.Exception", "(System.Int32,System.Exception,System.Object[])");
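Review bot: In `isAutomatedErrorReportingMethod` the added `System.Void` / `(System.Exception,System.Int32,System.Object[])` case widens a match that relies on return and parameter types only. Both `System.Void` cases also carry the same `// 5.x-6.x` label, so a reader cannot tell which layout belongs to which release. Any static method with a body and one of these shapes is accepted, including one written by the application author; whether a caller narrows this further is not visible in the hunk. Since a wrong match could lead the remover to strip calls from the code being analysed, I would add a comment above the `return`, for example `// Signature-only match: callers must confirm the method belongs to the SA error reporter`.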
|
||||||
|
|
|
@ -112,7 +112,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
if (!findDecrypterMethod())
|
if (!findDecrypterMethod())
|
||||||
throw new ApplicationException("Could not find string decrypter method");
|
throw new ApplicationException("Could not find string decrypter method");
|
||||||
|
|
||||||
if (!findStringsResource(deob, simpleDeobfuscator, cctor ?? stringDecrypterMethod))
|
if (!findStringsResource(deob, simpleDeobfuscator, cctor))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (decrypterVersion <= StringDecrypterVersion.V3) {
|
if (decrypterVersion <= StringDecrypterVersion.V3) {
|
||||||
|
@ -126,10 +126,12 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
|
|
||||||
stringOffset = 0;
|
stringOffset = 0;
|
||||||
if (decrypterVersion != StringDecrypterVersion.V1) {
|
if (decrypterVersion != StringDecrypterVersion.V1) {
|
||||||
var pkt = module.Assembly.Name.PublicKeyToken;
|
if (callsGetPublicKeyToken(initMethod)) {
|
||||||
if (pkt != null) {
|
var pkt = module.Assembly.Name.PublicKeyToken;
|
||||||
for (int i = 0; i < pkt.Length - 1; i += 2)
|
if (pkt != null) {
|
||||||
stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
|
for (int i = 0; i < pkt.Length - 1; i += 2)
|
||||||
|
stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (DotNetUtils.findLdcI4Constant(initMethod, 0xFFFFFF) &&
|
if (DotNetUtils.findLdcI4Constant(initMethod, 0xFFFFFF) &&
|
||||||
|
@ -146,14 +148,22 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
decrypterVersion = StringDecrypterVersion.V4;
|
decrypterVersion = StringDecrypterVersion.V4;
|
||||||
}
|
}
|
||||||
|
|
||||||
simpleZipType = cctor == null ? null : findSimpleZipType(cctor);
|
simpleZipType = findSimpleZipType(cctor) ?? findSimpleZipType(stringDecrypterMethod);
|
||||||
if (simpleZipType != null)
|
if (simpleZipType != null)
|
||||||
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipType, simpleDeobfuscator));
|
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipType, simpleDeobfuscator));
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findStringsResource(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition initMethod) {
|
bool callsGetPublicKeyToken(MethodDefinition method) {
|
||||||
|
foreach (var calledMethod in DotNetUtils.getMethodCalls(method)) {
|
||||||
|
if (calledMethod.ToString() == "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()")
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findStringsResource(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition cctor) {
|
||||||
if (stringsResource != null)
|
if (stringsResource != null)
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
|
@ -163,16 +173,26 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (initMethod != null) {
|
if (findStringsResource2(deob, simpleDeobfuscator, cctor))
|
||||||
stringsResource = findStringResource(initMethod);
|
return true;
|
||||||
if (stringsResource != null)
|
if (findStringsResource2(deob, simpleDeobfuscator, stringDecrypterMethod))
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
simpleDeobfuscator.decryptStrings(initMethod, deob);
|
return false;
|
||||||
stringsResource = findStringResource(initMethod);
|
}
|
||||||
if (stringsResource != null)
|
|
||||||
return true;
|
bool findStringsResource2(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition initMethod) {
|
||||||
}
|
if (initMethod == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
stringsResource = findStringResource(initMethod);
|
||||||
|
if (stringsResource != null)
|
||||||
|
return true;
|
||||||
|
|
||||||
|
simpleDeobfuscator.decryptStrings(initMethod, deob);
|
||||||
|
stringsResource = findStringResource(initMethod);
|
||||||
|
if (stringsResource != null)
|
||||||
|
return true;
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -270,6 +290,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
// Find SmartAssembly.Zip.SimpleZip, which is the class that decrypts and inflates
|
// Find SmartAssembly.Zip.SimpleZip, which is the class that decrypts and inflates
|
||||||
// data in the resources.
|
// data in the resources.
|
||||||
TypeDefinition findSimpleZipType(MethodDefinition method) {
|
TypeDefinition findSimpleZipType(MethodDefinition method) {
|
||||||
|
if (method == null || method.Body == null)
|
||||||
|
return null;
|
||||||
var instructions = method.Body.Instructions;
|
var instructions = method.Body.Instructions;
|
||||||
for (int i = 0; i <= instructions.Count - 2; i++) {
|
for (int i = 0; i <= instructions.Count - 2; i++) {
|
||||||
var call = instructions[i];
|
var call = instructions[i];
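Review bot: `callsGetPublicKeyToken` is the one new helper without a null guard, while `findStringsResource2` and `findSimpleZipType` both gain one in this commit; it hands `method` straight to `DotNetUtils.getMethodCalls`. Whether that helper tolerates null or a body-less method is not visible here, so I would open it with `if (method == null || method.Body == null) return false;`. The public-key-token XOR now depends on an exact text match of `calledMethod.ToString()` found directly in `initMethod`; if the token is read through another method, `stringOffset` silently stays 0 and the decrypted strings would be wrong, so a log line on the skip path would help whoever triages the output. The hunk at -126 where the gate is applied sits inside a method whose beginning and end are outside the view.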
|
||||||
|
|