Update code for SA 1.x-3.x obfuscated assemblies
This commit is contained in:
parent
f468aebda5
commit
c14eef2750
|
@ -105,7 +105,10 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return true;
|
||||
|
||||
foreach (var field in type.Fields) {
|
||||
if (!DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType)))
|
||||
if (DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType)))
|
||||
continue;
|
||||
if (field.IsLiteral && field.FieldType.ToString() == "System.String")
|
||||
continue;
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
|
|
|
@ -83,6 +83,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return false;
|
||||
|
||||
if (isV0(type)) {
|
||||
aerVersion = AerVersion.V0;
|
||||
foreach (var method in type.Methods) {
|
||||
if (method.IsStatic)
|
||||
exceptionLoggerRemover.add(method);
|
||||
|
@ -206,9 +207,14 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
bool isAutomatedErrorReportingMethod(MethodDefinition method) {
|
||||
if (!method.HasBody || !method.IsStatic || method.Name == ".ctor")
|
||||
return false;
|
||||
return DotNetUtils.isMethod(method, "System.Void", "(System.Exception,System.Object[])") ||
|
||||
return
|
||||
// 5.x-6.x
|
||||
DotNetUtils.isMethod(method, "System.Void", "(System.Exception,System.Object[])") ||
|
||||
// 5.x-6.x
|
||||
DotNetUtils.isMethod(method, "System.Void", "(System.Exception,System.Int32,System.Object[])") ||
|
||||
// 3.x-4.x
|
||||
DotNetUtils.isMethod(method, "System.Exception", "(System.Exception,System.Object[])") ||
|
||||
// 2.x
|
||||
// 2.x-4.x
|
||||
DotNetUtils.isMethod(method, "System.Exception", "(System.Exception,System.Int32,System.Object[])") ||
|
||||
// 1.x
|
||||
DotNetUtils.isMethod(method, "System.Exception", "(System.Int32,System.Exception,System.Object[])");
|
||||
|
|
|
@ -112,7 +112,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
if (!findDecrypterMethod())
|
||||
throw new ApplicationException("Could not find string decrypter method");
|
||||
|
||||
if (!findStringsResource(deob, simpleDeobfuscator, cctor ?? stringDecrypterMethod))
|
||||
if (!findStringsResource(deob, simpleDeobfuscator, cctor))
|
||||
return false;
|
||||
|
||||
if (decrypterVersion <= StringDecrypterVersion.V3) {
|
||||
|
@ -126,11 +126,13 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
|
||||
stringOffset = 0;
|
||||
if (decrypterVersion != StringDecrypterVersion.V1) {
|
||||
if (callsGetPublicKeyToken(initMethod)) {
|
||||
var pkt = module.Assembly.Name.PublicKeyToken;
|
||||
if (pkt != null) {
|
||||
for (int i = 0; i < pkt.Length - 1; i += 2)
|
||||
stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
|
||||
}
|
||||
}
|
||||
|
||||
if (DotNetUtils.findLdcI4Constant(initMethod, 0xFFFFFF) &&
|
||||
DotNetUtils.findLdcI4Constant(initMethod, 0xFFFF)) {
|
||||
|
@ -146,14 +148,22 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
decrypterVersion = StringDecrypterVersion.V4;
|
||||
}
|
||||
|
||||
simpleZipType = cctor == null ? null : findSimpleZipType(cctor);
|
||||
simpleZipType = findSimpleZipType(cctor) ?? findSimpleZipType(stringDecrypterMethod);
|
||||
if (simpleZipType != null)
|
||||
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipType, simpleDeobfuscator));
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
bool findStringsResource(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition initMethod) {
|
||||
bool callsGetPublicKeyToken(MethodDefinition method) {
|
||||
foreach (var calledMethod in DotNetUtils.getMethodCalls(method)) {
|
||||
if (calledMethod.ToString() == "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()")
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
bool findStringsResource(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition cctor) {
|
||||
if (stringsResource != null)
|
||||
return true;
|
||||
|
||||
|
@ -163,7 +173,18 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return true;
|
||||
}
|
||||
|
||||
if (initMethod != null) {
|
||||
if (findStringsResource2(deob, simpleDeobfuscator, cctor))
|
||||
return true;
|
||||
if (findStringsResource2(deob, simpleDeobfuscator, stringDecrypterMethod))
|
||||
return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
bool findStringsResource2(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition initMethod) {
|
||||
if (initMethod == null)
|
||||
return false;
|
||||
|
||||
stringsResource = findStringResource(initMethod);
|
||||
if (stringsResource != null)
|
||||
return true;
|
||||
|
@ -172,7 +193,6 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
stringsResource = findStringResource(initMethod);
|
||||
if (stringsResource != null)
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
@ -270,6 +290,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
// Find SmartAssembly.Zip.SimpleZip, which is the class that decrypts and inflates
|
||||
// data in the resources.
|
||||
TypeDefinition findSimpleZipType(MethodDefinition method) {
|
||||
if (method == null || method.Body == null)
|
||||
return null;
|
||||
var instructions = method.Body.Instructions;
|
||||
for (int i = 0; i <= instructions.Count - 2; i++) {
|
||||
var call = instructions[i];
|
||||
|
|
Loading…
Reference in New Issue
Block a user