From cca8eba9edf2987141c923d7b9611148aae05613 Mon Sep 17 00:00:00 2001 From: de4dot Date: Sun, 18 Nov 2012 08:13:51 +0100 Subject: [PATCH] Port ILProtector deobfuscator --- de4dot.code/de4dot.code.csproj | 8 +- .../CryptoObfuscator/MethodBodyReader.cs | 2 +- .../deobfuscators/ILProtector/Deobfuscator.cs | 1 - .../deobfuscators/ILProtector/MainType.cs | 10 +- .../deobfuscators/ILProtector/MethodReader.cs | 148 +++++++++--------- .../ILProtector/MethodsDecrypter.cs | 66 ++++---- de4dot.cui/Program.cs | 2 - dot10 | 2 +- 8 files changed, 120 insertions(+), 119 deletions(-) diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj index a47ba12f..42e5e11a 100644 --- a/de4dot.code/de4dot.code.csproj +++ b/de4dot.code/de4dot.code.csproj @@ -201,10 +201,10 @@ - - - - + + + + diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/MethodBodyReader.cs b/de4dot.code/deobfuscators/CryptoObfuscator/MethodBodyReader.cs index c37cfb78..5a60d4f4 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/MethodBodyReader.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/MethodBodyReader.cs @@ -118,7 +118,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { return eh; } - public new void RestoreMethod(MethodDef method) { + public override void RestoreMethod(MethodDef method) { base.RestoreMethod(method); method.Body.MaxStack = maxStackSize; } diff --git a/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs b/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs index 7da40551..45593e47 100644 --- a/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs 
@@ -108,7 +108,6 @@ namespace de4dot.code.deobfuscators.ILProtector { addFieldToBeRemoved(mainType.InvokerInstanceField, "Invoker delegate instance field"); foreach (var pm in mainType.ProtectMethods) { addMethodToBeRemoved(pm, "Obfuscator 'Protect' init method"); - addModuleReferenceToBeRemoved(pm.PInvokeInfo.Module, "Obfuscator native protection file"); } mainType.cleanUp(); } diff --git a/de4dot.code/deobfuscators/ILProtector/MainType.cs b/de4dot.code/deobfuscators/ILProtector/MainType.cs index d7f3f571..bcdbe4f9 100644 --- a/de4dot.code/deobfuscators/ILProtector/MainType.cs +++ b/de4dot.code/deobfuscators/ILProtector/MainType.cs @@ -24,7 +24,7 @@ using de4dot.blocks; namespace de4dot.code.deobfuscators.ILProtector { class MainType { - ModuleDefinition module; + ModuleDefMD module; List protectMethods; TypeDef invokerDelegate; FieldDef invokerInstanceField; @@ -45,7 +45,7 @@ namespace de4dot.code.deobfuscators.ILProtector { get { return protectMethods != null; } } - public MainType(ModuleDefinition module) { + public MainType(ModuleDefMD module) { this.module = module; } @@ -74,7 +74,7 @@ namespace de4dot.code.deobfuscators.ILProtector { return false; var theField = type.Fields[0]; - var theDelegate = theField.FieldType as TypeDef; + var theDelegate = theField.FieldType.TryGetTypeDef(); if (theDelegate == null || !DotNetUtils.derivesFromDelegate(theDelegate)) return false; @@ -87,7 +87,7 @@ namespace de4dot.code.deobfuscators.ILProtector { static List getPinvokeMethods(TypeDef type, string name) { var list = new List(); foreach (var method in type.Methods) { - if (method.PInvokeInfo != null && method.PInvokeInfo.EntryPoint == name) + if (method.ImplMap != null && method.ImplMap.Name == name) list.Add(method); } return list; 
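Review bot: Removing `addModuleReferenceToBeRemoved(pm.PInvokeInfo.Module, ...)` without a replacement means the native protection file's ModuleRef is no longer scheduled for removal, so the cleaned assembly keeps a reference to the obfuscator's native DLL even though the P/Invoke methods that used it are removed. The MainType hunk in this same commit already switches the P/Invoke lookup to `method.ImplMap`, and the dot10 ImplMap appears to expose the same module reference, so the line can be kept as `addModuleReferenceToBeRemoved(pm.ImplMap.Module, "Obfuscator native protection file");` (confirm the property name against the dot10 revision pinned below). If the removal was dropped on purpose because the ModuleRef can be shared with other P/Invokes, a one-line comment at this spot saying so would stop it from being re-added later.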
@@ -97,7 +97,7 @@ namespace de4dot.code.deobfuscators.ILProtector { var cctor = DotNetUtils.getModuleTypeCctor(module); if (cctor != null) { cctor.Body.InitLocals = false; - cctor.Body.Variables.Clear(); + cctor.Body.LocalList.Clear(); cctor.Body.Instructions.Clear(); cctor.Body.Instructions.Add(Instruction.Create(OpCodes.Ret)); cctor.Body.ExceptionHandlers.Clear(); diff --git a/de4dot.code/deobfuscators/ILProtector/MethodReader.cs b/de4dot.code/deobfuscators/ILProtector/MethodReader.cs index 1231f902..b3d311c4 100644 --- a/de4dot.code/deobfuscators/ILProtector/MethodReader.cs +++ b/de4dot.code/deobfuscators/ILProtector/MethodReader.cs @@ -20,14 +20,15 @@ using System; using System.Collections.Generic; using System.IO; +using dot10.IO; using dot10.DotNet; +using dot10.DotNet.MD; using dot10.DotNet.Emit; -using Mono.Cecil.Metadata; using de4dot.blocks; namespace de4dot.code.deobfuscators.ILProtector { class MethodReader : MethodBodyReaderBase { - ModuleDefinition module; + ModuleDefMD module; MethodFlags flags; TypeDef delegateType; @@ -59,10 +60,9 @@ namespace de4dot.code.deobfuscators.ILProtector { get { return (flags & MethodFlags.HasExceptionHandlers) != 0; } } - public MethodReader(ModuleDefinition module, byte[] data, IList parameters) - : base(new BinaryReader(new MemoryStream(data))) { + public MethodReader(ModuleDefMD module, byte[] data, IList parameters) + : base(MemoryImageStream.Create(data), parameters) { this.module = module; - this.parameters = parameters; } public void read() { 
@@ -71,11 +71,11 @@ namespace de4dot.code.deobfuscators.ILProtector { if (!DotNetUtils.derivesFromDelegate(delegateType)) throw new ApplicationException("Invalid delegate type"); if (HasLocals) - readLocals(Utils.readEncodedInt32(reader)); + readLocals((int)reader.Read7BitEncodedUInt32()); if (HasInstructions) - readInstructions(Utils.readEncodedInt32(reader)); + ReadInstructions((int)reader.Read7BitEncodedUInt32()); if (HasExceptionHandlers) - readExceptionHandlers(Utils.readEncodedInt32(reader)); + readExceptionHandlers((int)reader.Read7BitEncodedUInt32()); } int getTypeDefOrRefToken(uint token) { 
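Review bot: The three `(int)reader.Read7BitEncodedUInt32()` casts hand a count taken straight from the protected blob to `readLocals`, `ReadInstructions` and `readExceptionHandlers` with no range check; a value of 2^31 or more becomes negative, and a merely oversized one drives loops and pre-sized lists with attacker-chosen numbers, so a malformed or hostile sample fails with an `ArgumentOutOfRangeException`/`OutOfMemoryException` far from the cause instead of a clear "invalid method data" error. Since every local, instruction and handler consumes at least one byte, the count can be bounded by the bytes left in the reader: a helper such as `int readCount() { uint n = reader.Read7BitEncodedUInt32(); if (n > reader.Length - reader.Position) throw new ApplicationException("Invalid count"); return (int)n; }` used in all three places keeps the failure mode consistent with the `ApplicationException("Invalid delegate type")` already thrown above (this assumes the base reader is the same IBinaryReader with Position/Length that MethodsDecrypter uses; confirm). `read()` starts in the previous hunk and the enclosing class continues past this one.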
@@ -88,123 +88,127 @@ namespace de4dot.code.deobfuscators.ILProtector { } void readLocals(int numLocals) { - var localsTypes = new List(); + var localsTypes = new List(); for (int i = 0; i < numLocals; i++) localsTypes.Add(readType()); - setLocals(localsTypes); + SetLocals(localsTypes); } T resolve(int token) { - return (T)module.LookupToken(token); + return (T)module.ResolveToken(token); } int readTypeToken() { - return getTypeDefOrRefToken(Utils.readEncodedUInt32(reader)); + return getTypeDefOrRefToken(reader.Read7BitEncodedUInt32()); } - TypeReference readType() { - TypeReference elementType; + TypeSig readType() { switch ((ElementType)reader.ReadByte()) { - case ElementType.Void: return module.TypeSystem.Void; - case ElementType.Boolean: return module.TypeSystem.Boolean; - case ElementType.Char: return module.TypeSystem.Char; - case ElementType.I1: return module.TypeSystem.SByte; - case ElementType.U1: return module.TypeSystem.Byte; - case ElementType.I2: return module.TypeSystem.Int16; - case ElementType.U2: return module.TypeSystem.UInt16; - case ElementType.I4: return module.TypeSystem.Int32; - case ElementType.U4: return module.TypeSystem.UInt32; - case ElementType.I8: return module.TypeSystem.Int64; - case ElementType.U8: return module.TypeSystem.UInt64; - case ElementType.R4: return module.TypeSystem.Single; - case ElementType.R8: return module.TypeSystem.Double; - case ElementType.String: return module.TypeSystem.String; - case ElementType.Ptr: return new PointerType(readType()); - case ElementType.ByRef: return new ByReferenceType(readType()); - case ElementType.TypedByRef: return module.TypeSystem.TypedReference; - case ElementType.I: return module.TypeSystem.IntPtr; - case ElementType.U: return module.TypeSystem.UIntPtr; - case ElementType.Object: return module.TypeSystem.Object; - case ElementType.SzArray: return new ArrayType(readType()); - case ElementType.Sentinel: return new SentinelType(readType()); - case ElementType.Pinned: return new 
PinnedType(readType()); + case ElementType.Void: return module.CorLibTypes.Void; + case ElementType.Boolean: return module.CorLibTypes.Boolean; + case ElementType.Char: return module.CorLibTypes.Char; + case ElementType.I1: return module.CorLibTypes.SByte; + case ElementType.U1: return module.CorLibTypes.Byte; + case ElementType.I2: return module.CorLibTypes.Int16; + case ElementType.U2: return module.CorLibTypes.UInt16; + case ElementType.I4: return module.CorLibTypes.Int32; + case ElementType.U4: return module.CorLibTypes.UInt32; + case ElementType.I8: return module.CorLibTypes.Int64; + case ElementType.U8: return module.CorLibTypes.UInt64; + case ElementType.R4: return module.CorLibTypes.Single; + case ElementType.R8: return module.CorLibTypes.Double; + case ElementType.String: return module.CorLibTypes.String; + case ElementType.Ptr: return new PtrSig(readType()); + case ElementType.ByRef: return new ByRefSig(readType()); + case ElementType.TypedByRef: return module.CorLibTypes.TypedReference; + case ElementType.I: return module.CorLibTypes.IntPtr; + case ElementType.U: return module.CorLibTypes.UIntPtr; + case ElementType.Object: return module.CorLibTypes.Object; + case ElementType.SZArray: return new SZArraySig(readType()); + case ElementType.Sentinel: readType(); return new SentinelSig(); + case ElementType.Pinned: return new PinnedSig(readType()); case ElementType.ValueType: case ElementType.Class: - return resolve(readTypeToken()); + return resolve(readTypeToken()).ToTypeSig(); case ElementType.Array: - elementType = readType(); - int rank = Utils.readEncodedInt32(reader); - return new ArrayType(elementType, rank); + var arrayType = readType(); + uint rank = reader.Read7BitEncodedUInt32(); + return new ArraySig(arrayType, rank); case ElementType.GenericInst: reader.ReadByte(); - elementType = resolve(readTypeToken()); - int numGenericArgs = Utils.readEncodedInt32(reader); - var git = new GenericInstanceType(elementType); + var genericType = 
resolve(readTypeToken()); + int numGenericArgs = (int)reader.Read7BitEncodedUInt32(); + var git = new GenericInstSig(genericType.ToTypeSig() as ClassOrValueTypeSig); for (int i = 0; i < numGenericArgs; i++) git.GenericArguments.Add(readType()); return git; - case ElementType.None: case ElementType.Var: case ElementType.MVar: case ElementType.FnPtr: - case ElementType.CModReqD: + case ElementType.CModReqd: case ElementType.CModOpt: case ElementType.Internal: - case ElementType.Modifier: - case ElementType.Type: - case ElementType.Boxed: - case ElementType.Enum: default: throw new ApplicationException("Invalid local element type"); } } - protected override FieldReference readInlineField(Instruction instr) { - return resolve(reader.ReadInt32()); + protected override IField ReadInlineField(Instruction instr) { + return resolve(reader.ReadInt32()); } - protected override MethodReference readInlineMethod(Instruction instr) { - return resolve(reader.ReadInt32()); + protected override IMethod ReadInlineMethod(Instruction instr) { + return resolve(reader.ReadInt32()); } - protected override CallSite readInlineSig(Instruction instr) { - return module.ReadCallSite(new MetadataToken(reader.ReadUInt32())); + protected override MethodSig ReadInlineSig(Instruction instr) { + var token = reader.ReadUInt32(); + if (MDToken.ToTable(token) != Table.StandAloneSig) + return null; + var sas = module.ResolveStandAloneSig(MDToken.ToRID(token)); + return sas == null ? 
null : sas.MethodSig; } - protected override string readInlineString(Instruction instr) { - return module.GetUserString(reader.ReadUInt32()); + protected override string ReadInlineString(Instruction instr) { + return module.ReadUserString(reader.ReadUInt32()); } - protected override MemberReference readInlineTok(Instruction instr) { - return resolve(reader.ReadInt32()); + protected override ITokenOperand ReadInlineTok(Instruction instr) { + return resolve(reader.ReadInt32()); } - protected override TypeReference readInlineType(Instruction instr) { - return resolve(reader.ReadInt32()); + protected override ITypeDefOrRef ReadInlineType(Instruction instr) { + return resolve(reader.ReadInt32()); } - protected override ExceptionHandler readExceptionHandler() { - var eh = new ExceptionHandler((ExceptionHandlerType)(Utils.readEncodedInt32(reader) & 7)); + void readExceptionHandlers(int numExceptionHandlers) { + exceptionHandlers = new List(numExceptionHandlers); + for (int i = 0; i < numExceptionHandlers; i++) + Add(readExceptionHandler()); + } - int tryOffset = Utils.readEncodedInt32(reader); - eh.TryStart = getInstruction(tryOffset); - eh.TryEnd = getInstructionOrNull(tryOffset + Utils.readEncodedInt32(reader)); + ExceptionHandler readExceptionHandler() { + var eh = new ExceptionHandler((ExceptionHandlerType)(reader.Read7BitEncodedUInt32() & 7)); - int handlerOffset = Utils.readEncodedInt32(reader); - eh.HandlerStart = getInstruction(handlerOffset); - eh.HandlerEnd = getInstructionOrNull(handlerOffset + Utils.readEncodedInt32(reader)); + uint tryOffset = reader.Read7BitEncodedUInt32(); + eh.TryStart = GetInstructionThrow(tryOffset); + eh.TryEnd = GetInstruction(tryOffset + reader.Read7BitEncodedUInt32()); + + uint handlerOffset = reader.Read7BitEncodedUInt32(); + eh.HandlerStart = GetInstructionThrow(handlerOffset); + eh.HandlerEnd = GetInstruction(handlerOffset + reader.Read7BitEncodedUInt32()); switch (eh.HandlerType) { case ExceptionHandlerType.Catch: - eh.CatchType 
= resolve(reader.ReadInt32()); + eh.CatchType = resolve(reader.ReadInt32()); break; case ExceptionHandlerType.Filter: - eh.FilterStart = getInstruction(reader.ReadInt32()); + eh.FilterStart = GetInstructionThrow(reader.ReadUInt32()); break; case ExceptionHandlerType.Finally: diff --git a/de4dot.code/deobfuscators/ILProtector/MethodsDecrypter.cs b/de4dot.code/deobfuscators/ILProtector/MethodsDecrypter.cs index 2e0ee9ec..bc40d6cc 100644 --- a/de4dot.code/deobfuscators/ILProtector/MethodsDecrypter.cs +++ b/de4dot.code/deobfuscators/ILProtector/MethodsDecrypter.cs @@ -19,7 +19,7 @@ using System; using System.Collections.Generic; -using System.IO; +using dot10.IO; using dot10.DotNet; using dot10.DotNet.Emit; using de4dot.blocks; @@ -31,7 +31,7 @@ namespace de4dot.code.deobfuscators.ILProtector { // This is the first four bytes of ILProtector's public key token const uint RESOURCE_MAGIC = 0xC0D31220; - ModuleDefinition module; + ModuleDefMD module; MainType mainType; EmbeddedResource methodsResource; Version ilpVersion; @@ -72,7 +72,7 @@ namespace de4dot.code.deobfuscators.ILProtector { get { return methodsResource != null; } } - public MethodsDecrypter(ModuleDefinition module, MainType mainType) { + public MethodsDecrypter(ModuleDefMD module, MainType mainType) { this.module = module; this.mainType = mainType; } @@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators.ILProtector { var resource = tmp as EmbeddedResource; if (resource == null) continue; - var reader = new BinaryReader(resource.GetResourceStream()); + var reader = resource.Data; if (!checkResourceV100(reader) && !checkResourceV105(reader)) continue; 
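Review bot: In the `ElementType.GenericInst` branch of readType, `genericType.ToTypeSig() as ClassOrValueTypeSig` is passed to `new GenericInstSig(...)` without a null check, so an unresolvable or non-class token from the blob yields a signature with a null generic type and the failure surfaces later when the body is written, while every other bad input in this switch is reported with an `ApplicationException`; make it `var genericSig = genericType.ToTypeSig() as ClassOrValueTypeSig;` / `if (genericSig == null) throw new ApplicationException("Invalid generic type");` / `var git = new GenericInstSig(genericSig);`. The new `ReadInlineSig` has the same shape: both `return null` branches leave a `calli` with a null operand where the old `module.ReadCallSite` path would have surfaced the bad token, so a throw there would be more consistent than the silent null. The `readExceptionHandler` switch continues past the end of this hunk.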
@@ -93,9 +93,9 @@ namespace de4dot.code.deobfuscators.ILProtector { } // 1.0.0 - 1.0.4 - bool checkResourceV100(BinaryReader reader) { - reader.BaseStream.Position = 0; - if (reader.BaseStream.Length < 12) + bool checkResourceV100(IBinaryReader reader) { + reader.Position = 0; + if (reader.Length < 12) return false; if (reader.ReadUInt32() != RESOURCE_MAGIC) return false; @@ -107,9 +107,9 @@ namespace de4dot.code.deobfuscators.ILProtector { } // 1.0.5+ - bool checkResourceV105(BinaryReader reader) { - reader.BaseStream.Position = 0; - if (reader.BaseStream.Length < 0xA4) + bool checkResourceV105(IBinaryReader reader) { + reader.Position = 0; + if (reader.Length < 0xA4) return false; var key = reader.ReadBytes(0x94); if (!Utils.compare(reader.ReadBytes(8), ilpPublicKeyToken)) @@ -132,15 +132,15 @@ namespace de4dot.code.deobfuscators.ILProtector { } byte[] getMethodsData(EmbeddedResource resource) { - var reader = new BinaryReader(resource.GetResourceStream()); - reader.BaseStream.Position = startOffset; + var reader = resource.Data; + reader.Position = startOffset; if ((reader.ReadInt32() & 1) != 0) return decompress(reader); else - return reader.ReadBytes((int)(reader.BaseStream.Length - reader.BaseStream.Position)); + return reader.ReadRemainingBytes(); } - byte[] decompress(BinaryReader reader) { + byte[] decompress(IBinaryReader reader) { return decompress(reader, decryptionKey, decryptionKeyMod); } 
@@ -149,18 +149,18 @@ namespace de4dot.code.deobfuscators.ILProtector { dst[dstIndex++] = src[srcIndex++]; } - static byte[] decompress(BinaryReader reader, byte[] key, int keyMod) { - var decrypted = new byte[Utils.readEncodedInt32(reader)]; + static byte[] decompress(IBinaryReader reader, byte[] key, int keyMod) { + var decrypted = new byte[reader.Read7BitEncodedUInt32()]; int destIndex = 0; - while (reader.BaseStream.Position < reader.BaseStream.Length) { + while (reader.Position < reader.Length) { byte flags = reader.ReadByte(); for (int mask = 1; mask != 0x100; mask <<= 1) { - if (reader.BaseStream.Position >= reader.BaseStream.Length) + if (reader.Position >= reader.Length) break; if ((flags & mask) != 0) { - int displ = Utils.readEncodedInt32(reader); - int size = Utils.readEncodedInt32(reader); + int displ = (int)reader.Read7BitEncodedUInt32(); + int size = (int)reader.Read7BitEncodedUInt32(); copy(decrypted, destIndex - displ, decrypted, destIndex, size); destIndex += size; } 
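Review bot: `new byte[reader.Read7BitEncodedUInt32()]` allocates whatever length the resource declares (up to 4 GiB), and the `displ`/`size` pairs read in the loop are handed to `copy` with no check that `destIndex - displ` is inside `decrypted` or that `destIndex + size` stays within its length, so a truncated or tampered resource ends in an `IndexOutOfRangeException` or `OutOfMemoryException` from deep inside the decompressor rather than a message naming the resource. A guard before the copy, `if (displ <= 0 || displ > destIndex || size < 0 || destIndex + size > decrypted.Length) throw new ApplicationException("Invalid compressed data");`, keeps the rewrite behaviour-identical for well-formed input and makes the failure explicit (whether `displ == 0` is legal in this format is not visible here; adjust the bound accordingly). The `copy` helper's signature is outside this hunk, so the check belongs at the call site shown.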
@@ -177,21 +177,21 @@ namespace de4dot.code.deobfuscators.ILProtector { } static MethodInfo2[] readMethodInfos(byte[] data) { - var reader = new BinaryReader(new MemoryStream(data)); - int numMethods = Utils.readEncodedInt32(reader); - int totalCodeSize = Utils.readEncodedInt32(reader); + var reader = MemoryImageStream.Create(data); + int numMethods = (int)reader.Read7BitEncodedUInt32(); + int totalCodeSize = (int)reader.Read7BitEncodedUInt32(); var methodInfos = new MethodInfo2[numMethods]; int offset = 0; for (int i = 0; i < numMethods; i++) { - int id = Utils.readEncodedInt32(reader); - int size = Utils.readEncodedInt32(reader); + int id = (int)reader.Read7BitEncodedUInt32(); + int size = (int)reader.Read7BitEncodedUInt32(); methodInfos[i] = new MethodInfo2(id, offset, size); offset += size; } - long dataOffset = reader.BaseStream.Position; + long dataOffset = reader.Position; foreach (var info in methodInfos) { - reader.BaseStream.Position = dataOffset + info.offset; - reader.BaseStream.Read(info.data, 0, info.data.Length); + reader.Position = dataOffset + info.offset; + reader.Read(info.data, 0, info.data.Length); } return methodInfos; } @@ -212,7 +212,7 @@ namespace de4dot.code.deobfuscators.ILProtector { Utils.removeNewlines(method.FullName), method.MDToken.ToInt32(), method.Body.Instructions.Count, - method.Body.Variables.Count, + method.Body.LocalList.Count, method.Body.ExceptionHandlers.Count); } } @@ -228,7 +228,7 @@ namespace de4dot.code.deobfuscators.ILProtector { if (methodId == INVALID_METHOD_ID) return false; - var parameters = DotNetUtils.getParameters(method); + var parameters = method.Parameters; var methodInfo = methodInfos[methodId]; methodInfos.Remove(methodId); var methodReader = new MethodReader(module, methodInfo.data, parameters); 
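Review bot: In readMethodInfos `totalCodeSize` is read from the blob and never used, while the `offset`/`size` values from the same blob are applied to `reader.Position` and to `new MethodInfo2(id, offset, size)` unchecked; it is presumably the sum of the sizes, so `if (offset != totalCodeSize) throw new ApplicationException("Invalid method infos");` after the first loop would reject a truncated or tampered resource before any data is read. The result of `reader.Read(info.data, 0, info.data.Length)` is discarded as well; if IBinaryReader.Read reports a short read the way Stream.Read does, the tail of `info.data` silently stays zero and the method is later restored from garbage, so compare the return value with `info.data.Length` (inferred from the Stream-like signature; confirm against dot10). The `(int)` casts of the four 7-bit counts also turn values of 2^31 or more into negatives, which `new MethodInfo2[numMethods]` then reports as an unrelated `OverflowException`.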
@@ -243,7 +243,7 @@ namespace de4dot.code.deobfuscators.ILProtector { static void restoreMethod(MethodDef method, MethodReader methodReader) { // body.MaxStackSize = method.Body.InitLocals = methodReader.InitLocals; - methodReader.restoreMethod(method); + methodReader.RestoreMethod(method); } int getMethodId(MethodDef method) { @@ -257,14 +257,14 @@ namespace de4dot.code.deobfuscators.ILProtector { continue; var ldci4 = instrs[i + 1]; - if (!DotNetUtils.isLdcI4(ldci4)) + if (!ldci4.IsLdcI4()) continue; var field = ldsfld.Operand as FieldDef; if (field == null || field != mainType.InvokerInstanceField) continue; - return DotNetUtils.getLdcI4Value(ldci4); + return ldci4.GetLdcI4Value(); } return INVALID_METHOD_ID; diff --git a/de4dot.cui/Program.cs b/de4dot.cui/Program.cs index 2aff2fb5..d4ffb3d4 100644 --- a/de4dot.cui/Program.cs +++ b/de4dot.cui/Program.cs @@ -50,9 +50,7 @@ namespace de4dot.cui { new de4dot.code.deobfuscators.dotNET_Reactor.v4.DeobfuscatorInfo(), new de4dot.code.deobfuscators.Eazfuscator_NET.DeobfuscatorInfo(), new de4dot.code.deobfuscators.Goliath_NET.DeobfuscatorInfo(), -#if PORT new de4dot.code.deobfuscators.ILProtector.DeobfuscatorInfo(), -#endif new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(), new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(), new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(), diff --git a/dot10 b/dot10 index 4abefc92..2bad4b56 160000 --- a/dot10 +++ b/dot10 @@ -1 +1 @@ -Subproject commit 4abefc928d63ffe8b7d6c5b4646b2205e684c1c4 +Subproject commit 2bad4b5692ecbb412e679bf1c01a4313d32b8856