From 236b1768f4d2aca1324dbfa1551b106d30fb0395 Mon Sep 17 00:00:00 2001 From: xode0 Date: Tue, 16 Feb 2016 23:47:14 +0100 Subject: [PATCH 1/5] Fix for the last .NETReactor. --- de4dot.blocks/cflow/Int32Value.cs | 4 ++-- .../deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/de4dot.blocks/cflow/Int32Value.cs b/de4dot.blocks/cflow/Int32Value.cs index ba03a9a0..a0960114 100644 --- a/de4dot.blocks/cflow/Int32Value.cs +++ b/de4dot.blocks/cflow/Int32Value.cs @@ -333,13 +333,13 @@ namespace de4dot.blocks.cflow { public static Real8Value Conv_R_Un(Int32Value a) { if (a.AllBitsValid()) - return new Real8Value((float)(uint)a.Value); + return new Real8Value((double)(uint)a.Value); return Real8Value.CreateUnknown(); } public static Real8Value Conv_R4(Int32Value a) { if (a.AllBitsValid()) - return new Real8Value((float)(int)a.Value); + return new Real8Value((double)(int)a.Value); return Real8Value.CreateUnknown(); } diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs index 6fc7cee1..0256a903 100644 --- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs +++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs @@ -202,6 +202,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { "System.Byte[]", "System.IO.BinaryReader", "System.IO.MemoryStream", + "System.Reflection.Assembly", "System.Security.Cryptography.CryptoStream", "System.Security.Cryptography.ICryptoTransform", }; From f6a107c9bf41fca2a4c2c829181705a4d0a52161 Mon Sep 17 00:00:00 2001 From: XODE0 Date: Sat, 19 Mar 2016 16:16:22 +0100 Subject: [PATCH 2/5] Support dotNETReactor v5.0.0.0 --- .../dotNET_Reactor/v4/EncryptedResource.cs | 60 +++++++++++++++++-- 1 file changed, 54 insertions(+), 6 deletions(-) diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs index 0256a903..d6acf7cd 100644 --- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs +++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs @@ -271,13 +271,13 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { key[i] ^= iv[i]; var origInstrs = method.Body.Instructions; - - int emuStartIndex; - if (!FindStart(origInstrs, out emuStartIndex, out emuLocal)) - return false; int emuEndIndex; - if (!FindEnd(origInstrs, emuStartIndex, out emuEndIndex)) - return false; + int emuStartIndex; + + if (!Find(origInstrs, out emuStartIndex, out emuEndIndex, out emuLocal)) { + if (!FindStartEnd(origInstrs, out emuStartIndex, out emuEndIndex, out emuLocal)) + return false; + } int count = emuEndIndex - emuStartIndex + 1; instructions = new List(count); @@ -287,6 +287,54 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { return true; } + bool Find(IList instrs, out int startIndex, out int endIndex, out Local tmpLocal) { + int emuStartIndex; + startIndex = 0; + endIndex = 0; + tmpLocal = null; + + if (!FindStart(instrs, out emuStartIndex, out emuLocal)) + return false; + int emuEndIndex; + if (!FindEnd(instrs, emuStartIndex, out emuEndIndex)) + return false; + startIndex = emuStartIndex; + endIndex = emuEndIndex; + tmpLocal = emuLocal; + return true; + } + + bool FindStartEnd(IList instrs, out int startIndex, out int endIndex, out Local tmpLocal) { + for (int i = 0; i + 8 < instrs.Count; i++) { + if (instrs[i].OpCode.Code != Code.Conv_R_Un) + continue; + if (instrs[i + 1].OpCode.Code != Code.Conv_R8) + continue; + if (instrs[i + 2].OpCode.Code != Code.Conv_U4) + continue; + if (instrs[i + 3].OpCode.Code != Code.Add) + continue; + int newEndIndex = i + 3; + int newStartIndex = 0; + for (int x = newEndIndex; x > 0; x--) + if (instrs[x].OpCode.FlowControl != FlowControl.Next) { + newStartIndex = x + 1; + break; + } + if (newStartIndex < 0) + continue; + + endIndex = newEndIndex; + startIndex = newStartIndex; + tmpLocal = CheckLocal(instrs[startIndex], true); + return true; + } + endIndex = 0; + startIndex = 0; + tmpLocal = null; + return false; + } + bool FindStart(IList instrs, out int startIndex, out Local tmpLocal) { for (int i = 0; i + 8 < instrs.Count; i++) { if (instrs[i].OpCode.Code != Code.Conv_U) From 38cfc6507ad1cb83d74b6043950f98795a2e1596 Mon Sep 17 00:00:00 2001 From: XODE0 Date: Sat, 19 Mar 2016 16:26:05 +0100 Subject: [PATCH 3/5] Update EncryptedResource.cs --- .../deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs index d6acf7cd..14d8dcf4 100644 --- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs +++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs @@ -315,7 +315,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { if (instrs[i + 3].OpCode.Code != Code.Add) continue; int newEndIndex = i + 3; - int newStartIndex = 0; + int newStartIndex = -1; for (int x = newEndIndex; x > 0; x--) if (instrs[x].OpCode.FlowControl != FlowControl.Next) { newStartIndex = x + 1; From bbe3d325fbde034e2c6fe43f34710aacc73a38af Mon Sep 17 00:00:00 2001 From: XODE0 Date: Sat, 19 Mar 2016 18:25:48 +0100 Subject: [PATCH 4/5] Fix for old .NETReactor versions. --- .../deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs index 14d8dcf4..32d14b9a 100644 --- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs +++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs @@ -202,13 +202,16 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { "System.Byte[]", "System.IO.BinaryReader", "System.IO.MemoryStream", - "System.Reflection.Assembly", "System.Security.Cryptography.CryptoStream", "System.Security.Cryptography.ICryptoTransform", }; requiredTypes.AddRange(additionalTypes); if (!localTypes.All(requiredTypes)) return false; + + if (DotNetUtils.GetMethod(method.DeclaringType, "System.Security.Cryptography.SymmetricAlgorithm", "()") != null) + return false; + if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") && !localTypes.Exists("System.Security.Cryptography.AesManaged") && !localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm")) From be964e163709e21b9b20b1fddee435a3acdff914 Mon Sep 17 00:00:00 2001 From: XODE0 Date: Sat, 19 Mar 2016 20:13:02 +0100 Subject: [PATCH 5/5] Fix for .NETReactor versions(4.7+). --- .../deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs index 32d14b9a..b2ea398f 100644 --- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs +++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs @@ -210,7 +210,8 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { return false; if (DotNetUtils.GetMethod(method.DeclaringType, "System.Security.Cryptography.SymmetricAlgorithm", "()") != null) - return false; + if (localTypes.Exists("System.UInt64")) + return false; if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") && !localTypes.Exists("System.Security.Cryptography.AesManaged") &&