diff --git a/blocks/cflow/MethodCallInliner.cs b/blocks/cflow/MethodCallInliner.cs index 023c06d0..5b27c5ee 100644 --- a/blocks/cflow/MethodCallInliner.cs +++ b/blocks/cflow/MethodCallInliner.cs @@ -41,6 +41,8 @@ namespace de4dot.blocks.cflow { } protected virtual bool canInline(MethodDefinition method) { + if (method.GenericParameters.Count > 0) + return false; if (MemberReferenceHelper.compareMethodReferenceAndDeclaringType(method, blocks.Method)) return false; if (!MemberReferenceHelper.compareTypes(method.DeclaringType, blocks.Method.DeclaringType)) diff --git a/cecil b/cecil index e7184059..a9c9bd7f 160000 --- a/cecil +++ b/cecil @@ -1 +1 @@ -Subproject commit e71840599636807d69b0b39e164ab7292b10fe23 +Subproject commit a9c9bd7f0cb8271c287e83d8a70678770ca0d078 diff --git a/de4dot.code/AssemblyModule.cs b/de4dot.code/AssemblyModule.cs index 6bc7856e..457f5aa7 100644 --- a/de4dot.code/AssemblyModule.cs +++ b/de4dot.code/AssemblyModule.cs @@ -62,7 +62,7 @@ namespace de4dot.code { module.Write(newFilename, writerParams); } - public ModuleDefinition reload(byte[] newModuleData, Dictionary dumpedMethods) { + public ModuleDefinition reload(byte[] newModuleData, DumpedMethods dumpedMethods) { AssemblyResolver.Instance.removeModule(module); DotNetUtils.typeCaches.invalidate(module); return setModule(ModuleDefinition.ReadModule(new MemoryStream(newModuleData), getReaderParameters(), dumpedMethods)); diff --git a/de4dot.code/ObfuscatedFile.cs b/de4dot.code/ObfuscatedFile.cs index 4212c792..3330636e 100644 --- a/de4dot.code/ObfuscatedFile.cs +++ b/de4dot.code/ObfuscatedFile.cs @@ -363,7 +363,7 @@ namespace de4dot.code { initAssemblyClient(); byte[] fileData = null; - Dictionary dumpedMethods = null; + DumpedMethods dumpedMethods = null; if (deob.getDecryptedModule(ref fileData, ref dumpedMethods)) reloadModule(fileData, dumpedMethods); @@ -372,7 +372,7 @@ namespace de4dot.code { deob.deobfuscateEnd(); } - void reloadModule(byte[] newModuleData, Dictionary dumpedMethods) { + void reloadModule(byte[] newModuleData, DumpedMethods dumpedMethods) { Log.v("Reloading decrypted assembly (original filename: {0})", Filename); simpleDeobfuscatorFlags.Clear(); module = assemblyModule.reload(newModuleData, dumpedMethods); @@ -407,12 +407,10 @@ namespace de4dot.code { } IEnumerable getMethodTokens() { - var tokens = new List(); + if (!userStringDecrypterMethods) + return deob.getStringDecrypterMethods(); - if (!userStringDecrypterMethods) { - options.StringDecrypterMethods.Clear(); - options.StringDecrypterMethods.AddRange(deob.getStringDecrypterMethods()); - } + var tokens = new List(); foreach (var val in options.StringDecrypterMethods) { var tokenStr = val.Trim(); @@ -542,6 +540,7 @@ namespace de4dot.code { Log.v("Deobfuscating {0} ({1:X8})", Utils.removeNewlines(method), method.MetadataToken.ToUInt32()); Log.indent(); + int oldIndentLevel = Log.indentLevel; try { deobfuscate(method, cflowDeobfuscator, methodPrinter); } @@ -553,6 +552,9 @@ namespace de4dot.code { method.MetadataToken.ToInt32(), ex.GetType()); } + finally { + Log.indentLevel = oldIndentLevel; + } removeNoInliningAttribute(method); Log.deIndent(); diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj index 46dad4c5..02258206 100644 --- a/de4dot.code/de4dot.code.csproj +++ b/de4dot.code/de4dot.code.csproj @@ -139,6 +139,7 @@ + diff --git a/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs index e8bb9ed0..36472ad6 100644 --- a/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs @@ -259,10 +259,10 @@ namespace de4dot.code.deobfuscators.Babel_NET { base.deobfuscateEnd(); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); if (stringDecrypter.DecryptMethod != null) - list.Add(stringDecrypter.DecryptMethod.MetadataToken.ToInt32().ToString("X8")); + list.Add(stringDecrypter.DecryptMethod.MetadataToken.ToInt32()); return list; } } diff --git a/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs b/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs index 018cce9a..ba1113c1 100644 --- a/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs @@ -135,7 +135,7 @@ namespace de4dot.code.deobfuscators.CliSecure { } } - public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary dumpedMethods) { + public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) { if (!options.DecryptMethods) return false; @@ -225,10 +225,10 @@ namespace de4dot.code.deobfuscators.CliSecure { base.deobfuscateEnd(); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); if (stringDecrypter.Method != null) - list.Add(stringDecrypter.Method.MetadataToken.ToInt32().ToString("X8")); + list.Add(stringDecrypter.Method.MetadataToken.ToInt32()); return list; } diff --git a/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs index 5eee8586..0cf3974f 100644 --- a/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs +++ b/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs @@ -155,7 +155,7 @@ namespace de4dot.code.deobfuscators.CliSecure { } } - public bool decrypt(PeImage peImage, ref Dictionary dumpedMethods) { + public bool decrypt(PeImage peImage, ref DumpedMethods dumpedMethods) { this.peImage = peImage; uint offset = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size); @@ -179,7 +179,7 @@ namespace de4dot.code.deobfuscators.CliSecure { peImage.writeUint32(rva + 8, methodInfo.localVarSigTok); } - dumpedMethods = new Dictionary(); + dumpedMethods = new DumpedMethods(); offset = methodDefTable.fileOffset; for (int i = 0; i < methodInfos.Count; i++, offset += methodDefTable.totalSize) { var methodInfo = methodInfos[i]; @@ -211,7 +211,7 @@ namespace de4dot.code.deobfuscators.CliSecure { dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8); } - dumpedMethods[dm.token] = dm; + dumpedMethods.add(dm); } return true; diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs index e331fd83..4dd868aa 100644 --- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs @@ -151,7 +151,7 @@ namespace de4dot.code.deobfuscators.CodeVeil { } } - public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary dumpedMethods) { + public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) { if (!methodsDecrypter.Detected) return false; @@ -266,8 +266,6 @@ namespace de4dot.code.deobfuscators.CodeVeil { } } - removeTypesWithInvalidBaseTypes(); - removeProxyDelegates(proxyDelegateFinder, canRemoveProxyTypes); if (canRemoveProxyTypes) { addTypeToBeRemoved(proxyDelegateFinder.IlGeneratorType, "Obfuscator proxy method ILGenerator type"); @@ -280,10 +278,10 @@ namespace de4dot.code.deobfuscators.CodeVeil { base.deobfuscateEnd(); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); if (stringDecrypter.DecryptMethod != null) - list.Add(stringDecrypter.DecryptMethod.MetadataToken.ToInt32().ToString("X8")); + list.Add(stringDecrypter.DecryptMethod.MetadataToken.ToInt32()); return list; } } diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs index c1249b54..a8ffccfb 100644 --- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs +++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs @@ -160,7 +160,7 @@ namespace de4dot.code.deobfuscators.CodeVeil { } } - public bool decrypt(byte[] fileData, ref Dictionary dumpedMethods) { + public bool decrypt(byte[] fileData, ref DumpedMethods dumpedMethods) { if (decrypter == null) return false; @@ -181,8 +181,8 @@ namespace de4dot.code.deobfuscators.CodeVeil { return true; } - Dictionary createDumpedMethods(PeImage peImage, byte[] fileData, byte[] methodsData) { - var dumpedMethods = new Dictionary(); + DumpedMethods createDumpedMethods(PeImage peImage, byte[] fileData, byte[] methodsData) { + var dumpedMethods = new DumpedMethods(); var methodsDataReader = new BinaryReader(new MemoryStream(methodsData)); var fileDataReader = new BinaryReader(new MemoryStream(fileData)); @@ -229,7 +229,7 @@ namespace de4dot.code.deobfuscators.CodeVeil { if (!decrypter.decrypt(fileDataReader, dm)) continue; - dumpedMethods[dm.token] = dm; + dumpedMethods.add(dm); } return dumpedMethods; diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs index 43c0922c..0238c936 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs @@ -231,10 +231,10 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { addResourceToBeRemoved(resource, reason); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); if (stringDecrypter.Method != null) - list.Add(stringDecrypter.Method.MetadataToken.ToInt32().ToString("X8")); + list.Add(stringDecrypter.Method.MetadataToken.ToInt32()); return list; } } diff --git a/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs b/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs index 3d495b03..98af2ec1 100644 --- a/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs @@ -253,10 +253,10 @@ done: removeInlinedMethods(DsInlinedMethodsFinder.find(module)); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); foreach (var method in stringDecrypter.DecrypterMethods) - list.Add(method.MetadataToken.ToInt32().ToString("X8")); + list.Add(method.MetadataToken.ToInt32()); return list; } } diff --git a/de4dot.code/deobfuscators/DeepSea/MethodCallInliner.cs b/de4dot.code/deobfuscators/DeepSea/MethodCallInliner.cs index e10bfc3d..2590f2f9 100644 --- a/de4dot.code/deobfuscators/DeepSea/MethodCallInliner.cs +++ b/de4dot.code/deobfuscators/DeepSea/MethodCallInliner.cs @@ -166,6 +166,8 @@ checkInline: public static bool canInline(MethodDefinition method) { if (method == null || method.Body == null) return false; + if (method.GenericParameters.Count > 0) + return false; if (method.Body.ExceptionHandlers.Count > 0) return false; var parameters = method.Parameters; diff --git a/de4dot.code/deobfuscators/DeobfuscatorBase.cs b/de4dot.code/deobfuscators/DeobfuscatorBase.cs index 1c1a8b1d..d7909d58 100644 --- a/de4dot.code/deobfuscators/DeobfuscatorBase.cs +++ b/de4dot.code/deobfuscators/DeobfuscatorBase.cs @@ -137,7 +137,7 @@ namespace de4dot.code.deobfuscators { protected abstract void scanForObfuscator(); protected abstract int detectInternal(); - public virtual bool getDecryptedModule(ref byte[] newFileData, ref Dictionary dumpedMethods) { + public virtual bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) { return false; } @@ -166,6 +166,8 @@ namespace de4dot.code.deobfuscators { public virtual void deobfuscateEnd() { if (!Operations.KeepObfuscatorTypes && !KeepTypes) { + removeTypesWithInvalidBaseTypes(); + deleteEmptyCctors(); deleteMethods(); deleteFields(); @@ -200,7 +202,7 @@ namespace de4dot.code.deobfuscators { } } - protected void removeTypesWithInvalidBaseTypes() { + void removeTypesWithInvalidBaseTypes() { var moduleType = DotNetUtils.getModuleType(module); foreach (var type in module.GetTypes()) { if (!isTypeWithInvalidBaseType(moduleType, type)) @@ -209,10 +211,21 @@ namespace de4dot.code.deobfuscators { } } - public virtual IEnumerable getStringDecrypterMethods() { - return new List(); + protected void fixEnumTypes() { + foreach (var type in module.GetTypes()) { + if (!type.IsEnum) + continue; + foreach (var field in type.Fields) { + if (field.IsStatic) + continue; + field.IsRuntimeSpecialName = true; + field.IsSpecialName = true; + } + } } + public abstract IEnumerable getStringDecrypterMethods(); + class MethodCallRemover { Dictionary> methodNameInfos = new Dictionary>(); MethodDefinitionAndDeclaringTypeDict> methodRefInfos = new MethodDefinitionAndDeclaringTypeDict>(); diff --git a/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs index 25813070..4e332fb6 100644 --- a/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs @@ -126,10 +126,10 @@ namespace de4dot.code.deobfuscators.Dotfuscator { base.deobfuscateEnd(); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); foreach (var method in stringDecrypter.StringDecrypters) - list.Add(method.MetadataToken.ToInt32().ToString("X8")); + list.Add(method.MetadataToken.ToInt32()); return list; } } diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs index 8d742ad9..5a0f6f82 100644 --- a/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs @@ -48,11 +48,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { class Deobfuscator : DeobfuscatorBase { Options options; - TypeDefinition decryptStringType; - MethodDefinition decryptStringMethod; string obfuscatorName = DeobfuscatorInfo.THE_NAME; bool detectedVersion = false; + StringDecrypter stringDecrypter; + internal class Options : OptionsBase { } @@ -71,13 +71,12 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { public Deobfuscator(Options options) : base(options) { this.options = options; - DefaultDecrypterType = DecrypterType.Emulate; } protected override int detectInternal() { int val = 0; - if (decryptStringMethod != null) + if (stringDecrypter.Detected) val += 100; if (detectedVersion) val += 10; @@ -86,36 +85,12 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { } protected override void scanForObfuscator() { - findStringDecrypterMethod(); - if (decryptStringType != null) + stringDecrypter = new StringDecrypter(module); + stringDecrypter.find(DeobfuscatedFile); + if (stringDecrypter.Detected) detectVersion(); } - void findStringDecrypterMethod() { - foreach (var type in module.Types) { - if (DotNetUtils.findFieldType(type, "System.IO.BinaryReader", true) == null) - continue; - if (DotNetUtils.findFieldType(type, "System.Collections.Generic.Dictionary`2", true) == null) - continue; - - foreach (var method in type.Methods) { - if (method.IsStatic && method.HasBody && method.MethodReturnType.ReturnType.FullName == "System.String" && - method.Parameters.Count == 1 && method.Parameters[0].ParameterType.FullName == "System.Int32") { - foreach (var instr in method.Body.Instructions) { - if (instr.OpCode != OpCodes.Callvirt) - continue; - var calledMethod = instr.Operand as MethodReference; - if (calledMethod != null && calledMethod.FullName == "System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String)") { - decryptStringType = type; - decryptStringMethod = method; - return; - } - } - } - } - } - } - void detectVersion() { var name = detectVersion2(); if (name == null) @@ -126,6 +101,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { } string detectVersion2() { + var decryptStringType = stringDecrypter.Type; + var decryptStringMethod = stringDecrypter.Method; + if (decryptStringType == null || decryptStringMethod == null) + return null; + var otherMethods = new List(); MethodDefinition cctor = null; foreach (var method in decryptStringType.Methods) { @@ -139,6 +119,8 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { if (cctor == null) return null; + bool hasConstantM2 = DeobUtils.hasInteger(decryptStringMethod, -2); + ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// @@ -160,6 +142,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { "System.String", }; if (otherMethods.Count == 0 && + !hasConstantM2 && !decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && decryptStringMethod.IsSynchronized && @@ -194,6 +177,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { "System.String", }; if (otherMethods.Count == 0 && + !hasConstantM2 && !decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && decryptStringMethod.IsSynchronized && @@ -228,6 +212,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { "System.String", }; if (otherMethods.Count == 0 && + !hasConstantM2 && !decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && decryptStringMethod.IsSynchronized && @@ -263,6 +248,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { "System.String", }; if (otherMethods.Count == 0 && + !hasConstantM2 && !decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && decryptStringMethod.IsSynchronized && @@ -299,6 +285,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { "System.String", }; if (otherMethods.Count == 0 && + !hasConstantM2 && !decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && !decryptStringMethod.IsSynchronized && @@ -335,6 +322,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { "System.String", }; if (otherMethods.Count == 0 && + !hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && !decryptStringMethod.IsSynchronized && @@ -372,6 +360,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { "System.String", }; if (otherMethods.Count == 0 && + !hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && @@ -413,6 +402,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { "System.Type", }; if (otherMethods.Count == 0 && + !hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && @@ -461,6 +451,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { otherMethods[0].IsPrivate && otherMethods[0].IsStatic && new LocalTypes(otherMethods[0]).exactly(olocals30) && + !hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && @@ -469,7 +460,56 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { decryptStringMethod.Body.ExceptionHandlers.Count == 2 && new LocalTypes(decryptStringMethod).exactly(locals30) && checkTypeFields(fields30)) { - return "3.0 - 3.1"; + return "3.0"; + } + + ///////////////////////////////////////////////////////////////// + ///////////////////////////////////////////////////////////////// + ///////////////////////////////////////////////////////////////// + + var fields31 = new string[] { + "System.Collections.Generic.Dictionary`2", + "System.IO.BinaryReader", + "System.Byte[]", + "System.Int16", + "System.Int32", + "System.Byte[]", + }; + var locals31 = new string[] { + "System.Boolean", + "System.Byte", + "System.Byte[]", + "System.Char[]", + "System.Collections.Generic.Dictionary`2", + "System.Diagnostics.StackFrame", + "System.Diagnostics.StackTrace", + "System.Int16", + "System.Int32", + "System.IO.Stream", + "System.Reflection.Assembly", + "System.Reflection.AssemblyName", + "System.Reflection.MethodBase", + "System.String", + "System.Type", + }; + var olocals31 = new string[] { + "System.Int32", + }; + if (otherMethods.Count == 1 && + DotNetUtils.isMethod(otherMethods[0], "System.Int32", "(System.Byte[],System.Int32,System.Byte[])") && + otherMethods[0].IsPrivate && + otherMethods[0].IsStatic && + new LocalTypes(otherMethods[0]).exactly(olocals31) && + hasConstantM2 && + decryptStringMethod.NoInlining && + decryptStringMethod.IsAssembly && + !decryptStringMethod.IsSynchronized && + decryptStringMethod.Body.MaxStackSize >= 1 && + decryptStringMethod.Body.MaxStackSize <= 8 && + decryptStringMethod.Body.ExceptionHandlers.Count == 2 && + new LocalTypes(decryptStringMethod).exactly(locals31) && + checkTypeFields(fields31)) { + return "3.1"; } ///////////////////////////////////////////////////////////////// @@ -511,6 +551,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { otherMethods[0].IsPrivate && otherMethods[0].IsStatic && new LocalTypes(otherMethods[0]).exactly(olocals32) && + hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && @@ -526,29 +567,37 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { } bool checkTypeFields(string[] fieldTypes) { - if (fieldTypes.Length != decryptStringType.Fields.Count) + if (fieldTypes.Length != stringDecrypter.Type.Fields.Count) return false; for (int i = 0; i < fieldTypes.Length; i++) { - if (fieldTypes[i] != decryptStringType.Fields[i].FieldType.FullName) + if (fieldTypes[i] != stringDecrypter.Type.Fields[i].FieldType.FullName) return false; } return true; } + public override void deobfuscateBegin() { + base.deobfuscateBegin(); + + staticStringInliner.add(stringDecrypter.Method, (method2, args) => { + return stringDecrypter.decrypt((int)args[0]); + }); + DeobfuscatedFile.stringDecryptersAdded(); + } + public override void deobfuscateEnd() { - if (Operations.DecryptStrings == OpDecryptString.Dynamic && CanRemoveStringDecrypterType) { - addTypeToBeRemoved(decryptStringType, "String decrypter type"); - findPossibleNamesToRemove(decryptStringMethod); - addResources("Encrypted strings"); + if (CanRemoveStringDecrypterType) { + addTypesToBeRemoved(stringDecrypter.Types, "String decrypter type"); + addResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings"); } base.deobfuscateEnd(); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); - if (decryptStringMethod != null) - list.Add(decryptStringMethod.MetadataToken.ToInt32().ToString("X8")); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); + if (stringDecrypter.Method != null) + list.Add(stringDecrypter.Method.MetadataToken.ToInt32()); return list; } } diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs new file mode 100644 index 00000000..cd3d32ce --- /dev/null +++ b/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs @@ -0,0 +1,813 @@ +/* + Copyright (C) 2011-2012 de4dot@gmail.com + + This file is part of de4dot. + + de4dot is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + de4dot is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with de4dot. If not, see . +*/ + +using System.Collections.Generic; +using System.IO; +using System.Text; +using Mono.Cecil; +using Mono.Cecil.Cil; +using de4dot.blocks; + +namespace de4dot.code.deobfuscators.Eazfuscator_NET { + class StringDecrypter { + ModuleDefinition module; + TypeDefinition decryptType; + MethodDefinition decryptMethod; + TypeDefinition dataDecrypterType; + MethodDefinition int64Method; + short s1, s2, s3; + int i1, i2, i3, i4, i5, i6, i7; + ulong l1; + int m1_i1, m2_i1, m2_i2, m3_i1; + int token1, token2, token3, token4, token5, token6; + bool checkMinus2; + bool usePublicKeyToken; + int keyLen; + byte[] theKey; + int magic1; + EmbeddedResource encryptedResource; + BinaryReader reader; + + public TypeDefinition Type { + get { return decryptType; } + } + + public EmbeddedResource Resource { + get { return encryptedResource; } + } + + public IEnumerable Types { + get { + var list = new List(); + list.Add(decryptType); + list.Add(dataDecrypterType); + if (int64Method != null) + list.Add(int64Method.DeclaringType); + return list; + } + } + + public MethodDefinition Method { + get { return decryptMethod; } + } + + public bool Detected { + get { return decryptType != null; } + } + + public StringDecrypter(ModuleDefinition module) { + this.module = module; + } + + public void find(ISimpleDeobfuscator simpleDeobfuscator) { + foreach (var type in module.Types) { + if (DotNetUtils.findFieldType(type, "System.IO.BinaryReader", true) == null) + continue; + if (DotNetUtils.findFieldType(type, "System.Collections.Generic.Dictionary`2", true) == null) + continue; + + foreach (var method in type.Methods) { + if (!checkDecrypterMethod(method)) + continue; + + decryptType = type; + decryptMethod = method; + if (!findConstants(simpleDeobfuscator)) + Log.w("Can't decrypt strings. Possibly a new Eazfuscator.NET version."); + return; + } + } + } + + static bool checkDecrypterMethod(MethodDefinition method) { + if (method == null || !method.IsStatic || method.Body == null) + return false; + if (!DotNetUtils.isMethod(method, "System.String", "(System.Int32)")) + return false; + + foreach (var instr in method.Body.Instructions) { + if (instr.OpCode != OpCodes.Callvirt) + continue; + var calledMethod = instr.Operand as MethodReference; + if (calledMethod != null && calledMethod.FullName == "System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String)") + return true; + } + return false; + } + + public bool findConstants(ISimpleDeobfuscator simpleDeobfuscator) { + if (!findResource(decryptMethod)) + return false; + + simpleDeobfuscator.deobfuscate(decryptMethod); + + checkMinus2 = DeobUtils.hasInteger(decryptMethod, -2); + usePublicKeyToken = callsGetPublicKeyToken(decryptMethod); + + int64Method = findInt64Method(decryptMethod); + + if (!findShorts(decryptMethod)) + return false; + if (!findInt3(decryptMethod)) + return false; + if (!findInt4(decryptMethod)) + return false; + if (checkMinus2 && !findInt7(decryptMethod)) + return false; + dataDecrypterType = findDataDecrypterType(decryptMethod); + if (dataDecrypterType == null) + return false; + + if (int64Method != null) { + if (!findInts(decryptMethod)) + return false; + if (!findInt64(int64Method)) + return false; + if (!findInt5()) + return false; + if (!findInt6()) + return false; + if (!findMethodInts()) + return false; + token1 = getToken(-1509110933); + token2 = getToken(-82806859); + token3 = getToken(1294352278); + token4 = getToken(402344241); + token5 = getToken(-56237163); + token6 = getToken(1106695601); + if (token1 == 0 || token2 == 0 || token3 == 0) + return false; + if (token4 == 0 || token5 == 0 || token6 == 0) + return false; + } + + initialize(); + + return true; + } + + void initialize() { + reader = new BinaryReader(encryptedResource.GetResourceStream()); + short len = (short)(reader.ReadInt16() ^ s1); + if (len != 0) + theKey = reader.ReadBytes(len); + else + keyLen = reader.ReadInt16() ^ s2; + + if (int64Method != null) + magic1 = (int)getMagic() ^ i1 ^ i2; + } + + public string decrypt(int val) { + while (true) { + int offset = magic1 ^ i3 ^ val; + reader.BaseStream.Position = offset; + byte[] tmpKey; + if (theKey == null) { + tmpKey = reader.ReadBytes(keyLen == -1 ? (short)(reader.ReadInt16() ^ s3 ^ offset) : keyLen); + if (int64Method != null) { + for (int i = 0; i < tmpKey.Length; i++) + tmpKey[i] ^= (byte)(magic1 >> ((i & 3) << 3)); + } + } + else + tmpKey = theKey; + + int flags = i4 ^ magic1 ^ offset ^ reader.ReadInt32(); + if (checkMinus2 && flags == -2) { + var ary2 = reader.ReadBytes(4); + val = -(magic1 ^ i7) ^ (ary2[2] | (ary2[0] << 8) | (ary2[3] << 16) | (ary2[1] << 24)); + continue; + } + + var bytes = reader.ReadBytes(flags & 0x1FFFFFFF); + decrypt1(bytes, tmpKey); + var pkt = module.Assembly.Name.PublicKeyToken; + if (usePublicKeyToken && pkt != null && pkt.Length != 0) { + for (int i = 0; i < bytes.Length; i++) + bytes[i] ^= (byte)((pkt[i & 7] >> 5) + (pkt[i & 7] << 3)); + } + + if ((flags & 0x40000000) != 0) + bytes = rld(bytes); + if ((flags & 0x80000000) != 0) { + var sb = new StringBuilder(bytes.Length); + foreach (var b in bytes) + sb.Append((char)b); + return sb.ToString(); + } + else + return Encoding.Unicode.GetString(bytes); + } + } + + static byte[] rld(byte[] src) { + var dst = new byte[src[2] + (src[3] << 8) + (src[0] << 16) + (src[1] << 24)]; + int srcIndex = 4; + int dstIndex = 0; + int flags = 0; + int bit = 128; + while (dstIndex < dst.Length) { + bit <<= 1; + if (bit == 256) { + bit = 1; + flags = src[srcIndex++]; + } + + if ((flags & bit) == 0) { + dst[dstIndex++] = src[srcIndex++]; + continue; + } + + int numBytes = (src[srcIndex] >> 2) + 3; + int copyIndex = dstIndex - ((src[srcIndex + 1] + (src[srcIndex] << 8)) & 0x3FF); + if (copyIndex < 0) + break; + while (dstIndex < dst.Length && numBytes-- > 0) + dst[dstIndex++] = dst[copyIndex++]; + srcIndex += 2; + } + + return dst; + } + + static void decrypt1(byte[] dest, byte[] key) { + byte b = (byte)((key[1] + 7) ^ (dest.Length + 11)); + uint lcg = (uint)((key[0] | key[2] << 8) + (b << 3)); + b += 3; + ushort xn = 0; + for (int i = 0; i < dest.Length; i++) { + if ((i & 1) == 0) { + lcg = lcgNext(lcg); + xn = (ushort)(lcg >> 16); + } + byte tmp = dest[i]; + dest[i] ^= (byte)(key[1] ^ (byte)xn ^ b); + b = (byte)(tmp + 3); + xn >>= 8; + } + } + + static uint lcgNext(uint lcg) { + return lcg * 214013 + 2531011; + } + + uint getMagic() { + var bytes = new List(); + if (module.Assembly != null) { + if (module.Assembly.Name.PublicKeyToken != null) + bytes.AddRange(module.Assembly.Name.PublicKeyToken); + bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.Name)); + } + int cm1 = constMethod1(); + int token = int64Method.DeclaringType.MetadataToken.ToInt32(); + bytes.Add((byte)(token >> 24)); + bytes.Add((byte)(cm1 >> 16)); + bytes.Add((byte)(token >> 8)); + bytes.Add((byte)cm1); + bytes.Add((byte)(token >> 16)); + bytes.Add((byte)(cm1 >> 8)); + bytes.Add((byte)token); + bytes.Add((byte)(cm1 >> 24)); + + ulong magic = 0; + foreach (var b in bytes) { + magic += b; + magic += magic << 20; + magic ^= magic >> 12; + } + magic += magic << 6; + magic ^= magic >> 22; + magic += magic << 30; + return (uint)magic ^ (uint)l1; + } + + bool findResource(MethodDefinition method) { + encryptedResource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource; + return encryptedResource != null; + } + + int getToken(int constant) { + var method = findNestedTypeMethod(constant); + if (method == null) + return 0; + return method.DeclaringType.MetadataToken.ToInt32(); + } + + bool findInt5() { + var consts = getConstants(findNestedTypeMethod(1294352278)); + if (consts.Count != 2) + return false; + i5 = consts[1]; + return true; + } + + bool findInt6() { + var consts = getConstants(findNestedTypeMethod(1106695601)); + if (consts.Count != 1) + return false; + i6 = consts[0]; + return true; + } + + bool findMethodInts() { + foreach (var type in int64Method.DeclaringType.NestedTypes) { + var methods = getBinaryIntMethods(type); + if (methods.Count < 3) + continue; + if (!findMethod1Int(methods)) + continue; + if (!findMethod2Int(methods)) + continue; + if (!findMethod3Int(methods)) + continue; + + return true; + } + return false; + } + + static List getBinaryIntMethods(TypeDefinition type) { + var list = new List(); + foreach (var method in type.Methods) { + if (!method.IsStatic || method.Body == null) + continue; + if (!DotNetUtils.isMethod(method, "System.Int32", "(System.Int32,System.Int32)")) + continue; + + list.Add(method); + } + return list; + } + + bool findMethod1Int(IEnumerable methods) { + foreach (var method in methods) { + if (countInstructions(method, Code.Ldarg_0) != 1) + continue; + var constants = getConstants(method); + if (constants.Count != 1) + continue; + + m1_i1 = constants[0]; + return true; + } + return false; + } + + bool findMethod2Int(IEnumerable methods) { + foreach (var method in methods) { + var constants = getConstants(method); + if (constants.Count != 2) + continue; + + m2_i1 = constants[0]; + m2_i2 = constants[1]; + return true; + } + return false; + } + + bool findMethod3Int(IEnumerable methods) { + foreach (var method in methods) { + if (countInstructions(method, Code.Ldarg_0) != 2) + continue; + var constants = getConstants(method); + if (constants.Count != 1) + continue; + + m3_i1 = constants[0]; + return true; + } + return false; + } + + static int countInstructions(MethodDefinition method, Code code) { + int count = 0; + foreach (var instr in method.Body.Instructions) { + if (instr.OpCode.Code == code) + count++; + } + return count; + } + + static List getConstants(MethodDefinition method) { + var list = new List(); + + if (method == null) + return list; + + int index = 0; + var instrs = method.Body.Instructions; + while (true) { + int val; + if (!getNextInt32(method, ref index, out val)) + break; + + if (index + 1 < instrs.Count && instrs[index].OpCode.Code != Code.Ret) + list.Add(val); + } + + return list; + } + + MethodDefinition findNestedTypeMethod(int constant) { + foreach (var type in int64Method.DeclaringType.NestedTypes) { + foreach (var method in type.Methods) { + if (!method.IsStatic || method.Body == null) + continue; + + var instrs = method.Body.Instructions; + for (int i = 0; i < instrs.Count - 1; i++) { + var ldci4 = instrs[i]; + if (!DotNetUtils.isLdcI4(ldci4)) + continue; + if (DotNetUtils.getLdcI4Value(ldci4) != constant) + continue; + if (instrs[i + 1].OpCode.Code != Code.Ret) + continue; + + return method; + } + } + } + return null; + } + + bool findInt64(MethodDefinition method) { + var instrs = method.Body.Instructions; + for (int i = 0; i < instrs.Count - 1; i++) { + var ldci8 = instrs[i]; + if (ldci8.OpCode.Code != Code.Ldc_I8) + continue; + + if (instrs[i + 1].OpCode.Code != Code.Xor) + continue; + + l1 = (ulong)(long)ldci8.Operand; + return true; + } + return false; + } + + static MethodDefinition findInt64Method(MethodDefinition method) { + foreach (var instr in method.Body.Instructions) { + if (instr.OpCode.Code != Code.Call) + continue; + var calledMethod = instr.Operand as MethodDefinition; + if (calledMethod == null) + continue; + if (!DotNetUtils.isMethod(calledMethod, "System.Int64", "()")) + continue; + + return calledMethod; + } + return null; + } + + static TypeDefinition findDataDecrypterType(MethodDefinition method) { + foreach (var instr in method.Body.Instructions) { + if (instr.OpCode.Code != Code.Call) + continue; + var calledMethod = instr.Operand as MethodDefinition; + if (calledMethod == null) + continue; + if (!DotNetUtils.isMethod(calledMethod, "System.Byte[]", "(System.Byte[],System.Byte[])")) + continue; + + return calledMethod.DeclaringType; + } + return null; + } + + bool findShorts(MethodDefinition method) { + int index = 0; + if (!findShort(method, ref index, ref s1)) + return false; + if (!findShort(method, ref index, ref s2)) + return false; + if (!findShort(method, ref index, ref s3)) + return false; + + return true; + } + + bool findShort(MethodDefinition method, ref int index, ref short s) { + if (!findCallReadInt16(method, ref index)) + return false; + index++; + return getInt16(method, ref index, ref s); + } + + bool findInts(MethodDefinition method) { + int index = findIndexFirstIntegerConstant(method); + if (index < 0) + return false; + + if (!getNextInt32(method, ref index, out i1)) + return false; + int tmp; + if (!getNextInt32(method, ref index, out tmp)) + return false; + if (!getNextInt32(method, ref index, out i2)) + return false; + + return true; + } + + bool findInt3(MethodDefinition method) { + if (int64Method == null) + return findInt3Old(method); + return findInt3New(method); + } + + // <= 3.1 + bool findInt3Old(MethodDefinition method) { + var instrs = method.Body.Instructions; + for (int i = 0; i < instrs.Count - 4; i++) { + var ldarg0 = instrs[i]; + if (ldarg0.OpCode.Code != Code.Ldarg_0) + continue; + + var ldci4 = instrs[i + 1]; + if (!DotNetUtils.isLdcI4(ldci4)) + continue; + + int index = i + 1; + int value; + if (!getInt32(method, ref index, out value)) + continue; + if (index >= instrs.Count) + continue; + + if (instrs[index].OpCode.Code != Code.Xor) + continue; + + i3 = value; + return true; + } + + return false; + } + + // 3.2+ + bool findInt3New(MethodDefinition method) { + var instrs = method.Body.Instructions; + for (int i = 0; i < instrs.Count - 4; i++) { + var ldarg0 = instrs[i]; + if (ldarg0.OpCode.Code != Code.Ldarg_0) + continue; + + var ldci4 = instrs[i + 1]; + if (!DotNetUtils.isLdcI4(ldci4)) + continue; + + if (instrs[i + 2].OpCode.Code != Code.Xor) + continue; + + if (!DotNetUtils.isLdloc(instrs[i + 3])) + continue; + + if (instrs[i + 4].OpCode.Code != Code.Xor) + continue; + + i3 = DotNetUtils.getLdcI4Value(ldci4); + return true; + } + + return false; + } + + bool findInt4(MethodDefinition method) { + int index = 0; + if (!findCallReadInt32(method, ref index)) + return false; + if (!getNextInt32(method, ref index, out i4)) + return false; + + return true; + } + + bool findInt7(MethodDefinition method) { + int index = -1; + while (true) { + index++; + if (!findCallReadBytes(method, ref index)) + return false; + if (index <= 0) + continue; + var ldci4 = method.Body.Instructions[index - 1]; + if (!DotNetUtils.isLdcI4(ldci4)) + continue; + if (DotNetUtils.getLdcI4Value(ldci4) != 4) + continue; + if (!getNextInt32(method, ref index, out i7)) + return false; + + return true; + } + } + + static int findIndexFirstIntegerConstant(MethodDefinition method) { + var instrs = method.Body.Instructions; + for (int i = 0; i < instrs.Count - 2; i++) { + var ldci4 = instrs[i]; + if (!DotNetUtils.isLdcI4(ldci4)) + continue; + + var stloc = instrs[i + 1]; + if (!DotNetUtils.isStloc(stloc)) + continue; + + var call = instrs[i + 2]; + if (call.OpCode.Code != Code.Call) + continue; + var calledMethod = call.Operand as MethodDefinition; + if (calledMethod == null) + continue; + if (!DotNetUtils.isMethod(calledMethod, "System.Int64", "()")) + continue; + + return i; + } + + return -1; + } + + static bool getNextInt32(MethodDefinition method, ref int index, out int val) { + for (; index < method.Body.Instructions.Count; index++) { + var instr = method.Body.Instructions[index]; + if (instr.OpCode.Code != Code.Ldc_I4_S && instr.OpCode.Code != Code.Ldc_I4) + continue; + + return getInt32(method, ref index, out val); + } + + val = 0; + return false; + } + + static bool getInt16(MethodDefinition method, ref int index, ref short s) { + int val; + if (!getInt32(method, ref index, out val)) + return false; + s = (short)val; + return true; + } + + static bool getInt32(MethodDefinition method, ref int index, out int val) { + val = 0; + var instrs = method.Body.Instructions; + if (index >= instrs.Count) + return false; + var ldci4 = instrs[index]; + if (ldci4.OpCode.Code != Code.Ldc_I4_S && ldci4.OpCode.Code != Code.Ldc_I4) + return false; + + var stack = new Stack(); + stack.Push(DotNetUtils.getLdcI4Value(ldci4)); + + index++; + for (; index < instrs.Count; index++) { + int l = stack.Count - 1; + + var instr = instrs[index]; + switch (instr.OpCode.Code) { + case Code.Not: + stack.Push(~stack.Pop()); + break; + + case Code.Neg: + stack.Push(-stack.Pop()); + break; + + case Code.Ldc_I4: + case Code.Ldc_I4_S: + case Code.Ldc_I4_0: + case Code.Ldc_I4_1: + case Code.Ldc_I4_2: + case Code.Ldc_I4_3: + case Code.Ldc_I4_4: + case Code.Ldc_I4_5: + case Code.Ldc_I4_6: + case Code.Ldc_I4_7: + case Code.Ldc_I4_8: + case Code.Ldc_I4_M1: + stack.Push(DotNetUtils.getLdcI4Value(instr)); + break; + + case Code.Xor: + if (stack.Count < 2) + goto done; + stack.Push(stack.Pop() ^ stack.Pop()); + break; + + default: + goto done; + } + } +done: + while (stack.Count > 1) + stack.Pop(); + val = stack.Pop(); + return true; + } + + static bool callsGetPublicKeyToken(MethodDefinition method) { + int index = 0; + return findCall(method, ref index, "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()"); + } + + static bool findCallReadInt16(MethodDefinition method, ref int index) { + return findCall(method, ref index, "System.Int16 System.IO.BinaryReader::ReadInt16()"); + } + + static bool findCallReadInt32(MethodDefinition method, ref int index) { + return findCall(method, ref index, "System.Int32 System.IO.BinaryReader::ReadInt32()"); + } + + static bool findCallReadBytes(MethodDefinition method, ref int index) { + return findCall(method, ref index, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)"); + } + + static bool findCall(MethodDefinition method, ref int index, string methodFullName) { + for (; index < method.Body.Instructions.Count; index++) { + if (!findCallvirt(method, ref index)) + return false; + + var calledMethod = method.Body.Instructions[index].Operand as MethodReference; + if (calledMethod == null) + continue; + if (calledMethod.ToString() != methodFullName) + continue; + + return true; + } + return false; + } + + static bool findCallvirt(MethodDefinition method, ref int index) { + var instrs = method.Body.Instructions; + for (; index < instrs.Count; index++) { + var instr = instrs[index]; + if (instr.OpCode.Code != Code.Callvirt) + continue; + + return true; + } + + return false; + } + + int binOp1(int a, int b) { + return a ^ (b - m1_i1); + } + + int binOp2(int a, int b) { + return (a - m2_i1) ^ (b + m2_i2); + } + + int binOp3(int a, int b) { + return a ^ (b - m3_i1) ^ (a - b); + } + + int constMethod1() { + return binOp3(binOp2(token2, binOp3(token1, token5)), constMethod6()); + } + + int constMethod2() { + return binOp1(token3, token4 ^ binOp2(token2, binOp3(token6, constMethod4()))); + } + + int constMethod3() { + return binOp3(binOp1(constMethod2() ^ 0x1F74F46E, token4), binOp2(token1 ^ token6, i5)); + } + + int constMethod4() { + return binOp3(token4, binOp1(token1, binOp2(token2, binOp3(token3, binOp1(token5, token6))))); + } + + int constMethod5() { + return binOp2(binOp2(constMethod3(), binOp1(token5, constMethod2())), token6); + } + + int constMethod6() { + return binOp1(token6, binOp3(binOp2(token5, token1), binOp3(token3 ^ i6, constMethod5()))); + } + } +} diff --git a/de4dot.code/deobfuscators/Goliath_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Goliath_NET/Deobfuscator.cs index ac15032e..d4ce0294 100644 --- a/de4dot.code/deobfuscators/Goliath_NET/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Goliath_NET/Deobfuscator.cs @@ -270,10 +270,10 @@ namespace de4dot.code.deobfuscators.Goliath_NET { findAndRemoveInlinedMethods(); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); foreach (var method in stringDecrypter.getMethods()) - list.Add(method.MetadataToken.ToInt32().ToString("X8")); + list.Add(method.MetadataToken.ToInt32()); return list; } } diff --git a/de4dot.code/deobfuscators/IDeobfuscator.cs b/de4dot.code/deobfuscators/IDeobfuscator.cs index 6786cf1e..21b2b882 100644 --- a/de4dot.code/deobfuscators/IDeobfuscator.cs +++ b/de4dot.code/deobfuscators/IDeobfuscator.cs @@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators { // If the obfuscator has encrypted parts of the file, then this method should return the // decrypted file. true is returned if args have been initialized, false otherwise. - bool getDecryptedModule(ref byte[] newFileData, ref Dictionary dumpedMethods); + bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods); // This is only called if getDecryptedModule() != null, and after the module has been // reloaded. Should return a new IDeobfuscator with the same options and the new module. @@ -107,6 +107,6 @@ namespace de4dot.code.deobfuscators { void deobfuscateEnd(); // Called to get method token / pattern of string decrypters - IEnumerable getStringDecrypterMethods(); + IEnumerable getStringDecrypterMethods(); } } diff --git a/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs index 5d16c19f..3d09eb37 100644 --- a/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs @@ -113,12 +113,13 @@ namespace de4dot.code.deobfuscators.Skater_NET { public override void deobfuscateEnd() { if (Operations.DecryptStrings != OpDecryptString.None && stringDecrypter.CanRemoveType) addTypeToBeRemoved(stringDecrypter.Type, "String decrypter type"); + fixEnumTypes(); base.deobfuscateEnd(); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); return list; } } diff --git a/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs b/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs index 03e09fd7..e226c4f7 100644 --- a/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs @@ -542,10 +542,10 @@ namespace de4dot.code.deobfuscators.SmartAssembly { } } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); foreach (var method in staticStringInliner.Methods) - list.Add(method.MetadataToken.ToInt32().ToString("X8")); + list.Add(method.MetadataToken.ToInt32()); return list; } } diff --git a/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs b/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs index ec0067f2..b26ca06c 100644 --- a/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs @@ -208,10 +208,10 @@ namespace de4dot.code.deobfuscators.Spices_Net { } } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); foreach (var info in stringDecrypter.DecrypterInfos) - list.Add(info.method.MetadataToken.ToInt32().ToString("X8")); + list.Add(info.method.MetadataToken.ToInt32()); return list; } } diff --git a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs index a7e471ff..f17d42b3 100644 --- a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs @@ -17,6 +17,7 @@ along with de4dot. If not, see . */ +using System.Collections.Generic; using System.Text.RegularExpressions; namespace de4dot.code.deobfuscators.Unknown { @@ -110,5 +111,9 @@ namespace de4dot.code.deobfuscators.Unknown { } return null; } + + public override IEnumerable getStringDecrypterMethods() { + return new List(); + } } } diff --git a/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs b/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs index 2cde2af0..fc4cba7e 100644 --- a/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs @@ -109,10 +109,10 @@ namespace de4dot.code.deobfuscators.Xenocode { base.deobfuscateEnd(); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); if (stringDecrypter.Method != null) - list.Add(stringDecrypter.Method.MetadataToken.ToInt32().ToString("X8")); + list.Add(stringDecrypter.Method.MetadataToken.ToInt32()); return list; } } diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v3/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v3/Deobfuscator.cs index 1089cbd6..55e9931b 100644 --- a/de4dot.code/deobfuscators/dotNET_Reactor/v3/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/dotNET_Reactor/v3/Deobfuscator.cs @@ -141,7 +141,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 { return decrypterType.LinkedResource != null || nativeLibSaver.Resource != null; } - public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary dumpedMethods) { + public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) { if (!needsPatching()) return false; @@ -329,10 +329,10 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 { findAndRemoveInlinedMethods(); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); foreach (var method in decrypterType.StringDecrypters) - list.Add(method.MetadataToken.ToInt32().ToString("X8")); + list.Add(method.MetadataToken.ToInt32()); return list; } } diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs index 637602a4..4e76bd32 100644 --- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs @@ -362,7 +362,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { return false; } - public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary dumpedMethods) { + public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) { fileData = ModuleBytes ?? DeobUtils.readModule(module); peImage = new PeImage(fileData); @@ -580,12 +580,12 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { findAndRemoveInlinedMethods(); } - public override IEnumerable getStringDecrypterMethods() { - var list = new List(); + public override IEnumerable getStringDecrypterMethods() { + var list = new List(); foreach (var info in stringDecrypter.DecrypterInfos) - list.Add(info.method.MetadataToken.ToInt32().ToString("X8")); + list.Add(info.method.MetadataToken.ToInt32()); if (stringDecrypter.OtherStringDecrypter != null) - list.Add(stringDecrypter.OtherStringDecrypter.MetadataToken.ToInt32().ToString("X8")); + list.Add(stringDecrypter.OtherStringDecrypter.MetadataToken.ToInt32()); return list; } diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs index 81848e98..e7c1ae8b 100644 --- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs +++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs @@ -123,7 +123,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 }; static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 }; - public bool decrypt(PeImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref Dictionary dumpedMethods, Dictionary tokenToNativeCode) { + public bool decrypt(PeImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref DumpedMethods dumpedMethods, Dictionary tokenToNativeCode) { if (encryptedResource.Method == null) return false; @@ -189,7 +189,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { patchDwords(peImage, methodsDataReader, patchCount); int count = methodsDataReader.ReadInt32(); - dumpedMethods = new Dictionary(); + dumpedMethods = new DumpedMethods(); while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) { uint rva = methodsDataReader.ReadUInt32(); uint index = methodsDataReader.ReadUInt32(); @@ -257,7 +257,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8); } - dumpedMethods[dm.token] = dm; + dumpedMethods.add(dm); } } diff --git a/de4dot.cui/FilesDeobfuscator.cs b/de4dot.cui/FilesDeobfuscator.cs index f18dd9a1..15ce4718 100644 --- a/de4dot.cui/FilesDeobfuscator.cs +++ b/de4dot.cui/FilesDeobfuscator.cs @@ -183,6 +183,7 @@ namespace de4dot.cui { } allFiles[key] = true; + int oldIndentLevel = Log.indentLevel; try { file.load(options.CreateDeobfuscators()); } @@ -199,6 +200,9 @@ namespace de4dot.cui { Log.w("Could not load file ({0}): {1}", ex.GetType(), file.Filename); return false; } + finally { + Log.indentLevel = oldIndentLevel; + } var deob = file.Deobfuscator; if (skipUnknownObfuscator && deob.Type == "un") {