Merge branch 'master' into mc
This commit is contained in:
commit
cf76c14b4b
|
@ -41,6 +41,8 @@ namespace de4dot.blocks.cflow {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected virtual bool canInline(MethodDefinition method) {
|
protected virtual bool canInline(MethodDefinition method) {
|
||||||
|
if (method.GenericParameters.Count > 0)
|
||||||
|
return false;
|
||||||
if (MemberReferenceHelper.compareMethodReferenceAndDeclaringType(method, blocks.Method))
|
if (MemberReferenceHelper.compareMethodReferenceAndDeclaringType(method, blocks.Method))
|
||||||
return false;
|
return false;
|
||||||
if (!MemberReferenceHelper.compareTypes(method.DeclaringType, blocks.Method.DeclaringType))
|
if (!MemberReferenceHelper.compareTypes(method.DeclaringType, blocks.Method.DeclaringType))
|
||||||
|
|
2
cecil
2
cecil
|
@ -1 +1 @@
|
||||||
Subproject commit e71840599636807d69b0b39e164ab7292b10fe23
|
Subproject commit a9c9bd7f0cb8271c287e83d8a70678770ca0d078
|
|
@ -62,7 +62,7 @@ namespace de4dot.code {
|
||||||
module.Write(newFilename, writerParams);
|
module.Write(newFilename, writerParams);
|
||||||
}
|
}
|
||||||
|
|
||||||
public ModuleDefinition reload(byte[] newModuleData, Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public ModuleDefinition reload(byte[] newModuleData, DumpedMethods dumpedMethods) {
|
||||||
AssemblyResolver.Instance.removeModule(module);
|
AssemblyResolver.Instance.removeModule(module);
|
||||||
DotNetUtils.typeCaches.invalidate(module);
|
DotNetUtils.typeCaches.invalidate(module);
|
||||||
return setModule(ModuleDefinition.ReadModule(new MemoryStream(newModuleData), getReaderParameters(), dumpedMethods));
|
return setModule(ModuleDefinition.ReadModule(new MemoryStream(newModuleData), getReaderParameters(), dumpedMethods));
|
||||||
|
|
|
@ -363,7 +363,7 @@ namespace de4dot.code {
|
||||||
initAssemblyClient();
|
initAssemblyClient();
|
||||||
|
|
||||||
byte[] fileData = null;
|
byte[] fileData = null;
|
||||||
Dictionary<uint, DumpedMethod> dumpedMethods = null;
|
DumpedMethods dumpedMethods = null;
|
||||||
if (deob.getDecryptedModule(ref fileData, ref dumpedMethods))
|
if (deob.getDecryptedModule(ref fileData, ref dumpedMethods))
|
||||||
reloadModule(fileData, dumpedMethods);
|
reloadModule(fileData, dumpedMethods);
|
||||||
|
|
||||||
|
@ -372,7 +372,7 @@ namespace de4dot.code {
|
||||||
deob.deobfuscateEnd();
|
deob.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
void reloadModule(byte[] newModuleData, Dictionary<uint, DumpedMethod> dumpedMethods) {
|
void reloadModule(byte[] newModuleData, DumpedMethods dumpedMethods) {
|
||||||
Log.v("Reloading decrypted assembly (original filename: {0})", Filename);
|
Log.v("Reloading decrypted assembly (original filename: {0})", Filename);
|
||||||
simpleDeobfuscatorFlags.Clear();
|
simpleDeobfuscatorFlags.Clear();
|
||||||
module = assemblyModule.reload(newModuleData, dumpedMethods);
|
module = assemblyModule.reload(newModuleData, dumpedMethods);
|
||||||
|
@ -407,12 +407,10 @@ namespace de4dot.code {
|
||||||
}
|
}
|
||||||
|
|
||||||
IEnumerable<int> getMethodTokens() {
|
IEnumerable<int> getMethodTokens() {
|
||||||
var tokens = new List<int>();
|
if (!userStringDecrypterMethods)
|
||||||
|
return deob.getStringDecrypterMethods();
|
||||||
|
|
||||||
if (!userStringDecrypterMethods) {
|
var tokens = new List<int>();
|
||||||
options.StringDecrypterMethods.Clear();
|
|
||||||
options.StringDecrypterMethods.AddRange(deob.getStringDecrypterMethods());
|
|
||||||
}
|
|
||||||
|
|
||||||
foreach (var val in options.StringDecrypterMethods) {
|
foreach (var val in options.StringDecrypterMethods) {
|
||||||
var tokenStr = val.Trim();
|
var tokenStr = val.Trim();
|
||||||
|
@ -542,6 +540,7 @@ namespace de4dot.code {
|
||||||
Log.v("Deobfuscating {0} ({1:X8})", Utils.removeNewlines(method), method.MetadataToken.ToUInt32());
|
Log.v("Deobfuscating {0} ({1:X8})", Utils.removeNewlines(method), method.MetadataToken.ToUInt32());
|
||||||
Log.indent();
|
Log.indent();
|
||||||
|
|
||||||
|
int oldIndentLevel = Log.indentLevel;
|
||||||
try {
|
try {
|
||||||
deobfuscate(method, cflowDeobfuscator, methodPrinter);
|
deobfuscate(method, cflowDeobfuscator, methodPrinter);
|
||||||
}
|
}
|
||||||
|
@ -553,6 +552,9 @@ namespace de4dot.code {
|
||||||
method.MetadataToken.ToInt32(),
|
method.MetadataToken.ToInt32(),
|
||||||
ex.GetType());
|
ex.GetType());
|
||||||
}
|
}
|
||||||
|
finally {
|
||||||
|
Log.indentLevel = oldIndentLevel;
|
||||||
|
}
|
||||||
removeNoInliningAttribute(method);
|
removeNoInliningAttribute(method);
|
||||||
|
|
||||||
Log.deIndent();
|
Log.deIndent();
|
||||||
|
|
|
@ -139,6 +139,7 @@
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\DecryptMethod.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\v3\DecryptMethod.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\MemoryPatcher.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\v3\MemoryPatcher.cs" />
|
||||||
<Compile Include="deobfuscators\Eazfuscator_NET\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\Deobfuscator.cs" />
|
||||||
|
<Compile Include="deobfuscators\Eazfuscator_NET\StringDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
|
<Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
|
||||||
<Compile Include="deobfuscators\Goliath_NET\ArrayDecrypter.cs" />
|
<Compile Include="deobfuscators\Goliath_NET\ArrayDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\Goliath_NET\ArrayValueInliner.cs" />
|
<Compile Include="deobfuscators\Goliath_NET\ArrayValueInliner.cs" />
|
||||||
|
|
|
@ -259,10 +259,10 @@ namespace de4dot.code.deobfuscators.Babel_NET {
|
||||||
base.deobfuscateEnd();
|
base.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
if (stringDecrypter.DecryptMethod != null)
|
if (stringDecrypter.DecryptMethod != null)
|
||||||
list.Add(stringDecrypter.DecryptMethod.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(stringDecrypter.DecryptMethod.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -135,7 +135,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||||
if (!options.DecryptMethods)
|
if (!options.DecryptMethods)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -225,10 +225,10 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
||||||
base.deobfuscateEnd();
|
base.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
if (stringDecrypter.Method != null)
|
if (stringDecrypter.Method != null)
|
||||||
list.Add(stringDecrypter.Method.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(stringDecrypter.Method.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -155,7 +155,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool decrypt(PeImage peImage, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public bool decrypt(PeImage peImage, ref DumpedMethods dumpedMethods) {
|
||||||
this.peImage = peImage;
|
this.peImage = peImage;
|
||||||
|
|
||||||
uint offset = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
|
uint offset = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
|
||||||
|
@ -179,7 +179,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
||||||
peImage.writeUint32(rva + 8, methodInfo.localVarSigTok);
|
peImage.writeUint32(rva + 8, methodInfo.localVarSigTok);
|
||||||
}
|
}
|
||||||
|
|
||||||
dumpedMethods = new Dictionary<uint, DumpedMethod>();
|
dumpedMethods = new DumpedMethods();
|
||||||
offset = methodDefTable.fileOffset;
|
offset = methodDefTable.fileOffset;
|
||||||
for (int i = 0; i < methodInfos.Count; i++, offset += methodDefTable.totalSize) {
|
for (int i = 0; i < methodInfos.Count; i++, offset += methodDefTable.totalSize) {
|
||||||
var methodInfo = methodInfos[i];
|
var methodInfo = methodInfos[i];
|
||||||
|
@ -211,7 +211,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
||||||
dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8);
|
dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8);
|
||||||
}
|
}
|
||||||
|
|
||||||
dumpedMethods[dm.token] = dm;
|
dumpedMethods.add(dm);
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
|
|
@ -151,7 +151,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||||
if (!methodsDecrypter.Detected)
|
if (!methodsDecrypter.Detected)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -266,8 +266,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
removeTypesWithInvalidBaseTypes();
|
|
||||||
|
|
||||||
removeProxyDelegates(proxyDelegateFinder, canRemoveProxyTypes);
|
removeProxyDelegates(proxyDelegateFinder, canRemoveProxyTypes);
|
||||||
if (canRemoveProxyTypes) {
|
if (canRemoveProxyTypes) {
|
||||||
addTypeToBeRemoved(proxyDelegateFinder.IlGeneratorType, "Obfuscator proxy method ILGenerator type");
|
addTypeToBeRemoved(proxyDelegateFinder.IlGeneratorType, "Obfuscator proxy method ILGenerator type");
|
||||||
|
@ -280,10 +278,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
base.deobfuscateEnd();
|
base.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
if (stringDecrypter.DecryptMethod != null)
|
if (stringDecrypter.DecryptMethod != null)
|
||||||
list.Add(stringDecrypter.DecryptMethod.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(stringDecrypter.DecryptMethod.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -160,7 +160,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool decrypt(byte[] fileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public bool decrypt(byte[] fileData, ref DumpedMethods dumpedMethods) {
|
||||||
if (decrypter == null)
|
if (decrypter == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -181,8 +181,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
Dictionary<uint, DumpedMethod> createDumpedMethods(PeImage peImage, byte[] fileData, byte[] methodsData) {
|
DumpedMethods createDumpedMethods(PeImage peImage, byte[] fileData, byte[] methodsData) {
|
||||||
var dumpedMethods = new Dictionary<uint, DumpedMethod>();
|
var dumpedMethods = new DumpedMethods();
|
||||||
|
|
||||||
var methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
|
var methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
|
||||||
var fileDataReader = new BinaryReader(new MemoryStream(fileData));
|
var fileDataReader = new BinaryReader(new MemoryStream(fileData));
|
||||||
|
@ -229,7 +229,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
if (!decrypter.decrypt(fileDataReader, dm))
|
if (!decrypter.decrypt(fileDataReader, dm))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
dumpedMethods[dm.token] = dm;
|
dumpedMethods.add(dm);
|
||||||
}
|
}
|
||||||
|
|
||||||
return dumpedMethods;
|
return dumpedMethods;
|
||||||
|
|
|
@ -231,10 +231,10 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
addResourceToBeRemoved(resource, reason);
|
addResourceToBeRemoved(resource, reason);
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
if (stringDecrypter.Method != null)
|
if (stringDecrypter.Method != null)
|
||||||
list.Add(stringDecrypter.Method.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(stringDecrypter.Method.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -253,10 +253,10 @@ done:
|
||||||
removeInlinedMethods(DsInlinedMethodsFinder.find(module));
|
removeInlinedMethods(DsInlinedMethodsFinder.find(module));
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
foreach (var method in stringDecrypter.DecrypterMethods)
|
foreach (var method in stringDecrypter.DecrypterMethods)
|
||||||
list.Add(method.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(method.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -166,6 +166,8 @@ checkInline:
|
||||||
public static bool canInline(MethodDefinition method) {
|
public static bool canInline(MethodDefinition method) {
|
||||||
if (method == null || method.Body == null)
|
if (method == null || method.Body == null)
|
||||||
return false;
|
return false;
|
||||||
|
if (method.GenericParameters.Count > 0)
|
||||||
|
return false;
|
||||||
if (method.Body.ExceptionHandlers.Count > 0)
|
if (method.Body.ExceptionHandlers.Count > 0)
|
||||||
return false;
|
return false;
|
||||||
var parameters = method.Parameters;
|
var parameters = method.Parameters;
|
||||||
|
|
|
@ -137,7 +137,7 @@ namespace de4dot.code.deobfuscators {
|
||||||
protected abstract void scanForObfuscator();
|
protected abstract void scanForObfuscator();
|
||||||
protected abstract int detectInternal();
|
protected abstract int detectInternal();
|
||||||
|
|
||||||
public virtual bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public virtual bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -166,6 +166,8 @@ namespace de4dot.code.deobfuscators {
|
||||||
|
|
||||||
public virtual void deobfuscateEnd() {
|
public virtual void deobfuscateEnd() {
|
||||||
if (!Operations.KeepObfuscatorTypes && !KeepTypes) {
|
if (!Operations.KeepObfuscatorTypes && !KeepTypes) {
|
||||||
|
removeTypesWithInvalidBaseTypes();
|
||||||
|
|
||||||
deleteEmptyCctors();
|
deleteEmptyCctors();
|
||||||
deleteMethods();
|
deleteMethods();
|
||||||
deleteFields();
|
deleteFields();
|
||||||
|
@ -200,7 +202,7 @@ namespace de4dot.code.deobfuscators {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void removeTypesWithInvalidBaseTypes() {
|
void removeTypesWithInvalidBaseTypes() {
|
||||||
var moduleType = DotNetUtils.getModuleType(module);
|
var moduleType = DotNetUtils.getModuleType(module);
|
||||||
foreach (var type in module.GetTypes()) {
|
foreach (var type in module.GetTypes()) {
|
||||||
if (!isTypeWithInvalidBaseType(moduleType, type))
|
if (!isTypeWithInvalidBaseType(moduleType, type))
|
||||||
|
@ -209,10 +211,21 @@ namespace de4dot.code.deobfuscators {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public virtual IEnumerable<string> getStringDecrypterMethods() {
|
protected void fixEnumTypes() {
|
||||||
return new List<string>();
|
foreach (var type in module.GetTypes()) {
|
||||||
|
if (!type.IsEnum)
|
||||||
|
continue;
|
||||||
|
foreach (var field in type.Fields) {
|
||||||
|
if (field.IsStatic)
|
||||||
|
continue;
|
||||||
|
field.IsRuntimeSpecialName = true;
|
||||||
|
field.IsSpecialName = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public abstract IEnumerable<int> getStringDecrypterMethods();
|
||||||
|
|
||||||
class MethodCallRemover {
|
class MethodCallRemover {
|
||||||
Dictionary<string, MethodDefinitionAndDeclaringTypeDict<bool>> methodNameInfos = new Dictionary<string, MethodDefinitionAndDeclaringTypeDict<bool>>();
|
Dictionary<string, MethodDefinitionAndDeclaringTypeDict<bool>> methodNameInfos = new Dictionary<string, MethodDefinitionAndDeclaringTypeDict<bool>>();
|
||||||
MethodDefinitionAndDeclaringTypeDict<MethodDefinitionAndDeclaringTypeDict<bool>> methodRefInfos = new MethodDefinitionAndDeclaringTypeDict<MethodDefinitionAndDeclaringTypeDict<bool>>();
|
MethodDefinitionAndDeclaringTypeDict<MethodDefinitionAndDeclaringTypeDict<bool>> methodRefInfos = new MethodDefinitionAndDeclaringTypeDict<MethodDefinitionAndDeclaringTypeDict<bool>>();
|
||||||
|
|
|
@ -126,10 +126,10 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
|
||||||
base.deobfuscateEnd();
|
base.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
foreach (var method in stringDecrypter.StringDecrypters)
|
foreach (var method in stringDecrypter.StringDecrypters)
|
||||||
list.Add(method.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(method.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -48,11 +48,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
|
||||||
class Deobfuscator : DeobfuscatorBase {
|
class Deobfuscator : DeobfuscatorBase {
|
||||||
Options options;
|
Options options;
|
||||||
TypeDefinition decryptStringType;
|
|
||||||
MethodDefinition decryptStringMethod;
|
|
||||||
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
|
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
|
||||||
bool detectedVersion = false;
|
bool detectedVersion = false;
|
||||||
|
|
||||||
|
StringDecrypter stringDecrypter;
|
||||||
|
|
||||||
internal class Options : OptionsBase {
|
internal class Options : OptionsBase {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -71,13 +71,12 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
public Deobfuscator(Options options)
|
public Deobfuscator(Options options)
|
||||||
: base(options) {
|
: base(options) {
|
||||||
this.options = options;
|
this.options = options;
|
||||||
DefaultDecrypterType = DecrypterType.Emulate;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protected override int detectInternal() {
|
protected override int detectInternal() {
|
||||||
int val = 0;
|
int val = 0;
|
||||||
|
|
||||||
if (decryptStringMethod != null)
|
if (stringDecrypter.Detected)
|
||||||
val += 100;
|
val += 100;
|
||||||
if (detectedVersion)
|
if (detectedVersion)
|
||||||
val += 10;
|
val += 10;
|
||||||
|
@ -86,36 +85,12 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected override void scanForObfuscator() {
|
protected override void scanForObfuscator() {
|
||||||
findStringDecrypterMethod();
|
stringDecrypter = new StringDecrypter(module);
|
||||||
if (decryptStringType != null)
|
stringDecrypter.find(DeobfuscatedFile);
|
||||||
|
if (stringDecrypter.Detected)
|
||||||
detectVersion();
|
detectVersion();
|
||||||
}
|
}
|
||||||
|
|
||||||
void findStringDecrypterMethod() {
|
|
||||||
foreach (var type in module.Types) {
|
|
||||||
if (DotNetUtils.findFieldType(type, "System.IO.BinaryReader", true) == null)
|
|
||||||
continue;
|
|
||||||
if (DotNetUtils.findFieldType(type, "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", true) == null)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
foreach (var method in type.Methods) {
|
|
||||||
if (method.IsStatic && method.HasBody && method.MethodReturnType.ReturnType.FullName == "System.String" &&
|
|
||||||
method.Parameters.Count == 1 && method.Parameters[0].ParameterType.FullName == "System.Int32") {
|
|
||||||
foreach (var instr in method.Body.Instructions) {
|
|
||||||
if (instr.OpCode != OpCodes.Callvirt)
|
|
||||||
continue;
|
|
||||||
var calledMethod = instr.Operand as MethodReference;
|
|
||||||
if (calledMethod != null && calledMethod.FullName == "System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String)") {
|
|
||||||
decryptStringType = type;
|
|
||||||
decryptStringMethod = method;
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
void detectVersion() {
|
void detectVersion() {
|
||||||
var name = detectVersion2();
|
var name = detectVersion2();
|
||||||
if (name == null)
|
if (name == null)
|
||||||
|
@ -126,6 +101,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
string detectVersion2() {
|
string detectVersion2() {
|
||||||
|
var decryptStringType = stringDecrypter.Type;
|
||||||
|
var decryptStringMethod = stringDecrypter.Method;
|
||||||
|
if (decryptStringType == null || decryptStringMethod == null)
|
||||||
|
return null;
|
||||||
|
|
||||||
var otherMethods = new List<MethodDefinition>();
|
var otherMethods = new List<MethodDefinition>();
|
||||||
MethodDefinition cctor = null;
|
MethodDefinition cctor = null;
|
||||||
foreach (var method in decryptStringType.Methods) {
|
foreach (var method in decryptStringType.Methods) {
|
||||||
|
@ -139,6 +119,8 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (cctor == null)
|
if (cctor == null)
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
|
bool hasConstantM2 = DeobUtils.hasInteger(decryptStringMethod, -2);
|
||||||
|
|
||||||
/////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////
|
||||||
/////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////
|
||||||
/////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////
|
||||||
|
@ -160,6 +142,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
"System.String",
|
"System.String",
|
||||||
};
|
};
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
|
!hasConstantM2 &&
|
||||||
!decryptStringMethod.NoInlining &&
|
!decryptStringMethod.NoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
decryptStringMethod.IsSynchronized &&
|
decryptStringMethod.IsSynchronized &&
|
||||||
|
@ -194,6 +177,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
"System.String",
|
"System.String",
|
||||||
};
|
};
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
|
!hasConstantM2 &&
|
||||||
!decryptStringMethod.NoInlining &&
|
!decryptStringMethod.NoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
decryptStringMethod.IsSynchronized &&
|
decryptStringMethod.IsSynchronized &&
|
||||||
|
@ -228,6 +212,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
"System.String",
|
"System.String",
|
||||||
};
|
};
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
|
!hasConstantM2 &&
|
||||||
!decryptStringMethod.NoInlining &&
|
!decryptStringMethod.NoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
decryptStringMethod.IsSynchronized &&
|
decryptStringMethod.IsSynchronized &&
|
||||||
|
@ -263,6 +248,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
"System.String",
|
"System.String",
|
||||||
};
|
};
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
|
!hasConstantM2 &&
|
||||||
!decryptStringMethod.NoInlining &&
|
!decryptStringMethod.NoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
decryptStringMethod.IsSynchronized &&
|
decryptStringMethod.IsSynchronized &&
|
||||||
|
@ -299,6 +285,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
"System.String",
|
"System.String",
|
||||||
};
|
};
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
|
!hasConstantM2 &&
|
||||||
!decryptStringMethod.NoInlining &&
|
!decryptStringMethod.NoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
|
@ -335,6 +322,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
"System.String",
|
"System.String",
|
||||||
};
|
};
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
|
!hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.NoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
|
@ -372,6 +360,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
"System.String",
|
"System.String",
|
||||||
};
|
};
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
|
!hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.NoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
|
@ -413,6 +402,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
"System.Type",
|
"System.Type",
|
||||||
};
|
};
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
|
!hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.NoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
|
@ -461,6 +451,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
otherMethods[0].IsPrivate &&
|
otherMethods[0].IsPrivate &&
|
||||||
otherMethods[0].IsStatic &&
|
otherMethods[0].IsStatic &&
|
||||||
new LocalTypes(otherMethods[0]).exactly(olocals30) &&
|
new LocalTypes(otherMethods[0]).exactly(olocals30) &&
|
||||||
|
!hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.NoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
|
@ -469,7 +460,56 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
decryptStringMethod.Body.ExceptionHandlers.Count == 2 &&
|
decryptStringMethod.Body.ExceptionHandlers.Count == 2 &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals30) &&
|
new LocalTypes(decryptStringMethod).exactly(locals30) &&
|
||||||
checkTypeFields(fields30)) {
|
checkTypeFields(fields30)) {
|
||||||
return "3.0 - 3.1";
|
return "3.0";
|
||||||
|
}
|
||||||
|
|
||||||
|
/////////////////////////////////////////////////////////////////
|
||||||
|
/////////////////////////////////////////////////////////////////
|
||||||
|
/////////////////////////////////////////////////////////////////
|
||||||
|
|
||||||
|
var fields31 = new string[] {
|
||||||
|
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
|
||||||
|
"System.IO.BinaryReader",
|
||||||
|
"System.Byte[]",
|
||||||
|
"System.Int16",
|
||||||
|
"System.Int32",
|
||||||
|
"System.Byte[]",
|
||||||
|
};
|
||||||
|
var locals31 = new string[] {
|
||||||
|
"System.Boolean",
|
||||||
|
"System.Byte",
|
||||||
|
"System.Byte[]",
|
||||||
|
"System.Char[]",
|
||||||
|
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
|
||||||
|
"System.Diagnostics.StackFrame",
|
||||||
|
"System.Diagnostics.StackTrace",
|
||||||
|
"System.Int16",
|
||||||
|
"System.Int32",
|
||||||
|
"System.IO.Stream",
|
||||||
|
"System.Reflection.Assembly",
|
||||||
|
"System.Reflection.AssemblyName",
|
||||||
|
"System.Reflection.MethodBase",
|
||||||
|
"System.String",
|
||||||
|
"System.Type",
|
||||||
|
};
|
||||||
|
var olocals31 = new string[] {
|
||||||
|
"System.Int32",
|
||||||
|
};
|
||||||
|
if (otherMethods.Count == 1 &&
|
||||||
|
DotNetUtils.isMethod(otherMethods[0], "System.Int32", "(System.Byte[],System.Int32,System.Byte[])") &&
|
||||||
|
otherMethods[0].IsPrivate &&
|
||||||
|
otherMethods[0].IsStatic &&
|
||||||
|
new LocalTypes(otherMethods[0]).exactly(olocals31) &&
|
||||||
|
hasConstantM2 &&
|
||||||
|
decryptStringMethod.NoInlining &&
|
||||||
|
decryptStringMethod.IsAssembly &&
|
||||||
|
!decryptStringMethod.IsSynchronized &&
|
||||||
|
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
||||||
|
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
||||||
|
decryptStringMethod.Body.ExceptionHandlers.Count == 2 &&
|
||||||
|
new LocalTypes(decryptStringMethod).exactly(locals31) &&
|
||||||
|
checkTypeFields(fields31)) {
|
||||||
|
return "3.1";
|
||||||
}
|
}
|
||||||
|
|
||||||
/////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////
|
||||||
|
@ -511,6 +551,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
otherMethods[0].IsPrivate &&
|
otherMethods[0].IsPrivate &&
|
||||||
otherMethods[0].IsStatic &&
|
otherMethods[0].IsStatic &&
|
||||||
new LocalTypes(otherMethods[0]).exactly(olocals32) &&
|
new LocalTypes(otherMethods[0]).exactly(olocals32) &&
|
||||||
|
hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.NoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
|
@ -526,29 +567,37 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
bool checkTypeFields(string[] fieldTypes) {
|
bool checkTypeFields(string[] fieldTypes) {
|
||||||
if (fieldTypes.Length != decryptStringType.Fields.Count)
|
if (fieldTypes.Length != stringDecrypter.Type.Fields.Count)
|
||||||
return false;
|
return false;
|
||||||
for (int i = 0; i < fieldTypes.Length; i++) {
|
for (int i = 0; i < fieldTypes.Length; i++) {
|
||||||
if (fieldTypes[i] != decryptStringType.Fields[i].FieldType.FullName)
|
if (fieldTypes[i] != stringDecrypter.Type.Fields[i].FieldType.FullName)
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public override void deobfuscateBegin() {
|
||||||
|
base.deobfuscateBegin();
|
||||||
|
|
||||||
|
staticStringInliner.add(stringDecrypter.Method, (method2, args) => {
|
||||||
|
return stringDecrypter.decrypt((int)args[0]);
|
||||||
|
});
|
||||||
|
DeobfuscatedFile.stringDecryptersAdded();
|
||||||
|
}
|
||||||
|
|
||||||
public override void deobfuscateEnd() {
|
public override void deobfuscateEnd() {
|
||||||
if (Operations.DecryptStrings == OpDecryptString.Dynamic && CanRemoveStringDecrypterType) {
|
if (CanRemoveStringDecrypterType) {
|
||||||
addTypeToBeRemoved(decryptStringType, "String decrypter type");
|
addTypesToBeRemoved(stringDecrypter.Types, "String decrypter type");
|
||||||
findPossibleNamesToRemove(decryptStringMethod);
|
addResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
|
||||||
addResources("Encrypted strings");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
base.deobfuscateEnd();
|
base.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
if (decryptStringMethod != null)
|
if (stringDecrypter.Method != null)
|
||||||
list.Add(decryptStringMethod.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(stringDecrypter.Method.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
813
de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
Normal file
813
de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
Normal file
|
@ -0,0 +1,813 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.IO;
|
||||||
|
using System.Text;
|
||||||
|
using Mono.Cecil;
|
||||||
|
using Mono.Cecil.Cil;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
class StringDecrypter {
|
||||||
|
ModuleDefinition module;
|
||||||
|
TypeDefinition decryptType;
|
||||||
|
MethodDefinition decryptMethod;
|
||||||
|
TypeDefinition dataDecrypterType;
|
||||||
|
MethodDefinition int64Method;
|
||||||
|
short s1, s2, s3;
|
||||||
|
int i1, i2, i3, i4, i5, i6, i7;
|
||||||
|
ulong l1;
|
||||||
|
int m1_i1, m2_i1, m2_i2, m3_i1;
|
||||||
|
int token1, token2, token3, token4, token5, token6;
|
||||||
|
bool checkMinus2;
|
||||||
|
bool usePublicKeyToken;
|
||||||
|
int keyLen;
|
||||||
|
byte[] theKey;
|
||||||
|
int magic1;
|
||||||
|
EmbeddedResource encryptedResource;
|
||||||
|
BinaryReader reader;
|
||||||
|
|
||||||
|
public TypeDefinition Type {
|
||||||
|
get { return decryptType; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public EmbeddedResource Resource {
|
||||||
|
get { return encryptedResource; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public IEnumerable<TypeDefinition> Types {
|
||||||
|
get {
|
||||||
|
var list = new List<TypeDefinition>();
|
||||||
|
list.Add(decryptType);
|
||||||
|
list.Add(dataDecrypterType);
|
||||||
|
if (int64Method != null)
|
||||||
|
list.Add(int64Method.DeclaringType);
|
||||||
|
return list;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodDefinition Method {
|
||||||
|
get { return decryptMethod; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool Detected {
|
||||||
|
get { return decryptType != null; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public StringDecrypter(ModuleDefinition module) {
|
||||||
|
this.module = module;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void find(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
|
foreach (var type in module.Types) {
|
||||||
|
if (DotNetUtils.findFieldType(type, "System.IO.BinaryReader", true) == null)
|
||||||
|
continue;
|
||||||
|
if (DotNetUtils.findFieldType(type, "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", true) == null)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
foreach (var method in type.Methods) {
|
||||||
|
if (!checkDecrypterMethod(method))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
decryptType = type;
|
||||||
|
decryptMethod = method;
|
||||||
|
if (!findConstants(simpleDeobfuscator))
|
||||||
|
Log.w("Can't decrypt strings. Possibly a new Eazfuscator.NET version.");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool checkDecrypterMethod(MethodDefinition method) {
|
||||||
|
if (method == null || !method.IsStatic || method.Body == null)
|
||||||
|
return false;
|
||||||
|
if (!DotNetUtils.isMethod(method, "System.String", "(System.Int32)"))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
foreach (var instr in method.Body.Instructions) {
|
||||||
|
if (instr.OpCode != OpCodes.Callvirt)
|
||||||
|
continue;
|
||||||
|
var calledMethod = instr.Operand as MethodReference;
|
||||||
|
if (calledMethod != null && calledMethod.FullName == "System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String)")
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool findConstants(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
|
if (!findResource(decryptMethod))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
simpleDeobfuscator.deobfuscate(decryptMethod);
|
||||||
|
|
||||||
|
checkMinus2 = DeobUtils.hasInteger(decryptMethod, -2);
|
||||||
|
usePublicKeyToken = callsGetPublicKeyToken(decryptMethod);
|
||||||
|
|
||||||
|
int64Method = findInt64Method(decryptMethod);
|
||||||
|
|
||||||
|
if (!findShorts(decryptMethod))
|
||||||
|
return false;
|
||||||
|
if (!findInt3(decryptMethod))
|
||||||
|
return false;
|
||||||
|
if (!findInt4(decryptMethod))
|
||||||
|
return false;
|
||||||
|
if (checkMinus2 && !findInt7(decryptMethod))
|
||||||
|
return false;
|
||||||
|
dataDecrypterType = findDataDecrypterType(decryptMethod);
|
||||||
|
if (dataDecrypterType == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (int64Method != null) {
|
||||||
|
if (!findInts(decryptMethod))
|
||||||
|
return false;
|
||||||
|
if (!findInt64(int64Method))
|
||||||
|
return false;
|
||||||
|
if (!findInt5())
|
||||||
|
return false;
|
||||||
|
if (!findInt6())
|
||||||
|
return false;
|
||||||
|
if (!findMethodInts())
|
||||||
|
return false;
|
||||||
|
token1 = getToken(-1509110933);
|
||||||
|
token2 = getToken(-82806859);
|
||||||
|
token3 = getToken(1294352278);
|
||||||
|
token4 = getToken(402344241);
|
||||||
|
token5 = getToken(-56237163);
|
||||||
|
token6 = getToken(1106695601);
|
||||||
|
if (token1 == 0 || token2 == 0 || token3 == 0)
|
||||||
|
return false;
|
||||||
|
if (token4 == 0 || token5 == 0 || token6 == 0)
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
initialize();
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
void initialize() {
|
||||||
|
reader = new BinaryReader(encryptedResource.GetResourceStream());
|
||||||
|
short len = (short)(reader.ReadInt16() ^ s1);
|
||||||
|
if (len != 0)
|
||||||
|
theKey = reader.ReadBytes(len);
|
||||||
|
else
|
||||||
|
keyLen = reader.ReadInt16() ^ s2;
|
||||||
|
|
||||||
|
if (int64Method != null)
|
||||||
|
magic1 = (int)getMagic() ^ i1 ^ i2;
|
||||||
|
}
|
||||||
|
|
||||||
|
public string decrypt(int val) {
|
||||||
|
while (true) {
|
||||||
|
int offset = magic1 ^ i3 ^ val;
|
||||||
|
reader.BaseStream.Position = offset;
|
||||||
|
byte[] tmpKey;
|
||||||
|
if (theKey == null) {
|
||||||
|
tmpKey = reader.ReadBytes(keyLen == -1 ? (short)(reader.ReadInt16() ^ s3 ^ offset) : keyLen);
|
||||||
|
if (int64Method != null) {
|
||||||
|
for (int i = 0; i < tmpKey.Length; i++)
|
||||||
|
tmpKey[i] ^= (byte)(magic1 >> ((i & 3) << 3));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
tmpKey = theKey;
|
||||||
|
|
||||||
|
int flags = i4 ^ magic1 ^ offset ^ reader.ReadInt32();
|
||||||
|
if (checkMinus2 && flags == -2) {
|
||||||
|
var ary2 = reader.ReadBytes(4);
|
||||||
|
val = -(magic1 ^ i7) ^ (ary2[2] | (ary2[0] << 8) | (ary2[3] << 16) | (ary2[1] << 24));
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
var bytes = reader.ReadBytes(flags & 0x1FFFFFFF);
|
||||||
|
decrypt1(bytes, tmpKey);
|
||||||
|
var pkt = module.Assembly.Name.PublicKeyToken;
|
||||||
|
if (usePublicKeyToken && pkt != null && pkt.Length != 0) {
|
||||||
|
for (int i = 0; i < bytes.Length; i++)
|
||||||
|
bytes[i] ^= (byte)((pkt[i & 7] >> 5) + (pkt[i & 7] << 3));
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((flags & 0x40000000) != 0)
|
||||||
|
bytes = rld(bytes);
|
||||||
|
if ((flags & 0x80000000) != 0) {
|
||||||
|
var sb = new StringBuilder(bytes.Length);
|
||||||
|
foreach (var b in bytes)
|
||||||
|
sb.Append((char)b);
|
||||||
|
return sb.ToString();
|
||||||
|
}
|
||||||
|
else
|
||||||
|
return Encoding.Unicode.GetString(bytes);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static byte[] rld(byte[] src) {
|
||||||
|
var dst = new byte[src[2] + (src[3] << 8) + (src[0] << 16) + (src[1] << 24)];
|
||||||
|
int srcIndex = 4;
|
||||||
|
int dstIndex = 0;
|
||||||
|
int flags = 0;
|
||||||
|
int bit = 128;
|
||||||
|
while (dstIndex < dst.Length) {
|
||||||
|
bit <<= 1;
|
||||||
|
if (bit == 256) {
|
||||||
|
bit = 1;
|
||||||
|
flags = src[srcIndex++];
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((flags & bit) == 0) {
|
||||||
|
dst[dstIndex++] = src[srcIndex++];
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
int numBytes = (src[srcIndex] >> 2) + 3;
|
||||||
|
int copyIndex = dstIndex - ((src[srcIndex + 1] + (src[srcIndex] << 8)) & 0x3FF);
|
||||||
|
if (copyIndex < 0)
|
||||||
|
break;
|
||||||
|
while (dstIndex < dst.Length && numBytes-- > 0)
|
||||||
|
dst[dstIndex++] = dst[copyIndex++];
|
||||||
|
srcIndex += 2;
|
||||||
|
}
|
||||||
|
|
||||||
|
return dst;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void decrypt1(byte[] dest, byte[] key) {
|
||||||
|
byte b = (byte)((key[1] + 7) ^ (dest.Length + 11));
|
||||||
|
uint lcg = (uint)((key[0] | key[2] << 8) + (b << 3));
|
||||||
|
b += 3;
|
||||||
|
ushort xn = 0;
|
||||||
|
for (int i = 0; i < dest.Length; i++) {
|
||||||
|
if ((i & 1) == 0) {
|
||||||
|
lcg = lcgNext(lcg);
|
||||||
|
xn = (ushort)(lcg >> 16);
|
||||||
|
}
|
||||||
|
byte tmp = dest[i];
|
||||||
|
dest[i] ^= (byte)(key[1] ^ (byte)xn ^ b);
|
||||||
|
b = (byte)(tmp + 3);
|
||||||
|
xn >>= 8;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static uint lcgNext(uint lcg) {
|
||||||
|
return lcg * 214013 + 2531011;
|
||||||
|
}
|
||||||
|
|
||||||
|
uint getMagic() {
|
||||||
|
var bytes = new List<byte>();
|
||||||
|
if (module.Assembly != null) {
|
||||||
|
if (module.Assembly.Name.PublicKeyToken != null)
|
||||||
|
bytes.AddRange(module.Assembly.Name.PublicKeyToken);
|
||||||
|
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.Name));
|
||||||
|
}
|
||||||
|
int cm1 = constMethod1();
|
||||||
|
int token = int64Method.DeclaringType.MetadataToken.ToInt32();
|
||||||
|
bytes.Add((byte)(token >> 24));
|
||||||
|
bytes.Add((byte)(cm1 >> 16));
|
||||||
|
bytes.Add((byte)(token >> 8));
|
||||||
|
bytes.Add((byte)cm1);
|
||||||
|
bytes.Add((byte)(token >> 16));
|
||||||
|
bytes.Add((byte)(cm1 >> 8));
|
||||||
|
bytes.Add((byte)token);
|
||||||
|
bytes.Add((byte)(cm1 >> 24));
|
||||||
|
|
||||||
|
ulong magic = 0;
|
||||||
|
foreach (var b in bytes) {
|
||||||
|
magic += b;
|
||||||
|
magic += magic << 20;
|
||||||
|
magic ^= magic >> 12;
|
||||||
|
}
|
||||||
|
magic += magic << 6;
|
||||||
|
magic ^= magic >> 22;
|
||||||
|
magic += magic << 30;
|
||||||
|
return (uint)magic ^ (uint)l1;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findResource(MethodDefinition method) {
|
||||||
|
encryptedResource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
|
||||||
|
return encryptedResource != null;
|
||||||
|
}
|
||||||
|
|
||||||
|
int getToken(int constant) {
|
||||||
|
var method = findNestedTypeMethod(constant);
|
||||||
|
if (method == null)
|
||||||
|
return 0;
|
||||||
|
return method.DeclaringType.MetadataToken.ToInt32();
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findInt5() {
|
||||||
|
var consts = getConstants(findNestedTypeMethod(1294352278));
|
||||||
|
if (consts.Count != 2)
|
||||||
|
return false;
|
||||||
|
i5 = consts[1];
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findInt6() {
|
||||||
|
var consts = getConstants(findNestedTypeMethod(1106695601));
|
||||||
|
if (consts.Count != 1)
|
||||||
|
return false;
|
||||||
|
i6 = consts[0];
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findMethodInts() {
|
||||||
|
foreach (var type in int64Method.DeclaringType.NestedTypes) {
|
||||||
|
var methods = getBinaryIntMethods(type);
|
||||||
|
if (methods.Count < 3)
|
||||||
|
continue;
|
||||||
|
if (!findMethod1Int(methods))
|
||||||
|
continue;
|
||||||
|
if (!findMethod2Int(methods))
|
||||||
|
continue;
|
||||||
|
if (!findMethod3Int(methods))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static List<MethodDefinition> getBinaryIntMethods(TypeDefinition type) {
|
||||||
|
var list = new List<MethodDefinition>();
|
||||||
|
foreach (var method in type.Methods) {
|
||||||
|
if (!method.IsStatic || method.Body == null)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isMethod(method, "System.Int32", "(System.Int32,System.Int32)"))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
list.Add(method);
|
||||||
|
}
|
||||||
|
return list;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findMethod1Int(IEnumerable<MethodDefinition> methods) {
|
||||||
|
foreach (var method in methods) {
|
||||||
|
if (countInstructions(method, Code.Ldarg_0) != 1)
|
||||||
|
continue;
|
||||||
|
var constants = getConstants(method);
|
||||||
|
if (constants.Count != 1)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
m1_i1 = constants[0];
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findMethod2Int(IEnumerable<MethodDefinition> methods) {
|
||||||
|
foreach (var method in methods) {
|
||||||
|
var constants = getConstants(method);
|
||||||
|
if (constants.Count != 2)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
m2_i1 = constants[0];
|
||||||
|
m2_i2 = constants[1];
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findMethod3Int(IEnumerable<MethodDefinition> methods) {
|
||||||
|
foreach (var method in methods) {
|
||||||
|
if (countInstructions(method, Code.Ldarg_0) != 2)
|
||||||
|
continue;
|
||||||
|
var constants = getConstants(method);
|
||||||
|
if (constants.Count != 1)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
m3_i1 = constants[0];
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int countInstructions(MethodDefinition method, Code code) {
|
||||||
|
int count = 0;
|
||||||
|
foreach (var instr in method.Body.Instructions) {
|
||||||
|
if (instr.OpCode.Code == code)
|
||||||
|
count++;
|
||||||
|
}
|
||||||
|
return count;
|
||||||
|
}
|
||||||
|
|
||||||
|
static List<int> getConstants(MethodDefinition method) {
|
||||||
|
var list = new List<int>();
|
||||||
|
|
||||||
|
if (method == null)
|
||||||
|
return list;
|
||||||
|
|
||||||
|
int index = 0;
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
while (true) {
|
||||||
|
int val;
|
||||||
|
if (!getNextInt32(method, ref index, out val))
|
||||||
|
break;
|
||||||
|
|
||||||
|
if (index + 1 < instrs.Count && instrs[index].OpCode.Code != Code.Ret)
|
||||||
|
list.Add(val);
|
||||||
|
}
|
||||||
|
|
||||||
|
return list;
|
||||||
|
}
|
||||||
|
|
||||||
|
MethodDefinition findNestedTypeMethod(int constant) {
|
||||||
|
foreach (var type in int64Method.DeclaringType.NestedTypes) {
|
||||||
|
foreach (var method in type.Methods) {
|
||||||
|
if (!method.IsStatic || method.Body == null)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 1; i++) {
|
||||||
|
var ldci4 = instrs[i];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
|
continue;
|
||||||
|
if (DotNetUtils.getLdcI4Value(ldci4) != constant)
|
||||||
|
continue;
|
||||||
|
if (instrs[i + 1].OpCode.Code != Code.Ret)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return method;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findInt64(MethodDefinition method) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 1; i++) {
|
||||||
|
var ldci8 = instrs[i];
|
||||||
|
if (ldci8.OpCode.Code != Code.Ldc_I8)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (instrs[i + 1].OpCode.Code != Code.Xor)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
l1 = (ulong)(long)ldci8.Operand;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static MethodDefinition findInt64Method(MethodDefinition method) {
|
||||||
|
foreach (var instr in method.Body.Instructions) {
|
||||||
|
if (instr.OpCode.Code != Code.Call)
|
||||||
|
continue;
|
||||||
|
var calledMethod = instr.Operand as MethodDefinition;
|
||||||
|
if (calledMethod == null)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isMethod(calledMethod, "System.Int64", "()"))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return calledMethod;
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
static TypeDefinition findDataDecrypterType(MethodDefinition method) {
|
||||||
|
foreach (var instr in method.Body.Instructions) {
|
||||||
|
if (instr.OpCode.Code != Code.Call)
|
||||||
|
continue;
|
||||||
|
var calledMethod = instr.Operand as MethodDefinition;
|
||||||
|
if (calledMethod == null)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isMethod(calledMethod, "System.Byte[]", "(System.Byte[],System.Byte[])"))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return calledMethod.DeclaringType;
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findShorts(MethodDefinition method) {
|
||||||
|
int index = 0;
|
||||||
|
if (!findShort(method, ref index, ref s1))
|
||||||
|
return false;
|
||||||
|
if (!findShort(method, ref index, ref s2))
|
||||||
|
return false;
|
||||||
|
if (!findShort(method, ref index, ref s3))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findShort(MethodDefinition method, ref int index, ref short s) {
|
||||||
|
if (!findCallReadInt16(method, ref index))
|
||||||
|
return false;
|
||||||
|
index++;
|
||||||
|
return getInt16(method, ref index, ref s);
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findInts(MethodDefinition method) {
|
||||||
|
int index = findIndexFirstIntegerConstant(method);
|
||||||
|
if (index < 0)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (!getNextInt32(method, ref index, out i1))
|
||||||
|
return false;
|
||||||
|
int tmp;
|
||||||
|
if (!getNextInt32(method, ref index, out tmp))
|
||||||
|
return false;
|
||||||
|
if (!getNextInt32(method, ref index, out i2))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findInt3(MethodDefinition method) {
|
||||||
|
if (int64Method == null)
|
||||||
|
return findInt3Old(method);
|
||||||
|
return findInt3New(method);
|
||||||
|
}
|
||||||
|
|
||||||
|
// <= 3.1
|
||||||
|
bool findInt3Old(MethodDefinition method) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 4; i++) {
|
||||||
|
var ldarg0 = instrs[i];
|
||||||
|
if (ldarg0.OpCode.Code != Code.Ldarg_0)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var ldci4 = instrs[i + 1];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
int index = i + 1;
|
||||||
|
int value;
|
||||||
|
if (!getInt32(method, ref index, out value))
|
||||||
|
continue;
|
||||||
|
if (index >= instrs.Count)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (instrs[index].OpCode.Code != Code.Xor)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
i3 = value;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3.2+
|
||||||
|
bool findInt3New(MethodDefinition method) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 4; i++) {
|
||||||
|
var ldarg0 = instrs[i];
|
||||||
|
if (ldarg0.OpCode.Code != Code.Ldarg_0)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var ldci4 = instrs[i + 1];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (instrs[i + 2].OpCode.Code != Code.Xor)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (!DotNetUtils.isLdloc(instrs[i + 3]))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (instrs[i + 4].OpCode.Code != Code.Xor)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
i3 = DotNetUtils.getLdcI4Value(ldci4);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findInt4(MethodDefinition method) {
|
||||||
|
int index = 0;
|
||||||
|
if (!findCallReadInt32(method, ref index))
|
||||||
|
return false;
|
||||||
|
if (!getNextInt32(method, ref index, out i4))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findInt7(MethodDefinition method) {
|
||||||
|
int index = -1;
|
||||||
|
while (true) {
|
||||||
|
index++;
|
||||||
|
if (!findCallReadBytes(method, ref index))
|
||||||
|
return false;
|
||||||
|
if (index <= 0)
|
||||||
|
continue;
|
||||||
|
var ldci4 = method.Body.Instructions[index - 1];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
|
continue;
|
||||||
|
if (DotNetUtils.getLdcI4Value(ldci4) != 4)
|
||||||
|
continue;
|
||||||
|
if (!getNextInt32(method, ref index, out i7))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static int findIndexFirstIntegerConstant(MethodDefinition method) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 2; i++) {
|
||||||
|
var ldci4 = instrs[i];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var stloc = instrs[i + 1];
|
||||||
|
if (!DotNetUtils.isStloc(stloc))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var call = instrs[i + 2];
|
||||||
|
if (call.OpCode.Code != Code.Call)
|
||||||
|
continue;
|
||||||
|
var calledMethod = call.Operand as MethodDefinition;
|
||||||
|
if (calledMethod == null)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isMethod(calledMethod, "System.Int64", "()"))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return i;
|
||||||
|
}
|
||||||
|
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool getNextInt32(MethodDefinition method, ref int index, out int val) {
|
||||||
|
for (; index < method.Body.Instructions.Count; index++) {
|
||||||
|
var instr = method.Body.Instructions[index];
|
||||||
|
if (instr.OpCode.Code != Code.Ldc_I4_S && instr.OpCode.Code != Code.Ldc_I4)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return getInt32(method, ref index, out val);
|
||||||
|
}
|
||||||
|
|
||||||
|
val = 0;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool getInt16(MethodDefinition method, ref int index, ref short s) {
|
||||||
|
int val;
|
||||||
|
if (!getInt32(method, ref index, out val))
|
||||||
|
return false;
|
||||||
|
s = (short)val;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool getInt32(MethodDefinition method, ref int index, out int val) {
|
||||||
|
val = 0;
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
if (index >= instrs.Count)
|
||||||
|
return false;
|
||||||
|
var ldci4 = instrs[index];
|
||||||
|
if (ldci4.OpCode.Code != Code.Ldc_I4_S && ldci4.OpCode.Code != Code.Ldc_I4)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
var stack = new Stack<int>();
|
||||||
|
stack.Push(DotNetUtils.getLdcI4Value(ldci4));
|
||||||
|
|
||||||
|
index++;
|
||||||
|
for (; index < instrs.Count; index++) {
|
||||||
|
int l = stack.Count - 1;
|
||||||
|
|
||||||
|
var instr = instrs[index];
|
||||||
|
switch (instr.OpCode.Code) {
|
||||||
|
case Code.Not:
|
||||||
|
stack.Push(~stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Neg:
|
||||||
|
stack.Push(-stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Ldc_I4:
|
||||||
|
case Code.Ldc_I4_S:
|
||||||
|
case Code.Ldc_I4_0:
|
||||||
|
case Code.Ldc_I4_1:
|
||||||
|
case Code.Ldc_I4_2:
|
||||||
|
case Code.Ldc_I4_3:
|
||||||
|
case Code.Ldc_I4_4:
|
||||||
|
case Code.Ldc_I4_5:
|
||||||
|
case Code.Ldc_I4_6:
|
||||||
|
case Code.Ldc_I4_7:
|
||||||
|
case Code.Ldc_I4_8:
|
||||||
|
case Code.Ldc_I4_M1:
|
||||||
|
stack.Push(DotNetUtils.getLdcI4Value(instr));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Xor:
|
||||||
|
if (stack.Count < 2)
|
||||||
|
goto done;
|
||||||
|
stack.Push(stack.Pop() ^ stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
done:
|
||||||
|
while (stack.Count > 1)
|
||||||
|
stack.Pop();
|
||||||
|
val = stack.Pop();
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool callsGetPublicKeyToken(MethodDefinition method) {
|
||||||
|
int index = 0;
|
||||||
|
return findCall(method, ref index, "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()");
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool findCallReadInt16(MethodDefinition method, ref int index) {
|
||||||
|
return findCall(method, ref index, "System.Int16 System.IO.BinaryReader::ReadInt16()");
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool findCallReadInt32(MethodDefinition method, ref int index) {
|
||||||
|
return findCall(method, ref index, "System.Int32 System.IO.BinaryReader::ReadInt32()");
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool findCallReadBytes(MethodDefinition method, ref int index) {
|
||||||
|
return findCall(method, ref index, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)");
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool findCall(MethodDefinition method, ref int index, string methodFullName) {
|
||||||
|
for (; index < method.Body.Instructions.Count; index++) {
|
||||||
|
if (!findCallvirt(method, ref index))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
var calledMethod = method.Body.Instructions[index].Operand as MethodReference;
|
||||||
|
if (calledMethod == null)
|
||||||
|
continue;
|
||||||
|
if (calledMethod.ToString() != methodFullName)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool findCallvirt(MethodDefinition method, ref int index) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (; index < instrs.Count; index++) {
|
||||||
|
var instr = instrs[index];
|
||||||
|
if (instr.OpCode.Code != Code.Callvirt)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
int binOp1(int a, int b) {
|
||||||
|
return a ^ (b - m1_i1);
|
||||||
|
}
|
||||||
|
|
||||||
|
int binOp2(int a, int b) {
|
||||||
|
return (a - m2_i1) ^ (b + m2_i2);
|
||||||
|
}
|
||||||
|
|
||||||
|
int binOp3(int a, int b) {
|
||||||
|
return a ^ (b - m3_i1) ^ (a - b);
|
||||||
|
}
|
||||||
|
|
||||||
|
int constMethod1() {
|
||||||
|
return binOp3(binOp2(token2, binOp3(token1, token5)), constMethod6());
|
||||||
|
}
|
||||||
|
|
||||||
|
int constMethod2() {
|
||||||
|
return binOp1(token3, token4 ^ binOp2(token2, binOp3(token6, constMethod4())));
|
||||||
|
}
|
||||||
|
|
||||||
|
int constMethod3() {
|
||||||
|
return binOp3(binOp1(constMethod2() ^ 0x1F74F46E, token4), binOp2(token1 ^ token6, i5));
|
||||||
|
}
|
||||||
|
|
||||||
|
int constMethod4() {
|
||||||
|
return binOp3(token4, binOp1(token1, binOp2(token2, binOp3(token3, binOp1(token5, token6)))));
|
||||||
|
}
|
||||||
|
|
||||||
|
int constMethod5() {
|
||||||
|
return binOp2(binOp2(constMethod3(), binOp1(token5, constMethod2())), token6);
|
||||||
|
}
|
||||||
|
|
||||||
|
int constMethod6() {
|
||||||
|
return binOp1(token6, binOp3(binOp2(token5, token1), binOp3(token3 ^ i6, constMethod5())));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -270,10 +270,10 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
|
||||||
findAndRemoveInlinedMethods();
|
findAndRemoveInlinedMethods();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
foreach (var method in stringDecrypter.getMethods())
|
foreach (var method in stringDecrypter.getMethods())
|
||||||
list.Add(method.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(method.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators {
|
||||||
|
|
||||||
// If the obfuscator has encrypted parts of the file, then this method should return the
|
// If the obfuscator has encrypted parts of the file, then this method should return the
|
||||||
// decrypted file. true is returned if args have been initialized, false otherwise.
|
// decrypted file. true is returned if args have been initialized, false otherwise.
|
||||||
bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods);
|
bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods);
|
||||||
|
|
||||||
// This is only called if getDecryptedModule() != null, and after the module has been
|
// This is only called if getDecryptedModule() != null, and after the module has been
|
||||||
// reloaded. Should return a new IDeobfuscator with the same options and the new module.
|
// reloaded. Should return a new IDeobfuscator with the same options and the new module.
|
||||||
|
@ -107,6 +107,6 @@ namespace de4dot.code.deobfuscators {
|
||||||
void deobfuscateEnd();
|
void deobfuscateEnd();
|
||||||
|
|
||||||
// Called to get method token / pattern of string decrypters
|
// Called to get method token / pattern of string decrypters
|
||||||
IEnumerable<string> getStringDecrypterMethods();
|
IEnumerable<int> getStringDecrypterMethods();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -113,12 +113,13 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
||||||
public override void deobfuscateEnd() {
|
public override void deobfuscateEnd() {
|
||||||
if (Operations.DecryptStrings != OpDecryptString.None && stringDecrypter.CanRemoveType)
|
if (Operations.DecryptStrings != OpDecryptString.None && stringDecrypter.CanRemoveType)
|
||||||
addTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
|
addTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
|
||||||
|
fixEnumTypes();
|
||||||
|
|
||||||
base.deobfuscateEnd();
|
base.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -542,10 +542,10 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
foreach (var method in staticStringInliner.Methods)
|
foreach (var method in staticStringInliner.Methods)
|
||||||
list.Add(method.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(method.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -208,10 +208,10 @@ namespace de4dot.code.deobfuscators.Spices_Net {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
foreach (var info in stringDecrypter.DecrypterInfos)
|
foreach (var info in stringDecrypter.DecrypterInfos)
|
||||||
list.Add(info.method.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(info.method.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,6 +17,7 @@
|
||||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
using System.Collections.Generic;
|
||||||
using System.Text.RegularExpressions;
|
using System.Text.RegularExpressions;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Unknown {
|
namespace de4dot.code.deobfuscators.Unknown {
|
||||||
|
@ -110,5 +111,9 @@ namespace de4dot.code.deobfuscators.Unknown {
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
|
return new List<int>();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -109,10 +109,10 @@ namespace de4dot.code.deobfuscators.Xenocode {
|
||||||
base.deobfuscateEnd();
|
base.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
if (stringDecrypter.Method != null)
|
if (stringDecrypter.Method != null)
|
||||||
list.Add(stringDecrypter.Method.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(stringDecrypter.Method.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -141,7 +141,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||||
return decrypterType.LinkedResource != null || nativeLibSaver.Resource != null;
|
return decrypterType.LinkedResource != null || nativeLibSaver.Resource != null;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||||
if (!needsPatching())
|
if (!needsPatching())
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -329,10 +329,10 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||||
findAndRemoveInlinedMethods();
|
findAndRemoveInlinedMethods();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
foreach (var method in decrypterType.StringDecrypters)
|
foreach (var method in decrypterType.StringDecrypters)
|
||||||
list.Add(method.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(method.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -362,7 +362,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||||
fileData = ModuleBytes ?? DeobUtils.readModule(module);
|
fileData = ModuleBytes ?? DeobUtils.readModule(module);
|
||||||
peImage = new PeImage(fileData);
|
peImage = new PeImage(fileData);
|
||||||
|
|
||||||
|
@ -580,12 +580,12 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
findAndRemoveInlinedMethods();
|
findAndRemoveInlinedMethods();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<int>();
|
||||||
foreach (var info in stringDecrypter.DecrypterInfos)
|
foreach (var info in stringDecrypter.DecrypterInfos)
|
||||||
list.Add(info.method.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(info.method.MetadataToken.ToInt32());
|
||||||
if (stringDecrypter.OtherStringDecrypter != null)
|
if (stringDecrypter.OtherStringDecrypter != null)
|
||||||
list.Add(stringDecrypter.OtherStringDecrypter.MetadataToken.ToInt32().ToString("X8"));
|
list.Add(stringDecrypter.OtherStringDecrypter.MetadataToken.ToInt32());
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -123,7 +123,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
|
|
||||||
static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 };
|
static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 };
|
||||||
static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
|
static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
|
||||||
public bool decrypt(PeImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref Dictionary<uint, DumpedMethod> dumpedMethods, Dictionary<uint,byte[]> tokenToNativeCode) {
|
public bool decrypt(PeImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref DumpedMethods dumpedMethods, Dictionary<uint, byte[]> tokenToNativeCode) {
|
||||||
if (encryptedResource.Method == null)
|
if (encryptedResource.Method == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -189,7 +189,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
|
|
||||||
patchDwords(peImage, methodsDataReader, patchCount);
|
patchDwords(peImage, methodsDataReader, patchCount);
|
||||||
int count = methodsDataReader.ReadInt32();
|
int count = methodsDataReader.ReadInt32();
|
||||||
dumpedMethods = new Dictionary<uint, DumpedMethod>();
|
dumpedMethods = new DumpedMethods();
|
||||||
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
||||||
uint rva = methodsDataReader.ReadUInt32();
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
uint index = methodsDataReader.ReadUInt32();
|
uint index = methodsDataReader.ReadUInt32();
|
||||||
|
@ -257,7 +257,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8);
|
dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8);
|
||||||
}
|
}
|
||||||
|
|
||||||
dumpedMethods[dm.token] = dm;
|
dumpedMethods.add(dm);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -183,6 +183,7 @@ namespace de4dot.cui {
|
||||||
}
|
}
|
||||||
allFiles[key] = true;
|
allFiles[key] = true;
|
||||||
|
|
||||||
|
int oldIndentLevel = Log.indentLevel;
|
||||||
try {
|
try {
|
||||||
file.load(options.CreateDeobfuscators());
|
file.load(options.CreateDeobfuscators());
|
||||||
}
|
}
|
||||||
|
@ -199,6 +200,9 @@ namespace de4dot.cui {
|
||||||
Log.w("Could not load file ({0}): {1}", ex.GetType(), file.Filename);
|
Log.w("Could not load file ({0}): {1}", ex.GetType(), file.Filename);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
finally {
|
||||||
|
Log.indentLevel = oldIndentLevel;
|
||||||
|
}
|
||||||
|
|
||||||
var deob = file.Deobfuscator;
|
var deob = file.Deobfuscator;
|
||||||
if (skipUnknownObfuscator && deob.Type == "un") {
|
if (skipUnknownObfuscator && deob.Type == "un") {
|
||||||
|
|
Loading…
Reference in New Issue
Block a user