Port MaxtoCode deobfuscator
This commit is contained in:
de4dot
parent
2e61a8a757
commit
db223d089b
|
|
@ -208,16 +208,16 @@
|
|||
<Compile Include="deobfuscators\InitializedDataCreator.cs" />
|
||||
<Compile Include="deobfuscators\InlinedMethodsFinder.cs" />
|
||||
<Compile Include="deobfuscators\ISimpleDeobfuscator.cs" />
|
||||
<None Include="deobfuscators\MaxtoCode\CryptDecrypter.cs" />
|
||||
<None Include="deobfuscators\MaxtoCode\Decrypter6.cs" />
|
||||
<None Include="deobfuscators\MaxtoCode\DecrypterInfo.cs" />
|
||||
<None Include="deobfuscators\MaxtoCode\Deobfuscator.cs" />
|
||||
<None Include="deobfuscators\MaxtoCode\EncryptionInfos.cs" />
|
||||
<None Include="deobfuscators\MaxtoCode\MainType.cs" />
|
||||
<None Include="deobfuscators\MaxtoCode\McKey.cs" />
|
||||
<None Include="deobfuscators\MaxtoCode\MethodsDecrypter.cs" />
|
||||
<None Include="deobfuscators\MaxtoCode\PeHeader.cs" />
|
||||
<None Include="deobfuscators\MaxtoCode\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\CryptDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\Decrypter6.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\DecrypterInfo.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\EncryptionInfos.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\MainType.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\McKey.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\MethodsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\PeHeader.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\MemberReferenceBuilder.cs" />
|
||||
<Compile Include="deobfuscators\MethodBodyParser.cs" />
|
||||
<Compile Include="deobfuscators\MethodCallRestorerBase.cs" />
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ using de4dot.PE;
|
|||
|
||||
namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||
class DecrypterInfo {
|
||||
public readonly MainType mainType;
|
||||
public MainType mainType;
|
||||
public readonly PeImage peImage;
|
||||
public readonly PeHeader peHeader;
|
||||
public readonly McKey mcKey;
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ using System;
|
|||
using System.Collections.Generic;
|
||||
using System.Text;
|
||||
using dot10.DotNet;
|
||||
using Mono.MyStuff;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||
|
|
@ -115,11 +115,12 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
return true;
|
||||
}
|
||||
|
||||
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
||||
public override IDeobfuscator moduleReloaded(ModuleDefMD module) {
|
||||
var newOne = new Deobfuscator(options);
|
||||
newOne.setModule(module);
|
||||
newOne.mainType = new MainType(module, mainType);
|
||||
newOne.decrypterInfo = decrypterInfo;
|
||||
newOne.decrypterInfo.mainType = newOne.mainType;
|
||||
return newOne;
|
||||
}
|
||||
|
||||
|
|
@ -137,7 +138,6 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
foreach (var method in mainType.InitMethods)
|
||||
addCctorInitCallToBeRemoved(method);
|
||||
addTypeToBeRemoved(mainType.Type, "Obfuscator type");
|
||||
addModuleReferencesToBeRemoved(mainType.ModuleReferences, "MC runtime module reference");
|
||||
removeDuplicateEmbeddedResources();
|
||||
}
|
||||
|
||||
|
|
@ -159,18 +159,22 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
}
|
||||
|
||||
public override int GetHashCode() {
|
||||
return resource._GetHashCode();
|
||||
int hash = 0;
|
||||
hash ^= (int)resource.Data.Position;
|
||||
hash ^= (int)resource.Data.Length;
|
||||
return hash;
|
||||
}
|
||||
|
||||
public override bool Equals(object obj) {
|
||||
var other = obj as ResourceKey;
|
||||
if (other == null)
|
||||
return false;
|
||||
return resource._Equals(other.resource);
|
||||
return resource.Data.FileOffset == other.resource.Data.FileOffset &&
|
||||
resource.Data.Length == other.resource.Data.Length;
|
||||
}
|
||||
|
||||
public override string ToString() {
|
||||
return resource.Name;
|
||||
return resource.Name.String;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -180,7 +184,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
var rsrc = tmp as EmbeddedResource;
|
||||
if (rsrc == null)
|
||||
continue;
|
||||
if (rsrc.Offset == null)
|
||||
if (rsrc.Data.FileOffset == 0)
|
||||
continue;
|
||||
List<EmbeddedResource> list;
|
||||
var key = new ResourceKey(rsrc);
|
||||
|
|
@ -195,7 +199,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
|
||||
EmbeddedResource resourceToKeep = null;
|
||||
foreach (var rsrc in list) {
|
||||
if (string.IsNullOrEmpty(rsrc.Name))
|
||||
if (UTF8String.IsNullOrEmpty(rsrc.Name))
|
||||
continue;
|
||||
|
||||
resourceToKeep = rsrc;
|
||||
|
|
|
|||
|
|
@ -24,9 +24,8 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||
class MainType {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef mcType;
|
||||
ModuleReference mcModule1, mcModule2;
|
||||
bool isOld;
|
||||
|
||||
public bool IsOld {
|
||||
|
|
@ -37,17 +36,6 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
get { return mcType; }
|
||||
}
|
||||
|
||||
public IEnumerable<ModuleReference> ModuleReferences {
|
||||
get {
|
||||
var list = new List<ModuleReference>();
|
||||
if (mcModule1 != null)
|
||||
list.Add(mcModule1);
|
||||
if (mcModule2 != null)
|
||||
list.Add(mcModule2);
|
||||
return list;
|
||||
}
|
||||
}
|
||||
|
||||
public IEnumerable<MethodDef> InitMethods {
|
||||
get {
|
||||
var list = new List<MethodDef>();
|
||||
|
|
@ -65,15 +53,13 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
get { return mcType != null; }
|
||||
}
|
||||
|
||||
public MainType(ModuleDefinition module) {
|
||||
public MainType(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public MainType(ModuleDefinition module, MainType oldOne) {
|
||||
public MainType(ModuleDefMD module, MainType oldOne) {
|
||||
this.module = module;
|
||||
this.mcType = lookup(oldOne.mcType, "Could not find main type");
|
||||
this.mcModule1 = DeobUtils.lookup(module, oldOne.mcModule1, "Could not find MC runtime module ref #1");
|
||||
this.mcModule2 = DeobUtils.lookup(module, oldOne.mcModule2, "Could not find MC runtime module ref #2");
|
||||
}
|
||||
|
||||
T lookup<T>(T def, string errorMessage) where T : class, ICodedToken {
|
||||
|
|
@ -94,14 +80,12 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||
continue;
|
||||
|
||||
ModuleReference module1, module2;
|
||||
ModuleRef module1, module2;
|
||||
bool isOldTmp;
|
||||
if (!checkType(method.DeclaringType, out module1, out module2, out isOldTmp))
|
||||
continue;
|
||||
|
||||
mcType = method.DeclaringType;
|
||||
mcModule1 = module1;
|
||||
mcModule2 = module2;
|
||||
isOld = isOldTmp;
|
||||
return true;
|
||||
}
|
||||
|
|
@ -109,11 +93,11 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
return false;
|
||||
}
|
||||
|
||||
static bool checkType(TypeDef type, out ModuleReference module1, out ModuleReference module2, out bool isOld) {
|
||||
static bool checkType(TypeDef type, out ModuleRef module1, out ModuleRef module2, out bool isOld) {
|
||||
module1 = module2 = null;
|
||||
isOld = false;
|
||||
|
||||
if (DotNetUtils.getMethod(type, "Startup") == null)
|
||||
if (type.FindMethod("Startup") == null)
|
||||
return false;
|
||||
|
||||
var pinvokes = getPinvokes(type);
|
||||
|
|
@ -126,20 +110,20 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
// Newer versions (3.4+ ???) also have GetModuleBase()
|
||||
isOld = getPinvokeList(pinvokes, "GetModuleBase") == null;
|
||||
|
||||
module1 = pinvokeList[0].PInvokeInfo.Module;
|
||||
module2 = pinvokeList[1].PInvokeInfo.Module;
|
||||
module1 = pinvokeList[0].ImplMap.Module;
|
||||
module2 = pinvokeList[1].ImplMap.Module;
|
||||
return true;
|
||||
}
|
||||
|
||||
static Dictionary<string, List<MethodDef>> getPinvokes(TypeDef type) {
|
||||
var pinvokes = new Dictionary<string, List<MethodDef>>(StringComparer.Ordinal);
|
||||
foreach (var method in type.Methods) {
|
||||
var info = method.PInvokeInfo;
|
||||
if (info == null || info.EntryPoint == null)
|
||||
var info = method.ImplMap;
|
||||
if (info == null || UTF8String.IsNullOrEmpty(info.Name))
|
||||
continue;
|
||||
List<MethodDef> list;
|
||||
if (!pinvokes.TryGetValue(info.EntryPoint, out list))
|
||||
pinvokes[info.EntryPoint] = list = new List<MethodDef>();
|
||||
if (!pinvokes.TryGetValue(info.Name.String, out list))
|
||||
pinvokes[info.Name.String] = list = new List<MethodDef>();
|
||||
list.Add(method);
|
||||
}
|
||||
return pinvokes;
|
||||
|
|
|
|||
|
|
@ -21,8 +21,8 @@ using System;
|
|||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Text;
|
||||
using Mono.MyStuff;
|
||||
using de4dot.PE;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||
// Decrypts methods, resources and strings (#US heap)
|
||||
|
|
|
|||
|
|
@ -52,8 +52,8 @@ namespace de4dot.cui {
|
|||
new de4dot.code.deobfuscators.Goliath_NET.DeobfuscatorInfo(),
|
||||
#if PORT
|
||||
new de4dot.code.deobfuscators.ILProtector.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
||||
#endif
|
||||
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user