Port MaxtoCode deobfuscator
parent
2e61a8a757
commit
db223d089b
|
@ -208,16 +208,16 @@
|
||||||
<Compile Include="deobfuscators\InitializedDataCreator.cs" />
|
<Compile Include="deobfuscators\InitializedDataCreator.cs" />
|
||||||
<Compile Include="deobfuscators\InlinedMethodsFinder.cs" />
|
<Compile Include="deobfuscators\InlinedMethodsFinder.cs" />
|
||||||
<Compile Include="deobfuscators\ISimpleDeobfuscator.cs" />
|
<Compile Include="deobfuscators\ISimpleDeobfuscator.cs" />
|
||||||
<None Include="deobfuscators\MaxtoCode\CryptDecrypter.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\CryptDecrypter.cs" />
|
||||||
<None Include="deobfuscators\MaxtoCode\Decrypter6.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\Decrypter6.cs" />
|
||||||
<None Include="deobfuscators\MaxtoCode\DecrypterInfo.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\DecrypterInfo.cs" />
|
||||||
<None Include="deobfuscators\MaxtoCode\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\Deobfuscator.cs" />
|
||||||
<None Include="deobfuscators\MaxtoCode\EncryptionInfos.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\EncryptionInfos.cs" />
|
||||||
<None Include="deobfuscators\MaxtoCode\MainType.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\MainType.cs" />
|
||||||
<None Include="deobfuscators\MaxtoCode\McKey.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\McKey.cs" />
|
||||||
<None Include="deobfuscators\MaxtoCode\MethodsDecrypter.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\MethodsDecrypter.cs" />
|
||||||
<None Include="deobfuscators\MaxtoCode\PeHeader.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\PeHeader.cs" />
|
||||||
<None Include="deobfuscators\MaxtoCode\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\MaxtoCode\StringDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\MemberReferenceBuilder.cs" />
|
<Compile Include="deobfuscators\MemberReferenceBuilder.cs" />
|
||||||
<Compile Include="deobfuscators\MethodBodyParser.cs" />
|
<Compile Include="deobfuscators\MethodBodyParser.cs" />
|
||||||
<Compile Include="deobfuscators\MethodCallRestorerBase.cs" />
|
<Compile Include="deobfuscators\MethodCallRestorerBase.cs" />
|
||||||
|
|
|
@ -21,7 +21,7 @@ using de4dot.PE;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.MaxtoCode {
|
namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
class DecrypterInfo {
|
class DecrypterInfo {
|
||||||
public readonly MainType mainType;
|
public MainType mainType;
|
||||||
public readonly PeImage peImage;
|
public readonly PeImage peImage;
|
||||||
public readonly PeHeader peHeader;
|
public readonly PeHeader peHeader;
|
||||||
public readonly McKey mcKey;
|
public readonly McKey mcKey;
|
||||||
|
|
|
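Review bot: Dropping `readonly` from `mainType` leaves one publicly writable field in a class whose other visible fields (`peImage`, `peHeader`, `mcKey`) stay readonly, and nothing at the declaration says why. The only writer visible in this commit is `Deobfuscator.moduleReloaded`, which assigns the field on a `DecrypterInfo` instance that it also hands to the new deobfuscator, so the old and new deobfuscator appear to share the object and both see the rebinding. I would add a comment at the field such as `// Rebound by Deobfuscator.moduleReloaded() after a module reload; the instance is shared, so every holder sees the new MainType`. The class body continues outside the hunk, so other writers, if any, are not visible here.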
@ -21,7 +21,7 @@ using System;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
using System.Text;
|
using System.Text;
|
||||||
using dot10.DotNet;
|
using dot10.DotNet;
|
||||||
using Mono.MyStuff;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.MaxtoCode {
|
namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||||
|
@ -115,11 +115,12 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
public override IDeobfuscator moduleReloaded(ModuleDefMD module) {
|
||||||
var newOne = new Deobfuscator(options);
|
var newOne = new Deobfuscator(options);
|
||||||
newOne.setModule(module);
|
newOne.setModule(module);
|
||||||
newOne.mainType = new MainType(module, mainType);
|
newOne.mainType = new MainType(module, mainType);
|
||||||
newOne.decrypterInfo = decrypterInfo;
|
newOne.decrypterInfo = decrypterInfo;
|
||||||
|
newOne.decrypterInfo.mainType = newOne.mainType;
|
||||||
return newOne;
|
return newOne;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -137,7 +138,6 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
foreach (var method in mainType.InitMethods)
|
foreach (var method in mainType.InitMethods)
|
||||||
addCctorInitCallToBeRemoved(method);
|
addCctorInitCallToBeRemoved(method);
|
||||||
addTypeToBeRemoved(mainType.Type, "Obfuscator type");
|
addTypeToBeRemoved(mainType.Type, "Obfuscator type");
|
||||||
addModuleReferencesToBeRemoved(mainType.ModuleReferences, "MC runtime module reference");
|
|
||||||
removeDuplicateEmbeddedResources();
|
removeDuplicateEmbeddedResources();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -159,18 +159,22 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
}
|
}
|
||||||
|
|
||||||
public override int GetHashCode() {
|
public override int GetHashCode() {
|
||||||
return resource._GetHashCode();
|
int hash = 0;
|
||||||
|
hash ^= (int)resource.Data.Position;
|
||||||
|
hash ^= (int)resource.Data.Length;
|
||||||
|
return hash;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool Equals(object obj) {
|
public override bool Equals(object obj) {
|
||||||
var other = obj as ResourceKey;
|
var other = obj as ResourceKey;
|
||||||
if (other == null)
|
if (other == null)
|
||||||
return false;
|
return false;
|
||||||
return resource._Equals(other.resource);
|
return resource.Data.FileOffset == other.resource.Data.FileOffset &&
|
||||||
|
resource.Data.Length == other.resource.Data.Length;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string ToString() {
|
public override string ToString() {
|
||||||
return resource.Name;
|
return resource.Name.String;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -180,7 +184,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
var rsrc = tmp as EmbeddedResource;
|
var rsrc = tmp as EmbeddedResource;
|
||||||
if (rsrc == null)
|
if (rsrc == null)
|
||||||
continue;
|
continue;
|
||||||
if (rsrc.Offset == null)
|
if (rsrc.Data.FileOffset == 0)
|
||||||
continue;
|
continue;
|
||||||
List<EmbeddedResource> list;
|
List<EmbeddedResource> list;
|
||||||
var key = new ResourceKey(rsrc);
|
var key = new ResourceKey(rsrc);
|
||||||
|
@ -195,7 +199,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
|
|
||||||
EmbeddedResource resourceToKeep = null;
|
EmbeddedResource resourceToKeep = null;
|
||||||
foreach (var rsrc in list) {
|
foreach (var rsrc in list) {
|
||||||
if (string.IsNullOrEmpty(rsrc.Name))
|
if (UTF8String.IsNullOrEmpty(rsrc.Name))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
resourceToKeep = rsrc;
|
resourceToKeep = rsrc;
|
||||||
|
|
|
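Review bot: In `ResourceKey`, the new `GetHashCode` mixes `resource.Data.Position` and `Length`, while the new `Equals` compares `resource.Data.FileOffset` and `Length`, so the two methods no longer key on the same fields. If `Position` is the stream's current read position, as the name suggests, two keys that compare equal can hash differently, and a key's hash can change once the resource data has been read; the lookup that groups duplicate embedded resources by `ResourceKey` would then miss entries. Hashing the field that `Equals` uses keeps the contract: `hash ^= (int)resource.Data.FileOffset;` in place of the `Position` line (assuming `FileOffset` converts to `int`). The class starts outside the hunk.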
@ -24,9 +24,8 @@ using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.MaxtoCode {
|
namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
class MainType {
|
class MainType {
|
||||||
ModuleDefinition module;
|
ModuleDefMD module;
|
||||||
TypeDef mcType;
|
TypeDef mcType;
|
||||||
ModuleReference mcModule1, mcModule2;
|
|
||||||
bool isOld;
|
bool isOld;
|
||||||
|
|
||||||
public bool IsOld {
|
public bool IsOld {
|
||||||
|
@ -37,17 +36,6 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
get { return mcType; }
|
get { return mcType; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public IEnumerable<ModuleReference> ModuleReferences {
|
|
||||||
get {
|
|
||||||
var list = new List<ModuleReference>();
|
|
||||||
if (mcModule1 != null)
|
|
||||||
list.Add(mcModule1);
|
|
||||||
if (mcModule2 != null)
|
|
||||||
list.Add(mcModule2);
|
|
||||||
return list;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public IEnumerable<MethodDef> InitMethods {
|
public IEnumerable<MethodDef> InitMethods {
|
||||||
get {
|
get {
|
||||||
var list = new List<MethodDef>();
|
var list = new List<MethodDef>();
|
||||||
|
@ -65,15 +53,13 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
get { return mcType != null; }
|
get { return mcType != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public MainType(ModuleDefinition module) {
|
public MainType(ModuleDefMD module) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
}
|
}
|
||||||
|
|
||||||
public MainType(ModuleDefinition module, MainType oldOne) {
|
public MainType(ModuleDefMD module, MainType oldOne) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
this.mcType = lookup(oldOne.mcType, "Could not find main type");
|
this.mcType = lookup(oldOne.mcType, "Could not find main type");
|
||||||
this.mcModule1 = DeobUtils.lookup(module, oldOne.mcModule1, "Could not find MC runtime module ref #1");
|
|
||||||
this.mcModule2 = DeobUtils.lookup(module, oldOne.mcModule2, "Could not find MC runtime module ref #2");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
T lookup<T>(T def, string errorMessage) where T : class, ICodedToken {
|
T lookup<T>(T def, string errorMessage) where T : class, ICodedToken {
|
||||||
|
@ -94,14 +80,12 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
|
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
ModuleReference module1, module2;
|
ModuleRef module1, module2;
|
||||||
bool isOldTmp;
|
bool isOldTmp;
|
||||||
if (!checkType(method.DeclaringType, out module1, out module2, out isOldTmp))
|
if (!checkType(method.DeclaringType, out module1, out module2, out isOldTmp))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
mcType = method.DeclaringType;
|
mcType = method.DeclaringType;
|
||||||
mcModule1 = module1;
|
|
||||||
mcModule2 = module2;
|
|
||||||
isOld = isOldTmp;
|
isOld = isOldTmp;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -109,11 +93,11 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool checkType(TypeDef type, out ModuleReference module1, out ModuleReference module2, out bool isOld) {
|
static bool checkType(TypeDef type, out ModuleRef module1, out ModuleRef module2, out bool isOld) {
|
||||||
module1 = module2 = null;
|
module1 = module2 = null;
|
||||||
isOld = false;
|
isOld = false;
|
||||||
|
|
||||||
if (DotNetUtils.getMethod(type, "Startup") == null)
|
if (type.FindMethod("Startup") == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
var pinvokes = getPinvokes(type);
|
var pinvokes = getPinvokes(type);
|
||||||
|
@ -126,20 +110,20 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
// Newer versions (3.4+ ???) also have GetModuleBase()
|
// Newer versions (3.4+ ???) also have GetModuleBase()
|
||||||
isOld = getPinvokeList(pinvokes, "GetModuleBase") == null;
|
isOld = getPinvokeList(pinvokes, "GetModuleBase") == null;
|
||||||
|
|
||||||
module1 = pinvokeList[0].PInvokeInfo.Module;
|
module1 = pinvokeList[0].ImplMap.Module;
|
||||||
module2 = pinvokeList[1].PInvokeInfo.Module;
|
module2 = pinvokeList[1].ImplMap.Module;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static Dictionary<string, List<MethodDef>> getPinvokes(TypeDef type) {
|
static Dictionary<string, List<MethodDef>> getPinvokes(TypeDef type) {
|
||||||
var pinvokes = new Dictionary<string, List<MethodDef>>(StringComparer.Ordinal);
|
var pinvokes = new Dictionary<string, List<MethodDef>>(StringComparer.Ordinal);
|
||||||
foreach (var method in type.Methods) {
|
foreach (var method in type.Methods) {
|
||||||
var info = method.PInvokeInfo;
|
var info = method.ImplMap;
|
||||||
if (info == null || info.EntryPoint == null)
|
if (info == null || UTF8String.IsNullOrEmpty(info.Name))
|
||||||
continue;
|
continue;
|
||||||
List<MethodDef> list;
|
List<MethodDef> list;
|
||||||
if (!pinvokes.TryGetValue(info.EntryPoint, out list))
|
if (!pinvokes.TryGetValue(info.Name.String, out list))
|
||||||
pinvokes[info.EntryPoint] = list = new List<MethodDef>();
|
pinvokes[info.Name.String] = list = new List<MethodDef>();
|
||||||
list.Add(method);
|
list.Add(method);
|
||||||
}
|
}
|
||||||
return pinvokes;
|
return pinvokes;
|
||||||
|
|
|
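Review bot: `checkType` still fills `out ModuleRef module1` and `module2` from `pinvokeList[0].ImplMap.Module` and `pinvokeList[1].ImplMap.Module`, but this commit deletes the `mcModule1`/`mcModule2` fields, the `ModuleReferences` property and the assignments in the caller, so both values are now discarded. Together with the removed `addModuleReferencesToBeRemoved(...)` call in the deobfuscator, the cleaned module presumably keeps its references to the MC runtime module. If that is a temporary gap in the port, a comment at the call site would say so, e.g. `// TODO(port): MC runtime module refs are not removed yet; module1/module2 unused`; otherwise drop the two out parameters. The body of `checkType` is split across hunks, so any length check on `pinvokeList` is not visible here.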
@ -21,8 +21,8 @@ using System;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
using System.IO;
|
using System.IO;
|
||||||
using System.Text;
|
using System.Text;
|
||||||
using Mono.MyStuff;
|
|
||||||
using de4dot.PE;
|
using de4dot.PE;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.MaxtoCode {
|
namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
// Decrypts methods, resources and strings (#US heap)
|
// Decrypts methods, resources and strings (#US heap)
|
||||||
|
|
|
@ -52,8 +52,8 @@ namespace de4dot.cui {
|
||||||
new de4dot.code.deobfuscators.Goliath_NET.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Goliath_NET.DeobfuscatorInfo(),
|
||||||
#if PORT
|
#if PORT
|
||||||
new de4dot.code.deobfuscators.ILProtector.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.ILProtector.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
|
||||||
#endif
|
#endif
|
||||||
|
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
|
||||||
|
|