Decrypt strings
This commit is contained in:
parent
dfafc4a94b
commit
e05bfc9c8a
|
@ -74,6 +74,7 @@
|
|||
<Compile Include="deobfuscators\MaxtoCode\EncryptionInfos.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\McKey.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\PeHeader.cs" />
|
||||
<Compile Include="deobfuscators\MaxtoCode\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\MethodBodyReaderBase.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\MethodsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\ProxyDelegateFinder.cs" />
|
||||
|
|
|
@ -17,7 +17,9 @@
|
|||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Text;
|
||||
using Mono.Cecil;
|
||||
using Mono.MyStuff;
|
||||
|
||||
|
@ -26,8 +28,11 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
public const string THE_NAME = "MaxtoCode";
|
||||
public const string THE_TYPE = "mc";
|
||||
const string DEFAULT_REGEX = @"!^[oO01l]+$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
||||
IntOption stringCodePage;
|
||||
|
||||
public DeobfuscatorInfo()
|
||||
: base(DEFAULT_REGEX) {
|
||||
stringCodePage = new IntOption(null, makeArgName("cp"), "String code page", 936);
|
||||
}
|
||||
|
||||
public override string Name {
|
||||
|
@ -42,16 +47,25 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
return new Deobfuscator(new Deobfuscator.Options {
|
||||
RenameResourcesInCode = false,
|
||||
ValidNameRegex = validNameRegex.get(),
|
||||
StringCodePage = stringCodePage.get(),
|
||||
});
|
||||
}
|
||||
|
||||
protected override IEnumerable<Option> getOptionsInternal() {
|
||||
return new List<Option>() {
|
||||
stringCodePage,
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
class Deobfuscator : DeobfuscatorBase {
|
||||
Options options;
|
||||
MainType mainType;
|
||||
DecrypterInfo decrypterInfo;
|
||||
StringDecrypter stringDecrypter;
|
||||
|
||||
internal class Options : OptionsBase {
|
||||
public int StringCodePage { get; set; }
|
||||
}
|
||||
|
||||
public override string Type {
|
||||
|
@ -69,6 +83,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
internal Deobfuscator(Options options)
|
||||
: base(options) {
|
||||
this.options = options;
|
||||
StringFeatures = StringFeatures.AllowStaticDecryption | StringFeatures.AllowDynamicDecryption;
|
||||
}
|
||||
|
||||
protected override int detectInternal() {
|
||||
|
@ -111,14 +126,34 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
public override void deobfuscateBegin() {
|
||||
base.deobfuscateBegin();
|
||||
|
||||
stringDecrypter = new StringDecrypter(decrypterInfo);
|
||||
stringDecrypter.find();
|
||||
if (stringDecrypter.Detected) {
|
||||
stringDecrypter.initialize(getEncoding(options.StringCodePage));
|
||||
staticStringInliner.add(stringDecrypter.Method, (method, args) => stringDecrypter.decrypt((uint)args[0]));
|
||||
DeobfuscatedFile.stringDecryptersAdded();
|
||||
}
|
||||
|
||||
foreach (var method in mainType.InitMethods)
|
||||
addCctorInitCallToBeRemoved(method);
|
||||
addTypeToBeRemoved(mainType.Type, "Obfuscator type");
|
||||
addModuleReferencesToBeRemoved(mainType.ModuleReferences, "MC runtime module reference");
|
||||
}
|
||||
|
||||
static Encoding getEncoding(int cp) {
|
||||
try {
|
||||
return Encoding.GetEncoding(cp);
|
||||
}
|
||||
catch {
|
||||
throw new UserException(string.Format("Code page {0} doesn't exist", cp));
|
||||
}
|
||||
}
|
||||
|
||||
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||
return new List<int>();
|
||||
var list = new List<int>();
|
||||
if (stringDecrypter != null && stringDecrypter.Detected)
|
||||
list.Add(stringDecrypter.Method.MetadataToken.ToInt32());
|
||||
return list;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
128
de4dot.code/deobfuscators/MaxtoCode/StringDecrypter.cs
Normal file
128
de4dot.code/deobfuscators/MaxtoCode/StringDecrypter.cs
Normal file
|
@ -0,0 +1,128 @@
|
|||
/*
|
||||
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Text;
|
||||
using Mono.Cecil;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||
class StringDecrypter {
|
||||
DecrypterInfo decrypterInfo;
|
||||
MethodDefinition decryptMethod;
|
||||
string[] decryptedStrings;
|
||||
Encoding encoding;
|
||||
|
||||
public MethodDefinition Method {
|
||||
get { return decryptMethod; }
|
||||
}
|
||||
|
||||
public bool Detected {
|
||||
get { return decryptMethod != null; }
|
||||
}
|
||||
|
||||
public StringDecrypter(DecrypterInfo decrypterInfo) {
|
||||
this.decrypterInfo = decrypterInfo;
|
||||
}
|
||||
|
||||
public void find() {
|
||||
if (decrypterInfo == null)
|
||||
return;
|
||||
decryptMethod = findDecryptMethod(decrypterInfo.mainType.Type);
|
||||
if (decryptMethod == null)
|
||||
return;
|
||||
}
|
||||
|
||||
static MethodDefinition findDecryptMethod(TypeDefinition type) {
|
||||
if (type == null)
|
||||
return null;
|
||||
foreach (var method in type.Methods) {
|
||||
if (method.Body == null || !method.IsStatic || method.IsPrivate)
|
||||
continue;
|
||||
if (!DotNetUtils.isMethod(method, "System.String", "(System.UInt32)"))
|
||||
continue;
|
||||
if (!DotNetUtils.callsMethod(method, "System.String System.Runtime.InteropServices.Marshal::PtrToStringAnsi(System.IntPtr)"))
|
||||
continue;
|
||||
|
||||
return method;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
public void initialize(Encoding encoding) {
|
||||
this.encoding = encoding;
|
||||
}
|
||||
|
||||
void initializeStrings() {
|
||||
if (decryptedStrings != null)
|
||||
return;
|
||||
var peImage = decrypterInfo.peImage;
|
||||
var peHeader = decrypterInfo.peHeader;
|
||||
var mcKey = decrypterInfo.mcKey;
|
||||
var fileData = decrypterInfo.fileData;
|
||||
|
||||
var stringsRva = peHeader.getRva(0x0AF0, mcKey.readUInt32(0x46));
|
||||
if (stringsRva == 0)
|
||||
return;
|
||||
int stringsOffset = (int)peImage.rvaToOffset(stringsRva);
|
||||
|
||||
int numStrings = peImage.readInt32(stringsRva) ^ (int)mcKey.readUInt32(0);
|
||||
decryptedStrings = new string[numStrings];
|
||||
for (int i = 0, ki = 2, soffs = stringsOffset + 4; i < numStrings; i++) {
|
||||
int stringLen = BitConverter.ToInt32(fileData, soffs) ^ (int)mcKey.readUInt32(ki);
|
||||
ki += 2;
|
||||
if (ki >= 0x1FF0)
|
||||
ki = 0;
|
||||
soffs += 4;
|
||||
var bytes = new byte[stringLen];
|
||||
for (int j = 0; j < stringLen; j++, soffs++) {
|
||||
byte b = (byte)(fileData[soffs] ^ mcKey.readByte(ki));
|
||||
ki = add(ki, 1);
|
||||
bytes[j] = b;
|
||||
}
|
||||
|
||||
decryptedStrings[i] = decode(encoding, bytes);
|
||||
}
|
||||
}
|
||||
|
||||
string decode(Encoding encoding, byte[] bytes) {
|
||||
string s = encoding.GetString(bytes);
|
||||
int len = s.Length;
|
||||
if (len == 0 || s[len - 1] != 0)
|
||||
return s;
|
||||
for (; len > 0; len--) {
|
||||
if (s[len - 1] != 0)
|
||||
break;
|
||||
}
|
||||
if (len <= 0)
|
||||
return string.Empty;
|
||||
return s.Substring(0, len);
|
||||
}
|
||||
|
||||
static int add(int ki, int size) {
|
||||
return (ki + size) % 0x1FF0;
|
||||
}
|
||||
|
||||
public string decrypt(uint id) {
|
||||
initializeStrings();
|
||||
return decryptedStrings[(int)id - 1];
|
||||
}
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user