Support type=dynamic const decryption
This commit is contained in:
parent
5d1aefec16
commit
e225a342ae
|
@ -464,23 +464,88 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
return DeobUtils.inflate(DeobUtils.aesDecrypt(decrypted, key, DeobUtils.md5Sum(key)), true);
|
return DeobUtils.inflate(DeobUtils.aesDecrypt(decrypted, key, DeobUtils.md5Sum(key)), true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int getDynamicStartIndex(IList<Instruction> instrs, int ldlocIndex) {
|
||||||
|
for (int i = ldlocIndex - 1; i >= 0; i--) {
|
||||||
|
if (instrs[i].OpCode.FlowControl != FlowControl.Next)
|
||||||
|
return i + 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int getDynamicEndIndex(int startIndex, VariableDefinition local) {
|
||||||
|
var instrs = installMethod.Body.Instructions;
|
||||||
|
for (int i = startIndex; i < instrs.Count; i++) {
|
||||||
|
var instr = instrs[i];
|
||||||
|
if (DotNetUtils.isStloc(instr) && DotNetUtils.getLocalVar(installMethod.Body.Variables, instr) == local)
|
||||||
|
return i;
|
||||||
|
}
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
VariableDefinition getDynamicLocal(out int instrIndex) {
|
||||||
|
var instrs = installMethod.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count; i++) {
|
||||||
|
i = ConfuserUtils.findCallMethod(instrs, i, Code.Callvirt, "System.Void System.IO.BinaryWriter::Write(System.Byte)");
|
||||||
|
if (i < 0)
|
||||||
|
break;
|
||||||
|
int index = i - 2;
|
||||||
|
if (index < 0)
|
||||||
|
continue;
|
||||||
|
var ldloc = instrs[index];
|
||||||
|
if (!DotNetUtils.isLdloc(ldloc))
|
||||||
|
continue;
|
||||||
|
if (instrs[index + 1].OpCode.Code != Code.Conv_U1)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
instrIndex = index;
|
||||||
|
return DotNetUtils.getLocalVar(installMethod.Body.Variables, ldloc);
|
||||||
|
}
|
||||||
|
instrIndex = 0;
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
byte[] decryptDynamic(byte[] encrypted) {
|
byte[] decryptDynamic(byte[] encrypted) {
|
||||||
throw new NotSupportedException(); //TODO:
|
int ldlocIndex;
|
||||||
|
var local = getDynamicLocal(out ldlocIndex);
|
||||||
|
if (local == null)
|
||||||
|
throw new ApplicationException("Could not find local");
|
||||||
|
|
||||||
|
var instrs = installMethod.Body.Instructions;
|
||||||
|
int startIndex = getDynamicStartIndex(instrs, ldlocIndex);
|
||||||
|
int endIndex = getDynamicEndIndex(startIndex, local);
|
||||||
|
if (endIndex < 0)
|
||||||
|
throw new ApplicationException("Could not find endIndex");
|
||||||
|
|
||||||
|
var constReader = new ConstantsReader(installMethod);
|
||||||
|
|
||||||
|
return decrypt(encrypted, magic => {
|
||||||
|
constReader.setConstant32(local, magic);
|
||||||
|
int index = startIndex, result;
|
||||||
|
if (!constReader.getNextInt32(ref index, out result))
|
||||||
|
throw new ApplicationException("Could not get constant");
|
||||||
|
if (index != endIndex)
|
||||||
|
throw new ApplicationException("Wrong constant");
|
||||||
|
return (byte)result;
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
byte[] decryptNative(byte[] encrypted) {
|
byte[] decryptNative(byte[] encrypted) {
|
||||||
|
var x86Emu = new x86Emulator(new PeImage(fileData));
|
||||||
|
return decrypt(encrypted, magic => (byte)x86Emu.emulate((uint)nativeMethod.RVA, magic));
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] decrypt(byte[] encrypted, Func<uint, byte> decryptFunc) {
|
||||||
var key = getSigKey();
|
var key = getSigKey();
|
||||||
|
|
||||||
var decrypted = DeobUtils.aesDecrypt(encrypted, key, DeobUtils.md5Sum(key));
|
var decrypted = DeobUtils.aesDecrypt(encrypted, key, DeobUtils.md5Sum(key));
|
||||||
decrypted = DeobUtils.inflate(decrypted, true);
|
decrypted = DeobUtils.inflate(decrypted, true);
|
||||||
|
|
||||||
var x86Emu = new x86Emulator(new PeImage(fileData));
|
|
||||||
var reader = new BinaryReader(new MemoryStream(decrypted));
|
var reader = new BinaryReader(new MemoryStream(decrypted));
|
||||||
var result = new MemoryStream();
|
var result = new MemoryStream();
|
||||||
var writer = new BinaryWriter(result);
|
var writer = new BinaryWriter(result);
|
||||||
while (reader.BaseStream.Position < reader.BaseStream.Length) {
|
while (reader.BaseStream.Position < reader.BaseStream.Length) {
|
||||||
uint magic = Utils.readEncodedUInt32(reader);
|
uint magic = Utils.readEncodedUInt32(reader);
|
||||||
writer.Write((byte)x86Emu.emulate((uint)nativeMethod.RVA, magic));
|
writer.Write(decryptFunc(magic));
|
||||||
}
|
}
|
||||||
|
|
||||||
return result.ToArray();
|
return result.ToArray();
|
||||||
|
|
Loading…
Reference in New Issue
Block a user