From e4f2af221aaa302dd5110d5b4562f86e46a25e31 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Wed, 26 Oct 2011 20:23:45 +0200
Subject: [PATCH] Add BooleanDecrypter class
---
 de4dot.code/de4dot.code.csproj | 1 +
 .../dotNET_Reactor/BooleanDecrypter.cs | 80 +++++++++++++++++++
 .../dotNET_Reactor/Deobfuscator.cs | 22 +++-
 3 files changed, 98 insertions(+), 5 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/dotNET_Reactor/BooleanDecrypter.cs
diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 9c415ea5..5e4d4ea9 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -69,6 +69,7 @@
+
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/BooleanDecrypter.cs b/de4dot.code/deobfuscators/dotNET_Reactor/BooleanDecrypter.cs
new file mode 100644
index 00000000..0c68c7d4
--- /dev/null
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/BooleanDecrypter.cs
@@ -0,0 +1,80 @@
+/*
+ Copyright (C) 2011 de4dot@gmail.com
+
+ This file is part of de4dot.
+
+ de4dot is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ de4dot is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with de4dot. If not, see .
+*/
+
+using System;
+using Mono.Cecil;
+using de4dot.blocks;
+
+namespace de4dot.deobfuscators.dotNET_Reactor {
+ class BooleanDecrypter {
+ ModuleDefinition module;
+ EncryptedResource encryptedResource;
+ byte[] fileData;
+ byte[] decryptedData;
+
+ public bool Detected {
+ get { return encryptedResource.ResourceDecrypterMethod != null; }
+ }
+
+ public BooleanDecrypter(ModuleDefinition module) {
+ this.module = module;
+ this.encryptedResource = new EncryptedResource(module);
+ }
+
+ public BooleanDecrypter(ModuleDefinition module, BooleanDecrypter oldOne) {
+ this.module = module;
+ this.encryptedResource = new EncryptedResource(module, oldOne.encryptedResource);
+ }
+
+ public void find() {
+ var additionalTypes = new string[] {
+ "System.Boolean",
+ };
+ foreach (var type in module.Types) {
+ if (type.BaseType == null || type.BaseType.FullName != "System.Object")
+ continue;
+ foreach (var method in type.Methods) {
+ if (!method.IsStatic || !method.HasBody)
+ continue;
+ if (!DotNetUtils.isMethod(method, "System.Boolean", "(System.Int32)"))
+ continue;
+ if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes))
+ continue;
+
+ encryptedResource.ResourceDecrypterMethod = method;
+ break;
+ }
+ }
+ }
+
+ public void init(byte[] fileData, ISimpleDeobfuscator simpleDeobfuscator) {
+ if (encryptedResource.ResourceDecrypterMethod == null)
+ return;
+ this.fileData = fileData;
+
+ encryptedResource.init(simpleDeobfuscator);
+ decryptedData = encryptedResource.decrypt();
+ }
+
+ public bool decrypt(int offset) {
+ uint byteOffset = BitConverter.ToUInt32(decryptedData, offset);
+ return fileData[byteOffset] == 0x80;
+ }
+ }
+}
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs
index 99c2b14f..51d10097 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs
@@ -55,6 +55,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 byte[] fileData;
 MethodsDecrypter methodsDecrypter;
 StringDecrypter stringDecrypter;
+ BooleanDecrypter booleanDecrypter;
 internal class Options : OptionsBase { }
@@ -79,21 +80,29 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 protected override int detectInternal() {
 int val = 0;
- if (methodsDecrypter.Detected)
+ if (methodsDecrypter.Detected || stringDecrypter.Detected || booleanDecrypter.Detected)
 val += 100;
- else if (stringDecrypter.Detected)
- val += 100;
- if (methodsDecrypter.Detected && stringDecrypter.Detected)
- val += 10;
+
+ int sum = convert(methodsDecrypter.Detected) +
+ convert(stringDecrypter.Detected) +
+ convert(booleanDecrypter.Detected);
+ if (sum > 1)
+ val += 10 * (sum - 1);
 return val;
 }
+ static int convert(bool b) {
+ return b ? 1 : 0;
+ }
+
 protected override void scanForObfuscator() {
 methodsDecrypter = new MethodsDecrypter(module);
 methodsDecrypter.find();
 stringDecrypter = new StringDecrypter(module);
 stringDecrypter.find();
+ booleanDecrypter = new BooleanDecrypter(module);
+ booleanDecrypter.find();
 }
 public override byte[] getDecryptedModule() {
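Review bot: decrypt() indexes decryptedData and then fileData with values read straight out of the obfuscated assembly and never checks them, so a truncated or deliberately malformed input surfaces as an IndexOutOfRangeException (or a NullReferenceException when init() returned early because find() matched nothing) from deep inside deobfuscation instead of a clear error naming the bad offset. BitConverter.ToUInt32 already validates `offset` against decryptedData, but the `fileData[byteOffset]` index does not, so check that both arrays are present and that byteOffset is inside fileData before indexing, and fail with a descriptive exception. A smaller point in find(): `break` only leaves the inner method loop, so a later type that also matches silently overwrites ResourceDecrypterMethod; `return;` would keep the first match, which is presumably what was intended. The `0x80` comparison is a format constant from the obfuscator and deserves a one-line comment saying what that byte value means.
```csharp
	public bool decrypt(int offset) {
		if (decryptedData == null || fileData == null)
			throw new InvalidOperationException("BooleanDecrypter.init() did not run or found no decrypter method");
		uint byteOffset = BitConverter.ToUInt32(decryptedData, offset);
		if (byteOffset >= fileData.Length)
			throw new ApplicationException(string.Format("Boolean decrypter offset {0:X8} is outside the file data", byteOffset));
		return fileData[byteOffset] == 0x80;
	}
```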
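Review bot: detectInternal() evaluates the same condition twice: `sum > 0` is exactly `methodsDecrypter.Detected || stringDecrypter.Detected || booleanDecrypter.Detected`, so the first `if` and the later `sum > 1` adjustment can collapse into one rule, `if (sum > 0) val += 100 + 10 * (sum - 1);`, computed once from `sum`. That keeps the scoring in a single place, which matters because the next decrypter added to this class would otherwise have to be wired into both conditions. `convert` is also a vague name for a bool-to-int helper; something like `toInt32` says what it returns.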
@@ -112,9 +121,11 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
 var newOne = new Deobfuscator(options);
 newOne.setModule(module);
+ newOne.fileData = fileData;
 newOne.peImage = new PE.PeImage(fileData);
 newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter);
 newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter);
+ newOne.booleanDecrypter = new BooleanDecrypter(module, booleanDecrypter);
 return newOne;
 }
@@ -122,6 +133,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 base.deobfuscateBegin();
 stringDecrypter.init(peImage, DeobfuscatedFile);
+ booleanDecrypter.init(fileData, DeobfuscatedFile);
 foreach (var info in stringDecrypter.DecrypterInfos) {
 staticStringDecrypter.add(info.method, (method2, args) => {