Make the embedded (original) start up assembly the new decrypted assembly
This commit is contained in:
parent
4374a08020
commit
e54b026ae7
|
@ -233,5 +233,17 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
|||
var keyGenerator = new PasswordDeriveBytes(resourcePassword, Encoding.ASCII.GetBytes(resourceSalt));
|
||||
return DeobUtils.inflate(DeobUtils.aesDecrypt(encrypted, keyGenerator.GetBytes(32), keyGenerator.GetBytes(16)), false);
|
||||
}
|
||||
|
||||
public AssemblyInfo findMain(string asmFullName) {
|
||||
foreach (var asmInfo in assemblyInfos) {
|
||||
if (asmInfo.isEntryPointAssembly && asmInfo.assemblyFullName == asmFullName)
|
||||
return asmInfo;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
public void remove(AssemblyInfo asmInfo) {
|
||||
assemblyInfos.Remove(asmInfo);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -62,6 +62,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
|||
Options options;
|
||||
MethodsDecrypter methodsDecrypter;
|
||||
StringDecrypter stringDecrypter;
|
||||
AssemblyDecrypter assemblyDecrypter;
|
||||
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
|
||||
|
||||
internal class Options : OptionsBase {
|
||||
|
@ -126,9 +127,35 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
|||
return null;
|
||||
}
|
||||
|
||||
[Flags]
|
||||
enum DecryptState {
|
||||
CanDecryptMethods = 1,
|
||||
CanGetMainAssembly = 2,
|
||||
}
|
||||
DecryptState decryptState = DecryptState.CanDecryptMethods | DecryptState.CanGetMainAssembly;
|
||||
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||
if (count != 0)
|
||||
if ((decryptState & DecryptState.CanDecryptMethods) != 0) {
|
||||
if (decryptModule(ref newFileData, ref dumpedMethods)) {
|
||||
ModuleBytes = newFileData;
|
||||
decryptState &= ~DecryptState.CanDecryptMethods;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
if ((decryptState & DecryptState.CanGetMainAssembly) != 0) {
|
||||
newFileData = getMainAssemblyBytes();
|
||||
if (newFileData != null) {
|
||||
ModuleBytes = newFileData;
|
||||
decryptState &= ~DecryptState.CanGetMainAssembly;
|
||||
decryptState |= DecryptState.CanDecryptMethods;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
bool decryptModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||
if (!methodsDecrypter.Detected)
|
||||
return false;
|
||||
|
||||
|
@ -142,11 +169,36 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
|||
return true;
|
||||
}
|
||||
|
||||
byte[] getMainAssemblyBytes() {
|
||||
try {
|
||||
initializeStringDecrypter();
|
||||
initializeAssemblyDecrypter();
|
||||
}
|
||||
catch {
|
||||
return null;
|
||||
}
|
||||
|
||||
var asm = module.Assembly;
|
||||
if (asm == null || assemblyDecrypter == null)
|
||||
return null;
|
||||
var asmInfo = assemblyDecrypter.findMain(asm.FullName);
|
||||
if (asmInfo == null)
|
||||
return null;
|
||||
|
||||
assemblyDecrypter.remove(asmInfo);
|
||||
return asmInfo.data;
|
||||
}
|
||||
|
||||
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
||||
var newOne = new Deobfuscator(options);
|
||||
newOne.setModule(module);
|
||||
newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter);
|
||||
newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter);
|
||||
newOne.methodsDecrypter = new MethodsDecrypter(module);
|
||||
newOne.methodsDecrypter.find();
|
||||
newOne.stringDecrypter = new StringDecrypter(module);
|
||||
newOne.stringDecrypter.find();
|
||||
newOne.assemblyDecrypter = assemblyDecrypter;
|
||||
newOne.ModuleBytes = ModuleBytes;
|
||||
newOne.decryptState = decryptState;
|
||||
return newOne;
|
||||
}
|
||||
|
||||
|
@ -154,20 +206,33 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
|||
base.deobfuscateBegin();
|
||||
addAssemblyReferenceToBeRemoved(methodsDecrypter.AssemblyNameReference, "Obfuscator decrypter DLL reference");
|
||||
|
||||
initializeStringDecrypter();
|
||||
initializeAssemblyDecrypter();
|
||||
dumpEmbeddedAssemblies();
|
||||
}
|
||||
|
||||
bool hasInitializedStringDecrypter = false;
|
||||
void initializeStringDecrypter() {
|
||||
if (hasInitializedStringDecrypter)
|
||||
return;
|
||||
stringDecrypter.initialize(DeobfuscatedFile);
|
||||
foreach (var info in stringDecrypter.Infos)
|
||||
staticStringInliner.add(info.Method, (method, args) => stringDecrypter.decrypt(method, (int)args[0], (int)args[1], (int)args[2]));
|
||||
DeobfuscatedFile.stringDecryptersAdded();
|
||||
hasInitializedStringDecrypter = true;
|
||||
}
|
||||
|
||||
dumpEmbeddedAssemblies();
|
||||
void initializeAssemblyDecrypter() {
|
||||
if (!options.DumpEmbeddedAssemblies || assemblyDecrypter != null)
|
||||
return;
|
||||
assemblyDecrypter = new AssemblyDecrypter(module, DeobfuscatedFile, this);
|
||||
assemblyDecrypter.find();
|
||||
}
|
||||
|
||||
void dumpEmbeddedAssemblies() {
|
||||
if (!options.DumpEmbeddedAssemblies)
|
||||
if (assemblyDecrypter == null)
|
||||
return;
|
||||
var asmDecrypter = new AssemblyDecrypter(module, DeobfuscatedFile, this);
|
||||
asmDecrypter.find();
|
||||
foreach (var info in asmDecrypter.AssemblyInfos) {
|
||||
foreach (var info in assemblyDecrypter.AssemblyInfos) {
|
||||
var asmName = info.assemblySimpleName;
|
||||
if (info.isEntryPointAssembly)
|
||||
asmName += "_real";
|
||||
|
|
|
@ -44,15 +44,6 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
|||
this.module = module;
|
||||
}
|
||||
|
||||
public MethodsDecrypter(ModuleDefinition module, MethodsDecrypter oldOne) {
|
||||
this.module = module;
|
||||
initMethod = lookup(oldOne.initMethod, "Could not find initMethod");
|
||||
}
|
||||
|
||||
T lookup<T>(T def, string errorMessage) where T : MemberReference {
|
||||
return DeobUtils.lookup(module, def, errorMessage);
|
||||
}
|
||||
|
||||
public void find() {
|
||||
foreach (var cctor in DeobUtils.getInitCctors(module, 3)) {
|
||||
if (checkCctor(cctor))
|
||||
|
|
|
@ -122,18 +122,6 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
|||
this.module = module;
|
||||
}
|
||||
|
||||
public StringDecrypter(ModuleDefinition module, StringDecrypter oldOne) {
|
||||
this.module = module;
|
||||
foreach (var oldInfo in oldOne.stringEncrypterInfos.getValues()) {
|
||||
var method = lookup(oldInfo.Method, "Could not find string decrypter method");
|
||||
stringEncrypterInfos.add(method, new StringEncrypterInfo(method));
|
||||
}
|
||||
}
|
||||
|
||||
T lookup<T>(T def, string errorMessage) where T : MemberReference {
|
||||
return DeobUtils.lookup(module, def, errorMessage);
|
||||
}
|
||||
|
||||
public void find() {
|
||||
foreach (var type in module.Types) {
|
||||
MethodDefinition decrypterMethod;
|
||||
|
|
Loading…
Reference in New Issue
Block a user