Remember detected compressor version

de4dot 2012-08-11 01:15:25 +02:00
parent ed919ee528
commit e9125616b9
2 changed files with 25 additions and 19 deletions


@ -162,12 +162,12 @@ namespace de4dot.code.deobfuscators.Confuser {
memoryMethodsDecrypter.find(); memoryMethodsDecrypter.find();
if (memoryMethodsDecrypter.Detected) if (memoryMethodsDecrypter.Detected)
break; break;
initTheRest(); initTheRest(null);
} while (false); } while (false);
initializeObfuscatorName(); initializeObfuscatorName();
} }
void initTheRest() { void initTheRest(Deobfuscator oldOne) {
resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile); resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
resourceDecrypter.find(); resourceDecrypter.find();
@ -201,7 +201,7 @@ namespace de4dot.code.deobfuscators.Confuser {
stringDecrypter = new StringDecrypter(module); stringDecrypter = new StringDecrypter(module);
stringDecrypter.find(DeobfuscatedFile); stringDecrypter.find(DeobfuscatedFile);
initializeStringDecrypter(); initializeStringDecrypter();
unpacker = new Unpacker(module); unpacker = new Unpacker(module, oldOne == null ? null : oldOne.unpacker);
unpacker.find(DeobfuscatedFile, this); unpacker.find(DeobfuscatedFile, this);
initializeObfuscatorName(); initializeObfuscatorName();
} }
@ -344,7 +344,7 @@ namespace de4dot.code.deobfuscators.Confuser {
if (newOne.memoryMethodsDecrypter.Detected) if (newOne.memoryMethodsDecrypter.Detected)
return newOne; return newOne;
} }
newOne.initTheRest(); newOne.initTheRest(this);
return newOne; return newOne;
} }
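Review bot: The new `oldOne` parameter of `initTheRest` is undocumented, and the two call sites (`initTheRest(null)` on first detection, `newOne.initTheRest(this)` after a reload) are only readable once that is known. I would add a comment above the method such as `// oldOne: deobfuscator of the module before it was reloaded, or null on first detection; only its unpacker's detected version is reused`. `oldOne.unpacker` can apparently still be null when the earlier instance broke out on `memoryMethodsDecrypter.Detected` before reaching `initTheRest`. That is safe only because the `Unpacker` constructor checks `other != null`, which is worth stating in the same comment. The body of `initTheRest` is spread over two hunks, with the lines in between not shown.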


@ -93,8 +93,10 @@ namespace de4dot.code.deobfuscators.Confuser {
get { return mainAsmResource != null; } get { return mainAsmResource != null; }
} }
public Unpacker(ModuleDefinition module) { public Unpacker(ModuleDefinition module, Unpacker other) {
this.module = module; this.module = module;
if (other != null)
this.version = other.version;
} }
static string[] requiredFields = new string[] { static string[] requiredFields = new string[] {
@ -115,6 +117,7 @@ namespace de4dot.code.deobfuscators.Confuser {
var type = entryPoint.DeclaringType; var type = entryPoint.DeclaringType;
if (!new FieldTypes(type).all(requiredFields)) if (!new FieldTypes(type).all(requiredFields))
return; return;
bool use7zip = type.NestedTypes.Count == 6; bool use7zip = type.NestedTypes.Count == 6;
MethodDefinition decyptMethod; MethodDefinition decyptMethod;
if (use7zip) if (use7zip)
@ -123,30 +126,32 @@ namespace de4dot.code.deobfuscators.Confuser {
decyptMethod = findDecryptMethod_inflate(type); decyptMethod = findDecryptMethod_inflate(type);
if (decyptMethod == null) if (decyptMethod == null)
return; return;
ConfuserVersion theVersion = ConfuserVersion.Unknown;
var decryptLocals = new LocalTypes(decyptMethod); var decryptLocals = new LocalTypes(decyptMethod);
if (decryptLocals.exists("System.IO.MemoryStream")) { if (decryptLocals.exists("System.IO.MemoryStream")) {
if (DotNetUtils.callsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])")) if (DotNetUtils.callsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
version = ConfuserVersion.v10_r42915; theVersion = ConfuserVersion.v10_r42915;
else if (DotNetUtils.callsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)")) else if (DotNetUtils.callsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
version = ConfuserVersion.v10_r48717; theVersion = ConfuserVersion.v10_r48717;
else else
version = ConfuserVersion.v14_r57778; theVersion = ConfuserVersion.v14_r57778;
} }
else else
version = ConfuserVersion.v14_r58564; theVersion = ConfuserVersion.v14_r58564;
var cctor = DotNetUtils.getMethod(type, ".cctor"); var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor == null) if (cctor == null)
return; return;
if ((asmResolverMethod = findAssemblyResolverMethod(entryPoint.DeclaringType)) != null) { if ((asmResolverMethod = findAssemblyResolverMethod(entryPoint.DeclaringType)) != null) {
version = ConfuserVersion.v14_r58802; theVersion = ConfuserVersion.v14_r58802;
simpleDeobfuscator.deobfuscate(asmResolverMethod); simpleDeobfuscator.deobfuscate(asmResolverMethod);
if (!findKey1(asmResolverMethod, out key1)) if (!findKey1(asmResolverMethod, out key1))
return; return;
} }
switch (version) { switch (theVersion) {
case ConfuserVersion.v10_r42915: case ConfuserVersion.v10_r42915:
case ConfuserVersion.v10_r48717: case ConfuserVersion.v10_r48717:
case ConfuserVersion.v14_r57778: case ConfuserVersion.v14_r57778:
@ -159,21 +164,21 @@ namespace de4dot.code.deobfuscators.Confuser {
break; break;
if (findKey0_v14_r58852(decyptMethod, out key0)) { if (findKey0_v14_r58852(decyptMethod, out key0)) {
if (!decryptLocals.exists("System.Security.Cryptography.RijndaelManaged")) { if (!decryptLocals.exists("System.Security.Cryptography.RijndaelManaged")) {
version = ConfuserVersion.v14_r58852; theVersion = ConfuserVersion.v14_r58852;
break; break;
} }
if (use7zip) { if (use7zip) {
if (new LocalTypes(decyptMethod).exists("System.IO.MemoryStream")) if (new LocalTypes(decyptMethod).exists("System.IO.MemoryStream"))
version = ConfuserVersion.v17_r75076; theVersion = ConfuserVersion.v17_r75076;
else if (module.Name == "Stub.exe") else if (module.Name == "Stub.exe")
version = ConfuserVersion.v18_r75184; theVersion = ConfuserVersion.v18_r75184;
else else
version = ConfuserVersion.v18_r75367; theVersion = ConfuserVersion.v18_r75367;
} }
else if (isDecryptMethod_v17_r73404(decyptMethod)) else if (isDecryptMethod_v17_r73404(decyptMethod))
version = ConfuserVersion.v17_r73404; theVersion = ConfuserVersion.v17_r73404;
else else
version = ConfuserVersion.v15_r60785; theVersion = ConfuserVersion.v15_r60785;
break; break;
} }
throw new ApplicationException("Could not find magic"); throw new ApplicationException("Could not find magic");
@ -187,14 +192,15 @@ namespace de4dot.code.deobfuscators.Confuser {
if (findEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) { if (findEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
if (DotNetUtils.callsMethod(asmResolverMethod, "System.Void", "(System.String)")) if (DotNetUtils.callsMethod(asmResolverMethod, "System.Void", "(System.String)"))
version = ConfuserVersion.v17_r73477; theVersion = ConfuserVersion.v17_r73477;
else else
version = ConfuserVersion.v17_r73566; theVersion = ConfuserVersion.v17_r73566;
} }
mainAsmResource = findResource(cctor); mainAsmResource = findResource(cctor);
if (mainAsmResource == null) if (mainAsmResource == null)
throw new ApplicationException("Could not find main assembly resource"); throw new ApplicationException("Could not find main assembly resource");
version = theVersion;
} }
bool findEntryPointToken(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition cctor, MethodDefinition entryPoint, out uint token) { bool findEntryPointToken(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition cctor, MethodDefinition entryPoint, out uint token) {
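Review bot: In the detection method (apparently `find`, whose start is outside the hunks), `version` is now committed only by the final `version = theVersion;`, but `asmResolverMethod`, `key0`, `key1` and `entryPointToken` are still written while detection is in progress; they look like fields, though their declarations are not shown. On an early `return` or either `ApplicationException`, the object therefore keeps the version inherited from `other` next to partly updated key values from the current module. The input is an untrusted packed assembly and the version presumably selects the later decryption path, so a stale version should not be mistaken for a detection result. Either stage those values in locals and commit them together with the version, or state the contract on the field: `// may be inherited from a previous Unpacker; describes this module only when Detected is true`.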