Support old CW 2.x
This commit is contained in:
de4dot
parent
baddb63d32
commit
eebb090827
|
|
@ -37,6 +37,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
||||||
string resourcePassword;
|
string resourcePassword;
|
||||||
string resourceSalt;
|
string resourceSalt;
|
||||||
EmbeddedResource assemblyResource;
|
EmbeddedResource assemblyResource;
|
||||||
|
ModuleDefinition resourceModule;
|
||||||
|
|
||||||
public class AssemblyInfo {
|
public class AssemblyInfo {
|
||||||
public readonly byte[] data;
|
public readonly byte[] data;
|
||||||
|
|
@ -68,10 +69,6 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
||||||
this.deob = deob;
|
this.deob = deob;
|
||||||
}
|
}
|
||||||
|
|
||||||
static readonly string[] requiredLocals = new string[] {
|
|
||||||
"System.AppDomain",
|
|
||||||
"System.DateTime",
|
|
||||||
};
|
|
||||||
public void find() {
|
public void find() {
|
||||||
var method = module.EntryPoint;
|
var method = module.EntryPoint;
|
||||||
if (!checkEntryPoint(method))
|
if (!checkEntryPoint(method))
|
||||||
|
|
@ -83,7 +80,8 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
||||||
return;
|
return;
|
||||||
|
|
||||||
deobfuscateAll(decryptAssemblyMethod);
|
deobfuscateAll(decryptAssemblyMethod);
|
||||||
var resource = getResource(decryptAssemblyMethod);
|
ModuleDefinition theResourceModule;
|
||||||
|
var resource = getResource(decryptAssemblyMethod, out theResourceModule);
|
||||||
if (resource == null)
|
if (resource == null)
|
||||||
return;
|
return;
|
||||||
string password, salt;
|
string password, salt;
|
||||||
|
|
@ -94,9 +92,14 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
||||||
resourcePassword = password;
|
resourcePassword = password;
|
||||||
resourceSalt = salt;
|
resourceSalt = salt;
|
||||||
assemblyResource = resource;
|
assemblyResource = resource;
|
||||||
|
resourceModule = theResourceModule;
|
||||||
decryptAllAssemblies();
|
decryptAllAssemblies();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static readonly string[] requiredLocals = new string[] {
|
||||||
|
"System.AppDomain",
|
||||||
|
"System.DateTime",
|
||||||
|
};
|
||||||
bool checkEntryPoint(MethodDefinition method) {
|
bool checkEntryPoint(MethodDefinition method) {
|
||||||
if (method == null)
|
if (method == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
@ -152,15 +155,43 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
EmbeddedResource getResource(MethodDefinition method) {
|
EmbeddedResource getResource(MethodDefinition method, out ModuleDefinition theResourceModule) {
|
||||||
|
string resourceDllFileName = null;
|
||||||
|
theResourceModule = module;
|
||||||
foreach (var s in DotNetUtils.getCodeStrings(method)) {
|
foreach (var s in DotNetUtils.getCodeStrings(method)) {
|
||||||
var resource = DotNetUtils.getResource(module, s + ".resources") as EmbeddedResource;
|
if (s.Length > 0 && s[0] == '\\')
|
||||||
|
resourceDllFileName = s;
|
||||||
|
var resource = DotNetUtils.getResource(theResourceModule, s + ".resources") as EmbeddedResource;
|
||||||
if (resource != null)
|
if (resource != null)
|
||||||
return resource;
|
return resource;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (resourceDllFileName == null)
|
||||||
|
return null;
|
||||||
|
// Here if CW 2.x
|
||||||
|
theResourceModule = getResourceModule(resourceDllFileName);
|
||||||
|
if (theResourceModule == null)
|
||||||
|
return null;
|
||||||
|
foreach (var s in DotNetUtils.getCodeStrings(method)) {
|
||||||
|
var resource = DotNetUtils.getResource(theResourceModule, s + ".resources") as EmbeddedResource;
|
||||||
|
if (resource != null)
|
||||||
|
return resource;
|
||||||
|
}
|
||||||
|
|
||||||
|
theResourceModule = null;
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ModuleDefinition getResourceModule(string name) {
|
||||||
|
try {
|
||||||
|
var resourceDllFileName = Path.Combine(Path.GetDirectoryName(module.FullyQualifiedName), name.Substring(1));
|
||||||
|
return ModuleDefinition.ReadModule(resourceDllFileName);
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
bool getPassword(MethodDefinition method, out string password, out string salt) {
|
bool getPassword(MethodDefinition method, out string password, out string salt) {
|
||||||
var instrs = method.Body.Instructions;
|
var instrs = method.Body.Instructions;
|
||||||
for (int i = 0; i < instrs.Count - 1; i++) {
|
for (int i = 0; i < instrs.Count - 1; i++) {
|
||||||
|
|
@ -186,7 +217,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
|
||||||
void decryptAllAssemblies() {
|
void decryptAllAssemblies() {
|
||||||
if (assemblyResource == null)
|
if (assemblyResource == null)
|
||||||
return;
|
return;
|
||||||
var resourceSet = ResourceReader.read(module, assemblyResource.GetResourceStream());
|
var resourceSet = ResourceReader.read(resourceModule, assemblyResource.GetResourceStream());
|
||||||
foreach (var resourceElement in resourceSet.ResourceElements) {
|
foreach (var resourceElement in resourceSet.ResourceElements) {
|
||||||
if (resourceElement.ResourceData.Code != ResourceTypeCode.ByteArray)
|
if (resourceElement.ResourceData.Code != ResourceTypeCode.ByteArray)
|
||||||
throw new ApplicationException("Invalid resource");
|
throw new ApplicationException("Invalid resource");
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user