Support latest EF 3.3.143
parent
8ca040f0da
commit
efd317489d
|
@ -26,13 +26,14 @@ using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
class DecrypterType {
|
class DecrypterType {
|
||||||
|
ModuleDefinition module;
|
||||||
TypeDefinition type;
|
TypeDefinition type;
|
||||||
MethodDefinition int64Method;
|
MethodDefinition int64Method;
|
||||||
bool initialized;
|
bool initialized;
|
||||||
ulong l1;
|
ulong l1;
|
||||||
int i1, i2, i3;
|
int i1, i2, i3;
|
||||||
int m1_i1, m2_i1, m2_i2, m3_i1;
|
int m1_i1, m2_i1, m2_i2, m3_i1;
|
||||||
int token1, token2, token3, token4, token5, token6;
|
MethodDefinition[] efConstMethods;
|
||||||
|
|
||||||
public TypeDefinition Type {
|
public TypeDefinition Type {
|
||||||
get { return type; }
|
get { return type; }
|
||||||
|
@ -48,6 +49,10 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
get { return type != null; }
|
get { return type != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public DecrypterType(ModuleDefinition module) {
|
||||||
|
this.module = module;
|
||||||
|
}
|
||||||
|
|
||||||
public bool initialize() {
|
public bool initialize() {
|
||||||
if (initialized)
|
if (initialized)
|
||||||
return true;
|
return true;
|
||||||
|
@ -56,27 +61,66 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (int64Method == null)
|
if (int64Method == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
if (!initializeEfConstMethods())
|
||||||
|
return false;
|
||||||
if (!findInt1And2())
|
if (!findInt1And2())
|
||||||
return false;
|
return false;
|
||||||
if (!findInt3())
|
if (!findInt3())
|
||||||
return false;
|
return false;
|
||||||
if (!findMethodInts())
|
if (!findMethodInts())
|
||||||
return false;
|
return false;
|
||||||
token1 = getToken(-1509110933);
|
|
||||||
token2 = getToken(-82806859);
|
|
||||||
token3 = getToken(1294352278);
|
|
||||||
token4 = getToken(402344241);
|
|
||||||
token5 = getToken(-56237163);
|
|
||||||
token6 = getToken(1106695601);
|
|
||||||
if (token1 == 0 || token2 == 0 || token3 == 0)
|
|
||||||
return false;
|
|
||||||
if (token4 == 0 || token5 == 0 || token6 == 0)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
initialized = true;
|
initialized = true;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool initializeEfConstMethods() {
|
||||||
|
if (type == null)
|
||||||
|
return false;
|
||||||
|
foreach (var instr in int64Method.Body.Instructions) {
|
||||||
|
if (instr.OpCode.Code != Code.Call)
|
||||||
|
continue;
|
||||||
|
var calledMethod = instr.Operand as MethodDefinition;
|
||||||
|
if (calledMethod == null || !calledMethod.IsStatic || calledMethod.Body == null)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isMethod(calledMethod, "System.Int32", "()"))
|
||||||
|
continue;
|
||||||
|
int index = type.NestedTypes.IndexOf(calledMethod.DeclaringType);
|
||||||
|
if (index < 0)
|
||||||
|
continue;
|
||||||
|
if (!initializeEfConstMethods(index))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool initializeEfConstMethods(int index) {
|
||||||
|
efConstMethods = new MethodDefinition[6];
|
||||||
|
for (int i = 0; i < efConstMethods.Length; i++) {
|
||||||
|
var constMethod = getEfConstMethod(type.NestedTypes[index++]);
|
||||||
|
if (constMethod == null)
|
||||||
|
return false;
|
||||||
|
efConstMethods[i] = constMethod;
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
MethodDefinition getEfConstMethod(TypeDefinition nestedType) {
|
||||||
|
foreach (var method in nestedType.Methods) {
|
||||||
|
if (!method.IsStatic || method.Body == null)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isMethod(method, "System.Int32", "()"))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return method;
|
||||||
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
MethodDefinition findInt64Method() {
|
MethodDefinition findInt64Method() {
|
||||||
if (type == null)
|
if (type == null)
|
||||||
return null;
|
return null;
|
||||||
|
@ -111,7 +155,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findInt1And2() {
|
bool findInt1And2() {
|
||||||
var consts = getConstants(findNestedTypeMethod(1294352278));
|
var consts = getConstants(efConstMethods[2]);
|
||||||
if (consts.Count != 2)
|
if (consts.Count != 2)
|
||||||
return false;
|
return false;
|
||||||
i1 = consts[0];
|
i1 = consts[0];
|
||||||
|
@ -120,7 +164,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findInt3() {
|
bool findInt3() {
|
||||||
var consts = getConstants(findNestedTypeMethod(1106695601));
|
var consts = getConstants(efConstMethods[5]);
|
||||||
if (consts.Count != 1)
|
if (consts.Count != 1)
|
||||||
return false;
|
return false;
|
||||||
i3 = consts[0];
|
i3 = consts[0];
|
||||||
|
@ -227,36 +271,6 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
|
|
||||||
MethodDefinition findNestedTypeMethod(int constant) {
|
|
||||||
foreach (var nestedType in type.NestedTypes) {
|
|
||||||
foreach (var method in nestedType.Methods) {
|
|
||||||
if (!method.IsStatic || method.Body == null)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
var instrs = method.Body.Instructions;
|
|
||||||
for (int i = 0; i < instrs.Count - 1; i++) {
|
|
||||||
var ldci4 = instrs[i];
|
|
||||||
if (!DotNetUtils.isLdcI4(ldci4))
|
|
||||||
continue;
|
|
||||||
if (DotNetUtils.getLdcI4Value(ldci4) != constant)
|
|
||||||
continue;
|
|
||||||
if (instrs[i + 1].OpCode.Code != Code.Ret)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
return method;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
|
|
||||||
int getToken(int constant) {
|
|
||||||
var method = findNestedTypeMethod(constant);
|
|
||||||
if (method == null)
|
|
||||||
return 0;
|
|
||||||
return method.DeclaringType.MetadataToken.ToInt32();
|
|
||||||
}
|
|
||||||
|
|
||||||
int binOp1(int a, int b) {
|
int binOp1(int a, int b) {
|
||||||
return a ^ (b - m1_i1);
|
return a ^ (b - m1_i1);
|
||||||
}
|
}
|
||||||
|
@ -270,33 +284,32 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
int constMethod1() {
|
int constMethod1() {
|
||||||
return binOp3(binOp2(token2, binOp3(token1, token5)), constMethod6());
|
return binOp3(binOp2(efConstMethods[1].DeclaringType.MetadataToken.ToInt32(), binOp3(efConstMethods[0].DeclaringType.MetadataToken.ToInt32(), efConstMethods[4].DeclaringType.MetadataToken.ToInt32())), constMethod6());
|
||||||
}
|
}
|
||||||
|
|
||||||
int constMethod2() {
|
int constMethod2() {
|
||||||
return binOp1(token3, token4 ^ binOp2(token2, binOp3(token6, constMethod4())));
|
return binOp1(efConstMethods[2].DeclaringType.MetadataToken.ToInt32(), efConstMethods[3].DeclaringType.MetadataToken.ToInt32() ^ binOp2(efConstMethods[1].DeclaringType.MetadataToken.ToInt32(), binOp3(efConstMethods[5].DeclaringType.MetadataToken.ToInt32(), constMethod4())));
|
||||||
}
|
}
|
||||||
|
|
||||||
int constMethod3() {
|
int constMethod3() {
|
||||||
return binOp3(binOp1(constMethod2() ^ i1, token4), binOp2(token1 ^ token6, i2));
|
return binOp3(binOp1(constMethod2() ^ i1, efConstMethods[3].DeclaringType.MetadataToken.ToInt32()), binOp2(efConstMethods[0].DeclaringType.MetadataToken.ToInt32() ^ efConstMethods[5].DeclaringType.MetadataToken.ToInt32(), i2));
|
||||||
}
|
}
|
||||||
|
|
||||||
int constMethod4() {
|
int constMethod4() {
|
||||||
return binOp3(token4, binOp1(token1, binOp2(token2, binOp3(token3, binOp1(token5, token6)))));
|
return binOp3(efConstMethods[3].DeclaringType.MetadataToken.ToInt32(), binOp1(efConstMethods[0].DeclaringType.MetadataToken.ToInt32(), binOp2(efConstMethods[1].DeclaringType.MetadataToken.ToInt32(), binOp3(efConstMethods[2].DeclaringType.MetadataToken.ToInt32(), binOp1(efConstMethods[4].DeclaringType.MetadataToken.ToInt32(), efConstMethods[5].DeclaringType.MetadataToken.ToInt32())))));
|
||||||
}
|
}
|
||||||
|
|
||||||
int constMethod5() {
|
int constMethod5() {
|
||||||
return binOp2(binOp2(constMethod3(), binOp1(token5, constMethod2())), token6);
|
return binOp2(binOp2(constMethod3(), binOp1(efConstMethods[4].DeclaringType.MetadataToken.ToInt32(), constMethod2())), efConstMethods[5].DeclaringType.MetadataToken.ToInt32());
|
||||||
}
|
}
|
||||||
|
|
||||||
int constMethod6() {
|
int constMethod6() {
|
||||||
return binOp1(token6, binOp3(binOp2(token5, token1), binOp3(token3 ^ i3, constMethod5())));
|
return binOp1(efConstMethods[5].DeclaringType.MetadataToken.ToInt32(), binOp3(binOp2(efConstMethods[4].DeclaringType.MetadataToken.ToInt32(), efConstMethods[0].DeclaringType.MetadataToken.ToInt32()), binOp3(efConstMethods[2].DeclaringType.MetadataToken.ToInt32() ^ i3, constMethod5())));
|
||||||
}
|
}
|
||||||
|
|
||||||
public ulong getMagic() {
|
public ulong getMagic() {
|
||||||
if (type == null)
|
if (type == null)
|
||||||
throw new ApplicationException("Can't calculate magic since type isn't initialized");
|
throw new ApplicationException("Can't calculate magic since type isn't initialized");
|
||||||
var module = type.Module;
|
|
||||||
|
|
||||||
var bytes = new List<byte>();
|
var bytes = new List<byte>();
|
||||||
if (module.Assembly != null) {
|
if (module.Assembly != null) {
|
||||||
|
|
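Review bot: In the `@ -56,27 +61,66 @` hunk, `initializeEfConstMethods(int index)` reads six consecutive entries with `type.NestedTypes[index++]` and never checks that they exist. If the matched declaring type is among the last five nested types, the indexer throws (presumably an out-of-range exception) instead of the method returning false. The layout comes from the obfuscated assembly being analysed, so I would add `if (index + efConstMethods.Length > type.NestedTypes.Count) return false;` right after the array is allocated, which keeps the caller's `continue` path working. The field `efConstMethods` is also assigned before all six lookups succeed, so a failed attempt leaves null entries that `constMethod1()` to `constMethod6()` would dereference if reached; filling a local array and assigning the field only on success avoids that.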
|
@ -91,7 +91,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected override void scanForObfuscator() {
|
protected override void scanForObfuscator() {
|
||||||
decrypterType = new DecrypterType();
|
decrypterType = new DecrypterType(module);
|
||||||
stringDecrypter = new StringDecrypter(module, decrypterType);
|
stringDecrypter = new StringDecrypter(module, decrypterType);
|
||||||
stringDecrypter.find();
|
stringDecrypter.find();
|
||||||
assemblyResolver = new AssemblyResolver(module, decrypterType);
|
assemblyResolver = new AssemblyResolver(module, decrypterType);
|
||||||
|
|