Decrypt strings
This commit is contained in:
parent
03a8372319
commit
f37a46a02b
|
@ -73,6 +73,7 @@
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\EncryptedResource.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\EncryptedResource.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\LocalTypes.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\LocalTypes.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\MethodsDecrypter.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\MethodsDecrypter.cs" />
|
||||||
|
<Compile Include="deobfuscators\dotNET_Reactor\StringDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\Eazfuscator\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Eazfuscator\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
|
<Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
|
||||||
<Compile Include="deobfuscators\IDeobfuscatedFile.cs" />
|
<Compile Include="deobfuscators\IDeobfuscatedFile.cs" />
|
||||||
|
|
|
@ -17,6 +17,7 @@
|
||||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
using System.IO;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
@ -50,7 +51,10 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
class Deobfuscator : DeobfuscatorBase {
|
class Deobfuscator : DeobfuscatorBase {
|
||||||
Options options;
|
Options options;
|
||||||
|
|
||||||
|
PE.PeImage peImage;
|
||||||
|
byte[] fileData;
|
||||||
MethodsDecrypter methodsDecrypter;
|
MethodsDecrypter methodsDecrypter;
|
||||||
|
StringDecrypter stringDecrypter;
|
||||||
|
|
||||||
internal class Options : OptionsBase {
|
internal class Options : OptionsBase {
|
||||||
}
|
}
|
||||||
|
@ -76,7 +80,11 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
int val = 0;
|
int val = 0;
|
||||||
|
|
||||||
if (methodsDecrypter.Detected)
|
if (methodsDecrypter.Detected)
|
||||||
val = 100;
|
val += 100;
|
||||||
|
else if (stringDecrypter.Detected)
|
||||||
|
val += 100;
|
||||||
|
if (methodsDecrypter.Detected && stringDecrypter.Detected)
|
||||||
|
val += 10;
|
||||||
|
|
||||||
return val;
|
return val;
|
||||||
}
|
}
|
||||||
|
@ -84,21 +92,43 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
protected override void scanForObfuscator() {
|
protected override void scanForObfuscator() {
|
||||||
methodsDecrypter = new MethodsDecrypter(module);
|
methodsDecrypter = new MethodsDecrypter(module);
|
||||||
methodsDecrypter.find();
|
methodsDecrypter.find();
|
||||||
|
stringDecrypter = new StringDecrypter(module);
|
||||||
|
stringDecrypter.find();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override byte[] getDecryptedModule() {
|
public override byte[] getDecryptedModule() {
|
||||||
return methodsDecrypter.decrypt(DeobfuscatedFile);
|
using (var fileStream = new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read)) {
|
||||||
|
fileData = new byte[(int)fileStream.Length];
|
||||||
|
fileStream.Read(fileData, 0, fileData.Length);
|
||||||
|
}
|
||||||
|
peImage = new PE.PeImage(fileData);
|
||||||
|
|
||||||
|
if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile))
|
||||||
|
return null;
|
||||||
|
|
||||||
|
return fileData;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
||||||
var newOne = new Deobfuscator(options);
|
var newOne = new Deobfuscator(options);
|
||||||
newOne.setModule(module);
|
newOne.setModule(module);
|
||||||
|
newOne.peImage = new PE.PeImage(fileData);
|
||||||
newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter);
|
newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter);
|
||||||
|
newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter);
|
||||||
return newOne;
|
return newOne;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override void deobfuscateBegin() {
|
public override void deobfuscateBegin() {
|
||||||
base.deobfuscateBegin();
|
base.deobfuscateBegin();
|
||||||
|
|
||||||
|
stringDecrypter.init(peImage, DeobfuscatedFile);
|
||||||
|
|
||||||
|
foreach (var info in stringDecrypter.DecrypterInfos) {
|
||||||
|
staticStringDecrypter.add(info.method, (method2, args) => {
|
||||||
|
return stringDecrypter.decrypt(method2, (int)args[0]);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
DeobfuscatedFile.stringDecryptersAdded();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override void deobfuscateMethodEnd(Blocks blocks) {
|
public override void deobfuscateMethodEnd(Blocks blocks) {
|
||||||
|
@ -111,6 +141,8 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<string> getStringDecrypterMethods() {
|
||||||
var list = new List<string>();
|
var list = new List<string>();
|
||||||
|
foreach (var info in stringDecrypter.DecrypterInfos)
|
||||||
|
list.Add(info.method.MetadataToken.ToInt32().ToString("X8"));
|
||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -44,16 +44,20 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
|
|
||||||
public EncryptedResource(ModuleDefinition module, EncryptedResource oldOne) {
|
public EncryptedResource(ModuleDefinition module, EncryptedResource oldOne) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
resourceDecrypterMethod = module.LookupToken(oldOne.resourceDecrypterMethod.MetadataToken.ToInt32()) as MethodDefinition;
|
if (oldOne.resourceDecrypterMethod != null)
|
||||||
encryptedDataResource = DotNetUtils.getResource(module, oldOne.encryptedDataResource.Name) as EmbeddedResource;
|
resourceDecrypterMethod = module.LookupToken(oldOne.resourceDecrypterMethod.MetadataToken.ToInt32()) as MethodDefinition;
|
||||||
|
if (oldOne.encryptedDataResource != null)
|
||||||
|
encryptedDataResource = DotNetUtils.getResource(module, oldOne.encryptedDataResource.Name) as EmbeddedResource;
|
||||||
key = oldOne.key;
|
key = oldOne.key;
|
||||||
iv = oldOne.iv;
|
iv = oldOne.iv;
|
||||||
|
|
||||||
if (resourceDecrypterMethod == null || encryptedDataResource == null || key == null || iv == null)
|
if (resourceDecrypterMethod == null && oldOne.resourceDecrypterMethod != null)
|
||||||
|
throw new ApplicationException("Could not initialize EncryptedResource");
|
||||||
|
if (encryptedDataResource == null && oldOne.encryptedDataResource != null)
|
||||||
throw new ApplicationException("Could not initialize EncryptedResource");
|
throw new ApplicationException("Could not initialize EncryptedResource");
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool couldBeResourceDecrypter(MethodDefinition method) {
|
public bool couldBeResourceDecrypter(MethodDefinition method, IList<string> additionalTypes) {
|
||||||
if (!method.IsStatic)
|
if (!method.IsStatic)
|
||||||
return false;
|
return false;
|
||||||
if (method.Body == null)
|
if (method.Body == null)
|
||||||
|
@ -61,18 +65,16 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
if (method.Body.Instructions.Count < 1000)
|
if (method.Body.Instructions.Count < 1000)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
var localTypes = new LocalTypes(method.Body.Variables);
|
var localTypes = new LocalTypes(method);
|
||||||
var requiredTypes = new string[] {
|
var requiredTypes = new List<string> {
|
||||||
"System.Byte[]",
|
"System.Byte[]",
|
||||||
"System.Diagnostics.StackFrame",
|
|
||||||
"System.IntPtr",
|
|
||||||
"System.IO.BinaryReader",
|
"System.IO.BinaryReader",
|
||||||
"System.IO.MemoryStream",
|
"System.IO.MemoryStream",
|
||||||
"System.Reflection.Assembly",
|
|
||||||
"System.Security.Cryptography.CryptoStream",
|
"System.Security.Cryptography.CryptoStream",
|
||||||
"System.Security.Cryptography.ICryptoTransform",
|
"System.Security.Cryptography.ICryptoTransform",
|
||||||
"System.Security.Cryptography.RijndaelManaged",
|
"System.Security.Cryptography.RijndaelManaged",
|
||||||
};
|
};
|
||||||
|
requiredTypes.AddRange(additionalTypes);
|
||||||
if (!localTypes.all(requiredTypes))
|
if (!localTypes.all(requiredTypes))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
|
|
@ -19,12 +19,17 @@
|
||||||
|
|
||||||
using System;
|
using System;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
|
using Mono.Cecil;
|
||||||
using Mono.Cecil.Cil;
|
using Mono.Cecil.Cil;
|
||||||
|
|
||||||
namespace de4dot.deobfuscators.dotNET_Reactor {
|
namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
class LocalTypes {
|
class LocalTypes {
|
||||||
Dictionary<string, int> localTypes = new Dictionary<string, int>(StringComparer.Ordinal);
|
Dictionary<string, int> localTypes = new Dictionary<string, int>(StringComparer.Ordinal);
|
||||||
|
|
||||||
|
public LocalTypes(MethodDefinition method)
|
||||||
|
: this(method.Body.Variables) {
|
||||||
|
}
|
||||||
|
|
||||||
public LocalTypes(IList<VariableDefinition> locals) {
|
public LocalTypes(IList<VariableDefinition> locals) {
|
||||||
foreach (var local in locals) {
|
foreach (var local in locals) {
|
||||||
var key = local.VariableType.FullName;
|
var key = local.VariableType.FullName;
|
||||||
|
@ -38,7 +43,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
return localTypes.ContainsKey(typeFullName);
|
return localTypes.ContainsKey(typeFullName);
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool all(string[] types) {
|
public bool all(IList<string> types) {
|
||||||
foreach (var typeName in types) {
|
foreach (var typeName in types) {
|
||||||
if (!exists(typeName))
|
if (!exists(typeName))
|
||||||
return false;
|
return false;
|
||||||
|
|
|
@ -46,6 +46,11 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void find() {
|
public void find() {
|
||||||
|
var additionalTypes = new string[] {
|
||||||
|
"System.Diagnostics.StackFrame",
|
||||||
|
"System.IntPtr",
|
||||||
|
"System.Reflection.Assembly",
|
||||||
|
};
|
||||||
var checkedMethods = new Dictionary<MethodReferenceAndDeclaringTypeKey, bool>();
|
var checkedMethods = new Dictionary<MethodReferenceAndDeclaringTypeKey, bool>();
|
||||||
var callCounter = new CallCounter();
|
var callCounter = new CallCounter();
|
||||||
int typesLeft = 30;
|
int typesLeft = 30;
|
||||||
|
@ -63,7 +68,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
checkedMethods[key] = true;
|
checkedMethods[key] = true;
|
||||||
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
|
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||||
continue;
|
continue;
|
||||||
if (!encryptedResource.couldBeResourceDecrypter(method))
|
if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes))
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
callCounter.add(method);
|
callCounter.add(method);
|
||||||
|
@ -73,9 +78,9 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
encryptedResource.ResourceDecrypterMethod = (MethodDefinition)callCounter.most();
|
encryptedResource.ResourceDecrypterMethod = (MethodDefinition)callCounter.most();
|
||||||
}
|
}
|
||||||
|
|
||||||
public byte[] decrypt(ISimpleDeobfuscator simpleDeobfuscator) {
|
public bool decrypt(PE.PeImage peImage, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
if (encryptedResource.ResourceDecrypterMethod == null)
|
if (encryptedResource.ResourceDecrypterMethod == null)
|
||||||
return null;
|
return false;
|
||||||
|
|
||||||
encryptedResource.init(simpleDeobfuscator);
|
encryptedResource.init(simpleDeobfuscator);
|
||||||
initXorKey();
|
initXorKey();
|
||||||
|
@ -94,46 +99,40 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
using (var fileStream = new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read)) {
|
var methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
|
||||||
byte[] fileData = new byte[(int)fileStream.Length];
|
int patchCount = methodsDataReader.ReadInt32();
|
||||||
fileStream.Read(fileData, 0, fileData.Length);
|
int mode = methodsDataReader.ReadInt32();
|
||||||
var peImage = new PE.PeImage(fileData);
|
if (!useXorKey || mode == 1) {
|
||||||
|
for (int i = 0; i < patchCount; i++) {
|
||||||
var methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
int patchCount = methodsDataReader.ReadInt32();
|
uint data = methodsDataReader.ReadUInt32();
|
||||||
int mode = methodsDataReader.ReadInt32();
|
peImage.write(rva, BitConverter.GetBytes(data));
|
||||||
if (!useXorKey || mode == 1) {
|
|
||||||
for (int i = 0; i < patchCount; i++) {
|
|
||||||
uint rva = methodsDataReader.ReadUInt32();
|
|
||||||
uint data = methodsDataReader.ReadUInt32();
|
|
||||||
peImage.write(rva, BitConverter.GetBytes(data));
|
|
||||||
}
|
|
||||||
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
|
||||||
uint rva = methodsDataReader.ReadUInt32();
|
|
||||||
uint token = methodsDataReader.ReadUInt32();
|
|
||||||
int size = methodsDataReader.ReadInt32();
|
|
||||||
if (size > 0)
|
|
||||||
peImage.write(rva, methodsDataReader.ReadBytes(size));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
else {
|
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
||||||
for (int i = 0; i < patchCount; i++) {
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
uint rva = methodsDataReader.ReadUInt32();
|
uint token = methodsDataReader.ReadUInt32();
|
||||||
uint data = methodsDataReader.ReadUInt32();
|
int size = methodsDataReader.ReadInt32();
|
||||||
peImage.write(rva, BitConverter.GetBytes(data));
|
if (size > 0)
|
||||||
}
|
peImage.write(rva, methodsDataReader.ReadBytes(size));
|
||||||
int count = methodsDataReader.ReadInt32();
|
|
||||||
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
|
||||||
uint rva = methodsDataReader.ReadUInt32();
|
|
||||||
uint token = methodsDataReader.ReadUInt32();
|
|
||||||
int size = methodsDataReader.ReadInt32();
|
|
||||||
if (size > 0)
|
|
||||||
peImage.write(rva, methodsDataReader.ReadBytes(size));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return fileData;
|
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
for (int i = 0; i < patchCount; i++) {
|
||||||
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
|
uint data = methodsDataReader.ReadUInt32();
|
||||||
|
peImage.write(rva, BitConverter.GetBytes(data));
|
||||||
|
}
|
||||||
|
int count = methodsDataReader.ReadInt32();
|
||||||
|
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
||||||
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
|
uint token = methodsDataReader.ReadUInt32();
|
||||||
|
int size = methodsDataReader.ReadInt32();
|
||||||
|
if (size > 0)
|
||||||
|
peImage.write(rva, methodsDataReader.ReadBytes(size));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
void initXorKey() {
|
void initXorKey() {
|
||||||
|
|
186
de4dot.code/deobfuscators/dotNET_Reactor/StringDecrypter.cs
Normal file
186
de4dot.code/deobfuscators/dotNET_Reactor/StringDecrypter.cs
Normal file
|
@ -0,0 +1,186 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using System.Text;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.Security.Cryptography;
|
||||||
|
using Mono.Cecil;
|
||||||
|
using Mono.Cecil.Cil;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
|
namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
|
class StringDecrypter {
|
||||||
|
ModuleDefinition module;
|
||||||
|
EncryptedResource encryptedResource;
|
||||||
|
List<DecrypterInfo> decrypterInfos = new List<DecrypterInfo>();
|
||||||
|
byte[] decryptedData;
|
||||||
|
PE.PeImage peImage;
|
||||||
|
|
||||||
|
public class DecrypterInfo {
|
||||||
|
public MethodDefinition method;
|
||||||
|
public byte[] key;
|
||||||
|
public byte[] iv;
|
||||||
|
|
||||||
|
public DecrypterInfo(MethodDefinition method, byte[] key, byte[] iv) {
|
||||||
|
this.method = method;
|
||||||
|
this.key = key;
|
||||||
|
this.iv = iv;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool Detected {
|
||||||
|
get { return encryptedResource.ResourceDecrypterMethod != null; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public IEnumerable<DecrypterInfo> DecrypterInfos {
|
||||||
|
get { return decrypterInfos; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public StringDecrypter(ModuleDefinition module) {
|
||||||
|
this.module = module;
|
||||||
|
this.encryptedResource = new EncryptedResource(module);
|
||||||
|
}
|
||||||
|
|
||||||
|
public StringDecrypter(ModuleDefinition module, StringDecrypter oldOne) {
|
||||||
|
this.module = module;
|
||||||
|
this.encryptedResource = new EncryptedResource(module, oldOne.encryptedResource);
|
||||||
|
foreach (var oldInfo in oldOne.decrypterInfos) {
|
||||||
|
var method = module.LookupToken(oldInfo.method.MetadataToken.ToInt32()) as MethodDefinition;
|
||||||
|
if (method == null)
|
||||||
|
throw new ApplicationException("Could not find string decrypter method");
|
||||||
|
decrypterInfos.Add(new DecrypterInfo(method, oldInfo.key, oldInfo.iv));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public void find() {
|
||||||
|
var additionalTypes = new string[] {
|
||||||
|
"System.String",
|
||||||
|
};
|
||||||
|
EmbeddedResource stringsResource = null;
|
||||||
|
foreach (var type in module.Types) {
|
||||||
|
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
|
||||||
|
continue;
|
||||||
|
foreach (var method in type.Methods) {
|
||||||
|
if (!method.IsStatic || !method.HasBody)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isMethod(method, "System.String", "(System.Int32)"))
|
||||||
|
continue;
|
||||||
|
if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var resource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
|
||||||
|
if (resource == null)
|
||||||
|
throw new ApplicationException("Could not find strings resource");
|
||||||
|
if (stringsResource != null && stringsResource != resource)
|
||||||
|
throw new ApplicationException("Two different string resources found");
|
||||||
|
|
||||||
|
stringsResource = resource;
|
||||||
|
encryptedResource.ResourceDecrypterMethod = method;
|
||||||
|
decrypterInfos.Add(new DecrypterInfo(method, null, null));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public void init(PE.PeImage peImage, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
|
if (encryptedResource.ResourceDecrypterMethod == null)
|
||||||
|
return;
|
||||||
|
this.peImage = peImage;
|
||||||
|
|
||||||
|
foreach (var info in decrypterInfos)
|
||||||
|
findKeyIv(info.method, out info.key, out info.iv);
|
||||||
|
|
||||||
|
encryptedResource.init(simpleDeobfuscator);
|
||||||
|
decryptedData = encryptedResource.decrypt();
|
||||||
|
}
|
||||||
|
|
||||||
|
void findKeyIv(MethodDefinition method, out byte[] key, out byte[] iv) {
|
||||||
|
key = null;
|
||||||
|
iv = null;
|
||||||
|
|
||||||
|
var requiredTypes = new string[] {
|
||||||
|
"System.Byte[]",
|
||||||
|
"System.IO.MemoryStream",
|
||||||
|
"System.Security.Cryptography.CryptoStream",
|
||||||
|
"System.Security.Cryptography.Rijndael",
|
||||||
|
};
|
||||||
|
foreach (var info in DotNetUtils.getCalledMethods(module, method)) {
|
||||||
|
var calledMethod = info.Item2;
|
||||||
|
if (calledMethod.DeclaringType != method.DeclaringType)
|
||||||
|
continue;
|
||||||
|
var localTypes = new LocalTypes(calledMethod);
|
||||||
|
if (!localTypes.all(requiredTypes))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var instructions = calledMethod.Body.Instructions;
|
||||||
|
byte[] newKey = null, newIv = null;
|
||||||
|
for (int i = 0; i < instructions.Count && (newKey == null || newIv == null); i++) {
|
||||||
|
var instr = instructions[i];
|
||||||
|
if (instr.OpCode.Code != Code.Ldtoken)
|
||||||
|
continue;
|
||||||
|
var field = instr.Operand as FieldDefinition;
|
||||||
|
if (field == null)
|
||||||
|
continue;
|
||||||
|
if (field.InitialValue == null)
|
||||||
|
continue;
|
||||||
|
if (field.InitialValue.Length == 32)
|
||||||
|
newKey = field.InitialValue;
|
||||||
|
else if (field.InitialValue.Length == 16)
|
||||||
|
newIv = field.InitialValue;
|
||||||
|
}
|
||||||
|
if (newKey == null || newIv == null)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
key = newKey;
|
||||||
|
iv = newIv;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
DecrypterInfo getDecrypterInfo(MethodDefinition method) {
|
||||||
|
foreach (var info in decrypterInfos) {
|
||||||
|
if (info.method == method)
|
||||||
|
return info;
|
||||||
|
}
|
||||||
|
throw new ApplicationException("Invalid string decrypter method");
|
||||||
|
}
|
||||||
|
|
||||||
|
public string decrypt(MethodDefinition method, int offset) {
|
||||||
|
var info = getDecrypterInfo(method);
|
||||||
|
|
||||||
|
if (info.key == null) {
|
||||||
|
int length = BitConverter.ToInt32(decryptedData, offset);
|
||||||
|
return Encoding.Unicode.GetString(decryptedData, offset + 4, length);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
uint rva = BitConverter.ToUInt32(decryptedData, offset);
|
||||||
|
int length = peImage.readInt32(rva);
|
||||||
|
var encryptedStringData = peImage.readBytes(rva + 4, length);
|
||||||
|
byte[] decryptedStringData;
|
||||||
|
using (var aes = new RijndaelManaged()) {
|
||||||
|
aes.Mode = CipherMode.CBC;
|
||||||
|
using (var transform = aes.CreateDecryptor(info.key, info.iv)) {
|
||||||
|
decryptedStringData = transform.TransformFinalBlock(encryptedStringData, 0, encryptedStringData.Length);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return Encoding.Unicode.GetString(decryptedStringData, 0, decryptedStringData.Length);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user