Move detection of CV main type to its own class
This commit is contained in:
parent
bb89ce2983
commit
fa6b0d4054
|
@ -80,6 +80,7 @@
|
||||||
<Compile Include="deobfuscators\CliSecure\StackFrameHelper.cs" />
|
<Compile Include="deobfuscators\CliSecure\StackFrameHelper.cs" />
|
||||||
<Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\CodeVeil\AssemblyResolver.cs" />
|
<Compile Include="deobfuscators\CodeVeil\AssemblyResolver.cs" />
|
||||||
|
<Compile Include="deobfuscators\CodeVeil\MainType.cs" />
|
||||||
<Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
|
<Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\CodeVeil\ObfuscatorVersion.cs" />
|
<Compile Include="deobfuscators\CodeVeil\ObfuscatorVersion.cs" />
|
||||||
<Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
|
||||||
|
|
|
@ -57,6 +57,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
|
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
|
||||||
bool foundKillType = false;
|
bool foundKillType = false;
|
||||||
|
|
||||||
|
MainType mainType;
|
||||||
MethodsDecrypter methodsDecrypter;
|
MethodsDecrypter methodsDecrypter;
|
||||||
ProxyDelegateFinder proxyDelegateFinder;
|
ProxyDelegateFinder proxyDelegateFinder;
|
||||||
StringDecrypter stringDecrypter;
|
StringDecrypter stringDecrypter;
|
||||||
|
@ -85,7 +86,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
protected override int detectInternal() {
|
protected override int detectInternal() {
|
||||||
int val = 0;
|
int val = 0;
|
||||||
|
|
||||||
int sum = toInt32(methodsDecrypter.Detected) +
|
int sum = toInt32(mainType.Detected) +
|
||||||
|
toInt32(methodsDecrypter.Detected) +
|
||||||
toInt32(stringDecrypter.Detected) +
|
toInt32(stringDecrypter.Detected) +
|
||||||
toInt32(proxyDelegateFinder.Detected);
|
toInt32(proxyDelegateFinder.Detected);
|
||||||
if (sum > 0)
|
if (sum > 0)
|
||||||
|
@ -98,11 +100,13 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
|
|
||||||
protected override void scanForObfuscator() {
|
protected override void scanForObfuscator() {
|
||||||
findKillType();
|
findKillType();
|
||||||
proxyDelegateFinder = new ProxyDelegateFinder(module);
|
mainType = new MainType(module);
|
||||||
|
mainType.find();
|
||||||
|
proxyDelegateFinder = new ProxyDelegateFinder(module, mainType);
|
||||||
proxyDelegateFinder.findDelegateCreator();
|
proxyDelegateFinder.findDelegateCreator();
|
||||||
methodsDecrypter = new MethodsDecrypter(module);
|
methodsDecrypter = new MethodsDecrypter(mainType);
|
||||||
methodsDecrypter.find();
|
methodsDecrypter.find();
|
||||||
stringDecrypter = new StringDecrypter(module);
|
stringDecrypter = new StringDecrypter(module, mainType);
|
||||||
stringDecrypter.find();
|
stringDecrypter.find();
|
||||||
var version = detectVersion();
|
var version = detectVersion();
|
||||||
if (!string.IsNullOrEmpty(version))
|
if (!string.IsNullOrEmpty(version))
|
||||||
|
@ -110,8 +114,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
}
|
}
|
||||||
|
|
||||||
string detectVersion() {
|
string detectVersion() {
|
||||||
if (methodsDecrypter.Detected) {
|
if (mainType.Detected) {
|
||||||
switch (methodsDecrypter.Version) {
|
switch (mainType.Version) {
|
||||||
case ObfuscatorVersion.Unknown:
|
case ObfuscatorVersion.Unknown:
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
|
@ -160,9 +164,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
||||||
var newOne = new Deobfuscator(options);
|
var newOne = new Deobfuscator(options);
|
||||||
newOne.setModule(module);
|
newOne.setModule(module);
|
||||||
newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter);
|
newOne.mainType = new MainType(module, mainType);
|
||||||
newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter);
|
newOne.methodsDecrypter = new MethodsDecrypter(mainType, methodsDecrypter);
|
||||||
newOne.proxyDelegateFinder = new ProxyDelegateFinder(module, proxyDelegateFinder);
|
newOne.stringDecrypter = new StringDecrypter(module, newOne.mainType, stringDecrypter);
|
||||||
|
newOne.proxyDelegateFinder = new ProxyDelegateFinder(module, newOne.mainType, proxyDelegateFinder);
|
||||||
return newOne;
|
return newOne;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
169
de4dot.code/deobfuscators/CodeVeil/MainType.cs
Normal file
169
de4dot.code/deobfuscators/CodeVeil/MainType.cs
Normal file
|
@ -0,0 +1,169 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using Mono.Cecil;
|
||||||
|
using Mono.Cecil.Cil;
|
||||||
|
using Mono.Cecil.Metadata;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
|
// Detects the type CV adds to the assembly that gets called from <Module>::.cctor.
|
||||||
|
class MainType {
|
||||||
|
ModuleDefinition module;
|
||||||
|
TypeDefinition theType;
|
||||||
|
MethodDefinition initMethod;
|
||||||
|
ObfuscatorVersion obfuscatorVersion = ObfuscatorVersion.Unknown;
|
||||||
|
List<int> rvas; // _stub and _executive
|
||||||
|
|
||||||
|
public bool Detected {
|
||||||
|
get { return theType != null; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public ObfuscatorVersion Version {
|
||||||
|
get { return obfuscatorVersion; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public TypeDefinition Type {
|
||||||
|
get { return theType; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodDefinition InitMethod {
|
||||||
|
get { return initMethod; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public List<int> Rvas {
|
||||||
|
get { return rvas; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public MainType(ModuleDefinition module) {
|
||||||
|
this.module = module;
|
||||||
|
}
|
||||||
|
|
||||||
|
public MainType(ModuleDefinition module, MainType oldOne) {
|
||||||
|
this.module = module;
|
||||||
|
this.theType = lookup(oldOne.theType, "Could not find main type");
|
||||||
|
this.initMethod = lookup(oldOne.initMethod, "Could not find main type init method");
|
||||||
|
this.obfuscatorVersion = oldOne.obfuscatorVersion;
|
||||||
|
this.rvas = oldOne.rvas;
|
||||||
|
}
|
||||||
|
|
||||||
|
T lookup<T>(T def, string errorMessage) where T : MemberReference {
|
||||||
|
return DeobUtils.lookup(module, def, errorMessage);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void find() {
|
||||||
|
var cctor = DotNetUtils.getModuleTypeCctor(module);
|
||||||
|
if (cctor == null)
|
||||||
|
return;
|
||||||
|
|
||||||
|
var instrs = cctor.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 2; i++) {
|
||||||
|
var ldci4_1 = instrs[i];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4_1))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var ldci4_2 = instrs[i + 1];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4_2))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var call = instrs[i + 2];
|
||||||
|
if (call.OpCode.Code != Code.Call)
|
||||||
|
continue;
|
||||||
|
var initMethodTmp = call.Operand as MethodDefinition;
|
||||||
|
ObfuscatorVersion obfuscatorVersionTmp;
|
||||||
|
if (!checkInitMethod(initMethodTmp, out obfuscatorVersionTmp))
|
||||||
|
continue;
|
||||||
|
if (!checkMethodsType(initMethodTmp.DeclaringType))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
obfuscatorVersion = obfuscatorVersionTmp;
|
||||||
|
theType = initMethodTmp.DeclaringType;
|
||||||
|
initMethod = initMethodTmp;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static string[] fieldTypesV5 = new string[] {
|
||||||
|
"System.Byte[]",
|
||||||
|
"System.Collections.Generic.List`1<System.Delegate>",
|
||||||
|
"System.Runtime.InteropServices.GCHandle",
|
||||||
|
};
|
||||||
|
bool checkInitMethod(MethodDefinition initMethod, out ObfuscatorVersion obfuscatorVersionTmp) {
|
||||||
|
obfuscatorVersionTmp = ObfuscatorVersion.Unknown;
|
||||||
|
|
||||||
|
if (initMethod == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (initMethod.Body == null)
|
||||||
|
return false;
|
||||||
|
if (!initMethod.IsStatic)
|
||||||
|
return false;
|
||||||
|
if (!DotNetUtils.isMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (hasCodeString(initMethod, "E_FullTrust")) {
|
||||||
|
if (DotNetUtils.getPInvokeMethod(initMethod.DeclaringType, "user32", "CallWindowProcW") != null)
|
||||||
|
obfuscatorVersionTmp = ObfuscatorVersion.V4_1;
|
||||||
|
else
|
||||||
|
obfuscatorVersionTmp = ObfuscatorVersion.V4_0;
|
||||||
|
}
|
||||||
|
else if (hasCodeString(initMethod, "Full Trust Required"))
|
||||||
|
obfuscatorVersionTmp = ObfuscatorVersion.V3;
|
||||||
|
else if (initMethod.DeclaringType.HasNestedTypes && new FieldTypes(initMethod.DeclaringType).all(fieldTypesV5))
|
||||||
|
obfuscatorVersionTmp = ObfuscatorVersion.V5_0;
|
||||||
|
else
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool hasCodeString(MethodDefinition method, string str) {
|
||||||
|
foreach (var s in DotNetUtils.getCodeStrings(method)) {
|
||||||
|
if (s == str)
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool checkMethodsType(TypeDefinition type) {
|
||||||
|
var fields = getRvaFields(type);
|
||||||
|
if (fields.Count < 2) // RVAs for executive and stub are always present if encrypted methods
|
||||||
|
return true;
|
||||||
|
|
||||||
|
rvas = new List<int>(fields.Count);
|
||||||
|
foreach (var field in fields)
|
||||||
|
rvas.Add(field.RVA);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
static List<FieldDefinition> getRvaFields(TypeDefinition type) {
|
||||||
|
var fields = new List<FieldDefinition>();
|
||||||
|
foreach (var field in type.Fields) {
|
||||||
|
if (field.FieldType.EType != ElementType.U1 && field.FieldType.EType != ElementType.U4)
|
||||||
|
continue;
|
||||||
|
if (field.RVA == 0)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
fields.Add(field);
|
||||||
|
}
|
||||||
|
return fields;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -29,33 +29,17 @@ using de4dot.code.PE;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.CodeVeil {
|
namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
class MethodsDecrypter {
|
class MethodsDecrypter {
|
||||||
ModuleDefinition module;
|
MainType mainType;
|
||||||
TypeDefinition methodsType;
|
|
||||||
List<int> rvas; // _stub and _executive
|
|
||||||
IDecrypter decrypter;
|
IDecrypter decrypter;
|
||||||
|
|
||||||
public ObfuscatorVersion Version {
|
|
||||||
get { return decrypter == null ? ObfuscatorVersion.Unknown : decrypter.Version; }
|
|
||||||
}
|
|
||||||
|
|
||||||
interface IDecrypter {
|
interface IDecrypter {
|
||||||
ObfuscatorVersion Version { get; }
|
|
||||||
void initialize(byte[] methodsData);
|
void initialize(byte[] methodsData);
|
||||||
bool decrypt(BinaryReader fileDataReader, DumpedMethod dm);
|
bool decrypt(BinaryReader fileDataReader, DumpedMethod dm);
|
||||||
}
|
}
|
||||||
|
|
||||||
class Decrypter : IDecrypter {
|
class Decrypter : IDecrypter {
|
||||||
ObfuscatorVersion obfuscatorVersion;
|
|
||||||
BinaryReader methodsDataReader;
|
BinaryReader methodsDataReader;
|
||||||
|
|
||||||
public ObfuscatorVersion Version {
|
|
||||||
get { return obfuscatorVersion; }
|
|
||||||
}
|
|
||||||
|
|
||||||
public Decrypter(ObfuscatorVersion obfuscatorVersion) {
|
|
||||||
this.obfuscatorVersion = obfuscatorVersion;
|
|
||||||
}
|
|
||||||
|
|
||||||
public virtual void initialize(byte[] methodsData) {
|
public virtual void initialize(byte[] methodsData) {
|
||||||
methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
|
methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
|
||||||
}
|
}
|
||||||
|
@ -121,10 +105,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
class DecrypterV5 : Decrypter {
|
class DecrypterV5 : Decrypter {
|
||||||
byte[] decryptKey;
|
byte[] decryptKey;
|
||||||
|
|
||||||
public DecrypterV5()
|
|
||||||
: base(ObfuscatorVersion.V5_0) {
|
|
||||||
}
|
|
||||||
|
|
||||||
public override void initialize(byte[] methodsData) {
|
public override void initialize(byte[] methodsData) {
|
||||||
var data = DeobUtils.inflate(methodsData, true);
|
var data = DeobUtils.inflate(methodsData, true);
|
||||||
decryptKey = BitConverter.GetBytes(BitConverter.ToUInt32(data, 0));
|
decryptKey = BitConverter.GetBytes(BitConverter.ToUInt32(data, 0));
|
||||||
|
@ -146,117 +126,42 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool Detected {
|
public bool Detected {
|
||||||
get { return methodsType != null; }
|
get { return decrypter != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public MethodsDecrypter(ModuleDefinition module) {
|
public MethodsDecrypter(MainType mainType) {
|
||||||
this.module = module;
|
this.mainType = mainType;
|
||||||
}
|
}
|
||||||
|
|
||||||
public MethodsDecrypter(ModuleDefinition module, MethodsDecrypter oldOne) {
|
public MethodsDecrypter(MainType mainType, MethodsDecrypter oldOne) {
|
||||||
this.module = module;
|
this.mainType = mainType;
|
||||||
this.methodsType = lookup(oldOne.methodsType, "Could not find methods type");
|
|
||||||
}
|
|
||||||
|
|
||||||
T lookup<T>(T def, string errorMessage) where T : MemberReference {
|
|
||||||
return DeobUtils.lookup(module, def, errorMessage);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void find() {
|
public void find() {
|
||||||
var cctor = DotNetUtils.getModuleTypeCctor(module);
|
if (!mainType.Detected)
|
||||||
if (cctor == null)
|
|
||||||
return;
|
return;
|
||||||
|
|
||||||
var instrs = cctor.Body.Instructions;
|
switch (mainType.Version) {
|
||||||
for (int i = 0; i < instrs.Count - 2; i++) {
|
case ObfuscatorVersion.Unknown:
|
||||||
var ldci4_1 = instrs[i];
|
|
||||||
if (!DotNetUtils.isLdcI4(ldci4_1))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
var ldci4_2 = instrs[i + 1];
|
|
||||||
if (!DotNetUtils.isLdcI4(ldci4_2))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
var call = instrs[i + 2];
|
|
||||||
if (call.OpCode.Code != Code.Call)
|
|
||||||
continue;
|
|
||||||
var initMethod = call.Operand as MethodDefinition;
|
|
||||||
if (!checkInitMethod(initMethod))
|
|
||||||
continue;
|
|
||||||
if (!checkMethodsType(initMethod.DeclaringType))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
methodsType = initMethod.DeclaringType;
|
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static string[] fieldTypesV5 = new string[] {
|
case ObfuscatorVersion.V3:
|
||||||
"System.Byte[]",
|
case ObfuscatorVersion.V4_0:
|
||||||
"System.Collections.Generic.List`1<System.Delegate>",
|
case ObfuscatorVersion.V4_1:
|
||||||
"System.Runtime.InteropServices.GCHandle",
|
decrypter = new Decrypter();
|
||||||
};
|
break;
|
||||||
bool checkInitMethod(MethodDefinition initMethod) {
|
|
||||||
if (initMethod == null)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
if (initMethod.Body == null)
|
case ObfuscatorVersion.V5_0:
|
||||||
return false;
|
|
||||||
if (!initMethod.IsStatic)
|
|
||||||
return false;
|
|
||||||
if (!DotNetUtils.isMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
|
|
||||||
return false;
|
|
||||||
|
|
||||||
if (hasCodeString(initMethod, "E_FullTrust")) {
|
|
||||||
if (DotNetUtils.getPInvokeMethod(initMethod.DeclaringType, "user32", "CallWindowProcW") != null)
|
|
||||||
decrypter = new Decrypter(ObfuscatorVersion.V4_1);
|
|
||||||
else
|
|
||||||
decrypter = new Decrypter(ObfuscatorVersion.V4_0);
|
|
||||||
}
|
|
||||||
else if (hasCodeString(initMethod, "Full Trust Required"))
|
|
||||||
decrypter = new Decrypter(ObfuscatorVersion.V3);
|
|
||||||
else if (initMethod.DeclaringType.HasNestedTypes && new FieldTypes(initMethod.DeclaringType).all(fieldTypesV5))
|
|
||||||
decrypter = new DecrypterV5();
|
decrypter = new DecrypterV5();
|
||||||
else
|
break;
|
||||||
return false;
|
|
||||||
|
|
||||||
return true;
|
default:
|
||||||
|
throw new ApplicationException("Unknown version");
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool hasCodeString(MethodDefinition method, string str) {
|
|
||||||
foreach (var s in DotNetUtils.getCodeStrings(method)) {
|
|
||||||
if (s == str)
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
bool checkMethodsType(TypeDefinition type) {
|
|
||||||
var fields = getRvaFields(type);
|
|
||||||
if (fields.Count < 2)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
rvas = new List<int>(fields.Count);
|
|
||||||
foreach (var field in fields)
|
|
||||||
rvas.Add(field.RVA);
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
static List<FieldDefinition> getRvaFields(TypeDefinition type) {
|
|
||||||
var fields = new List<FieldDefinition>();
|
|
||||||
foreach (var field in type.Fields) {
|
|
||||||
if (field.FieldType.EType != ElementType.U1 && field.FieldType.EType != ElementType.U4)
|
|
||||||
continue;
|
|
||||||
if (field.RVA == 0)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
fields.Add(field);
|
|
||||||
}
|
|
||||||
return fields;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool decrypt(byte[] fileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public bool decrypt(byte[] fileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
||||||
if (methodsType == null)
|
if (decrypter == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
var peImage = new PeImage(fileData);
|
var peImage = new PeImage(fileData);
|
||||||
|
@ -356,7 +261,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
int rva = BitConverter.ToInt32(fileData, offset + RVA_EXECUTIVE_OFFSET);
|
int rva = BitConverter.ToInt32(fileData, offset + RVA_EXECUTIVE_OFFSET);
|
||||||
if (rvas.IndexOf(rva) < 0)
|
if (mainType.Rvas.IndexOf(rva) < 0)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
int relOffs = BitConverter.ToInt32(fileData, offset + ENC_CODE_OFFSET);
|
int relOffs = BitConverter.ToInt32(fileData, offset + ENC_CODE_OFFSET);
|
||||||
|
@ -377,7 +282,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
|
|
||||||
int getStartOffset(PeImage peImage) {
|
int getStartOffset(PeImage peImage) {
|
||||||
int minOffset = int.MaxValue;
|
int minOffset = int.MaxValue;
|
||||||
foreach (var rva in rvas) {
|
foreach (var rva in mainType.Rvas) {
|
||||||
int rvaOffs = (int)peImage.rvaToOffset((uint)rva);
|
int rvaOffs = (int)peImage.rvaToOffset((uint)rva);
|
||||||
if (rvaOffs < minOffset)
|
if (rvaOffs < minOffset)
|
||||||
minOffset = rvaOffs;
|
minOffset = rvaOffs;
|
||||||
|
|
|
@ -26,11 +26,11 @@ using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.CodeVeil {
|
namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
class ProxyDelegateFinder : ProxyDelegateFinderBase {
|
class ProxyDelegateFinder : ProxyDelegateFinderBase {
|
||||||
|
MainType mainType;
|
||||||
Info info = new Info();
|
Info info = new Info();
|
||||||
BinaryReader reader;
|
BinaryReader reader;
|
||||||
|
|
||||||
class Info {
|
class Info {
|
||||||
public TypeDefinition mainType;
|
|
||||||
public TypeDefinition proxyType;
|
public TypeDefinition proxyType;
|
||||||
public MethodDefinition initMethod;
|
public MethodDefinition initMethod;
|
||||||
public FieldDefinition dataField;
|
public FieldDefinition dataField;
|
||||||
|
@ -44,13 +44,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public ProxyDelegateFinder(ModuleDefinition module)
|
public ProxyDelegateFinder(ModuleDefinition module, MainType mainType)
|
||||||
: base(module) {
|
: base(module) {
|
||||||
|
this.mainType = mainType;
|
||||||
}
|
}
|
||||||
|
|
||||||
public ProxyDelegateFinder(ModuleDefinition module, ProxyDelegateFinder oldOne)
|
public ProxyDelegateFinder(ModuleDefinition module, MainType mainType, ProxyDelegateFinder oldOne)
|
||||||
: base(module, oldOne) {
|
: base(module, oldOne) {
|
||||||
info.mainType = lookup(oldOne.info.mainType, "Could not find mainType");
|
this.mainType = mainType;
|
||||||
info.proxyType = lookup(oldOne.info.proxyType, "Could not find proxyType");
|
info.proxyType = lookup(oldOne.info.proxyType, "Could not find proxyType");
|
||||||
info.initMethod = lookup(oldOne.info.initMethod, "Could not find initMethod");
|
info.initMethod = lookup(oldOne.info.initMethod, "Could not find initMethod");
|
||||||
info.dataField = lookup(oldOne.info.dataField, "Could not find dataField");
|
info.dataField = lookup(oldOne.info.dataField, "Could not find dataField");
|
||||||
|
@ -97,22 +98,15 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void findDelegateCreator() {
|
public void findDelegateCreator() {
|
||||||
var moduleCctor = DotNetUtils.getModuleTypeCctor(module);
|
if (!mainType.Detected)
|
||||||
if (moduleCctor == null)
|
|
||||||
return;
|
return;
|
||||||
foreach (var call in DotNetUtils.getCalledMethods(module, moduleCctor)) {
|
|
||||||
if (!call.Item2.IsStatic)
|
|
||||||
continue;
|
|
||||||
if (!DotNetUtils.isMethod(call.Item2, "System.Void", "(System.Boolean,System.Boolean)"))
|
|
||||||
continue;
|
|
||||||
var infoTmp = new Info();
|
var infoTmp = new Info();
|
||||||
if (!initializeInfo(infoTmp, call.Item1))
|
if (!initializeInfo(infoTmp, mainType.Type))
|
||||||
continue;
|
return;
|
||||||
|
|
||||||
info = infoTmp;
|
info = infoTmp;
|
||||||
setDelegateCreatorMethod(info.initMethod);
|
setDelegateCreatorMethod(info.initMethod);
|
||||||
return;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
bool initializeInfo(Info infoTmp, TypeDefinition type) {
|
bool initializeInfo(Info infoTmp, TypeDefinition type) {
|
||||||
|
@ -123,7 +117,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
if (!initProxyType(infoTmp, cctor))
|
if (!initProxyType(infoTmp, cctor))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
infoTmp.mainType = type;
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -184,7 +177,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected override IEnumerable<TypeDefinition> getDelegateTypes() {
|
protected override IEnumerable<TypeDefinition> getDelegateTypes() {
|
||||||
return info.mainType.NestedTypes;
|
if (!mainType.Detected)
|
||||||
|
return new List<TypeDefinition>();
|
||||||
|
return mainType.Type.NestedTypes;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void initialize() {
|
public void initialize() {
|
||||||
|
|
|
@ -26,6 +26,7 @@ using de4dot.blocks;
|
||||||
namespace de4dot.code.deobfuscators.CodeVeil {
|
namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
class StringDecrypter {
|
class StringDecrypter {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
|
MainType mainType;
|
||||||
TypeDefinition decrypterType;
|
TypeDefinition decrypterType;
|
||||||
FieldDefinition stringDataField;
|
FieldDefinition stringDataField;
|
||||||
MethodDefinition initMethod;
|
MethodDefinition initMethod;
|
||||||
|
@ -40,12 +41,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
get { return decrypterMethod; }
|
get { return decrypterMethod; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public StringDecrypter(ModuleDefinition module) {
|
public StringDecrypter(ModuleDefinition module, MainType mainType) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
|
this.mainType = mainType;
|
||||||
}
|
}
|
||||||
|
|
||||||
public StringDecrypter(ModuleDefinition module, StringDecrypter oldOne) {
|
public StringDecrypter(ModuleDefinition module, MainType mainType, StringDecrypter oldOne) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
|
this.mainType = mainType;
|
||||||
this.decrypterType = lookup(oldOne.decrypterType, "Could not find string decrypter type");
|
this.decrypterType = lookup(oldOne.decrypterType, "Could not find string decrypter type");
|
||||||
this.stringDataField = lookup(oldOne.stringDataField, "Could not find string data field");
|
this.stringDataField = lookup(oldOne.stringDataField, "Could not find string data field");
|
||||||
this.initMethod = lookup(oldOne.initMethod, "Could not find string decrypter init method");
|
this.initMethod = lookup(oldOne.initMethod, "Could not find string decrypter init method");
|
||||||
|
@ -95,23 +98,13 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
|
|
||||||
// The main decrypter type calls the string decrypter init method inside its init method
|
// The main decrypter type calls the string decrypter init method inside its init method
|
||||||
void find_V5(MethodDefinition method) {
|
void find_V5(MethodDefinition method) {
|
||||||
var instrs = method.Body.Instructions;
|
if (!mainType.Detected)
|
||||||
for (int i = 0; i < instrs.Count; i++) {
|
return;
|
||||||
var call = instrs[i];
|
foreach (var info in DotNetUtils.getCalledMethods(module, mainType.InitMethod)) {
|
||||||
if (call.OpCode.Code != Code.Call)
|
|
||||||
continue;
|
|
||||||
var mainTypeInitMethod = call.Operand as MethodDefinition;
|
|
||||||
if (mainTypeInitMethod == null || mainTypeInitMethod.Body == null || !mainTypeInitMethod.IsStatic)
|
|
||||||
continue;
|
|
||||||
if (!DotNetUtils.isMethod(mainTypeInitMethod, "System.Void", "(System.Boolean,System.Boolean)"))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
foreach (var info in DotNetUtils.getCalledMethods(module, mainTypeInitMethod)) {
|
|
||||||
if (find(info.Item2))
|
if (find(info.Item2))
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
bool checkType(TypeDefinition type) {
|
bool checkType(TypeDefinition type) {
|
||||||
if (!type.HasNestedTypes)
|
if (!type.HasNestedTypes)
|
||||||
|
|
Loading…
Reference in New Issue
Block a user