From fbba6a2aa89e4f27f04ff17b80b7a451eba94139 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Sun, 22 Apr 2012 16:18:41 +0200
Subject: [PATCH] Decrypt methods (CS RT is embedded inside the assembly)
---
 .../deobfuscators/CliSecure/CliSecureRtType.cs | 18 ++++++++++++++++--
 .../CliSecure/MethodsDecrypter.cs | 17 ++++++++++++++++-
 2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/de4dot.code/deobfuscators/CliSecure/CliSecureRtType.cs b/de4dot.code/deobfuscators/CliSecure/CliSecureRtType.cs
index efa942b9..dfa95762 100644
--- a/de4dot.code/deobfuscators/CliSecure/CliSecureRtType.cs
+++ b/de4dot.code/deobfuscators/CliSecure/CliSecureRtType.cs
@@ -18,8 +18,10 @@
 */
 using System;
+using System.IO;
 using Mono.Cecil;
 using de4dot.blocks;
+using de4dot.PE;
 namespace de4dot.code.deobfuscators.CliSecure {
 class CliSecureRtType {
@@ -29,9 +31,10 @@ namespace de4dot.code.deobfuscators.CliSecure {
 MethodDefinition initializeMethod;
 MethodDefinition stringDecrypterMethod;
 MethodDefinition loadMethod;
+ bool foundSig;
 public bool Detected {
- get { return cliSecureRtType != null; }
+ get { return foundSig || cliSecureRtType != null; }
 }
 public TypeDefinition Type {
@@ -76,7 +79,9 @@ namespace de4dot.code.deobfuscators.CliSecure {
 return;
 if (find2())
 return;
- findOld();
+ if (findOld())
+ return;
+ findNativeCode();
 }
 bool find2() {
@@ -143,6 +148,15 @@ namespace de4dot.code.deobfuscators.CliSecure {
 return false;
 }
+ bool findNativeCode() {
+ if ((module.Attributes & ModuleAttributes.ILOnly) != 0)
+ return false;
+ var peImage = new PeImage(new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read));
+ foundSig = MethodsDecrypter.detect(peImage);
+ return foundSig;
+ }
+
 static bool hasPinvokeMethod(TypeDefinition type, string methodName) {
 foreach (var method in type.Methods) {
 if (method.PInvokeInfo == null)
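Review bot: `Detected` can now be true while `Type` is still null, because `foundSig` is set by the native-code probe without `cliSecureRtType` (or `initializeMethod`, `stringDecrypterMethod`, `loadMethod`) ever being found, so a caller that checks `Detected` and then reads `Type` gets null where it previously could not. The callers are outside this hunk, so I cannot tell whether they already guard for that case. At minimum the getter deserves a comment stating the new contract, e.g. `// true when the managed RT type was found, or when only the embedded native runtime's code-header signature was detected (Type is null in that case)`.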
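Review bot: The `FileStream` opened in `findNativeCode()` is never closed: it is handed straight to `new PeImage(...)`, `peImage` is a local, and nothing disposes either object, so the assembly keeps an open read handle until finalization. Unless `PeImage` takes ownership and is disposed elsewhere (not visible in this hunk), scope the probe with a using statement: `using (var stream = new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read))` / `foundSig = MethodsDecrypter.detect(new PeImage(stream));` / `return foundSig;`. Note also that `detect()` swallows its own exceptions but the `FileStream` constructor runs outside it, so a locked or unreadable file surfaces from `find()` as an `IOException`; if that is intended, a one-line comment saying so would save the next reader a trip into `MethodsDecrypter`.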
diff --git a/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs
index 302035f4..7d8a8955 100644
--- a/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs
@@ -278,8 +278,12 @@ namespace de4dot.code.deobfuscators.CliSecure {
 return new CsHeader5(this);
 }
+ static uint getCodeHeaderOffset(PeImage peImage) {
+ return peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
+ }
+
 public bool decrypt2(ref DumpedMethods dumpedMethods) {
- uint codeHeaderOffset = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
+ uint codeHeaderOffset = getCodeHeaderOffset(peImage);
 if (!readCodeHeader(codeHeaderOffset))
 return false;
@@ -350,5 +354,16 @@ namespace de4dot.code.deobfuscators.CliSecure {
 return true;
 }
+
+ public static bool detect(PeImage peImage) {
+ try {
+ uint codeHeaderOffset = getCodeHeaderOffset(peImage);
+ var sig = peImage.offsetReadBytes(codeHeaderOffset, 16);
+ return Utils.compare(sig, normalSignature) || Utils.compare(sig, proSignature);
+ }
+ catch {
+ return false;
+ }
+ }
 }
 }
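Review bot: The bare `catch` in `detect()` maps every failure to "not protected", including ones unrelated to the probed file — a `NullReferenceException` if `Cor20Header` is unset for an image without a CLI header, or a genuine bug in `rvaToOffset`/`offsetReadBytes` — so a broken probe silently disables CliSecure detection instead of failing loudly. Which exception type a bad RVA or a read past the end of the image produces is not visible here; if `PeImage` signals those with a specific type, catch that type, otherwise keep the broad catch but record the intent: `// Any read failure here means there is no CS code header after the metadata: treat as "not CliSecure"`. The literal `16` in `offsetReadBytes(codeHeaderOffset, 16)` silently assumes both `normalSignature` and `proSignature` are exactly 16 bytes; reading `normalSignature.Length` bytes (if both arrays share a length, which this hunk does not show) keeps the probe in step with the signature definitions.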