225 lines
5.9 KiB
C#
225 lines
5.9 KiB
C#
/*
|
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
|
|
|
This file is part of de4dot.
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.IO;
|
|
using System.Reflection;
|
|
using System.Reflection.Emit;
|
|
using dot10.DotNet;
|
|
|
|
namespace de4dot.code.deobfuscators.CodeFort {
|
|
class PasswordInfo {
|
|
public string passphrase;
|
|
public string salt;
|
|
public string iv;
|
|
|
|
public PasswordInfo(string passphrase, string salt, string iv) {
|
|
this.passphrase = passphrase;
|
|
this.salt = salt;
|
|
this.iv = iv;
|
|
}
|
|
|
|
public override string ToString() {
|
|
return string.Format("P:{0}, S:{1}, I:{2}", passphrase, salt, iv);
|
|
}
|
|
}
|
|
|
|
class PasswordFinder {
|
|
byte[] serializedData;
|
|
System.Collections.IList asmTypes;
|
|
|
|
class Obj {
|
|
object obj;
|
|
|
|
public Obj(object obj) {
|
|
this.obj = obj;
|
|
}
|
|
|
|
public string Name {
|
|
get { return (string)readField("Name"); }
|
|
}
|
|
|
|
public List<Obj> Members {
|
|
get { return getList("Members"); }
|
|
}
|
|
|
|
public List<Obj> Instructions {
|
|
get { return getList("Instructions"); }
|
|
}
|
|
|
|
public object Operand {
|
|
get { return readField("Operand"); }
|
|
}
|
|
|
|
public string OpCode {
|
|
get { return (string)readField("OpCode"); }
|
|
}
|
|
|
|
public Obj MemberDef {
|
|
get { return new Obj(readField("MemberDef")); }
|
|
}
|
|
|
|
protected object readField(string name) {
|
|
return PasswordFinder.readField(obj, name);
|
|
}
|
|
|
|
public Obj findMethod(string name) {
|
|
foreach (var member in Members) {
|
|
if (member.obj.GetType().ToString() != "MethodDef")
|
|
continue;
|
|
if (member.Name != name)
|
|
continue;
|
|
|
|
return member;
|
|
}
|
|
|
|
throw new ApplicationException(string.Format("Could not find method {0}", name));
|
|
}
|
|
|
|
List<Obj> getList(string name) {
|
|
return convertList((System.Collections.IList)readField(name));
|
|
}
|
|
|
|
static List<Obj> convertList(System.Collections.IList inList) {
|
|
var outList = new List<Obj>(inList.Count);
|
|
foreach (var e in inList)
|
|
outList.Add(new Obj(e));
|
|
return outList;
|
|
}
|
|
|
|
public override string ToString() {
|
|
return Name;
|
|
}
|
|
}
|
|
|
|
public PasswordFinder(byte[] serializedData) {
|
|
this.serializedData = serializedData;
|
|
}
|
|
|
|
static object readField(object instance, string name) {
|
|
return instance.GetType().GetField(name).GetValue(instance);
|
|
}
|
|
|
|
static System.Collections.IList toList(object obj) {
|
|
return (System.Collections.IList)obj;
|
|
}
|
|
|
|
public void find(out PasswordInfo mainAsmPassword, out PasswordInfo embedPassword) {
|
|
var asmBuilder = AppDomain.CurrentDomain.DefineDynamicAssembly(new AssemblyName("asm"), AssemblyBuilderAccess.Run);
|
|
var moduleBuilder = asmBuilder.DefineDynamicModule("mod");
|
|
var serializedTypes = new SerializedTypes(moduleBuilder);
|
|
var allTypes = serializedTypes.deserialize(serializedData);
|
|
asmTypes = toList(readField(allTypes, "Types"));
|
|
|
|
mainAsmPassword = findMainAssemblyPassword();
|
|
embedPassword = findEmbedPassword();
|
|
}
|
|
|
|
Obj findType(string name) {
|
|
foreach (var tmp in asmTypes) {
|
|
var type = new Obj(tmp);
|
|
if (type.Name == name)
|
|
return type;
|
|
}
|
|
return null;
|
|
}
|
|
|
|
PasswordInfo findMainAssemblyPassword() {
|
|
var type = findType("BootstrapDynArguments");
|
|
var cctor = type.findMethod(".cctor");
|
|
var instrs = cctor.Instructions;
|
|
var passphrase = findStringStoreValue(instrs, "KeyPassphrase");
|
|
var salt = findStringStoreValue(instrs, "KeySaltValue");
|
|
var iv = findStringStoreValue(instrs, "KeyIV");
|
|
return new PasswordInfo(passphrase, salt, iv);
|
|
}
|
|
|
|
static string findStringStoreValue(List<Obj> instrs, string fieldName) {
|
|
for (int i = 0; i < instrs.Count - 1; i++) {
|
|
var ldstr = instrs[i];
|
|
if (ldstr.OpCode != "ldstr")
|
|
continue;
|
|
var stsfld = instrs[i + 1];
|
|
if (stsfld.OpCode != "stsfld")
|
|
continue;
|
|
var memberRef = new Obj(stsfld.Operand);
|
|
if (memberRef.MemberDef == null)
|
|
continue;
|
|
if (memberRef.MemberDef.Name != fieldName)
|
|
continue;
|
|
|
|
return (string)ldstr.Operand;
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
PasswordInfo findEmbedPassword() {
|
|
var type = findType("CilEmbeddingHelper");
|
|
if (type == null)
|
|
return null;
|
|
var method = type.findMethod("CurrentDomain_AssemblyResolve");
|
|
var instrs = method.Instructions;
|
|
for (int i = 0; i < instrs.Count - 3; i++) {
|
|
int index = i;
|
|
|
|
var ldstr1 = instrs[index++];
|
|
if (ldstr1.OpCode != "ldstr")
|
|
continue;
|
|
var passphrase = getString(ldstr1, instrs, ref index);
|
|
|
|
var ldstr2 = instrs[index++];
|
|
if (ldstr2.OpCode != "ldstr")
|
|
continue;
|
|
var salt = getString(ldstr2, instrs, ref index);
|
|
|
|
var ldc = instrs[index++];
|
|
if (!ldc.OpCode.StartsWith("ldc.i4"))
|
|
continue;
|
|
|
|
var ldstr3 = instrs[index++];
|
|
if (ldstr3.OpCode != "ldstr")
|
|
continue;
|
|
var iv = getString(ldstr3, instrs, ref index);
|
|
|
|
return new PasswordInfo(passphrase, salt, iv);
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
static string getString(Obj ldstr, List<Obj> instrs, ref int index) {
|
|
var s = (string)ldstr.Operand;
|
|
if (index >= instrs.Count)
|
|
return s;
|
|
var call = instrs[index];
|
|
if (call.OpCode != "call" && call.OpCode != "callvirt")
|
|
return s;
|
|
index++;
|
|
var op = new Obj(call.Operand);
|
|
if (op.Name == "ToUpper")
|
|
return s.ToUpper();
|
|
if (op.Name == "ToLower")
|
|
return s.ToLower();
|
|
throw new ApplicationException(string.Format("Unknown method {0}", op.Name));
|
|
}
|
|
}
|
|
}
|