monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4be5776da7
de4dot-cex/de4dot.code/deobfuscators/CryptoObfuscator/MethodsDecrypter.cs
de4dot b152362088 Update logger 
- It's not static anymore
- It implements ILogger
- It can ignore errors/warnings but an option to disable it
2012-11-11 05:41:54 +01:00

206 lines
6.0 KiB
C#
Raw Blame History

/*
Copyright (C) 2011-2012 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System;
using System.Collections.Generic;
using dot10.IO;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
class MethodsDecrypter {
ModuleDefMD module;
TypeDef decrypterType;
MethodDef decryptMethod;
MethodDef decrypterCctor;
EmbeddedResource resource;
List<TypeDef> delegateTypes = new List<TypeDef>();
public TypeDef Type {
get { return decrypterType; }
}
public IEnumerable<TypeDef> DelegateTypes {
get { return delegateTypes; }
}
public EmbeddedResource Resource {
get { return resource; }
}
public bool Detected {
get { return decrypterType != null; }
}
public MethodsDecrypter(ModuleDefMD module) {
this.module = module;
}
public void find() {
foreach (var type in module.Types) {
if (check(type))
break;
}
}
static readonly string[] requiredFields = new string[] {
"System.Byte[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.Int32>",
"System.ModuleHandle",
};
bool check(TypeDef type) {
if (type.NestedTypes.Count != 1)
return false;
if (type.Fields.Count != 3)
return false;
if (!new FieldTypes(type).all(requiredFields))
return false;
var cctor = type.FindClassConstructor();
if (cctor == null)
return false;
var decryptMethodTmp = findDecryptMethod(type);
if (decryptMethodTmp == null)
return false;
decryptMethod = decryptMethodTmp;
decrypterCctor = cctor;
decrypterType = type;
return true;
}
static readonly string[] requiredLocals = new string[] {
"System.Delegate",
"System.ModuleHandle",
"System.Reflection.Emit.DynamicILInfo",
"System.Reflection.Emit.DynamicMethod",
"System.Reflection.FieldInfo",
"System.Reflection.FieldInfo[]",
"System.Reflection.MethodBase",
"System.Reflection.MethodBody",
"System.Type",
"System.Type[]",
};
static MethodDef findDecryptMethod(TypeDef type) {
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!new LocalTypes(method).all(requiredLocals))
continue;
if (!DotNetUtils.isMethod(method, "System.Void", "(System.Int32,System.Int32,System.Int32)"))
continue;
return method;
}
return null;
}
public void decrypt(ResourceDecrypter resourceDecrypter) {
if (decryptMethod == null)
return;
resource = CoUtils.getResource(module, decrypterCctor);
if (resource == null)
return;
var decrypted = resourceDecrypter.decrypt(resource.GetResourceStream());
var reader = MemoryImageStream.Create(decrypted);
int numEncrypted = reader.ReadInt32();
Logger.v("Restoring {0} encrypted methods", numEncrypted);
Logger.Instance.indent();
for (int i = 0; i < numEncrypted; i++) {
int delegateTypeToken = reader.ReadInt32();
uint codeOffset = reader.ReadUInt32();
var origOffset = reader.Position;
reader.Position = codeOffset;
decrypt(reader, delegateTypeToken);
reader.Position = origOffset;
}
Logger.Instance.deIndent();
}
void decrypt(IBinaryReader reader, int delegateTypeToken) {
var delegateType = module.ResolveToken(delegateTypeToken) as TypeDef;
if (delegateType == null)
throw new ApplicationException("Couldn't find delegate type");
int delToken, encMethToken, encDeclToken;
if (!getTokens(delegateType, out delToken, out encMethToken, out encDeclToken))
throw new ApplicationException("Could not find encrypted method tokens");
if (delToken != delegateTypeToken)
throw new ApplicationException("Invalid delegate type token");
var encType = module.ResolveToken(encDeclToken) as ITypeDefOrRef;
if (encType == null)
throw new ApplicationException("Invalid declaring type token");
var encMethod = module.ResolveToken(encMethToken) as MethodDef;
if (encMethod == null)
throw new ApplicationException("Invalid encrypted method token");
var bodyReader = new MethodBodyReader(module, reader);
bodyReader.read(encMethod);
bodyReader.RestoreMethod(encMethod);
Logger.v("Restored method {0} ({1:X8}). Instrs:{2}, Locals:{3}, Exceptions:{4}",
Utils.removeNewlines(encMethod.FullName),
encMethod.MDToken.ToInt32(),
encMethod.Body.Instructions.Count,
encMethod.Body.LocalList.Count,
encMethod.Body.ExceptionHandlers.Count);
delegateTypes.Add(delegateType);
}
bool getTokens(TypeDef delegateType, out int delegateToken, out int encMethodToken, out int encDeclaringTypeToken) {
delegateToken = 0;
encMethodToken = 0;
encDeclaringTypeToken = 0;
var cctor = delegateType.FindClassConstructor();
if (cctor == null)
return false;
var instrs = cctor.Body.Instructions;
for (int i = 0; i < instrs.Count - 3; i++) {
var ldci4_1 = instrs[i];
if (!ldci4_1.IsLdcI4())
continue;
var ldci4_2 = instrs[i + 1];
if (!ldci4_2.IsLdcI4())
continue;
var ldci4_3 = instrs[i + 2];
if (!ldci4_3.IsLdcI4())
continue;
var call = instrs[i + 3];
if (call.OpCode.Code != Code.Call)
continue;
var calledMethod = call.Operand as MethodDef;
if (calledMethod == null)
continue;
if (calledMethod != decryptMethod)
continue;
delegateToken = ldci4_1.GetLdcI4Value();
encMethodToken = ldci4_2.GetLdcI4Value();
encDeclaringTypeToken = ldci4_3.GetLdcI4Value();
return true;
}
return false;
}
}
}
Reference in New Issue View Git Blame Copy Permalink