7adf818194
Move BeaEngine.dll to /bin/ Make sure BeaEngine.dll is loaded when the working directory is different Disable file deobfuscation exception handler Don't remove LZMA methods by default Trim version read from ConfuserAttribute Minor refactoring
843 lines
25 KiB
C#
843 lines
25 KiB
C#
/*
|
|
Copyright (C) 2011-2015 de4dot@gmail.com
|
|
|
|
This file is part of de4dot.
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.Globalization;
|
|
using System.IO;
|
|
using System.Text;
|
|
using dnlib.DotNet;
|
|
using dnlib.DotNet.Emit;
|
|
using dnlib.DotNet.Writer;
|
|
using dnlib.PE;
|
|
using AssemblyData;
|
|
using de4dot.code.deobfuscators;
|
|
using de4dot.blocks;
|
|
using de4dot.blocks.cflow;
|
|
using de4dot.code.AssemblyClient;
|
|
using de4dot.code.renamer;
|
|
|
|
namespace de4dot.code {
|
|
public class ObfuscatedFile : IObfuscatedFile, IDeobfuscatedFile {
|
|
Options options;
|
|
ModuleDefMD module;
|
|
IDeobfuscator deob;
|
|
IDeobfuscatorContext deobfuscatorContext;
|
|
AssemblyModule assemblyModule;
|
|
IAssemblyClient assemblyClient;
|
|
DynamicStringInliner dynamicStringInliner;
|
|
IAssemblyClientFactory assemblyClientFactory;
|
|
SavedMethodBodies savedMethodBodies;
|
|
bool userStringDecrypterMethods = false;
|
|
|
|
class SavedMethodBodies {
|
|
Dictionary<MethodDef, SavedMethodBody> savedMethodBodies = new Dictionary<MethodDef, SavedMethodBody>();
|
|
|
|
class SavedMethodBody {
|
|
MethodDef method;
|
|
IList<Instruction> instructions;
|
|
IList<ExceptionHandler> exceptionHandlers;
|
|
|
|
public SavedMethodBody(MethodDef method) {
|
|
this.method = method;
|
|
DotNetUtils.CopyBody(method, out instructions, out exceptionHandlers);
|
|
}
|
|
|
|
public void Restore() {
|
|
DotNetUtils.RestoreBody(method, instructions, exceptionHandlers);
|
|
}
|
|
}
|
|
|
|
public void Save(MethodDef method) {
|
|
if (IsSaved(method))
|
|
return;
|
|
savedMethodBodies[method] = new SavedMethodBody(method);
|
|
}
|
|
|
|
public void RestoreAll() {
|
|
foreach (var smb in savedMethodBodies.Values)
|
|
smb.Restore();
|
|
savedMethodBodies.Clear();
|
|
}
|
|
|
|
public bool IsSaved(MethodDef method) {
|
|
return savedMethodBodies.ContainsKey(method);
|
|
}
|
|
}
|
|
|
|
public class Options {
|
|
public string Filename { get; set; }
|
|
public string NewFilename { get; set; }
|
|
public string ForcedObfuscatorType { get; set; }
|
|
public DecrypterType StringDecrypterType { get; set; }
|
|
public List<string> StringDecrypterMethods { get; private set; }
|
|
public bool ControlFlowDeobfuscation { get; set; }
|
|
public bool KeepObfuscatorTypes { get; set; }
|
|
public bool PreserveTokens { get; set; }
|
|
public MetaDataFlags MetaDataFlags { get; set; }
|
|
public RenamerFlags RenamerFlags { get; set; }
|
|
|
|
public Options() {
|
|
StringDecrypterType = DecrypterType.Default;
|
|
StringDecrypterMethods = new List<string>();
|
|
}
|
|
}
|
|
|
|
public string Filename {
|
|
get { return options.Filename; }
|
|
}
|
|
|
|
public string NewFilename {
|
|
get { return options.NewFilename; }
|
|
}
|
|
|
|
public ModuleDefMD ModuleDefMD {
|
|
get { return module; }
|
|
}
|
|
|
|
public INameChecker NameChecker {
|
|
get { return deob; }
|
|
}
|
|
|
|
public bool RenameResourcesInCode {
|
|
get { return deob.TheOptions.RenameResourcesInCode; }
|
|
}
|
|
|
|
public bool RemoveNamespaceWithOneType {
|
|
get { return (deob.RenamingOptions & RenamingOptions.RemoveNamespaceIfOneType) != 0; }
|
|
}
|
|
|
|
public bool RenameResourceKeys {
|
|
get { return (deob.RenamingOptions & RenamingOptions.RenameResourceKeys) != 0; }
|
|
}
|
|
|
|
public IDeobfuscator Deobfuscator {
|
|
get { return deob; }
|
|
}
|
|
|
|
public IDeobfuscatorContext DeobfuscatorContext {
|
|
get { return deobfuscatorContext; }
|
|
set { deobfuscatorContext = value; }
|
|
}
|
|
|
|
public ObfuscatedFile(Options options, ModuleContext moduleContext, IAssemblyClientFactory assemblyClientFactory) {
|
|
this.assemblyClientFactory = assemblyClientFactory;
|
|
this.options = options;
|
|
userStringDecrypterMethods = options.StringDecrypterMethods.Count > 0;
|
|
options.Filename = Utils.GetFullPath(options.Filename);
|
|
assemblyModule = new AssemblyModule(options.Filename, moduleContext);
|
|
|
|
if (options.NewFilename == null)
|
|
options.NewFilename = GetDefaultNewFilename();
|
|
|
|
if (string.Equals(options.Filename, options.NewFilename, StringComparison.OrdinalIgnoreCase))
|
|
throw new UserException(string.Format("filename is same as new filename! ({0})", options.Filename));
|
|
}
|
|
|
|
string GetDefaultNewFilename() {
|
|
string newFilename = Path.GetFileNameWithoutExtension(options.Filename) + "-cleaned" + Path.GetExtension(options.Filename);
|
|
return Path.Combine(Path.GetDirectoryName(options.Filename), newFilename);
|
|
}
|
|
|
|
public void Load(IList<IDeobfuscator> deobfuscators) {
|
|
try {
|
|
LoadModule(deobfuscators);
|
|
TheAssemblyResolver.Instance.AddSearchDirectory(Utils.GetDirName(Filename));
|
|
TheAssemblyResolver.Instance.AddSearchDirectory(Utils.GetDirName(NewFilename));
|
|
DetectObfuscator(deobfuscators);
|
|
if (deob == null)
|
|
throw new ApplicationException("Could not detect obfuscator!");
|
|
InitializeDeobfuscator();
|
|
}
|
|
finally {
|
|
foreach (var d in deobfuscators) {
|
|
if (d != deob && d != null)
|
|
d.Dispose();
|
|
}
|
|
}
|
|
}
|
|
|
|
void LoadModule(IEnumerable<IDeobfuscator> deobfuscators) {
|
|
ModuleDefMD oldModule = module;
|
|
try {
|
|
module = assemblyModule.Load();
|
|
}
|
|
catch (BadImageFormatException) {
|
|
if (!UnpackNativeImage(deobfuscators))
|
|
throw new BadImageFormatException();
|
|
Logger.v("Unpacked native file");
|
|
}
|
|
finally {
|
|
if (oldModule != null)
|
|
oldModule.Dispose();
|
|
}
|
|
}
|
|
|
|
bool UnpackNativeImage(IEnumerable<IDeobfuscator> deobfuscators) {
|
|
using (var peImage = new PEImage(Filename)) {
|
|
foreach (var deob in deobfuscators) {
|
|
byte[] unpackedData = null;
|
|
try {
|
|
unpackedData = deob.UnpackNativeFile(peImage);
|
|
}
|
|
catch {
|
|
}
|
|
if (unpackedData == null)
|
|
continue;
|
|
|
|
var oldModule = module;
|
|
try {
|
|
module = assemblyModule.Load(unpackedData);
|
|
}
|
|
catch {
|
|
Logger.w("Could not load unpacked data. File: {0}, deobfuscator: {0}", peImage.FileName ?? "(unknown filename)", deob.TypeLong);
|
|
continue;
|
|
}
|
|
finally {
|
|
if (oldModule != null)
|
|
oldModule.Dispose();
|
|
}
|
|
this.deob = deob;
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
void InitializeDeobfuscator() {
|
|
if (options.StringDecrypterType == DecrypterType.Default)
|
|
options.StringDecrypterType = deob.DefaultDecrypterType;
|
|
if (options.StringDecrypterType == DecrypterType.Default)
|
|
options.StringDecrypterType = DecrypterType.Static;
|
|
|
|
deob.Operations = CreateOperations();
|
|
}
|
|
|
|
IOperations CreateOperations() {
|
|
var op = new Operations();
|
|
|
|
switch (options.StringDecrypterType) {
|
|
case DecrypterType.None:
|
|
op.DecryptStrings = OpDecryptString.None;
|
|
break;
|
|
case DecrypterType.Static:
|
|
op.DecryptStrings = OpDecryptString.Static;
|
|
break;
|
|
default:
|
|
op.DecryptStrings = OpDecryptString.Dynamic;
|
|
break;
|
|
}
|
|
|
|
op.KeepObfuscatorTypes = options.KeepObfuscatorTypes;
|
|
op.MetaDataFlags = options.MetaDataFlags;
|
|
op.RenamerFlags = options.RenamerFlags;
|
|
|
|
return op;
|
|
}
|
|
|
|
void DetectObfuscator(IEnumerable<IDeobfuscator> deobfuscators) {
|
|
|
|
// The deobfuscators may call methods to deobfuscate control flow and decrypt
|
|
// strings (statically) in order to detect the obfuscator.
|
|
if (!options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None)
|
|
savedMethodBodies = new SavedMethodBodies();
|
|
|
|
// It's not null if it unpacked a native file
|
|
if (this.deob != null) {
|
|
deob.Initialize(module);
|
|
deob.DeobfuscatedFile = this;
|
|
deob.Detect();
|
|
return;
|
|
}
|
|
|
|
foreach (var deob in deobfuscators) {
|
|
deob.Initialize(module);
|
|
deob.DeobfuscatedFile = this;
|
|
}
|
|
|
|
if (options.ForcedObfuscatorType != null) {
|
|
foreach (var deob in deobfuscators) {
|
|
if (string.Equals(options.ForcedObfuscatorType, deob.Type, StringComparison.OrdinalIgnoreCase)) {
|
|
this.deob = deob;
|
|
deob.Detect();
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
else
|
|
this.deob = DetectObfuscator2(deobfuscators);
|
|
}
|
|
|
|
IDeobfuscator DetectObfuscator2(IEnumerable<IDeobfuscator> deobfuscators) {
|
|
var allDetected = new List<IDeobfuscator>();
|
|
IDeobfuscator detected = null;
|
|
int detectVal = 0;
|
|
foreach (var deob in deobfuscators) {
|
|
this.deob = deob; // So we can call deob.CanInlineMethods in deobfuscate()
|
|
int val;
|
|
//TODO: Re-enable exception handler
|
|
//try {
|
|
val = deob.Detect();
|
|
/*}
|
|
catch {
|
|
val = deob.Type == "un" ? 1 : 0;
|
|
}*/
|
|
Logger.v("{0,3}: {1}", val, deob.TypeLong);
|
|
if (val > 0 && deob.Type != "un")
|
|
allDetected.Add(deob);
|
|
if (val > detectVal) {
|
|
detectVal = val;
|
|
detected = deob;
|
|
}
|
|
}
|
|
this.deob = null;
|
|
|
|
if (allDetected.Count > 1) {
|
|
Logger.n("More than one obfuscator detected:");
|
|
Logger.Instance.Indent();
|
|
foreach (var deob in allDetected)
|
|
Logger.n("{0} (use: -p {1})", deob.Name, deob.Type);
|
|
Logger.Instance.DeIndent();
|
|
}
|
|
|
|
return detected;
|
|
}
|
|
|
|
MetaDataFlags GetMetaDataFlags() {
|
|
var mdFlags = options.MetaDataFlags | deob.MetaDataFlags;
|
|
|
|
// Always preserve tokens if it's an unknown obfuscator
|
|
if (deob.Type == "un") {
|
|
mdFlags |= MetaDataFlags.PreserveRids |
|
|
MetaDataFlags.PreserveUSOffsets |
|
|
MetaDataFlags.PreserveBlobOffsets |
|
|
MetaDataFlags.PreserveExtraSignatureData;
|
|
}
|
|
|
|
return mdFlags;
|
|
}
|
|
|
|
public void Save() {
|
|
Logger.n("Saving {0}", options.NewFilename);
|
|
var mdFlags = GetMetaDataFlags();
|
|
if (!options.ControlFlowDeobfuscation)
|
|
mdFlags |= MetaDataFlags.KeepOldMaxStack;
|
|
assemblyModule.Save(options.NewFilename, mdFlags, new PrintNewTokens(module, deob as IModuleWriterListener));
|
|
}
|
|
|
|
IList<MethodDef> GetAllMethods() {
|
|
var list = new List<MethodDef>();
|
|
|
|
foreach (var type in module.GetTypes()) {
|
|
foreach (var method in type.Methods)
|
|
list.Add(method);
|
|
}
|
|
|
|
return list;
|
|
}
|
|
|
|
public void DeobfuscateBegin() {
|
|
switch (options.StringDecrypterType) {
|
|
case DecrypterType.None:
|
|
CheckSupportedStringDecrypter(StringFeatures.AllowNoDecryption);
|
|
break;
|
|
|
|
case DecrypterType.Static:
|
|
CheckSupportedStringDecrypter(StringFeatures.AllowStaticDecryption);
|
|
break;
|
|
|
|
case DecrypterType.Delegate:
|
|
case DecrypterType.Emulate:
|
|
CheckSupportedStringDecrypter(StringFeatures.AllowDynamicDecryption);
|
|
var newProcFactory = assemblyClientFactory as NewProcessAssemblyClientFactory;
|
|
if (newProcFactory != null)
|
|
assemblyClient = newProcFactory.Create(AssemblyServiceType.StringDecrypter, module);
|
|
else
|
|
assemblyClient = assemblyClientFactory.Create(AssemblyServiceType.StringDecrypter);
|
|
assemblyClient.Connect();
|
|
break;
|
|
|
|
default:
|
|
throw new ApplicationException(string.Format("Invalid string decrypter type '{0}'", options.StringDecrypterType));
|
|
}
|
|
}
|
|
|
|
public void CheckSupportedStringDecrypter(StringFeatures feature) {
|
|
if ((deob.StringFeatures & feature) == feature)
|
|
return;
|
|
throw new UserException(string.Format("Deobfuscator {0} does not support this string decryption type", deob.TypeLong));
|
|
}
|
|
|
|
public void Deobfuscate() {
|
|
Logger.n("Cleaning {0}", options.Filename);
|
|
InitAssemblyClient();
|
|
|
|
for (int i = 0; ; i++) {
|
|
byte[] fileData = null;
|
|
DumpedMethods dumpedMethods = null;
|
|
if (!deob.GetDecryptedModule(i, ref fileData, ref dumpedMethods))
|
|
break;
|
|
ReloadModule(fileData, dumpedMethods);
|
|
}
|
|
|
|
deob.DeobfuscateBegin();
|
|
DeobfuscateMethods();
|
|
deob.DeobfuscateEnd();
|
|
}
|
|
|
|
void ReloadModule(byte[] newModuleData, DumpedMethods dumpedMethods) {
|
|
Logger.v("Reloading decrypted assembly (original filename: {0})", Filename);
|
|
simpleDeobfuscatorFlags.Clear();
|
|
using (var oldModule = module) {
|
|
module = assemblyModule.Reload(newModuleData, CreateDumpedMethodsRestorer(dumpedMethods), deob as IStringDecrypter);
|
|
deob = deob.ModuleReloaded(module);
|
|
}
|
|
InitializeDeobfuscator();
|
|
deob.DeobfuscatedFile = this;
|
|
UpdateDynamicStringInliner();
|
|
}
|
|
|
|
DumpedMethodsRestorer CreateDumpedMethodsRestorer(DumpedMethods dumpedMethods) {
|
|
if (dumpedMethods == null || dumpedMethods.Count == 0)
|
|
return null;
|
|
return new DumpedMethodsRestorer(dumpedMethods);
|
|
}
|
|
|
|
void InitAssemblyClient() {
|
|
if (assemblyClient == null)
|
|
return;
|
|
|
|
assemblyClient.WaitConnected();
|
|
assemblyClient.StringDecrypterService.LoadAssembly(options.Filename);
|
|
|
|
if (options.StringDecrypterType == DecrypterType.Delegate)
|
|
assemblyClient.StringDecrypterService.SetStringDecrypterType(AssemblyData.StringDecrypterType.Delegate);
|
|
else if (options.StringDecrypterType == DecrypterType.Emulate)
|
|
assemblyClient.StringDecrypterService.SetStringDecrypterType(AssemblyData.StringDecrypterType.Emulate);
|
|
else
|
|
throw new ApplicationException(string.Format("Invalid string decrypter type '{0}'", options.StringDecrypterType));
|
|
|
|
dynamicStringInliner = new DynamicStringInliner(assemblyClient);
|
|
UpdateDynamicStringInliner();
|
|
}
|
|
|
|
void UpdateDynamicStringInliner() {
|
|
if (dynamicStringInliner != null)
|
|
dynamicStringInliner.Initialize(GetMethodTokens());
|
|
}
|
|
|
|
IEnumerable<int> GetMethodTokens() {
|
|
if (!userStringDecrypterMethods)
|
|
return deob.GetStringDecrypterMethods();
|
|
|
|
var tokens = new List<int>();
|
|
|
|
foreach (var val in options.StringDecrypterMethods) {
|
|
var tokenStr = val.Trim();
|
|
if (Utils.StartsWith(tokenStr, "0x", StringComparison.OrdinalIgnoreCase))
|
|
tokenStr = tokenStr.Substring(2);
|
|
int methodToken;
|
|
if (int.TryParse(tokenStr, NumberStyles.HexNumber, null, out methodToken))
|
|
tokens.Add(methodToken);
|
|
else
|
|
tokens.AddRange(FindMethodTokens(val));
|
|
}
|
|
|
|
return tokens;
|
|
}
|
|
|
|
IEnumerable<int> FindMethodTokens(string methodDesc) {
|
|
var tokens = new List<int>();
|
|
|
|
string typeString, methodName;
|
|
string[] argsStrings;
|
|
SplitMethodDesc(methodDesc, out typeString, out methodName, out argsStrings);
|
|
|
|
foreach (var type in module.GetTypes()) {
|
|
if (typeString != null && typeString != type.FullName)
|
|
continue;
|
|
foreach (var method in type.Methods) {
|
|
if (!method.IsStatic)
|
|
continue;
|
|
if (method.MethodSig.GetRetType().GetElementType() != ElementType.String && method.MethodSig.GetRetType().GetElementType() != ElementType.Object)
|
|
continue;
|
|
if (methodName != null && methodName != method.Name)
|
|
continue;
|
|
|
|
var sig = method.MethodSig;
|
|
if (argsStrings == null) {
|
|
if (sig.Params.Count == 0)
|
|
continue;
|
|
}
|
|
else {
|
|
if (argsStrings.Length != sig.Params.Count)
|
|
continue;
|
|
for (int i = 0; i < argsStrings.Length; i++) {
|
|
if (argsStrings[i] != sig.Params[i].FullName)
|
|
continue;
|
|
}
|
|
}
|
|
|
|
Logger.v("Adding string decrypter; token: {0:X8}, method: {1}", method.MDToken.ToInt32(), Utils.RemoveNewlines(method.FullName));
|
|
tokens.Add(method.MDToken.ToInt32());
|
|
}
|
|
}
|
|
|
|
return tokens;
|
|
}
|
|
|
|
static void SplitMethodDesc(string methodDesc, out string type, out string name, out string[] args) {
|
|
string stringArgs = null;
|
|
args = null;
|
|
type = null;
|
|
name = null;
|
|
|
|
var remaining = methodDesc;
|
|
int index = remaining.LastIndexOf("::");
|
|
if (index >= 0) {
|
|
type = remaining.Substring(0, index);
|
|
remaining = remaining.Substring(index + 2);
|
|
}
|
|
|
|
index = remaining.IndexOf('(');
|
|
if (index >= 0) {
|
|
name = remaining.Substring(0, index);
|
|
remaining = remaining.Substring(index);
|
|
}
|
|
else {
|
|
name = remaining;
|
|
remaining = "";
|
|
}
|
|
|
|
if (Utils.StartsWith(remaining, "(", StringComparison.Ordinal)) {
|
|
stringArgs = remaining;
|
|
}
|
|
else if (remaining.Length > 0)
|
|
throw new UserException(string.Format("Invalid method desc: '{0}'", methodDesc));
|
|
|
|
if (stringArgs != null) {
|
|
if (Utils.StartsWith(stringArgs, "(", StringComparison.Ordinal))
|
|
stringArgs = stringArgs.Substring(1);
|
|
if (stringArgs.EndsWith(")", StringComparison.Ordinal))
|
|
stringArgs = stringArgs.Substring(0, stringArgs.Length - 1);
|
|
args = stringArgs.Split(',');
|
|
for (int i = 0; i < args.Length; i++)
|
|
args[i] = args[i].Trim();
|
|
}
|
|
|
|
if (type == "")
|
|
type = null;
|
|
if (name == "")
|
|
name = null;
|
|
}
|
|
|
|
public void DeobfuscateEnd() {
|
|
DeobfuscateCleanUp();
|
|
}
|
|
|
|
public void DeobfuscateCleanUp() {
|
|
if (assemblyClient != null) {
|
|
assemblyClient.Dispose();
|
|
assemblyClient = null;
|
|
}
|
|
}
|
|
|
|
void DeobfuscateMethods() {
|
|
if (savedMethodBodies != null) {
|
|
savedMethodBodies.RestoreAll();
|
|
savedMethodBodies = null;
|
|
}
|
|
deob.DeobfuscatedFile = null;
|
|
|
|
if (!options.ControlFlowDeobfuscation) {
|
|
if (options.KeepObfuscatorTypes || deob.Type == "un")
|
|
return;
|
|
}
|
|
|
|
bool isVerbose = !Logger.Instance.IgnoresEvent(LoggerEvent.Verbose);
|
|
bool isVV = !Logger.Instance.IgnoresEvent(LoggerEvent.VeryVerbose);
|
|
if (isVerbose)
|
|
Logger.v("Deobfuscating methods");
|
|
var methodPrinter = new MethodPrinter();
|
|
var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators);
|
|
foreach (var method in GetAllMethods()) {
|
|
if (isVerbose) {
|
|
Logger.v("Deobfuscating {0} ({1:X8})", Utils.RemoveNewlines(method), method.MDToken.ToUInt32());
|
|
Logger.Instance.Indent();
|
|
}
|
|
|
|
int oldIndentLevel = Logger.Instance.IndentLevel;
|
|
//TODO: Re-enable exception handler
|
|
//try {
|
|
Deobfuscate(method, cflowDeobfuscator, methodPrinter, isVerbose, isVV);
|
|
/*}
|
|
catch (Exception ex) {
|
|
if (!CanLoadMethodBody(method)) {
|
|
if (isVerbose)
|
|
Logger.v("Invalid method body. {0:X8}", method.MDToken.ToInt32());
|
|
method.Body = new CilBody();
|
|
}
|
|
else {
|
|
Logger.w("Could not deobfuscate method {0:X8}. Hello, E.T.: {1}", // E.T. = exception type
|
|
method.MDToken.ToInt32(),
|
|
ex.GetType());
|
|
}
|
|
}
|
|
finally {
|
|
Logger.Instance.IndentLevel = oldIndentLevel;
|
|
}*/
|
|
|
|
RemoveNoInliningAttribute(method);
|
|
|
|
if (isVerbose)
|
|
Logger.Instance.DeIndent();
|
|
}
|
|
}
|
|
|
|
static bool CanLoadMethodBody(MethodDef method) {
|
|
try {
|
|
var body = method.Body;
|
|
return true;
|
|
}
|
|
catch {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
bool CanOptimizeLocals() {
|
|
// Don't remove any locals if we must preserve StandAloneSig table
|
|
return (GetMetaDataFlags() & MetaDataFlags.PreserveStandAloneSigRids) == 0;
|
|
}
|
|
|
|
void Deobfuscate(MethodDef method, BlocksCflowDeobfuscator cflowDeobfuscator, MethodPrinter methodPrinter, bool isVerbose, bool isVV) {
|
|
if (!HasNonEmptyBody(method))
|
|
return;
|
|
|
|
var blocks = new Blocks(method);
|
|
int numRemovedLocals = 0;
|
|
int oldNumInstructions = method.Body.Instructions.Count;
|
|
|
|
deob.DeobfuscateMethodBegin(blocks);
|
|
if (options.ControlFlowDeobfuscation) {
|
|
cflowDeobfuscator.Initialize(blocks);
|
|
cflowDeobfuscator.Deobfuscate();
|
|
}
|
|
|
|
if (deob.DeobfuscateOther(blocks) && options.ControlFlowDeobfuscation)
|
|
cflowDeobfuscator.Deobfuscate();
|
|
|
|
if (options.ControlFlowDeobfuscation) {
|
|
if (CanOptimizeLocals())
|
|
numRemovedLocals = blocks.OptimizeLocals();
|
|
blocks.RepartitionBlocks();
|
|
}
|
|
|
|
DeobfuscateStrings(blocks);
|
|
deob.DeobfuscateMethodEnd(blocks);
|
|
|
|
IList<Instruction> allInstructions;
|
|
IList<ExceptionHandler> allExceptionHandlers;
|
|
blocks.GetCode(out allInstructions, out allExceptionHandlers);
|
|
DotNetUtils.RestoreBody(method, allInstructions, allExceptionHandlers);
|
|
|
|
if (isVerbose && numRemovedLocals > 0)
|
|
Logger.v("Removed {0} unused local(s)", numRemovedLocals);
|
|
int numRemovedInstructions = oldNumInstructions - method.Body.Instructions.Count;
|
|
if (isVerbose && numRemovedInstructions > 0)
|
|
Logger.v("Removed {0} dead instruction(s)", numRemovedInstructions);
|
|
|
|
if (isVV) {
|
|
Logger.Log(LoggerEvent.VeryVerbose, "Deobfuscated code:");
|
|
Logger.Instance.Indent();
|
|
methodPrinter.Print(LoggerEvent.VeryVerbose, allInstructions, allExceptionHandlers);
|
|
Logger.Instance.DeIndent();
|
|
}
|
|
}
|
|
|
|
bool HasNonEmptyBody(MethodDef method) {
|
|
return method.HasBody && method.Body.Instructions.Count > 0;
|
|
}
|
|
|
|
void DeobfuscateStrings(Blocks blocks) {
|
|
switch (options.StringDecrypterType) {
|
|
case DecrypterType.None:
|
|
break;
|
|
|
|
case DecrypterType.Static:
|
|
deob.DeobfuscateStrings(blocks);
|
|
break;
|
|
|
|
case DecrypterType.Delegate:
|
|
case DecrypterType.Emulate:
|
|
dynamicStringInliner.Decrypt(blocks);
|
|
break;
|
|
|
|
default:
|
|
throw new ApplicationException(string.Format("Invalid string decrypter type '{0}'", options.StringDecrypterType));
|
|
}
|
|
}
|
|
|
|
void RemoveNoInliningAttribute(MethodDef method) {
|
|
method.IsNoInlining = false;
|
|
for (int i = 0; i < method.CustomAttributes.Count; i++) {
|
|
var cattr = method.CustomAttributes[i];
|
|
if (cattr.TypeFullName != "System.Runtime.CompilerServices.MethodImplAttribute")
|
|
continue;
|
|
int options = 0;
|
|
if (!GetMethodImplOptions(cattr, ref options))
|
|
continue;
|
|
if (options != 0 && options != (int)MethodImplAttributes.NoInlining)
|
|
continue;
|
|
method.CustomAttributes.RemoveAt(i);
|
|
i--;
|
|
}
|
|
}
|
|
|
|
static bool GetMethodImplOptions(CustomAttribute cattr, ref int value) {
|
|
if (cattr.IsRawBlob)
|
|
return false;
|
|
if (cattr.ConstructorArguments.Count != 1)
|
|
return false;
|
|
if (cattr.ConstructorArguments[0].Type.ElementType != ElementType.I2 &&
|
|
cattr.ConstructorArguments[0].Type.FullName != "System.Runtime.CompilerServices.MethodImplOptions")
|
|
return false;
|
|
|
|
var arg = cattr.ConstructorArguments[0].Value;
|
|
if (arg is short) {
|
|
value = (short)arg;
|
|
return true;
|
|
}
|
|
if (arg is int) {
|
|
value = (int)arg;
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
public override string ToString() {
|
|
if (options == null || options.Filename == null)
|
|
return base.ToString();
|
|
return options.Filename;
|
|
}
|
|
|
|
[Flags]
|
|
enum SimpleDeobFlags {
|
|
HasDeobfuscated = 0x1,
|
|
}
|
|
Dictionary<MethodDef, SimpleDeobFlags> simpleDeobfuscatorFlags = new Dictionary<MethodDef, SimpleDeobFlags>();
|
|
bool Check(MethodDef method, SimpleDeobFlags flag) {
|
|
if (method == null)
|
|
return false;
|
|
SimpleDeobFlags oldFlags;
|
|
simpleDeobfuscatorFlags.TryGetValue(method, out oldFlags);
|
|
simpleDeobfuscatorFlags[method] = oldFlags | flag;
|
|
return (oldFlags & flag) == flag;
|
|
}
|
|
bool Clear(MethodDef method, SimpleDeobFlags flag) {
|
|
if (method == null)
|
|
return false;
|
|
SimpleDeobFlags oldFlags;
|
|
if (!simpleDeobfuscatorFlags.TryGetValue(method, out oldFlags))
|
|
return false;
|
|
simpleDeobfuscatorFlags[method] = oldFlags & ~flag;
|
|
return true;
|
|
}
|
|
|
|
void Deobfuscate(MethodDef method, string msg, Action<Blocks> handler) {
|
|
if (savedMethodBodies != null)
|
|
savedMethodBodies.Save(method);
|
|
|
|
Logger.v("{0}: {1} ({2:X8})", msg, Utils.RemoveNewlines(method), method.MDToken.ToUInt32());
|
|
Logger.Instance.Indent();
|
|
|
|
if (HasNonEmptyBody(method)) {
|
|
try {
|
|
var blocks = new Blocks(method);
|
|
|
|
handler(blocks);
|
|
|
|
IList<Instruction> allInstructions;
|
|
IList<ExceptionHandler> allExceptionHandlers;
|
|
blocks.GetCode(out allInstructions, out allExceptionHandlers);
|
|
DotNetUtils.RestoreBody(method, allInstructions, allExceptionHandlers);
|
|
}
|
|
catch {
|
|
Logger.v("Could not deobfuscate {0:X8}", method.MDToken.ToInt32());
|
|
}
|
|
}
|
|
|
|
Logger.Instance.DeIndent();
|
|
}
|
|
|
|
void ISimpleDeobfuscator.MethodModified(MethodDef method) {
|
|
Clear(method, SimpleDeobFlags.HasDeobfuscated);
|
|
}
|
|
|
|
void ISimpleDeobfuscator.Deobfuscate(MethodDef method) {
|
|
((ISimpleDeobfuscator)this).Deobfuscate(method, 0);
|
|
}
|
|
|
|
void ISimpleDeobfuscator.Deobfuscate(MethodDef method, SimpleDeobfuscatorFlags flags) {
|
|
bool force = (flags & SimpleDeobfuscatorFlags.Force) != 0;
|
|
if (method == null || (!force && Check(method, SimpleDeobFlags.HasDeobfuscated)))
|
|
return;
|
|
|
|
Deobfuscate(method, "Deobfuscating control flow", (blocks) => {
|
|
bool disableNewCFCode = (flags & SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs) != 0;
|
|
var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators, disableNewCFCode);
|
|
cflowDeobfuscator.Initialize(blocks);
|
|
cflowDeobfuscator.Deobfuscate();
|
|
});
|
|
}
|
|
|
|
void ISimpleDeobfuscator.DecryptStrings(MethodDef method, IDeobfuscator theDeob) {
|
|
Deobfuscate(method, "Static string decryption", (blocks) => theDeob.DeobfuscateStrings(blocks));
|
|
}
|
|
|
|
void IDeobfuscatedFile.CreateAssemblyFile(byte[] data, string assemblyName, string extension) {
|
|
if (extension == null)
|
|
extension = ".dll";
|
|
var baseDir = Utils.GetDirName(options.NewFilename);
|
|
var newName = Path.Combine(baseDir, assemblyName + extension);
|
|
Logger.n("Creating file {0}", newName);
|
|
File.WriteAllBytes(newName, data);
|
|
}
|
|
|
|
void IDeobfuscatedFile.StringDecryptersAdded() {
|
|
UpdateDynamicStringInliner();
|
|
}
|
|
|
|
void IDeobfuscatedFile.SetDeobfuscator(IDeobfuscator deob) {
|
|
this.deob = deob;
|
|
}
|
|
|
|
public void Dispose() {
|
|
DeobfuscateCleanUp();
|
|
if (module != null)
|
|
module.Dispose();
|
|
if (deob != null)
|
|
deob.Dispose();
|
|
module = null;
|
|
deob = null;
|
|
}
|
|
}
|
|
}
|