public static void DeobfuscateFlow(TestDeobfOptions options, MethodDefinition method)
{
if (options == null || options.Rows == null || options.Rows.Length == 0) return;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.DeobfFlow(options.Rows[0], method);
}
public void Reflector65_FullTest()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Reflector.6.5.exe" };
options.ApplyFrom("Name, String and Boolean Function");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestDeobfOptions options2 = new TestDeobfOptions();
options2.SourceDir = Path.GetDirectoryName(outputFile);
options2.Rows = new string[] { outputFile };
options2.ApplyFrom("Flow without Boolean Function");
options2.LoopCount = 3;
//options2.chkReflectorFixChecked = true;
options2.ExceptionHandlerFile = new ExceptionHandlerFile(ExceptionHandlerFile.Default.FileName);
options2.ExceptionHandlerFile.Keywords.Add("NS006.c000021::m000");
TestDeobfuscator deobf2 = new TestDeobfuscator(options2);
deobf2.Go();
string outputFile2 = options2.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile2 },
new string[] { TestUtils.ObfuscatedCommentText, TestUtils.ObfuscatedForeachText }
);
Utils.DeleteFile(outputFile);
Utils.DeleteFile(outputFile2);
}
public void Test021()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly021.exe" };
options.ApplyFrom("Flow without Boolean Function");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
TestUtils.CheckAndOutput(options.OutputFiles);
Utils.DeleteFile(options.OutputFiles);
}
public static void Deobfuscate(TestDeobfOptions options)
{
if (options == null || options.Rows == null || options.Rows.Length == 0) return;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
if (deobf.Errors.Count > 0)
{
foreach (DeobfError de in deobf.Errors)
{
Utils.ConsoleOutput("{0}\r\n\r\n", de.ToString());
}
Assert.AreEqual(0, deobf.Errors.Count, "Deobfuscate error found.");
}
}
public void Test015_NameOnly()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly015.dll" };
options.ApplyFrom("Name Only");
TestUtils.Deobfuscate(options);
string outputFile = options.OutputFiles[0];
TestPEVerifyOptions vo = new TestPEVerifyOptions();
vo.Rows = new string[] { outputFile };
TestUtils.PEVerify(vo);
Utils.DeleteFile(outputFile);
}
public void Test008()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly008.exe" };
options.ApplyFrom("Name and Flow");
options.chkRemoveAttributeChecked = true;
options.LoopCount = 2;
options.AttributeFile = new AttributeFile(AttributeFile.Default.FileName);
options.AttributeFile.AllLevelStrings.Add("kv7DOvvcwZoqq2qW3V");
TestUtils.DeobfuscateAndCheck(options);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public void Test017()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly017.exe" };
options.ApplyFrom("Flow without Boolean Function");
options.LoopCount = 2;
TestUtils.Deobfuscate(options);
List <MethodDeclarationInfo> list = TestUtils.FindMethods(options.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.Name)
{
case "ak.g() : Int32 (0x060000a5)":
//case "ap.a(bv, ar&, String) : Void (0x0600042c)":
//nop invalid pop
expected++;
break;
//case "ap.am(Object, EventArgs) : Void":
case "n.a(MailMessage, IPAddress, Boolean, ArrayList, String, String, String, Boolean, String, Hashtable, ah) : String[] (0x06000592)":
case "dd.a(DataSet, String, Boolean) : Void (0x060005fd)":
//flow without conditional branch 3 => conditional branch only 1
expected++;
break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(3, expected, unexpected);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public void Test007_NameOnly()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly007.exe" };
options.ApplyFrom("Name Only");
TestUtils.Deobfuscate(options);
string outputFile = options.OutputFiles[0];
AssemblyDefinition ad = AssemblyDefinition.ReadAssembly(outputFile);
string errorMsg = "Failed to find Dispose method in {0}";
string methodName = "Dispose";
string[] parameterTypes = new string[] { "System.Boolean" };
string returnType = "System.Void";
TypeDefinition td;
MethodDefinition md;
string typeName;
typeName = "c0000a0";
td = ad.MainModule.GetType(typeName);
md = TestUtils.FindMethod(td, methodName, parameterTypes, returnType);
Assert.IsNotNull(md, String.Format(errorMsg, typeName));
typeName = "c00009d";
td = ad.MainModule.GetType(typeName);
md = TestUtils.FindMethod(td, methodName, parameterTypes, returnType);
Assert.IsNotNull(md, String.Format(errorMsg, typeName));
typeName = "c00005b";
td = ad.MainModule.GetType(typeName);
md = TestUtils.FindMethod(td, methodName, parameterTypes, returnType);
Assert.IsNotNull(md, String.Format(errorMsg, typeName));
Assert.IsTrue(md.HasOverrides, "Failed to find Overrides for method " + md.ToString());
Assert.AreEqual(methodName, md.Overrides[0].Name, "Failed to find Override Dispose for method " + md.ToString());
typeName = "c00002b";
td = ad.MainModule.GetType(typeName);
md = TestUtils.FindMethod(td, "CompareTo", new string[] { "System.Object" }, "System.Int32");
Assert.IsNotNull(md, String.Format("Failed to find CompareTo method in {0}", typeName));
TestPEVerifyOptions vo = new TestPEVerifyOptions();
vo.Rows = new string[] { outputFile };
TestUtils.PEVerify(vo);
Utils.DeleteFile(outputFile);
}
public void Test024()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly024.exe" };
options.ApplyFrom("Name and String");
options.chkDirectCallChecked = true;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
AssemblyDefinition ad = AssemblyDefinition.ReadAssembly(outputFile);
string typeName;
TypeDefinition td;
MethodDefinition md;
//duplicate property name
typeName = "NS014.c000031";
td = TestUtils.FindType(ad, typeName);
Assert.IsNotNull(td, "Failed to find type: " + typeName);
Assert.AreEqual(5, td.Properties.Count);
Assert.AreEqual("p000001", td.Properties[0].Name);
Assert.AreEqual("p00002e", td.Properties[1].Name);
Assert.AreEqual("p00002f", td.Properties[2].Name);
Assert.AreEqual("p000030", td.Properties[3].Name);
Assert.AreEqual("p000031", td.Properties[4].Name);
//direct call
typeName = "NS002.c000047";
td = TestUtils.FindType(ad, typeName);
Assert.IsNotNull(td, "Failed to find type: " + typeName);
md = TestUtils.FindMethod(td, ".cctor", null, null);
Assert.IsNotNull(td, "Failed to find .cctor: " + typeName);
Collection <Instruction> ic = md.Body.Instructions;
Assert.AreEqual(15, ic.Count);
Assert.AreEqual("System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)", ic[6].Operand.ToString());
Assert.AreEqual("System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)", ic[12].Operand.ToString());
TestUtils.CheckAndOutput(options.OutputFiles);
Utils.DeleteFile(options.OutputFiles);
}
public static void Deobfuscate(TestDeobfOptions options)
{
if (options == null || options.Rows == null || options.Rows.Length == 0)
{
return;
}
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
if (deobf.Errors.Count > 0)
{
foreach (DeobfError de in deobf.Errors)
{
Utils.ConsoleOutput("{0}\r\n\r\n", de.ToString());
}
Assert.AreEqual(0, deobf.Errors.Count, "Deobfuscate error found.");
}
}
public void Test012_NameOnly()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly012.dll" };
options.ApplyFrom("Name Only");
options.chkAddMissingPropertyAndEventChecked = true;
TestUtils.Deobfuscate(options);
string outputFile = options.OutputFiles[0];
TestPEVerifyOptions vo = new TestPEVerifyOptions();
vo.Rows = new string[] { outputFile };
TestUtils.PEVerify(vo);
//TODO: add some checking for added properties
Utils.DeleteFile(outputFile);
}
public void ValidNameTest004()
{
string target;
bool result;
TestDeobfOptions options = new TestDeobfOptions();
target = "Aj4QrTN"; //TODO?
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "AJLlWT"; //TODO?
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "A05qgyfk1";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "auTALepob"; //TODO?
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "Rb6hGgFem";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "t97Xh2M3j";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "LpHIjhc6t";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "GpQNp4q1a";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "WGlD8fXCb";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
}
public void Test001()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly001.exe" };
options.ApplyFrom("Flow");
options.chkRemoveAttributeChecked = true;
options.AttributeFile = new AttributeFile(AttributeFile.Default.FileName);
options.AttributeFile.AllLevelStrings.Add("cvi4cGFBAypGRlpQZB");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile },
new string[] { TestUtils.ObfuscatedCommentText },
new string[] { "AMGtDMpoFL3aEFIsnt", "HKE8WcJreWA12f9Lr8" }
);
Utils.DeleteFile(outputFile);
}
public void Test019()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly019.dll" };
options.ApplyFrom("Flow");
options.chkRemoveAttributeChecked = true;
options.AttributeFile = new AttributeFile(AttributeFile.Default.FileName);
options.AttributeFile.AllLevelStrings.Add("0x02000068");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile });
Utils.DeleteFile(outputFile);
}
public void Test011()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly011.dll" };
options.ApplyFrom("Name and Flow");
options.LoopCount = 2;
TestUtils.Deobfuscate(options);
List <MethodDeclarationInfo> list = TestUtils.FindMethods(options.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.Name)
{
case "c000071.m0000a9(c00005e) : enum072 (0x06000348)":
//Expression stack is empty at offset 0015
//use loop count 1 for this method ...
expected++;
break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(1, expected, unexpected);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public void ValidNameTest003()
{
string target;
bool result;
TestDeobfOptions options = new TestDeobfOptions();
target = "O6Lu9fRJkae1mNEaZw";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "OvsG5kiWa2ig952vSH";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "NqVmlsUVgAvZE5umojm";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "AGEPbiSxbxaFCCuINB";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "PDbM101lmyWjObGHZX";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "uERBbksmWQHZojOlDO";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "mikr9QhOsU7eoLY2vO";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "x20fdba2900edec1d";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
}
public void ValidNameTest002()
{
string target;
bool result;
TestDeobfOptions options = new TestDeobfOptions();
target = "MAX_LENGTH";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "PDF417";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "PDFGetFileName";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "SBConfiguration";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "ISBNumber";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "get_ISBNumber";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "GetISBNumber";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "GetASPXCode";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
}
public void Test001()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly001.exe" };
options.ApplyFrom("Flow");
options.chkRemoveAttributeChecked = true;
options.AttributeFile = new AttributeFile(AttributeFile.Default.FileName);
options.AttributeFile.AllLevelStrings.Add("cvi4cGFBAypGRlpQZB");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile },
new string[] { TestUtils.ObfuscatedCommentText },
new string[] { "AMGtDMpoFL3aEFIsnt", "HKE8WcJreWA12f9Lr8" }
);
Utils.DeleteFile(outputFile);
}
public void Test015()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly015.dll" };
options.ApplyFrom("Name and Flow");
options.LoopCount = 7;
TestUtils.Deobfuscate(options);
List <MethodDeclarationInfo> list = TestUtils.FindMethods(options.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.Name)
{
//case "<Module>.m000001(String, Int32) : String (0x06000001)":
//seems reflector bug, fixed in 7.4
//expected++;
//break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(0, expected, unexpected);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public void Test016()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly016.dll" };
options.ApplyFrom("Name and Flow");
options.LoopCount = 2;
TestUtils.Deobfuscate(options);
List <MethodDeclarationInfo> list = TestUtils.FindMethods(options.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.Name)
{
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(0, expected, unexpected);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
//There is a temp file generated and loaded, can't be deleted
//string tempFile = Path.Combine(options.SourceDir, "HWISD_nat.dll");
//Utils.DeleteFile(tempFile);
}
public void ValidNameTest003()
{
string target;
bool result;
TestDeobfOptions options = new TestDeobfOptions();
target = "O6Lu9fRJkae1mNEaZw";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "OvsG5kiWa2ig952vSH";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "NqVmlsUVgAvZE5umojm";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "AGEPbiSxbxaFCCuINB";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "PDbM101lmyWjObGHZX";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "uERBbksmWQHZojOlDO";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "mikr9QhOsU7eoLY2vO";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "x20fdba2900edec1d";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
}
public void ValidNameTest002()
{
string target;
bool result;
TestDeobfOptions options = new TestDeobfOptions();
target = "MAX_LENGTH";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "PDF417";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "PDFGetFileName";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "SBConfiguration";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "ISBNumber";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "get_ISBNumber";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "GetISBNumber";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "GetASPXCode";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
}
public void Test022()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly022.dll" };
options.ApplyFrom("Default");
options.chkDelegateCallChecked = true;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestDeobfOptions options2 = new TestDeobfOptions();
options2.SourceDir = Path.GetDirectoryName(outputFile);
options2.Rows = new string[] { outputFile };
options2.ApplyFrom("Flow without Boolean Function");
options2.LoopCount = 2;
options2.ExceptionHandlerFile = new ExceptionHandlerFile(ExceptionHandlerFile.Default.FileName);
options2.ExceptionHandlerFile.Keywords.Add("NS004.c00003e::m000");
TestDeobfuscator deobf2 = new TestDeobfuscator(options2);
deobf2.Go();
string outputFile2 = options2.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile2 },
new string[] { TestUtils.ObfuscatedCommentText,
TestUtils.ObfuscatedForeachText }
);
AssemblyDefinition ad = AssemblyDefinition.ReadAssembly(outputFile2);
string typeName = "NS012.c0000cb";
TypeDefinition td = TestUtils.FindType(ad, typeName);
Assert.IsNotNull(td, "Failed to find type: " + typeName);
string methodName = "m00002e";
MethodDefinition md = TestUtils.FindMethod(td, methodName,
new string[] { "System.String" }, "System.String");
Assert.IsNotNull(md, "Failed to find method: " + methodName);
Collection<Instruction> instructions = md.Body.Instructions;
Instruction ins1 = instructions[1];
Assert.AreEqual(Code.Ldstr, ins1.OpCode.Code, "Unexpected opcode " + ins1.OpCode.Code.ToString());
Assert.AreEqual(@"Software\Red Gate\", ins1.Operand, "Unexpected operand " + ins1.Operand as string);
Instruction ins2 = instructions[2];
Assert.AreEqual(Code.Callvirt, ins2.OpCode.Code, "Unexpected opcode " + ins2.OpCode.Code.ToString());
Assert.AreEqual(@"Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String)", ins2.Operand.ToString(), "Unexpected operand " + ins2.Operand as string);
Utils.DeleteFile(outputFile);
Utils.DeleteFile(outputFile2);
}
public void Reflector74_FullTest()
{
//ensure to load default reflector at first
SimpleReflector dummy = SimpleReflector.Default;
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Reflector.7.4.exe" };
options.ApplyFrom("Default");
options.LoopCount = 2;
options.chkDelegateCallChecked = true;
options.IgnoredMethodFile.Regexes.Add(new Regex("RedGate.Licensing"));
options.IgnoredMethodFile.Regexes.Add(new Regex("ReflectorCustomDialog"));
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestDeobfOptions options2 = new TestDeobfOptions();
options2.SourceDir = Path.GetDirectoryName(outputFile);
options2.Rows = new string[] { outputFile };
options2.ApplyFrom("Flow without Boolean Function");
options2.LoopCount = 2;
options2.chkReflectorFixChecked = true;
options2.ExceptionHandlerFile = new ExceptionHandlerFile(ExceptionHandlerFile.Default.FileName);
options2.ExceptionHandlerFile.Keywords.Add("NS011.c000065::m000");
TestDeobfuscator deobf2 = new TestDeobfuscator(options2);
deobf2.Go();
string outputFile2 = options2.OutputFiles[0];
List<MethodDeclarationInfo> list = TestUtils.FindMethods(
new string[] { outputFile2 },
new string[] { TestUtils.ObfuscatedCommentText, TestUtils.ObfuscatedForeachText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.MethodDeclaration.Token)
{
//Edit 2012-12-26: fixed in .Net Reflector 7.7
//case 0x060019ee:
//case 0x0600195b:
//TODO: find reason? or use ILSpy
//Non-matching stack heights
//expected++;
//break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(0, expected, unexpected);
Utils.DeleteFile(outputFile);
Utils.DeleteFile(outputFile2);
}
public void Test012_NameOnly()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly012.dll" };
options.ApplyFrom("Name Only");
options.chkAddMissingPropertyAndEventChecked = true;
TestUtils.Deobfuscate(options);
string outputFile = options.OutputFiles[0];
TestPEVerifyOptions vo = new TestPEVerifyOptions();
vo.Rows = new string[] { outputFile };
TestUtils.PEVerify(vo);
//TODO: add some checking for added properties
Utils.DeleteFile(outputFile);
}
public static void DeobfuscateAndCheck(TestDeobfOptions options)
{
DeobfuscateAndCheck(options, new string[] { ObfuscatedCommentText });
}
public void Test016()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly016.dll" };
options.ApplyFrom("Name and Flow");
options.LoopCount = 2;
TestUtils.Deobfuscate(options);
List<MethodDeclarationInfo> list = TestUtils.FindMethods(options.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.Name)
{
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(0, expected, unexpected);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
//There is a temp file generated and loaded, can't be deleted
//string tempFile = Path.Combine(options.SourceDir, "HWISD_nat.dll");
//Utils.DeleteFile(tempFile);
}
public void Test018()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly018.dll" };
options.ApplyFrom("Flow");
options.LoopCount = 2;
TestUtils.Deobfuscate(options);
TestDeobfOptions options2 = new TestDeobfOptions();
options2.Rows = options.OutputFiles;
options2.SourceDir = Path.GetDirectoryName(options.OutputFiles[0]);
options2.ApplyFrom("Flow without Boolean Function");
options2.chkCondBranchUpChecked = true;
options2.chkReflectorFixChecked = true;
options2.LoopCount = 2;
TestUtils.Deobfuscate(options2);
List <MethodDeclarationInfo> list = TestUtils.FindMethods(options2.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.Name)
{
//case "<Module>.a(String, Int32) : String (0x06000001)":
//seems reflector bug, fixed in 7.4
//expected++;
//break;
//case "l.a(String, String&) : String":
//use branch only 2, then +cond branch 2
//expected++;
//break;
case "b5.a(Object, Type, m, LicenseContext, StackTrace) : SecureLicense (0x06000949)":
//use branch only 2, make branch on instruction 124
expected++;
break;
case "aj.f(ParsedAttributeDictionary) : Void (0x06000ecd)":
//use branch 6, then you get "Expression stack is empty at xxx."
//second exception handler, nop 267 stloc.3
//it's not exactly correct becase local variable index 3 doesn't contains the current exception any more
expected++;
break;
case "Util.GetMergeType(String) : Type (0x060020ca)":
//use branch 6
expected++;
break;
case "AdoHelper<TFactory>.FillDataset(IDbCommand, DataSet, String[]) : Void (0x06001fa0)":
//use branch 6, then conditional branch 1, finally you can block move 1
expected++;
break;
case "ZipEntry.a(ZipFile) : ZipEntry (0x060011ba)":
//use default 2
expected++;
break;
case "aj.a() : Void (0x06000f03)":
case "cv.a(Int32) : Int32 (0x06000f7b)":
case "ZipEntry.a(ZipEntry, Encoding) : Boolean (0x06001228)":
//use block move option
expected++;
break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(8, expected, unexpected);
Utils.DeleteFile(options.OutputFiles);
Utils.DeleteFile(options2.OutputFiles);
}
public void Test019()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly019.dll" };
options.ApplyFrom("Flow");
options.chkRemoveAttributeChecked = true;
options.AttributeFile = new AttributeFile(AttributeFile.Default.FileName);
options.AttributeFile.AllLevelStrings.Add("0x02000068");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile });
Utils.DeleteFile(outputFile);
}
public void Test011()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly011.dll" };
options.ApplyFrom("Name and Flow");
options.LoopCount = 2;
TestUtils.Deobfuscate(options);
List<MethodDeclarationInfo> list = TestUtils.FindMethods(options.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.Name)
{
case "c000071.m0000a9(c00005e) : enum072 (0x06000348)":
//Expression stack is empty at offset 0015
//use loop count 1 for this method ...
expected++;
break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(1, expected, unexpected);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public static void DeobfuscateAndCheck(TestDeobfOptions options)
{
DeobfuscateAndCheck(options, new string[] { ObfuscatedCommentText });
}
public void Test020()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly020.exe" };
options.ApplyFrom("Default");
options.chkAutoStringChecked = false;
options.chkBoolFunctionChecked = false;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
List<MethodDeclarationInfo> list = TestUtils.FindMethods(options.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.MethodDeclaration.Token)
{
case 0x06000012:
//case 0x06000155:
case 0x06000199:
case 0x060001ce:
case 0x060001cf:
case 0x06000774:
//use branch only
expected++;
break;
case 0x060003ad:
//case 0x06000413:
//use brach only 2 + conditional brach 2
expected++;
break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(6, expected, unexpected);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public void ValidNameTest001()
{
string target;
bool result;
TestDeobfOptions options = new TestDeobfOptions();
target = "delegate037";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "m0000a5";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "A4";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "runMethod2";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "get_AssemblyName";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "CloseAllOpeningFiles";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "UserCommentMaxLength";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "get_RefersToR1C1";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "CompareTo";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "Superscript";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "SyncRoot";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "CheckLayout";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "SW_MINIMIZE";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "CreateAQF1Completed";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
}
public void ValidNameTest004()
{
string target;
bool result;
TestDeobfOptions options = new TestDeobfOptions();
target = "Aj4QrTN"; //TODO?
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "AJLlWT"; //TODO?
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "A05qgyfk1";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "auTALepob"; //TODO?
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "Rb6hGgFem";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "t97Xh2M3j";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "LpHIjhc6t";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "GpQNp4q1a";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
target = "WGlD8fXCb";
result = DeobfUtils.IsValidName(target, options);
Assert.IsFalse(result, target);
}
public void Test018()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly018.dll" };
options.ApplyFrom("Flow");
options.LoopCount = 2;
TestUtils.Deobfuscate(options);
TestDeobfOptions options2 = new TestDeobfOptions();
options2.Rows = options.OutputFiles;
options2.SourceDir = Path.GetDirectoryName(options.OutputFiles[0]);
options2.ApplyFrom("Flow without Boolean Function");
options2.chkCondBranchUpChecked = true;
options2.chkReflectorFixChecked = true;
options2.LoopCount = 2;
TestUtils.Deobfuscate(options2);
List<MethodDeclarationInfo> list = TestUtils.FindMethods(options2.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.Name)
{
//case "<Module>.a(String, Int32) : String (0x06000001)":
//seems reflector bug, fixed in 7.4
//expected++;
//break;
//case "l.a(String, String&) : String":
//use branch only 2, then +cond branch 2
//expected++;
//break;
case "b5.a(Object, Type, m, LicenseContext, StackTrace) : SecureLicense (0x06000949)":
//use branch only 2, make branch on instruction 124
expected++;
break;
case "aj.f(ParsedAttributeDictionary) : Void (0x06000ecd)":
//use branch 6, then you get "Expression stack is empty at xxx."
//second exception handler, nop 267 stloc.3
//it's not exactly correct becase local variable index 3 doesn't contains the current exception any more
expected++;
break;
case "Util.GetMergeType(String) : Type (0x060020ca)":
//use branch 6
expected++;
break;
case "AdoHelper<TFactory>.FillDataset(IDbCommand, DataSet, String[]) : Void (0x06001fa0)":
//use branch 6, then conditional branch 1, finally you can block move 1
expected++;
break;
case "ZipEntry.a(ZipFile) : ZipEntry (0x060011ba)":
//use default 2
expected++;
break;
case "aj.a() : Void (0x06000f03)":
case "cv.a(Int32) : Int32 (0x06000f7b)":
case "ZipEntry.a(ZipEntry, Encoding) : Boolean (0x06001228)":
//use block move option
expected++;
break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(8, expected, unexpected);
Utils.DeleteFile(options.OutputFiles);
Utils.DeleteFile(options2.OutputFiles);
}
public void ValidNameTest001()
{
string target;
bool result;
TestDeobfOptions options = new TestDeobfOptions();
target = "delegate037";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "m0000a5";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "A4";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "runMethod2";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "get_AssemblyName";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "CloseAllOpeningFiles";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "UserCommentMaxLength";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "get_RefersToR1C1";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "CompareTo";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "Superscript";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "SyncRoot";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "CheckLayout";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "SW_MINIMIZE";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
target = "CreateAQF1Completed";
result = DeobfUtils.IsValidName(target, options);
Assert.IsTrue(result, target);
}
public void Test015_NameOnly()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly015.dll" };
options.ApplyFrom("Name Only");
TestUtils.Deobfuscate(options);
string outputFile = options.OutputFiles[0];
TestPEVerifyOptions vo = new TestPEVerifyOptions();
vo.Rows = new string[] { outputFile };
TestUtils.PEVerify(vo);
Utils.DeleteFile(outputFile);
}
public void Test015()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly015.dll" };
options.ApplyFrom("Name and Flow");
options.LoopCount = 7;
TestUtils.Deobfuscate(options);
List<MethodDeclarationInfo> list = TestUtils.FindMethods(options.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.Name)
{
//case "<Module>.m000001(String, Int32) : String (0x06000001)":
//seems reflector bug, fixed in 7.4
//expected++;
//break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(0, expected, unexpected);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public void Test014()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly014.exe" };
options.ApplyFrom("Default");
options.LoopCount = 3;
options.IgnoredTypeFile.Regexes.Add(new Regex("DevExpress"));
TestUtils.DeobfuscateAndCheck(options);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public static void DeobfuscateAndCheck(TestDeobfOptions options, string[] searchFors)
{
Deobfuscate(options);
CheckAndOutput(options.OutputFiles, searchFors);
}
public TestDeobfuscator(TestDeobfOptions options)
: base(options)
{
}
public void Test013_NameOnly()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly013.dll" };
options.ApplyFrom("Name Only");
TestUtils.Deobfuscate(options);
string outputFile = options.OutputFiles[0];
TestPEVerifyOptions vo = new TestPEVerifyOptions();
vo.Rows = new string[] { outputFile };
//After upgrade to 4.0, peverify find 1 error
//TestUtils.PEVerify(vo);
vo.TextInfoBox = new System.Windows.Forms.TextBox();
TestPEVerifier verifier = new TestPEVerifier(vo);
verifier.Go();
string outputText = vo.TextInfoBox.Text;
if (
outputText.Contains("1 Error(s) Verifying") &&
outputText.Contains("NS014.c000148[T]::m0003db][mdToken=0x6000f71][offset 0x00000021] The 'this' parameter to the call must be the calling method's 'this' parameter.(Error: 0x801318E1)")
)
{
Utils.DeleteFile(outputFile);
}
else
{
Assert.Fail(String.Format("Failed to verify {0}", options.Rows[0]));
}
}
public void Reflector70_FullTest()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Reflector.7.0.exe" };
options.ApplyFrom("Default");
options.LoopCount = 2;
options.chkDelegateCallChecked = true;
options.IgnoredMethodFile.Regexes.Add(new Regex("0x060000c3")); //for 7.0
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestDeobfOptions options2 = new TestDeobfOptions();
options2.SourceDir = Path.GetDirectoryName(outputFile);
options2.Rows = new string[] { outputFile };
options2.ApplyFrom("Flow without Boolean Function");
options2.LoopCount = 2;
options2.chkReflectorFixChecked = true;
options2.ExceptionHandlerFile = new ExceptionHandlerFile(ExceptionHandlerFile.Default.FileName);
options2.ExceptionHandlerFile.Keywords.Add("NS011.c000065::m000");
TestDeobfuscator deobf2 = new TestDeobfuscator(options2);
deobf2.Go();
string outputFile2 = options2.OutputFiles[0];
List<MethodDeclarationInfo> list = TestUtils.FindMethods(
new string[] { outputFile2 },
new string[] { TestUtils.ObfuscatedCommentText, TestUtils.ObfuscatedForeachText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.MethodDeclaration.Token)
{
//case 0x060008ef:
//c000183.m0003ea(Int32) : Int32 (0x060008ef):
//use cond branch (up) once at last
//expected++;
//break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(0, expected, unexpected);
Utils.DeleteFile(outputFile);
Utils.DeleteFile(outputFile2);
}
public void Test023_NameOnly()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly023.exe" };
options.ApplyFrom("Name Only");
TestUtils.Deobfuscate(options);
Utils.DeleteFile(options.OutputFiles);
}
public void Test024()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly024.exe" };
options.ApplyFrom("Name and String");
options.chkDirectCallChecked = true;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
AssemblyDefinition ad = AssemblyDefinition.ReadAssembly(outputFile);
string typeName;
TypeDefinition td;
MethodDefinition md;
//duplicate property name
typeName = "NS014.c000031";
td = TestUtils.FindType(ad, typeName);
Assert.IsNotNull(td, "Failed to find type: " + typeName);
Assert.AreEqual(5, td.Properties.Count);
Assert.AreEqual("p000001", td.Properties[0].Name);
Assert.AreEqual("p00002e", td.Properties[1].Name);
Assert.AreEqual("p00002f", td.Properties[2].Name);
Assert.AreEqual("p000030", td.Properties[3].Name);
Assert.AreEqual("p000031", td.Properties[4].Name);
//direct call
typeName = "NS002.c000047";
td = TestUtils.FindType(ad, typeName);
Assert.IsNotNull(td, "Failed to find type: " + typeName);
md = TestUtils.FindMethod(td, ".cctor", null, null);
Assert.IsNotNull(td, "Failed to find .cctor: " + typeName);
Collection<Instruction> ic = md.Body.Instructions;
Assert.AreEqual(15, ic.Count);
Assert.AreEqual("System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)", ic[6].Operand.ToString());
Assert.AreEqual("System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)", ic[12].Operand.ToString());
TestUtils.CheckAndOutput(options.OutputFiles);
Utils.DeleteFile(options.OutputFiles);
}
public void Test017()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly017.exe" };
options.ApplyFrom("Flow without Boolean Function");
options.LoopCount = 2;
TestUtils.Deobfuscate(options);
List<MethodDeclarationInfo> list = TestUtils.FindMethods(options.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.Name)
{
case "ak.g() : Int32 (0x060000a5)":
//case "ap.a(bv, ar&, String) : Void (0x0600042c)":
//nop invalid pop
expected ++;
break;
//case "ap.am(Object, EventArgs) : Void":
case "n.a(MailMessage, IPAddress, Boolean, ArrayList, String, String, String, Boolean, String, Hashtable, ah) : String[] (0x06000592)":
case "dd.a(DataSet, String, Boolean) : Void (0x060005fd)":
//flow without conditional branch 3 => conditional branch only 1
expected ++;
break;
default:
TestUtils.Output(mdi, null);
unexpected ++;
break;
}
}
TestUtils.AssertFail(3, expected, unexpected);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public TestDeobfuscator(TestDeobfOptions options)
: base(options)
{
}
public static void DeobfuscateAndCheck(TestDeobfOptions options, string[] searchFors)
{
Deobfuscate(options);
CheckAndOutput(options.OutputFiles, searchFors);
}
public void Test010()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly010.dll" };
options.ApplyFrom("Name and Flow");
options.LoopCount = 2;
TestUtils.DeobfuscateAndCheck(options);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}