/// <summary>
/// Stores the module and the two deobfuscator helpers, and caches the value
/// returned by <c>DotNetUtils.getFrameworkType</c> for that module.
/// </summary>
/// <param name="module">Module being analysed.</param>
/// <param name="simpleDeobfuscator">Helper kept for later use by this resolver.</param>
/// <param name="deob">Deobfuscator kept for later use by this resolver.</param>
public ResolverBase(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    this.simpleDeobfuscator = simpleDeobfuscator;
    this.deob = deob;
    this.module = module;
    frameworkType = DotNetUtils.getFrameworkType(module);
}
/// <summary>
/// Scans the module's types for the first one that matches the resolver-type shape
/// checked below and records it together with the methods and resource found on it.
/// </summary>
/// <param name="simpleDeobfuscator">Passed through to the resource lookup.</param>
/// <param name="deob">Passed through to the resource lookup.</param>
public void find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    foreach (var candidate in module.Types) {
        // Shape filter: exactly one field, a plain non-generic reference type.
        if (candidate.Fields.Count != 1 || candidate.HasNestedTypes || candidate.HasGenericParameters || candidate.IsValueType)
            continue;
        if (DotNetUtils.getField(candidate, "System.Reflection.Assembly") == null || DotNetUtils.getMethod(candidate, ".cctor") == null)
            continue;

        var streamGetter = getTheOnlyMethod(candidate, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
        var namesGetter = getTheOnlyMethod(candidate, "System.String[]", "(System.Reflection.Assembly)");
        if (streamGetter == null && namesGetter == null)
            continue;

        // A stream getter without its backing resource is rejected.
        var foundResource = findGetManifestResourceStreamTypeResource(candidate, simpleDeobfuscator, deob);
        if (foundResource == null && streamGetter != null)
            continue;

        getManifestResourceStreamType = candidate;
        getManifestResourceStream1Method = null;
        getManifestResourceStream2Method = streamGetter;
        getManifestResourceNamesMethod = namesGetter;
        getManifestResourceStreamTypeResource = foundResource;
        return;
    }
}
/// <summary>
/// Runs <c>checkInitMethod</c> on the module type's static constructor and, only if
/// that returns false, on the module entry point.
/// </summary>
public void find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    var moduleCctor = DotNetUtils.getModuleTypeCctor(module);
    if (!checkInitMethod(moduleCctor, simpleDeobfuscator, deob))
        checkInitMethod(module.EntryPoint, simpleDeobfuscator, deob);
}
/// <summary>
/// Forwards to the callback-based <c>findEmbeddedResource</c> overload with a callback
/// that deobfuscates a method and then statically decrypts its strings.
/// </summary>
/// <returns>Whatever the callback-based overload returns.</returns>
public static EmbeddedResource findEmbeddedResource(ModuleDefinition module, TypeDefinition decrypterType, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    return findEmbeddedResource(module, decrypterType, target => {
        // Order matters: control flow is cleaned before strings are decrypted.
        simpleDeobfuscator.deobfuscate(target);
        simpleDeobfuscator.decryptStrings(target, deob);
    });
}
/// <summary>
/// Scans the module's types for the first one that matches the resolver-type shape
/// checked below, then records the type, its resource and the helper methods found on it.
/// </summary>
/// <param name="simpleDeobfuscator">Passed through to the resource lookup.</param>
/// <param name="deob">Passed through to the resource lookup.</param>
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    foreach (var candidate in module.Types) {
        // Shape filter: exactly one field, a plain non-generic reference type.
        if (candidate.Fields.Count != 1 || candidate.HasNestedTypes || candidate.HasGenericParameters || candidate.IsValueType)
            continue;
        if (DotNetUtils.GetField(candidate, "System.Reflection.Assembly") == null || candidate.FindStaticConstructor() == null)
            continue;

        var streamGetter = GetTheOnlyMethod(candidate, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
        var namesGetter = GetTheOnlyMethod(candidate, "System.String[]", "(System.Reflection.Assembly)");
        var refAsmsGetter = GetTheOnlyMethod(candidate, "System.Reflection.AssemblyName[]", "(System.Reflection.Assembly)");
        var bitmapFactory = GetTheOnlyMethod(candidate, "System.Drawing.Bitmap", "(System.Type,System.String)");
        var iconFactory = GetTheOnlyMethod(candidate, "System.Drawing.Icon", "(System.Type,System.String)");
        if (streamGetter == null && namesGetter == null && refAsmsGetter == null && bitmapFactory == null && iconFactory == null)
            continue;

        // A stream getter without its backing resource is rejected.
        var foundResource = FindGetManifestResourceStreamTypeResource(candidate, simpleDeobfuscator, deob);
        if (foundResource == null && streamGetter != null)
            continue;

        getManifestResourceStreamType = candidate;
        CreateGetManifestResourceStream2(streamGetter);
        CreateGetManifestResourceNames(namesGetter);
        CreateGetReferencedAssemblies(refAsmsGetter);
        CreateBitmapCtor(bitmapFactory);
        CreateIconCtor(iconFactory);
        getManifestResourceStreamTypeResource = foundResource;
        return;
    }
}
/// <summary>
/// Stores the module and deobfuscator helpers, then calls <c>findTypes</c>.
/// </summary>
public ResolverInfoBase(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    this.deob = deob;
    this.simpleDeobfuscator = simpleDeobfuscator;
    this.module = module;

    // Runs last, after all three fields have been assigned.
    findTypes();
}
/// <summary>
/// Looks through the private static methods of <paramref name="type"/> that have the
/// expected signature, cleans each one, and returns the first embedded resource whose
/// name appears among the method's code strings.
/// </summary>
/// <returns>The matching embedded resource, or null when none is found.</returns>
EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    foreach (var candidate in type.Methods) {
        bool usable = candidate.IsPrivate && candidate.IsStatic && candidate.Body != null;
        if (!usable)
            continue;
        if (!DotNetUtils.IsMethod(candidate, "System.String", "(System.Reflection.Assembly,System.Type,System.String)"))
            continue;

        // Strings are only readable after control flow and string encryption are undone.
        simpleDeobfuscator.Deobfuscate(candidate);
        simpleDeobfuscator.DecryptStrings(candidate, deob);

        foreach (var resourceName in DotNetUtils.GetCodeStrings(candidate)) {
            var embedded = DotNetUtils.GetResource(module, resourceName) as EmbeddedResource;
            if (embedded == null)
                continue;
            return embedded;
        }
    }
    return null;
}
/// <summary>
/// Scans the module's types for the first one that matches the resolver-type shape
/// checked below, then records the type, its resource and the helper methods found on it.
/// </summary>
/// <param name="simpleDeobfuscator">Passed through to the resource lookup.</param>
/// <param name="deob">Passed through to the resource lookup.</param>
public void find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    foreach (var candidate in module.Types) {
        // Shape filter: exactly one field, a plain non-generic reference type.
        if (candidate.Fields.Count != 1 || candidate.HasNestedTypes || candidate.HasGenericParameters || candidate.IsValueType)
            continue;
        if (DotNetUtils.getField(candidate, "System.Reflection.Assembly") == null || DotNetUtils.getMethod(candidate, ".cctor") == null)
            continue;

        var streamGetter = getTheOnlyMethod(candidate, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
        var namesGetter = getTheOnlyMethod(candidate, "System.String[]", "(System.Reflection.Assembly)");
        var bitmapFactory = getTheOnlyMethod(candidate, "System.Drawing.Bitmap", "(System.Type,System.String)");
        var iconFactory = getTheOnlyMethod(candidate, "System.Drawing.Icon", "(System.Type,System.String)");
        if (streamGetter == null && namesGetter == null && bitmapFactory == null && iconFactory == null)
            continue;

        // A stream getter without its backing resource is rejected.
        var foundResource = findGetManifestResourceStreamTypeResource(candidate, simpleDeobfuscator, deob);
        if (foundResource == null && streamGetter != null)
            continue;

        getManifestResourceStreamType = candidate;
        createGetManifestResourceStream2(streamGetter);
        createGetManifestResourceNames(namesGetter);
        createBitmapCtor(bitmapFactory);
        createIconCtor(iconFactory);
        getManifestResourceStreamTypeResource = foundResource;
        return;
    }
}
/// <summary>
/// Asks every deobfuscator for a detection score and returns the one with the highest
/// positive score. Logs a hint when more than one non-"un" deobfuscator scores above zero.
/// </summary>
/// <returns>The best-scoring deobfuscator, or null when no score is above zero.</returns>
IDeobfuscator DetectObfuscator2(IEnumerable<IDeobfuscator> deobfuscators) {
    var positives = new List<IDeobfuscator>();
    IDeobfuscator best = null;
    int bestScore = 0;

    foreach (var candidate in deobfuscators) {
        this.deob = candidate;  // So we can call deob.CanInlineMethods in deobfuscate()

        //TODO: Re-enable exception handler
        // The handler is currently disabled, so an exception thrown by Detect()
        // propagates to the caller. The disabled fallback was:
        //   score = candidate.Type == "un" ? 1 : 0;
        int score = candidate.Detect();

        Logger.v("{0,3}: {1}", score, candidate.TypeLong);
        if (score > 0 && candidate.Type != "un")
            positives.Add(candidate);
        if (score <= bestScore)
            continue;
        bestScore = score;
        best = candidate;
    }
    this.deob = null;

    if (positives.Count > 1) {
        Logger.n("More than one obfuscator detected:");
        Logger.Instance.Indent();
        foreach (var candidate in positives)
            Logger.n("{0} (use: -p {1})", candidate.Name, candidate.Type);
        Logger.Instance.DeIndent();
    }
    return best;
}
/// <summary>
/// Searches the methods called by <paramref name="checkMethod"/> for a static
/// <c>void ()</c> initializer whose declaring type has exactly a Hashtable and a Boolean
/// field, then collects the numbered embedded resources named by its resolve handler.
/// </summary>
/// <returns>True when an init method was found and recorded; otherwise false.</returns>
bool checkInitMethod(MethodDef checkMethod, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    string[] requiredFields = {
        "System.Collections.Hashtable",
        "System.Boolean",
    };

    foreach (var candidate in DotNetUtils.getCalledMethods(module, checkMethod)) {
        if (candidate.Body == null || !candidate.IsStatic)
            continue;
        if (!DotNetUtils.isMethod(candidate, "System.Void", "()"))
            continue;

        var owner = candidate.DeclaringType;
        if (!new FieldTypes(owner).exactly(requiredFields))
            continue;

        var ctor = owner.FindMethod(".ctor");
        if (ctor == null)
            continue;
        var handler = DeobUtils.getResolveMethod(ctor);
        if (handler == null)
            continue;

        simpleDeobfuscator.decryptStrings(handler, deob);
        var resourcePrefix = getResourcePrefix(handler);
        if (resourcePrefix == null)
            continue;

        // Resources are named prefix + 5-digit index; stop at the first missing index.
        int index = 0;
        while (true) {
            var embedded = DotNetUtils.getResource(module, resourcePrefix + index.ToString("D5")) as EmbeddedResource;
            if (embedded == null)
                break;
            resources.Add(embedded);
            index++;
        }

        initMethod = candidate;
        return true;
    }
    return false;
}
/// <summary>
/// Asks every deobfuscator for a detection score and returns the one with the highest
/// positive score. Logs a hint when more than one non-"un" deobfuscator scores above zero.
/// </summary>
/// <returns>The best-scoring deobfuscator, or null when no score is above zero.</returns>
IDeobfuscator detectObfuscator2(IEnumerable<IDeobfuscator> deobfuscators) {
    var positives = new List<IDeobfuscator>();
    IDeobfuscator best = null;
    int bestScore = 0;

    foreach (var candidate in deobfuscators) {
        this.deob = candidate;  // So we can call deob.CanInlineMethods in deobfuscate()

        int score;
        try {
            score = candidate.detect();
        }
        catch {
            // Any detector failure is swallowed without logging: the "un" detector
            // then scores 1 and every other detector scores 0.
            score = candidate.Type == "un" ? 1 : 0;
        }

        Log.v("{0,3}: {1}", score, candidate.TypeLong);
        if (score > 0 && candidate.Type != "un")
            positives.Add(candidate);
        if (score <= bestScore)
            continue;
        bestScore = score;
        best = candidate;
    }
    this.deob = null;

    if (positives.Count > 1) {
        Log.n("More than one obfuscator detected:");
        Log.indent();
        foreach (var candidate in positives)
            Log.n("{0} (use: -p {1})", candidate.Name, candidate.Type);
        Log.deIndent();
    }
    return best;
}
/// <summary>
/// Runs the early-detection pass of every deobfuscator and returns the one with the
/// highest positive score. Positive scores are logged at verbose level.
/// </summary>
/// <returns>The best-scoring deobfuscator, or null when no score is above zero.</returns>
IDeobfuscator earlyDetectObfuscator(IEnumerable<IDeobfuscator> deobfuscators) {
    IDeobfuscator best = null;
    int bestScore = 0;
    foreach (var candidate in deobfuscators) {
        int score = candidate.earlyDetect();
        if (score > 0)
            Log.v("{0,3}: {1}", score, candidate.TypeLong);
        if (score <= bestScore)
            continue;
        bestScore = score;
        best = candidate;
    }
    return best;
}
/// <summary>
/// Selects the deobfuscator for this file: the one already set by native unpacking,
/// the one forced through the options, or the best match from <c>DetectObfuscator2</c>.
/// </summary>
void DetectObfuscator(IEnumerable<IDeobfuscator> deobfuscators) {
    // The deobfuscators may call methods to deobfuscate control flow and decrypt
    // strings (statically) in order to detect the obfuscator.
    bool needSavedBodies = !options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None;
    if (needSavedBodies)
        savedMethodBodies = new SavedMethodBodies();

    // It's not null if it unpacked a native file
    if (this.deob != null) {
        this.deob.Initialize(module);
        this.deob.DeobfuscatedFile = this;
        this.deob.Detect();
        return;
    }

    foreach (var candidate in deobfuscators) {
        candidate.Initialize(module);
        candidate.DeobfuscatedFile = this;
    }

    if (options.ForcedObfuscatorType == null) {
        this.deob = DetectObfuscator2(deobfuscators);
        return;
    }

    // A forced type that matches no deobfuscator leaves this.deob unset here.
    foreach (var candidate in deobfuscators) {
        if (!string.Equals(options.ForcedObfuscatorType, candidate.Type, StringComparison.OrdinalIgnoreCase))
            continue;
        this.deob = candidate;
        candidate.Detect();
        return;
    }
}
/// <summary>
/// Adds a file to the deobfuscator and loads it.
/// </summary>
/// <param name="fileName">The name of the obfuscation map file to load.</param>
/// <exception cref="NotSupportedException">
/// No implementation has been chosen yet and neither known format supports the file.
/// </exception>
public void AddFile(string fileName) {
    // The implementation is chosen from the first file only; later files are handed
    // to that implementation without another SupportsFile check.
    if (deobfuscatorImpl == null) {
        // Find out what system we need for this file
        if (SeeUnsharpDeobfuscator.SupportsFile(fileName)) {
            deobfuscatorImpl = new SeeUnsharpDeobfuscator();
        }
        else {
            if (!DotfuscatorDeobfuscator.SupportsFile(fileName))
                throw new NotSupportedException("The obfuscation map file is not supported.");
            deobfuscatorImpl = new DotfuscatorDeobfuscator();
        }
    }
    deobfuscatorImpl.AddFile(fileName);
}
/// <summary>
/// Finds the static <c>void ()</c> method of the resolver type that contains both the
/// ':' and '|' integer constants, cleans it, and initializes the infos from it.
/// </summary>
/// <returns>
/// True when there is no handler method or a candidate initialized successfully;
/// false when no candidate did.
/// </returns>
bool initializeInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    if (handlerMethod == null)
        return true;

    foreach (var candidate in resolverType.Methods) {
        if (!candidate.IsStatic || candidate.Body == null)
            continue;
        if (!DotNetUtils.isMethod(candidate, "System.Void", "()"))
            continue;
        bool hasSeparators = DeobUtils.hasInteger(candidate, ':') && DeobUtils.hasInteger(candidate, '|');
        if (!hasSeparators)
            continue;

        simpleDeobfuscator.deobfuscate(candidate);
        simpleDeobfuscator.decryptStrings(candidate, deob);
        if (initializeInfos(candidate))
            return true;
    }
    return false;
}
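/// <summary>
/// Locates and decrypts the embedded-assemblies resource of the resolver type and
/// builds one <c>EmbeddedAssemblyInfo</c> per assembly stored in it.
/// </summary>
/// <param name="simpleDeobfuscator">Passed through to the resource lookup.</param>
/// <param name="deob">Passed through to the resource lookup.</param>
/// <exception cref="ApplicationException">
/// The decrypted table declares a count or size that the remaining data cannot hold.
/// </exception>
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    if (resolverType == null)
        return;

    encryptedResource = BabelUtils.findEmbeddedResource(module, resolverType, simpleDeobfuscator, deob);
    if (encryptedResource == null) {
        Log.w("Could not find embedded assemblies resource");
        return;
    }

    var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
    using (var reader = new BinaryReader(new MemoryStream(decrypted))) {
        var stream = reader.BaseStream;

        // The table comes from the file under analysis, so its length fields are
        // untrusted. Each entry needs at least a 1-byte string length prefix and a
        // 4-byte data length; reject counts the remaining bytes cannot satisfy
        // before allocating anything.
        int numAssemblies = reader.ReadInt32();
        if (numAssemblies < 0 || numAssemblies > (stream.Length - stream.Position) / 5)
            throw new ApplicationException("Invalid embedded assembly count");

        var infos = new EmbeddedAssemblyInfo[numAssemblies];
        for (int i = 0; i < numAssemblies; i++) {
            string name = reader.ReadString();
            int dataLength = reader.ReadInt32();
            if (dataLength < 0 || dataLength > stream.Length - stream.Position)
                throw new ApplicationException("Invalid embedded assembly size");

            var data = reader.ReadBytes(dataLength);
            var mod = ModuleDefinition.ReadModule(new MemoryStream(data));
            infos[i] = new EmbeddedAssemblyInfo(name, DeobUtils.getExtension(mod.Kind), data);
        }

        // Published only once every entry parsed, so a malformed table never
        // leaves a partially filled array behind.
        embeddedAssemblyInfos = infos;
    }
}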
/// <summary>
/// Tries to find the strings resource referenced by <paramref name="initMethod"/>,
/// first as-is and then again after statically decrypting the method's strings.
/// </summary>
/// <returns>True when <c>stringsResource</c> was found; false otherwise or when the method is null.</returns>
bool FindStringsResource2(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDef initMethod) {
    if (initMethod == null)
        return false;

    stringsResource = FindStringResource(initMethod);
    if (stringsResource == null) {
        // Second attempt: the resource name may itself be an encrypted string.
        simpleDeobfuscator.DecryptStrings(initMethod, deob);
        stringsResource = FindStringResource(initMethod);
    }
    return stringsResource != null;
}
/// <summary>
/// Cleans the handler method and the decrypt method, then builds the assembly infos
/// and the decryption key from them. Does nothing when there is no handler method.
/// </summary>
/// <exception cref="ApplicationException">
/// The assembly infos or the decryption key could not be created.
/// </exception>
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    if (handlerMethod == null)
        return;

    findOtherType();

    simpleDeobfuscator.deobfuscate(handlerMethod);
    simpleDeobfuscator.decryptStrings(handlerMethod, deob);
    bool haveInfos = createAssemblyInfos();
    if (!haveInfos)
        throw new ApplicationException("Could not initialize assembly infos");

    simpleDeobfuscator.deobfuscate(decryptMethod);
    simpleDeobfuscator.decryptStrings(decryptMethod, deob);
    bool haveKey = createDecryptKey();
    if (!haveKey)
        throw new ApplicationException("Could not initialize decryption key");
}
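/// <summary>
/// Lets each deobfuscator try to unpack the native image at <c>Filename</c> and loads
/// the first unpacked result as the new module.
/// </summary>
/// <returns>True when a deobfuscator unpacked data that loaded as a module; otherwise false.</returns>
bool UnpackNativeImage(IEnumerable<IDeobfuscator> deobfuscators) {
    using (var peImage = new PEImage(Filename)) {
        foreach (var deob in deobfuscators) {
            byte[] unpackedData = null;
            try {
                unpackedData = deob.UnpackNativeFile(peImage);
            }
            catch {
                // Best effort: an unpacker that throws is treated as "not my format".
            }
            if (unpackedData == null)
                continue;

            var oldModule = module;
            try {
                module = assemblyModule.Load(unpackedData);
            }
            catch {
                // Fixed: the deobfuscator placeholder was {0}, which printed the
                // file name twice and never the deobfuscator.
                Logger.w("Could not load unpacked data. File: {0}, deobfuscator: {1}", peImage.FileName ?? "(unknown filename)", deob.TypeLong);
                continue;
            }
            finally {
                // NOTE(review): this also runs when Load() threw, in which case
                // module still refers to oldModule - confirm that is intended.
                if (oldModule != null)
                    oldModule.Dispose();
            }

            this.deob = deob;
            return true;
        }
    }
    return false;
}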
/// <summary>
/// Selects the deobfuscator for this file: the one already set by native unpacking,
/// the one forced through the options, the early-detection winner, or the best match
/// from <c>detectObfuscator2</c>.
/// </summary>
void detectObfuscator(IEnumerable<IDeobfuscator> deobfuscators) {
    // The deobfuscators may call methods to deobfuscate control flow and decrypt
    // strings (statically) in order to detect the obfuscator.
    bool needSavedBodies = !options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None;
    if (needSavedBodies)
        savedMethodBodies = new SavedMethodBodies();

    // It's not null if it unpacked a native file
    if (this.deob != null) {
        this.deob.init(module);
        this.deob.DeobfuscatedFile = this;
        this.deob.earlyDetect();
        this.deob.detect();
        return;
    }

    foreach (var candidate in deobfuscators) {
        candidate.init(module);
        candidate.DeobfuscatedFile = this;
    }

    if (options.ForcedObfuscatorType == null) {
        this.deob = earlyDetectObfuscator(deobfuscators);
        if (this.deob != null)
            this.deob.detect();
        else
            this.deob = detectObfuscator2(deobfuscators);
        return;
    }

    // A forced type that matches no deobfuscator leaves this.deob unset here.
    foreach (var candidate in deobfuscators) {
        if (!string.Equals(options.ForcedObfuscatorType, candidate.Type, StringComparison.OrdinalIgnoreCase))
            continue;
        candidate.earlyDetect();
        this.deob = candidate;
        candidate.detect();
        return;
    }
}
/// <summary>
/// Cleans the assembly resolver method and collects the resource infos for every code
/// string in it, each string being treated as a resource prefix.
/// </summary>
/// <returns>The collected infos; empty when there is no assembly resolver method.</returns>
public List<ResourceInfo> GetEmbeddedAssemblies(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    var result = new List<ResourceInfo>();
    if (assemblyResolverMethod != null) {
        simpleDeobfuscator.Deobfuscate(assemblyResolverMethod);
        simpleDeobfuscator.DecryptStrings(assemblyResolverMethod, deob);

        foreach (var prefix in DotNetUtils.GetCodeStrings(assemblyResolverMethod))
            result.AddRange(GetResourceInfos(prefix));
    }
    return result;
}
/// <summary>
/// Prepares string decryption: guesses the decrypter version, finds the decrypter
/// method and strings resource, computes the string offset, and creates a resource
/// decrypter when a SimpleZip type method is present.
/// </summary>
/// <returns>False when the strings resource cannot be found; otherwise true.</returns>
/// <exception cref="ApplicationException">
/// The decrypter method or (for versions above V3) the string offset was not found.
/// </exception>
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
    var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
    if (cctor != null)
        simpleDeobfuscator.deobfuscate(cctor);
    decrypterVersion = guessVersion(cctor);

    if (!findDecrypterMethod())
        throw new ApplicationException("Could not find string decrypter method");
    if (!findStringsResource(deob, simpleDeobfuscator, cctor))
        return false;

    if (decrypterVersion > StringDecrypterVersion.V3) {
        var offsetVal = findOffsetValue(cctor);
        if (offsetVal == null)
            throw new ApplicationException("Could not find string offset");
        stringOffset = offsetVal.Value;
        decrypterVersion = StringDecrypterVersion.V4;
    }
    else {
        // V3 derives the offset from the .cctor; V1 and V2 use the decrypter method.
        MethodDefinition initMethod = stringDecrypterMethod;
        if (decrypterVersion == StringDecrypterVersion.V3)
            initMethod = cctor;

        stringOffset = 0;
        if (decrypterVersion != StringDecrypterVersion.V1) {
            if (callsGetPublicKeyToken(initMethod)) {
                var pkt = module.Assembly.Name.PublicKeyToken;
                if (pkt != null) {
                    // Fold the token into the offset two bytes at a time (big-endian pairs).
                    for (int i = 0; i + 1 < pkt.Length; i += 2)
                        stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
                }
            }

            if (DeobUtils.hasInteger(initMethod, 0xFFFFFF) && DeobUtils.hasInteger(initMethod, 0xFFFF))
                stringOffset ^= ((stringDecrypterMethod.MetadataToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
        }
    }

    simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod);
    if (simpleZipTypeMethod != null)
        resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));

    return true;
}
/// <summary>
/// Replaces the deobfuscator used by this file with <paramref name="deob"/>.
/// </summary>
void IDeobfuscatedFile.SetDeobfuscator(IDeobfuscator deob) {
    this.deob = deob;
}
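/// <summary>
/// Lets each deobfuscator try to unpack the native image at <c>Filename</c> and loads
/// the first unpacked result as the new module.
/// </summary>
/// <returns>True when a deobfuscator unpacked data that loaded as a module; otherwise false.</returns>
bool UnpackNativeImage(IEnumerable<IDeobfuscator> deobfuscators) {
    using (var peImage = new PEImage(Filename)) {
        foreach (var deob in deobfuscators) {
            byte[] unpackedData = null;
            try {
                unpackedData = deob.UnpackNativeFile(peImage);
            }
            catch {
                // Best effort: an unpacker that throws is treated as "not my format".
            }
            if (unpackedData == null)
                continue;

            var oldModule = module;
            try {
                module = assemblyModule.Load(unpackedData);
            }
            catch {
                // Fixed: the deobfuscator placeholder was {0}, which printed the
                // file name twice and never the deobfuscator.
                Logger.w("Could not load unpacked data. File: {0}, deobfuscator: {1}", peImage.FileName ?? "(unknown filename)", deob.TypeLong);
                continue;
            }
            finally {
                // NOTE(review): this also runs when Load() threw, in which case
                // module still refers to oldModule - confirm that is intended.
                if (oldModule != null)
                    oldModule.Dispose();
            }

            this.deob = deob;
            return true;
        }
    }
    return false;
}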
/// <summary>
/// Passes the module and deobfuscator helpers to the base class and keeps the
/// assembly resolver info for later use.
/// </summary>
public ResourceResolverInfo(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob, AssemblyResolverInfo assemblyResolverInfo)
    : base(module, simpleDeobfuscator, deob)
{
    this.assemblyResolverInfo = assemblyResolverInfo;
}
/// <summary>
/// Prepares string decryption: guesses the decrypter version, finds the decrypter
/// method and strings resource, computes the string offset, and creates a resource
/// decrypter when a SimpleZip type method is present.
/// </summary>
/// <returns>False when the strings resource cannot be found; otherwise true.</returns>
/// <exception cref="ApplicationException">
/// The decrypter method or (for versions above V3) the string offset was not found.
/// </exception>
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
    var cctor = stringsEncodingClass.FindStaticConstructor();
    if (cctor != null)
        simpleDeobfuscator.Deobfuscate(cctor);
    decrypterVersion = GuessVersion(cctor);

    if (!FindDecrypterMethod())
        throw new ApplicationException("Could not find string decrypter method");
    if (!FindStringsResource(deob, simpleDeobfuscator, cctor))
        return false;

    if (decrypterVersion > StringDecrypterVersion.V3) {
        var offsetVal = FindOffsetValue(cctor);
        if (offsetVal == null)
            throw new ApplicationException("Could not find string offset");
        stringOffset = offsetVal.Value;
        decrypterVersion = StringDecrypterVersion.V4;
    }
    else {
        // V3 derives the offset from the .cctor; V1 and V2 use the decrypter method.
        MethodDef initMethod = stringDecrypterMethod;
        if (decrypterVersion == StringDecrypterVersion.V3)
            initMethod = cctor;

        stringOffset = 0;
        if (decrypterVersion != StringDecrypterVersion.V1) {
            if (CallsGetPublicKeyToken(initMethod)) {
                var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
                if (!PublicKeyBase.IsNullOrEmpty2(pkt)) {
                    // Fold the token into the offset two bytes at a time (big-endian pairs).
                    for (int i = 0; i + 1 < pkt.Data.Length; i += 2)
                        stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
                }
            }

            if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) && DeobUtils.HasInteger(initMethod, 0xFFFF))
                stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
        }
    }

    simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
    if (simpleZipTypeMethod != null)
        resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));

    return true;
}
/// <summary>
/// Finds the encrypted-methods resource of the methods decrypter type, decrypts it,
/// and registers the result as the image reader with the empty name.
/// </summary>
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    if (methodsDecrypter == null)
        return;

    encryptedResource = BabelUtils.findEmbeddedResource(module, methodsDecrypter, simpleDeobfuscator, deob);
    if (encryptedResource != null) {
        var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
        addImageReader("", decrypted);
        return;
    }

    Log.w("Could not find encrypted methods resource");
}
/// <summary>
/// Stores the module and the two deobfuscator helpers for later use.
/// </summary>
public ResolverInfoBase(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    this.deob = deob;
    this.simpleDeobfuscator = simpleDeobfuscator;
    this.module = module;
}
/// <summary>
/// Forwards to the callback-based <c>FindEmbeddedResource</c> overload with a callback
/// that deobfuscates a method and then statically decrypts its strings.
/// </summary>
/// <returns>Whatever the callback-based overload returns.</returns>
public static EmbeddedResource FindEmbeddedResource(ModuleDefMD module, TypeDef decrypterType, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    return FindEmbeddedResource(module, decrypterType, target => {
        // Order matters: control flow is cleaned before strings are decrypted.
        simpleDeobfuscator.Deobfuscate(target);
        simpleDeobfuscator.DecryptStrings(target, deob);
    });
}
/// <summary>
/// Passes the module and deobfuscator helpers straight to the base class; this
/// constructor adds no state of its own.
/// </summary>
public ResourceResolver(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) : base(module, simpleDeobfuscator, deob) { }
/// <summary>
/// Replaces the current module with one reloaded from <paramref name="newModuleData"/>
/// and re-attaches the deobfuscator to it.
/// </summary>
/// <param name="newModuleData">Raw bytes of the decrypted assembly.</param>
/// <param name="dumpedMethods">Passed through to <c>assemblyModule.reload</c>.</param>
void reloadModule(byte[] newModuleData, DumpedMethods dumpedMethods) {
    Log.v("Reloading decrypted assembly (original filename: {0})", Filename);
    // Flags recorded for the old module are dropped before the reload.
    simpleDeobfuscatorFlags.Clear();
    module = assemblyModule.reload(newModuleData, dumpedMethods);
    allMethods = getAllMethods();
    // moduleReloaded() returns the deobfuscator to use from here on.
    deob = deob.moduleReloaded(module);
    initializeDeobfuscator();
    deob.DeobfuscatedFile = this;
    updateDynamicStringInliner();
}
/// <summary>
/// Tries to find the strings resource referenced by <paramref name="initMethod"/>,
/// first as-is and then again after statically decrypting the method's strings.
/// </summary>
/// <returns>True when <c>stringsResource</c> was found; false otherwise or when the method is null.</returns>
bool FindStringsResource2(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDef initMethod) {
    if (initMethod == null)
        return false;

    stringsResource = FindStringResource(initMethod);
    if (stringsResource == null) {
        // Second attempt: the resource name may itself be an encrypted string.
        simpleDeobfuscator.DecryptStrings(initMethod, deob);
        stringsResource = FindStringResource(initMethod);
    }
    return stringsResource != null;
}
/// <summary>
/// Stores the module and the two deobfuscator helpers for later use.
/// </summary>
public AssemblyDecrypter(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    this.deob = deob;
    this.simpleDeobfuscator = simpleDeobfuscator;
    this.module = module;
}
/// <summary>
/// Searches the methods called by <paramref name="checkMethod"/> for a static
/// <c>void ()</c> initializer whose declaring type has exactly a Hashtable and a Boolean
/// field, then collects the numbered embedded resources named by its handler.
/// </summary>
/// <returns>True when an init method was found and recorded; otherwise false.</returns>
bool checkInitMethod(MethodDefinition checkMethod, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    string[] requiredFields = {
        "System.Collections.Hashtable",
        "System.Boolean",
    };

    foreach (var candidate in DotNetUtils.getCalledMethods(module, checkMethod)) {
        if (candidate.Body == null || !candidate.IsStatic)
            continue;
        if (!DotNetUtils.isMethod(candidate, "System.Void", "()"))
            continue;

        var owner = candidate.DeclaringType;
        if (!new FieldTypes(owner).exactly(requiredFields))
            continue;

        var ctor = DotNetUtils.getMethod(owner, ".ctor");
        if (ctor == null)
            continue;
        var handler = getHandler(ctor);
        if (handler == null)
            continue;

        simpleDeobfuscator.decryptStrings(handler, deob);
        var resourcePrefix = getResourcePrefix(handler);
        if (resourcePrefix == null)
            continue;

        // Resources are named prefix + 5-digit index; stop at the first missing index.
        int index = 0;
        while (true) {
            var embedded = DotNetUtils.getResource(module, resourcePrefix + index.ToString("D5")) as EmbeddedResource;
            if (embedded == null)
                break;
            resources.Add(embedded);
            index++;
        }

        initMethod = candidate;
        return true;
    }
    return false;
}
/// <summary>
/// Recovers the embed password from the resolver method (when there is one) and uses
/// it to decrypt every embedded resource whose name matches the <c>cfd_..._</c> pattern.
/// </summary>
/// <returns>One info per decrypted assembly; empty when no password is available.</returns>
public List<AssemblyInfo> GetAssemblyInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    var result = new List<AssemblyInfo>();

    if (embedResolverMethod != null) {
        simpleDeobfuscator.Deobfuscate(embedResolverMethod);
        simpleDeobfuscator.DecryptStrings(embedResolverMethod, deob);
        embedPassword = GetEmbedPassword(embedResolverMethod);
    }
    if (embedPassword == null)
        return result;

    foreach (var rsrc in module.Resources) {
        var embedded = rsrc as EmbeddedResource;
        if (embedded == null || !Regex.IsMatch(embedded.Name.String, "^cfd_([0-9a-f]{2})+_$"))
            continue;

        // The resource bytes come from the file under analysis; a failure in
        // Gunzip, Decrypt or Load here propagates and ends the whole scan.
        var asmData = Decrypt(embedPassword, Gunzip(embedded.Data.ReadAllBytes()));
        // NOTE(review): the loaded module is only read for its names and kind and is
        // not disposed in this method - confirm whether it should be.
        var loaded = ModuleDefMD.Load(asmData);
        var extension = DeobUtils.GetExtension(loaded.Kind);
        result.Add(new AssemblyInfo(asmData, embedded, loaded.Assembly.FullName, loaded.Assembly.Name.String, extension));
    }
    return result;
}
/// <summary>
/// Replaces the current module with one reloaded from <paramref name="newModuleData"/>,
/// disposes the previous module, and re-attaches the deobfuscator.
/// </summary>
/// <param name="newModuleData">Raw bytes of the decrypted assembly.</param>
/// <param name="dumpedMethods">Wrapped by <c>CreateDumpedMethodsRestorer</c> for the reload.</param>
void ReloadModule(byte[] newModuleData, DumpedMethods dumpedMethods) {
    Logger.v("Reloading decrypted assembly (original filename: {0})", Filename);
    // Flags recorded for the old module are dropped before the reload.
    simpleDeobfuscatorFlags.Clear();
    // The old module is disposed when this block exits, i.e. only after the
    // deobfuscator has been told about the new module.
    using (var oldModule = module) {
        module = assemblyModule.Reload(newModuleData, CreateDumpedMethodsRestorer(dumpedMethods), deob as IStringDecrypter);
        deob = deob.ModuleReloaded(module);
    }
    InitializeDeobfuscator();
    deob.DeobfuscatedFile = this;
    UpdateDynamicStringInliner();
}
/// <summary>
/// Prepares string decryption: guesses the decrypter version, finds the decrypter
/// method and strings resource, computes the string offset, and creates a resource
/// decrypter when a SimpleZip type method is present.
/// </summary>
/// <returns>False when the strings resource cannot be found; otherwise true.</returns>
/// <exception cref="ApplicationException">
/// The decrypter method or (for versions above V3) the string offset was not found.
/// </exception>
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
    var cctor = stringsEncodingClass.FindStaticConstructor();
    if (cctor != null)
        simpleDeobfuscator.Deobfuscate(cctor);
    decrypterVersion = GuessVersion(cctor);

    if (!FindDecrypterMethod())
        throw new ApplicationException("Could not find string decrypter method");
    if (!FindStringsResource(deob, simpleDeobfuscator, cctor))
        return false;

    if (decrypterVersion > StringDecrypterVersion.V3) {
        var offsetVal = FindOffsetValue(cctor);
        if (offsetVal == null)
            throw new ApplicationException("Could not find string offset");
        stringOffset = offsetVal.Value;
        decrypterVersion = StringDecrypterVersion.V4;
    }
    else {
        // V3 derives the offset from the .cctor; V1 and V2 use the decrypter method.
        MethodDef initMethod = stringDecrypterMethod;
        if (decrypterVersion == StringDecrypterVersion.V3)
            initMethod = cctor;

        stringOffset = 0;
        if (decrypterVersion != StringDecrypterVersion.V1) {
            if (CallsGetPublicKeyToken(initMethod)) {
                var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
                if (!PublicKeyBase.IsNullOrEmpty2(pkt)) {
                    // Fold the token into the offset two bytes at a time (big-endian pairs).
                    for (int i = 0; i + 1 < pkt.Data.Length; i += 2)
                        stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
                }
            }

            if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) && DeobUtils.HasInteger(initMethod, 0xFFFF))
                stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
        }
    }

    simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
    if (simpleZipTypeMethod != null)
        resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));

    return true;
}
/// <summary>
/// Runs the deobfuscation clean-up, disposes the module and the deobfuscator when
/// they are set, and clears both references.
/// </summary>
public void Dispose() {
    DeobfuscateCleanUp();
    if (module != null)
        module.Dispose();
    if (deob != null)
        deob.Dispose();
    // Both fields are cleared, so a second call skips the two Dispose() calls above.
    module = null;
    deob = null;
}
/// <summary>
/// Stores the module and the two deobfuscator helpers for later use.
/// </summary>
public AntiDebugger(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    this.deob = deob;
    this.simpleDeobfuscator = simpleDeobfuscator;
    this.module = module;
}
/// <summary>
/// Removes all loaded map files from the deobfuscator by dropping the reference to
/// the current implementation.
/// </summary>
public void Clear() {
    deobfuscatorImpl = null;
}
/// <summary>
/// Initializes the resource decrypter infos and fails loudly when that is not possible.
/// </summary>
/// <exception cref="ApplicationException"><c>initializeInfos</c> returned false.</exception>
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    bool initialized = initializeInfos(simpleDeobfuscator, deob);
    if (initialized)
        return;
    throw new ApplicationException("Could not initialize resource decrypter");
}
/// <summary>
/// Runs the "Static string decryption" pass on <paramref name="method"/>, delegating
/// the work on its blocks to <paramref name="theDeob"/>.
/// </summary>
void ISimpleDeobfuscator.decryptStrings(MethodDefinition method, IDeobfuscator theDeob) {
    deobfuscate(
        method,
        "Static string decryption",
        methodBlocks => theDeob.deobfuscateStrings(methodBlocks));
}
/// <summary>
/// Asks every deobfuscator for a detection score and returns the one with the highest
/// positive score. Logs a hint when more than one non-"un" deobfuscator scores above zero.
/// </summary>
/// <returns>The best-scoring deobfuscator, or null when no score is above zero.</returns>
IDeobfuscator detectObfuscator2(IEnumerable<IDeobfuscator> deobfuscators) {
    var positives = new List<IDeobfuscator>();
    IDeobfuscator best = null;
    int bestScore = 0;

    foreach (var candidate in deobfuscators) {
        this.deob = candidate;  // So we can call deob.CanInlineMethods in deobfuscate()

        // No handler here: an exception thrown by detect() propagates to the caller.
        int score = candidate.detect();
        Log.v("{0,3}: {1}", score, candidate.TypeLong);
        if (score > 0 && candidate.Type != "un")
            positives.Add(candidate);
        if (score <= bestScore)
            continue;
        bestScore = score;
        best = candidate;
    }
    this.deob = null;

    if (positives.Count > 1) {
        Log.n("More than one obfuscator detected:");
        Log.indent();
        foreach (var candidate in positives)
            Log.n("{0} (use: -p {1})", candidate.Name, candidate.Type);
        Log.deIndent();
    }
    return best;
}
/// <summary>
/// Finds the resolver's init method, cleans the encrypted resource's method, and
/// initializes the encrypted resource. Does nothing when that method is not set.
/// </summary>
/// <exception cref="ApplicationException">The init method could not be found.</exception>
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    if (encryptedResource.Method == null)
        return;

    var foundInit = FindInitMethod(simpleDeobfuscator);
    initMethod = foundInit;
    if (foundInit == null)
        throw new ApplicationException("Could not find resource resolver init method");

    // Clean the method first so the resource initialization sees readable code.
    simpleDeobfuscator.Deobfuscate(encryptedResource.Method);
    simpleDeobfuscator.DecryptStrings(encryptedResource.Method, deob);
    encryptedResource.Initialize(simpleDeobfuscator);
}
/// <summary>
/// Lets each deobfuscator try to unpack the native image read from <c>Filename</c>
/// and loads the first unpacked result as the new module.
/// </summary>
/// <returns>True when a deobfuscator unpacked data that loaded as a module; otherwise false.</returns>
bool unpackNativeImage(IEnumerable<IDeobfuscator> deobfuscators) {
    var fileBytes = Utils.readFile(Filename);
    var peImage = new PeImage(fileBytes);

    foreach (var candidate in deobfuscators) {
        byte[] unpacked = null;
        try {
            unpacked = candidate.unpackNativeFile(peImage);
        }
        catch {
            // Best effort: an unpacker that throws is treated as "not my format".
        }
        if (unpacked == null)
            continue;

        try {
            module = assemblyModule.load(unpacked);
        }
        catch {
            Log.w("Could not load unpacked data. Deobfuscator: {0}", candidate.TypeLong);
            continue;
        }

        this.deob = candidate;
        return true;
    }
    return false;
}
/// <summary>
/// Looks through the private static methods of <paramref name="type"/> that have the
/// expected signature, cleans each one, and returns the first embedded resource whose
/// name appears among the method's code strings.
/// </summary>
/// <returns>The matching embedded resource, or null when none is found.</returns>
EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    foreach (var candidate in type.Methods) {
        bool usable = candidate.IsPrivate && candidate.IsStatic && candidate.Body != null;
        if (!usable)
            continue;
        if (!DotNetUtils.IsMethod(candidate, "System.String", "(System.Reflection.Assembly,System.Type,System.String)"))
            continue;

        // Strings are only readable after control flow and string encryption are undone.
        simpleDeobfuscator.Deobfuscate(candidate);
        simpleDeobfuscator.DecryptStrings(candidate, deob);

        foreach (var resourceName in DotNetUtils.GetCodeStrings(candidate)) {
            if (DotNetUtils.GetResource(module, resourceName) is EmbeddedResource embedded)
                return embedded;
        }
    }
    return null;
}
/// <summary>
/// Runs the "Static string decryption" pass on <paramref name="method"/>, delegating
/// the work on its blocks to <paramref name="theDeob"/>.
/// </summary>
void ISimpleDeobfuscator.DecryptStrings(MethodDef method, IDeobfuscator theDeob) {
    Deobfuscate(
        method,
        "Static string decryption",
        methodBlocks => theDeob.DeobfuscateStrings(methodBlocks));
}
/// <summary>
/// Locates the strings resource: by the module's MVID name for versions up to V3,
/// then via the static constructor, then via the string decrypter method.
/// </summary>
/// <returns>True when <c>stringsResource</c> is set after the search; otherwise false.</returns>
bool FindStringsResource(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDef cctor) {
    if (stringsResource != null)
        return true;

    if (decrypterVersion <= StringDecrypterVersion.V3) {
        // Without an MVID a fresh GUID is used as the lookup name.
        var mvid = module.Mvid ?? Guid.NewGuid();
        stringsResource = DotNetUtils.GetResource(module, mvid.ToString("B")) as EmbeddedResource;
        if (stringsResource != null)
            return true;
    }

    return FindStringsResource2(deob, simpleDeobfuscator, cctor)
        || FindStringsResource2(deob, simpleDeobfuscator, stringDecrypterMethod);
}
/// <summary>
/// Inspects the module entry point and its declaring type to decide whether the module
/// is a packed stub, works out which version produced it, and records the decrypt key,
/// entry point token and main assembly resource.
/// </summary>
/// <remarks>
/// Returns silently at each early check that fails; <c>version</c> is only assigned
/// on the last line, after every lookup has succeeded.
/// </remarks>
/// <exception cref="ApplicationException">
/// The key ("magic") or the main assembly resource cannot be found, or the version
/// switch reaches its default case.
/// </exception>
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    var entryPoint = module.EntryPoint;
    if (entryPoint == null) {
        return;
    }
    if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals)) {
        return;
    }
    var type = entryPoint.DeclaringType;
    if (!new FieldTypes(type).All(requiredFields)) {
        return;
    }

    // Six nested types selects the 7zip decrypt-method lookup; anything else uses inflate.
    bool use7zip = type.NestedTypes.Count == 6;
    MethodDef decyptMethod;
    if (use7zip) {
        decyptMethod = FindDecryptMethod_7zip(type);
    }
    else {
        decyptMethod = FindDecryptMethod_inflate(type);
    }
    if (decyptMethod == null) {
        return;
    }

    // First version guess, from the decrypt method's locals and the entry point's calls.
    var theVersion = ConfuserVersion.Unknown;
    var decryptLocals = new LocalTypes(decyptMethod);
    if (decryptLocals.Exists("System.IO.MemoryStream")) {
        if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])")) {
            theVersion = ConfuserVersion.v10_r42915;
        }
        else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)")) {
            theVersion = ConfuserVersion.v10_r48717;
        }
        else {
            theVersion = ConfuserVersion.v14_r57778;
        }
    }
    else {
        theVersion = ConfuserVersion.v14_r58564;
    }

    var cctor = type.FindStaticConstructor();
    if (cctor == null) {
        return;
    }

    // An assembly resolver method overrides the first guess.
    if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null) {
        theVersion = ConfuserVersion.v14_r58802;
        simpleDeobfuscator.Deobfuscate(asmResolverMethod);
        // NOTE(review): key1 is declared inline here and not read again in this
        // method - confirm whether a field was meant to receive it.
        if (!FindKey1(asmResolverMethod, out uint key1)) {
            return;
        }
    }

    switch (theVersion) {
    case ConfuserVersion.v10_r42915:
    case ConfuserVersion.v10_r48717:
    case ConfuserVersion.v14_r57778:
        break;

    case ConfuserVersion.v14_r58564:
    case ConfuserVersion.v14_r58802:
        simpleDeobfuscator.Deobfuscate(decyptMethod);
        if (FindKey0_v14_r58564(decyptMethod, out key0)) {
            break;
        }
        // The second key0 pattern covers several later versions; the checks below
        // tell them apart.
        if (FindKey0_v14_r58852(decyptMethod, out key0)) {
            if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged")) {
                theVersion = ConfuserVersion.v14_r58852;
                break;
            }
            if (use7zip) {
                if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream")) {
                    theVersion = ConfuserVersion.v17_r75076;
                }
                else if (module.Name == "Stub.exe") {
                    theVersion = ConfuserVersion.v18_r75184;
                }
                else if (!IsGetLenToPosStateMethodPrivate(type)) {
                    theVersion = ConfuserVersion.v18_r75367;
                }
                else {
                    theVersion = ConfuserVersion.v19_r77172;
                }
            }
            else if (IsDecryptMethod_v17_r73404(decyptMethod)) {
                theVersion = ConfuserVersion.v17_r73404;
            }
            else {
                theVersion = ConfuserVersion.v15_r60785;
            }
            break;
        }
        // Neither key0 pattern matched.
        throw new ApplicationException("Could not find magic");

    default:
        throw new ApplicationException("Invalid version");
    }

    simpleDeobfuscator.Deobfuscate(cctor);
    simpleDeobfuscator.DecryptStrings(cctor, deob);

    // NOTE(review): asmResolverMethod can still be null at this point (the lookup
    // above is allowed to fail) - confirm CallsMethod accepts a null method.
    if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
        if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)")) {
            theVersion = ConfuserVersion.v17_r73477;
        }
        else {
            theVersion = ConfuserVersion.v17_r73566;
        }
    }

    mainAsmResource = FindResource(cctor);
    if (mainAsmResource == null) {
        throw new ApplicationException("Could not find main assembly resource");
    }
    version = theVersion;
}
/// <summary>
/// Prepares string decryption from the strings encoding class's static constructor:
/// finds the strings resource, the string offset and the decrypter method, and
/// creates a resource decrypter when a SimpleZip type is present.
/// </summary>
/// <returns>False when the strings resource cannot be found; otherwise true.</returns>
/// <exception cref="ApplicationException">
/// The static constructor, the string offset or the decrypter method was not found.
/// </exception>
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
    var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
    if (cctor == null)
        throw new ApplicationException("Could not find .cctor");
    simpleDeobfuscator.deobfuscate(cctor);

    stringsResource = findStringResource(cctor);
    if (stringsResource == null) {
        // Second attempt: the resource name may itself be an encrypted string.
        simpleDeobfuscator.decryptStrings(cctor, deob);
        stringsResource = findStringResource(cctor);
    }
    if (stringsResource == null)
        return false;

    var offsetVal = findOffsetValue(cctor);
    if (offsetVal == null)
        throw new ApplicationException("Could not find string offset");
    stringOffset = offsetVal.Value;

    bool haveDecrypter = findDecrypterMethod();
    if (!haveDecrypter)
        throw new ApplicationException("Could not find string decrypter method");

    simpleZipType = findSimpleZipType(cctor);
    if (simpleZipType != null)
        resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipType, simpleDeobfuscator));

    return true;
}
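/// <summary>
/// Locates and decrypts the encrypted-constants resource of the decrypter type and
/// reads its four tables (Int32, Int64, Single, Double) into the decrypted arrays.
/// </summary>
/// <param name="simpleDeobfuscator">Passed through to the resource lookup.</param>
/// <param name="deob">Passed through to the resource lookup.</param>
/// <exception cref="ApplicationException">
/// A table declares more elements than the remaining data can hold, or a negative count.
/// </exception>
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    if (decrypterType == null)
        return;

    encryptedResource = BabelUtils.FindEmbeddedResource(module, decrypterType, simpleDeobfuscator, deob);
    if (encryptedResource == null) {
        Logger.w("Could not find encrypted constants resource");
        return;
    }

    var decrypted = resourceDecrypter.Decrypt(encryptedResource.Data.ReadAllBytes());
    using (var reader = new BinaryReader(new MemoryStream(decrypted))) {
        // Each table is a count followed by that many values, stored last index first.
        int count = ReadCheckedCount(reader, sizeof(int));
        decryptedInts = new int[count];
        for (int i = count - 1; i >= 0; i--)
            decryptedInts[i] = reader.ReadInt32();

        count = ReadCheckedCount(reader, sizeof(long));
        decryptedLongs = new long[count];
        for (int i = count - 1; i >= 0; i--)
            decryptedLongs[i] = reader.ReadInt64();

        count = ReadCheckedCount(reader, sizeof(float));
        decryptedFloats = new float[count];
        for (int i = count - 1; i >= 0; i--)
            decryptedFloats[i] = reader.ReadSingle();

        count = ReadCheckedCount(reader, sizeof(double));
        decryptedDoubles = new double[count];
        for (int i = count - 1; i >= 0; i--)
            decryptedDoubles[i] = reader.ReadDouble();
    }
}

// Reads a table's element count and rejects values the remaining bytes cannot hold.
// The counts come from the file under analysis, so they are validated before any
// array is allocated from them.
static int ReadCheckedCount(BinaryReader reader, int elementSize) {
    int count = reader.ReadInt32();
    long remaining = reader.BaseStream.Length - reader.BaseStream.Position;
    if (count < 0 || count > remaining / elementSize)
        throw new ApplicationException("Invalid constants table size");
    return count;
}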
/// <summary>
/// Passes the module and deobfuscator helpers straight to the base class; this
/// constructor adds no state of its own.
/// </summary>
public AssemblyResolver(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) : base(module, simpleDeobfuscator, deob) { }