public bool Initialize(ClarifierContext ctx) { injectHelper = new ClarifierInjectHelper(ctx); staticProtectionsManager.AddPatternMatchingMethod("Confuser.Runtime.Constant", "Get"); staticProtectionsManager.AddPatternMatchingMethod("Confuser.Runtime.Constant", "Initialize"); return(staticProtectionsManager.LoadTypes()); }
public double PerformIdentification(ClarifierContext ctx) { double[] result = new double[3]; result[0] = antiDebugSafe.MapSourceInDestination(ctx.CurrentModule); result[1] = antiDebugNet.MapSourceInDestination(ctx.CurrentModule); result[2] = antiDebugWin32.MapSourceInDestination(ctx.CurrentModule); return(result.Max()); }
public double PerformIdentification(ClarifierContext ctx) { SherlockNode loadStage = new SherlockNode(ctx.ILLanguage["ArgumentLoad"].Childs) { Name = "LoadStage", MaxNumber = null, MinNumber = 1, Mode = TestMode.InRange }; SherlockNode callStage = new SherlockNode(ctx.ILLanguage["Call"].Childs) { Name = "CallStage", MaxNumber = 1, MinNumber = 1, Mode = TestMode.InRange }; SherlockNode returnStage = new SherlockNode(ctx.ILLanguage["Return"].Childs) { Name = "ReturnStage", MaxNumber = 1, MinNumber = 1, Mode = TestMode.InRange }; SherlockNode proxyCall = new SherlockNode(new SherlockNode[] { loadStage, callStage, returnStage }) { Name = "ProxyCall", MinNumber = 1, MaxNumber = 1, Mode = TestMode.MatchEverything }; foreach (var method in ctx.CurrentModule.GetMethods()) { if (!method.HasBody) { continue; } ComparisonContext compCtx = new ComparisonContext() { InstructionList = method.Body.Instructions.ToList() }; if (proxyCall.Test(compCtx) == ConditionOutcome.Matched) { referenceProxyMethods[method] = null; } } if (referenceProxyMethods.Count != 0) { return(1.0); } return(0.0); }
public bool Initialize(ClarifierContext ctx) { antiDebugSafe.AddPatternMatchingMethod("Confuser.Runtime.AntiDebugSafe", "Initialize"); antiDebugSafe.AddPatternMatchingMethod("Confuser.Runtime.AntiDebugSafe", "Worker"); antiDebugNet.AddPatternMatchingMethod("Confuser.Runtime.AntiDebugAntinet", "Initialize"); antiDebugWin32.AddPatternMatchingMethod("Confuser.Runtime.AntiDebugWin32", "Initialize"); antiDebugWin32.AddPatternMatchingMethod("Confuser.Runtime.AntiDebugWin32", "Worker"); return(antiDebugSafe.LoadTypes() && antiDebugNet.LoadTypes() && antiDebugWin32.LoadTypes()); }
static void Main(string[] args) { Debug.Assert(args.Length > 0); ModuleDefMD targetModule = ModuleDefMD.Load(args[0]); ModuleDefMD runtimeModule = ModuleDefMD.Load("Confuser.Runtime.dll"); ClarifierContext ctx = new ClarifierContext { CurrentModule = targetModule, WriterListener = new MWListener(), //ILLanguage = il }; AntiDump antiDump = new AntiDump(); AntiDebug antiDebug = new AntiDebug(); Constants constants = new Constants(); AntiTamper antiTamper = new AntiTamper(); Inliner inliner = new Inliner(); inliner.PerformIdentification(ctx); inliner.PerformRemoval(ctx); antiTamper.Initialize(); antiTamper.PerformIdentification(ctx); antiTamper.PerformRemoval(ctx); antiDump.Initialize(ctx); antiDump.PerformIdentification(ctx); antiDump.PerformRemoval(ctx); antiDebug.Initialize(ctx); antiDebug.PerformIdentification(ctx); antiDebug.PerformRemoval(ctx); constants.Initialize(ctx); constants.PerformIdentification(ctx); constants.PerformRemoval(ctx); int lastBackslash = args[0].LastIndexOf('\\'); string targetExecutable = args[0].Substring(lastBackslash + 1, args[0].Length - 1 - lastBackslash); string parentDir = Directory.GetParent(Directory.GetParent(args[0]).FullName).FullName; parentDir = Path.Combine(parentDir, "Deobfuscated"); string destinationFile = Path.Combine(parentDir, targetExecutable); targetModule.Write(destinationFile); return; }
public void PerformRemoval(ClarifierContext ctx) { foreach (var v in staticProtectionsManager.DestinationMap) { foreach (var vv in v.matchingMethods) { var typeRef = ctx.CurrentModule.UpdateRowId(new TypeRefUser(ctx.CurrentModule, "System.Diagnostics", "Debugger", ctx.CurrentModule.CorLibTypes.AssemblyRef)); var classSignature = new ClassSig(typeRef); var methodSig = MethodSig.CreateStatic(ctx.CurrentModule.CorLibTypes.Void); MemberRefUser mff = ctx.CurrentModule.UpdateRowId(new MemberRefUser(ctx.CurrentModule, "Break", methodSig, classSignature.TypeDefOrRef)); vv.Body.Instructions.Insert(vv.Body.Instructions.Count - 1, Instruction.Create(OpCodes.Call, mff)); } } }
public void PerformRemoval(ClarifierContext ctx) { foreach (var method in ctx.CurrentModule.GetMethods()) { if (referenceProxyMethods.Keys.Contains(method)) { continue; } foreach (var instruction in method.GetInstructions()) { if (instruction.OpCode != OpCodes.Call) { continue; } MethodDef targetMethod = null; if (instruction.Operand is MethodDef) { targetMethod = instruction.Operand as MethodDef; } else if (instruction.Operand is MethodSpec) { MethodSpec tempMethod = instruction.Operand as MethodSpec; targetMethod = tempMethod.Method as MethodDef; } else if (instruction.Operand is MemberRef) { continue; } Debug.Assert(targetMethod != null); List <InstructionGroup> currentInstructionGroup; if (referenceProxyMethods.TryGetValue(targetMethod, out currentInstructionGroup)) { int callIndex = currentInstructionGroup.Where(x => x.Name == "Call").First().FoundInstructions[0]; instruction.Operand = targetMethod.Body.Instructions[callIndex].Operand; } } } }
public double PerformIdentification(ClarifierContext ctx) { return(staticProtectionsManager.MapSourceInDestination(ctx.CurrentModule)); }
public bool PerformRemoval(ClarifierContext ctx) { return(antiDebugSafe.PerformRemoval(ctx.CurrentModule) || antiDebugNet.PerformRemoval(ctx.CurrentModule) || antiDebugWin32.PerformRemoval(ctx.CurrentModule)); }
public bool PerformRemoval(ClarifierContext ctx) { return(true); }
public double PerformIdentification(ClarifierContext ctx) { return(0.0); }
public bool Initialize(ClarifierContext ctx) { return(true); }
/// <summary> /// Remove every reference and nullify the blacklisted method /// </summary> /// <param name="ctx"></param> /// <returns></returns> public bool PerformRemoval(ClarifierContext ctx) { return(staticProtectionsManager.PerformRemoval(ctx.CurrentModule)); }
/// <summary> /// Add and load the blacklisted method /// </summary> /// <param name="ctx">Context</param> /// <returns></returns> public bool Initialize(ClarifierContext ctx) { staticProtectionsManager.AddPatternMatchingMethod("Confuser.Runtime.AntiDump", "Initialize"); return(staticProtectionsManager.LoadTypes()); }
public bool PerformRemoval(ClarifierContext ctx) { ClarifierInjectHelper inject = new ClarifierInjectHelper(ctx); object instantiatedObject = inject.CloneAndInstantiateType(ctx.CurrentModule.GlobalType); Type dummyType = instantiatedObject.GetType(); Dictionary <string, MethodInfo> mapNewMethodsToName = new Dictionary <string, MethodInfo>(); List <MethodDef> onlyMethodsToSubstitute = staticProtectionsManager.DestinationMap.Where(x => x.name == "Get").First().matchingMethods; foreach (var v in staticProtectionsManager.DestinationMap) { foreach (var vv in v.matchingMethods) { mapNewMethodsToName[vv.Name] = dummyType.GetMethod(vv.Name); } } foreach (var currentMethod in ctx.CurrentModule.GetMethods()) { if (onlyMethodsToSubstitute.Exists(x => x == currentMethod)) { continue; } if (!currentMethod.HasBody) { continue; } // Look for calls to blacklisted methods for (var i = 0; i < currentMethod.Body.Instructions.Count; ++i) { Instruction currentInstruction = currentMethod.Body.Instructions[i]; if (currentInstruction.OpCode != OpCodes.Call) { continue; } IMethod targetMethod = (IMethod)currentInstruction.Operand; MethodInfo methodToInvoke; if (!onlyMethodsToSubstitute.Exists(x => x.Name == targetMethod.Name)) { continue; } if (mapNewMethodsToName.TryGetValue(targetMethod.Name, out methodToInvoke)) { // Here we are sure we are in presence of a call to a blacklisted methods; // Kill ye olde damn bastard! int inputParameters = methodToInvoke.GetParameters().Count(); object[] parameters = new object[inputParameters]; // Close the generic type before invoking if (methodToInvoke.IsGenericMethod) { MethodSpec genericMethod = (MethodSpec)targetMethod; Type[] genericTypes = genericMethod.GenericInstMethodSig.GenericArguments.Select(x => Type.GetType(x.ReflectionFullName)).ToArray(); methodToInvoke = methodToInvoke.MakeGenericMethod(genericTypes); } // Iterate backward in order to retrieve input parameters and removing instructions. int j = i; for (; j > i - inputParameters; j--) { Type targetType = methodToInvoke.GetParameters()[parameters.Length - (i - j) - 1].ParameterType; object operand = currentMethod.Body.Instructions[j - 1].Operand; if (targetType.IsValueType) { try { // Most common situation here is that the operand is an uint. // dnlib fail to assign the right type (int instead of uint) // so we force the cast... parameters[parameters.Length - (i - j) - 1] = (uint)(int)operand; } catch { // ...If the cast fail we try a conversion with value semantic. If even // this cast fail, we lift the white flag. parameters[parameters.Length - (i - j) - 1] = Convert.ChangeType(operand, targetType); } } else { parameters[parameters.Length - (i - j) - 1] = operand; } currentMethod.Body.Instructions.RemoveAt(j - 1); } i = j; object returnedObject = methodToInvoke.Invoke(null, parameters); Type returnedType = returnedObject.GetType(); if (returnedType == typeof(string)) { currentMethod.Body.Instructions[i] = new Instruction(OpCodes.Ldstr, returnedObject); } else if (returnedType.IsArray) { ITypeDefOrRef arrayType = null; int elementSize = 0; if (returnedType.Name == typeof(int[]).Name || returnedType.Name == typeof(float[]).Name) { elementSize = 4; if (returnedType.Name == typeof(int[]).Name) { arrayType = ctx.CurrentModule.CorLibTypes.Int32.TypeDefOrRef; } else { arrayType = ctx.CurrentModule.CorLibTypes.Double.TypeDefOrRef; } } else if (returnedType.Name == typeof(long[]).Name || returnedType.Name == typeof(double[]).Name) { elementSize = 8; if (returnedType.Name == typeof(long[]).Name) { arrayType = ctx.CurrentModule.CorLibTypes.Int64.TypeDefOrRef; } else { arrayType = ctx.CurrentModule.CorLibTypes.Double.TypeDefOrRef; } } else if (returnedType.Name == typeof(char[]).Name) { elementSize = 2; arrayType = ctx.CurrentModule.CorLibTypes.Char.TypeDefOrRef; } else { Debugger.Break(); } injectHelper.InjectArray((Array)returnedObject, currentMethod, arrayType, elementSize, i); } else { Debugger.Break(); } } } } return(true); }