public bool Initialize(ClarifierContext ctx)
{
injectHelper = new ClarifierInjectHelper(ctx);
staticProtectionsManager.AddPatternMatchingMethod("Confuser.Runtime.Constant", "Get");
staticProtectionsManager.AddPatternMatchingMethod("Confuser.Runtime.Constant", "Initialize");
return(staticProtectionsManager.LoadTypes());
}
public double PerformIdentification(ClarifierContext ctx)
{
double[] result = new double[3];
result[0] = antiDebugSafe.MapSourceInDestination(ctx.CurrentModule);
result[1] = antiDebugNet.MapSourceInDestination(ctx.CurrentModule);
result[2] = antiDebugWin32.MapSourceInDestination(ctx.CurrentModule);
return(result.Max());
}
public double PerformIdentification(ClarifierContext ctx)
{
SherlockNode loadStage = new SherlockNode(ctx.ILLanguage["ArgumentLoad"].Childs)
{
Name = "LoadStage",
MaxNumber = null,
MinNumber = 1,
Mode = TestMode.InRange
};
SherlockNode callStage = new SherlockNode(ctx.ILLanguage["Call"].Childs)
{
Name = "CallStage",
MaxNumber = 1,
MinNumber = 1,
Mode = TestMode.InRange
};
SherlockNode returnStage = new SherlockNode(ctx.ILLanguage["Return"].Childs)
{
Name = "ReturnStage",
MaxNumber = 1,
MinNumber = 1,
Mode = TestMode.InRange
};
SherlockNode proxyCall = new SherlockNode(new SherlockNode[] { loadStage, callStage, returnStage })
{
Name = "ProxyCall",
MinNumber = 1,
MaxNumber = 1,
Mode = TestMode.MatchEverything
};
foreach (var method in ctx.CurrentModule.GetMethods())
{
if (!method.HasBody)
{
continue;
}
ComparisonContext compCtx = new ComparisonContext()
{
InstructionList = method.Body.Instructions.ToList()
};
if (proxyCall.Test(compCtx) == ConditionOutcome.Matched)
{
referenceProxyMethods[method] = null;
}
}
if (referenceProxyMethods.Count != 0)
{
return(1.0);
}
return(0.0);
}
public bool Initialize(ClarifierContext ctx)
{
antiDebugSafe.AddPatternMatchingMethod("Confuser.Runtime.AntiDebugSafe", "Initialize");
antiDebugSafe.AddPatternMatchingMethod("Confuser.Runtime.AntiDebugSafe", "Worker");
antiDebugNet.AddPatternMatchingMethod("Confuser.Runtime.AntiDebugAntinet", "Initialize");
antiDebugWin32.AddPatternMatchingMethod("Confuser.Runtime.AntiDebugWin32", "Initialize");
antiDebugWin32.AddPatternMatchingMethod("Confuser.Runtime.AntiDebugWin32", "Worker");
return(antiDebugSafe.LoadTypes() && antiDebugNet.LoadTypes() && antiDebugWin32.LoadTypes());
}
static void Main(string[] args)
{
Debug.Assert(args.Length > 0);
ModuleDefMD targetModule = ModuleDefMD.Load(args[0]);
ModuleDefMD runtimeModule = ModuleDefMD.Load("Confuser.Runtime.dll");
ClarifierContext ctx = new ClarifierContext
{
CurrentModule = targetModule,
WriterListener = new MWListener(),
//ILLanguage = il
};
AntiDump antiDump = new AntiDump();
AntiDebug antiDebug = new AntiDebug();
Constants constants = new Constants();
AntiTamper antiTamper = new AntiTamper();
Inliner inliner = new Inliner();
inliner.PerformIdentification(ctx);
inliner.PerformRemoval(ctx);
antiTamper.Initialize();
antiTamper.PerformIdentification(ctx);
antiTamper.PerformRemoval(ctx);
antiDump.Initialize(ctx);
antiDump.PerformIdentification(ctx);
antiDump.PerformRemoval(ctx);
antiDebug.Initialize(ctx);
antiDebug.PerformIdentification(ctx);
antiDebug.PerformRemoval(ctx);
constants.Initialize(ctx);
constants.PerformIdentification(ctx);
constants.PerformRemoval(ctx);
int lastBackslash = args[0].LastIndexOf('\\');
string targetExecutable = args[0].Substring(lastBackslash + 1, args[0].Length - 1 - lastBackslash);
string parentDir = Directory.GetParent(Directory.GetParent(args[0]).FullName).FullName;
parentDir = Path.Combine(parentDir, "Deobfuscated");
string destinationFile = Path.Combine(parentDir, targetExecutable);
targetModule.Write(destinationFile);
return;
}
public void PerformRemoval(ClarifierContext ctx)
{
foreach (var v in staticProtectionsManager.DestinationMap)
{
foreach (var vv in v.matchingMethods)
{
var typeRef = ctx.CurrentModule.UpdateRowId(new TypeRefUser(ctx.CurrentModule, "System.Diagnostics", "Debugger", ctx.CurrentModule.CorLibTypes.AssemblyRef));
var classSignature = new ClassSig(typeRef);
var methodSig = MethodSig.CreateStatic(ctx.CurrentModule.CorLibTypes.Void);
MemberRefUser mff = ctx.CurrentModule.UpdateRowId(new MemberRefUser(ctx.CurrentModule, "Break", methodSig, classSignature.TypeDefOrRef));
vv.Body.Instructions.Insert(vv.Body.Instructions.Count - 1, Instruction.Create(OpCodes.Call, mff));
}
}
}
public void PerformRemoval(ClarifierContext ctx)
{
foreach (var method in ctx.CurrentModule.GetMethods())
{
if (referenceProxyMethods.Keys.Contains(method))
{
continue;
}
foreach (var instruction in method.GetInstructions())
{
if (instruction.OpCode != OpCodes.Call)
{
continue;
}
MethodDef targetMethod = null;
if (instruction.Operand is MethodDef)
{
targetMethod = instruction.Operand as MethodDef;
}
else if (instruction.Operand is MethodSpec)
{
MethodSpec tempMethod = instruction.Operand as MethodSpec;
targetMethod = tempMethod.Method as MethodDef;
}
else if (instruction.Operand is MemberRef)
{
continue;
}
Debug.Assert(targetMethod != null);
List <InstructionGroup> currentInstructionGroup;
if (referenceProxyMethods.TryGetValue(targetMethod, out currentInstructionGroup))
{
int callIndex = currentInstructionGroup.Where(x => x.Name == "Call").First().FoundInstructions[0];
instruction.Operand = targetMethod.Body.Instructions[callIndex].Operand;
}
}
}
}
public double PerformIdentification(ClarifierContext ctx)
{
return(staticProtectionsManager.MapSourceInDestination(ctx.CurrentModule));
}
public bool PerformRemoval(ClarifierContext ctx)
{
return(antiDebugSafe.PerformRemoval(ctx.CurrentModule) ||
antiDebugNet.PerformRemoval(ctx.CurrentModule) ||
antiDebugWin32.PerformRemoval(ctx.CurrentModule));
}
public bool PerformRemoval(ClarifierContext ctx)
{
return(true);
}
public double PerformIdentification(ClarifierContext ctx)
{
return(0.0);
}
public bool Initialize(ClarifierContext ctx)
{
return(true);
}
/// <summary>
/// Remove every reference and nullify the blacklisted method
/// </summary>
/// <param name="ctx"></param>
/// <returns></returns>
public bool PerformRemoval(ClarifierContext ctx)
{
return(staticProtectionsManager.PerformRemoval(ctx.CurrentModule));
}
/// <summary>
/// Add and load the blacklisted method
/// </summary>
/// <param name="ctx">Context</param>
/// <returns></returns>
public bool Initialize(ClarifierContext ctx)
{
staticProtectionsManager.AddPatternMatchingMethod("Confuser.Runtime.AntiDump", "Initialize");
return(staticProtectionsManager.LoadTypes());
}
public bool PerformRemoval(ClarifierContext ctx)
{
ClarifierInjectHelper inject = new ClarifierInjectHelper(ctx);
object instantiatedObject = inject.CloneAndInstantiateType(ctx.CurrentModule.GlobalType);
Type dummyType = instantiatedObject.GetType();
Dictionary <string, MethodInfo> mapNewMethodsToName = new Dictionary <string, MethodInfo>();
List <MethodDef> onlyMethodsToSubstitute = staticProtectionsManager.DestinationMap.Where(x => x.name == "Get").First().matchingMethods;
foreach (var v in staticProtectionsManager.DestinationMap)
{
foreach (var vv in v.matchingMethods)
{
mapNewMethodsToName[vv.Name] = dummyType.GetMethod(vv.Name);
}
}
foreach (var currentMethod in ctx.CurrentModule.GetMethods())
{
if (onlyMethodsToSubstitute.Exists(x => x == currentMethod))
{
continue;
}
if (!currentMethod.HasBody)
{
continue;
}
// Look for calls to blacklisted methods
for (var i = 0; i < currentMethod.Body.Instructions.Count; ++i)
{
Instruction currentInstruction = currentMethod.Body.Instructions[i];
if (currentInstruction.OpCode != OpCodes.Call)
{
continue;
}
IMethod targetMethod = (IMethod)currentInstruction.Operand;
MethodInfo methodToInvoke;
if (!onlyMethodsToSubstitute.Exists(x => x.Name == targetMethod.Name))
{
continue;
}
if (mapNewMethodsToName.TryGetValue(targetMethod.Name, out methodToInvoke))
{
// Here we are sure we are in presence of a call to a blacklisted methods;
// Kill ye olde damn bastard!
int inputParameters = methodToInvoke.GetParameters().Count();
object[] parameters = new object[inputParameters];
// Close the generic type before invoking
if (methodToInvoke.IsGenericMethod)
{
MethodSpec genericMethod = (MethodSpec)targetMethod;
Type[] genericTypes = genericMethod.GenericInstMethodSig.GenericArguments.Select(x => Type.GetType(x.ReflectionFullName)).ToArray();
methodToInvoke = methodToInvoke.MakeGenericMethod(genericTypes);
}
// Iterate backward in order to retrieve input parameters and removing instructions.
int j = i;
for (; j > i - inputParameters; j--)
{
Type targetType = methodToInvoke.GetParameters()[parameters.Length - (i - j) - 1].ParameterType;
object operand = currentMethod.Body.Instructions[j - 1].Operand;
if (targetType.IsValueType)
{
try
{
// Most common situation here is that the operand is an uint.
// dnlib fail to assign the right type (int instead of uint)
// so we force the cast...
parameters[parameters.Length - (i - j) - 1] = (uint)(int)operand;
}
catch
{
// ...If the cast fail we try a conversion with value semantic. If even
// this cast fail, we lift the white flag.
parameters[parameters.Length - (i - j) - 1] = Convert.ChangeType(operand, targetType);
}
}
else
{
parameters[parameters.Length - (i - j) - 1] = operand;
}
currentMethod.Body.Instructions.RemoveAt(j - 1);
}
i = j;
object returnedObject = methodToInvoke.Invoke(null, parameters);
Type returnedType = returnedObject.GetType();
if (returnedType == typeof(string))
{
currentMethod.Body.Instructions[i] = new Instruction(OpCodes.Ldstr, returnedObject);
}
else if (returnedType.IsArray)
{
ITypeDefOrRef arrayType = null;
int elementSize = 0;
if (returnedType.Name == typeof(int[]).Name || returnedType.Name == typeof(float[]).Name)
{
elementSize = 4;
if (returnedType.Name == typeof(int[]).Name)
{
arrayType = ctx.CurrentModule.CorLibTypes.Int32.TypeDefOrRef;
}
else
{
arrayType = ctx.CurrentModule.CorLibTypes.Double.TypeDefOrRef;
}
}
else if (returnedType.Name == typeof(long[]).Name || returnedType.Name == typeof(double[]).Name)
{
elementSize = 8;
if (returnedType.Name == typeof(long[]).Name)
{
arrayType = ctx.CurrentModule.CorLibTypes.Int64.TypeDefOrRef;
}
else
{
arrayType = ctx.CurrentModule.CorLibTypes.Double.TypeDefOrRef;
}
}
else if (returnedType.Name == typeof(char[]).Name)
{
elementSize = 2;
arrayType = ctx.CurrentModule.CorLibTypes.Char.TypeDefOrRef;
}
else
{
Debugger.Break();
}
injectHelper.InjectArray((Array)returnedObject, currentMethod, arrayType, elementSize, i);
}
else
{
Debugger.Break();
}
}
}
}
return(true);
}
