예제 #1
0
 public bool Execute(DeoxysContext context)
 {
     PurgeCtor(context);
     RemoveDLL(context);
     context.Cfg.DeclaringType.Fields.Remove(context.Cfg);
     return(true);
 }
예제 #2
0
        public bool Execute(DeoxysContext context)
        {
            //Locating Nasha0,Nasha1,Nasha2 Sections
            var peSections = context.PeFile.Sections.Where(q =>
                                                           q.Name != ".text" && q.Name != ".rsrc" && q.Name != ".reloc" && q.Name.Contains("0") ||
                                                           q.Name.Contains("1") || q.Name.Contains("2")).ToList();

            if (!peSections.Any())
            {
                return(false);
            }

            if (peSections.Count > 3)
            {
                peSections = peSections.Where(q => q.Name.Contains("Nasha")).ToList();
            }

            if (peSections.Count == 3)
            {
                context.Nasha0 = peSections[0];
                context.Logger.Success(
                    $"Located Nasha Section {context.Nasha0.Name} With Offset {context.Nasha0.Offset}");
                context.Nasha1 = peSections[1];
                context.Logger.Success(
                    $"Located Nasha Section {context.Nasha1.Name} With Offset {context.Nasha1.Offset}");
                context.Nasha2 = peSections[2];
                context.Logger.Success(
                    $"Located Nasha Section {context.Nasha2.Name} With Offset {context.Nasha2.Offset}");
                return(true);
            }
            return(false);
        }
예제 #3
0
        public void RemoveDLL(DeoxysContext context)
        {
            //Removing the dll reference
            var dll = context.Cfg.Signature.FieldType.GetUnderlyingTypeDefOrRef().Scope;

            context.Module.AssemblyReferences.Remove(new AssemblyReference(dll.GetAssembly()));
            context.Logger.Success($"Successfully Removed DLL {dll.Name}");
        }
예제 #4
0
        public void PurgeCtor(DeoxysContext context)
        {
            //Clearing the .ctor
            var ctor = context.Module.GetOrCreateModuleConstructor();

            ctor.CilMethodBody = new CilMethodBody(ctor);
            ctor.CilMethodBody.Instructions.Add(new CilInstruction(CilOpCodes.Ret));
            context.Logger.Success("Purged NashaVM Runtime Initializer");
        }
예제 #5
0
        public void RecompileMethods(DeoxysContext context)
        {
            var recompiler = new NashaRecompiler(context);

            foreach (var method in context.DisassembledVirtualizedMethods)
            {
                //Recompiling each method
                recompiler.RecompileMethod(method);
            }
        }
예제 #6
0
        public List <NashaMethod> DisassembleAllMethods(DeoxysContext context)
        {
            List <NashaMethod> nashaMethods = new List <NashaMethod>();
            var methodDisassembler          = new NashaMethodDisassembler(context);

            foreach (var method in context.VirtualizedMethods)
            {
                //Disassembling each method
                nashaMethods.Add(methodDisassembler.DisassembleMethod(method));
            }
            return(nashaMethods);
        }
예제 #7
0
 public Devirtualizer(DeoxysContext ctx)
 {
     Ctx = ctx;
     DevirtualizationStages = new List <IDevirtualizationStage>
     {
         new SectionDetection(),
         new CfgDetection(),
         new MethodDetection(),
         new OpCodeDetection(),
         new MethodDisassembly(),
         new MethodRecompiler(),
         new Cleanup()
     };
 }
예제 #8
0
        public bool Execute(DeoxysContext context)
        {
            var extractedOpCodes = ReadOpCodes(context, context.Nasha2.ToArray());

            if (extractedOpCodes.Count < 14)
            {
                return(false);
            }
            foreach (var opCode in extractedOpCodes)
            {
                context.DeoxysOpCodes[opCode.RandomValue] = opCode;
            }
            return(true);
        }
예제 #9
0
        public bool Execute(DeoxysContext context)
        {
            //Nasha injects some methods to initialize the vm
            var ctor   = context.Module.GetOrCreateModuleConstructor();
            var module = ctor.DeclaringType;

            if (module.Fields.Count >= 1 && ctor.CilMethodBody.Instructions.Count >= 7)
            {
                var field = ctor.CilMethodBody.Instructions[1];
                if (field.OpCode == CilOpCodes.Stsfld && field.Operand is FieldDefinition fieldDefinition)
                {
                    context.Cfg = fieldDefinition;
                    context.Logger.Success($"Detected CFG Field [{context.Cfg.Name}] At Constructor {module.Name}");
                    return(true);
                }
            }
            return(false);
        }
예제 #10
0
        private List <NashaOpCode> ReadOpCodes(DeoxysContext context, byte[] opcodeValues)
        {
            var opCodes = new List <NashaOpCode>();
            var reader  = new BinaryReader(new MemoryStream(opcodeValues));

            reader.BaseStream.Position += 8;
            //OpCode scrambling seems to have it's flaws.
            while (reader.BaseStream.Position != reader.BaseStream.Length)
            {
                var opc = ReadOpCode(reader);
                if (opc.Code == (NashaCode)777 || opc.Code == (NashaCode)1337)  // seems to be the exit code
                {
                    break;
                }
                opCodes.Add(opc);
                context.Logger.Info($"Found OpCode {opc.Code} with Random Value {opc.RandomValue}");
            }
            return(opCodes);
        }
예제 #11
0
파일: Program.cs 프로젝트: xuan2261/Deoxys
        public static void PrintInfo(DeoxysContext Context)
        {
            foreach (var line in @"
______                         
|  _  \                        
| | | |___  _____  ___   _ ___ 
| | | / _ \/ _ \ \/ / | | / __|
| |/ /  __/ (_) >  <| |_| \__ \
|___/ \___|\___/_/\_\\__, |___/
                      __/ |    
                     |___/     ".Split(new string[] { Environment.NewLine }, StringSplitOptions.RemoveEmptyEntries))
            {
                WriteLineMiddle(line, Color.Red);
            }
            Console.WriteLine();
            WriteLineMiddle($"Version - {CurrentVersion} | https://github.com/StackUnderflowRE/Deoxys", Color.CornflowerBlue);
            Console.WriteLine();
            Context.Logger.Success($"Loaded file {Context.Module.Name}");
        }
예제 #12
0
        private List <NashaOpCode> ReadOpCodes(DeoxysContext context, byte[] opcodeValues)
        {
            var opCodes = new List <NashaOpCode>();
            var reader  = new BinaryReader(new MemoryStream(opcodeValues));

            reader.BaseStream.Position += 4;
            var first = reader.ReadInt32();

            //OpCode scrambling seems to have it's flaws.
            while (reader.BaseStream.Position != reader.BaseStream.Length)
            {
                var opc = ReadOpCode(reader);
                if (opc.Code > (NashaCode)byte.MaxValue)
                {
                    break;
                }
                opCodes.Add(opc);
            }

            var newCodes = new List <NashaOpCode>();

            int currentId = first;

            for (int i = 0; i < opCodes.Count; i++)
            {
                if (currentId > byte.MaxValue)
                {
                    break;
                }
                var opc       = opCodes.First(q => q.Code == (NashaCode)currentId);
                var newOpCode = new NashaOpCode((NashaCode)i, opc.RandomValue);
                newCodes.Add(newOpCode);
                context.Logger.Info($"Found OpCode {newOpCode.Code} with Random Value {newOpCode.RandomValue}");
                currentId = opc.NextId;
            }

            return(newCodes);
        }
예제 #13
0
 private void MapMethods(DeoxysContext context)
 {
     foreach (var type in context.Module.GetAllTypes())
     {
         foreach (var method in type.Methods.Where(q => q.IsIL && q.CilMethodBody.Instructions.Count >= 7))
         {
             var instructions = method.CilMethodBody.Instructions;
             if (instructions.First().OpCode == CilOpCodes.Newobj &&
                 ((IMethodDescriptor)instructions.First().Operand).DeclaringType !=
                 context.Cfg.Signature.FieldType.GetUnderlyingTypeDefOrRef())
             {
                 var instructionField = instructions.First(q => q.OpCode == CilOpCodes.Ldsfld);
                 if (instructionField != null)
                 {
                     var index     = instructions.IndexOf(instructionField);
                     var methodKey = instructions[index - 1].GetLdcI4Constant();
                     context.VirtualizedMethods.Add(new NashaMethodInfo(method, methodKey));
                     context.Logger.Success($"Found Virtualized Method {method.Name} With Key {methodKey}");
                 }
             }
         }
     }
 }
예제 #14
0
파일: Program.cs 프로젝트: xuan2261/Deoxys
        public static void Main(string[] args)
        {
            Console.Title = $"Deoxys - Version {CurrentVersion} | https://github.com/StackUnderflowRE/Deoxys";
            ILogger logger = new ConsoleLogger();

            if (args.Length == 0)
            {
                logger.Error("Use <Deoxys.exe> --help");
                Console.ReadLine();
                return;
            }

            var options = Parser.Default.ParseArguments <ParseOptions>(args).WithNotParsed(q =>
            {
                logger.Info($"Usage : <Deoxys.exe> <Input File> <Settings>");
                Console.ReadLine();
                Environment.Exit(0);
            });
            var deoxysOptions = new DeoxysOptions(args[0], options.Value);
            var ctx           = new DeoxysContext(deoxysOptions, logger);

            PrintInfo(ctx);
            var  devirtualizer = new Devirtualizer(ctx);
            bool result        = devirtualizer.Devirtualize();

            if (result)
            {
                devirtualizer.Save();
                logger.Success("Finished Devirtualization With No Errors!");
            }
            else
            {
                logger.Error("Could not finish Devirtualization.");
            }

            Console.ReadLine();
        }
예제 #15
0
 public NashaMethodDisassembler(DeoxysContext context)
 {
     Context = context;
     InstructionDisassembler = new NashaInstructionDisassembler(this);
 }
예제 #16
0
 public bool Execute(DeoxysContext context)
 {
     PurgeCtor(context);
     RemoveDLL(context);
     return(true);
 }
예제 #17
0
 public NashaRecompiler(DeoxysContext context)
 {
     Context = context;
 }
예제 #18
0
 public bool Execute(DeoxysContext context)
 {
     MapMethods(context);
     return(context.VirtualizedMethods.Count != 0);
 }
예제 #19
0
 public NashaOperandResolver(DeoxysContext context)
 {
     Context = context;
 }
예제 #20
0
 public bool Execute(DeoxysContext context)
 {
     RecompileMethods(context);
     return(true);
 }
예제 #21
0
 public bool Execute(DeoxysContext context)
 {
     context.DisassembledVirtualizedMethods = DisassembleAllMethods(context);
     return(context.DisassembledVirtualizedMethods.Count == context.VirtualizedMethods.Count);
 }