
Commit 23477cc

committed
Implemented ConfuserEx deobfuscator
x86 cflow and x86 constant decryption; backport of LINQ (LinqBridge); shift left/right emulation fixes in de4dot core; Block class extended to hold additional information.
1 parent 126758f commit 23477cc

32 files changed

+4550
-750
lines changed

BeaEngine.dll

245 KB
Binary file not shown.

LinqBridge.dll

61.5 KB
Binary file not shown.

de4dot.blocks/Block.cs

Lines changed: 348 additions & 320 deletions
Large diffs are not rendered by default.

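--- a/de4dot.blocks/cflow/Int32Value.cs
+++ b/de4dot.blocks/cflow/Int32Value.cs
@@ -541,8 +541,8 @@ public static Int32Value Shl(Int32Value a, Int32Value b) {
 return CreateUnknown();
 if (b.Value == 0)
 return a;
-if (b.Value < 0 || b.Value >= sizeof(int) * 8)
-return CreateUnknown();
+//if (b.Value < 0 || b.Value >= sizeof(int) * 8)
+// return CreateUnknown();
 int shift = b.Value;
 uint validMask = (a.ValidMask << shift) | (uint.MaxValue >> (sizeof(int) * 8 - shift));
 return new Int32Value(a.Value << shift, validMask);
@@ -553,8 +553,8 @@ public static Int32Value Shr(Int32Value a, Int32Value b) {
 return CreateUnknown();
 if (b.Value == 0)
 return a;
-if (b.Value < 0 || b.Value >= sizeof(int) * 8)
-return CreateUnknown();
+//if (b.Value < 0 || b.Value >= sizeof(int) * 8)
+// return CreateUnknown();
 int shift = b.Value;
 uint validMask = a.ValidMask >> shift;
 if (a.IsBitValid(sizeof(int) * 8 - 1))
@@ -567,8 +567,8 @@ public static Int32Value Shr_Un(Int32Value a, Int32Value b) {
 return CreateUnknown();
 if (b.Value == 0)
 return a;
-if (b.Value < 0 || b.Value >= sizeof(int) * 8)
-return CreateUnknown();
+//if (b.Value < 0 || b.Value >= sizeof(int) * 8)
+// return CreateUnknown();
 int shift = b.Value;
 uint validMask = (a.ValidMask >> shift) | (uint.MaxValue << (sizeof(int) * 8 - shift));
 return new Int32Value((int)((uint)a.Value >> shift), validMask);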
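Review bot: Commenting out the range check in Shl (new lines 544-545) leaves `shift` unbounded and relies on C#'s implicit masking of the shift count to its low five bits, which the `validMask` expression does not survive: for `b.Value == 32` the effective shift is 0, so `uint.MaxValue >> (sizeof(int) * 8 - shift)` becomes `uint.MaxValue >> 0` and every bit of the result is marked known even when `a` has unknown bits. The same holds for Shr_Un at new line 573; Shr's body continues past the hunk, so its sign-bit handling could not be checked. If masked shifts are the intended emulation, make that explicit with `int shift = b.Value & 0x1F;` followed by `if (shift == 0) return a;`, and delete the commented-out lines rather than leaving them in. A wrong valid mask lets later constant folding treat unknown bits as constants, which could silently produce incorrect deobfuscated output.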

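--- a/de4dot.blocks/de4dot.blocks.csproj
+++ b/de4dot.blocks/de4dot.blocks.csproj
@@ -1,102 +1,102 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-<PropertyGroup>
-<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
-<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
-<ProductVersion>8.0.30703</ProductVersion>
-<SchemaVersion>2.0</SchemaVersion>
-<ProjectGuid>{045B96F2-AF80-4C4C-8D27-E38635AC705E}</ProjectGuid>
-<OutputType>Library</OutputType>
-<AppDesignerFolder>Properties</AppDesignerFolder>
-<RootNamespace>de4dot.blocks</RootNamespace>
-<AssemblyName>de4dot.blocks</AssemblyName>
-<TargetFrameworkVersion>v2.0</TargetFrameworkVersion>
-<FileAlignment>512</FileAlignment>
-<SignAssembly>true</SignAssembly>
-<AssemblyOriginatorKeyFile>..\de4dot.snk</AssemblyOriginatorKeyFile>
-</PropertyGroup>
-<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
-<DebugSymbols>true</DebugSymbols>
-<DebugType>full</DebugType>
-<Optimize>false</Optimize>
-<OutputPath>..\Debug\bin\</OutputPath>
-<DefineConstants>DEBUG;TRACE</DefineConstants>
-<ErrorReport>prompt</ErrorReport>
-<WarningLevel>4</WarningLevel>
-</PropertyGroup>
-<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
-<DebugType>pdbonly</DebugType>
-<Optimize>true</Optimize>
-<OutputPath>..\Release\bin\</OutputPath>
-<DefineConstants>TRACE</DefineConstants>
-<ErrorReport>prompt</ErrorReport>
-<WarningLevel>4</WarningLevel>
-<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
-</PropertyGroup>
-<ItemGroup>
-<Compile Include="BaseBlock.cs" />
-<Compile Include="Block.cs" />
-<Compile Include="Blocks.cs" />
-<Compile Include="BlocksSorter.cs" />
-<Compile Include="cflow\AccessChecker.cs" />
-<Compile Include="cflow\BlockCflowDeobfuscator.cs" />
-<Compile Include="cflow\BlockDeobfuscator.cs" />
-<Compile Include="cflow\BlocksCflowDeobfuscator.cs" />
-<Compile Include="cflow\BranchEmulator.cs" />
-<Compile Include="cflow\CachedCflowDeobfuscator.cs" />
-<Compile Include="cflow\CflowDeobfuscator.cs" />
-<Compile Include="cflow\CflowUtils.cs" />
-<Compile Include="cflow\ConstantsFolder.cs" />
-<Compile Include="cflow\DeadCodeRemover.cs" />
-<Compile Include="cflow\DeadStoreRemover.cs" />
-<Compile Include="cflow\DupBlockDeobfuscator.cs" />
-<Compile Include="cflow\IBlocksDeobfuscator.cs" />
-<Compile Include="cflow\ICflowDeobfuscator.cs" />
-<Compile Include="cflow\InstructionEmulator.cs" />
-<Compile Include="cflow\Int32Value.cs" />
-<Compile Include="cflow\Int64Value.cs" />
-<Compile Include="cflow\MethodCallInliner.cs" />
-<Compile Include="cflow\MethodCallInlinerBase.cs" />
-<Compile Include="cflow\Real8Value.cs" />
-<Compile Include="cflow\StLdlocFixer.cs" />
-<Compile Include="cflow\SwitchCflowDeobfuscator.cs" />
-<Compile Include="cflow\Value.cs" />
-<Compile Include="cflow\ValueStack.cs" />
-<Compile Include="CodeGenerator.cs" />
-<Compile Include="DeadBlocksRemover.cs" />
-<Compile Include="DotNetUtils.cs" />
-<Compile Include="DumpedMethod.cs" />
-<Compile Include="DumpedMethods.cs" />
-<Compile Include="FilterHandlerBlock.cs" />
-<Compile Include="ForwardScanOrder.cs" />
-<Compile Include="GenericArgsSubstitutor.cs" />
-<Compile Include="HandlerBlock.cs" />
-<Compile Include="Instr.cs" />
-<Compile Include="InstructionListParser.cs" />
-<Compile Include="MemberDefDict.cs" />
-<Compile Include="MethodBlocks.cs" />
-<Compile Include="Properties\AssemblyInfo.cs" />
-<Compile Include="ScopeBlock.cs" />
-<Compile Include="StackTracePatcher.cs" />
-<Compile Include="TryBlock.cs" />
-<Compile Include="TryHandlerBlock.cs" />
-<Compile Include="Utils.cs" />
-</ItemGroup>
-<ItemGroup>
-<ProjectReference Include="..\dnlib\src\dnlib.csproj">
-<Project>{FDFC1237-143F-4919-8318-4926901F4639}</Project>
-<Name>dnlib</Name>
-</ProjectReference>
-</ItemGroup>
-<ItemGroup>
-<Reference Include="System" />
-</ItemGroup>
-<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<PropertyGroup>
+<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+<ProductVersion>8.0.30703</ProductVersion>
+<SchemaVersion>2.0</SchemaVersion>
+<ProjectGuid>{045B96F2-AF80-4C4C-8D27-E38635AC705E}</ProjectGuid>
+<OutputType>Library</OutputType>
+<AppDesignerFolder>Properties</AppDesignerFolder>
+<RootNamespace>de4dot.blocks</RootNamespace>
+<AssemblyName>de4dot.blocks</AssemblyName>
+<TargetFrameworkVersion>v2.0</TargetFrameworkVersion>
+<FileAlignment>512</FileAlignment>
+<SignAssembly>true</SignAssembly>
+<AssemblyOriginatorKeyFile>..\de4dot.snk</AssemblyOriginatorKeyFile>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+<DebugSymbols>true</DebugSymbols>
+<DebugType>full</DebugType>
+<Optimize>false</Optimize>
+<OutputPath>..\Debug\bin\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+<DebugType>pdbonly</DebugType>
+<Optimize>true</Optimize>
+<OutputPath>..\Release\bin\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+</PropertyGroup>
+<ItemGroup>
+<Compile Include="BaseBlock.cs" />
+<Compile Include="Block.cs" />
+<Compile Include="Blocks.cs" />
+<Compile Include="BlocksSorter.cs" />
+<Compile Include="cflow\AccessChecker.cs" />
+<Compile Include="cflow\BlockCflowDeobfuscator.cs" />
+<Compile Include="cflow\BlockDeobfuscator.cs" />
+<Compile Include="cflow\BlocksCflowDeobfuscator.cs" />
+<Compile Include="cflow\BranchEmulator.cs" />
+<Compile Include="cflow\CachedCflowDeobfuscator.cs" />
+<Compile Include="cflow\CflowDeobfuscator.cs" />
+<Compile Include="cflow\CflowUtils.cs" />
+<Compile Include="cflow\ConstantsFolder.cs" />
+<Compile Include="cflow\DeadCodeRemover.cs" />
+<Compile Include="cflow\DeadStoreRemover.cs" />
+<Compile Include="cflow\DupBlockDeobfuscator.cs" />
+<Compile Include="cflow\IBlocksDeobfuscator.cs" />
+<Compile Include="cflow\ICflowDeobfuscator.cs" />
+<Compile Include="cflow\InstructionEmulator.cs" />
+<Compile Include="cflow\Int32Value.cs" />
+<Compile Include="cflow\Int64Value.cs" />
+<Compile Include="cflow\MethodCallInliner.cs" />
+<Compile Include="cflow\MethodCallInlinerBase.cs" />
+<Compile Include="cflow\Real8Value.cs" />
+<Compile Include="cflow\StLdlocFixer.cs" />
+<Compile Include="cflow\SwitchCflowDeobfuscator.cs" />
+<Compile Include="cflow\Value.cs" />
+<Compile Include="cflow\ValueStack.cs" />
+<Compile Include="CodeGenerator.cs" />
+<Compile Include="DeadBlocksRemover.cs" />
+<Compile Include="DotNetUtils.cs" />
+<Compile Include="DumpedMethod.cs" />
+<Compile Include="DumpedMethods.cs" />
+<Compile Include="FilterHandlerBlock.cs" />
+<Compile Include="ForwardScanOrder.cs" />
+<Compile Include="GenericArgsSubstitutor.cs" />
+<Compile Include="HandlerBlock.cs" />
+<Compile Include="Instr.cs" />
+<Compile Include="InstructionListParser.cs" />
+<Compile Include="MemberDefDict.cs" />
+<Compile Include="MethodBlocks.cs" />
+<Compile Include="Properties\AssemblyInfo.cs" />
+<Compile Include="ScopeBlock.cs" />
+<Compile Include="StackTracePatcher.cs" />
+<Compile Include="TryBlock.cs" />
+<Compile Include="TryHandlerBlock.cs" />
+<Compile Include="Utils.cs" />
+</ItemGroup>
+<ItemGroup>
+<ProjectReference Include="..\dnlib\src\dnlib.csproj">
+<Project>{FDFC1237-143F-4919-8318-4926901F4639}</Project>
+<Name>dnlib</Name>
+</ProjectReference>
+</ItemGroup>
+<ItemGroup>
+<Reference Include="System" />
+</ItemGroup>
+<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
 <!-- To modify your build process, add your task inside one of the targets below and uncomment it.
 Other similar extension points exist, see Microsoft.Common.targets.
 <Target Name="BeforeBuild">
 </Target>
 <Target Name="AfterBuild">
 </Target>
--->
+-->
 </Project>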

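--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 <PropertyGroup>
 <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
 <Platform Condition=" '$(Platform)' == '' ">x86</Platform>
@@ -14,6 +14,7 @@
 <FileAlignment>512</FileAlignment>
 <SignAssembly>true</SignAssembly>
 <AssemblyOriginatorKeyFile>..\de4dot.snk</AssemblyOriginatorKeyFile>
+<TargetFrameworkProfile />
 </PropertyGroup>
 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
 <PlatformTarget>AnyCPU</PlatformTarget>
@@ -25,6 +26,7 @@
 <ErrorReport>prompt</ErrorReport>
 <WarningLevel>4</WarningLevel>
 <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+<Prefer32Bit>false</Prefer32Bit>
 </PropertyGroup>
 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
 <PlatformTarget>AnyCPU</PlatformTarget>
@@ -36,11 +38,15 @@
 <WarningLevel>4</WarningLevel>
 <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
 <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+<Prefer32Bit>false</Prefer32Bit>
 </PropertyGroup>
 <PropertyGroup>
 <StartupObject />
 </PropertyGroup>
 <ItemGroup>
+<Reference Include="LinqBridge">
+<HintPath>..\LinqBridge.dll</HintPath>
+</Reference>
 <Reference Include="System" />
 <Reference Include="System.Drawing" />
 <Reference Include="System.Runtime.Remoting" />
@@ -150,6 +156,29 @@
 <Compile Include="deobfuscators\CodeWall\randomc\CRandomMersenne.cs" />
 <Compile Include="deobfuscators\CodeWall\randomc\CRandomMother.cs" />
 <Compile Include="deobfuscators\CodeWall\StringDecrypter.cs" />
+<Compile Include="deobfuscators\ConfuserEx\ConstantDecrypter.cs" />
+<Compile Include="deobfuscators\ConfuserEx\ConstantInliner.cs" />
+<Compile Include="deobfuscators\ConfuserEx\Deobfuscator.cs" />
+<Compile Include="deobfuscators\ConfuserEx\ControlFlowSolver.cs" />
+<Compile Include="deobfuscators\ConfuserEx\LzmaFinder.cs" />
+<Compile Include="deobfuscators\ConfuserEx\ResourceDecrypter.cs" />
+<Compile Include="deobfuscators\ConfuserEx\Utils.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Bea\Constants.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Bea\Engine.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Bea\Structs.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Instructions\X86ADD.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Instructions\X86DIV.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Instructions\X86IMUL.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Instructions\X86MOV.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Instructions\X86NEG.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Instructions\X86NOT.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Instructions\X86POP.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Instructions\X86PUSH.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Instructions\X86SUB.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\Instructions\X86XOR.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\UnmanagedBuff.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\X86Instruction.cs" />
+<Compile Include="deobfuscators\ConfuserEx\x86\X86Method.cs" />
 <Compile Include="deobfuscators\Confuser\AntiDebugger.cs" />
 <Compile Include="deobfuscators\Confuser\AntiDumping.cs" />
 <Compile Include="deobfuscators\Confuser\Arg64ConstantsReader.cs" />
@@ -270,6 +299,7 @@
 <Compile Include="deobfuscators\InitializedDataCreator.cs" />
 <Compile Include="deobfuscators\InlinedMethodsFinder.cs" />
 <Compile Include="deobfuscators\ISimpleDeobfuscator.cs" />
+<Compile Include="deobfuscators\Lzma.cs" />
 <Compile Include="deobfuscators\MaxtoCode\CryptDecrypter.cs" />
 <Compile Include="deobfuscators\MaxtoCode\Decrypter6.cs" />
 <Compile Include="deobfuscators\MaxtoCode\DecrypterInfo.cs" />
@@ -423,4 +453,4 @@ copy "$(SolutionDir)COPYING" "..\$(OutDir)..\LICENSES"</PostBuildEvent>
 <Target Name="AfterBuild">
 </Target>
 -->
-</Project>
+</Project>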
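Review bot: The new `<Reference Include="LinqBridge">` at new lines 47-49 resolves to a prebuilt `..\LinqBridge.dll` by HintPath, with no version, origin or hash recorded in the project file, so a reader cannot tell which build of the library the deobfuscator links against. The commit also checks in BeaEngine.dll as a binary, presumably for the new `x86\Bea` sources. I would record provenance next to the reference, e.g. `<!-- LinqBridge.dll: prebuilt binary, version <VERSION>, source <URL>, SHA-256 <HASH> -->` with the placeholders filled in, or build the dependency from source. Since the project sets `<SignAssembly>true</SignAssembly>`, it is also worth confirming that the referenced DLL is strong-named.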
