using System;
using System.Text.RegularExpressions;
namespace DeobHellper
{
/*
* Old, not used anymore.
*
* Everything from here to the closing marker is one block comment, so this
* namespace compiles to nothing; the text is kept for reference only.
* The retired class rewrote obfuscated AutoIt script text with regex and
* string-replacement passes. Nothing visible here runs the script being
* analysed; AutoShit.BinaryToString is defined elsewhere and is not shown.
* NOTE(review): the input and every decoded string come from the sample under
* analysis and are untrusted; read the per-method notes below before reviving
* any of this code.
public class DummyDeobfuscator
{
// Runs the enabled passes over a copy of source, always in this order:
// ResolveEB2S, ResolveStartRegister, RenameFunctions, ResolveExternalArrayVars.
// Returns the rewritten text; the caller's string is not modified.
public static string Deobfuscate(string source, DummyOptions options)
{
string ret;
ret = source;
if(options.ResolveEB2S)
ResolveEB2S(ref ret);
if(options.ResolveStartRegister)
ResolveStartRegister(ref ret);
if(options.RenameFunctions)
RenameFunctions(ref ret);
if(options.ResolveExternalArrayVars)
ResolveExternalArrayVars(ref ret, options.REVOptions);
return ret;
}
// Renames each function declared as "Func name(...)" at the start of a line to
// method0, method1, ... in order of appearance, by replacing every
// case-insensitive occurrence of "name(" in the text.
// NOTE(review): the search text is not anchored on a word boundary, so "name("
// also matches the tail of a longer identifier and text inside string literals.
private static void RenameFunctions(ref string source)
{
MatchCollection toDo;
toDo = Regex.Matches(source, @"^Func (\w+)\(.*\)", RegexOptions.IgnoreCase | RegexOptions.Multiline);
for(int i = 0; i < toDo.Count; i++) {
string replace;
replace = Regex.Escape(String.Format("{0}(",toDo[i].Groups[1].Value));
source = Regex.Replace(source, replace, String.Format("method{0}(", i), RegexOptions.IgnoreCase);
}
}
// Replaces each Execute(BinaryToString("0x<hex>")) statement with the text the
// hex decodes to, unwrapping again while the decoded text still contains such
// a statement.
// NOTE(review): each round keeps only the decoded payload of the first nested
// match, so any other text in that layer is dropped from the output.
// NOTE(review): the loop has no round limit; it presumably ends because each
// layer decodes to shorter text - confirm against AutoShit.BinaryToString.
private static void ResolveEB2S(ref string source)
{
MatchCollection toDo;
toDo = Regex.Matches(source, "Execute\\(BinaryToString\\((\"|')0x[\\dA-F]+(\"|')\\)\\)", RegexOptions.IgnoreCase | RegexOptions.Multiline);
for(int i = 0; i < toDo.Count; i++) {
string workingOn;
Match lastMatch;
workingOn = toDo[i].Value;
while((lastMatch = Regex.Match(workingOn, "Execute\\(BinaryToString\\((\"|')(0x[\\dA-F]+)(\"|')\\)\\)", RegexOptions.IgnoreCase)).Success)
{
workingOn = AutoShit.BinaryToString(lastMatch.Groups[2].Value);
}
// Every identical occurrence of the original statement is replaced at once.
source = source.Replace(toDo[i].Value, workingOn);
}
}
// Turns every #OnAutoItStartRegister "name" directive into a plain call name().
private static void ResolveStartRegister(ref string source)
{
MatchCollection toDo;
toDo = Regex.Matches(source, "#OnAutoItStartRegister +\"(\\w+)\"");
for(int i = 0; i < toDo.Count; i++) {
string function;
function = toDo[i].Groups[1].Value;
source = source.Replace(toDo[i].Value, function + "()");
}
}
// Rebuilds the string table given in options.TblSource: splits it on
// options.Separator (empty entries dropped), emits a "Global $<ArrayName>[count+1]"
// declaration plus one assignment per entry at index i+1, and prepends that
// text to source - or, with SaveInFile, writes it to options.FileName and
// prepends an #include of that file instead.
// With ResolveAsciiCrypt, entries are decoded through AutoShit.BinaryToString,
// and calls of the form CryptMethodName($array[i]) or CryptMethodName("<hex>")
// are replaced by the array element or the decoded literal.
private static void ResolveExternalArrayVars(ref string source, ResolveExternalArrayVars options)
{
string[] values;
string attach, tblSource, separator, arrayName, fileName, cryptMethodName;
bool saveInFile, resolveAsciiCrypt;
MatchCollection coll;
tblSource = options.TblSource;
separator = options.Separator;
arrayName = options.ArrayName;
saveInFile = options.SaveInFile;
fileName = options.FileName;
resolveAsciiCrypt = options.ResolveAsciiCrypt;
cryptMethodName = options.CryptMethodName;
values = tblSource.Split(new string[] {separator}, StringSplitOptions.RemoveEmptyEntries);
attach = String.Format("Global ${0}[{1}]\r\n\r\n", arrayName, values.Length+1);
for(int i = 0; i < values.Length; i++){
if(resolveAsciiCrypt) {
string tmp;
tmp = AutoShit.BinaryToString(values[i], false);
// NOTE(review): the value is written between double quotes as-is; a quote
// inside it ends the literal early in the generated text (same for the
// else branch and for the literal rewrite further down).
attach += String.Format("${0}[{1}]=\"{2}\"\r\n", arrayName, i+1, tmp);
// NOTE(review): assignments use index i+1 but this rewrite uses i, so the
// call on the last index is never rewritten - looks like an off-by-one, confirm.
source = source.Replace(String.Format("{0}(${1}[{2}])", cryptMethodName, arrayName, i), String.Format("${0}[{1}]", arrayName, i));
} else {
attach += String.Format("${0}[{1}]=\"{2}\"\r\n", arrayName, i+1, values[i]);
}
}
attach += "\r\n";
if(resolveAsciiCrypt) {
// NOTE(review): CryptMethodName goes into the pattern without Regex.Escape,
// unlike the name handled in RenameFunctions.
coll = Regex.Matches(source, String.Format("{0}\\((\"|')([\\dA-F]+)(\"|')\\)", cryptMethodName), RegexOptions.Multiline | RegexOptions.IgnoreCase);
for(int i = 0; i < coll.Count; i++)
{
string tmp;
tmp = AutoShit.BinaryToString(coll[i].Groups[2].Value, false);
source = source.Replace(coll[i].Value, String.Format("\"{0}\"", tmp));
}
}
if(saveInFile) {
// NOTE(review): FileName is used as given and File.WriteAllText overwrites an
// existing file; the content written is derived from the analysed sample.
System.IO.File.WriteAllText(fileName, attach);
attach = String.Format("#include \"{0}\"\r\n", fileName);
}
source = attach + source;
}
}
// Switches for the individual passes of DummyDeobfuscator.Deobfuscate;
// REVOptions is read only when ResolveExternalArrayVars is set.
public struct DummyOptions
{
public bool RenameFunctions;
public bool ResolveEB2S;
public bool ResolveStartRegister;
public bool ResolveExternalArrayVars;
public ResolveExternalArrayVars REVOptions;
}
// Settings for the ResolveExternalArrayVars pass.
public struct ResolveExternalArrayVars
{
// Raw table text, split on Separator into the array entries.
public string TblSource;
public string Separator;
// Name of the generated array, written without the leading '$'.
public string ArrayName;
// When set, the generated table is written to FileName and #include'd.
public bool SaveInFile;
public string FileName;
// When set, entries and CryptMethodName(...) arguments are decoded.
public bool ResolveAsciiCrypt;
public string CryptMethodName;
}
*/
}