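// Posted May 11, 2015
//
// Hi, I'm new to de4dot modding, so when I finally made this work I wanted to share it with everyone.
//
// Open the de4dot source (be sure that you can compile it; video credit to @li0nsar3c00l).
// Then go to de4dot.code/deobfuscators, create a new folder (Phoneix_Protector), create two
// classes, Deobfuscator.cs and StringDecrypter.cs, and paste this code.

// ---------------------------------------------------------------------------
// Deobfuscator.cs
// ---------------------------------------------------------------------------
using System.Collections.Generic;
using dnlib.DotNet;
using de4dot.blocks;

namespace de4dot.code.deobfuscators.Phoneix_Protector
{
    /// <summary>
    /// Describes this deobfuscator (display name and short type code) and creates
    /// <see cref="Deobfuscator"/> instances.
    /// </summary>
    public class DeobfuscatorInfo : DeobfuscatorInfoBase
    {
        public const string THE_NAME = "Phoneix Protector";
        public const string THE_TYPE = "pp";
        const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;

        public DeobfuscatorInfo()
            : base(DEFAULT_REGEX)
        {
        }

        public override string Name
        {
            get { return THE_NAME; }
        }

        public override string Type
        {
            get { return THE_TYPE; }
        }

        /// <summary>Creates a deobfuscator with resource renaming in code switched off.</summary>
        public override IDeobfuscator CreateDeobfuscator()
        {
            return new Deobfuscator(new Deobfuscator.Options
            {
                RenameResourcesInCode = false,
                ValidNameRegex = validNameRegex.Get(),
            });
        }
    }

    /// <summary>
    /// Detects a protected module, inlines its encrypted strings and marks the
    /// decrypter for removal.
    /// </summary>
    class Deobfuscator : DeobfuscatorBase
    {
        Options options;
        string obfuscatorName = "Phoneix Protector";
        StringDecrypter stringDecrypter;
        bool foundPhoneixAttribute = false;

        internal class Options : OptionsBase
        {
        }

        public override string Type
        {
            get { return DeobfuscatorInfo.THE_TYPE; }
        }

        public override string TypeLong
        {
            get { return DeobfuscatorInfo.THE_NAME; }
        }

        public override string Name
        {
            get { return obfuscatorName; }
        }

        public Deobfuscator(Options options)
            : base(options)
        {
            this.options = options;
        }

        /// <summary>
        /// Main detect function: returns a score built from the two signals gathered by
        /// <see cref="ScanForObfuscator"/>.
        /// </summary>
        /// <returns>100 if a decrypter method was found, plus 10 if the namespace marker was seen.</returns>
        protected override int DetectInternal()
        {
            int val = 0;
            if (stringDecrypter.Detected)
                val += 100;
            if (foundPhoneixAttribute)
                val += 10;
            return val;
        }

        /// <summary>Main scan function: looks for the string decrypter, then for the namespace marker.</summary>
        protected override void ScanForObfuscator()
        {
            stringDecrypter = new StringDecrypter(module);
            stringDecrypter.Find(DeobfuscatedFile);
            FindPhoneixAttribute();
        }

        /// <summary>
        /// Sets <c>foundPhoneixAttribute</c> when any type's namespace both starts and ends
        /// with the marker string.
        /// </summary>
        void FindPhoneixAttribute()
        {
            foreach (var type in module.Types)
            {
                // NOTE(review): the "?" literals may be non-ASCII characters that were lost when
                // the post was rendered; confirm against a protected sample. As written, the check
                // also matches a namespace that is the single character "?".
                if (type.Namespace.StartsWith("?") && type.Namespace.EndsWith("?"))
                {
                    foundPhoneixAttribute = true;
                    return;
                }
            }
        }

        /// <summary>Registers every detected decrypter method with the static string inliner.</summary>
        public override void DeobfuscateBegin()
        {
            base.DeobfuscateBegin();

            // Decrypt all strings: each call to a decrypter is resolved with the local Decrypt().
            foreach (var info in stringDecrypter.StringDecrypterInfos)
                staticStringInliner.Add(info.method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0]));

            DeobfuscatedFile.StringDecryptersAdded();
        }

        /// <summary>Marks the decrypter methods and their declaring type for removal, when allowed.</summary>
        public override void DeobfuscateEnd()
        {
            if (CanRemoveStringDecrypterType)
            {
                // Author's note: removes the string-decrypt methods, e.g. class1.decriptstring().
                AddMethodsToBeRemoved(stringDecrypter.StringDecrypters, "String Decrypter Method");
                // Author's note: removes the Phoneix class that holds the decrypter.
                AddTypeToBeRemoved(stringDecrypter.Type, "String Derypter Type");
            }
            base.DeobfuscateEnd();
        }

        /// <summary>Returns the metadata tokens of all detected decrypter methods.</summary>
        public override IEnumerable<int> GetStringDecrypterMethods()
        {
            var list = new List<int>();
            foreach (var method in stringDecrypter.StringDecrypters)
                list.Add(method.MDToken.ToInt32());
            return list;
        }
    }
}

// ---------------------------------------------------------------------------
// StringDecrypter.cs (labelled "StringDecrypt.cs" in the post)
// ---------------------------------------------------------------------------
using System.Collections.Generic;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using de4dot.blocks;

namespace de4dot.code.deobfuscators.Phoneix_Protector
{
    /// <summary>
    /// Finds the protector's string decrypter methods by IL shape and reproduces the
    /// decryption locally.
    /// </summary>
    class StringDecrypter
    {
        // Number of consecutive instructions the matcher inspects (offsets i .. i + 11).
        const int PatternLength = 12;

        ModuleDefMD module;
        MethodDefAndDeclaringTypeDict<StringDecrypterInfo> stringDecrypterMethods = new MethodDefAndDeclaringTypeDict<StringDecrypterInfo>();
        TypeDef stringDecrypterType;

        /// <summary>Declaring type of the most recently matched decrypter method.</summary>
        public TypeDef Type
        {
            get { return stringDecrypterType; }
        }

        public class StringDecrypterInfo
        {
            public MethodDef method;

            public StringDecrypterInfo(MethodDef method)
            {
                this.method = method;
            }
        }

        /// <summary>True once at least one decrypter method has been matched.</summary>
        public bool Detected
        {
            get { return stringDecrypterMethods.Count > 0; }
        }

        /// <summary>All matched decrypter methods.</summary>
        public IEnumerable<MethodDef> StringDecrypters
        {
            get
            {
                var list = new List<MethodDef>(stringDecrypterMethods.Count);
                foreach (var info in stringDecrypterMethods.GetValues())
                    list.Add(info.method);
                return list;
            }
        }

        public IEnumerable<StringDecrypterInfo> StringDecrypterInfos
        {
            get { return stringDecrypterMethods.GetValues(); }
        }

        public StringDecrypter(ModuleDefMD module)
        {
            this.module = module;
        }

        /// <summary>Scans every type of the module for decrypter methods.</summary>
        public void Find(ISimpleDeobfuscator simpleDeobfuscator)
        {
            foreach (var type in module.GetTypes())
            {
                FindStringDecrypterMethods(type, simpleDeobfuscator);
            }
        }

        /// <summary>
        /// Searches <paramref name="type"/> for string(string) methods whose body contains the
        /// decrypter's instruction pattern and records each match.
        /// </summary>
        void FindStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator)
        {
            foreach (var method in DotNetUtils.FindMethods(type.Methods, "System.String", new string[] { "System.String" }))
            {
                if (method.Body.HasExceptionHandlers)
                    continue;
                if (DotNetUtils.GetMethodCalls(method, "System.String System.String::Intern(System.String)") != 1)
                    continue;

                simpleDeobfuscator.Deobfuscate(method);
                var instrs = method.Body.Instructions;

                // The pattern reads instrs[i] .. instrs[i + 11], so stop while that whole window
                // is still inside the body. The posted bound (Count - 3) let a short or crafted
                // method body index past the end and abort the run with an exception; the
                // input here is an untrusted assembly.
                for (int i = 0; i + PatternLength - 1 < instrs.Count; i++)
                {
                    // Start of the decrypt function's IL (a prefix of it, not the whole body).
                    if (!instrs[i].IsLdarg() || instrs[i].GetParameterIndex() != 0)
                        continue;
                    if (instrs[i + 1].OpCode.Code != Code.Callvirt)
                        continue;
                    if (!instrs[i + 2].IsStloc())
                        continue;
                    if (!instrs[i + 3].IsLdloc())
                        continue;
                    if (instrs[i + 4].OpCode.Code != Code.Newarr)
                        continue;
                    if (!instrs[i + 5].IsStloc())
                        continue;
                    if (!instrs[i + 6].IsLdcI4())
                        continue;
                    if (!instrs[i + 7].IsStloc())
                        continue;
                    if (instrs[i + 8].OpCode.Code != Code.Br_S)
                        continue;
                    if (!instrs[i + 9].IsLdarg())
                        continue;
                    if (!instrs[i + 10].IsLdloc())
                        continue;
                    if (instrs[i + 11].OpCode.Code != Code.Callvirt)
                        continue;
                    // Author's note: the match could be continued over more IL, but this is enough.

                    var info = new StringDecrypterInfo(method);
                    stringDecrypterMethods.Add(info.method, info);
                    stringDecrypterType = method.DeclaringType; // class of the string decrypt function
                    // NOTE(review): the message has no "{0}" placeholder, so the method name passed
                    // as the second argument is probably not printed; confirm against Logger.v.
                    Logger.v("Found string decrypter method", Utils.RemoveNewlines(info.method));
                    break;
                }
            }
        }

        /// <summary>
        /// Decrypts one protected string. The result is computed here; nothing in the analysed
        /// module is called to obtain it.
        /// </summary>
        /// <param name="str">Encrypted string constant taken from the call site.</param>
        /// <returns>The interned plaintext, with the same length as <paramref name="str"/>.</returns>
        public string Decrypt(string str)
        {
            var chrArr = new char[str.Length];
            for (int i = 0; i < chrArr.Length; i++)
            {
                char c = str[i];
                int high = (byte)((c >> 8) ^ i);
                int low = (byte)(c ^ (chrArr.Length - i));

                // Cast straight to char. The posted code went through char.ConvertFromUtf32(...)[0],
                // which yields the same char for every other 16-bit value but throws when the
                // result lands in the surrogate range (0xD800-0xDFFF), so one odd input string
                // could abort the run.
                chrArr[i] = (char)((high << 8) | low);
            }
            return string.Intern(new string(chrArr));
        }
    }
}

// And in the end, don't forget to add
//     new de4dot.code.deobfuscators.Phoneix_Protector.DeobfuscatorInfo()
// in de4dot.cui/program.cs.
//
// I also added comments for better understanding; hope it was useful.
// Credit goes to 0xd4d: his XenoCode decrypt, because this is mostly a copy of it.
// Happy De4Dot Modding
// TheProxy
// Edited May 11, 2015 by TheProxy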