2012-07-27 02:12:12 +08:00
|
|
|
|
/*
|
2015-10-30 05:45:26 +08:00
|
|
|
|
Copyright (C) 2011-2015 de4dot@gmail.com
|
2012-07-27 02:12:12 +08:00
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
using System.Collections.Generic;
|
2012-12-23 04:08:29 +08:00
|
|
|
|
using dnlib.DotNet.Emit;
|
2012-07-27 02:12:12 +08:00
|
|
|
|
using de4dot.blocks;
|
|
|
|
|
using de4dot.blocks.cflow;
|
|
|
|
|
|
|
|
|
|
namespace de4dot.code.deobfuscators.Confuser {
|
|
|
|
|
class ConstantsFolder : BlockDeobfuscator {
|
2013-01-19 20:09:49 +08:00
|
|
|
|
protected override bool Deobfuscate(Block block) {
|
2012-07-27 02:12:12 +08:00
|
|
|
|
bool modified = false;
|
|
|
|
|
|
|
|
|
|
var instrs = block.Instructions;
|
2013-01-19 20:09:49 +08:00
|
|
|
|
var constantsReader = CreateConstantsReader(instrs);
|
2012-07-27 02:12:12 +08:00
|
|
|
|
for (int i = 0; i < instrs.Count; i++) {
|
|
|
|
|
int index = 0;
|
|
|
|
|
Instruction newInstr = null;
|
|
|
|
|
var instr = instrs[i];
|
2013-01-19 20:09:49 +08:00
|
|
|
|
if (constantsReader.IsLoadConstantInt32(instr.Instruction)) {
|
2012-07-27 02:12:12 +08:00
|
|
|
|
index = i;
|
|
|
|
|
int val;
|
2013-01-19 20:09:49 +08:00
|
|
|
|
if (!constantsReader.GetInt32(ref index, out val))
|
2012-07-27 02:12:12 +08:00
|
|
|
|
continue;
|
2012-11-19 06:42:43 +08:00
|
|
|
|
newInstr = Instruction.CreateLdcI4(val);
|
2012-07-27 02:12:12 +08:00
|
|
|
|
}
|
2013-01-19 20:09:49 +08:00
|
|
|
|
else if (constantsReader.IsLoadConstantInt64(instr.Instruction)) {
|
2012-07-27 02:12:12 +08:00
|
|
|
|
index = i;
|
|
|
|
|
long val;
|
2013-01-19 20:09:49 +08:00
|
|
|
|
if (!constantsReader.GetInt64(ref index, out val))
|
2012-07-27 02:12:12 +08:00
|
|
|
|
continue;
|
|
|
|
|
newInstr = Instruction.Create(OpCodes.Ldc_I8, val);
|
|
|
|
|
}
|
2013-01-19 20:09:49 +08:00
|
|
|
|
else if (constantsReader.IsLoadConstantDouble(instr.Instruction)) {
|
2012-07-31 07:16:35 +08:00
|
|
|
|
index = i;
|
|
|
|
|
double val;
|
2013-01-19 20:09:49 +08:00
|
|
|
|
if (!constantsReader.GetDouble(ref index, out val))
|
2012-07-31 07:16:35 +08:00
|
|
|
|
continue;
|
|
|
|
|
newInstr = Instruction.Create(OpCodes.Ldc_R8, val);
|
|
|
|
|
}
|
2012-07-27 02:12:12 +08:00
|
|
|
|
|
2012-07-31 07:16:35 +08:00
|
|
|
|
if (newInstr != null && index - i > 1) {
|
2013-01-19 20:09:49 +08:00
|
|
|
|
block.Insert(index++, Instruction.Create(OpCodes.Pop));
|
|
|
|
|
block.Insert(index++, newInstr);
|
2012-07-31 07:16:35 +08:00
|
|
|
|
i = index - 1;
|
2013-01-19 20:09:49 +08:00
|
|
|
|
constantsReader = CreateConstantsReader(instrs);
|
2012-07-31 07:16:35 +08:00
|
|
|
|
modified = true;
|
2012-07-27 02:12:12 +08:00
|
|
|
|
continue;
|
2012-07-31 07:16:35 +08:00
|
|
|
|
}
|
2012-07-27 02:12:12 +08:00
|
|
|
|
|
2012-07-31 07:16:35 +08:00
|
|
|
|
// Convert ldc.r4/r8 followed by conv to the appropriate ldc.i4/i8 instr
|
|
|
|
|
if (i + 1 < instrs.Count && (instr.OpCode.Code == Code.Ldc_R4 || instr.OpCode.Code == Code.Ldc_R8)) {
|
|
|
|
|
var conv = instrs[i + 1];
|
2017-01-05 20:46:04 +08:00
|
|
|
|
/*int vali32 = instr.OpCode.Code == Code.Ldc_R4 ? (int)(float)instr.Operand : (int)(double)instr.Operand;
|
2012-07-31 07:16:35 +08:00
|
|
|
|
long vali64 = instr.OpCode.Code == Code.Ldc_R4 ? (long)(float)instr.Operand : (long)(double)instr.Operand;
|
|
|
|
|
uint valu32 = instr.OpCode.Code == Code.Ldc_R4 ? (uint)(float)instr.Operand : (uint)(double)instr.Operand;
|
2017-01-05 20:46:04 +08:00
|
|
|
|
ulong valu64 = instr.OpCode.Code == Code.Ldc_R4 ? (ulong)(float)instr.Operand : (ulong)(double)instr.Operand;*/
|
2012-07-31 07:16:35 +08:00
|
|
|
|
switch (conv.OpCode.Code) {
|
|
|
|
|
case Code.Conv_I1:
|
2012-11-19 06:42:43 +08:00
|
|
|
|
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (sbyte)(float)instr.Operand : (sbyte)(double)instr.Operand);
|
2012-07-31 07:16:35 +08:00
|
|
|
|
break;
|
|
|
|
|
case Code.Conv_U1:
|
2012-11-19 06:42:43 +08:00
|
|
|
|
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (byte)(float)instr.Operand : (byte)(double)instr.Operand);
|
2012-07-31 07:16:35 +08:00
|
|
|
|
break;
|
|
|
|
|
case Code.Conv_I2:
|
2012-11-19 06:42:43 +08:00
|
|
|
|
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (short)(float)instr.Operand : (short)(double)instr.Operand);
|
2012-07-31 07:16:35 +08:00
|
|
|
|
break;
|
|
|
|
|
case Code.Conv_U2:
|
2012-11-19 06:42:43 +08:00
|
|
|
|
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (ushort)(float)instr.Operand : (ushort)(double)instr.Operand);
|
2012-07-31 07:16:35 +08:00
|
|
|
|
break;
|
|
|
|
|
case Code.Conv_I4:
|
2012-11-19 06:42:43 +08:00
|
|
|
|
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (int)(float)instr.Operand : (int)(double)instr.Operand);
|
2012-07-31 07:16:35 +08:00
|
|
|
|
break;
|
|
|
|
|
case Code.Conv_U4:
|
2012-11-19 06:42:43 +08:00
|
|
|
|
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (int)(uint)(float)instr.Operand : (int)(uint)(double)instr.Operand);
|
2012-07-31 07:16:35 +08:00
|
|
|
|
break;
|
|
|
|
|
case Code.Conv_I8:
|
|
|
|
|
newInstr = Instruction.Create(OpCodes.Ldc_I8, instr.OpCode.Code == Code.Ldc_R4 ? (long)(float)instr.Operand : (long)(double)instr.Operand);
|
|
|
|
|
break;
|
|
|
|
|
case Code.Conv_U8:
|
|
|
|
|
newInstr = Instruction.Create(OpCodes.Ldc_I8, instr.OpCode.Code == Code.Ldc_R4 ? (ulong)(float)instr.Operand : (ulong)(double)instr.Operand);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
newInstr = null;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (newInstr != null) {
|
2013-01-19 20:09:49 +08:00
|
|
|
|
block.Replace(i, 2, newInstr);
|
|
|
|
|
constantsReader = CreateConstantsReader(instrs);
|
2012-07-31 07:16:35 +08:00
|
|
|
|
modified = true;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
}
|
2012-07-27 02:12:12 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return modified;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
static ConstantsReader CreateConstantsReader(IList<Instr> instrs) {
|
2012-07-27 02:12:12 +08:00
|
|
|
|
return new ConstantsReader(instrs, false);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|