monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rename cecil names; add new MemberRefFinder class

Browse Source
This commit is contained in:
de4dot 2012-11-02 15:57:11 +01:00
parent ab318e43e5
commit 00177034b9
178 changed files with 2479 additions and 2489 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
de4dot.code/DeobfuscatorContext.cs
View File

@ -58,20 +58,20 @@ namespace de4dot.code {
return type.ElementType;
}
public TypeDefinition resolve(TypeReference type) {
public TypeDef resolve(TypeReference type) {
if (type == null)
return null;
var typeDef = getNonGenericTypeReference(type) as TypeDefinition;
var typeDef = getNonGenericTypeReference(type) as TypeDef;
if (typeDef != null)
return typeDef;
return externalAssemblies.resolve(type);
}
public MethodDefinition resolve(MethodReference method) {
public MethodDef resolve(MethodReference method) {
if (method == null)
return null;
var methodDef = method as MethodDefinition;
var methodDef = method as MethodDef;
if (methodDef != null)
return methodDef;
@ -87,10 +87,10 @@ namespace de4dot.code {
return null;
}
public FieldDefinition resolve(FieldReference field) {
public FieldDef resolve(FieldReference field) {
if (field == null)
return null;
var fieldDef = field as FieldDefinition;
var fieldDef = field as FieldDef;
if (fieldDef != null)
return fieldDef;

2
de4dot.code/de4dot.code.csproj
View File

@ -277,7 +277,7 @@
<None Include="renamer\asmmodules\FieldDef.cs" />
<None Include="renamer\asmmodules\GenericParamDef.cs" />
<None Include="renamer\asmmodules\IResolver.cs" />
<None Include="renamer\asmmodules\MemberRefFinder.cs" />
<Compile Include="renamer\asmmodules\MemberRefFinder.cs" />
<None Include="renamer\asmmodules\MethodDef.cs" />
<None Include="renamer\asmmodules\MethodNameGroups.cs" />
<None Include="renamer\asmmodules\Module.cs" />

14
de4dot.code/deobfuscators/Babel_NET/AssemblyResolver.cs
View File

@ -19,15 +19,15 @@
using System;
using System.IO;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Babel_NET {
class AssemblyResolver {
ModuleDefinition module;
ResourceDecrypter resourceDecrypter;
TypeDefinition resolverType;
MethodDefinition registerMethod;
TypeDef resolverType;
MethodDef registerMethod;
EmbeddedResource encryptedResource;
EmbeddedAssemblyInfo[] embeddedAssemblyInfos = new EmbeddedAssemblyInfo[0];
@ -47,11 +47,11 @@ namespace de4dot.code.deobfuscators.Babel_NET {
get { return resolverType != null; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return resolverType; }
}
public MethodDefinition InitMethod {
public MethodDef InitMethod {
get { return registerMethod; }
}
@ -80,7 +80,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
if (!new FieldTypes(type).exactly(requiredTypes))
continue;
MethodDefinition regMethod, handler;
MethodDef regMethod, handler;
if (!BabelUtils.findRegisterMethod(type, out regMethod, out handler))
continue;
@ -95,7 +95,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
}
static MethodDefinition findDecryptMethod(TypeDefinition type) {
static MethodDef findDecryptMethod(TypeDef type) {
foreach (var method in type.Methods) {
if (!DotNetUtils.isMethod(method, "System.Void", "(System.IO.Stream)"))
continue;

18
de4dot.code/deobfuscators/Babel_NET/BabelMethodCallInliner.cs
View File

@ -18,8 +18,8 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
using de4dot.blocks.cflow;
@ -35,12 +35,12 @@ namespace de4dot.code.deobfuscators.Babel_NET {
branchEmulator = new BranchEmulator(emulator, this);
}
public static List<MethodDefinition> find(ModuleDefinition module, IEnumerable<MethodDefinition> notInlinedMethods) {
var notInlinedMethodsDict = new Dictionary<MethodDefinition, bool>();
public static List<MethodDef> find(ModuleDefinition module, IEnumerable<MethodDef> notInlinedMethods) {
var notInlinedMethodsDict = new Dictionary<MethodDef, bool>();
foreach (var method in notInlinedMethods)
notInlinedMethodsDict[method] = true;
var inlinedMethods = new List<MethodDefinition>();
var inlinedMethods = new List<MethodDef>();
foreach (var type in module.GetTypes()) {
foreach (var method in type.Methods) {
@ -83,7 +83,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return changed;
}
static bool canInline(MethodDefinition method) {
static bool canInline(MethodDef method) {
if (!DotNetUtils.isMethod(method, "System.Int32", "(System.Int32)"))
return false;
if (!method.IsAssembly)
@ -94,12 +94,12 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return method.IsStatic;
}
bool canInline2(MethodDefinition method) {
bool canInline2(MethodDef method) {
return canInline(method) && method != blocks.Method;
}
bool inlineMethod(Instruction callInstr, int instrIndex) {
var methodToInline = callInstr.Operand as MethodDefinition;
var methodToInline = callInstr.Operand as MethodDef;
if (methodToInline == null)
return false;
@ -124,7 +124,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return true;
}
bool getNewValue(MethodDefinition method, int arg, out int newValue) {
bool getNewValue(MethodDef method, int arg, out int newValue) {
newValue = 0;
emulator.init(method);
emulator.setArg(method.Parameters[0], new Int32Value(arg));

18
de4dot.code/deobfuscators/Babel_NET/BabelUtils.cs
View File

@ -19,24 +19,24 @@
using System.Collections.Generic;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Babel_NET {
static class BabelUtils {
public static EmbeddedResource findEmbeddedResource(ModuleDefinition module, TypeDefinition decrypterType) {
public static EmbeddedResource findEmbeddedResource(ModuleDefinition module, TypeDef decrypterType) {
return findEmbeddedResource(module, decrypterType, (method) => { });
}
public static EmbeddedResource findEmbeddedResource(ModuleDefinition module, TypeDefinition decrypterType, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
public static EmbeddedResource findEmbeddedResource(ModuleDefinition module, TypeDef decrypterType, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
return findEmbeddedResource(module, decrypterType, (method) => {
simpleDeobfuscator.deobfuscate(method);
simpleDeobfuscator.decryptStrings(method, deob);
});
}
public static EmbeddedResource findEmbeddedResource(ModuleDefinition module, TypeDefinition decrypterType, Action<MethodDefinition> fixMethod) {
public static EmbeddedResource findEmbeddedResource(ModuleDefinition module, TypeDef decrypterType, Action<MethodDef> fixMethod) {
foreach (var method in decrypterType.Methods) {
if (!DotNetUtils.isMethod(method, "System.String", "()"))
continue;
@ -50,7 +50,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return null;
}
static EmbeddedResource findEmbeddedResource1(ModuleDefinition module, MethodDefinition method) {
static EmbeddedResource findEmbeddedResource1(ModuleDefinition module, MethodDef method) {
foreach (var s in DotNetUtils.getCodeStrings(method)) {
var resource = DotNetUtils.getResource(module, s) as EmbeddedResource;
if (resource != null)
@ -59,7 +59,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return null;
}
static EmbeddedResource findEmbeddedResource2(ModuleDefinition module, MethodDefinition method) {
static EmbeddedResource findEmbeddedResource2(ModuleDefinition module, MethodDef method) {
var strings = new List<string>(DotNetUtils.getCodeStrings(method));
if (strings.Count != 1)
return null;
@ -75,7 +75,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return DotNetUtils.getResource(module, sb.ToString()) as EmbeddedResource;
}
static bool getXorKey2(MethodDefinition method, out int xorKey) {
static bool getXorKey2(MethodDef method, out int xorKey) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++) {
var ldelem = instrs[i];
@ -97,7 +97,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return false;
}
public static bool findRegisterMethod(TypeDefinition type, out MethodDefinition regMethod, out MethodDefinition handler) {
public static bool findRegisterMethod(TypeDef type, out MethodDef regMethod, out MethodDef handler) {
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;

40
de4dot.code/deobfuscators/Babel_NET/ConstantsDecrypter.cs
View File

@ -21,8 +21,8 @@ using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Babel_NET {
@ -30,12 +30,12 @@ namespace de4dot.code.deobfuscators.Babel_NET {
ModuleDefinition module;
ResourceDecrypter resourceDecrypter;
InitializedDataCreator initializedDataCreator;
TypeDefinition decrypterType;
MethodDefinition int32Decrypter;
MethodDefinition int64Decrypter;
MethodDefinition singleDecrypter;
MethodDefinition doubleDecrypter;
MethodDefinition arrayDecrypter;
TypeDef decrypterType;
MethodDef int32Decrypter;
MethodDef int64Decrypter;
MethodDef singleDecrypter;
MethodDef doubleDecrypter;
MethodDef arrayDecrypter;
EmbeddedResource encryptedResource;
int[] decryptedInts;
long[] decryptedLongs;
@ -54,27 +54,27 @@ namespace de4dot.code.deobfuscators.Babel_NET {
get { return encryptedResource; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return decrypterType; }
}
public MethodDefinition Int32Decrypter {
public MethodDef Int32Decrypter {
get { return int32Decrypter; }
}
public MethodDefinition Int64Decrypter {
public MethodDef Int64Decrypter {
get { return int64Decrypter; }
}
public MethodDefinition SingleDecrypter {
public MethodDef SingleDecrypter {
get { return singleDecrypter; }
}
public MethodDefinition DoubleDecrypter {
public MethodDef DoubleDecrypter {
get { return doubleDecrypter; }
}
public MethodDefinition ArrayDecrypter {
public MethodDef ArrayDecrypter {
get { return arrayDecrypter; }
}
@ -99,7 +99,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
}
bool isConstantDecrypter(TypeDefinition type) {
bool isConstantDecrypter(TypeDef type) {
if (type.HasEvents)
return false;
if (type.NestedTypes.Count != 1)
@ -131,7 +131,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
"System.Single[]",
"System.Double[]",
};
bool checkNestedFields(TypeDefinition nested) {
bool checkNestedFields(TypeDef nested) {
if (!new FieldTypes(nested).all(requiredTypes))
return false;
foreach (var field in nested.Fields) {
@ -193,11 +193,11 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
struct ArrayInfo {
public FieldDefinition encryptedField;
public FieldDef encryptedField;
public ArrayType arrayType;
public int start, len;
public ArrayInfo(int start, int len, FieldDefinition encryptedField, ArrayType arrayType) {
public ArrayInfo(int start, int len, FieldDef encryptedField, ArrayType arrayType) {
this.start = start;
this.len = len;
this.encryptedField = encryptedField;
@ -232,7 +232,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
var ldtoken = instrs[index++];
if (ldtoken.OpCode.Code != Code.Ldtoken)
continue;
var field = ldtoken.Operand as FieldDefinition;
var field = ldtoken.Operand as FieldDef;
if (field == null)
continue;
@ -255,7 +255,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
if (arrayType == null)
continue;
if (arrayType.ElementType.GetPrimitiveSize() == -1) {
Log.w("Can't decrypt non-primitive type array in method {0}", blocks.Method.MetadataToken.ToInt32());
Log.w("Can't decrypt non-primitive type array in method {0}", blocks.Method.MDToken.ToInt32());
continue;
}

6
de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs
View File

@ -19,7 +19,7 @@
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
using de4dot.blocks.cflow;
@ -182,7 +182,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
}
void checkVersion(TypeDefinition attr) {
void checkVersion(TypeDef attr) {
var versionField = DotNetUtils.getFieldByName(attr, "Version");
if (versionField != null && versionField.IsLiteral && versionField.Constant != null && versionField.Constant is string) {
var val = Regex.Match((string)versionField.Constant, @"^(\d+\.\d+\.\d+\.\d+)$");
@ -296,7 +296,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
public override IEnumerable<int> getStringDecrypterMethods() {
var list = new List<int>();
if (stringDecrypter.DecryptMethod != null)
list.Add(stringDecrypter.DecryptMethod.MetadataToken.ToInt32());
list.Add(stringDecrypter.DecryptMethod.MDToken.ToInt32());
return list;
}
}

20
de4dot.code/deobfuscators/Babel_NET/ImageReader.cs
View File

@ -22,8 +22,8 @@ using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.IO;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Babel_NET {
@ -104,7 +104,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
initializeTypeReferences(typeReferencesOffset);
}
public void restore(string name, MethodDefinition method) {
public void restore(string name, MethodDef method) {
var babelMethod = getMethod(name);
var body = method.Body;
@ -170,10 +170,10 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return memberReferenceConverter.convert(fields[0]);
}
static List<FieldDefinition> getFields(TypeDefinition type, string name) {
static List<FieldDef> getFields(TypeDef type, string name) {
if (type == null)
return null;
var fields = new List<FieldDefinition>();
var fields = new List<FieldDef>();
foreach (var field in type.Fields) {
if (field.Name == name)
fields.Add(field);
@ -215,7 +215,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return methods[0];
}
List<MethodReference> getMethods(TypeDefinition declaringType, BabelMethodreference babelMethodRef) {
List<MethodReference> getMethods(TypeDef declaringType, BabelMethodreference babelMethodRef) {
var methods = new List<MethodReference>();
var git = babelMethodRef.DeclaringType as GenericInstanceType;
@ -257,9 +257,9 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return true;
}
TypeDefinition resolve(TypeReference type) {
if (type is TypeDefinition)
return (TypeDefinition)type;
TypeDef resolve(TypeReference type) {
if (type is TypeDef)
return (TypeDef)type;
if (type.IsGenericInstance)
type = ((GenericInstanceType)type).ElementType;
@ -400,7 +400,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
bool isValueType(TypeReference typeRef) {
var typeDef = typeRef as TypeDefinition;
var typeDef = typeRef as TypeDef;
if (typeDef != null)
return typeDef.IsValueType;

18
de4dot.code/deobfuscators/Babel_NET/InflaterCreator.cs
View File

@ -18,17 +18,17 @@
*/
using ICSharpCode.SharpZipLib.Zip.Compression;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Babel_NET {
class InflaterCreator {
public static Inflater create(MethodDefinition method, bool noHeader) {
public static Inflater create(MethodDef method, bool noHeader) {
return create(findInflaterType(method), noHeader);
}
public static Inflater create(TypeDefinition inflaterType, bool noHeader) {
public static Inflater create(TypeDef inflaterType, bool noHeader) {
if (inflaterType == null)
return createNormal(noHeader);
var initHeaderMethod = findInitHeaderMethod(inflaterType);
@ -50,13 +50,13 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return new Inflater(noHeader);
}
static TypeDefinition findInflaterType(MethodDefinition method) {
static TypeDef findInflaterType(MethodDef method) {
if (method == null || method.Body == null)
return null;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call)
continue;
var calledMethod = instr.Operand as MethodDefinition;
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null || !calledMethod.IsStatic)
continue;
@ -70,7 +70,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return null;
}
static MethodDefinition findInitHeaderMethod(TypeDefinition inflaterType) {
static MethodDef findInitHeaderMethod(TypeDef inflaterType) {
foreach (var nested in inflaterType.NestedTypes) {
var method = findInitHeaderMethod2(nested);
if (method != null)
@ -79,7 +79,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return null;
}
static MethodDefinition findInitHeaderMethod2(TypeDefinition nested) {
static MethodDef findInitHeaderMethod2(TypeDef nested) {
foreach (var method in nested.Methods) {
if (method.IsStatic || method.Body == null)
continue;
@ -92,7 +92,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return null;
}
static int? getMagic(MethodDefinition method) {
static int? getMagic(MethodDef method) {
if (method == null || method.Body == null)
return null;
var instrs = method.Body.Instructions;

16
de4dot.code/deobfuscators/Babel_NET/MemberReferenceConverter.cs
View File

@ -18,7 +18,7 @@
*/
using System;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Babel_NET {
@ -35,7 +35,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
public TypeReference convert(TypeReference a) {
var newOne = update(a);
if (!(a is GenericParameter) && !MemberReferenceHelper.compareTypes(newOne, a))
if (!(a is GenericParam) && !MemberReferenceHelper.compareTypes(newOne, a))
throw new ApplicationException("Could not convert type reference");
return newOne;
}
@ -46,7 +46,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
var newTypeRef = new TypeReference(a.Namespace, a.Name, Module, memberReferenceConverter.convert(a.Scope), a.IsValueType);
foreach (var gp in a.GenericParameters)
newTypeRef.GenericParameters.Add(new GenericParameter(gp.Name, newTypeRef));
newTypeRef.GenericParameters.Add(new GenericParam(gp.Name, newTypeRef));
newTypeRef.DeclaringType = update(a.DeclaringType);
newTypeRef.UpdateElementType();
return newTypeRef;
@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
public MethodReference convert(MethodReference methodRef) {
if (methodRef.GetType() != typeof(MethodReference) && methodRef.GetType() != typeof(MethodDefinition))
if (methodRef.GetType() != typeof(MethodReference) && methodRef.GetType() != typeof(MethodDef))
throw new ApplicationException("Invalid method reference type");
if (isInOurModule(methodRef))
return tryGetMethodDefinition(methodRef);
@ -93,7 +93,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
public MethodReference copy(MethodReference methodRef) {
if (methodRef.GetType() != typeof(MethodReference) && methodRef.GetType() != typeof(MethodDefinition))
if (methodRef.GetType() != typeof(MethodReference) && methodRef.GetType() != typeof(MethodDef))
throw new ApplicationException("Invalid method reference type");
var newMethodRef = new MethodReference(methodRef.Name, convert(methodRef.MethodReturnType.ReturnType), convert(methodRef.DeclaringType));
@ -103,7 +103,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
foreach (var param in methodRef.Parameters)
newMethodRef.Parameters.Add(new ParameterDefinition(param.Name, param.Attributes, convert(param.ParameterType)));
foreach (var gp in methodRef.GenericParameters)
newMethodRef.GenericParameters.Add(new GenericParameter(gp.Name, newMethodRef));
newMethodRef.GenericParameters.Add(new GenericParam(gp.Name, newMethodRef));
return newMethodRef;
}
@ -139,7 +139,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
public FieldReference tryGetFieldDefinition(FieldReference fieldRef) {
var fieldDef = fieldRef as FieldDefinition;
var fieldDef = fieldRef as FieldDef;
if (fieldDef != null)
return fieldDef;
@ -150,7 +150,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
public MethodReference tryGetMethodDefinition(MethodReference methodRef) {
var methodDef = methodRef as MethodDefinition;
var methodDef = methodRef as MethodDef;
if (methodDef != null)
return methodDef;

4
de4dot.code/deobfuscators/Babel_NET/MethodBodyReader.cs
View File

@ -19,8 +19,8 @@
using System;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
namespace de4dot.code.deobfuscators.Babel_NET {
class MethodBodyReader : MethodBodyReaderBase {

6
de4dot.code/deobfuscators/Babel_NET/MethodReferenceReader.cs
View File

@ -20,8 +20,8 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Collections.Generic;
namespace de4dot.code.deobfuscators.Babel_NET {
@ -49,7 +49,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
get { return new Collection<TypeReference>(GenericArguments); }
}
MetadataToken IMetadataTokenProvider.MetadataToken {
MetadataToken IMetadataTokenProvider.MDToken {
get { throw new NotImplementedException(); }
set { throw new NotImplementedException(); }
}

28
de4dot.code/deobfuscators/Babel_NET/MethodsDecrypter.cs
View File

@ -20,8 +20,8 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Babel_NET {
@ -30,9 +30,9 @@ namespace de4dot.code.deobfuscators.Babel_NET {
ResourceDecrypter resourceDecrypter;
IDeobfuscatorContext deobfuscatorContext;
Dictionary<string, ImageReader> imageReaders = new Dictionary<string, ImageReader>(StringComparer.Ordinal);
TypeDefinition methodsDecrypterCreator;
TypeDefinition methodsDecrypter;
MethodDefinition decryptExecuteMethod;
TypeDef methodsDecrypterCreator;
TypeDef methodsDecrypter;
MethodDef decryptExecuteMethod;
EmbeddedResource encryptedResource;
public bool Detected {
@ -73,7 +73,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
}
static MethodDefinition findDecryptMethod(TypeDefinition type) {
static MethodDef findDecryptMethod(TypeDef type) {
foreach (var method in type.Methods) {
var decryptMethod = ResourceDecrypter.findDecrypterMethod(method);
if (decryptMethod != null)
@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return null;
}
TypeDefinition findMethodsDecrypterType(TypeDefinition type) {
TypeDef findMethodsDecrypterType(TypeDef type) {
foreach (var field in type.Fields) {
var fieldType = DotNetUtils.getType(module, field.FieldType);
if (fieldType == null)
@ -124,7 +124,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
class EncryptInfo {
public string encryptedMethodName;
public string feature;
public MethodDefinition method;
public MethodDef method;
public string FullName {
get {
@ -134,7 +134,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
}
public EncryptInfo(string encryptedMethodName, string feature, MethodDefinition method) {
public EncryptInfo(string encryptedMethodName, string feature, MethodDef method) {
this.encryptedMethodName = encryptedMethodName;
this.feature = feature;
this.method = method;
@ -142,9 +142,9 @@ namespace de4dot.code.deobfuscators.Babel_NET {
public override string ToString() {
if (feature != "")
return string.Format("{0}:{1} {2:X8}", feature, encryptedMethodName, method.MetadataToken.ToInt32());
return string.Format("{0}:{1} {2:X8}", feature, encryptedMethodName, method.MDToken.ToInt32());
else
return string.Format("{0} {1:X8}", encryptedMethodName, method.MetadataToken.ToInt32());
return string.Format("{0} {1:X8}", encryptedMethodName, method.MDToken.ToInt32());
}
}
@ -158,7 +158,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
numNonDecryptedMethods++;
continue;
}
Log.v("Decrypting method {0:X8}", info.method.MetadataToken.ToInt32());
Log.v("Decrypting method {0:X8}", info.method.MDToken.ToInt32());
imageReader.restore(info.FullName, info.method);
}
if (numNonDecryptedMethods > 0)
@ -214,7 +214,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return infos;
}
bool checkEncryptedMethod(MethodDefinition method, out EncryptInfo info) {
bool checkEncryptedMethod(MethodDef method, out EncryptInfo info) {
info = null;
if (method.Body == null)
return false;
@ -237,7 +237,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return true;
}
bool callsExecuteMethod(MethodDefinition method) {
bool callsExecuteMethod(MethodDef method) {
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
continue;

10
de4dot.code/deobfuscators/Babel_NET/ProxyCallFixer.cs
View File

@ -19,8 +19,8 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Babel_NET {
@ -54,7 +54,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
get { return true; }
}
protected override object checkCctor(TypeDefinition type, MethodDefinition cctor) {
protected override object checkCctor(TypeDef type, MethodDef cctor) {
var instructions = cctor.Body.Instructions;
for (int i = 0; i < instructions.Count; i++) {
TypeReference delegateType;
@ -95,7 +95,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return null;
}
protected override void getCallInfo(object context, FieldDefinition field, out MethodReference calledMethod, out OpCode callOpcode) {
protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) {
var ctx = (Context)context;
switch (ctx.proxyCreatorType) {
@ -141,7 +141,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
}
ProxyCreatorType getProxyCreatorType(MethodDefinition methodToCheck) {
ProxyCreatorType getProxyCreatorType(MethodDef methodToCheck) {
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, methodToCheck)) {
if (!calledMethod.IsStatic || calledMethod.Body == null)
continue;

14
de4dot.code/deobfuscators/Babel_NET/ResourceDecrypter.cs
View File

@ -20,8 +20,8 @@
using System;
using System.IO;
using ICSharpCode.SharpZipLib.Zip.Compression;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Babel_NET {
@ -42,7 +42,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
class ResourceDecrypter {
ModuleDefinition module;
ISimpleDeobfuscator simpleDeobfuscator;
MethodDefinition decryptMethod;
MethodDef decryptMethod;
IDecrypter decrypter;
public ResourceDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
@ -155,7 +155,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
ModuleDefinition module;
Inflater inflater;
public Decrypter3(ModuleDefinition module, MethodDefinition decryptMethod) {
public Decrypter3(ModuleDefinition module, MethodDef decryptMethod) {
this.module = module;
this.inflater = InflaterCreator.create(decryptMethod, true);
}
@ -208,7 +208,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
}
public MethodDefinition DecryptMethod {
public MethodDef DecryptMethod {
set {
if (value == null)
return;
@ -221,14 +221,14 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
}
public static MethodDefinition findDecrypterMethod(MethodDefinition method) {
public static MethodDef findDecrypterMethod(MethodDef method) {
if (method == null || method.Body == null)
return null;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call)
continue;
var calledMethod = instr.Operand as MethodDefinition;
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null || !calledMethod.IsStatic || calledMethod.Body == null)
continue;
if (!DotNetUtils.isMethod(calledMethod, "System.IO.MemoryStream", "(System.IO.Stream)"))

18
de4dot.code/deobfuscators/Babel_NET/ResourceResolver.cs
View File

@ -20,8 +20,8 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Babel_NET {
@ -29,8 +29,8 @@ namespace de4dot.code.deobfuscators.Babel_NET {
ModuleDefinition module;
ResourceDecrypter resourceDecrypter;
ISimpleDeobfuscator simpleDeobfuscator;
TypeDefinition resolverType;
MethodDefinition registerMethod;
TypeDef resolverType;
MethodDef registerMethod;
EmbeddedResource encryptedResource;
bool hasXorKeys;
int xorKey1, xorKey2;
@ -39,11 +39,11 @@ namespace de4dot.code.deobfuscators.Babel_NET {
get { return resolverType != null; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return resolverType; }
}
public MethodDefinition InitMethod {
public MethodDef InitMethod {
get { return registerMethod; }
}
@ -66,7 +66,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
if (!new FieldTypes(type).all(requiredTypes))
continue;
MethodDefinition regMethod, handler;
MethodDef regMethod, handler;
if (!BabelUtils.findRegisterMethod(type, out regMethod, out handler))
continue;
@ -87,7 +87,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
}
static MethodDefinition findDecryptMethod(TypeDefinition type) {
static MethodDef findDecryptMethod(TypeDef type) {
foreach (var method in type.Methods) {
if (!DotNetUtils.isMethod(method, "System.Reflection.Assembly", "(System.IO.Stream)"))
continue;
@ -96,7 +96,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return null;
}
void initXorKeys(MethodDefinition method) {
void initXorKeys(MethodDef method) {
simpleDeobfuscator.deobfuscate(method);
var ints = new List<int>();
var instrs = method.Body.Instructions;

42
de4dot.code/deobfuscators/Babel_NET/StringDecrypter.cs
View File

@ -21,8 +21,8 @@ using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
using de4dot.blocks.cflow;
@ -31,12 +31,12 @@ namespace de4dot.code.deobfuscators.Babel_NET {
ModuleDefinition module;
ResourceDecrypter resourceDecrypter;
ISimpleDeobfuscator simpleDeobfuscator;
TypeDefinition decrypterType;
TypeDef decrypterType;
EmbeddedResource encryptedResource;
IDecrypterInfo decrypterInfo;
interface IDecrypterInfo {
MethodDefinition Decrypter { get; }
MethodDef Decrypter { get; }
bool NeedsResource { get; }
void initialize(ModuleDefinition module, EmbeddedResource resource);
string decrypt(object[] args);
@ -44,7 +44,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
// Babel .NET 2.x
class DecrypterInfoV1 : IDecrypterInfo {
public MethodDefinition Decrypter { get; set; }
public MethodDef Decrypter { get; set; }
public bool NeedsResource {
get { return false; }
}
@ -67,7 +67,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
class DecrypterInfoV2 : IDecrypterInfo {
byte[] key;
public MethodDefinition Decrypter { get; set; }
public MethodDef Decrypter { get; set; }
public bool NeedsResource {
get { return true; }
}
@ -97,7 +97,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
InstructionEmulator emulator = new InstructionEmulator();
public IList<Instruction> OffsetCalcInstructions { get; set; }
public MethodDefinition Decrypter { get; set; }
public MethodDef Decrypter { get; set; }
public bool NeedsResource {
get { return true; }
}
@ -113,12 +113,12 @@ namespace de4dot.code.deobfuscators.Babel_NET {
offsetToString[getOffset((int)reader.BaseStream.Position)] = reader.ReadString();
}
MethodDefinition dummyMethod;
MethodDef dummyMethod;
int getOffset(int offset) {
if (OffsetCalcInstructions == null || OffsetCalcInstructions.Count == 0)
return offset;
if (dummyMethod == null) {
dummyMethod = new MethodDefinition("", 0, new TypeReference("", "", null, null));
dummyMethod = new MethodDef("", 0, new TypeReference("", "", null, null));
dummyMethod.Body = new MethodBody(dummyMethod);
}
emulator.init(dummyMethod);
@ -141,11 +141,11 @@ namespace de4dot.code.deobfuscators.Babel_NET {
get { return decrypterType != null; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return decrypterType; }
}
public MethodDefinition DecryptMethod {
public MethodDef DecryptMethod {
get { return decrypterInfo == null ? null : decrypterInfo.Decrypter; }
}
@ -171,7 +171,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
}
IDecrypterInfo checkDecrypterType(TypeDefinition type) {
IDecrypterInfo checkDecrypterType(TypeDef type) {
if (type.HasEvents)
return null;
if (type.NestedTypes.Count > 2)
@ -188,7 +188,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return checkDecrypterTypeBabel2x(type);
}
IDecrypterInfo checkDecrypterTypeBabel2x(TypeDefinition type) {
IDecrypterInfo checkDecrypterTypeBabel2x(TypeDef type) {
if (type.HasEvents || type.HasProperties || type.HasNestedTypes)
return null;
if (type.HasFields || type.Methods.Count != 1)
@ -200,7 +200,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return new DecrypterInfoV1 { Decrypter = decrypter };
}
bool checkDecryptMethodBabel2x(MethodDefinition method) {
bool checkDecryptMethodBabel2x(MethodDef method) {
if (!method.IsStatic || !method.IsPublic)
return false;
if (method.Body == null)
@ -242,7 +242,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return stringLength == 1 && stringToCharArray == 1 && stringCtor == 1;
}
IDecrypterInfo checkNested(TypeDefinition type, TypeDefinition nested) {
IDecrypterInfo checkNested(TypeDef type, TypeDef nested) {
if (nested.HasProperties || nested.HasEvents)
return null;
@ -309,7 +309,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
class ReflectionToCecilMethodCreator {
MethodDefinition method;
MethodDef method;
List<Instruction> instructions = new List<Instruction>();
InstructionEmulator emulator;
int index;
@ -330,7 +330,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
get { return instructions; }
}
public ReflectionToCecilMethodCreator(MethodDefinition method) {
public ReflectionToCecilMethodCreator(MethodDef method) {
this.method = method;
this.emulator = new InstructionEmulator(method);
}
@ -466,7 +466,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
}
}
static List<Instruction> getOffsetCalcInstructions(MethodDefinition method) {
static List<Instruction> getOffsetCalcInstructions(MethodDef method) {
var creator = new ReflectionToCecilMethodCreator(method);
creator.create();
var instrs = creator.Instructions;
@ -499,7 +499,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return -1;
}
static bool hasFieldType(IEnumerable<FieldDefinition> fields, TypeReference fieldType) {
static bool hasFieldType(IEnumerable<FieldDef> fields, TypeReference fieldType) {
foreach (var field in fields) {
if (MemberReferenceHelper.compareTypes(field.FieldType, fieldType))
return true;
@ -507,7 +507,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return false;
}
static int getOffsetMagic(MethodDefinition method) {
static int getOffsetMagic(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 4; i++) {
int index = i;
@ -549,7 +549,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
return 0;
}
bool checkFields(TypeDefinition type, string fieldType1, TypeDefinition fieldType2) {
bool checkFields(TypeDef type, string fieldType1, TypeDef fieldType2) {
if (type.Fields.Count != 2)
return false;
if (type.Fields[0].FieldType.FullName != fieldType1 &&

30
de4dot.code/deobfuscators/CliSecure/CliSecureRtType.cs
View File

@ -20,41 +20,41 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
using de4dot.PE;
namespace de4dot.code.deobfuscators.CliSecure {
class CliSecureRtType {
ModuleDefinition module;
TypeDefinition cliSecureRtType;
MethodDefinition postInitializeMethod;
MethodDefinition initializeMethod;
MethodDefinition stringDecrypterMethod;
MethodDefinition loadMethod;
TypeDef cliSecureRtType;
MethodDef postInitializeMethod;
MethodDef initializeMethod;
MethodDef stringDecrypterMethod;
MethodDef loadMethod;
bool foundSig;
public bool Detected {
get { return foundSig || cliSecureRtType != null; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return cliSecureRtType; }
}
public MethodDefinition StringDecrypterMethod {
public MethodDef StringDecrypterMethod {
get { return stringDecrypterMethod; }
}
public MethodDefinition PostInitializeMethod {
public MethodDef PostInitializeMethod {
get { return postInitializeMethod; }
}
public MethodDefinition InitializeMethod {
public MethodDef InitializeMethod {
get { return initializeMethod; }
}
public MethodDefinition LoadMethod {
public MethodDef LoadMethod {
get { return loadMethod; }
}
@ -165,7 +165,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
return false;
}
static MethodDefinition findStringDecrypterMethod(TypeDefinition type) {
static MethodDef findStringDecrypterMethod(TypeDef type) {
foreach (var method in type.Methods) {
if (method.Body == null || !method.IsStatic)
continue;
@ -178,7 +178,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
return null;
}
static MethodDefinition findMethod(TypeDefinition type, string returnType, string name, string parameters) {
static MethodDef findMethod(TypeDef type, string returnType, string name, string parameters) {
var methodName = returnType + " " + type.FullName + "::" + name + parameters;
foreach (var method in type.Methods) {
if (method.Body == null || !method.IsStatic)
@ -192,7 +192,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
return null;
}
static bool hasInitializeMethod(TypeDefinition type, string name) {
static bool hasInitializeMethod(TypeDef type, string name) {
var method = DotNetUtils.getPInvokeMethod(type, name);
if (method == null)
return false;
@ -239,7 +239,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
}
}
static bool isOldStringDecrypterMethod(MethodDefinition method) {
static bool isOldStringDecrypterMethod(MethodDef method) {
if (method == null || method.Body == null || !method.IsStatic)
return false;
if (!DotNetUtils.isMethod(method, "System.String", "(System.String)"))

10
de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs
View File

@ -19,7 +19,7 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
using Mono.MyStuff;
using de4dot.blocks;
using de4dot.PE;
@ -78,7 +78,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
Options options;
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
List<TypeDefinition> cliSecureAttributes = new List<TypeDefinition>();
List<TypeDef> cliSecureAttributes = new List<TypeDef>();
ProxyCallFixer proxyCallFixer;
CliSecureRtType cliSecureRtType;
StringDecrypter stringDecrypter;
@ -233,8 +233,8 @@ namespace de4dot.code.deobfuscators.CliSecure {
return newOne;
}
static List<TypeDefinition> lookup(ModuleDefinition module, List<TypeDefinition> types, string errorMsg) {
var list = new List<TypeDefinition>(types.Count);
static List<TypeDef> lookup(ModuleDefinition module, List<TypeDef> types, string errorMsg) {
var list = new List<TypeDef>(types.Count);
foreach (var type in types)
list.Add(DeobUtils.lookup(module, type, errorMsg));
return list;
@ -320,7 +320,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
public override IEnumerable<int> getStringDecrypterMethods() {
var list = new List<int>();
if (stringDecrypter.Method != null)
list.Add(stringDecrypter.Method.MetadataToken.ToInt32());
list.Add(stringDecrypter.Method.MDToken.ToInt32());
return list;
}

4
de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs
View File

@ -458,7 +458,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
var initMethod = csRtType.InitializeMethod;
if (initMethod == null)
return null;
uint initToken = initMethod.MetadataToken.ToUInt32();
uint initToken = initMethod.MDToken.ToUInt32();
var moduleCctorBytes = new byte[6];
moduleCctorBytes[0] = 0x28; // call
moduleCctorBytes[1] = (byte)initToken;
@ -542,7 +542,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
var dm = new DumpedMethod();
dm.token = 0x06000001 + (uint)i;
var method = (Mono.Cecil.MethodDefinition)module.LookupToken((int)dm.token);
var method = (Mono.Cecil.MethodDef)module.LookupToken((int)dm.token);
if (method == null || method.DeclaringType == DotNetUtils.getModuleType(module))
continue;

12
de4dot.code/deobfuscators/CliSecure/ProxyCallFixer.cs
View File

@ -19,8 +19,8 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CliSecure {
@ -49,19 +49,19 @@ namespace de4dot.code.deobfuscators.CliSecure {
}
}
protected override object checkCctor(ref TypeDefinition type, MethodDefinition cctor) {
protected override object checkCctor(ref TypeDef type, MethodDef cctor) {
var instrs = cctor.Body.Instructions;
if (instrs.Count != 3)
return null;
if (!DotNetUtils.isLdcI4(instrs[0].OpCode.Code))
return null;
if (instrs[1].OpCode != OpCodes.Call || !isDelegateCreatorMethod(instrs[1].Operand as MethodDefinition))
if (instrs[1].OpCode != OpCodes.Call || !isDelegateCreatorMethod(instrs[1].Operand as MethodDef))
return null;
if (instrs[2].OpCode != OpCodes.Ret)
return null;
int delegateToken = 0x02000001 + DotNetUtils.getLdcI4Value(instrs[0]);
if (type.MetadataToken.ToInt32() != delegateToken) {
if (type.MDToken.ToInt32() != delegateToken) {
Log.w("Delegate token is not current type");
return null;
}
@ -69,7 +69,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
return new object();
}
protected override void getCallInfo(object context, FieldDefinition field, out MethodReference calledMethod, out OpCode callOpcode) {
protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) {
if (memberReferences == null)
memberReferences = new List<MemberReference>(module.GetMemberReferences());

12
de4dot.code/deobfuscators/CliSecure/ResourceDecrypter.cs
View File

@ -20,25 +20,25 @@
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CliSecure {
class ResourceDecrypter {
ModuleDefinition module;
TypeDefinition rsrcType;
MethodDefinition rsrcRrrMethod;
MethodDefinition rsrcResolveMethod;
TypeDef rsrcType;
MethodDef rsrcRrrMethod;
MethodDef rsrcResolveMethod;
public bool Detected {
get { return rsrcType != null; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return rsrcType; }
}
public MethodDefinition RsrcRrrMethod {
public MethodDef RsrcRrrMethod {
get { return rsrcRrrMethod; }
}

8
de4dot.code/deobfuscators/CliSecure/StackFrameHelper.cs
View File

@ -18,16 +18,16 @@
*/
using System;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CliSecure {
class StackFrameHelper {
ModuleDefinition module;
TypeDefinition stackFrameHelperType;
TypeDef stackFrameHelperType;
ExceptionLoggerRemover exceptionLoggerRemover = new ExceptionLoggerRemover();
public TypeDefinition Type {
public TypeDef Type {
get { return stackFrameHelperType; }
}
@ -46,7 +46,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
if (type.Methods.Count > 3)
continue;
MethodDefinition errorMethod = null;
MethodDef errorMethod = null;
foreach (var method in type.Methods) {
if (method.IsRuntimeSpecialName && method.Name == ".ctor" && !method.HasParameters)
continue; // .ctor is allowed

12
de4dot.code/deobfuscators/CliSecure/StringDecrypter.cs
View File

@ -19,29 +19,29 @@
using System;
using System.Text;
using Mono.Cecil;
using dot10.DotNet;
namespace de4dot.code.deobfuscators.CliSecure {
class StringDecrypter {
ModuleDefinition module;
TypeDefinition stringDecrypterType;
MethodDefinition stringDecrypterMethod;
TypeDef stringDecrypterType;
MethodDef stringDecrypterMethod;
byte[] stringDecrypterKey;
public bool Detected {
get { return stringDecrypterMethod != null; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return stringDecrypterType; }
}
public MethodDefinition Method {
public MethodDef Method {
get { return stringDecrypterMethod; }
set { stringDecrypterMethod = value; }
}
public StringDecrypter(ModuleDefinition module, MethodDefinition stringDecrypterMethod) {
public StringDecrypter(ModuleDefinition module, MethodDef stringDecrypterMethod) {
this.module = module;
this.stringDecrypterMethod = stringDecrypterMethod;
}

14
de4dot.code/deobfuscators/CliSecure/vm/CilOperandInstructionRestorer.cs
View File

@ -17,8 +17,8 @@
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using de4dot.blocks;
@ -28,9 +28,9 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
// ldobj
// stobj
class CilOperandInstructionRestorer {
MethodDefinition method;
MethodDef method;
public bool restore(MethodDefinition method) {
public bool restore(MethodDef method) {
this.method = method;
bool atLeastOneFailed = false;
@ -99,13 +99,13 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
case CecilType.ArrayType:
case CecilType.GenericInstanceType:
case CecilType.PointerType:
case CecilType.TypeDefinition:
case CecilType.TypeDef:
case CecilType.TypeReference:
case CecilType.FunctionPointerType:
break;
case CecilType.GenericParameter:
var gp = (GenericParameter)type;
case CecilType.GenericParam:
var gp = (GenericParam)type;
if (method.DeclaringType != gp.Owner && method != gp.Owner)
return false;
break;

8
de4dot.code/deobfuscators/CliSecure/vm/Csvm.cs
View File

@ -20,7 +20,7 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CliSecure.vm {
@ -98,17 +98,17 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
var converter = new CsvmToCilMethodConverter(deobfuscatorContext, module, opcodeDetector);
var methodPrinter = new MethodPrinter();
foreach (var csvmMethod in csvmMethods) {
var cilMethod = module.LookupToken(csvmMethod.Token) as MethodDefinition;
var cilMethod = module.LookupToken(csvmMethod.Token) as MethodDef;
if (cilMethod == null)
throw new ApplicationException(string.Format("Could not find method {0:X8}", csvmMethod.Token));
converter.convert(cilMethod, csvmMethod);
Log.v("Restored method {0:X8}", cilMethod.MetadataToken.ToInt32());
Log.v("Restored method {0:X8}", cilMethod.MDToken.ToInt32());
printMethod(methodPrinter, cilMethod);
}
Log.deIndent();
}
static void printMethod(MethodPrinter methodPrinter, MethodDefinition method) {
static void printMethod(MethodPrinter methodPrinter, MethodDef method) {
const Log.LogLevel dumpLogLevel = Log.LogLevel.verbose;
if (!Log.isAtLeast(dumpLogLevel))
return;

2
de4dot.code/deobfuscators/CliSecure/vm/CsvmDataReader.cs
View File

@ -20,7 +20,7 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CliSecure.vm {

18
de4dot.code/deobfuscators/CliSecure/vm/CsvmToCilMethodConverter.cs
View File

@ -20,8 +20,8 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using de4dot.blocks;
@ -38,7 +38,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
this.opCodeDetector = opCodeDetector;
}
public void convert(MethodDefinition cilMethod, CsvmMethodData csvmMethod) {
public void convert(MethodDef cilMethod, CsvmMethodData csvmMethod) {
var newInstructions = readInstructions(cilMethod, csvmMethod);
var newLocals = readLocals(cilMethod, csvmMethod);
var newExceptions = readExceptions(cilMethod, csvmMethod, newInstructions);
@ -50,7 +50,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
DotNetUtils.restoreBody(cilMethod, newInstructions, newExceptions);
if (!operandRestorer.restore(cilMethod))
Log.w("Failed to restore one or more instruction operands in CSVM method {0:X8}", cilMethod.MetadataToken.ToInt32());
Log.w("Failed to restore one or more instruction operands in CSVM method {0:X8}", cilMethod.MDToken.ToInt32());
restoreConstrainedPrefix(cilMethod);
}
@ -129,7 +129,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
instr.Operand = operand;
}
void fixArgs(IList<Instruction> instrs, MethodDefinition method) {
void fixArgs(IList<Instruction> instrs, MethodDef method) {
foreach (var instr in instrs) {
var op = instr.Operand as ArgOperand;
if (op == null)
@ -206,7 +206,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
}
}
List<Instruction> readInstructions(MethodDefinition cilMethod, CsvmMethodData csvmMethod) {
List<Instruction> readInstructions(MethodDef cilMethod, CsvmMethodData csvmMethod) {
var reader = new BinaryReader(new MemoryStream(csvmMethod.Instructions));
var instrs = new List<Instruction>();
int offset = 0;
@ -230,7 +230,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return instr.OpCode.Size + (op.targetDisplacements.Length + 1) * 4;
}
List<VariableDefinition> readLocals(MethodDefinition cilMethod, CsvmMethodData csvmMethod) {
List<VariableDefinition> readLocals(MethodDef cilMethod, CsvmMethodData csvmMethod) {
var locals = new List<VariableDefinition>();
var reader = new BinaryReader(new MemoryStream(csvmMethod.Locals));
@ -303,7 +303,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
}
}
List<ExceptionHandler> readExceptions(MethodDefinition cilMethod, CsvmMethodData csvmMethod, List<Instruction> cilInstructions) {
List<ExceptionHandler> readExceptions(MethodDef cilMethod, CsvmMethodData csvmMethod, List<Instruction> cilInstructions) {
var reader = new BinaryReader(new MemoryStream(csvmMethod.Exceptions));
var ehs = new List<ExceptionHandler>();
@ -408,7 +408,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return memberRef;
}
static void restoreConstrainedPrefix(MethodDefinition method) {
static void restoreConstrainedPrefix(MethodDef method) {
if (method == null || method.Body == null)
return;

8
de4dot.code/deobfuscators/CliSecure/vm/FieldsInfo.cs
View File

@ -19,7 +19,7 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
namespace de4dot.code.deobfuscators.CliSecure.vm {
class FieldsInfo {
@ -27,13 +27,13 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
Dictionary<string, int> fieldTypes = new Dictionary<string, int>(StringComparer.Ordinal);
int numEnums = 0;
public FieldsInfo(TypeDefinition type)
public FieldsInfo(TypeDef type)
: this(type.Fields) {
}
public FieldsInfo(IEnumerable<FieldDefinition> fields) {
public FieldsInfo(IEnumerable<FieldDef> fields) {
foreach (var field in fields) {
var fieldTypeDef = field.FieldType as TypeDefinition;
var fieldTypeDef = field.FieldType as TypeDef;
if (fieldTypeDef != null && fieldTypeDef.IsEnum)
addEnum();
else

6
de4dot.code/deobfuscators/CliSecure/vm/OpCodeHandler.cs
View File

@ -21,8 +21,8 @@ using System;
using System.Collections.Generic;
using System.IO;
using de4dot.blocks;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
namespace de4dot.code.deobfuscators.CliSecure.vm {
@ -439,7 +439,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return isEmptyMethod(info.ReadMethod) && isEmptyMethod(info.ExecuteMethod);
}
static bool isEmptyMethod(MethodDefinition method) {
static bool isEmptyMethod(MethodDef method) {
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code == Code.Ret)
return true;

24
de4dot.code/deobfuscators/CliSecure/vm/UnknownHandlerInfo.cs
View File

@ -19,24 +19,24 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CliSecure.vm {
class UnknownHandlerInfo {
TypeDefinition type;
TypeDef type;
CsvmInfo csvmInfo;
FieldsInfo fieldsInfo;
MethodDefinition readMethod, executeMethod;
MethodDef readMethod, executeMethod;
int numStaticMethods, numInstanceMethods, numVirtualMethods, numCtors;
int executeMethodThrows, executeMethodPops;
public MethodDefinition ReadMethod {
public MethodDef ReadMethod {
get { return readMethod; }
}
public MethodDefinition ExecuteMethod {
public MethodDef ExecuteMethod {
get { return executeMethod; }
}
@ -64,7 +64,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
get { return numCtors; }
}
public UnknownHandlerInfo(TypeDefinition type, CsvmInfo csvmInfo) {
public UnknownHandlerInfo(TypeDef type, CsvmInfo csvmInfo) {
this.type = type;
this.csvmInfo = csvmInfo;
fieldsInfo = new FieldsInfo(getFields(type));
@ -74,11 +74,11 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
executeMethodPops = countPops(executeMethod);
}
static internal IEnumerable<FieldDefinition> getFields(TypeDefinition type) {
var typeFields = new FieldDefinitionAndDeclaringTypeDict<FieldDefinition>();
static internal IEnumerable<FieldDef> getFields(TypeDef type) {
var typeFields = new FieldDefinitionAndDeclaringTypeDict<FieldDef>();
foreach (var field in type.Fields)
typeFields.add(field, field);
var realFields = new Dictionary<FieldDefinition, bool>();
var realFields = new Dictionary<FieldDef, bool>();
foreach (var method in type.Methods) {
if (method.Body == null)
continue;
@ -132,7 +132,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
throw new ApplicationException("Could not find execute method");
}
static int countThrows(MethodDefinition method) {
static int countThrows(MethodDef method) {
int count = 0;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code == Code.Throw)
@ -141,7 +141,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return count;
}
int countPops(MethodDefinition method) {
int countPops(MethodDef method) {
int count = 0;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)

36
de4dot.code/deobfuscators/CliSecure/vm/VmOpCodeHandlerDetector.cs
View File

@ -19,8 +19,8 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
using de4dot.blocks.cflow;
@ -37,10 +37,10 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
}
class CsvmInfo {
public TypeDefinition StackValue { get; set; }
public TypeDefinition Stack { get; set; }
public MethodDefinition PopMethod { get; set; }
public MethodDefinition PeekMethod { get; set; }
public TypeDef StackValue { get; set; }
public TypeDef Stack { get; set; }
public MethodDef PopMethod { get; set; }
public MethodDef PeekMethod { get; set; }
}
class VmOpCodeHandlerDetector {
@ -73,7 +73,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return csvmInfo;
}
TypeDefinition findStackValueType() {
TypeDef findStackValueType() {
foreach (var type in module.Types) {
if (isStackType(type))
return type;
@ -81,14 +81,14 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return null;
}
static bool isStackType(TypeDefinition type) {
static bool isStackType(TypeDef type) {
if (type.Fields.Count != 2)
return false;
int enumTypes = 0;
int objectTypes = 0;
foreach (var field in type.Fields) {
var fieldType = field.FieldType as TypeDefinition;
var fieldType = field.FieldType as TypeDef;
if (fieldType != null && fieldType.IsEnum)
enumTypes++;
if (field.FieldType.FullName == "System.Object")
@ -100,7 +100,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return true;
}
TypeDefinition findStackType(TypeDefinition stackValueType) {
TypeDef findStackType(TypeDef stackValueType) {
foreach (var type in module.Types) {
if (isStackType(type, stackValueType))
return type;
@ -108,7 +108,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return null;
}
bool isStackType(TypeDefinition type, TypeDefinition stackValueType) {
bool isStackType(TypeDef type, TypeDef stackValueType) {
if (type.Interfaces.Count != 2)
return false;
if (!implementsInterface(type, "System.Collections.ICollection"))
@ -137,7 +137,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return true;
}
static bool implementsInterface(TypeDefinition type, string ifaceName) {
static bool implementsInterface(TypeDef type, string ifaceName) {
foreach (var iface in type.Interfaces) {
if (iface.FullName == ifaceName)
return true;
@ -156,7 +156,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
}
}
static bool hasAdd(MethodDefinition method) {
static bool hasAdd(MethodDef method) {
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code == Code.Add)
return true;
@ -164,7 +164,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return false;
}
List<TypeDefinition> findVmHandlerTypes() {
List<TypeDef> findVmHandlerTypes() {
var requiredFields = new string[] {
null,
"System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>",
@ -190,13 +190,13 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return null;
}
static List<TypeDefinition> findVmHandlerTypes(MethodDefinition method) {
var list = new List<TypeDefinition>();
static List<TypeDef> findVmHandlerTypes(MethodDef method) {
var list = new List<TypeDef>();
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Ldtoken)
continue;
var type = instr.Operand as TypeDefinition;
var type = instr.Operand as TypeDef;
if (type == null)
continue;
@ -206,7 +206,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
return list;
}
void detectHandlers(List<TypeDefinition> handlerTypes, CsvmInfo csvmInfo) {
void detectHandlers(List<TypeDef> handlerTypes, CsvmInfo csvmInfo) {
opCodeHandlers = new List<OpCodeHandler>();
var detected = new List<OpCodeHandler>();

26
de4dot.code/deobfuscators/CodeFort/AssemblyDecrypter.cs
View File

@ -23,8 +23,8 @@ using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CodeFort {
@ -32,8 +32,8 @@ namespace de4dot.code.deobfuscators.CodeFort {
ModuleDefinition module;
EmbeddedResource assemblyEncryptedResource;
PasswordInfo embedPassword;
MethodDefinition embedInitMethod;
MethodDefinition embedResolverMethod;
MethodDef embedInitMethod;
MethodDef embedResolverMethod;
public class AssemblyInfo {
public readonly byte[] data;
@ -67,11 +67,11 @@ namespace de4dot.code.deobfuscators.CodeFort {
get { return EncryptedDetected || MainAssemblyHasAssemblyResolver; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return embedInitMethod != null ? embedInitMethod.DeclaringType : null; }
}
public MethodDefinition InitMethod {
public MethodDef InitMethod {
get { return embedInitMethod; }
}
@ -118,10 +118,10 @@ namespace de4dot.code.deobfuscators.CodeFort {
return true;
}
MethodDefinition checkCalledMethods(MethodDefinition method) {
MethodDef checkCalledMethods(MethodDef method) {
int calls = 0;
TypeDefinition type = null;
MethodDefinition initMethod = null;
TypeDef type = null;
MethodDef initMethod = null;
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) {
calls++;
if (type != null && calledMethod.DeclaringType != type)
@ -144,7 +144,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
findEmbedded(module.EntryPoint);
}
bool findEmbedded(MethodDefinition method) {
bool findEmbedded(MethodDef method) {
if (method == null || method.Body == null)
return false;
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) {
@ -162,7 +162,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
return false;
}
MethodDefinition checkInitMethod(MethodDefinition method) {
MethodDef checkInitMethod(MethodDef method) {
if (method == null || !method.IsStatic || method.Body == null)
return null;
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
@ -175,7 +175,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
return resolver;
}
bool checkType(TypeDefinition type) {
bool checkType(TypeDef type) {
if (DotNetUtils.getMethod(type, "System.Byte[]", "(System.Byte[],System.String,System.String,System.Int32,System.String,System.Int32)") == null)
return false;
if (DotNetUtils.getMethod(type, "System.String", "(System.String)") == null)
@ -246,7 +246,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
return infos;
}
static PasswordInfo getEmbedPassword(MethodDefinition method) {
static PasswordInfo getEmbedPassword(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 3; i++) {
int index = i;

4
de4dot.code/deobfuscators/CodeFort/CfMethodCallInliner.cs
View File

@ -17,7 +17,7 @@
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
using de4dot.blocks.cflow;
@ -30,7 +30,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
this.proxyCallFixer = proxyCallFixer;
}
protected override bool canInline(MethodDefinition method) {
protected override bool canInline(MethodDef method) {
return proxyCallFixer.isProxyTargetMethod(method);
}

4
de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs
View File

@ -19,7 +19,7 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
using Mono.MyStuff;
using de4dot.blocks;
using de4dot.PE;
@ -173,7 +173,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
public override IEnumerable<int> getStringDecrypterMethods() {
var list = new List<int>();
if (stringDecrypter.Method != null)
list.Add(stringDecrypter.Method.MetadataToken.ToInt32());
list.Add(stringDecrypter.Method.MDToken.ToInt32());
return list;
}
}

2
de4dot.code/deobfuscators/CodeFort/PasswordFinder.cs
View File

@ -22,7 +22,7 @@ using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Reflection.Emit;
using Mono.Cecil;
using dot10.DotNet;
namespace de4dot.code.deobfuscators.CodeFort {
class PasswordInfo {

22
de4dot.code/deobfuscators/CodeFort/ProxyCallFixer.cs
View File

@ -19,17 +19,17 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CodeFort {
class ProxyCallFixer : ProxyCallFixer3 {
IList<MemberReference> memberReferences;
MethodDefinitionAndDeclaringTypeDict<bool> proxyTargetMethods = new MethodDefinitionAndDeclaringTypeDict<bool>();
TypeDefinition proxyMethodsType;
TypeDef proxyMethodsType;
public TypeDefinition ProxyMethodsType {
public TypeDef ProxyMethodsType {
get { return proxyMethodsType; }
}
@ -52,7 +52,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
}
}
static MethodDefinition checkType(TypeDefinition type) {
static MethodDef checkType(TypeDef type) {
if (type.Fields.Count != 1)
return null;
if (type.Fields[0].FieldType.FullName != "System.Reflection.Module")
@ -60,11 +60,11 @@ namespace de4dot.code.deobfuscators.CodeFort {
return checkMethods(type);
}
static MethodDefinition checkMethods(TypeDefinition type) {
static MethodDef checkMethods(TypeDef type) {
if (type.Methods.Count != 3)
return null;
MethodDefinition creatorMethod = null;
MethodDef creatorMethod = null;
foreach (var method in type.Methods) {
if (method.Name == ".cctor")
continue;
@ -80,7 +80,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
return creatorMethod;
}
protected override object checkCctor(ref TypeDefinition type, MethodDefinition cctor) {
protected override object checkCctor(ref TypeDef type, MethodDef cctor) {
var instrs = cctor.Body.Instructions;
if (instrs.Count != 3)
return null;
@ -90,15 +90,15 @@ namespace de4dot.code.deobfuscators.CodeFort {
var call = instrs[1];
if (call.OpCode.Code != Code.Call)
return null;
if (!isDelegateCreatorMethod(call.Operand as MethodDefinition))
if (!isDelegateCreatorMethod(call.Operand as MethodDef))
return null;
int rid = DotNetUtils.getLdcI4Value(ldci4);
if (cctor.DeclaringType.MetadataToken.RID != rid)
if (cctor.DeclaringType.MDToken.RID != rid)
throw new ApplicationException("Invalid rid");
return rid;
}
protected override void getCallInfo(object context, FieldDefinition field, out MethodReference calledMethod, out OpCode callOpcode) {
protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) {
if (memberReferences == null)
memberReferences = new List<MemberReference>(module.GetMemberReferences());

18
de4dot.code/deobfuscators/CodeFort/StringDecrypter.cs
View File

@ -18,24 +18,24 @@
*/
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CodeFort {
class StringDecrypter {
ModuleDefinition module;
MethodDefinition decryptMethod;
MethodDef decryptMethod;
public bool Detected {
get { return decryptMethod != null; }
}
public MethodDefinition Method {
public MethodDef Method {
get { return decryptMethod; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return decryptMethod == null ? null : decryptMethod.DeclaringType; }
}
@ -53,14 +53,14 @@ namespace de4dot.code.deobfuscators.CodeFort {
}
}
static MethodDefinition checkType(TypeDefinition type) {
static MethodDef checkType(TypeDef type) {
if (type.HasFields)
return null;
return checkMethods(type);
}
static MethodDefinition checkMethods(TypeDefinition type) {
MethodDefinition decryptMethod = null;
static MethodDef checkMethods(TypeDef type) {
MethodDef decryptMethod = null;
foreach (var method in type.Methods) {
if (method.Name == ".cctor")
continue;
@ -76,7 +76,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
return decryptMethod;
}
static bool hasDouble(MethodDefinition method, double value) {
static bool hasDouble(MethodDef method, double value) {
if (method == null || method.Body == null)
return false;
foreach (var instr in method.Body.Instructions) {

36
de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs
View File

@ -20,8 +20,8 @@
using System.Collections.Generic;
using System.IO;
using System.Xml;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CodeVeil {
@ -29,12 +29,12 @@ namespace de4dot.code.deobfuscators.CodeVeil {
ModuleDefinition module;
EmbeddedResource bundleData;
EmbeddedResource bundleXmlFile;
TypeDefinition bundleType;
TypeDefinition assemblyManagerType;
TypeDefinition bundleStreamProviderIFace;
TypeDefinition xmlParserType;
TypeDefinition bundledAssemblyType;
TypeDefinition streamProviderType;
TypeDef bundleType;
TypeDef assemblyManagerType;
TypeDef bundleStreamProviderIFace;
TypeDef xmlParserType;
TypeDef bundledAssemblyType;
TypeDef streamProviderType;
List<AssemblyInfo> infos = new List<AssemblyInfo>();
public class AssemblyInfo {
@ -66,9 +66,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
}
}
public IEnumerable<TypeDefinition> BundleTypes {
public IEnumerable<TypeDef> BundleTypes {
get {
var list = new List<TypeDefinition>();
var list = new List<TypeDef>();
if (!CanRemoveTypes)
return list;
@ -167,7 +167,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return value;
}
TypeDefinition findBundleType() {
TypeDef findBundleType() {
foreach (var type in module.Types) {
if (type.Namespace != "")
continue;
@ -193,7 +193,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return null;
}
MethodDefinition findInitMethod(TypeDefinition type) {
MethodDef findInitMethod(TypeDef type) {
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
@ -208,7 +208,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return null;
}
MethodDefinition findGetTempFilenameMethod(TypeDefinition type) {
MethodDef findGetTempFilenameMethod(TypeDef type) {
foreach (var method in type.Methods) {
if (method.IsStatic || method.Body == null)
continue;
@ -234,7 +234,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return;
foreach (var field in bundleType.Fields) {
var type = field.FieldType as TypeDefinition;
var type = field.FieldType as TypeDef;
if (type == null)
continue;
if (type == bundleType)
@ -245,7 +245,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
var ctor = DotNetUtils.getMethod(type, ".ctor");
if (ctor == null || ctor.Parameters.Count != 2)
continue;
var iface = ctor.Parameters[1].ParameterType as TypeDefinition;
var iface = ctor.Parameters[1].ParameterType as TypeDef;
if (iface == null || !iface.IsInterface)
continue;
@ -259,7 +259,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
if (assemblyManagerType == null)
return;
foreach (var field in assemblyManagerType.Fields) {
var type = field.FieldType as TypeDefinition;
var type = field.FieldType as TypeDef;
if (type == null || type.IsInterface)
continue;
var ctor = DotNetUtils.getMethod(type, ".ctor");
@ -274,7 +274,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
continue;
if (git.GenericArguments.Count != 1)
continue;
var type2 = git.GenericArguments[0] as TypeDefinition;
var type2 = git.GenericArguments[0] as TypeDef;
if (type2 == null)
continue;
@ -293,7 +293,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
foreach (var instr in ctor.Body.Instructions) {
if (instr.OpCode.Code != Code.Newobj)
continue;
var newobjCtor = instr.Operand as MethodDefinition;
var newobjCtor = instr.Operand as MethodDef;
if (newobjCtor == null)
continue;
if (newobjCtor.DeclaringType == assemblyManagerType)

6
de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
View File

@ -19,7 +19,7 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
using Mono.MyStuff;
using de4dot.blocks;
@ -62,7 +62,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
ProxyCallFixer proxyCallFixer;
StringDecrypter stringDecrypter;
AssemblyResolver assemblyResolver;
TypeDefinition killType;
TypeDef killType;
ResourceDecrypter resourceDecrypter;
internal class Options : OptionsBase {
@ -279,7 +279,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
public override IEnumerable<int> getStringDecrypterMethods() {
var list = new List<int>();
if (stringDecrypter.DecryptMethod != null)
list.Add(stringDecrypter.DecryptMethod.MetadataToken.ToInt32());
list.Add(stringDecrypter.DecryptMethod.MDToken.ToInt32());
return list;
}
}

10
de4dot.code/deobfuscators/CodeVeil/InvalidMethodsFinder.cs
View File

@ -18,12 +18,12 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
namespace de4dot.code.deobfuscators.CodeVeil {
class InvalidMethodsFinder {
public static List<MethodDefinition> findAll(ModuleDefinition module) {
var list = new List<MethodDefinition>();
public static List<MethodDef> findAll(ModuleDefinition module) {
var list = new List<MethodDef>();
foreach (var type in module.GetTypes()) {
foreach (var method in type.Methods) {
if (isInvalidMethod(method))
@ -33,14 +33,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return list;
}
public static bool isInvalidMethod(MethodDefinition method) {
public static bool isInvalidMethod(MethodDef method) {
if (method == null)
return false;
if (method.IsStatic)
return false;
if (method.Parameters.Count != 0)
return false;
var retType = method.MethodReturnType.ReturnType as GenericParameter;
var retType = method.MethodReturnType.ReturnType as GenericParam;
if (retType == null)
return false;

42
de4dot.code/deobfuscators/CodeVeil/MainType.cs
View File

@ -18,8 +18,8 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using de4dot.blocks;
@ -27,12 +27,12 @@ namespace de4dot.code.deobfuscators.CodeVeil {
// Detects the type CV adds to the assembly that gets called from <Module>::.cctor.
class MainType {
ModuleDefinition module;
TypeDefinition theType;
MethodDefinition initMethod;
MethodDefinition tamperCheckMethod;
TypeDef theType;
MethodDef initMethod;
MethodDef tamperCheckMethod;
ObfuscatorVersion obfuscatorVersion = ObfuscatorVersion.Unknown;
List<int> rvas = new List<int>(); // _stub and _executive
List<MethodDefinition> otherInitMethods = new List<MethodDefinition>();
List<MethodDef> otherInitMethods = new List<MethodDef>();
public bool Detected {
get { return theType != null; }
@ -42,19 +42,19 @@ namespace de4dot.code.deobfuscators.CodeVeil {
get { return obfuscatorVersion; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return theType; }
}
public MethodDefinition InitMethod {
public MethodDef InitMethod {
get { return initMethod; }
}
public List<MethodDefinition> OtherInitMethods {
public List<MethodDef> OtherInitMethods {
get { return otherInitMethods; }
}
public MethodDefinition TamperCheckMethod {
public MethodDef TamperCheckMethod {
get { return tamperCheckMethod; }
}
@ -99,7 +99,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
var call = instrs[i + 2];
if (call.OpCode.Code != Code.Call)
continue;
var initMethodTmp = call.Operand as MethodDefinition;
var initMethodTmp = call.Operand as MethodDef;
ObfuscatorVersion obfuscatorVersionTmp;
if (!checkInitMethod(initMethodTmp, out obfuscatorVersionTmp))
continue;
@ -118,7 +118,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
"System.Collections.Generic.List`1<System.Delegate>",
"System.Runtime.InteropServices.GCHandle",
};
bool checkInitMethod(MethodDefinition initMethod, out ObfuscatorVersion obfuscatorVersionTmp) {
bool checkInitMethod(MethodDef initMethod, out ObfuscatorVersion obfuscatorVersionTmp) {
obfuscatorVersionTmp = ObfuscatorVersion.Unknown;
if (initMethod == null)
@ -146,7 +146,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return true;
}
static bool hasCodeString(MethodDefinition method, string str) {
static bool hasCodeString(MethodDef method, string str) {
foreach (var s in DotNetUtils.getCodeStrings(method)) {
if (s == str)
return true;
@ -154,7 +154,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return false;
}
bool checkMethodsType(TypeDefinition type) {
bool checkMethodsType(TypeDef type) {
rvas = new List<int>();
var fields = getRvaFields(type);
@ -166,8 +166,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return true;
}
static List<FieldDefinition> getRvaFields(TypeDefinition type) {
var fields = new List<FieldDefinition>();
static List<FieldDef> getRvaFields(TypeDef type) {
var fields = new List<FieldDef>();
foreach (var field in type.Fields) {
if (field.FieldType.EType != ElementType.U1 && field.FieldType.EType != ElementType.U4)
continue;
@ -187,7 +187,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
otherInitMethods = findOtherInitMethods();
}
MethodDefinition findTamperCheckMethod() {
MethodDef findTamperCheckMethod() {
foreach (var method in theType.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
@ -200,8 +200,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return null;
}
List<MethodDefinition> findOtherInitMethods() {
var list = new List<MethodDefinition>();
List<MethodDef> findOtherInitMethods() {
var list = new List<MethodDef>();
foreach (var method in theType.Methods) {
if (!method.IsStatic)
continue;
@ -215,7 +215,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return list;
}
public MethodDefinition getInitStringDecrypterMethod(MethodDefinition stringDecrypterInitMethod) {
public MethodDef getInitStringDecrypterMethod(MethodDef stringDecrypterInitMethod) {
if (stringDecrypterInitMethod == null)
return null;
if (theType == null)
@ -230,7 +230,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return null;
}
bool callsMethod(MethodDefinition methodToCheck, MethodDefinition calledMethod) {
bool callsMethod(MethodDef methodToCheck, MethodDef calledMethod) {
foreach (var method in DotNetUtils.getCalledMethods(module, methodToCheck)) {
if (method == calledMethod)
return true;

4
de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
View File

@ -20,8 +20,8 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using Mono.MyStuff;
using de4dot.blocks;

56
de4dot.code/deobfuscators/CodeVeil/ProxyCallFixer.cs
View File

@ -20,8 +20,8 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using de4dot.blocks;
@ -32,12 +32,12 @@ namespace de4dot.code.deobfuscators.CodeVeil {
BinaryReader reader;
class Info {
public TypeDefinition proxyType;
public MethodDefinition initMethod;
public FieldDefinition dataField;
public TypeDefinition ilgeneratorType;
public TypeDefinition fieldInfoType;
public TypeDefinition methodInfoType;
public TypeDef proxyType;
public MethodDef initMethod;
public FieldDef dataField;
public TypeDef ilgeneratorType;
public TypeDef fieldInfoType;
public TypeDef methodInfoType;
}
class Context {
@ -61,15 +61,15 @@ namespace de4dot.code.deobfuscators.CodeVeil {
}
}
public TypeDefinition IlGeneratorType {
public TypeDef IlGeneratorType {
get { return info.ilgeneratorType; }
}
public TypeDefinition FieldInfoType {
public TypeDef FieldInfoType {
get { return info.fieldInfoType; }
}
public TypeDefinition MethodInfoType {
public TypeDef MethodInfoType {
get { return info.methodInfoType; }
}
@ -89,7 +89,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
info.methodInfoType = lookup(oldOne.info.methodInfoType, "Could not find methodInfoType");
}
protected override object checkCctor(ref TypeDefinition type, MethodDefinition cctor) {
protected override object checkCctor(ref TypeDef type, MethodDef cctor) {
var instrs = cctor.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldci4 = instrs[i];
@ -105,14 +105,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
int offset = DotNetUtils.getLdcI4Value(ldci4);
reader.BaseStream.Position = offset;
int rid = DeobUtils.readVariableLengthInt32(reader);
if (rid != type.MetadataToken.RID)
if (rid != type.MDToken.RID)
throw new ApplicationException("Invalid RID");
return string.Empty; // It's non-null
}
return null;
}
protected override void getCallInfo(object context, FieldDefinition field, out MethodReference calledMethod, out OpCode callOpcode) {
protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) {
byte flags = reader.ReadByte();
int methodToken = 0x06000000 + ((flags & 0x3F) << 24) + DeobUtils.readVariableLengthInt32(reader);
@ -122,7 +122,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
calledMethod = module.LookupToken(methodToken) as MethodReference;
if (calledMethod == null)
throw new ApplicationException("Could not find method");
if (genericTypeToken != -1 && calledMethod.DeclaringType.MetadataToken.ToInt32() != genericTypeToken)
if (genericTypeToken != -1 && calledMethod.DeclaringType.MDToken.ToInt32() != genericTypeToken)
throw new ApplicationException("Invalid declaring type token");
}
@ -138,7 +138,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
setDelegateCreatorMethod(info.initMethod);
}
bool initializeInfo(Info infoTmp, TypeDefinition type) {
bool initializeInfo(Info infoTmp, TypeDef type) {
foreach (var dtype in type.NestedTypes) {
var cctor = DotNetUtils.getMethod(dtype, ".cctor");
if (cctor == null)
@ -152,7 +152,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return false;
}
bool initProxyType(Info infoTmp, MethodDefinition method) {
bool initProxyType(Info infoTmp, MethodDef method) {
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) {
if (!calledMethod.IsStatic)
continue;
@ -175,7 +175,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
"System.Reflection.Emit.OpCode",
"System.Reflection.Emit.OpCode[]",
};
bool checkProxyType(Info infoTmp, TypeDefinition type) {
bool checkProxyType(Info infoTmp, TypeDef type) {
if (type.NestedTypes.Count != 1)
return false;
@ -196,8 +196,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return true;
}
static List<FieldDefinition> getRvaFields(TypeDefinition type) {
var fields = new List<FieldDefinition>();
static List<FieldDef> getRvaFields(TypeDef type) {
var fields = new List<FieldDef>();
foreach (var field in type.Fields) {
if (field.RVA != 0)
fields.Add(field);
@ -205,9 +205,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return fields;
}
protected override IEnumerable<TypeDefinition> getDelegateTypes() {
protected override IEnumerable<TypeDef> getDelegateTypes() {
if (!mainType.Detected)
return new List<TypeDefinition>();
return new List<TypeDef>();
return mainType.Type.NestedTypes;
}
@ -233,9 +233,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
if (method.Parameters[2].ParameterType.FullName != "System.Type[]")
continue;
var methodType = method.Parameters[0].ParameterType as TypeDefinition;
var fieldType = method.Parameters[1].ParameterType as TypeDefinition;
var ilgType = method.Parameters[3].ParameterType as TypeDefinition;
var methodType = method.Parameters[0].ParameterType as TypeDef;
var fieldType = method.Parameters[1].ParameterType as TypeDef;
var ilgType = method.Parameters[3].ParameterType as TypeDef;
if (!checkMethodType(methodType))
continue;
if (!checkFieldType(fieldType))
@ -249,7 +249,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
}
}
bool checkMethodType(TypeDefinition type) {
bool checkMethodType(TypeDef type) {
if (type == null || type.BaseType == null || type.BaseType.EType != ElementType.Object)
return false;
if (type.Fields.Count != 1)
@ -260,7 +260,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return true;
}
bool checkFieldType(TypeDefinition type) {
bool checkFieldType(TypeDef type) {
if (type == null || type.BaseType == null || type.BaseType.EType != ElementType.Object)
return false;
if (DotNetUtils.getField(type, "System.Reflection.FieldInfo") == null)
@ -269,7 +269,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return true;
}
bool checkIlGeneratorType(TypeDefinition type) {
bool checkIlGeneratorType(TypeDef type) {
if (type == null || type.BaseType == null || type.BaseType.EType != ElementType.Object)
return false;
if (type.Fields.Count != 1)

2
de4dot.code/deobfuscators/CodeVeil/ResourceConverter.cs
View File

@ -19,7 +19,7 @@
using System;
using System.IO;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.code.resources;
namespace de4dot.code.deobfuscators.CodeVeil {

52
de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
View File

@ -19,23 +19,23 @@
using System;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CodeVeil {
class ResourceDecrypter {
ModuleDefinition module;
TypeDefinition encryptedResourceStreamType;
TypeDefinition encryptedResourceSetType;
MethodDefinition encryptedResourceSet_GetDefaultReader;
TypeDefinition encryptedResourceReaderType;
TypeDef encryptedResourceStreamType;
TypeDef encryptedResourceSetType;
MethodDef encryptedResourceSet_GetDefaultReader;
TypeDef encryptedResourceReaderType;
GenericInstanceType encryptedResourceReaderTypeDict;
TypeDefinition resType;
MethodDefinition resTypeCtor;
TypeDefinition resourceFlagsType;
TypeDefinition resourceEnumeratorType;
TypeDef resType;
MethodDef resTypeCtor;
TypeDef resourceFlagsType;
TypeDef resourceEnumeratorType;
MethodCallRestorerBase methodsRestorer;
public bool CanRemoveTypes {
@ -49,27 +49,27 @@ namespace de4dot.code.deobfuscators.CodeVeil {
}
}
public TypeDefinition EncryptedResourceStreamType {
public TypeDef EncryptedResourceStreamType {
get { return encryptedResourceStreamType; }
}
public TypeDefinition EncryptedResourceSetType {
public TypeDef EncryptedResourceSetType {
get { return encryptedResourceSetType; }
}
public TypeDefinition EncryptedResourceReaderType {
public TypeDef EncryptedResourceReaderType {
get { return encryptedResourceReaderType; }
}
public TypeDefinition ResType {
public TypeDef ResType {
get { return resType; }
}
public TypeDefinition ResourceFlagsType {
public TypeDef ResourceFlagsType {
get { return resourceFlagsType; }
}
public TypeDefinition ResourceEnumeratorType {
public TypeDef ResourceEnumeratorType {
get { return resourceEnumeratorType; }
}
@ -122,7 +122,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
void findResourceFlags() {
if (resTypeCtor == null || resTypeCtor.Parameters.Count != 4)
return;
var type = resTypeCtor.Parameters[2].ParameterType as TypeDefinition;
var type = resTypeCtor.Parameters[2].ParameterType as TypeDef;
if (type == null || !type.IsEnum)
return;
@ -137,7 +137,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
void findResType() {
if (encryptedResourceReaderTypeDict == null)
return;
var type = encryptedResourceReaderTypeDict.GenericArguments[1] as TypeDefinition;
var type = encryptedResourceReaderTypeDict.GenericArguments[1] as TypeDef;
if (type == null)
return;
if (type.BaseType == null || type.BaseType.EType != ElementType.Object)
@ -175,7 +175,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
encryptedResourceReaderTypeDict = dictType;
}
static bool hasInterface(TypeDefinition type, string interfaceFullName) {
static bool hasInterface(TypeDef type, string interfaceFullName) {
foreach (var iface in type.Interfaces) {
if (iface.FullName == interfaceFullName)
return true;
@ -183,7 +183,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return false;
}
static GenericInstanceType getDlxResDict(TypeDefinition type) {
static GenericInstanceType getDlxResDict(TypeDef type) {
foreach (var field in type.Fields) {
var fieldType = field.FieldType as GenericInstanceType;
if (fieldType == null)
@ -194,20 +194,20 @@ namespace de4dot.code.deobfuscators.CodeVeil {
continue;
if (fieldType.GenericArguments[0].FullName != "System.String")
continue;
if (!(fieldType.GenericArguments[1] is TypeDefinition))
if (!(fieldType.GenericArguments[1] is TypeDef))
continue;
return fieldType;
}
return null;
}
static TypeDefinition getTypeFromCode(MethodDefinition method) {
static TypeDef getTypeFromCode(MethodDef method) {
if (method == null || method.Body == null)
return null;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Ldtoken)
continue;
var type = instr.Operand as TypeDefinition;
var type = instr.Operand as TypeDef;
if (type != null)
return type;
}
@ -260,7 +260,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
if (findXxteaMethod(type) == null)
continue;
MethodDefinition getManifestResourceStreamMethodTmp1, getManifestResourceStreamMethodTmp2;
MethodDef getManifestResourceStreamMethodTmp1, getManifestResourceStreamMethodTmp2;
if (!findManifestResourceStreamMethods(type, out getManifestResourceStreamMethodTmp1, out getManifestResourceStreamMethodTmp2))
continue;
@ -271,7 +271,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
}
}
static MethodDefinition findXxteaMethod(TypeDefinition type) {
static MethodDef findXxteaMethod(TypeDef type) {
foreach (var method in type.Methods) {
if (!method.IsPrivate || method.IsStatic || method.Body == null)
continue;
@ -292,7 +292,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return null;
}
static bool findManifestResourceStreamMethods(TypeDefinition type, out MethodDefinition getManifestResourceStreamMethodTmp1, out MethodDefinition getManifestResourceStreamMethodTmp2) {
static bool findManifestResourceStreamMethods(TypeDef type, out MethodDef getManifestResourceStreamMethodTmp1, out MethodDef getManifestResourceStreamMethodTmp2) {
getManifestResourceStreamMethodTmp1 = null;
getManifestResourceStreamMethodTmp2 = null;
foreach (var method in type.Methods) {

36
de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
View File

@ -19,33 +19,33 @@
using System;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CodeVeil {
class StringDecrypter {
ModuleDefinition module;
MainType mainType;
TypeDefinition decrypterType;
FieldDefinition stringDataField;
MethodDefinition initMethod;
MethodDefinition decrypterMethod;
TypeDef decrypterType;
FieldDef stringDataField;
MethodDef initMethod;
MethodDef decrypterMethod;
string[] decryptedStrings;
public bool Detected {
get { return decrypterType != null; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return decrypterType; }
}
public MethodDefinition InitMethod {
public MethodDef InitMethod {
get { return initMethod; }
}
public MethodDefinition DecryptMethod {
public MethodDef DecryptMethod {
get { return decrypterMethod; }
}
@ -79,7 +79,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
findV5(cctor);
}
bool find(MethodDefinition method) {
bool find(MethodDef method) {
if (method == null || method.Body == null || !method.IsStatic)
return false;
@ -88,7 +88,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
var call = instrs[i];
if (call.OpCode.Code != Code.Call)
continue;
var initMethodTmp = call.Operand as MethodDefinition;
var initMethodTmp = call.Operand as MethodDef;
if (initMethodTmp == null || initMethodTmp.Body == null || !initMethodTmp.IsStatic)
continue;
if (!DotNetUtils.isMethod(initMethodTmp, "System.Void", "()"))
@ -105,7 +105,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
}
// The main decrypter type calls the string decrypter init method inside its init method
void findV5(MethodDefinition method) {
void findV5(MethodDef method) {
if (!mainType.Detected)
return;
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, mainType.InitMethod)) {
@ -114,7 +114,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
}
}
bool checkType(TypeDefinition type) {
bool checkType(TypeDef type) {
if (!type.HasNestedTypes)
return false;
@ -134,8 +134,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return true;
}
static MethodDefinition getDecrypterMethod(TypeDefinition type) {
MethodDefinition foundMethod = null;
static MethodDef getDecrypterMethod(TypeDef type) {
MethodDef foundMethod = null;
foreach (var method in type.Methods) {
if (method.Body == null || !method.IsStatic)
continue;
@ -155,11 +155,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
"System.String[]",
"System.UInt32[]",
};
FieldDefinition checkFields(TypeDefinition type) {
FieldDef checkFields(TypeDef type) {
if (!new FieldTypes(type).all(requiredFields))
return null;
FieldDefinition stringData = null;
FieldDef stringData = null;
foreach (var field in type.Fields) {
if (field.RVA != 0) {
if (stringData != null)
@ -193,7 +193,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
stringDataField.InitialValue = new byte[1];
}
static uint[] getKey(MethodDefinition method) {
static uint[] getKey(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldci4 = instrs[i];

22
de4dot.code/deobfuscators/CodeVeil/TamperDetection.cs
View File

@ -18,8 +18,8 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using de4dot.blocks;
@ -27,14 +27,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
class TamperDetection {
ModuleDefinition module;
MainType mainType;
TypeDefinition tamperDetectionType;
List<MethodDefinition> tamperDetectionMethods = new List<MethodDefinition>();
TypeDef tamperDetectionType;
List<MethodDef> tamperDetectionMethods = new List<MethodDef>();
public TypeDefinition Type {
public TypeDef Type {
get { return tamperDetectionType; }
}
public List<MethodDefinition> Methods {
public List<MethodDef> Methods {
get { return tamperDetectionMethods; }
}
@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
}
}
bool checkTamperDetectionClasses(IEnumerable<TypeDefinition> types) {
bool checkTamperDetectionClasses(IEnumerable<TypeDef> types) {
foreach (var type in types) {
if (!isTamperDetectionClass(type))
return false;
@ -90,13 +90,13 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return true;
}
bool isTamperDetectionClass(TypeDefinition type) {
bool isTamperDetectionClass(TypeDef type) {
if (type.BaseType == null || type.BaseType.EType != ElementType.Object)
return false;
if ((type.Attributes & ~TypeAttributes.Sealed) != TypeAttributes.NestedAssembly)
return false;
MethodDefinition cctor = null, initMethod = null;
MethodDef cctor = null, initMethod = null;
foreach (var method in type.Methods) {
if (InvalidMethodsFinder.isInvalidMethod(method))
continue;
@ -116,7 +116,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return true;
}
bool callsMainTypeTamperCheckMethod(MethodDefinition method) {
bool callsMainTypeTamperCheckMethod(MethodDef method) {
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) {
if (calledMethod == mainType.TamperCheckMethod)
return true;
@ -142,7 +142,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
}
static bool checkInvokeCall(Instruction instr, string returnType, string parameters) {
var method = instr.Operand as MethodDefinition;
var method = instr.Operand as MethodDef;
if (method == null)
return false;
if (method.Name != "Invoke")

20
de4dot.code/deobfuscators/CodeWall/AssemblyDecrypter.cs
View File

@ -22,8 +22,8 @@ using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
using de4dot.code.resources;
@ -74,7 +74,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
if (!checkEntryPoint(method))
return;
MethodDefinition decryptAssemblyMethod;
MethodDef decryptAssemblyMethod;
var mainKey = getMainResourceKey(method, out decryptAssemblyMethod);
if (mainKey == null)
return;
@ -100,7 +100,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
"System.AppDomain",
"System.DateTime",
};
bool checkEntryPoint(MethodDefinition method) {
bool checkEntryPoint(MethodDef method) {
if (method == null)
return false;
if (!new LocalTypes(method).all(requiredLocals))
@ -112,12 +112,12 @@ namespace de4dot.code.deobfuscators.CodeWall {
return true;
}
void deobfuscateAll(MethodDefinition method) {
void deobfuscateAll(MethodDef method) {
simpleDeobfuscator.deobfuscate(method);
simpleDeobfuscator.decryptStrings(method, deob);
}
string getMainResourceKey(MethodDefinition method, out MethodDefinition decryptAssemblyMethod) {
string getMainResourceKey(MethodDef method, out MethodDef decryptAssemblyMethod) {
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) {
if (!calledMethod.IsStatic || calledMethod.Body == null)
continue;
@ -135,7 +135,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
return null;
}
string getMainResourceKeyInfo(MethodDefinition method, out MethodDefinition decryptAssemblyMethod) {
string getMainResourceKeyInfo(MethodDef method, out MethodDef decryptAssemblyMethod) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldstr = instrs[i];
@ -144,7 +144,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
var call = instrs[i + 1];
if (call.OpCode.Code != Code.Call)
continue;
var calledMethod = call.Operand as MethodDefinition;
var calledMethod = call.Operand as MethodDef;
if (calledMethod == null)
continue;
@ -155,7 +155,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
return null;
}
EmbeddedResource getResource(MethodDefinition method, out ModuleDefinition theResourceModule) {
EmbeddedResource getResource(MethodDef method, out ModuleDefinition theResourceModule) {
string resourceDllFileName = null;
theResourceModule = module;
foreach (var s in DotNetUtils.getCodeStrings(method)) {
@ -192,7 +192,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
}
}
bool getPassword(MethodDefinition method, out string password, out string salt) {
bool getPassword(MethodDef method, out string password, out string salt) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldstr1 = instrs[i];

4
de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs
View File

@ -19,7 +19,7 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
using Mono.MyStuff;
using de4dot.blocks;
using de4dot.PE;
@ -263,7 +263,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
public override IEnumerable<int> getStringDecrypterMethods() {
var list = new List<int>();
foreach (var info in stringDecrypter.Infos)
list.Add(info.Method.MetadataToken.ToInt32());
list.Add(info.Method.MDToken.ToInt32());
return list;
}
}

6
de4dot.code/deobfuscators/CodeWall/MethodsDecrypter.cs
View File

@ -18,8 +18,8 @@
*/
using System;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.MyStuff;
using de4dot.PE;
using de4dot.blocks;
@ -51,7 +51,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
}
}
bool checkCctor(MethodDefinition method) {
bool checkCctor(MethodDef method) {
if (method == null || method.Body == null)
return false;

52
de4dot.code/deobfuscators/CodeWall/StringDecrypter.cs
View File

@ -21,8 +21,8 @@ using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CodeWall {
@ -38,13 +38,13 @@ namespace de4dot.code.deobfuscators.CodeWall {
}
public class StringEncrypterInfo {
MethodDefinition method;
MethodDef method;
public TypeDefinition Type {
public TypeDef Type {
get { return method.DeclaringType; }
}
public MethodDefinition Method {
public MethodDef Method {
get { return method; }
}
@ -54,7 +54,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
public int Magic3 { get; set; }
public BinaryReader Reader { get; set; }
public StringEncrypterInfo(MethodDefinition method) {
public StringEncrypterInfo(MethodDef method) {
this.method = method;
}
@ -94,7 +94,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
public override string ToString() {
return string.Format("{0:X8} M1:{1:X8} M2:{2:X8} M3:{3:X8}",
Method.MetadataToken.ToInt32(),
Method.MDToken.ToInt32(),
Magic1, Magic2, Magic3);
}
}
@ -124,7 +124,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
public void find() {
foreach (var type in module.Types) {
MethodDefinition decrypterMethod;
MethodDef decrypterMethod;
var decrypterVersion = checkType(type, out decrypterMethod);
if (decrypterVersion == Version.Unknown)
continue;
@ -133,8 +133,8 @@ namespace de4dot.code.deobfuscators.CodeWall {
}
}
Version checkType(TypeDefinition type, out MethodDefinition decrypterMethod) {
MethodDefinition method;
Version checkType(TypeDef type, out MethodDef decrypterMethod) {
MethodDef method;
if ((method = checkType_v30(type)) != null) {
decrypterMethod = method;
@ -161,8 +161,8 @@ namespace de4dot.code.deobfuscators.CodeWall {
"System.Random",
"System.String",
};
MethodDefinition checkType_v30(TypeDefinition type) {
MethodDefinition decrypterMethod = checkMethods_v30(type);
MethodDef checkType_v30(TypeDef type) {
MethodDef decrypterMethod = checkMethods_v30(type);
if (decrypterMethod == null)
return null;
if (!new FieldTypes(type).exactly(requiredTypes_v30))
@ -173,12 +173,12 @@ namespace de4dot.code.deobfuscators.CodeWall {
return decrypterMethod;
}
static MethodDefinition checkMethods_v30(TypeDefinition type) {
static MethodDef checkMethods_v30(TypeDef type) {
if (type.Methods.Count < 1 || type.Methods.Count > 2)
return null;
MethodDefinition decrypterMethod = null;
MethodDefinition cctor = null;
MethodDef decrypterMethod = null;
MethodDef cctor = null;
foreach (var method in type.Methods) {
if (method.Name == ".cctor") {
cctor = method;
@ -208,8 +208,8 @@ namespace de4dot.code.deobfuscators.CodeWall {
"System.String",
"System.Object",
};
MethodDefinition checkType_v36(TypeDefinition type) {
MethodDefinition decrypterMethod = checkMethods_v36(type);
MethodDef checkType_v36(TypeDef type) {
MethodDef decrypterMethod = checkMethods_v36(type);
if (decrypterMethod == null)
return null;
if (!new FieldTypes(type).exactly(requiredTypes_v36))
@ -220,12 +220,12 @@ namespace de4dot.code.deobfuscators.CodeWall {
return decrypterMethod;
}
static MethodDefinition checkMethods_v36(TypeDefinition type) {
static MethodDef checkMethods_v36(TypeDef type) {
if (type.Methods.Count != 2)
return null;
MethodDefinition decrypterMethod = null;
MethodDefinition cctor = null;
MethodDef decrypterMethod = null;
MethodDef cctor = null;
foreach (var method in type.Methods) {
if (method.Name == ".cctor") {
cctor = method;
@ -249,7 +249,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
simpleDeobfuscator.deobfuscate(info.Method);
info.Resource = findResource(info.Method);
if (info.Resource == null) {
Log.w("Could not find encrypted strings resource (Method {0:X8})", info.Method.MetadataToken.ToInt32());
Log.w("Could not find encrypted strings resource (Method {0:X8})", info.Method.MDToken.ToInt32());
continue;
}
info.Magic1 = findMagic1(info.Method);
@ -259,11 +259,11 @@ namespace de4dot.code.deobfuscators.CodeWall {
}
}
EmbeddedResource findResource(MethodDefinition method) {
EmbeddedResource findResource(MethodDef method) {
return DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
}
static int findMagic1(MethodDefinition method) {
static int findMagic1(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++) {
var ldarg = instrs[i];
@ -279,7 +279,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
throw new ApplicationException("Could not find magic1");
}
static int findMagic2(MethodDefinition method) {
static int findMagic2(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++) {
var ldloc = instrs[i];
@ -295,7 +295,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
throw new ApplicationException("Could not find magic2");
}
static int findMagic3(MethodDefinition method) {
static int findMagic3(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++) {
var ldarg = instrs[i];
@ -311,7 +311,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
throw new ApplicationException("Could not find magic3");
}
public string decrypt(MethodDefinition method, int magic1, int magic2, int magic3) {
public string decrypt(MethodDef method, int magic1, int magic2, int magic3) {
var info = stringEncrypterInfos.find(method);
return info.decrypt(magic1, magic2, magic3);
}

16
de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
View File

@ -17,7 +17,7 @@
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
@ -25,14 +25,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
ModuleDefinition module;
ISimpleDeobfuscator simpleDeobfuscator;
IDeobfuscator deob;
TypeDefinition antiDebuggerType;
MethodDefinition antiDebuggerMethod;
TypeDef antiDebuggerType;
MethodDef antiDebuggerMethod;
public TypeDefinition Type {
public TypeDef Type {
get { return antiDebuggerType; }
}
public MethodDefinition Method {
public MethodDef Method {
get { return antiDebuggerMethod; }
}
@ -49,7 +49,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return;
}
bool find(MethodDefinition methodToCheck) {
bool find(MethodDef methodToCheck) {
if (methodToCheck == null)
return false;
foreach (var method in DotNetUtils.getCalledMethods(module, methodToCheck)) {
@ -79,12 +79,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return false;
}
void deobfuscate(MethodDefinition method) {
void deobfuscate(MethodDef method) {
simpleDeobfuscator.deobfuscate(method);
simpleDeobfuscator.decryptStrings(method, deob);
}
bool containsString(MethodDefinition method, string part) {
bool containsString(MethodDef method, string part) {
foreach (var s in DotNetUtils.getCodeStrings(method)) {
if (s.Contains(part))
return true;

16
de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
View File

@ -20,15 +20,15 @@
using System;
using System.Collections.Generic;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
class AssemblyResolver {
ModuleDefinition module;
TypeDefinition resolverType;
MethodDefinition resolverMethod;
TypeDef resolverType;
MethodDef resolverMethod;
List<AssemblyInfo> assemblyInfos = new List<AssemblyInfo>();
public class AssemblyInfo {
@ -54,11 +54,11 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
get { return assemblyInfos; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return resolverType; }
}
public MethodDefinition Method {
public MethodDef Method {
get { return resolverMethod; }
}
@ -81,7 +81,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
}
}
bool checkType(TypeDefinition type, MethodDefinition initMethod) {
bool checkType(TypeDef type, MethodDef initMethod) {
if (DotNetUtils.findFieldType(type, "System.Collections.Hashtable", true) == null)
return false;
if (!checkInitMethod(initMethod))
@ -102,7 +102,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return true;
}
bool checkInitMethod(MethodDefinition initMethod) {
bool checkInitMethod(MethodDef initMethod) {
if (!initMethod.HasBody)
return false;

4
de4dot.code/deobfuscators/CryptoObfuscator/CoUtils.cs
View File

@ -20,12 +20,12 @@
using System;
using System.Collections.Generic;
using System.Text;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
static class CoUtils {
public static EmbeddedResource getResource(ModuleDefinition module, MethodDefinition method) {
public static EmbeddedResource getResource(ModuleDefinition module, MethodDef method) {
if (method == null || method.Body == null)
return null;
return getResource(module, DotNetUtils.getCodeStrings(method));

26
de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
View File

@ -20,21 +20,21 @@
using System;
using System.Collections.Generic;
using System.Text;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
class ConstantsDecrypter {
ModuleDefinition module;
TypeDefinition decrypterType;
MethodDefinition methodI4;
MethodDefinition methodI8;
MethodDefinition methodR4;
MethodDefinition methodR8;
TypeDef decrypterType;
MethodDef methodI4;
MethodDef methodI8;
MethodDef methodR4;
MethodDef methodR8;
EmbeddedResource encryptedResource;
byte[] constantsData;
public TypeDefinition Type {
public TypeDef Type {
get { return decrypterType; }
}
@ -42,19 +42,19 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
get { return encryptedResource; }
}
public MethodDefinition Int32Decrypter {
public MethodDef Int32Decrypter {
get { return methodI4; }
}
public MethodDefinition Int64Decrypter {
public MethodDef Int64Decrypter {
get { return methodI8; }
}
public MethodDefinition SingleDecrypter {
public MethodDef SingleDecrypter {
get { return methodR4; }
}
public MethodDefinition DoubleDecrypter {
public MethodDef DoubleDecrypter {
get { return methodR8; }
}
@ -79,7 +79,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
static readonly string[] requiredTypes = new string[] {
"System.Byte[]",
};
bool checkType(TypeDefinition type) {
bool checkType(TypeDef type) {
if (type.Methods.Count != 7)
return false;
if (type.Fields.Count < 1 || type.Fields.Count > 2)
@ -92,7 +92,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return true;
}
bool checkMethods(TypeDefinition type) {
bool checkMethods(TypeDef type) {
methodI4 = DotNetUtils.getMethod(type, "System.Int32", "(System.Int32)");
methodI8 = DotNetUtils.getMethod(type, "System.Int64", "(System.Int32)");
methodR4 = DotNetUtils.getMethod(type, "System.Single", "(System.Int32)");

6
de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
View File

@ -20,7 +20,7 @@
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
@ -149,7 +149,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
foundObfuscatorUserString = Utils.StartsWith(module.GetUserString(0x70000001), "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal);
}
void initializeVersion(TypeDefinition attr) {
void initializeVersion(TypeDef attr) {
var s = DotNetUtils.getCustomArgAsString(getAssemblyAttribute(attr), 0);
if (s == null)
return;
@ -282,7 +282,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
public override IEnumerable<int> getStringDecrypterMethods() {
var list = new List<int>();
if (stringDecrypter.Method != null)
list.Add(stringDecrypter.Method.MetadataToken.ToInt32());
list.Add(stringDecrypter.Method.MDToken.ToInt32());
return list;
}
}

10
de4dot.code/deobfuscators/CryptoObfuscator/MethodBodyReader.cs
View File

@ -20,8 +20,8 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
@ -34,7 +34,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
this.module = module;
}
public void read(MethodDefinition method) {
public void read(MethodDef method) {
this.parameters = getParameters(method);
this.Locals = getLocals(method);
@ -55,7 +55,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return DotNetUtils.getParameters(method);
}
static IList<VariableDefinition> getLocals(MethodDefinition method) {
static IList<VariableDefinition> getLocals(MethodDef method) {
if (method.Body == null)
return new List<VariableDefinition>();
return new List<VariableDefinition>(method.Body.Variables);
@ -115,7 +115,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return eh;
}
public override void restoreMethod(MethodDefinition method) {
public override void restoreMethod(MethodDef method) {
base.restoreMethod(method);
method.Body.MaxStackSize = maxStackSize;
}

30
de4dot.code/deobfuscators/CryptoObfuscator/MethodsDecrypter.cs
View File

@ -20,24 +20,24 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
class MethodsDecrypter {
ModuleDefinition module;
TypeDefinition decrypterType;
MethodDefinition decryptMethod;
MethodDefinition decrypterCctor;
TypeDef decrypterType;
MethodDef decryptMethod;
MethodDef decrypterCctor;
EmbeddedResource resource;
List<TypeDefinition> delegateTypes = new List<TypeDefinition>();
List<TypeDef> delegateTypes = new List<TypeDef>();
public TypeDefinition Type {
public TypeDef Type {
get { return decrypterType; }
}
public IEnumerable<TypeDefinition> DelegateTypes {
public IEnumerable<TypeDef> DelegateTypes {
get { return delegateTypes; }
}
@ -65,7 +65,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
"System.Collections.Generic.Dictionary`2<System.Int32,System.Int32>",
"System.ModuleHandle",
};
bool check(TypeDefinition type) {
bool check(TypeDef type) {
if (type.NestedTypes.Count != 1)
return false;
if (type.Fields.Count != 3)
@ -98,7 +98,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
"System.Type",
"System.Type[]",
};
static MethodDefinition findDecryptMethod(TypeDefinition type) {
static MethodDef findDecryptMethod(TypeDef type) {
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
@ -136,7 +136,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
}
void decrypt(BinaryReader reader, int delegateTypeToken) {
var delegateType = module.LookupToken(delegateTypeToken) as TypeDefinition;
var delegateType = module.LookupToken(delegateTypeToken) as TypeDef;
if (delegateType == null)
throw new ApplicationException("Couldn't find delegate type");
@ -148,7 +148,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
var encType = module.LookupToken(encDeclToken) as TypeReference;
if (encType == null)
throw new ApplicationException("Invalid declaring type token");
var encMethod = module.LookupToken(encMethToken) as MethodDefinition;
var encMethod = module.LookupToken(encMethToken) as MethodDef;
if (encMethod == null)
throw new ApplicationException("Invalid encrypted method token");
@ -157,14 +157,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
bodyReader.restoreMethod(encMethod);
Log.v("Restored method {0} ({1:X8}). Instrs:{2}, Locals:{3}, Exceptions:{4}",
Utils.removeNewlines(encMethod.FullName),
encMethod.MetadataToken.ToInt32(),
encMethod.MDToken.ToInt32(),
encMethod.Body.Instructions.Count,
encMethod.Body.Variables.Count,
encMethod.Body.ExceptionHandlers.Count);
delegateTypes.Add(delegateType);
}
bool getTokens(TypeDefinition delegateType, out int delegateToken, out int encMethodToken, out int encDeclaringTypeToken) {
bool getTokens(TypeDef delegateType, out int delegateToken, out int encMethodToken, out int encDeclaringTypeToken) {
delegateToken = 0;
encMethodToken = 0;
encDeclaringTypeToken = 0;
@ -187,7 +187,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
var call = instrs[i + 3];
if (call.OpCode.Code != Code.Call)
continue;
var calledMethod = call.Operand as MethodDefinition;
var calledMethod = call.Operand as MethodDef;
if (calledMethod == null)
continue;
if (calledMethod != decryptMethod)

18
de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs
View File

@ -19,13 +19,13 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
class ProxyCallFixer : ProxyCallFixer2 {
Dictionary<MethodDefinition, ProxyCreatorType> methodToType = new Dictionary<MethodDefinition, ProxyCreatorType>();
Dictionary<MethodDef, ProxyCreatorType> methodToType = new Dictionary<MethodDef, ProxyCreatorType>();
public ProxyCallFixer(ModuleDefinition module)
: base(module) {
@ -51,7 +51,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
}
}
protected override object checkCctor(TypeDefinition type, MethodDefinition cctor) {
protected override object checkCctor(TypeDef type, MethodDef cctor) {
var instructions = cctor.Body.Instructions;
for (int i = 0; i < instructions.Count; i++) {
var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Ldc_I4, OpCodes.Ldc_I4, OpCodes.Ldc_I4, OpCodes.Call);
@ -61,7 +61,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
int typeToken = (int)instrs[0].Operand;
int methodToken = (int)instrs[1].Operand;
int declaringTypeToken = (int)instrs[2].Operand;
var createMethod = instrs[3].Operand as MethodDefinition;
var createMethod = instrs[3].Operand as MethodDef;
ProxyCreatorType proxyCreatorType;
if (!methodToType.TryGetValue(createMethod, out proxyCreatorType))
@ -73,7 +73,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return null;
}
protected override void getCallInfo(object context, FieldDefinition field, out MethodReference calledMethod, out OpCode callOpcode) {
protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) {
var ctx = (Context)context;
switch (ctx.proxyCreatorType) {
@ -107,13 +107,13 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
}
}
MethodDefinition getProxyCreateMethod(TypeDefinition type) {
MethodDef getProxyCreateMethod(TypeDef type) {
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
return null;
if (type.Fields.Count < 1 || type.Fields.Count > 12)
return null;
MethodDefinition createMethod = null;
MethodDef createMethod = null;
foreach (var m in type.Methods) {
if (m.Name == ".ctor" || m.Name == ".cctor")
continue;
@ -131,7 +131,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return createMethod;
}
ProxyCreatorType getProxyCreatorType(TypeDefinition type, MethodDefinition createMethod) {
ProxyCreatorType getProxyCreatorType(TypeDef type, MethodDef createMethod) {
int numCalls = 0, numCallvirts = 0, numNewobjs = 0;
foreach (var instr in createMethod.Body.Instructions) {
if (instr.OpCode.Code != Code.Ldsfld)

18
de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
View File

@ -22,15 +22,15 @@ using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
class ResourceDecrypter {
const int BUFLEN = 0x8000;
ModuleDefinition module;
TypeDefinition resourceDecrypterType;
TypeDef resourceDecrypterType;
byte[] buffer1 = new byte[BUFLEN];
byte[] buffer2 = new byte[BUFLEN];
byte desEncryptedFlag;
@ -97,7 +97,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return false;
}
bool checkCctor(MethodDefinition cctor) {
bool checkCctor(MethodDef cctor) {
if (cctor.Body == null)
return false;
int stsfldCount = 0;
@ -182,7 +182,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
bitwiseNotEncryptedFlag = 4;
}
static bool checkFlipBits(MethodDefinition method) {
static bool checkFlipBits(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldloc = instrs[i];
@ -202,7 +202,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return false;
}
bool updateFlags(MethodDefinition method, ISimpleDeobfuscator simpleDeobfuscator) {
bool updateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) {
if (method == null || method.Body == null)
return false;
@ -266,7 +266,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return false;
}
static int getHeaderSkipBytes(MethodDefinition method) {
static int getHeaderSkipBytes(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldci4 = instrs[i];
@ -291,11 +291,11 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return false;
}
MethodDefinition getDecrypterMethod() {
MethodDef getDecrypterMethod() {
return getDecrypterMethod(resourceDecrypterType);
}
static MethodDefinition getDecrypterMethod(TypeDefinition type) {
static MethodDef getDecrypterMethod(TypeDef type) {
foreach (var method in type.Methods) {
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.IO.Stream)"))
return method;

16
de4dot.code/deobfuscators/CryptoObfuscator/ResourceResolver.cs
View File

@ -19,16 +19,16 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
class ResourceResolver {
ModuleDefinition module;
ResourceDecrypter resourceDecrypter;
TypeDefinition resolverType;
MethodDefinition resolverMethod;
TypeDef resolverType;
MethodDef resolverMethod;
ResolverVersion resolverVersion = ResolverVersion.V1;
bool mergedIt = false;
@ -38,11 +38,11 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
V2,
}
public TypeDefinition Type {
public TypeDef Type {
get { return resolverType; }
}
public MethodDefinition Method {
public MethodDef Method {
get { return resolverMethod; }
}
@ -99,7 +99,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return names;
}
bool checkType(MethodDefinition initMethod) {
bool checkType(MethodDef initMethod) {
if (!initMethod.HasBody)
return false;
if (DotNetUtils.findFieldType(initMethod.DeclaringType, "System.Reflection.Assembly", true) == null)
@ -116,7 +116,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return true;
}
ResolverVersion checkSetupMethod(MethodDefinition setupMethod) {
ResolverVersion checkSetupMethod(MethodDef setupMethod) {
var instructions = setupMethod.Body.Instructions;
int foundCount = 0;
for (int i = 0; i < instructions.Count; i++) {

18
de4dot.code/deobfuscators/CryptoObfuscator/StringDecrypter.cs
View File

@ -19,26 +19,26 @@
using System;
using System.Text;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
class StringDecrypter {
ModuleDefinition module;
EmbeddedResource stringResource;
TypeDefinition stringDecrypterType;
MethodDefinition stringDecrypterMethod;
TypeDef stringDecrypterType;
MethodDef stringDecrypterMethod;
byte[] decryptedData;
public bool Detected {
get { return stringDecrypterType != null; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return stringDecrypterType; }
}
public MethodDefinition Method {
public MethodDef Method {
get { return stringDecrypterMethod; }
}
@ -51,8 +51,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
}
public void find() {
TypeDefinition type;
MethodDefinition method;
TypeDef type;
MethodDef method;
if (!findStringDecrypterType(out type, out method))
return;
@ -98,7 +98,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return Encoding.Unicode.GetString(decryptedData, index, len);
}
bool findStringDecrypterType(out TypeDefinition theType, out MethodDefinition theMethod) {
bool findStringDecrypterType(out TypeDef theType, out MethodDef theMethod) {
theType = null;
theMethod = null;
@ -114,7 +114,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
if (type.NestedTypes.Count > 0)
continue;
MethodDefinition method = null;
MethodDef method = null;
foreach (var m in type.Methods) {
if (m.Name == ".ctor" || m.Name == ".cctor")
continue;

18
de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs
View File

@ -17,25 +17,25 @@
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CryptoObfuscator {
class TamperDetection {
ModuleDefinition module;
TypeDefinition tamperType;
MethodDefinition tamperMethod;
TypeDef tamperType;
MethodDef tamperMethod;
FrameworkType frameworkType;
public bool Detected {
get { return tamperMethod != null; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return tamperType; }
}
public MethodDefinition Method {
public MethodDef Method {
get { return tamperMethod; }
}
@ -51,7 +51,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return;
}
bool find(MethodDefinition methodToCheck) {
bool find(MethodDef methodToCheck) {
if (methodToCheck == null)
return false;
@ -79,7 +79,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return false;
}
bool findDesktop(MethodDefinition method) {
bool findDesktop(MethodDef method) {
var type = method.DeclaringType;
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
@ -107,7 +107,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
"System.Reflection.AssemblyName",
"System.String",
};
bool findSilverlight(MethodDefinition method) {
bool findSilverlight(MethodDef method) {
if (!new LocalTypes(method).exactly(requiredLocals_sl))
return false;
if (!DotNetUtils.callsMethod(method, "System.Int32 System.String::get_Length()"))
@ -136,7 +136,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
"System.Int32",
"System.String",
};
bool findCompactFramework(MethodDefinition method) {
bool findCompactFramework(MethodDef method) {
if (!new LocalTypes(method).exactly(requiredLocals_cf))
return false;
if (!DotNetUtils.callsMethod(method, "System.Int32 System.String::get_Length()"))

4
de4dot.code/deobfuscators/DeepSea/ArrayBlockDeobfuscator.cs
View File

@ -18,8 +18,8 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
using de4dot.blocks.cflow;

22
de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs
View File

@ -18,8 +18,8 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using de4dot.blocks;
@ -29,11 +29,11 @@ namespace de4dot.code.deobfuscators.DeepSea {
FieldDefinitionAndDeclaringTypeDict<FieldInfo> fieldToInfo = new FieldDefinitionAndDeclaringTypeDict<FieldInfo>();
public class FieldInfo {
public readonly FieldDefinition field;
public readonly FieldDefinition arrayInitField;
public readonly FieldDef field;
public readonly FieldDef arrayInitField;
public readonly byte[] array;
public FieldInfo(FieldDefinition field, FieldDefinition arrayInitField) {
public FieldInfo(FieldDef field, FieldDef arrayInitField) {
this.field = field;
this.arrayInitField = arrayInitField;
this.array = (byte[])arrayInitField.InitialValue.Clone();
@ -52,14 +52,14 @@ namespace de4dot.code.deobfuscators.DeepSea {
initializeArrays(simpleDeobfuscator, DotNetUtils.getModuleTypeCctor(module));
}
void initializeArrays(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition method) {
void initializeArrays(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
if (method == null || method.Body == null)
return;
while (initializeArrays2(simpleDeobfuscator, method)) {
}
}
bool initializeArrays2(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition method) {
bool initializeArrays2(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
bool foundField = false;
simpleDeobfuscator.deobfuscate(method, true);
var instructions = method.Body.Instructions;
@ -76,7 +76,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
if (arrayType == null || arrayType.EType != ElementType.U1)
continue;
var arrayInitField = instrs[2].Operand as FieldDefinition;
var arrayInitField = instrs[2].Operand as FieldDef;
if (arrayInitField == null || arrayInitField.InitialValue == null || arrayInitField.InitialValue.Length == 0)
continue;
@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)")
continue;
var targetField = instrs[4].Operand as FieldDefinition;
var targetField = instrs[4].Operand as FieldDef;
if (targetField == null)
continue;
@ -102,8 +102,8 @@ namespace de4dot.code.deobfuscators.DeepSea {
return fieldToInfo.find(fieldRef);
}
public IEnumerable<FieldDefinition> cleanUp() {
var removedFields = new List<FieldDefinition>();
public IEnumerable<FieldDef> cleanUp() {
var removedFields = new List<FieldDef>();
var moduleCctor = DotNetUtils.getModuleTypeCctor(module);
if (moduleCctor == null)
return removedFields;

52
de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs
View File

@ -21,15 +21,15 @@ using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.DeepSea {
class AssemblyResolver : ResolverBase {
Version version;
List<FieldInfo> fieldInfos;
MethodDefinition decryptMethod;
MethodDef decryptMethod;
enum Version {
Unknown,
@ -62,16 +62,16 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
class FieldInfo {
public FieldDefinition field;
public FieldDef field;
public int magic;
public FieldInfo(FieldDefinition field, int magic) {
public FieldInfo(FieldDef field, int magic) {
this.field = field;
this.magic = magic;
}
}
public MethodDefinition DecryptMethod {
public MethodDef DecryptMethod {
get { return decryptMethod; }
}
@ -86,7 +86,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
"System.Security.Cryptography.SHA1Managed",
"System.Windows.AssemblyPart",
};
protected override bool checkResolverInitMethodSilverlight(MethodDefinition resolverInitMethod) {
protected override bool checkResolverInitMethodSilverlight(MethodDef resolverInitMethod) {
if (resolverInitMethod.Body.ExceptionHandlers.Count != 1)
return false;
@ -110,7 +110,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return false;
}
void updateVersion(MethodDefinition handler) {
void updateVersion(MethodDef handler) {
if (isV3Old(handler)) {
version = Version.V3Old;
return;
@ -125,7 +125,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
}
static bool isV3SL(MethodDefinition handler) {
static bool isV3SL(MethodDef handler) {
var instrs = handler.Body.Instructions;
for (int i = 0; i < instrs.Count - 3; i++) {
if (!DotNetUtils.isLdloc(instrs[i]))
@ -141,7 +141,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return false;
}
static bool isV41SL(MethodDefinition handler) {
static bool isV41SL(MethodDef handler) {
var instrs = handler.Body.Instructions;
for (int i = 0; i < instrs.Count; i++) {
if (!DotNetUtils.isLdcI4(instrs[i]) || DotNetUtils.getLdcI4Value(instrs[i]) != 5)
@ -157,18 +157,18 @@ namespace de4dot.code.deobfuscators.DeepSea {
return false;
}
static bool isV3Old(MethodDefinition method) {
static bool isV3Old(MethodDef method) {
return DotNetUtils.callsMethod(method, "System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32)") &&
!DotNetUtils.callsMethod(method, "System.Int32 System.IO.Stream::ReadByte()") &&
// Obfuscated System.Int32 System.IO.Stream::ReadByte()
!DotNetUtils.callsMethod(method, "System.Int32", "(System.IO.Stream,System.Int32,System.Int32)");
}
protected override bool checkResolverInitMethodInternal(MethodDefinition resolverInitMethod) {
protected override bool checkResolverInitMethodInternal(MethodDef resolverInitMethod) {
return DotNetUtils.callsMethod(resolverInitMethod, "System.Void System.AppDomain::add_AssemblyResolve(System.ResolveEventHandler)");
}
protected override bool checkHandlerMethodDesktopInternal(MethodDefinition handler) {
protected override bool checkHandlerMethodDesktopInternal(MethodDef handler) {
if (checkHandlerV3(handler) || checkHandlerSL(handler)) {
updateVersion(handler);
return true;
@ -176,7 +176,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
simpleDeobfuscator.deobfuscate(handler);
List<FieldInfo> fieldInfosTmp;
MethodDefinition decryptMethodTmp;
MethodDef decryptMethodTmp;
if (checkHandlerV4(handler, out fieldInfosTmp, out decryptMethodTmp)) {
version = Version.V4;
fieldInfos = fieldInfosTmp;
@ -204,7 +204,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
"System.Security.Cryptography.SHA1CryptoServiceProvider",
"System.String",
};
static bool checkHandlerV3(MethodDefinition handler) {
static bool checkHandlerV3(MethodDef handler) {
return new LocalTypes(handler).all(handlerLocalTypes_NET);
}
@ -216,12 +216,12 @@ namespace de4dot.code.deobfuscators.DeepSea {
"System.String",
"System.Windows.AssemblyPart",
};
static bool checkHandlerSL(MethodDefinition handler) {
static bool checkHandlerSL(MethodDef handler) {
return new LocalTypes(handler).all(handlerLocalTypes_SL);
}
// 4.0.1.18 .. 4.0.3
bool checkHandlerV4(MethodDefinition handler, out List<FieldInfo> fieldInfos, out MethodDefinition decryptMethod) {
bool checkHandlerV4(MethodDef handler, out List<FieldInfo> fieldInfos, out MethodDef decryptMethod) {
fieldInfos = new List<FieldInfo>();
decryptMethod = null;
@ -232,7 +232,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
var ldtoken = instrs[index++];
if (ldtoken.OpCode.Code != Code.Ldtoken)
continue;
var field = ldtoken.Operand as FieldDefinition;
var field = ldtoken.Operand as FieldDef;
if (field == null || field.InitialValue == null || field.InitialValue.Length == 0)
return false;
@ -252,7 +252,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
call = instrs[index++];
if (call.OpCode.Code != Code.Call)
return false;
var decryptMethodTmp = call.Operand as MethodDefinition;
var decryptMethodTmp = call.Operand as MethodDef;
if (!DotNetUtils.isMethod(decryptMethodTmp, "System.Reflection.Assembly", "(System.RuntimeFieldHandle,System.Int32,System.Int32)"))
return false;
@ -264,7 +264,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
// 4.0.4, 4.1+
Version checkHandlerV404_41(MethodDefinition handler, out List<FieldInfo> fieldInfos, out MethodDefinition decryptMethod) {
Version checkHandlerV404_41(MethodDef handler, out List<FieldInfo> fieldInfos, out MethodDef decryptMethod) {
Version version = Version.Unknown;
fieldInfos = new List<FieldInfo>();
decryptMethod = null;
@ -286,7 +286,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
var ldtoken = instrs[index++];
if (ldtoken.OpCode.Code != Code.Ldtoken)
continue;
var field = ldtoken.Operand as FieldDefinition;
var field = ldtoken.Operand as FieldDef;
if (field == null || field.InitialValue == null || field.InitialValue.Length == 0)
continue;
@ -302,7 +302,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
var args = DsUtils.getArgValues(instrs, callIndex);
if (args == null)
continue;
var decryptMethodTmp = instrs[callIndex].Operand as MethodDefinition;
var decryptMethodTmp = instrs[callIndex].Operand as MethodDef;
if (decryptMethodTmp == null)
continue;
int magic;
@ -317,7 +317,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return version;
}
static bool getMagic(MethodDefinition method, IList<object> args, out Version version, out int magic) {
static bool getMagic(MethodDef method, IList<object> args, out Version version, out int magic) {
magic = 0;
int magicIndex = getMagicIndex(method, out version);
if (magicIndex < 0 || magicIndex >= args.Count)
@ -330,7 +330,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return true;
}
static int getMagicIndex(MethodDefinition method, out Version version) {
static int getMagicIndex(MethodDef method, out Version version) {
int magicIndex = getMagicIndex404(method);
if (magicIndex >= 0) {
version = Version.V404;
@ -347,7 +347,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return -1;
}
static int getMagicIndex404(MethodDefinition method) {
static int getMagicIndex404(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 4; i++) {
int index = i;
@ -368,7 +368,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return -1;
}
static int getMagicIndex41Trial(MethodDefinition method) {
static int getMagicIndex41Trial(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 4; i++) {
int index = i;

6
de4dot.code/deobfuscators/DeepSea/CastDeobfuscator.cs
View File

@ -21,8 +21,8 @@ using System;
using System.Collections.Generic;
using de4dot.blocks;
using de4dot.blocks.cflow;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
namespace de4dot.code.deobfuscators.DeepSea {
class CastDeobfuscator : IBlocksDeobfuscator {
@ -67,7 +67,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
public override string ToString() {
if (type == null)
return string.Format("{0} - INVALID", local);
return string.Format("{0} - {1:X8} {2}", local, type.MetadataToken.ToInt32(), type.FullName);
return string.Format("{0} - {1:X8} {2}", local, type.MDToken.ToInt32(), type.FullName);
}
}

4
de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs
View File

@ -18,7 +18,7 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
using de4dot.blocks.cflow;
@ -292,7 +292,7 @@ done:
public override IEnumerable<int> getStringDecrypterMethods() {
var list = new List<int>();
foreach (var method in stringDecrypter.DecrypterMethods)
list.Add(method.MetadataToken.ToInt32());
list.Add(method.MDToken.ToInt32());
return list;
}
}

2
de4dot.code/deobfuscators/DeepSea/DsConstantsReader.cs
View File

@ -18,7 +18,7 @@
*/
using System.Collections.Generic;
using Mono.Cecil.Cil;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.DeepSea {

8
de4dot.code/deobfuscators/DeepSea/DsInlinedMethodsFinder.cs
View File

@ -18,16 +18,16 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
namespace de4dot.code.deobfuscators.DeepSea {
static class DsInlinedMethodsFinder {
public static List<MethodDefinition> find(ModuleDefinition module, IEnumerable<MethodDefinition> notInlinedMethods) {
var notInlinedMethodsDict = new Dictionary<MethodDefinition, bool>();
public static List<MethodDef> find(ModuleDefinition module, IEnumerable<MethodDef> notInlinedMethods) {
var notInlinedMethodsDict = new Dictionary<MethodDef, bool>();
foreach (var method in notInlinedMethods)
notInlinedMethodsDict[method] = true;
var inlinedMethods = new List<MethodDefinition>();
var inlinedMethods = new List<MethodDef>();
foreach (var type in module.GetTypes()) {
foreach (var method in type.Methods) {

14
de4dot.code/deobfuscators/DeepSea/DsMethodCallInliner.cs
View File

@ -18,8 +18,8 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using de4dot.blocks;
using de4dot.blocks.cflow;
@ -30,7 +30,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
List<ParameterDefinition> parameters;
ParameterDefinition arg1, arg2;
Value returnValue;
MethodDefinition methodToInline;
MethodDef methodToInline;
CachedCflowDeobfuscator cflowDeobfuscator;
public DsMethodCallInliner(CachedCflowDeobfuscator cflowDeobfuscator) {
@ -51,7 +51,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
bool inlineMethod(Instruction callInstr, int instrIndex) {
var method = callInstr.Operand as MethodDefinition;
var method = callInstr.Operand as MethodDef;
if (method == null)
return false;
if (!canInline(method))
@ -70,7 +70,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return true;
}
bool inlineMethod(MethodDefinition methodToInline, int instrIndex, int const1, int const2) {
bool inlineMethod(MethodDef methodToInline, int instrIndex, int const1, int const2) {
this.methodToInline = methodToInline = cflowDeobfuscator.deobfuscate(methodToInline);
parameters = DotNetUtils.getParameters(methodToInline);
@ -294,7 +294,7 @@ done:
return instructionEmulator.stackSize() == 0;
}
public static bool canInline(MethodDefinition method) {
public static bool canInline(MethodDef method) {
if (method == null || method.Body == null)
return false;
if (method.Attributes != (MethodAttributes.Assembly | MethodAttributes.Static))
@ -322,7 +322,7 @@ done:
return etype == ElementType.Char || etype == ElementType.I2 || etype == ElementType.I4;
}
protected override bool isReturn(MethodDefinition methodToInline, int instrIndex) {
protected override bool isReturn(MethodDef methodToInline, int instrIndex) {
int oldIndex = instrIndex;
if (base.isReturn(methodToInline, oldIndex))
return true;

6
de4dot.code/deobfuscators/DeepSea/DsUtils.cs
View File

@ -18,8 +18,8 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.DeepSea {
@ -40,7 +40,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return args;
}
public static bool getArgValue(MethodDefinition method, int index, out object arg) {
public static bool getArgValue(MethodDef method, int index, out object arg) {
return getArgValue(method.Body.Instructions[index], out arg);
}

44
de4dot.code/deobfuscators/DeepSea/FieldsRestorer.cs
View File

@ -19,8 +19,8 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using de4dot.blocks;
@ -28,13 +28,13 @@ namespace de4dot.code.deobfuscators.DeepSea {
// DS 4.x can move fields from a class to a struct. This class restores the fields.
class FieldsRestorer {
ModuleDefinition module;
TypeDefinitionDict<List<TypeDefinition>> structToOwners = new TypeDefinitionDict<List<TypeDefinition>>();
TypeDefinitionDict<List<TypeDef>> structToOwners = new TypeDefinitionDict<List<TypeDef>>();
FieldDefinitionAndDeclaringTypeDict<bool> structFieldsToFix = new FieldDefinitionAndDeclaringTypeDict<bool>();
TypeDefinitionDict<FieldDefinitionAndDeclaringTypeDict<FieldDefinition>> typeToFieldsDict = new TypeDefinitionDict<FieldDefinitionAndDeclaringTypeDict<FieldDefinition>>();
TypeDefinitionDict<FieldDefinitionAndDeclaringTypeDict<FieldDef>> typeToFieldsDict = new TypeDefinitionDict<FieldDefinitionAndDeclaringTypeDict<FieldDef>>();
public List<TypeDefinition> FieldStructs {
public List<TypeDef> FieldStructs {
get {
var list = new List<TypeDefinition>(structToOwners.Count);
var list = new List<TypeDef>(structToOwners.Count);
foreach (var structType in structToOwners.getKeys()) {
if (!hasNoMethods(structType))
continue;
@ -45,7 +45,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
}
static bool hasNoMethods(TypeDefinition type) {
static bool hasNoMethods(TypeDef type) {
if (type.Methods.Count == 0)
return true;
if (type.BaseType == null)
@ -77,7 +77,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
break;
}
var fieldsDict = new FieldDefinitionAndDeclaringTypeDict<FieldDefinition>();
var fieldsDict = new FieldDefinitionAndDeclaringTypeDict<FieldDef>();
typeToFieldsDict.add(ownerType, fieldsDict);
foreach (var structField in structType.Fields) {
var newField = DotNetUtils.createFieldDefinition(structField.Name, structField.Attributes, structField.FieldType);
@ -88,9 +88,9 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
}
Dictionary<TypeDefinition, List<TypeDefinition>> getMovedTypes() {
var candidates = new Dictionary<TypeDefinition, List<TypeDefinition>>();
var typeToStruct = new Dictionary<TypeDefinition, TypeDefinition>();
Dictionary<TypeDef, List<TypeDef>> getMovedTypes() {
var candidates = new Dictionary<TypeDef, List<TypeDef>>();
var typeToStruct = new Dictionary<TypeDef, TypeDef>();
foreach (var type in module.GetTypes()) {
foreach (var field in getPossibleFields(type)) {
var fieldType = DotNetUtils.getType(module, field.FieldType);
@ -113,9 +113,9 @@ namespace de4dot.code.deobfuscators.DeepSea {
if (!checkFields(fieldType))
continue;
List<TypeDefinition> list;
List<TypeDef> list;
if (!candidates.TryGetValue(fieldType, out list))
candidates[fieldType] = list = new List<TypeDefinition>();
candidates[fieldType] = list = new List<TypeDef>();
list.Add(type);
typeToStruct[type] = fieldType;
break;
@ -123,7 +123,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
foreach (var type in module.GetTypes()) {
TypeDefinition structType;
TypeDef structType;
typeToStruct.TryGetValue(type, out structType);
foreach (var field in type.Fields) {
@ -144,8 +144,8 @@ namespace de4dot.code.deobfuscators.DeepSea {
return candidates;
}
IEnumerable<FieldDefinition> getPossibleFields(TypeDefinition type) {
var typeToFields = new TypeDefinitionDict<List<FieldDefinition>>();
IEnumerable<FieldDef> getPossibleFields(TypeDef type) {
var typeToFields = new TypeDefinitionDict<List<FieldDef>>();
foreach (var field in type.Fields) {
if (field.Attributes != FieldAttributes.Private)
continue;
@ -156,7 +156,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
continue;
var list = typeToFields.find(fieldType);
if (list == null)
typeToFields.add(fieldType, list = new List<FieldDefinition>());
typeToFields.add(fieldType, list = new List<FieldDef>());
list.Add(field);
}
@ -166,20 +166,20 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
}
static bool checkBaseType(TypeDefinition type) {
static bool checkBaseType(TypeDef type) {
if (type == null || type.BaseType == null)
return false;
return type.BaseType.FullName == "System.ValueType" || type.BaseType.EType == ElementType.Object;
}
void removeType(Dictionary<TypeDefinition, List<TypeDefinition>> candidates, TypeReference type) {
void removeType(Dictionary<TypeDef, List<TypeDef>> candidates, TypeReference type) {
var typeDef = DotNetUtils.getType(module, type);
if (typeDef == null)
return;
candidates.Remove(typeDef);
}
static bool checkMethods(TypeDefinition type) {
static bool checkMethods(TypeDef type) {
foreach (var method in type.Methods) {
if (method.Name == ".cctor")
continue;
@ -197,7 +197,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return false;
}
static bool checkFields(TypeDefinition type) {
static bool checkFields(TypeDef type) {
if (type.Fields.Count == 0)
return false;
foreach (var field in type.Fields) {
@ -270,7 +270,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return newInstrs;
}
FieldDefinition getNewField(FieldReference structField, FieldReference oldFieldRef) {
FieldDef getNewField(FieldReference structField, FieldReference oldFieldRef) {
var fieldsDict = typeToFieldsDict.find(structField.DeclaringType);
if (fieldsDict == null)
throw new ApplicationException("Could not find structField declaringType");

32
de4dot.code/deobfuscators/DeepSea/ResolverBase.cs
View File

@ -19,8 +19,8 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.DeepSea {
@ -28,15 +28,15 @@ namespace de4dot.code.deobfuscators.DeepSea {
protected ModuleDefinition module;
protected ISimpleDeobfuscator simpleDeobfuscator;
protected IDeobfuscator deob;
protected MethodDefinition initMethod;
protected MethodDefinition resolveHandler;
protected MethodDef initMethod;
protected MethodDef resolveHandler;
protected FrameworkType frameworkType;
public MethodDefinition InitMethod {
public MethodDef InitMethod {
get { return initMethod; }
}
public MethodDefinition HandlerMethod {
public MethodDef HandlerMethod {
get { return resolveHandler; }
}
@ -58,7 +58,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return;
}
bool checkCalledMethods(MethodDefinition checkMethod) {
bool checkCalledMethods(MethodDef checkMethod) {
if (checkMethod == null || checkMethod.Body == null)
return false;
@ -75,7 +75,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return false;
}
bool checkResolverInitMethod(MethodDefinition resolverInitMethod) {
bool checkResolverInitMethod(MethodDef resolverInitMethod) {
if (resolverInitMethod == null || resolverInitMethod.Body == null)
return false;
if (resolverInitMethod.Body.ExceptionHandlers.Count != 1)
@ -89,7 +89,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
}
bool checkResolverInitMethodDesktop(MethodDefinition resolverInitMethod) {
bool checkResolverInitMethodDesktop(MethodDef resolverInitMethod) {
simpleDeobfuscator.deobfuscate(resolverInitMethod);
if (!checkResolverInitMethodInternal(resolverInitMethod))
return false;
@ -106,25 +106,25 @@ namespace de4dot.code.deobfuscators.DeepSea {
return false;
}
protected virtual bool checkResolverInitMethodSilverlight(MethodDefinition resolverInitMethod) {
protected virtual bool checkResolverInitMethodSilverlight(MethodDef resolverInitMethod) {
return false;
}
protected abstract bool checkResolverInitMethodInternal(MethodDefinition resolverInitMethod);
protected abstract bool checkResolverInitMethodInternal(MethodDef resolverInitMethod);
IEnumerable<MethodDefinition> getLdftnMethods(MethodDefinition method) {
var list = new List<MethodDefinition>();
IEnumerable<MethodDef> getLdftnMethods(MethodDef method) {
var list = new List<MethodDef>();
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Ldftn)
continue;
var loadedMethod = instr.Operand as MethodDefinition;
var loadedMethod = instr.Operand as MethodDef;
if (loadedMethod != null)
list.Add(loadedMethod);
}
return list;
}
bool checkHandlerMethodDesktop(MethodDefinition handler) {
bool checkHandlerMethodDesktop(MethodDef handler) {
if (handler == null || handler.Body == null || !handler.IsStatic)
return false;
if (!DotNetUtils.isMethod(handler, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)"))
@ -132,7 +132,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return checkHandlerMethodDesktopInternal(handler);
}
protected abstract bool checkHandlerMethodDesktopInternal(MethodDefinition handler);
protected abstract bool checkHandlerMethodDesktopInternal(MethodDef handler);
// 3.0.3.41 - 3.0.4.44
protected static byte[] decryptResourceV3Old(EmbeddedResource resource) {

56
de4dot.code/deobfuscators/DeepSea/ResourceResolver.cs
View File

@ -19,8 +19,8 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.DeepSea {
@ -42,30 +42,30 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
class Data40 {
public FieldDefinition resourceField;
public MethodDefinition resolveHandler2;
public MethodDefinition getDataMethod;
public FieldDef resourceField;
public MethodDef resolveHandler2;
public MethodDef getDataMethod;
public int magic;
}
class Data41 {
public FieldDefinition resourceField;
public MethodDefinition resolveHandler2;
public FieldDef resourceField;
public MethodDef resolveHandler2;
public int magic;
public bool isTrial;
}
class HandlerInfo {
public MethodDefinition handler;
public MethodDef handler;
public IList<object> args;
public HandlerInfo(MethodDefinition handler, IList<object> args) {
public HandlerInfo(MethodDef handler, IList<object> args) {
this.handler = handler;
this.args = args;
}
}
public MethodDefinition InitMethod2 {
public MethodDef InitMethod2 {
get {
if (data40 != null)
return data40.resolveHandler2;
@ -75,7 +75,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
}
public MethodDefinition GetDataMethod {
public MethodDef GetDataMethod {
get { return data40 != null ? data40.getDataMethod : null; }
}
@ -87,11 +87,11 @@ namespace de4dot.code.deobfuscators.DeepSea {
: base(module, simpleDeobfuscator, deob) {
}
protected override bool checkResolverInitMethodInternal(MethodDefinition resolverInitMethod) {
protected override bool checkResolverInitMethodInternal(MethodDef resolverInitMethod) {
return DotNetUtils.callsMethod(resolverInitMethod, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)");
}
protected override bool checkHandlerMethodDesktopInternal(MethodDefinition handler) {
protected override bool checkHandlerMethodDesktopInternal(MethodDef handler) {
if (checkHandlerV3(handler)) {
version = ResourceVersion.V3;
return true;
@ -114,13 +114,13 @@ namespace de4dot.code.deobfuscators.DeepSea {
return false;
}
HandlerInfo getHandlerArgs41(MethodDefinition handler) {
HandlerInfo getHandlerArgs41(MethodDef handler) {
var instrs = handler.Body.Instructions;
for (int i = 0; i < instrs.Count; i++) {
var instr = instrs[i];
if (instr.OpCode.Code != Code.Call)
continue;
var calledMethod = instr.Operand as MethodDefinition;
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null)
continue;
if (getLdtokenField(calledMethod) == null)
@ -158,7 +158,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return true;
}
static int getMagicArgIndex41Retail(MethodDefinition method) {
static int getMagicArgIndex41Retail(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 3; i++) {
var add = instrs[i];
@ -179,7 +179,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return -1;
}
static int getMagicArgIndex41Trial(MethodDefinition method) {
static int getMagicArgIndex41Trial(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++) {
var ldarg = instrs[i];
@ -195,11 +195,11 @@ namespace de4dot.code.deobfuscators.DeepSea {
return -1;
}
static FieldDefinition getLdtokenField(MethodDefinition method) {
static FieldDef getLdtokenField(MethodDef method) {
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Ldtoken)
continue;
var field = instr.Operand as FieldDefinition;
var field = instr.Operand as FieldDef;
if (field == null || field.InitialValue == null || field.InitialValue.Length == 0)
continue;
@ -219,11 +219,11 @@ namespace de4dot.code.deobfuscators.DeepSea {
"System.String",
"System.String[]",
};
static bool checkHandlerV3(MethodDefinition handler) {
static bool checkHandlerV3(MethodDef handler) {
return new LocalTypes(handler).all(handlerLocalTypes_V3);
}
static Data40 checkHandlerV40(MethodDefinition handler) {
static Data40 checkHandlerV40(MethodDef handler) {
var data40 = new Data40();
var instrs = handler.Body.Instructions;
@ -236,10 +236,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
var ldtoken = instrs[index++];
if (ldtoken.OpCode.Code != Code.Ldtoken)
continue;
var field = ldtoken.Operand as FieldDefinition;
var field = ldtoken.Operand as FieldDef;
string methodSig = "(System.ResolveEventArgs,System.RuntimeFieldHandle,System.Int32,System.String,System.Int32)";
var method = ldtoken.Operand as MethodDefinition;
var method = ldtoken.Operand as MethodDef;
if (method != null) {
// >= 4.0.4
if (!DotNetUtils.isMethod(method, "System.Byte[]", "()"))
@ -273,7 +273,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
call = instrs[index++];
if (call.OpCode.Code != Code.Call)
continue;
var resolveHandler2 = call.Operand as MethodDefinition;
var resolveHandler2 = call.Operand as MethodDef;
if (!DotNetUtils.isMethod(resolveHandler2, "System.Reflection.Assembly", methodSig))
continue;
@ -286,11 +286,11 @@ namespace de4dot.code.deobfuscators.DeepSea {
return null;
}
static FieldDefinition getResourceField(MethodDefinition method) {
static FieldDef getResourceField(MethodDef method) {
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Ldtoken)
continue;
var field = instr.Operand as FieldDefinition;
var field = instr.Operand as FieldDef;
if (field == null || field.InitialValue == null || field.InitialValue.Length == 0)
continue;
return field;
@ -337,11 +337,11 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
}
bool decryptResource(FieldDefinition resourceField, int magic) {
bool decryptResource(FieldDef resourceField, int magic) {
if (resourceField == null)
return false;
string name = string.Format("Embedded data field {0:X8} RVA {1:X8}", resourceField.MetadataToken.ToInt32(), resourceField.RVA);
string name = string.Format("Embedded data field {0:X8} RVA {1:X8}", resourceField.MDToken.ToInt32(), resourceField.RVA);
DeobUtils.decryptAndAddResources(module, name, () => decryptResourceV4(resourceField.InitialValue, magic));
resourceField.InitialValue = new byte[1];
resourceField.FieldType = module.TypeSystem.Byte;

120
de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs
View File

@ -20,8 +20,8 @@
using System;
using System.Collections.Generic;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using de4dot.blocks;
@ -40,18 +40,18 @@ namespace de4dot.code.deobfuscators.DeepSea {
interface IDecrypterInfo {
DecrypterVersion Version { get; }
MethodDefinition Method { get; }
MethodDef Method { get; }
string decrypt(object[] args);
void cleanup();
}
static short[] findKey(MethodDefinition initMethod, FieldDefinition keyField) {
static short[] findKey(MethodDef initMethod, FieldDef keyField) {
var fields = new FieldDefinitionAndDeclaringTypeDict<bool>();
fields.add(keyField, true);
return findKey(initMethod, fields);
}
static short[] findKey(MethodDefinition initMethod, FieldDefinitionAndDeclaringTypeDict<bool> fields) {
static short[] findKey(MethodDef initMethod, FieldDefinitionAndDeclaringTypeDict<bool> fields) {
var instrs = initMethod.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++) {
var ldci4 = instrs[i];
@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return null;
}
static FieldDefinition getStoreField(MethodDefinition method, int startIndex, VariableDefinition local) {
static FieldDef getStoreField(MethodDef method, int startIndex, VariableDefinition local) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldloc = instrs[i];
@ -96,18 +96,18 @@ namespace de4dot.code.deobfuscators.DeepSea {
var stsfld = instrs[i + 1];
if (stsfld.OpCode.Code != Code.Stsfld)
continue;
return stsfld.Operand as FieldDefinition;
return stsfld.Operand as FieldDef;
}
return null;
}
static bool findMagic(MethodDefinition method, out int magic) {
static bool findMagic(MethodDef method, out int magic) {
int arg1, arg2;
return findMagic(method, out arg1, out arg2, out magic);
}
static bool findMagic(MethodDefinition method, out int arg1, out int arg2, out int magic) {
static bool findMagic(MethodDef method, out int arg1, out int arg2, out int magic) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 3; i++) {
if ((arg1 = DotNetUtils.getArgIndex(instrs[i])) < 0)
@ -127,7 +127,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return false;
}
static void removeInitializeArrayCall(MethodDefinition method, FieldDefinition field) {
static void removeInitializeArrayCall(MethodDef method, FieldDef field) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldtoken = instrs[i];
@ -151,7 +151,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
class DecrypterInfo41 : IDecrypterInfo {
MethodDefinition cctor;
MethodDef cctor;
int magic;
int arg1, arg2;
FieldDefinitionAndDeclaringTypeDict<bool> fields;
@ -164,10 +164,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
class ArrayInfo {
public int sizeInElems;
public TypeReference elementType;
public FieldDefinition initField;
public FieldDefinition field;
public FieldDef initField;
public FieldDef field;
public ArrayInfo(int sizeInElems, TypeReference elementType, FieldDefinition initField, FieldDefinition field) {
public ArrayInfo(int sizeInElems, TypeReference elementType, FieldDef initField, FieldDef field) {
this.sizeInElems = sizeInElems;
this.elementType = elementType;
this.initField = initField;
@ -179,14 +179,14 @@ namespace de4dot.code.deobfuscators.DeepSea {
get { return DecrypterVersion.V4_1; }
}
public MethodDefinition Method { get; private set; }
public MethodDef Method { get; private set; }
public DecrypterInfo41(MethodDefinition cctor, MethodDefinition method) {
public DecrypterInfo41(MethodDef cctor, MethodDef method) {
this.cctor = cctor;
Method = method;
}
public static bool isPossibleDecrypterMethod(MethodDefinition method) {
public static bool isPossibleDecrypterMethod(MethodDef method) {
if (!checkMethodSignature(method))
return false;
var fields = getFields(method);
@ -196,7 +196,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return true;
}
static bool checkMethodSignature(MethodDefinition method) {
static bool checkMethodSignature(MethodDef method) {
if (method.MethodReturnType.ReturnType.EType != ElementType.String)
return false;
int count = 0;
@ -207,12 +207,12 @@ namespace de4dot.code.deobfuscators.DeepSea {
return count >= 2;
}
static FieldDefinitionAndDeclaringTypeDict<bool> getFields(MethodDefinition method) {
static FieldDefinitionAndDeclaringTypeDict<bool> getFields(MethodDef method) {
var fields = new FieldDefinitionAndDeclaringTypeDict<bool>();
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Ldsfld && instr.OpCode.Code != Code.Stsfld)
continue;
var field = instr.Operand as FieldDefinition;
var field = instr.Operand as FieldDef;
if (field == null)
continue;
if (field.DeclaringType != method.DeclaringType)
@ -248,7 +248,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return true;
}
int findKeyShift(MethodDefinition method) {
int findKeyShift(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 3; i++) {
int index = i;
@ -276,7 +276,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return -1;
}
int findNextFieldUse(MethodDefinition method, int index) {
int findNextFieldUse(MethodDef method, int index) {
var instrs = method.Body.Instructions;
for (int i = index; i < instrs.Count; i++) {
var instr = instrs[i];
@ -291,7 +291,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return -1;
}
ArrayInfo getArrayInfo(MethodDefinition method) {
ArrayInfo getArrayInfo(MethodDef method) {
var instructions = method.Body.Instructions;
for (int i = 0; i < instructions.Count; i++) {
var ldci4_arraySizeInBytes = instructions[i];
@ -304,8 +304,8 @@ namespace de4dot.code.deobfuscators.DeepSea {
int sizeInBytes = DotNetUtils.getLdcI4Value(ldci4_arraySizeInBytes);
var elementType = instrs[0].Operand as TypeReference;
var initField = instrs[2].Operand as FieldDefinition;
var field = instrs[4].Operand as FieldDefinition;
var initField = instrs[2].Operand as FieldDef;
var field = instrs[4].Operand as FieldDef;
if (elementType == null)
continue;
if (initField == null || initField.InitialValue == null || initField.InitialValue.Length == 0)
@ -327,7 +327,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return findKey(cctor);
}
short[] findKey(MethodDefinition initMethod) {
short[] findKey(MethodDef initMethod) {
return StringDecrypter.findKey(initMethod, fields);
}
@ -386,27 +386,27 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
class DecrypterInfo40 : IDecrypterInfo {
MethodDefinition cctor;
MethodDef cctor;
int magic;
FieldDefinition cachedStringsField;
FieldDefinition keyField;
FieldDefinition encryptedStringsField;
FieldDefinition encryptedDataField;
FieldDef cachedStringsField;
FieldDef keyField;
FieldDef encryptedStringsField;
FieldDef encryptedDataField;
short[] key;
ushort[] encryptedData;
public MethodDefinition Method { get; private set; }
public MethodDef Method { get; private set; }
public DecrypterVersion Version {
get { return DecrypterVersion.V4_0; }
}
public DecrypterInfo40(MethodDefinition cctor, MethodDefinition method) {
public DecrypterInfo40(MethodDef cctor, MethodDef method) {
this.cctor = cctor;
this.Method = method;
}
public static bool isPossibleDecrypterMethod(MethodDefinition method) {
public static bool isPossibleDecrypterMethod(MethodDef method) {
if (!checkFields(method.DeclaringType.Fields))
return false;
return DotNetUtils.isMethod(method, "System.String", "(System.Int32,System.Int32)");
@ -438,13 +438,13 @@ namespace de4dot.code.deobfuscators.DeepSea {
return true;
}
List<FieldDefinition> findFields() {
var charArrayFields = new List<FieldDefinition>();
List<FieldDef> findFields() {
var charArrayFields = new List<FieldDef>();
foreach (var instr in Method.Body.Instructions) {
if (instr.OpCode.Code != Code.Stsfld && instr.OpCode.Code != Code.Ldsfld)
continue;
var field = instr.Operand as FieldDefinition;
var field = instr.Operand as FieldDef;
if (field == null)
continue;
if (!MemberReferenceHelper.compareTypes(Method.DeclaringType, field.DeclaringType))
@ -472,17 +472,17 @@ namespace de4dot.code.deobfuscators.DeepSea {
return charArrayFields;
}
static FieldDefinition findEncryptedStrings(MethodDefinition initMethod, List<FieldDefinition> ourFields, out FieldDefinition dataField) {
static FieldDef findEncryptedStrings(MethodDef initMethod, List<FieldDef> ourFields, out FieldDef dataField) {
for (int i = 0; i < initMethod.Body.Instructions.Count; i++) {
var instrs = DotNetUtils.getInstructions(initMethod.Body.Instructions, i, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Stsfld);
if (instrs == null)
continue;
dataField = instrs[0].Operand as FieldDefinition;
dataField = instrs[0].Operand as FieldDef;
if (dataField == null || dataField.InitialValue == null || dataField.InitialValue.Length == 0)
continue;
var savedField = instrs[2].Operand as FieldDefinition;
var savedField = instrs[2].Operand as FieldDef;
if (savedField == null || !matches(ourFields, savedField))
continue;
@ -493,7 +493,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return null;
}
static bool matches(IEnumerable<FieldDefinition> ourFields, FieldReference field) {
static bool matches(IEnumerable<FieldDef> ourFields, FieldReference field) {
foreach (var ourField in ourFields) {
if (MemberReferenceHelper.compareFieldReferenceAndDeclaringType(ourField, field))
return true;
@ -510,7 +510,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return findKey(cctor);
}
short[] findKey(MethodDefinition initMethod) {
short[] findKey(MethodDef initMethod) {
return StringDecrypter.findKey(initMethod, keyField);
}
@ -545,26 +545,26 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
class DecrypterInfo13 : IDecrypterInfo {
MethodDefinition cctor;
FieldDefinition cachedStringsField;
FieldDefinition keyField;
MethodDef cctor;
FieldDef cachedStringsField;
FieldDef keyField;
int magic;
string[] encryptedStrings;
short[] key;
public MethodDefinition Method { get; private set; }
public MethodDef Method { get; private set; }
public DecrypterVersion Version {
get { return DecrypterVersion.V1_3; }
}
public static bool isPossibleDecrypterMethod(MethodDefinition method) {
public static bool isPossibleDecrypterMethod(MethodDef method) {
if (!checkFields(method.DeclaringType.Fields))
return false;
return DotNetUtils.isMethod(method, "System.String", "(System.Int32)");
}
public DecrypterInfo13(MethodDefinition cctor, MethodDefinition method) {
public DecrypterInfo13(MethodDef cctor, MethodDef method) {
this.cctor = cctor;
this.Method = method;
}
@ -602,7 +602,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
foreach (var instr in Method.Body.Instructions) {
if (instr.OpCode.Code != Code.Stsfld && instr.OpCode.Code != Code.Ldsfld)
continue;
var field = instr.Operand as FieldDefinition;
var field = instr.Operand as FieldDef;
if (field == null)
continue;
if (!MemberReferenceHelper.compareTypes(Method.DeclaringType, field.DeclaringType))
@ -637,7 +637,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return findKey(cctor);
}
short[] findKey(MethodDefinition initMethod) {
short[] findKey(MethodDef initMethod) {
return StringDecrypter.findKey(initMethod, keyField);
}
@ -650,7 +650,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return key;
}
static bool findMagic(MethodDefinition method, out int magic) {
static bool findMagic(MethodDef method, out int magic) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++) {
var ldarg = instrs[i];
@ -668,7 +668,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return false;
}
bool findEncryptedStrings(MethodDefinition method) {
bool findEncryptedStrings(MethodDef method) {
var switchInstr = getOnlySwitchInstruction(method);
if (switchInstr == null)
return false;
@ -683,7 +683,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return true;
}
static Instruction getOnlySwitchInstruction(MethodDefinition method) {
static Instruction getOnlySwitchInstruction(MethodDef method) {
Instruction switchInstr = null;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Switch)
@ -711,9 +711,9 @@ namespace de4dot.code.deobfuscators.DeepSea {
get { return version; }
}
public List<MethodDefinition> DecrypterMethods {
public List<MethodDef> DecrypterMethods {
get {
var methods = new List<MethodDefinition>(methodToInfo.Count);
var methods = new List<MethodDef>(methodToInfo.Count);
foreach (var info in methodToInfo.getValues())
methods.Add(info.Method);
return methods;
@ -765,14 +765,14 @@ namespace de4dot.code.deobfuscators.DeepSea {
}
}
static void deobfuscateCctor(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition cctor, ref bool deobfuscatedCctor, bool hasPublicKeyToken) {
static void deobfuscateCctor(ISimpleDeobfuscator simpleDeobfuscator, MethodDef cctor, ref bool deobfuscatedCctor, bool hasPublicKeyToken) {
if (deobfuscatedCctor || hasPublicKeyToken)
return;
simpleDeobfuscator.deobfuscate(cctor);
deobfuscatedCctor = true;
}
static bool checkFields(IEnumerable<FieldDefinition> fields) {
static bool checkFields(IEnumerable<FieldDef> fields) {
bool foundCharAry = false, foundStringAry = false;
foreach (var field in fields) {
if (foundCharAry && foundStringAry)
@ -789,21 +789,21 @@ namespace de4dot.code.deobfuscators.DeepSea {
return foundCharAry && foundStringAry;
}
DecrypterInfo13 getInfoV13(MethodDefinition cctor, MethodDefinition method) {
DecrypterInfo13 getInfoV13(MethodDef cctor, MethodDef method) {
var info = new DecrypterInfo13(cctor, method);
if (!info.initialize())
return null;
return info;
}
DecrypterInfo40 getInfoV40(MethodDefinition cctor, MethodDefinition method) {
DecrypterInfo40 getInfoV40(MethodDef cctor, MethodDef method) {
var info = new DecrypterInfo40(cctor, method);
if (!info.initialize())
return null;
return info;
}
DecrypterInfo41 getInfoV41(MethodDefinition cctor, MethodDefinition method) {
DecrypterInfo41 getInfoV41(MethodDef cctor, MethodDef method) {
var info = new DecrypterInfo41(cctor, method);
if (!info.initialize())
return null;

6
de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs
View File

@ -18,7 +18,7 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Dotfuscator {
@ -101,7 +101,7 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
}
}
void initializeVersion(TypeDefinition attr) {
void initializeVersion(TypeDef attr) {
var s = DotNetUtils.getCustomArgAsString(getAssemblyAttribute(attr), 0);
if (s == null)
return;
@ -129,7 +129,7 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
public override IEnumerable<int> getStringDecrypterMethods() {
var list = new List<int>();
foreach (var method in stringDecrypter.StringDecrypters)
list.Add(method.MetadataToken.ToInt32());
list.Add(method.MDToken.ToInt32());
return list;
}
}

14
de4dot.code/deobfuscators/Dotfuscator/StringDecrypter.cs
View File

@ -18,8 +18,8 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Dotfuscator {
@ -28,9 +28,9 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
Dictionary<MethodReference, StringDecrypterInfo> stringDecrypterMethods = new Dictionary<MethodReference, StringDecrypterInfo>();
public class StringDecrypterInfo {
public MethodDefinition method;
public MethodDef method;
public int magic;
public StringDecrypterInfo(MethodDefinition method, int magic) {
public StringDecrypterInfo(MethodDef method, int magic) {
this.method = method;
this.magic = magic;
}
@ -40,9 +40,9 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
get { return stringDecrypterMethods.Count > 0; }
}
public IEnumerable<MethodDefinition> StringDecrypters {
public IEnumerable<MethodDef> StringDecrypters {
get {
var list = new List<MethodDefinition>(stringDecrypterMethods.Count);
var list = new List<MethodDef>(stringDecrypterMethods.Count);
foreach (var info in stringDecrypterMethods)
list.Add(info.Value.method);
return list;
@ -62,7 +62,7 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
findStringDecrypterMethods(type, simpleDeobfuscator);
}
void findStringDecrypterMethods(TypeDefinition type, ISimpleDeobfuscator simpleDeobfuscator) {
void findStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator) {
foreach (var method in DotNetUtils.findMethods(type.Methods, "System.String", new string[] { "System.String", "System.Int32" })) {
if (method.Body.HasExceptionHandlers)
continue;

42
de4dot.code/deobfuscators/Eazfuscator_NET/AssemblyResolver.cs
View File

@ -22,19 +22,19 @@ using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
class AssemblyResolver {
ModuleDefinition module;
DecrypterType decrypterType;
TypeDefinition resolverType;
MethodDefinition initMethod;
MethodDefinition handlerMethod;
MethodDefinition decryptMethod;
TypeDefinition otherType;
TypeDef resolverType;
MethodDef initMethod;
MethodDef handlerMethod;
MethodDef decryptMethod;
TypeDef otherType;
List<AssemblyInfo> assemblyInfos = new List<AssemblyInfo>();
FrameworkType frameworkType;
byte[] decryptKey;
@ -56,15 +56,15 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
}
}
public TypeDefinition Type {
public TypeDef Type {
get { return resolverType; }
}
public TypeDefinition OtherType {
public TypeDef OtherType {
get { return otherType; }
}
public MethodDefinition InitMethod {
public MethodDef InitMethod {
get { return initMethod; }
}
@ -87,7 +87,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
checkCalledMethods(DotNetUtils.getModuleTypeCctor(module));
}
bool checkCalledMethods(MethodDefinition method) {
bool checkCalledMethods(MethodDef method) {
if (method == null || method.Body == null)
return false;
@ -95,7 +95,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
if (instr.OpCode.Code != Code.Call)
continue;
var calledMethod = instr.Operand as MethodDefinition;
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null || !calledMethod.IsStatic || calledMethod.Body == null)
continue;
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()"))
@ -119,7 +119,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return false;
}
bool checkInitMethodSilverlight(MethodDefinition method) {
bool checkInitMethodSilverlight(MethodDef method) {
var type = method.DeclaringType;
if (type.NestedTypes.Count != 2)
return false;
@ -134,11 +134,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return true;
}
static MethodDefinition getResolveMethodSilverlight(MethodDefinition initMethod) {
static MethodDef getResolveMethodSilverlight(MethodDef initMethod) {
foreach (var instr in initMethod.Body.Instructions) {
if (instr.OpCode.Code != Code.Call)
continue;
var calledMethod = instr.Operand as MethodDefinition;
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null)
continue;
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()"))
@ -153,7 +153,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return null;
}
bool checkInitMethod(MethodDefinition method) {
bool checkInitMethod(MethodDef method) {
var type = method.DeclaringType;
if (type.NestedTypes.Count < 2 || type.NestedTypes.Count > 6)
return false;
@ -173,7 +173,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return true;
}
MethodDefinition getDecryptMethod() {
MethodDef getDecryptMethod() {
foreach (var method in resolverType.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
@ -198,14 +198,14 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
throw new ApplicationException("Could not initialize decrypterType");
}
TypeDefinition getDecrypterType(MethodDefinition method) {
TypeDef getDecrypterType(MethodDef method) {
if (method == null || method.Body == null)
return null;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call)
continue;
var calledMethod = instr.Operand as MethodDefinition;
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null || !calledMethod.IsStatic || calledMethod.DeclaringType == resolverType)
continue;
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "(System.Byte[])"))
@ -467,8 +467,8 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
}
}
static MethodDefinition getTheOnlyMethod(TypeDefinition type, string typeName, string methodName, string returnType, string parameters) {
MethodDefinition foundMethod = null;
static MethodDef getTheOnlyMethod(TypeDef type, string typeName, string methodName, string returnType, string parameters) {
MethodDef foundMethod = null;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null || method.HasGenericParameters)

20
de4dot.code/deobfuscators/Eazfuscator_NET/CodeCompilerMethodCallRestorer.cs
View File

@ -17,7 +17,7 @@
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using Mono.Cecil;
using dot10.DotNet;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
class CodeCompilerMethodCallRestorer : MethodCallRestorerBase {
@ -63,55 +63,55 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
: base(module) {
}
public void add_CodeDomProvider_CompileAssemblyFromDom(MethodDefinition oldMethod) {
public void add_CodeDomProvider_CompileAssemblyFromDom(MethodDef oldMethod) {
if (oldMethod == null)
return;
add(oldMethod, builder.instanceMethod("CompileAssemblyFromDom", CodeDomProvider, CompilerResults, CompilerParameters, CodeCompileUnitArray));
}
public void add_CodeDomProvider_CompileAssemblyFromFile(MethodDefinition oldMethod) {
public void add_CodeDomProvider_CompileAssemblyFromFile(MethodDef oldMethod) {
if (oldMethod == null)
return;
add(oldMethod, builder.instanceMethod("CompileAssemblyFromFile", CodeDomProvider, CompilerResults, CompilerParameters, StringArray));
}
public void add_CodeDomProvider_CompileAssemblyFromSource(MethodDefinition oldMethod) {
public void add_CodeDomProvider_CompileAssemblyFromSource(MethodDef oldMethod) {
if (oldMethod == null)
return;
add(oldMethod, builder.instanceMethod("CompileAssemblyFromSource", CodeDomProvider, CompilerResults, CompilerParameters, StringArray));
}
public void add_ICodeCompiler_CompileAssemblyFromDom(MethodDefinition oldMethod) {
public void add_ICodeCompiler_CompileAssemblyFromDom(MethodDef oldMethod) {
if (oldMethod == null)
return;
add(oldMethod, builder.instanceMethod("CompileAssemblyFromDom", ICodeCompiler, CompilerResults, CompilerParameters, CodeCompileUnit));
}
public void add_ICodeCompiler_CompileAssemblyFromDomBatch(MethodDefinition oldMethod) {
public void add_ICodeCompiler_CompileAssemblyFromDomBatch(MethodDef oldMethod) {
if (oldMethod == null)
return;
add(oldMethod, builder.instanceMethod("CompileAssemblyFromDomBatch", ICodeCompiler, CompilerResults, CompilerParameters, CodeCompileUnitArray));
}
public void add_ICodeCompiler_CompileAssemblyFromFile(MethodDefinition oldMethod) {
public void add_ICodeCompiler_CompileAssemblyFromFile(MethodDef oldMethod) {
if (oldMethod == null)
return;
add(oldMethod, builder.instanceMethod("CompileAssemblyFromFile", ICodeCompiler, CompilerResults, CompilerParameters, builder.String));
}
public void add_ICodeCompiler_CompileAssemblyFromFileBatch(MethodDefinition oldMethod) {
public void add_ICodeCompiler_CompileAssemblyFromFileBatch(MethodDef oldMethod) {
if (oldMethod == null)
return;
add(oldMethod, builder.instanceMethod("CompileAssemblyFromFileBatch", ICodeCompiler, CompilerResults, CompilerParameters, StringArray));
}
public void add_ICodeCompiler_CompileAssemblyFromSource(MethodDefinition oldMethod) {
public void add_ICodeCompiler_CompileAssemblyFromSource(MethodDef oldMethod) {
if (oldMethod == null)
return;
add(oldMethod, builder.instanceMethod("CompileAssemblyFromSource", ICodeCompiler, CompilerResults, CompilerParameters, builder.String));
}
public void add_ICodeCompiler_CompileAssemblyFromSourceBatch(MethodDefinition oldMethod) {
public void add_ICodeCompiler_CompileAssemblyFromSourceBatch(MethodDef oldMethod) {
if (oldMethod == null)
return;
add(oldMethod, builder.instanceMethod("CompileAssemblyFromSourceBatch", ICodeCompiler, CompilerResults, CompilerParameters, StringArray));

62
de4dot.code/deobfuscators/Eazfuscator_NET/DecrypterType.cs
View File

@ -20,23 +20,23 @@
using System;
using System.Collections.Generic;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
class DecrypterType {
ModuleDefinition module;
ISimpleDeobfuscator simpleDeobfuscator;
TypeDefinition type;
MethodDefinition int64Method;
TypeDef type;
MethodDef int64Method;
bool initialized;
ulong l1;
int i1, i2, i3;
int m1_i1, m2_i1, m2_i2, m3_i1;
MethodDefinition[] efConstMethods;
MethodDef[] efConstMethods;
public TypeDefinition Type {
public TypeDef Type {
get { return type; }
set {
if (type == null)
@ -80,7 +80,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
if (type == null)
return false;
efConstMethods = new MethodDefinition[6];
efConstMethods = new MethodDef[6];
efConstMethods[0] = findEfConstMethodCall(int64Method);
efConstMethods[5] = findEfConstMethodCall(efConstMethods[0]);
@ -105,7 +105,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return true;
}
static int getNumberOfTypeofs(MethodDefinition method) {
static int getNumberOfTypeofs(MethodDef method) {
if (method == null)
return 0;
int count = 0;
@ -116,21 +116,21 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return count;
}
MethodDefinition findEfConstMethodCall(MethodDefinition method) {
MethodDef findEfConstMethodCall(MethodDef method) {
var list = findEfConstMethodCalls(method);
if (list == null || list.Count != 1)
return null;
return list[0];
}
List<MethodDefinition> findEfConstMethodCalls(MethodDefinition method) {
List<MethodDef> findEfConstMethodCalls(MethodDef method) {
if (method == null)
return null;
var list = new List<MethodDefinition>();
var list = new List<MethodDef>();
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call)
continue;
var calledMethod = instr.Operand as MethodDefinition;
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null || !calledMethod.IsStatic || calledMethod.Body == null)
continue;
if (!DotNetUtils.isMethod(calledMethod, "System.Int32", "()"))
@ -143,7 +143,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return list;
}
MethodDefinition findInt64Method() {
MethodDef findInt64Method() {
if (type == null)
return null;
foreach (var method in type.Methods) {
@ -160,7 +160,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return null;
}
bool findInt64(MethodDefinition method) {
bool findInt64(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldci8 = instrs[i];
@ -212,8 +212,8 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return false;
}
static List<MethodDefinition> getBinaryIntMethods(TypeDefinition type) {
var list = new List<MethodDefinition>();
static List<MethodDef> getBinaryIntMethods(TypeDef type) {
var list = new List<MethodDef>();
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
@ -225,7 +225,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return list;
}
bool findMethod1Int(IEnumerable<MethodDefinition> methods) {
bool findMethod1Int(IEnumerable<MethodDef> methods) {
foreach (var method in methods) {
if (countInstructions(method, Code.Ldarg_0) != 1)
continue;
@ -239,7 +239,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return false;
}
bool findMethod2Int(IEnumerable<MethodDefinition> methods) {
bool findMethod2Int(IEnumerable<MethodDef> methods) {
foreach (var method in methods) {
var constants = getConstants(method);
if (constants.Count != 2)
@ -252,7 +252,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return false;
}
bool findMethod3Int(IEnumerable<MethodDefinition> methods) {
bool findMethod3Int(IEnumerable<MethodDef> methods) {
foreach (var method in methods) {
if (countInstructions(method, Code.Ldarg_0) != 2)
continue;
@ -266,7 +266,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return false;
}
static int countInstructions(MethodDefinition method, Code code) {
static int countInstructions(MethodDef method, Code code) {
int count = 0;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code == code)
@ -275,7 +275,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return count;
}
static List<int> getConstants(MethodDefinition method) {
static List<int> getConstants(MethodDef method) {
var list = new List<int>();
if (method == null)
@ -309,27 +309,27 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
}
int constMethod1() {
return binOp3(binOp2(efConstMethods[1].DeclaringType.MetadataToken.ToInt32(), binOp3(efConstMethods[0].DeclaringType.MetadataToken.ToInt32(), efConstMethods[4].DeclaringType.MetadataToken.ToInt32())), constMethod6());
return binOp3(binOp2(efConstMethods[1].DeclaringType.MDToken.ToInt32(), binOp3(efConstMethods[0].DeclaringType.MDToken.ToInt32(), efConstMethods[4].DeclaringType.MDToken.ToInt32())), constMethod6());
}
int constMethod2() {
return binOp1(efConstMethods[2].DeclaringType.MetadataToken.ToInt32(), efConstMethods[3].DeclaringType.MetadataToken.ToInt32() ^ binOp2(efConstMethods[1].DeclaringType.MetadataToken.ToInt32(), binOp3(efConstMethods[5].DeclaringType.MetadataToken.ToInt32(), constMethod4())));
return binOp1(efConstMethods[2].DeclaringType.MDToken.ToInt32(), efConstMethods[3].DeclaringType.MDToken.ToInt32() ^ binOp2(efConstMethods[1].DeclaringType.MDToken.ToInt32(), binOp3(efConstMethods[5].DeclaringType.MDToken.ToInt32(), constMethod4())));
}
int constMethod3() {
return binOp3(binOp1(constMethod2() ^ i1, efConstMethods[3].DeclaringType.MetadataToken.ToInt32()), binOp2(efConstMethods[0].DeclaringType.MetadataToken.ToInt32() ^ efConstMethods[5].DeclaringType.MetadataToken.ToInt32(), i2));
return binOp3(binOp1(constMethod2() ^ i1, efConstMethods[3].DeclaringType.MDToken.ToInt32()), binOp2(efConstMethods[0].DeclaringType.MDToken.ToInt32() ^ efConstMethods[5].DeclaringType.MDToken.ToInt32(), i2));
}
int constMethod4() {
return binOp3(efConstMethods[3].DeclaringType.MetadataToken.ToInt32(), binOp1(efConstMethods[0].DeclaringType.MetadataToken.ToInt32(), binOp2(efConstMethods[1].DeclaringType.MetadataToken.ToInt32(), binOp3(efConstMethods[2].DeclaringType.MetadataToken.ToInt32(), binOp1(efConstMethods[4].DeclaringType.MetadataToken.ToInt32(), efConstMethods[5].DeclaringType.MetadataToken.ToInt32())))));
return binOp3(efConstMethods[3].DeclaringType.MDToken.ToInt32(), binOp1(efConstMethods[0].DeclaringType.MDToken.ToInt32(), binOp2(efConstMethods[1].DeclaringType.MDToken.ToInt32(), binOp3(efConstMethods[2].DeclaringType.MDToken.ToInt32(), binOp1(efConstMethods[4].DeclaringType.MDToken.ToInt32(), efConstMethods[5].DeclaringType.MDToken.ToInt32())))));
}
int constMethod5() {
return binOp2(binOp2(constMethod3(), binOp1(efConstMethods[4].DeclaringType.MetadataToken.ToInt32(), constMethod2())), efConstMethods[5].DeclaringType.MetadataToken.ToInt32());
return binOp2(binOp2(constMethod3(), binOp1(efConstMethods[4].DeclaringType.MDToken.ToInt32(), constMethod2())), efConstMethods[5].DeclaringType.MDToken.ToInt32());
}
int constMethod6() {
return binOp1(efConstMethods[5].DeclaringType.MetadataToken.ToInt32(), binOp3(binOp2(efConstMethods[4].DeclaringType.MetadataToken.ToInt32(), efConstMethods[0].DeclaringType.MetadataToken.ToInt32()), binOp3(efConstMethods[2].DeclaringType.MetadataToken.ToInt32() ^ i3, constMethod5())));
return binOp1(efConstMethods[5].DeclaringType.MDToken.ToInt32(), binOp3(binOp2(efConstMethods[4].DeclaringType.MDToken.ToInt32(), efConstMethods[0].DeclaringType.MDToken.ToInt32()), binOp3(efConstMethods[2].DeclaringType.MDToken.ToInt32() ^ i3, constMethod5())));
}
public ulong getMagic() {
@ -343,13 +343,13 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.Name));
}
int cm1 = constMethod1();
bytes.Add((byte)(type.MetadataToken.ToInt32() >> 24));
bytes.Add((byte)(type.MDToken.ToInt32() >> 24));
bytes.Add((byte)(cm1 >> 16));
bytes.Add((byte)(type.MetadataToken.ToInt32() >> 8));
bytes.Add((byte)(type.MDToken.ToInt32() >> 8));
bytes.Add((byte)cm1);
bytes.Add((byte)(type.MetadataToken.ToInt32() >> 16));
bytes.Add((byte)(type.MDToken.ToInt32() >> 16));
bytes.Add((byte)(cm1 >> 8));
bytes.Add((byte)type.MetadataToken.ToInt32());
bytes.Add((byte)type.MDToken.ToInt32());
bytes.Add((byte)(cm1 >> 24));
ulong magic = 0;

4
de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs
View File

@ -18,7 +18,7 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
@ -167,7 +167,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
public override IEnumerable<int> getStringDecrypterMethods() {
var list = new List<int>();
if (stringDecrypter.Method != null)
list.Add(stringDecrypter.Method.MetadataToken.ToInt32());
list.Add(stringDecrypter.Method.MDToken.ToInt32());
return list;
}
}

4
de4dot.code/deobfuscators/Eazfuscator_NET/EfConstantsReader.cs
View File

@ -17,13 +17,13 @@
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using Mono.Cecil;
using dot10.DotNet;
using Mono.Cecil.Metadata;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
class EfConstantsReader : ConstantsReader {
public EfConstantsReader(MethodDefinition method)
public EfConstantsReader(MethodDef method)
: base(method) {
initialize();
}

10
de4dot.code/deobfuscators/Eazfuscator_NET/EfUtils.cs
View File

@ -18,13 +18,13 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
static class EfUtils {
public static int findOpCodeIndex(MethodDefinition method, int index, Code code) {
public static int findOpCodeIndex(MethodDef method, int index, Code code) {
for (; index < method.Body.Instructions.Count; index++) {
var instr = method.Body.Instructions[index];
if (instr.OpCode.Code != code)
@ -35,7 +35,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return -1;
}
public static int findOpCodeIndex(MethodDefinition method, int index, Code code, string operandString) {
public static int findOpCodeIndex(MethodDef method, int index, Code code, string operandString) {
while (index < method.Body.Instructions.Count) {
index = findOpCodeIndex(method, index, code);
if (index < 0)
@ -49,7 +49,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return -1;
}
public static Instruction getNextStore(MethodDefinition method, ref int index) {
public static Instruction getNextStore(MethodDef method, ref int index) {
for (; index < method.Body.Instructions.Count; index++) {
var instr = method.Body.Instructions[index];

12
de4dot.code/deobfuscators/Eazfuscator_NET/ResourceMethodsRestorer.cs
View File

@ -17,15 +17,15 @@
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
class ResourceMethodsRestorer : MethodCallRestorerBase {
TypeDefinition getManifestResourceStreamType;
TypeDef getManifestResourceStreamType;
EmbeddedResource getManifestResourceStreamTypeResource;
public TypeDefinition Type {
public TypeDef Type {
get { return getManifestResourceStreamType; }
}
@ -69,7 +69,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
}
}
EmbeddedResource findGetManifestResourceStreamTypeResource(TypeDefinition type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
EmbeddedResource findGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
foreach (var method in type.Methods) {
if (!method.IsPrivate || !method.IsStatic || method.Body == null)
continue;
@ -86,8 +86,8 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return null;
}
static MethodDefinition getTheOnlyMethod(TypeDefinition type, string returnType, string parameters) {
MethodDefinition foundMethod = null;
static MethodDef getTheOnlyMethod(TypeDef type, string returnType, string parameters) {
MethodDef foundMethod = null;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null || method.HasGenericParameters)

22
de4dot.code/deobfuscators/Eazfuscator_NET/ResourceResolver.cs
View File

@ -20,24 +20,24 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
class ResourceResolver {
ModuleDefinition module;
AssemblyResolver assemblyResolver;
TypeDefinition resolverType;
MethodDefinition initMethod;
MethodDefinition handlerMethod;
TypeDef resolverType;
MethodDef initMethod;
MethodDef handlerMethod;
List<string> resourceInfos = new List<string>();
public TypeDefinition Type {
public TypeDef Type {
get { return resolverType; }
}
public MethodDefinition InitMethod {
public MethodDef InitMethod {
get { return initMethod; }
}
@ -56,14 +56,14 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
checkCalledMethods(DotNetUtils.getModuleTypeCctor(module));
}
bool checkCalledMethods(MethodDefinition method) {
bool checkCalledMethods(MethodDef method) {
if (method == null || method.Body == null)
return false;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call)
continue;
if (!checkInitMethod(instr.Operand as MethodDefinition))
if (!checkInitMethod(instr.Operand as MethodDef))
continue;
return true;
@ -72,7 +72,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return false;
}
bool checkInitMethod(MethodDefinition method) {
bool checkInitMethod(MethodDef method) {
if (method == null || !method.IsStatic || method.Body == null)
return false;
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
@ -121,7 +121,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return false;
}
bool initializeInfos(MethodDefinition method) {
bool initializeInfos(MethodDef method) {
foreach (var s in DotNetUtils.getCodeStrings(method)) {
if (string.IsNullOrEmpty(s))
continue;

74
de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
View File

@ -21,17 +21,17 @@ using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using Mono.Cecil.Metadata;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
class StringDecrypter {
ModuleDefinition module;
TypeDefinition stringType;
MethodDefinition stringMethod;
TypeDefinition dataDecrypterType;
TypeDef stringType;
MethodDef stringMethod;
TypeDef dataDecrypterType;
short s1, s2, s3;
int i1, i2, i3, i4, i5, i6;
bool checkMinus2;
@ -48,10 +48,10 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
bool isV32OrLater;
class StreamHelperType {
public TypeDefinition type;
public MethodDefinition readInt16Method;
public MethodDefinition readInt32Method;
public MethodDefinition readBytesMethod;
public TypeDef type;
public MethodDef readInt16Method;
public MethodDef readInt32Method;
public MethodDef readBytesMethod;
public bool Detected {
get {
@ -61,7 +61,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
}
}
public StreamHelperType(TypeDefinition type) {
public StreamHelperType(TypeDef type) {
this.type = type;
foreach (var method in type.Methods) {
@ -77,7 +77,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
}
}
public TypeDefinition Type {
public TypeDef Type {
get { return stringType; }
}
@ -85,16 +85,16 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
get { return encryptedResource; }
}
public IEnumerable<TypeDefinition> Types {
public IEnumerable<TypeDef> Types {
get {
return new List<TypeDefinition> {
return new List<TypeDef> {
stringType,
dataDecrypterType,
};
}
}
public MethodDefinition Method {
public MethodDef Method {
get { return stringMethod; }
}
@ -107,7 +107,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
this.decrypterType = decrypterType;
}
static bool checkIfV32OrLater(TypeDefinition type) {
static bool checkIfV32OrLater(TypeDef type) {
int numInts = 0;
foreach (var field in type.Fields) {
if (field.FieldType.EType == ElementType.I4)
@ -137,7 +137,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
"System.Byte[]",
"System.Int16",
};
bool checkType(TypeDefinition type) {
bool checkType(TypeDef type) {
if (!new FieldTypes(type).all(requiredFieldTypes))
return false;
if (type.NestedTypes.Count == 0) {
@ -159,9 +159,9 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
"System.IO.Stream",
"System.Byte[]",
};
static StreamHelperType findStreamHelperType(TypeDefinition type) {
static StreamHelperType findStreamHelperType(TypeDef type) {
foreach (var field in type.Fields) {
var nested = field.FieldType as TypeDefinition;
var nested = field.FieldType as TypeDef;
if (nested == null)
continue;
if (nested.DeclaringType != type)
@ -186,7 +186,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
"System.Reflection.Assembly",
"System.String",
};
static bool checkDecrypterMethod(MethodDefinition method) {
static bool checkDecrypterMethod(MethodDef method) {
if (method == null || !method.IsStatic || method.Body == null)
return false;
if (!DotNetUtils.isMethod(method, "System.String", "(System.Int32)"))
@ -344,7 +344,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return null;
}
static int getFlagsOffset(MethodDefinition method, int index, VariableDefinition local) {
static int getFlagsOffset(MethodDef method, int index, VariableDefinition local) {
var instrs = method.Body.Instructions;
for (; index < instrs.Count; index++) {
var ldloc = instrs[index];
@ -358,7 +358,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return -1;
}
static VariableDefinition getFlagsLocal(MethodDefinition method, int index) {
static VariableDefinition getFlagsLocal(MethodDef method, int index) {
var instrs = method.Body.Instructions;
if (index + 5 >= instrs.Count)
return null;
@ -485,17 +485,17 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return lcg * 214013 + 2531011;
}
bool findResource(MethodDefinition method) {
bool findResource(MethodDef method) {
encryptedResource = findResourceFromCodeString(method) ??
findResourceFromStringBuilder(method);
return encryptedResource != null;
}
EmbeddedResource findResourceFromCodeString(MethodDefinition method) {
EmbeddedResource findResourceFromCodeString(MethodDef method) {
return DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
}
EmbeddedResource findResourceFromStringBuilder(MethodDefinition method) {
EmbeddedResource findResourceFromStringBuilder(MethodDef method) {
int startIndex = EfUtils.findOpCodeIndex(method, 0, Code.Newobj, "System.Void System.Text.StringBuilder::.ctor()");
if (startIndex < 0)
return null;
@ -532,11 +532,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return DotNetUtils.getResource(module, sb.ToString()) as EmbeddedResource;
}
static MethodDefinition findInt64Method(MethodDefinition method) {
static MethodDef findInt64Method(MethodDef method) {
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call)
continue;
var calledMethod = instr.Operand as MethodDefinition;
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null)
continue;
if (!DotNetUtils.isMethod(calledMethod, "System.Int64", "()"))
@ -547,11 +547,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return null;
}
static TypeDefinition findDataDecrypterType(MethodDefinition method) {
static TypeDef findDataDecrypterType(MethodDef method) {
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call)
continue;
var calledMethod = instr.Operand as MethodDefinition;
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null)
continue;
if (!DotNetUtils.isMethod(calledMethod, "System.Byte[]", "(System.Byte[],System.Byte[])"))
@ -617,7 +617,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return returnValue;
}
static int findInitIntsIndex(MethodDefinition method, out bool initializedAll) {
static int findInitIntsIndex(MethodDef method, out bool initializedAll) {
initializedAll = false;
var instrs = method.Body.Instructions;
@ -630,13 +630,13 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
if (stsfld.OpCode.Code != Code.Stsfld)
continue;
var storeField = stsfld.Operand as FieldDefinition;
var storeField = stsfld.Operand as FieldDef;
if (storeField == null || storeField.FieldType.FullName != "System.Byte[]")
continue;
var instr = instrs[i + 2];
if (instr.OpCode.Code == Code.Ldsfld) {
var loadField = instr.Operand as FieldDefinition;
var loadField = instr.Operand as FieldDef;
if (loadField == null || loadField.FieldType.EType != ElementType.I4)
continue;
}
@ -652,7 +652,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return -1;
}
bool findIntsCctor(MethodDefinition cctor) {
bool findIntsCctor(MethodDef cctor) {
int index = 0;
if (!findCallGetFrame(cctor, ref index))
return findIntsCctor2(cctor);
@ -683,7 +683,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
}
// Compact Framework doesn't have StackFrame
bool findIntsCctor2(MethodDefinition cctor) {
bool findIntsCctor2(MethodDef cctor) {
int index = 0;
var instrs = cctor.Body.Instructions;
var constantsReader = new EfConstantsReader(cctor);
@ -822,7 +822,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
}
}
static bool callsGetPublicKeyToken(MethodDefinition method) {
static bool callsGetPublicKeyToken(MethodDef method) {
int index = 0;
return findCall(method, ref index, "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()");
}
@ -839,11 +839,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return findCall(stringMethod, ref index, streamHelperType == null ? "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)" : streamHelperType.readBytesMethod.FullName);
}
static bool findCallGetFrame(MethodDefinition method, ref int index) {
static bool findCallGetFrame(MethodDef method, ref int index) {
return findCall(method, ref index, "System.Diagnostics.StackFrame System.Diagnostics.StackTrace::GetFrame(System.Int32)");
}
static bool findCall(MethodDefinition method, ref int index, string methodFullName) {
static bool findCall(MethodDef method, ref int index, string methodFullName) {
for (; index < method.Body.Instructions.Count; index++) {
if (!findCallvirt(method, ref index))
return false;
@ -859,7 +859,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return false;
}
static bool findCallvirt(MethodDefinition method, ref int index) {
static bool findCallvirt(MethodDef method, ref int index) {
var instrs = method.Body.Instructions;
for (; index < instrs.Count; index++) {
var instr = instrs[index];

10
de4dot.code/deobfuscators/Eazfuscator_NET/VersionDetector.cs
View File

@ -19,7 +19,7 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
@ -38,8 +38,8 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
if (decryptStringType == null || decryptStringMethod == null)
return null;
var otherMethods = new List<MethodDefinition>();
MethodDefinition cctor = null;
var otherMethods = new List<MethodDef>();
MethodDef cctor = null;
foreach (var method in decryptStringType.Methods) {
if (method == decryptStringMethod)
continue;
@ -671,7 +671,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return null;
}
TypeDefinition getNestedType(int n) {
TypeDef getNestedType(int n) {
var type = stringDecrypter.Type;
int fieldIndex;
@ -684,7 +684,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
if (fieldIndex >= type.Fields.Count)
return null;
var nestedType = type.Fields[fieldIndex].FieldType as TypeDefinition;
var nestedType = type.Fields[fieldIndex].FieldType as TypeDef;
if (nestedType == null || type.NestedTypes.IndexOf(nestedType) < 0)
return null;

8
de4dot.code/deobfuscators/Goliath_NET/ArrayDecrypter.cs
View File

@ -18,7 +18,7 @@
*/
using System;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Goliath_NET {
@ -31,15 +31,15 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
"System.Byte[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.Byte[]>",
};
protected override bool checkDecrypterType(TypeDefinition type) {
protected override bool checkDecrypterType(TypeDef type) {
return new FieldTypes(type).exactly(requiredFields);
}
protected override bool checkDelegateInvokeMethod(MethodDefinition invokeMethod) {
protected override bool checkDelegateInvokeMethod(MethodDef invokeMethod) {
return DotNetUtils.isMethod(invokeMethod, "System.Byte[]", "(System.Int32)");
}
public byte[] decrypt(MethodDefinition method) {
public byte[] decrypt(MethodDef method) {
var info = getInfo(method);
decryptedReader.BaseStream.Position = info.offset;
return decryptedReader.ReadBytes(decryptedReader.ReadInt32());

4
de4dot.code/deobfuscators/Goliath_NET/ArrayValueInliner.cs
View File

@ -19,8 +19,8 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Goliath_NET {

48
de4dot.code/deobfuscators/Goliath_NET/DecrypterBase.cs
View File

@ -20,25 +20,25 @@
using System;
using System.Collections.Generic;
using System.IO;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Goliath_NET {
abstract class DecrypterBase {
protected ModuleDefinition module;
EmbeddedResource encryptedResource;
TypeDefinition decrypterType;
TypeDefinition delegateType;
TypeDefinition delegateInitType;
TypeDef decrypterType;
TypeDef delegateType;
TypeDef delegateInitType;
protected BinaryReader decryptedReader;
MethodDefinitionAndDeclaringTypeDict<Info> decrypterMethods = new MethodDefinitionAndDeclaringTypeDict<Info>();
protected class Info {
public MethodDefinition method;
public MethodDef method;
public int offset;
public bool referenced = false;
public Info(MethodDefinition method, int offset) {
public Info(MethodDef method, int offset) {
this.method = method;
this.offset = offset;
}
@ -52,21 +52,21 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
get { return encryptedResource; }
}
public TypeDefinition Type {
public TypeDef Type {
get { return decrypterType; }
}
public TypeDefinition DelegateInitType {
public TypeDef DelegateInitType {
get { return delegateInitType ?? findDelegateInitType();}
}
public TypeDefinition DelegateType {
public TypeDef DelegateType {
get { return delegateType; }
}
public IEnumerable<TypeDefinition> DecrypterTypes {
public IEnumerable<TypeDef> DecrypterTypes {
get {
var types = new TypeDefinitionDict<TypeDefinition>();
var types = new TypeDefinitionDict<TypeDef>();
foreach (var info in decrypterMethods.getValues()) {
if (info.referenced)
types.add(info.method.DeclaringType, info.method.DeclaringType);
@ -79,7 +79,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
this.module = module;
}
protected Info getInfo(MethodDefinition method) {
protected Info getInfo(MethodDef method) {
var info = decrypterMethods.find(method);
if (info == null)
return null;
@ -110,7 +110,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
}
}
protected abstract bool checkDecrypterType(TypeDefinition type);
protected abstract bool checkDecrypterType(TypeDef type);
void splitTypeName(string fullName, out string ns, out string name) {
int index = fullName.LastIndexOf('.');
@ -171,13 +171,13 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
}
}
Info getDecrypterInfo(MethodDefinition method, FieldDefinition delegateField) {
Info getDecrypterInfo(MethodDef method, FieldDef delegateField) {
try {
int index = 0;
var instrs = method.Body.Instructions;
if (instrs[index].OpCode.Code != Code.Ldsfld)
return null;
var field = instrs[index++].Operand as FieldDefinition;
var field = instrs[index++].Operand as FieldDef;
if (field != delegateField)
return null;
@ -204,12 +204,12 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
}
}
bool checkCctor(MethodDefinition cctor) {
bool checkCctor(MethodDef cctor) {
var ldtokenType = getLdtokenType(cctor);
if (!MemberReferenceHelper.compareTypes(ldtokenType, cctor.DeclaringType))
return false;
MethodDefinition initMethod = null;
MethodDef initMethod = null;
foreach (var method in DotNetUtils.getCalledMethods(module, cctor)) {
if (DotNetUtils.isMethod(method, "System.Void", "(System.Type)")) {
initMethod = method;
@ -222,7 +222,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
return true;
}
static TypeReference getLdtokenType(MethodDefinition method) {
static TypeReference getLdtokenType(MethodDef method) {
if (method == null || method.Body == null)
return null;
foreach (var instr in method.Body.Instructions) {
@ -233,7 +233,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
return null;
}
bool checkDelegateType(TypeDefinition type) {
bool checkDelegateType(TypeDef type) {
if (!DotNetUtils.derivesFromDelegate(type))
return false;
var invoke = DotNetUtils.getMethod(type, "Invoke");
@ -242,7 +242,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
return checkDelegateInvokeMethod(invoke);
}
protected abstract bool checkDelegateInvokeMethod(MethodDefinition invokeMethod);
protected abstract bool checkDelegateInvokeMethod(MethodDef invokeMethod);
byte[] decrypt(byte[] encryptedData) {
const int KEY_LEN = 0x100;
@ -265,7 +265,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
return decryptedData;
}
TypeDefinition findDelegateInitType() {
TypeDef findDelegateInitType() {
if (delegateType == null)
return null;
@ -290,8 +290,8 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
return null;
}
public IEnumerable<MethodDefinition> getMethods() {
var list = new List<MethodDefinition>(decrypterMethods.Count);
public IEnumerable<MethodDef> getMethods() {
var list = new List<MethodDef>(decrypterMethods.Count);
foreach (var info in decrypterMethods.getValues())
list.Add(info.method);
return list;

6
de4dot.code/deobfuscators/Goliath_NET/Deobfuscator.cs
View File

@ -18,7 +18,7 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Goliath_NET {
@ -162,7 +162,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
}
}
void initializeVersion(TypeDefinition attr) {
void initializeVersion(TypeDef attr) {
var s = DotNetUtils.getCustomArgAsString(getAssemblyAttribute(attr), 0);
if (s == null)
return;
@ -274,7 +274,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
public override IEnumerable<int> getStringDecrypterMethods() {
var list = new List<int>();
foreach (var method in stringDecrypter.getMethods())
list.Add(method.MetadataToken.ToInt32());
list.Add(method.MDToken.ToInt32());
return list;
}
}

8
de4dot.code/deobfuscators/Goliath_NET/IntegerDecrypter.cs
View File

@ -18,7 +18,7 @@
*/
using System;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Goliath_NET {
@ -31,15 +31,15 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
"System.Byte[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.Object>",
};
protected override bool checkDecrypterType(TypeDefinition type) {
protected override bool checkDecrypterType(TypeDef type) {
return new FieldTypes(type).exactly(requiredFields);
}
protected override bool checkDelegateInvokeMethod(MethodDefinition invokeMethod) {
protected override bool checkDelegateInvokeMethod(MethodDef invokeMethod) {
return DotNetUtils.isMethod(invokeMethod, "System.Object", "(System.Int32)");
}
public int decrypt(MethodDefinition method) {
public int decrypt(MethodDef method) {
var info = getInfo(method);
decryptedReader.BaseStream.Position = info.offset;
int len = decryptedReader.ReadInt32();

14
de4dot.code/deobfuscators/Goliath_NET/LocalsRestorer.cs
View File

@ -18,8 +18,8 @@
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Goliath_NET {
@ -28,18 +28,18 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
TypeDefinitionDict<Info> typeToInfo = new TypeDefinitionDict<Info>();
class Info {
public TypeDefinition type;
public TypeDef type;
public TypeReference localType;
public bool referenced = false;
public Info(TypeDefinition type, TypeReference localType) {
public Info(TypeDef type, TypeReference localType) {
this.type = type;
this.localType = localType;
}
}
public List<TypeDefinition> Types {
public List<TypeDef> Types {
get {
var list = new List<TypeDefinition>(typeToInfo.Count);
var list = new List<TypeDef>(typeToInfo.Count);
foreach (var info in typeToInfo.getValues()) {
if (info.referenced)
list.Add(info.type);
@ -57,7 +57,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
initialize(type);
}
void initialize(TypeDefinition type) {
void initialize(TypeDef type) {
if (type.HasEvents || type.HasProperties)
return;

2
de4dot.code/deobfuscators/Goliath_NET/LogicalExpressionFixer.cs
View File

@ -17,7 +17,7 @@
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using Mono.Cecil.Cil;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Goliath_NET {

20
de4dot.code/deobfuscators/Goliath_NET/ProxyCallFixer.cs
View File

@ -19,8 +19,8 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Goliath_NET {
@ -30,9 +30,9 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
}
class MyInfo {
public MethodDefinition method;
public MethodDef method;
public DelegateInfo delegateInfo;
public MyInfo(MethodDefinition method, DelegateInfo delegateInfo) {
public MyInfo(MethodDef method, DelegateInfo delegateInfo) {
this.method = method;
this.delegateInfo = delegateInfo;
}
@ -56,7 +56,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
if (infos.Count == 0)
continue;
Log.v("Found proxy delegate: {0} ({1:X8})", Utils.removeNewlines(type), type.MetadataToken.ToUInt32());
Log.v("Found proxy delegate: {0} ({1:X8})", Utils.removeNewlines(type), type.MDToken.ToUInt32());
RemovedDelegateCreatorCalls++;
Log.indent();
foreach (var info in infos) {
@ -66,14 +66,14 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
Utils.removeNewlines(di.field.Name),
di.callOpcode,
Utils.removeNewlines(di.methodRef),
di.methodRef.MetadataToken.ToUInt32());
di.methodRef.MDToken.ToUInt32());
}
Log.deIndent();
delegateTypesDict[type] = true;
}
}
bool checkProxyMethod(MethodDefinition method, out DelegateInfo info) {
bool checkProxyMethod(MethodDef method, out DelegateInfo info) {
info = null;
if (!method.IsStatic || method.Body == null)
return false;
@ -86,7 +86,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
if (instrs[index].OpCode.Code != Code.Ldsfld)
return false;
var field = instrs[index++].Operand as FieldDefinition;
var field = instrs[index++].Operand as FieldDef;
if (field == null || !field.IsStatic)
return false;
if (!MemberReferenceHelper.compareTypes(method.DeclaringType, field.DeclaringType))
@ -132,11 +132,11 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
return true;
}
protected override object checkCctor(TypeDefinition type, MethodDefinition cctor) {
protected override object checkCctor(TypeDef type, MethodDef cctor) {
throw new System.NotImplementedException();
}
protected override void getCallInfo(object context, FieldDefinition field, out MethodReference calledMethod, out OpCode callOpcode) {
protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) {
throw new System.NotImplementedException();
}
}

14
de4dot.code/deobfuscators/Goliath_NET/StringDecrypter.cs
View File

@ -19,16 +19,16 @@
using System;
using System.Text;
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Goliath_NET {
class StringDecrypter : DecrypterBase {
TypeReference delegateReturnType;
FieldDefinition stringStructField;
FieldDef stringStructField;
public TypeDefinition StringStruct {
public TypeDef StringStruct {
get { return Detected && stringStructField != null ? stringStructField.DeclaringType : null; }
}
@ -40,7 +40,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
"System.Byte[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
};
protected override bool checkDecrypterType(TypeDefinition type) {
protected override bool checkDecrypterType(TypeDef type) {
var fields = type.Fields;
if (fields.Count != 2)
return false;
@ -80,11 +80,11 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
return true;
}
protected override bool checkDelegateInvokeMethod(MethodDefinition invokeMethod) {
protected override bool checkDelegateInvokeMethod(MethodDef invokeMethod) {
return DotNetUtils.isMethod(invokeMethod, delegateReturnType.FullName, "(System.Int32)");
}
public string decrypt(MethodDefinition method) {
public string decrypt(MethodDef method) {
var info = getInfo(method);
decryptedReader.BaseStream.Position = info.offset;
int len = decryptedReader.ReadInt32();

16
de4dot.code/deobfuscators/Goliath_NET/StrongNameChecker.cs
View File

@ -17,25 +17,25 @@
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using Mono.Cecil;
using Mono.Cecil.Cil;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Goliath_NET {
class StrongNameChecker {
ModuleDefinition module;
TypeDefinition strongNameType;
MethodDefinition strongNameCheckMethod;
TypeDef strongNameType;
MethodDef strongNameCheckMethod;
public bool Detected {
get { return strongNameType != null;}
}
public TypeDefinition Type {
public TypeDef Type {
get { return strongNameType; }
}
public MethodDefinition CheckerMethod {
public MethodDef CheckerMethod {
get { return strongNameCheckMethod; }
}
@ -65,7 +65,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
}
}
MethodDefinition getAntiTamperingDetectionMethod(TypeDefinition type) {
MethodDef getAntiTamperingDetectionMethod(TypeDef type) {
var requiredLocals = new string[] {
"System.Reflection.Assembly",
"System.Collections.Generic.Stack`1<System.Int32>",
@ -85,7 +85,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
return null;
}
static bool hasThrow(MethodDefinition method) {
static bool hasThrow(MethodDef method) {
if (method == null || method.Body == null)
return false;
foreach (var instr in method.Body.Instructions) {

2
de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs
View File

@ -19,7 +19,7 @@
using System;
using System.Collections.Generic;
using Mono.Cecil;
using dot10.DotNet;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.ILProtector {

Some files were not shown because too many files have changed in this diff Show More