Convert 'return some_int' native methods to CIL code

2011-11-11 20:55:39 +01:00 · 2011-11-11 20:55:39 +01:00 · 0318c85a07
commit 0318c85a07
parent a3e7d9c9d6
1 changed files with 55 additions and 26 deletions
--- a/de4dot.code/deobfuscators/dotNET_Reactor/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/MethodsDecrypter.cs
@ -94,6 +94,8 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 			encryptedResource.Method = (MethodDefinition)callCounter.most();
 		}

+		static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 };
+		static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
 		public bool decrypt(PE.PeImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
 			if (encryptedResource.Method == null)
 				return false;
@ -194,8 +196,24 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 						}
 						//TODO: Convert to CIL code
 						Log.v("Found native code. Ignoring it for now... Assembly won't run. token: {0:X8}", 0x06000001 + methodIndex);
+
+						// Convert return true / false methods. The others are converted to
+						// throw 0xDEADCODE.
+						if (isCode(nativeLdci4, methodData)) {
+							uint val = BitConverter.ToUInt32(methodData, 4);
+							methodData = new byte[] { 0x20, 0, 0, 0, 0, 0x2A };
+							methodData[1] = (byte)val;
+							methodData[2] = (byte)(val >> 8);
+							methodData[3] = (byte)(val >> 16);
+							methodData[4] = (byte)(val >> 24);
 						}
-					else {
+						else if (isCode(nativeLdci4_0, methodData)) {
+							methodData = new byte[] { 0x16, 0x2A };
+						}
+						else
+							methodData = new byte[] { 0x20, 0xDE, 0xC0, 0xAD, 0xDE, 0x7A };
+					}
+
 					var dm = new DumpedMethod();
 					dm.token = (uint)(0x06000001 + methodIndex);
 					dm.code = methodData;
@ -224,8 +242,19 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 					dumpedMethods[dm.token] = dm;
 				}
 			}
+
+			return true;
 		}

+		static bool isCode(short[] nativeCode, byte[] code) {
+			if (nativeCode.Length != code.Length)
+				return false;
+			for (int i = 0; i < nativeCode.Length; i++) {
+				if (nativeCode[i] == -1)
+					continue;
+				if ((byte)nativeCode[i] != code[i])
+					return false;
+			}
 			return true;
 		}