Remove most calls to main CV type
parent
c757139357
commit
04247b5533
|
@ -176,6 +176,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
|||
base.deobfuscateBegin();
|
||||
|
||||
mainType.initialize();
|
||||
if (mainType.Version >= ObfuscatorVersion.V5_0) {
|
||||
//TODO: addTypeToBeRemoved(mainType.Type, "Main CV type");
|
||||
}
|
||||
foreach (var initMethod in mainType.OtherInitMethods)
|
||||
addCctorInitCallToBeRemoved(initMethod);
|
||||
|
||||
if (Operations.DecryptStrings != OpDecryptString.None) {
|
||||
stringDecrypter.initialize();
|
||||
|
@ -218,6 +223,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
|||
base.deobfuscateMethodBegin(blocks);
|
||||
}
|
||||
|
||||
public override void deobfuscateMethodEnd(blocks.Blocks blocks) {
|
||||
mainType.removeInitCall(blocks);
|
||||
base.deobfuscateMethodEnd(blocks);
|
||||
}
|
||||
|
||||
public override void deobfuscateEnd() {
|
||||
removeProxyDelegates(proxyDelegateFinder, false); //TODO: Should be 'true'
|
||||
base.deobfuscateEnd();
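Review bot: The `if (mainType.Version >= ObfuscatorVersion.V5_0)` branch in the deobfuscateBegin hunk does nothing, because its only content is the commented-out `addTypeToBeRemoved(mainType.Type, "Main CV type")` TODO. The main CV type therefore stays in the output for every version, while the loop that follows registers the calls to its other init methods for removal. Either drop the empty branch until the removal is safe, or state the blocker in the comment, for example `// TODO: enable once nothing in the output still references the main CV type`. The +/- markers are lost on this page, so which lines are new is inferred from the hunk counts, and deobfuscateBegin starts and ends outside the hunk.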
|
||||
|
|
|
@ -32,6 +32,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
|||
MethodDefinition tamperCheckMethod;
|
||||
ObfuscatorVersion obfuscatorVersion = ObfuscatorVersion.Unknown;
|
||||
List<int> rvas = new List<int>(); // _stub and _executive
|
||||
List<MethodDefinition> otherInitMethods = new List<MethodDefinition>();
|
||||
|
||||
public bool Detected {
|
||||
get { return theType != null; }
|
||||
|
@ -49,6 +50,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
|||
get { return initMethod; }
|
||||
}
|
||||
|
||||
public List<MethodDefinition> OtherInitMethods {
|
||||
get { return otherInitMethods; }
|
||||
}
|
||||
|
||||
public MethodDefinition TamperCheckMethod {
|
||||
get { return tamperCheckMethod; }
|
||||
}
|
||||
|
@ -174,7 +179,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
|||
}
|
||||
|
||||
public void initialize() {
|
||||
if (theType == null)
|
||||
return;
|
||||
|
||||
tamperCheckMethod = findTamperCheckMethod();
|
||||
otherInitMethods = findOtherInitMethods();
|
||||
}
|
||||
|
||||
MethodDefinition findTamperCheckMethod() {
|
||||
|
@ -190,6 +199,21 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
|||
return null;
|
||||
}
|
||||
|
||||
List<MethodDefinition> findOtherInitMethods() {
|
||||
var list = new List<MethodDefinition>();
|
||||
foreach (var method in theType.Methods) {
|
||||
if (!method.IsStatic)
|
||||
continue;
|
||||
if (method.Name == ".cctor")
|
||||
continue;
|
||||
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||
continue;
|
||||
|
||||
list.Add(method);
|
||||
}
|
||||
return list;
|
||||
}
|
||||
|
||||
public MethodDefinition getInitStringDecrypterMethod(MethodDefinition stringDecrypterInitMethod) {
|
||||
if (stringDecrypterInitMethod == null)
|
||||
return null;
|
||||
|
@ -212,5 +236,32 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
|||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
public void removeInitCall(Blocks blocks) {
|
||||
if (initMethod == null || theType == null)
|
||||
return;
|
||||
if (blocks.Method.Name != ".cctor")
|
||||
return;
|
||||
if (blocks.Method.DeclaringType != DotNetUtils.getModuleType(module))
|
||||
return;
|
||||
|
||||
foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
|
||||
var instrs = block.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 2; i++) {
|
||||
if (!instrs[i].isLdcI4())
|
||||
continue;
|
||||
if (!instrs[i + 1].isLdcI4())
|
||||
continue;
|
||||
var call = instrs[i + 2];
|
||||
if (call.OpCode.Code != Code.Call)
|
||||
continue;
|
||||
if (call.Operand != initMethod)
|
||||
continue;
|
||||
|
||||
block.remove(i, 3);
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
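Review bot: `removeInitCall` returns silently when the `ldc.i4, ldc.i4, call initMethod` run is not found, and it stops after the first match. An init call that has another instruction between the constants and the call, is split across blocks, or occurs a second time would stay in the cleaned `.cctor` with no indication. The test `call.Operand != initMethod` is a reference comparison, so it would presumably also miss a call whose operand is a different reference object for the same method. I would document the contract above the method, `// Removes the first "ldc.i4; ldc.i4; call initMethod" run from the module type's .cctor; no-op if the pattern is not matched`, and return a `bool` so that `deobfuscateMethodEnd` can report a miss.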
|
||||
|
|