Merge branch 'master' into newcode
This commit is contained in:
de4dot
commit
080a11c437
|
|
@ -294,6 +294,10 @@ namespace de4dot.blocks {
|
||||||
return module.Types[0];
|
return module.Types[0];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static MethodDefinition getModuleTypeCctor(ModuleDefinition module) {
|
||||||
|
return getMethod(getModuleType(module), ".cctor");
|
||||||
|
}
|
||||||
|
|
||||||
public static bool isEmpty(MethodDefinition method) {
|
public static bool isEmpty(MethodDefinition method) {
|
||||||
if (method.Body == null)
|
if (method.Body == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
|
||||||
|
|
@ -232,6 +232,10 @@ namespace de4dot.blocks.cflow {
|
||||||
return valueStack.pop();
|
return valueStack.pop();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public Value peek() {
|
||||||
|
return valueStack.peek();
|
||||||
|
}
|
||||||
|
|
||||||
public void emulate(IEnumerable<Instr> instructions) {
|
public void emulate(IEnumerable<Instr> instructions) {
|
||||||
foreach (var instr in instructions)
|
foreach (var instr in instructions)
|
||||||
emulate(instr.Instruction);
|
emulate(instr.Instruction);
|
||||||
|
|
|
||||||
2
cecil
2
cecil
|
|
@ -1 +1 @@
|
||||||
Subproject commit a865fbdbaa5ff9231751aeb1979f722f925a8725
|
Subproject commit 766ef4e529f0c8a4584a708711a33a1752e658c6
|
||||||
|
|
@ -97,6 +97,19 @@ namespace de4dot.code.deobfuscators {
|
||||||
return resultArray;
|
return resultArray;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static short[] getInitializedInt16Array(int arraySize, MethodDefinition method, ref int newarrIndex) {
|
||||||
|
var resultValueArray = getInitializedArray(arraySize, method, ref newarrIndex, Code.Stelem_I2);
|
||||||
|
|
||||||
|
var resultArray = new short[resultValueArray.Length];
|
||||||
|
for (int i = 0; i < resultArray.Length; i++) {
|
||||||
|
var intValue = resultValueArray[i] as Int32Value;
|
||||||
|
if (intValue == null || !intValue.allBitsValid())
|
||||||
|
return null;
|
||||||
|
resultArray[i] = (short)intValue.value;
|
||||||
|
}
|
||||||
|
return resultArray;
|
||||||
|
}
|
||||||
|
|
||||||
public static int[] getInitializedInt32Array(int arraySize, MethodDefinition method, ref int newarrIndex) {
|
public static int[] getInitializedInt32Array(int arraySize, MethodDefinition method, ref int newarrIndex) {
|
||||||
var resultValueArray = getInitializedArray(arraySize, method, ref newarrIndex, Code.Stelem_I4);
|
var resultValueArray = getInitializedArray(arraySize, method, ref newarrIndex, Code.Stelem_I4);
|
||||||
|
|
||||||
|
|
@ -125,6 +138,25 @@ namespace de4dot.code.deobfuscators {
|
||||||
break;
|
break;
|
||||||
if (instr.OpCode.Code == Code.Newarr)
|
if (instr.OpCode.Code == Code.Newarr)
|
||||||
break;
|
break;
|
||||||
|
switch (instr.OpCode.Code) {
|
||||||
|
case Code.Newarr:
|
||||||
|
case Code.Newobj:
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
case Code.Stloc:
|
||||||
|
case Code.Stloc_S:
|
||||||
|
case Code.Stloc_0:
|
||||||
|
case Code.Stloc_1:
|
||||||
|
case Code.Stloc_2:
|
||||||
|
case Code.Stloc_3:
|
||||||
|
case Code.Starg:
|
||||||
|
case Code.Starg_S:
|
||||||
|
case Code.Stsfld:
|
||||||
|
case Code.Stfld:
|
||||||
|
if (emulator.peek() == theArray && i != newarrIndex + 1)
|
||||||
|
goto done;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
if (instr.OpCode.Code == stelemOpCode) {
|
if (instr.OpCode.Code == stelemOpCode) {
|
||||||
var value = emulator.pop();
|
var value = emulator.pop();
|
||||||
|
|
@ -138,6 +170,7 @@ namespace de4dot.code.deobfuscators {
|
||||||
else
|
else
|
||||||
emulator.emulate(instr);
|
emulator.emulate(instr);
|
||||||
}
|
}
|
||||||
|
done:
|
||||||
if (i != newarrIndex + 1)
|
if (i != newarrIndex + 1)
|
||||||
i--;
|
i--;
|
||||||
newarrIndex = i;
|
newarrIndex = i;
|
||||||
|
|
|
||||||
|
|
@ -179,6 +179,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
||||||
proxyDelegateFinder.find();
|
proxyDelegateFinder.find();
|
||||||
|
|
||||||
staticStringInliner.add(stringDecrypter.Method, (method, args) => stringDecrypter.decrypt((string)args[0]));
|
staticStringInliner.add(stringDecrypter.Method, (method, args) => stringDecrypter.decrypt((string)args[0]));
|
||||||
|
DeobfuscatedFile.stringDecryptersAdded();
|
||||||
|
|
||||||
if (options.DecryptMethods) {
|
if (options.DecryptMethods) {
|
||||||
addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod);
|
addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod);
|
||||||
|
|
|
||||||
|
|
@ -45,7 +45,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
public void find() {
|
public void find() {
|
||||||
if (find(module.EntryPoint))
|
if (find(module.EntryPoint))
|
||||||
return;
|
return;
|
||||||
if (find(DotNetUtils.getMethod(DotNetUtils.getModuleType(module), ".cctor")))
|
if (find(DotNetUtils.getModuleTypeCctor(module)))
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -45,7 +45,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
public void find() {
|
public void find() {
|
||||||
if (find(module.EntryPoint))
|
if (find(module.EntryPoint))
|
||||||
return;
|
return;
|
||||||
if (find(DotNetUtils.getMethod(DotNetUtils.getModuleType(module), ".cctor")))
|
if (find(DotNetUtils.getModuleTypeCctor(module)))
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -22,6 +22,7 @@ using System.IO;
|
||||||
using System.Security.Cryptography;
|
using System.Security.Cryptography;
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
using ICSharpCode.SharpZipLib.Zip.Compression;
|
using ICSharpCode.SharpZipLib.Zip.Compression;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators {
|
namespace de4dot.code.deobfuscators {
|
||||||
static class DeobUtils {
|
static class DeobUtils {
|
||||||
|
|
@ -103,10 +104,14 @@ namespace de4dot.code.deobfuscators {
|
||||||
}
|
}
|
||||||
|
|
||||||
public static byte[] inflate(byte[] data, bool hasHeader) {
|
public static byte[] inflate(byte[] data, bool hasHeader) {
|
||||||
|
return inflate(data, 0, data.Length, hasHeader);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static byte[] inflate(byte[] data, int start, int len, bool hasHeader) {
|
||||||
var buffer = new byte[0x1000];
|
var buffer = new byte[0x1000];
|
||||||
var memStream = new MemoryStream();
|
var memStream = new MemoryStream();
|
||||||
var inflater = new Inflater(hasHeader);
|
var inflater = new Inflater(hasHeader);
|
||||||
inflater.SetInput(data, 0, data.Length);
|
inflater.SetInput(data, start, len);
|
||||||
while (true) {
|
while (true) {
|
||||||
int count = inflater.Inflate(buffer, 0, buffer.Length);
|
int count = inflater.Inflate(buffer, 0, buffer.Length);
|
||||||
if (count == 0)
|
if (count == 0)
|
||||||
|
|
@ -115,5 +120,14 @@ namespace de4dot.code.deobfuscators {
|
||||||
}
|
}
|
||||||
return memStream.ToArray();
|
return memStream.ToArray();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static EmbeddedResource getEmbeddedResourceFromCodeStrings(ModuleDefinition module, MethodDefinition method) {
|
||||||
|
foreach (var s in DotNetUtils.getCodeStrings(method)) {
|
||||||
|
var resource = DotNetUtils.getResource(module, s) as EmbeddedResource;
|
||||||
|
if (resource != null)
|
||||||
|
return resource;
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -638,8 +638,11 @@ namespace de4dot.code.deobfuscators {
|
||||||
public virtual void OnBeforeAddingResources(MetadataBuilder builder) {
|
public virtual void OnBeforeAddingResources(MetadataBuilder builder) {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void findAndRemoveInlinedMethods() {
|
protected void findAndRemoveInlinedMethods() {
|
||||||
var inlinedMethods = InlinedMethodsFinder.find(module);
|
removeInlinedMethods(InlinedMethodsFinder.find(module));
|
||||||
|
}
|
||||||
|
|
||||||
|
protected void removeInlinedMethods(List<MethodDefinition> inlinedMethods) {
|
||||||
addMethodsToBeRemoved(new UnusedMethodsFinder(module, inlinedMethods, getRemovedMethods()).find(), "Inlined method");
|
addMethodsToBeRemoved(new UnusedMethodsFinder(module, inlinedMethods, getRemovedMethods()).find(), "Inlined method");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -116,6 +116,7 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
|
||||||
base.deobfuscateBegin();
|
base.deobfuscateBegin();
|
||||||
foreach (var info in stringDecrypter.StringDecrypterInfos)
|
foreach (var info in stringDecrypter.StringDecrypterInfos)
|
||||||
staticStringInliner.add(info.method, (method, args) => stringDecrypter.decrypt(method, (string)args[0], (int)args[1]));
|
staticStringInliner.add(info.method, (method, args) => stringDecrypter.decrypt(method, (string)args[0], (int)args[1]));
|
||||||
|
DeobfuscatedFile.stringDecryptersAdded();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override void deobfuscateEnd() {
|
public override void deobfuscateEnd() {
|
||||||
|
|
|
||||||
|
|
@ -43,7 +43,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool find() {
|
public bool find() {
|
||||||
if (checkCalledMethods(DotNetUtils.getMethod(DotNetUtils.getModuleType(module), ".cctor")))
|
if (checkCalledMethods(DotNetUtils.getModuleTypeCctor(module)))
|
||||||
return true;
|
return true;
|
||||||
if (checkCalledMethods(module.EntryPoint))
|
if (checkCalledMethods(module.EntryPoint))
|
||||||
return true;
|
return true;
|
||||||
|
|
|
||||||
|
|
@ -58,7 +58,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
if (resolverType != null)
|
if (resolverType != null)
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
if (findTypes(DotNetUtils.getMethod(DotNetUtils.getModuleType(module), ".cctor")))
|
if (findTypes(DotNetUtils.getModuleTypeCctor(module)))
|
||||||
return true;
|
return true;
|
||||||
if (findTypes(module.EntryPoint))
|
if (findTypes(module.EntryPoint))
|
||||||
return true;
|
return true;
|
||||||
|
|
|
||||||
|
|
@ -100,6 +100,7 @@ namespace de4dot.code.deobfuscators.Xenocode {
|
||||||
base.deobfuscateBegin();
|
base.deobfuscateBegin();
|
||||||
|
|
||||||
staticStringInliner.add(stringDecrypter.Method, (method, args) => stringDecrypter.decrypt((string)args[0], (int)args[1]));
|
staticStringInliner.add(stringDecrypter.Method, (method, args) => stringDecrypter.decrypt((string)args[0], (int)args[1]));
|
||||||
|
DeobfuscatedFile.stringDecryptersAdded();
|
||||||
}
|
}
|
||||||
|
|
||||||
public override void deobfuscateEnd() {
|
public override void deobfuscateEnd() {
|
||||||
|
|
|
||||||
|
|
@ -255,6 +255,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||||
staticStringInliner.add(decrypterType.StringDecrypter2, (method2, args) => {
|
staticStringInliner.add(decrypterType.StringDecrypter2, (method2, args) => {
|
||||||
return decrypterType.decrypt2((string)args[0]);
|
return decrypterType.decrypt2((string)args[0]);
|
||||||
});
|
});
|
||||||
|
DeobfuscatedFile.stringDecryptersAdded();
|
||||||
|
|
||||||
libAssemblyResolver = new LibAssemblyResolver(module);
|
libAssemblyResolver = new LibAssemblyResolver(module);
|
||||||
libAssemblyResolver.find(DeobfuscatedFile, this);
|
libAssemblyResolver.find(DeobfuscatedFile, this);
|
||||||
|
|
|
||||||
|
|
@ -65,7 +65,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void find() {
|
public void find() {
|
||||||
foreach (var info in DotNetUtils.getCalledMethods(module, DotNetUtils.getMethod(DotNetUtils.getModuleType(module), ".cctor"))) {
|
foreach (var info in DotNetUtils.getCalledMethods(module, DotNetUtils.getModuleTypeCctor(module))) {
|
||||||
if (!DotNetUtils.isMethod(info.Item2, "System.Void", "()"))
|
if (!DotNetUtils.isMethod(info.Item2, "System.Void", "()"))
|
||||||
continue;
|
continue;
|
||||||
if (info.Item1.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}")
|
if (info.Item1.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}")
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user