monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Search for sig starting from _stub RVA

Browse Source
This commit is contained in:
de4dot 2012-02-08 09:29:49 +01:00
parent a8d4b38c79
commit 09e840923d
1 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
View File

@ -341,8 +341,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
const int RVA_EXECUTIVE_OFFSET = 1 * 4;
const int ENC_CODE_OFFSET = 6 * 4;
for (int offset = 0; offset < section.sizeOfRawData - (ENC_CODE_OFFSET + 4 - 1); ) {
offset = findSig(fileData, offset, initializeMethodEnd);
int lastOffset = (int)(section.pointerToRawData + section.sizeOfRawData);
for (int offset = getStartOffset(peImage); offset < lastOffset; ) {
offset = findSig(fileData, offset, lastOffset, initializeMethodEnd);
if (offset < 0)
return null;
offset += initializeMethodEnd.Length;
@ -351,6 +352,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
if (retImm16 != 0x0C && retImm16 != 0x10)
continue;
offset += 2;
if (offset + ENC_CODE_OFFSET + 4 > lastOffset)
return null;
int rva = BitConverter.ToInt32(fileData, offset + RVA_EXECUTIVE_OFFSET);
if (rvas.IndexOf(rva) < 0)
@ -372,8 +375,18 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return null;
}
static int findSig(byte[] fileData, int offset, byte[] sig) {
for (int i = offset; i < fileData.Length - sig.Length + 1; i++) {
int getStartOffset(PeImage peImage) {
int minOffset = int.MaxValue;
foreach (var rva in rvas) {
int rvaOffs = (int)peImage.rvaToOffset((uint)rva);
if (rvaOffs < minOffset)
minOffset = rvaOffs;
}
return minOffset == int.MaxValue ? 0 : minOffset;
}
static int findSig(byte[] fileData, int offset, int lastOffset, byte[] sig) {
for (int i = offset; i < lastOffset - sig.Length + 1; i++) {
if (fileData[i] != sig[0])
continue;
if (compare(fileData, i + 1, sig, 1, sig.Length - 1))