diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj index 73f6676a..3a8a3e13 100644 --- a/de4dot.code/de4dot.code.csproj +++ b/de4dot.code/de4dot.code.csproj @@ -79,11 +79,10 @@ - - + - - + + diff --git a/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs similarity index 84% rename from de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs rename to de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs index 35cf2f05..b1280d4a 100644 --- a/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs @@ -21,10 +21,10 @@ using System.Collections.Generic; using Mono.Cecil; using Mono.MyStuff; -namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 { +namespace de4dot.code.deobfuscators.CodeVeil { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "CodeVeil"; - public const string THE_TYPE = "cv4"; + public const string THE_TYPE = "cv"; const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; public DeobfuscatorInfo() @@ -53,10 +53,11 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 { class Deobfuscator : DeobfuscatorBase { Options options; - string obfuscatorName = DeobfuscatorInfo.THE_NAME + " 3.x - 4.x"; + string obfuscatorName = DeobfuscatorInfo.THE_NAME; bool foundKillType = false; MethodsDecrypter methodsDecrypter; + ProxyDelegateFinder proxyDelegateFinder; StringDecrypter stringDecrypter; internal class Options : OptionsBase { @@ -83,7 +84,8 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 { int val = 0; int sum = toInt32(methodsDecrypter.Detected) + - toInt32(stringDecrypter.Detected); + toInt32(stringDecrypter.Detected) + + toInt32(proxyDelegateFinder.Detected); if (sum > 0) val += 100 + 10 * (sum - 1); if (foundKillType) 
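Review bot: `THE_TYPE` changes from `"cv4"` to `"cv"` in the `@@ -21,10 +21,10 @@` hunk while the v5 `DeobfuscatorInfo` with `"cv5"` is deleted later in this commit, so both former type ids disappear at once. `THE_TYPE` is a public constant, so anything that selects or matches this deobfuscator by its type string would stop matching without any error from this code; the consumers are not shown here, so this is an assumption to confirm. A comment above the constant, e.g. `// Single id for all CodeVeil versions; replaces the former "cv4" and "cv5"`, would record the break for people with scripted analysis runs. The class body continues outside the hunk.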
@@ -94,6 +96,8 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 { protected override void scanForObfuscator() { findKillType(); + proxyDelegateFinder = new ProxyDelegateFinder(module); + proxyDelegateFinder.findDelegateCreator(); methodsDecrypter = new MethodsDecrypter(module); methodsDecrypter.find(); stringDecrypter = new StringDecrypter(module); @@ -127,6 +131,7 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 { newOne.setModule(module); newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter); newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter); + newOne.proxyDelegateFinder = new ProxyDelegateFinder(module, proxyDelegateFinder); return newOne; } @@ -141,12 +146,17 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 { DeobfuscatedFile.stringDecryptersAdded(); } - //TODO: + proxyDelegateFinder.initialize(); + proxyDelegateFinder.find(); + } + + public override void deobfuscateMethodBegin(blocks.Blocks blocks) { + proxyDelegateFinder.deobfuscate(blocks); + base.deobfuscateMethodBegin(blocks); } public override void deobfuscateEnd() { - //TODO: - + removeProxyDelegates(proxyDelegateFinder, false); //TODO: Should be 'true' base.deobfuscateEnd(); } diff --git a/de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs similarity index 99% rename from de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs rename to de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs index c7566cb3..5db193ae 100644 --- a/de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs +++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs @@ -27,7 +27,7 @@ using Mono.MyStuff; using de4dot.blocks; using de4dot.code.PE; -namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 { +namespace de4dot.code.deobfuscators.CodeVeil { // The code isn't currently encrypted at all! But let's keep this class name. class MethodsDecrypter { ModuleDefinition module; 
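Review bot: In the `@@ -141,12 +146,17 @@` hunk, `proxyDelegateFinder.initialize();` and `proxyDelegateFinder.find();` now run unconditionally at the end of deobfuscateBegin, while the string decrypter's `initialize()` gains an explicit null guard in this same commit. Whether `ProxyDelegateFinder.initialize()` tolerates a module in which `findDelegateCreator()` matched nothing is not visible here; if it does not, an input that only partly matches CodeVeil would abort the whole run instead of being skipped. Making the precondition explicit, `if (proxyDelegateFinder.Detected) { proxyDelegateFinder.initialize(); proxyDelegateFinder.find(); }`, would remove the doubt. The `//TODO: Should be 'true'` on `removeProxyDelegates(proxyDelegateFinder, false)` should also say why `true` is not yet safe and what remains in the output until then. deobfuscateBegin starts outside the hunk.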
diff --git a/de4dot.code/deobfuscators/CodeVeil/v5/ProxyDelegateFinder.cs b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs similarity index 97% rename from de4dot.code/deobfuscators/CodeVeil/v5/ProxyDelegateFinder.cs rename to de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs index b717b5e4..840d9b3c 100644 --- a/de4dot.code/deobfuscators/CodeVeil/v5/ProxyDelegateFinder.cs +++ b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs @@ -24,7 +24,7 @@ using Mono.Cecil; using Mono.Cecil.Cil; using de4dot.blocks; -namespace de4dot.code.deobfuscators.CodeVeil.v5 { +namespace de4dot.code.deobfuscators.CodeVeil { class ProxyDelegateFinder : ProxyDelegateFinderBase { Info info = new Info(); BinaryReader reader; @@ -48,6 +48,10 @@ namespace de4dot.code.deobfuscators.CodeVeil.v5 { : base(module) { } + public ProxyDelegateFinder(ModuleDefinition module, ProxyDelegateFinder oldOne) + : base(module, oldOne) { + } + protected override object checkCctor(TypeDefinition type, MethodDefinition cctor) { var instrs = cctor.Body.Instructions; for (int i = 0; i < instrs.Count - 1; i++) { diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs index fa049494..591c865b 100644 --- a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs +++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs @@ -78,9 +78,11 @@ namespace de4dot.code.deobfuscators.CodeVeil { initMethod = initMethodTmp; break; } + + find2(); } - public void find2() { + void find2() { foreach (var type in module.Types) { if (!checkType(type)) continue; @@ -174,7 +176,7 @@ namespace de4dot.code.deobfuscators.CodeVeil { } public void initialize() { - if (stringDataField == null) + if (initMethod == null || stringDataField == null) return; var key = getKey(initMethod); diff --git a/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs deleted file mode 100644 index 47ba7fc3..00000000 
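Review bot: The new `ProxyDelegateFinder(ModuleDefinition module, ProxyDelegateFinder oldOne)` constructor in the `@@ -48,6 +48,10 @@` hunk has an empty body, so the subclass fields `info` and `reader` shown in the previous hunk's context start fresh instead of being carried over from `oldOne`. That is correct only if `base(module, oldOne)` transfers everything the reloaded finder needs and `info`/`reader` are filled in later; neither is visible in this diff. If that is the intent, a comment in the body such as `// only base state is carried over; info and reader are rebuilt after the module reload` would keep a later change from relying on state that the reload drops.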
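Review bot: The widened guard `if (initMethod == null || stringDataField == null) return;` in the StringDecrypter `@@ -174,7 +176,7 @@` hunk makes `initialize()` return silently when only one of the two was found, which leaves the strings encrypted with nothing in the output to say so. On a partially recognised or deliberately altered assembly, that half-matched state can look like a clean result, so it is worth logging a warning when exactly one of `initMethod` and `stringDataField` is null before returning. The reason for the extra condition also deserves a comment, e.g. `// initMethod is passed to getKey() below, so both must have been found`. The body of `initialize()` continues outside the hunk.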
--- a/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs +++ /dev/null @@ -1,129 +0,0 @@ -/* - Copyright (C) 2011-2012 de4dot@gmail.com - - This file is part of de4dot. - - de4dot is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - de4dot is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with de4dot. If not, see . -*/ - -using System.Collections.Generic; -using Mono.Cecil; - -namespace de4dot.code.deobfuscators.CodeVeil.v5 { - public class DeobfuscatorInfo : DeobfuscatorInfoBase { - public const string THE_NAME = "CodeVeil"; - public const string THE_TYPE = "cv5"; - const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; - - public DeobfuscatorInfo() - : base(DEFAULT_REGEX) { - } - - public override string Name { - get { return THE_NAME; } - } - - public override string Type { - get { return THE_TYPE; } - } - - public override IDeobfuscator createDeobfuscator() { - return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), - }); - } - - protected override IEnumerable