Better support of DNR + .NET 1.x assemblies

2012-12-04 23:58:34 +01:00 · 2012-12-04 23:58:34 +01:00 · 0ba3a0c1e2
commit 0ba3a0c1e2
parent b38aaca582
2 changed files with 30 additions and 4 deletions
--- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
@ -382,7 +382,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 				return false;

 			var tokenToNativeCode = new Dictionary<uint,byte[]>();
-			if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, tokenToNativeCode))
+			if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, tokenToNativeCode, unpackedNativeFile))
 				return false;

 			newFileData = fileData;
@ -584,9 +584,26 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			else
 				Logger.v("Could not remove decrypter type");

+			fixEntryPoint();
+
 			base.deobfuscateEnd();
 		}

+		void fixEntryPoint() {
+			if (!module.IsClr1x)
+				return;
+
+			var ep = module.EntryPoint;
+			if (ep == null)
+				return;
+			if (ep.MethodSig.GetParamCount() <= 1)
+				return;
+
+			ep.MethodSig = MethodSig.CreateStatic(ep.MethodSig.RetType, new SZArraySig(module.CorLibTypes.String));
+			ep.ParamList.Clear();
+			ep.Parameters.UpdateParameterTypes();
+		}
+
 		void removeInlinedMethods() {
 			if (!options.InlineMethods || !options.RemoveInlinedMethods)
 				return;
--- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs
@ -123,7 +123,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {

 		static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 };
 		static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
-		public bool decrypt(MyPEImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref DumpedMethods dumpedMethods, Dictionary<uint, byte[]> tokenToNativeCode) {
+		public bool decrypt(MyPEImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref DumpedMethods dumpedMethods, Dictionary<uint, byte[]> tokenToNativeCode, bool unpackedNativeFile) {
 			if (encryptedResource.Method == null)
 				return false;

@ -158,13 +158,22 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			}
 			else if (!hooksJitter || mode == 1) {
 				// DNR 3.9.8.0, 4.0, 4.1, 4.2, 4.3, 4.4
+
+				// If it's .NET 1.x, then offsets are used, not RVAs.
+				bool useOffsets = unpackedNativeFile && module.IsClr1x;
+
 				patchDwords(peImage, methodsDataReader, patchCount);
 				while (methodsDataReader.Position < methodsData.Length - 1) {
 					uint rva = methodsDataReader.ReadUInt32();
 					uint token = methodsDataReader.ReadUInt32();	// token, unknown, or index
 					int size = methodsDataReader.ReadInt32();
-					if (size > 0)
-						peImage.dotNetSafeWrite(rva, methodsDataReader.ReadBytes(size));
+					if (size > 0) {
+						var newData = methodsDataReader.ReadBytes(size);
+						if (useOffsets)
+							peImage.dotNetSafeWriteOffset(rva, newData);
+						else
+							peImage.dotNetSafeWrite(rva, newData);
+					}
 				}
 			}
 			else {