Better support of DNR + .NET 1.x assemblies
This commit is contained in:
parent
b38aaca582
commit
0ba3a0c1e2
|
@ -382,7 +382,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
var tokenToNativeCode = new Dictionary<uint,byte[]>();
|
var tokenToNativeCode = new Dictionary<uint,byte[]>();
|
||||||
if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, tokenToNativeCode))
|
if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, tokenToNativeCode, unpackedNativeFile))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
newFileData = fileData;
|
newFileData = fileData;
|
||||||
|
@ -584,9 +584,26 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
else
|
else
|
||||||
Logger.v("Could not remove decrypter type");
|
Logger.v("Could not remove decrypter type");
|
||||||
|
|
||||||
|
fixEntryPoint();
|
||||||
|
|
||||||
base.deobfuscateEnd();
|
base.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void fixEntryPoint() {
|
||||||
|
if (!module.IsClr1x)
|
||||||
|
return;
|
||||||
|
|
||||||
|
var ep = module.EntryPoint;
|
||||||
|
if (ep == null)
|
||||||
|
return;
|
||||||
|
if (ep.MethodSig.GetParamCount() <= 1)
|
||||||
|
return;
|
||||||
|
|
||||||
|
ep.MethodSig = MethodSig.CreateStatic(ep.MethodSig.RetType, new SZArraySig(module.CorLibTypes.String));
|
||||||
|
ep.ParamList.Clear();
|
||||||
|
ep.Parameters.UpdateParameterTypes();
|
||||||
|
}
|
||||||
|
|
||||||
void removeInlinedMethods() {
|
void removeInlinedMethods() {
|
||||||
if (!options.InlineMethods || !options.RemoveInlinedMethods)
|
if (!options.InlineMethods || !options.RemoveInlinedMethods)
|
||||||
return;
|
return;
|
||||||
|
|
|
@ -123,7 +123,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
|
|
||||||
static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 };
|
static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 };
|
||||||
static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
|
static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
|
||||||
public bool decrypt(MyPEImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref DumpedMethods dumpedMethods, Dictionary<uint, byte[]> tokenToNativeCode) {
|
public bool decrypt(MyPEImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref DumpedMethods dumpedMethods, Dictionary<uint, byte[]> tokenToNativeCode, bool unpackedNativeFile) {
|
||||||
if (encryptedResource.Method == null)
|
if (encryptedResource.Method == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -158,13 +158,22 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
}
|
}
|
||||||
else if (!hooksJitter || mode == 1) {
|
else if (!hooksJitter || mode == 1) {
|
||||||
// DNR 3.9.8.0, 4.0, 4.1, 4.2, 4.3, 4.4
|
// DNR 3.9.8.0, 4.0, 4.1, 4.2, 4.3, 4.4
|
||||||
|
|
||||||
|
// If it's .NET 1.x, then offsets are used, not RVAs.
|
||||||
|
bool useOffsets = unpackedNativeFile && module.IsClr1x;
|
||||||
|
|
||||||
patchDwords(peImage, methodsDataReader, patchCount);
|
patchDwords(peImage, methodsDataReader, patchCount);
|
||||||
while (methodsDataReader.Position < methodsData.Length - 1) {
|
while (methodsDataReader.Position < methodsData.Length - 1) {
|
||||||
uint rva = methodsDataReader.ReadUInt32();
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
uint token = methodsDataReader.ReadUInt32(); // token, unknown, or index
|
uint token = methodsDataReader.ReadUInt32(); // token, unknown, or index
|
||||||
int size = methodsDataReader.ReadInt32();
|
int size = methodsDataReader.ReadInt32();
|
||||||
if (size > 0)
|
if (size > 0) {
|
||||||
peImage.dotNetSafeWrite(rva, methodsDataReader.ReadBytes(size));
|
var newData = methodsDataReader.ReadBytes(size);
|
||||||
|
if (useOffsets)
|
||||||
|
peImage.dotNetSafeWriteOffset(rva, newData);
|
||||||
|
else
|
||||||
|
peImage.dotNetSafeWrite(rva, newData);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
|
Loading…
Reference in New Issue
Block a user