Create DNR3 dir
parent
dd60af245a
commit
0d92b37536
|
@ -77,30 +77,32 @@
|
||||||
<Compile Include="deobfuscators\DeobfuscatorInfoBase.cs" />
|
<Compile Include="deobfuscators\DeobfuscatorInfoBase.cs" />
|
||||||
<Compile Include="deobfuscators\DeobUtils.cs" />
|
<Compile Include="deobfuscators\DeobUtils.cs" />
|
||||||
<Compile Include="deobfuscators\Dotfuscator\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Dotfuscator\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeDecrypter.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor3\ApplicationModeDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeUnpacker.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor3\ApplicationModeUnpacker.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\AssemblyResolver.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor3\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\BooleanDecrypter.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\AssemblyResolver.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\BoolValueInliner.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\BooleanDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\BoolValueInliner.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\EmptyClass.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\EncryptedResource.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\EmptyClass.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\MetadataTokenObfuscator.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\EncryptedResource.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\MethodsDecrypter.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\MetadataTokenObfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\NativeFileDecrypter.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\MethodsDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\NativeImageUnpacker.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\NativeFileDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\QuickLZ.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\NativeImageUnpacker.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\ResourceResolver.cs" />
|
<Compile Include="deobfuscators\QuickLZ.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\ResourceResolver.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\AntiStrongName.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\StringDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\AssemblyResolver.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor4\AntiStrongName.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\DecryptMethod.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor3\AssemblyResolver.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\MemoryPatcher.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor3\DecryptMethod.cs" />
|
||||||
|
<Compile Include="deobfuscators\dotNET_Reactor3\MemoryPatcher.cs" />
|
||||||
<Compile Include="deobfuscators\Eazfuscator\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Eazfuscator\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
|
<Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
|
||||||
<Compile Include="deobfuscators\IDeobfuscatedFile.cs" />
|
<Compile Include="deobfuscators\IDeobfuscatedFile.cs" />
|
||||||
<Compile Include="deobfuscators\IDeobfuscator.cs" />
|
<Compile Include="deobfuscators\IDeobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\IDeobfuscatorInfo.cs" />
|
<Compile Include="deobfuscators\IDeobfuscatorInfo.cs" />
|
||||||
|
<Compile Include="deobfuscators\InlinedMethodsFinder.cs" />
|
||||||
<Compile Include="deobfuscators\ISimpleDeobfuscator.cs" />
|
<Compile Include="deobfuscators\ISimpleDeobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\RandomNameChecker.cs" />
|
<Compile Include="deobfuscators\RandomNameChecker.cs" />
|
||||||
<Compile Include="deobfuscators\StringCounts.cs" />
|
<Compile Include="deobfuscators\StringCounts.cs" />
|
||||||
|
@ -125,6 +127,7 @@
|
||||||
<Compile Include="deobfuscators\TypesRestorer.cs" />
|
<Compile Include="deobfuscators\TypesRestorer.cs" />
|
||||||
<Compile Include="deobfuscators\Unknown\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Unknown\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\UnpackedFile.cs" />
|
<Compile Include="deobfuscators\UnpackedFile.cs" />
|
||||||
|
<Compile Include="deobfuscators\UnusedMethodsFinder.cs" />
|
||||||
<Compile Include="deobfuscators\Xenocode\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Xenocode\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\Xenocode\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\Xenocode\StringDecrypter.cs" />
|
||||||
<Compile Include="IObfuscatedFile.cs" />
|
<Compile Include="IObfuscatedFile.cs" />
|
||||||
|
|
|
@ -584,5 +584,10 @@ namespace de4dot.code.deobfuscators {
|
||||||
|
|
||||||
public virtual void OnBeforeAddingResources(MetadataBuilder builder) {
|
public virtual void OnBeforeAddingResources(MetadataBuilder builder) {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void findAndRemoveInlinedMethods() {
|
||||||
|
var inlinedMethods = InlinedMethodsFinder.find(module);
|
||||||
|
addMethodsToBeRemoved(new UnusedMethodsFinder(module, inlinedMethods).find(), "Inlined method");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
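Review bot: `findAndRemoveInlinedMethods` is added as `public` with no comment, although the only caller visible on this page is a subclass (`removeInlinedMethods` in dotNET_Reactor3/Deobfuscator.cs); `protected` would keep a method that deletes code from the module off the class's public surface. A short comment would also help, e.g. `// Queues for removal every InlinedMethodsFinder candidate that UnusedMethodsFinder finds no remaining reference to.` The enclosing class starts outside this hunk, so other callers cannot be ruled out from here.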
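--- a/de4dot.code/deobfuscators/InlinedMethodsFinder.cs
+++ b/de4dot.code/deobfuscators/InlinedMethodsFinder.cs
@@ -0,0 +1,131 @@
+/*
+Copyright (C) 2011 de4dot@gmail.com
+
+This file is part of de4dot.
+
+de4dot is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+de4dot is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with de4dot. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using Mono.Cecil;
+using Mono.Cecil.Cil;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators {
+static class InlinedMethodsFinder {
+public static List<MethodDefinition> find(ModuleDefinition module) {
+// Not all garbage methods are inlined, possibly because we remove some code that calls
+// the garbage method before the methods inliner has a chance to inline it. Try to find
+// all garbage methods and other code will figure out if there are any calls left.
+
+var inlinedMethods = new List<MethodDefinition>();
+foreach (var type in module.GetTypes()) {
+foreach (var method in type.Methods) {
+if (!method.IsStatic)
+continue;
+if (!method.IsAssembly && !method.IsCompilerControlled)
+continue;
+if (method.GenericParameters.Count > 0)
+continue;
+if (method.Name == ".cctor")
+continue;
+if (method.Body == null)
+continue;
+var instrs = method.Body.Instructions;
+if (instrs.Count < 2)
+continue;
+
+switch (instrs[0].OpCode.Code) {
+case Code.Ldc_I4:
+case Code.Ldc_I4_0:
+case Code.Ldc_I4_1:
+case Code.Ldc_I4_2:
+case Code.Ldc_I4_3:
+case Code.Ldc_I4_4:
+case Code.Ldc_I4_5:
+case Code.Ldc_I4_6:
+case Code.Ldc_I4_7:
+case Code.Ldc_I4_8:
+case Code.Ldc_I4_M1:
+case Code.Ldc_I4_S:
+case Code.Ldc_I8:
+case Code.Ldc_R4:
+case Code.Ldc_R8:
+case Code.Ldftn:
+case Code.Ldnull:
+case Code.Ldstr:
+case Code.Ldtoken:
+case Code.Ldsfld:
+case Code.Ldsflda:
+if (instrs[1].OpCode.Code != Code.Ret)
+continue;
+break;
+
+case Code.Ldarg:
+case Code.Ldarg_S:
+case Code.Ldarg_0:
+case Code.Ldarg_1:
+case Code.Ldarg_2:
+case Code.Ldarg_3:
+case Code.Call:
+if (!isCallMethod(method))
+continue;
+break;
+
+default:
+continue;
+}
+
+inlinedMethods.Add(method);
+}
+}
+
+return inlinedMethods;
+}
+
+static bool isCallMethod(MethodDefinition method) {
+int loadIndex = 0;
+int methodArgsCount = DotNetUtils.getArgsCount(method);
+var instrs = method.Body.Instructions;
+int i = 0;
+for (; i < instrs.Count && i < methodArgsCount; i++) {
+var instr = instrs[i];
+switch (instr.OpCode.Code) {
+case Code.Ldarg:
+case Code.Ldarg_S:
+case Code.Ldarg_0:
+case Code.Ldarg_1:
+case Code.Ldarg_2:
+case Code.Ldarg_3:
+if (DotNetUtils.getArgIndex(method, instr) != loadIndex)
+return false;
+loadIndex++;
+continue;
+}
+break;
+}
+if (loadIndex != methodArgsCount)
+return false;
+if (i + 1 >= instrs.Count)
+return false;
+
+if (instrs[i].OpCode.Code != Code.Call && instrs[i].OpCode.Code != Code.Callvirt)
+return false;
+if (instrs[i + 1].OpCode.Code != Code.Ret)
+return false;
+
+return true;
+}
+}
+}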
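Review bot: The filters in `find` accept any static `internal` or compiler-controlled method whose body is a single load or a forwarded call followed by `ret`, so trivial helpers and static property or event accessors written by the original author become removal candidates too, not only obfuscator-generated stubs. Whether they are then deleted depends entirely on `UnusedMethodsFinder` seeing a reference in IL. Consider skipping accessors, e.g. `if (method.SemanticsAttributes != MethodSemanticsAttributes.None) continue;`, unless the removal path (not shown here) already detaches them from their property or event. A summary comment on `find` should also say that it returns candidates only and never proves a method unused.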
|
@ -11,7 +11,7 @@
|
||||||
|
|
||||||
using System;
|
using System;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators {
|
||||||
static class QuickLZ {
|
static class QuickLZ {
|
||||||
static int sig = 0x5A4C4351; // "QCLZ"
|
static int sig = 0x5A4C4351; // "QCLZ"
|
||||||
|
|
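--- a/de4dot.code/deobfuscators/UnusedMethodsFinder.cs
+++ b/de4dot.code/deobfuscators/UnusedMethodsFinder.cs
@@ -0,0 +1,85 @@
+/*
+Copyright (C) 2011 de4dot@gmail.com
+
+This file is part of de4dot.
+
+de4dot is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+de4dot is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with de4dot. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using Mono.Cecil;
+using Mono.Cecil.Cil;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators {
+class UnusedMethodsFinder {
+ModuleDefinition module;
+Dictionary<MethodDefinition, bool> possiblyUnusedMethods = new Dictionary<MethodDefinition, bool>();
+Stack<MethodDefinition> notUnusedStack = new Stack<MethodDefinition>();
+
+public UnusedMethodsFinder(ModuleDefinition module, IEnumerable<MethodDefinition> possiblyUnusedMethods) {
+this.module = module;
+foreach (var method in possiblyUnusedMethods) {
+if (method != module.EntryPoint)
+this.possiblyUnusedMethods[method] = true;
+}
+}
+
+public IEnumerable<MethodDefinition> find() {
+if (possiblyUnusedMethods.Count == 0)
+return possiblyUnusedMethods.Keys;
+
+foreach (var type in module.GetTypes()) {
+foreach (var method in type.Methods)
+check(method);
+}
+
+while (notUnusedStack.Count > 0) {
+var method = notUnusedStack.Pop();
+if (!possiblyUnusedMethods.Remove(method))
+continue;
+check(method);
+}
+
+return possiblyUnusedMethods.Keys;
+}
+
+void check(MethodDefinition method) {
+if (method.Body == null)
+return;
+if (possiblyUnusedMethods.ContainsKey(method))
+return;
+
+foreach (var instr in method.Body.Instructions) {
+switch (instr.OpCode.Code) {
+case Code.Call:
+case Code.Calli:
+case Code.Callvirt:
+case Code.Newobj:
+case Code.Ldtoken:
+case Code.Ldftn:
+break;
+default:
+continue;
+}
+
+var calledMethod = DotNetUtils.getMethod(module, instr.Operand as MethodReference);
+if (calledMethod == null)
+continue;
+if (possiblyUnusedMethods.ContainsKey(calledMethod))
+notUnusedStack.Push(calledMethod);
+}
+}
+}
+}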
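Review bot: `check` only resolves operands of `call`, `calli`, `callvirt`, `newobj`, `ldtoken` and `ldftn`, so a candidate referenced through `jmp` (or `ldvirtftn`) would be reported as unused and handed to the removal step. Because the operand is already filtered with `instr.Operand as MethodReference`, the opcode `switch` could simply be dropped so that every instruction carrying a method operand counts as a use; this assumes `DotNetUtils.getMethod` returns null for a null reference, as the existing `calli` case implies but this page does not show. References that never appear as an IL operand in this module, such as reflection by name or friend assemblies calling `internal` methods, stay invisible to the scan. A class comment stating that limit would tell callers the result is a heuristic.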
|
@ -21,7 +21,7 @@ using Mono.Cecil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
using de4dot.blocks.cflow;
|
using de4dot.blocks.cflow;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
|
||||||
class ApplicationModeDecrypter {
|
class ApplicationModeDecrypter {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
AssemblyResolver assemblyResolver;
|
AssemblyResolver assemblyResolver;
|
|
@ -25,7 +25,7 @@ using System.Text.RegularExpressions;
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
using de4dot.code.PE;
|
using de4dot.code.PE;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
|
||||||
class IniFile {
|
class IniFile {
|
||||||
Dictionary<string, string> nameToValue = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
|
Dictionary<string, string> nameToValue = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
|
||||||
|
|
|
@ -22,7 +22,7 @@ using Mono.Cecil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
using de4dot.blocks.cflow;
|
using de4dot.blocks.cflow;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
|
||||||
class AssemblyResolver {
|
class AssemblyResolver {
|
||||||
DecryptMethod decryptMethod = new DecryptMethod();
|
DecryptMethod decryptMethod = new DecryptMethod();
|
||||||
|
|
|
@ -21,7 +21,7 @@ using System;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
|
||||||
class DecryptMethod {
|
class DecryptMethod {
|
||||||
MethodDefinition decryptionMethod;
|
MethodDefinition decryptionMethod;
|
||||||
byte[] key;
|
byte[] key;
|
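--- a/de4dot.code/deobfuscators/dotNET_Reactor3/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor3/Deobfuscator.cs
@@ -0,0 +1,246 @@
+/*
+Copyright (C) 2011 de4dot@gmail.com
+
+This file is part of de4dot.
+
+de4dot is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+de4dot is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with de4dot. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Text.RegularExpressions;
+using Mono.Cecil;
+using Mono.Cecil.Cil;
+using Mono.MyStuff;
+using de4dot.blocks;
+using de4dot.code.PE;
+
+namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
+public class DeobfuscatorInfo : DeobfuscatorInfoBase {
+public const string THE_NAME = ".NET Reactor";
+public const string THE_TYPE = "dr3";
+const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
+BoolOption restoreTypes;
+BoolOption inlineMethods;
+BoolOption removeInlinedMethods;
+BoolOption removeNamespaces;
+BoolOption removeAntiStrongName;
+
+public DeobfuscatorInfo()
+: base(DEFAULT_REGEX) {
+restoreTypes = new BoolOption(null, makeArgName("types"), "Restore types (object -> real type)", true);
+inlineMethods = new BoolOption(null, makeArgName("inline"), "Inline short methods", true);
+removeInlinedMethods = new BoolOption(null, makeArgName("remove-inlined"), "Remove inlined methods", true);
+removeNamespaces = new BoolOption(null, makeArgName("ns1"), "Clear namespace if there's only one class in it", true);
+removeAntiStrongName = new BoolOption(null, makeArgName("sn"), "Remove anti strong name code", true);
+}
+
+public override string Name {
+get { return THE_NAME; }
+}
+
+public override string Type {
+get { return THE_TYPE; }
+}
+
+public override IDeobfuscator createDeobfuscator() {
+return new Deobfuscator(new Deobfuscator.Options {
+ValidNameRegex = validNameRegex.get(),
+RestoreTypes = restoreTypes.get(),
+InlineMethods = inlineMethods.get(),
+RemoveInlinedMethods = removeInlinedMethods.get(),
+RemoveNamespaces = removeNamespaces.get(),
+RemoveAntiStrongName = removeAntiStrongName.get(),
+});
+}
+
+protected override IEnumerable<Option> getOptionsInternal() {
+return new List<Option>() {
+restoreTypes,
+inlineMethods,
+removeInlinedMethods,
+removeNamespaces,
+removeAntiStrongName,
+};
+}
+}
+
+class Deobfuscator : DeobfuscatorBase {
+Options options;
+string obfuscatorName = DeobfuscatorInfo.THE_NAME;
+
+List<UnpackedFile> unpackedFiles = new List<UnpackedFile>();
+
+bool unpackedNativeFile = false;
+bool startedDeobfuscating = false;
+
+internal class Options : OptionsBase {
+public bool RestoreTypes { get; set; }
+public bool InlineMethods { get; set; }
+public bool RemoveInlinedMethods { get; set; }
+public bool RemoveNamespaces { get; set; }
+public bool RemoveAntiStrongName { get; set; }
+}
+
+public override string Type {
+get { return DeobfuscatorInfo.THE_TYPE; }
+}
+
+public override string TypeLong {
+get { return DeobfuscatorInfo.THE_NAME + " 3.x"; }
+}
+
+public override string Name {
+get { return obfuscatorName; }
+}
+
+public override bool CanInlineMethods {
+get { return startedDeobfuscating ? options.InlineMethods : true; }
+}
+
+public Deobfuscator(Options options)
+: base(options) {
+this.options = options;
+
+if (options.RemoveNamespaces)
+this.RenamingOptions |= RenamingOptions.RemoveNamespaceIfOneType;
+else
+this.RenamingOptions &= ~RenamingOptions.RemoveNamespaceIfOneType;
+}
+
+public override byte[] unpackNativeFile(PeImage peImage) {
+var unpackerv3 = new ApplicationModeUnpacker(peImage);
+var data = unpackerv3.unpack();
+if (data == null)
+return null;
+
+unpackedFiles.AddRange(unpackerv3.EmbeddedAssemblies);
+unpackedNativeFile = true;
+ModuleBytes = data;
+return data;
+}
+
+public override void init(ModuleDefinition module) {
+base.init(module);
+}
+
+static Regex isRandomName = new Regex(@"^[A-Z]{30,40}$");
+static Regex isRandomNameMembers = new Regex(@"^[a-zA-Z0-9]{9,11}$"); // methods, fields, props, events
+static Regex isRandomNameTypes = new Regex(@"^[a-zA-Z0-9]{18,19}(?:`\d+)?$"); // types, namespaces
+
+bool checkValidName(string name, Regex regex) {
+if (isRandomName.IsMatch(name))
+return false;
+if (regex.IsMatch(name)) {
+if (RandomNameChecker.isRandom(name))
+return false;
+if (!RandomNameChecker.isNonRandom(name))
+return false;
+}
+return checkValidName(name);
+}
+
+public override bool isValidNamespaceName(string ns) {
+if (ns == null)
+return false;
+if (ns.Contains("."))
+return base.isValidNamespaceName(ns);
+return checkValidName(ns, isRandomNameTypes);
+}
+
+public override bool isValidTypeName(string name) {
+return name != null && checkValidName(name, isRandomNameTypes);
+}
+
+public override bool isValidMethodName(string name) {
+return name != null && checkValidName(name, isRandomNameMembers);
+}
+
+public override bool isValidPropertyName(string name) {
+return name != null && checkValidName(name, isRandomNameMembers);
+}
+
+public override bool isValidEventName(string name) {
+return name != null && checkValidName(name, isRandomNameMembers);
+}
+
+public override bool isValidFieldName(string name) {
+return name != null && checkValidName(name, isRandomNameMembers);
+}
+
+public override bool isValidGenericParamName(string name) {
+return name != null && checkValidName(name, isRandomNameMembers);
+}
+
+public override bool isValidMethodArgName(string name) {
+return name != null && checkValidName(name, isRandomNameMembers);
+}
+
+protected override int detectInternal() {
+int val = 0;
+
+if (unpackedNativeFile)
+val += 100;
+
+return val;
+}
+
+static int convert(bool b) {
+return b ? 1 : 0;
+}
+
+protected override void scanForObfuscator() {
+obfuscatorName = detectVersion();
+if (unpackedNativeFile)
+obfuscatorName += " (native)";
+}
+
+string detectVersion() {
+return DeobfuscatorInfo.THE_NAME + " 3.x";
+}
+
+public override void deobfuscateBegin() {
+base.deobfuscateBegin();
+
+dumpUnpackedFiles();
+
+startedDeobfuscating = true;
+}
+
+void dumpUnpackedFiles() {
+foreach (var unpackedFile in unpackedFiles)
+DeobfuscatedFile.createAssemblyFile(unpackedFile.data, Path.GetFileNameWithoutExtension(unpackedFile.filename), Path.GetExtension(unpackedFile.filename));
+}
+
+public override void deobfuscateEnd() {
+removeInlinedMethods();
+if (options.RestoreTypes)
+new TypesRestorer(module).deobfuscate();
+
+base.deobfuscateEnd();
+}
+
+void removeInlinedMethods() {
+if (!options.InlineMethods || !options.RemoveInlinedMethods)
+return;
+findAndRemoveInlinedMethods();
+}
+
+public override IEnumerable<string> getStringDecrypterMethods() {
+var list = new List<string>();
+return list;
+}
+}
+}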
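Review bot: `dumpUnpackedFiles` builds output file names from `unpackedFile.filename`, which comes from `unpackerv3.EmbeddedAssemblies`, i.e. from the packed input being analysed. `Path.GetFileNameWithoutExtension` and `Path.GetExtension` strip directory components, but on .NET Framework they throw `ArgumentException` for names containing invalid path characters, and nothing here stops two embedded files (or an existing output file) from sharing a name. `createAssemblyFile` is not shown; unless it already sanitises names and refuses to overwrite, validate the name here and fall back to a generated one. Separately, `RemoveAntiStrongName` is exposed as an option but never read in this file, and `convert` is unused.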
|
@ -26,7 +26,7 @@ using de4dot.blocks;
|
||||||
using de4dot.blocks.cflow;
|
using de4dot.blocks.cflow;
|
||||||
using de4dot.code.PE;
|
using de4dot.code.PE;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
|
||||||
class MemoryPatcher {
|
class MemoryPatcher {
|
||||||
DecryptMethod decryptMethod = new DecryptMethod();
|
DecryptMethod decryptMethod = new DecryptMethod();
|
||||||
List<PatchInfo> patchInfos = new List<PatchInfo>();
|
List<PatchInfo> patchInfos = new List<PatchInfo>();
|
|
@ -22,7 +22,7 @@ using Mono.Cecil;
|
||||||
using Mono.Cecil.Cil;
|
using Mono.Cecil.Cil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
class AntiStrongName {
|
class AntiStrongName {
|
||||||
TypeDefinition decrypterType;
|
TypeDefinition decrypterType;
|
||||||
MethodDefinition antiStrongNameMethod;
|
MethodDefinition antiStrongNameMethod;
|
|
@ -23,7 +23,7 @@ using System.IO;
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
class ResourceInfo {
|
class ResourceInfo {
|
||||||
public EmbeddedResource resource;
|
public EmbeddedResource resource;
|
||||||
public string name;
|
public string name;
|
|
@ -22,7 +22,7 @@ using Mono.Cecil;
|
||||||
using Mono.Cecil.Cil;
|
using Mono.Cecil.Cil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
class BoolValueInliner : MethodReturnValueInliner {
|
class BoolValueInliner : MethodReturnValueInliner {
|
||||||
Dictionary<MethodReferenceAndDeclaringTypeKey, Func<MethodDefinition, object[], bool>> boolDecrypters = new Dictionary<MethodReferenceAndDeclaringTypeKey, Func<MethodDefinition, object[], bool>>();
|
Dictionary<MethodReferenceAndDeclaringTypeKey, Func<MethodDefinition, object[], bool>> boolDecrypters = new Dictionary<MethodReferenceAndDeclaringTypeKey, Func<MethodDefinition, object[], bool>>();
|
||||||
|
|
|
@ -21,7 +21,7 @@ using System;
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
class BooleanDecrypter {
|
class BooleanDecrypter {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
EncryptedResource encryptedResource;
|
EncryptedResource encryptedResource;
|
|
@ -27,10 +27,10 @@ using Mono.MyStuff;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
using de4dot.code.PE;
|
using de4dot.code.PE;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||||
public const string THE_NAME = ".NET Reactor";
|
public const string THE_NAME = ".NET Reactor";
|
||||||
public const string THE_TYPE = "dr";
|
public const string THE_TYPE = "dr4";
|
||||||
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
||||||
BoolOption decryptMethods;
|
BoolOption decryptMethods;
|
||||||
BoolOption decryptBools;
|
BoolOption decryptBools;
|
||||||
|
@ -99,7 +99,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
||||||
|
|
||||||
class Deobfuscator : DeobfuscatorBase {
|
class Deobfuscator : DeobfuscatorBase {
|
||||||
Options options;
|
Options options;
|
||||||
string obfuscatorName = ".NET Reactor";
|
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
|
||||||
|
|
||||||
PeImage peImage;
|
PeImage peImage;
|
||||||
byte[] fileData;
|
byte[] fileData;
|
||||||
|
@ -112,7 +112,6 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
||||||
ResourceResolver resourceResolver;
|
ResourceResolver resourceResolver;
|
||||||
AntiStrongName antiStrongname;
|
AntiStrongName antiStrongname;
|
||||||
EmptyClass emptyClass;
|
EmptyClass emptyClass;
|
||||||
List<UnpackedFile> unpackedFiles = new List<UnpackedFile>();
|
|
||||||
|
|
||||||
bool unpackedNativeFile = false;
|
bool unpackedNativeFile = false;
|
||||||
bool canRemoveDecrypterType = true;
|
bool canRemoveDecrypterType = true;
|
||||||
|
@ -136,7 +135,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string TypeLong {
|
public override string TypeLong {
|
||||||
get { return DeobfuscatorInfo.THE_NAME; }
|
get { return DeobfuscatorInfo.THE_NAME + " 4.x"; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string Name {
|
public override string Name {
|
||||||
|
@ -158,7 +157,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
||||||
}
|
}
|
||||||
|
|
||||||
public override byte[] unpackNativeFile(PeImage peImage) {
|
public override byte[] unpackNativeFile(PeImage peImage) {
|
||||||
var data = unpack(peImage);
|
var data = new NativeImageUnpacker(peImage).unpack();
|
||||||
if (data == null)
|
if (data == null)
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
|
@ -167,21 +166,6 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
||||||
return data;
|
return data;
|
||||||
}
|
}
|
||||||
|
|
||||||
byte[] unpack(PeImage peImage) {
|
|
||||||
var data = new NativeImageUnpacker(peImage).unpack();
|
|
||||||
if (data != null)
|
|
||||||
return data;
|
|
||||||
|
|
||||||
var unpackerv3 = new v3.ApplicationModeUnpacker(peImage);
|
|
||||||
data = unpackerv3.unpack();
|
|
||||||
if (data != null) {
|
|
||||||
unpackedFiles.AddRange(unpackerv3.EmbeddedAssemblies);
|
|
||||||
return data;
|
|
||||||
}
|
|
||||||
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
|
|
||||||
public override void init(ModuleDefinition module) {
|
public override void init(ModuleDefinition module) {
|
||||||
base.init(module);
|
base.init(module);
|
||||||
}
|
}
|
||||||
|
@ -326,31 +310,31 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
||||||
continue;
|
continue;
|
||||||
localTypes = new LocalTypes(info.method);
|
localTypes = new LocalTypes(info.method);
|
||||||
if (!localTypes.exists("System.IntPtr"))
|
if (!localTypes.exists("System.IntPtr"))
|
||||||
return ".NET Reactor <= 3.7";
|
return DeobfuscatorInfo.THE_NAME + " <= 3.7";
|
||||||
minVer = 3800;
|
minVer = 3800;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (methodsDecrypter.Method == null) {
|
if (methodsDecrypter.Method == null) {
|
||||||
if (minVer >= 3800)
|
if (minVer >= 3800)
|
||||||
return ".NET Reactor >= 3.8";
|
return DeobfuscatorInfo.THE_NAME + " >= 3.8";
|
||||||
return ".NET Reactor";
|
return DeobfuscatorInfo.THE_NAME;
|
||||||
}
|
}
|
||||||
localTypes = new LocalTypes(methodsDecrypter.Method);
|
localTypes = new LocalTypes(methodsDecrypter.Method);
|
||||||
|
|
||||||
if (localTypes.exists("System.Int32[]")) {
|
if (localTypes.exists("System.Int32[]")) {
|
||||||
if (minVer >= 3800)
|
if (minVer >= 3800)
|
||||||
return ".NET Reactor 3.8.4.1 - 3.9.0.1";
|
return DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1";
|
||||||
return ".NET Reactor <= 3.9.0.1";
|
return DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1";
|
||||||
}
|
}
|
||||||
if (!localTypes.exists("System.Diagnostics.Process")) { // If < 4.0
|
if (!localTypes.exists("System.Diagnostics.Process")) { // If < 4.0
|
||||||
if (localTypes.exists("System.Diagnostics.StackFrame"))
|
if (localTypes.exists("System.Diagnostics.StackFrame"))
|
||||||
return ".NET Reactor 3.9.8.0";
|
return DeobfuscatorInfo.THE_NAME + " 3.9.8.0";
|
||||||
}
|
}
|
||||||
|
|
||||||
var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
|
var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
|
||||||
if (compileMethod == null)
|
if (compileMethod == null)
|
||||||
return ".NET Reactor < 4.0";
|
return DeobfuscatorInfo.THE_NAME + " < 4.0";
|
||||||
DeobfuscatedFile.deobfuscate(compileMethod);
|
DeobfuscatedFile.deobfuscate(compileMethod);
|
||||||
bool compileMethodHasConstant_0x70000000 = findConstant(compileMethod, 0x70000000); // 4.0-4.1
|
bool compileMethodHasConstant_0x70000000 = findConstant(compileMethod, 0x70000000); // 4.0-4.1
|
||||||
DeobfuscatedFile.deobfuscate(methodsDecrypter.Method);
|
DeobfuscatedFile.deobfuscate(methodsDecrypter.Method);
|
||||||
|
@ -358,20 +342,20 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
||||||
|
|
||||||
if (compileMethodHasConstant_0x70000000) {
|
if (compileMethodHasConstant_0x70000000) {
|
||||||
if (hasCorEnableProfilingString)
|
if (hasCorEnableProfilingString)
|
||||||
return ".NET Reactor 4.1";
|
return DeobfuscatorInfo.THE_NAME + " 4.1";
|
||||||
return ".NET Reactor 4.0";
|
return DeobfuscatorInfo.THE_NAME + " 4.0";
|
||||||
}
|
}
|
||||||
if (!hasCorEnableProfilingString)
|
if (!hasCorEnableProfilingString)
|
||||||
return ".NET Reactor";
|
return DeobfuscatorInfo.THE_NAME;
|
||||||
// 4.2-4.4
|
// 4.2-4.4
|
||||||
|
|
||||||
if (!localTypes.exists("System.Byte&"))
|
if (!localTypes.exists("System.Byte&"))
|
||||||
return ".NET Reactor 4.2";
|
return DeobfuscatorInfo.THE_NAME + " 4.2";
|
||||||
|
|
||||||
localTypes = new LocalTypes(compileMethod);
|
localTypes = new LocalTypes(compileMethod);
|
||||||
if (localTypes.exists("System.Object"))
|
if (localTypes.exists("System.Object"))
|
||||||
return ".NET Reactor 4.4";
|
return DeobfuscatorInfo.THE_NAME + " 4.4";
|
||||||
return ".NET Reactor 4.3";
|
return DeobfuscatorInfo.THE_NAME + " 4.3";
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool findString(MethodDefinition method, string s) {
|
static bool findString(MethodDefinition method, string s) {
|
||||||
|
@ -522,16 +506,9 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
||||||
if (options.InlineMethods)
|
if (options.InlineMethods)
|
||||||
addTypeToBeRemoved(emptyClass.Type, "Empty class");
|
addTypeToBeRemoved(emptyClass.Type, "Empty class");
|
||||||
|
|
||||||
dumpUnpackedFiles();
|
|
||||||
|
|
||||||
startedDeobfuscating = true;
|
startedDeobfuscating = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
void dumpUnpackedFiles() {
|
|
||||||
foreach (var unpackedFile in unpackedFiles)
|
|
||||||
DeobfuscatedFile.createAssemblyFile(unpackedFile.data, Path.GetFileNameWithoutExtension(unpackedFile.filename), Path.GetExtension(unpackedFile.filename));
|
|
||||||
}
|
|
||||||
|
|
||||||
void addEntryPointCallToBeRemoved(MethodReference methodToBeRemoved) {
|
void addEntryPointCallToBeRemoved(MethodReference methodToBeRemoved) {
|
||||||
var entryPoint = module.EntryPoint;
|
var entryPoint = module.EntryPoint;
|
||||||
addCallToBeRemoved(entryPoint, methodToBeRemoved);
|
addCallToBeRemoved(entryPoint, methodToBeRemoved);
|
||||||
|
@ -615,170 +592,10 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
||||||
base.deobfuscateEnd();
|
base.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
class UnusedMethodsFinder {
|
|
||||||
ModuleDefinition module;
|
|
||||||
Dictionary<MethodDefinition, bool> possiblyUnusedMethods = new Dictionary<MethodDefinition, bool>();
|
|
||||||
Stack<MethodDefinition> notUnusedStack = new Stack<MethodDefinition>();
|
|
||||||
|
|
||||||
public UnusedMethodsFinder(ModuleDefinition module, IEnumerable<MethodDefinition> possiblyUnusedMethods) {
|
|
||||||
this.module = module;
|
|
||||||
foreach (var method in possiblyUnusedMethods) {
|
|
||||||
if (method != module.EntryPoint)
|
|
||||||
this.possiblyUnusedMethods[method] = true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public IEnumerable<MethodDefinition> find() {
|
|
||||||
if (possiblyUnusedMethods.Count == 0)
|
|
||||||
return possiblyUnusedMethods.Keys;
|
|
||||||
|
|
||||||
foreach (var type in module.GetTypes()) {
|
|
||||||
foreach (var method in type.Methods)
|
|
||||||
check(method);
|
|
||||||
}
|
|
||||||
|
|
||||||
while (notUnusedStack.Count > 0) {
|
|
||||||
var method = notUnusedStack.Pop();
|
|
||||||
if (!possiblyUnusedMethods.Remove(method))
|
|
||||||
continue;
|
|
||||||
check(method);
|
|
||||||
}
|
|
||||||
|
|
||||||
return possiblyUnusedMethods.Keys;
|
|
||||||
}
|
|
||||||
|
|
||||||
void check(MethodDefinition method) {
|
|
||||||
if (method.Body == null)
|
|
||||||
return;
|
|
||||||
if (possiblyUnusedMethods.ContainsKey(method))
|
|
||||||
return;
|
|
||||||
|
|
||||||
foreach (var instr in method.Body.Instructions) {
|
|
||||||
switch (instr.OpCode.Code) {
|
|
||||||
case Code.Call:
|
|
||||||
case Code.Calli:
|
|
||||||
case Code.Callvirt:
|
|
||||||
case Code.Newobj:
|
|
||||||
case Code.Ldtoken:
|
|
||||||
case Code.Ldftn:
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
var calledMethod = DotNetUtils.getMethod(module, instr.Operand as MethodReference);
|
|
||||||
if (calledMethod == null)
|
|
||||||
continue;
|
|
||||||
if (possiblyUnusedMethods.ContainsKey(calledMethod))
|
|
||||||
notUnusedStack.Push(calledMethod);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
void removeInlinedMethods() {
|
void removeInlinedMethods() {
|
||||||
if (!options.InlineMethods || !options.RemoveInlinedMethods)
|
if (!options.InlineMethods || !options.RemoveInlinedMethods)
|
||||||
return;
|
return;
|
||||||
|
findAndRemoveInlinedMethods();
|
||||||
// Not all garbage methods are inlined, possibly because we remove some code that calls
|
|
||||||
// the garbage method before the methods inliner has a chance to inline it. Try to find
|
|
||||||
// all garbage methods and other code will figure out if there are any calls left.
|
|
||||||
|
|
||||||
var inlinedMethods = new List<MethodDefinition>();
|
|
||||||
foreach (var type in module.GetTypes()) {
|
|
||||||
foreach (var method in type.Methods) {
|
|
||||||
if (!method.IsStatic)
|
|
||||||
continue;
|
|
||||||
if (!method.IsAssembly && !method.IsCompilerControlled)
|
|
||||||
continue;
|
|
||||||
if (method.GenericParameters.Count > 0)
|
|
||||||
continue;
|
|
||||||
if (method.Name == ".cctor")
|
|
||||||
continue;
|
|
||||||
if (method.Body == null)
|
|
||||||
continue;
|
|
||||||
var instrs = method.Body.Instructions;
|
|
||||||
if (instrs.Count < 2)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
switch (instrs[0].OpCode.Code) {
|
|
||||||
case Code.Ldc_I4:
|
|
||||||
case Code.Ldc_I4_0:
|
|
||||||
case Code.Ldc_I4_1:
|
|
||||||
case Code.Ldc_I4_2:
|
|
||||||
case Code.Ldc_I4_3:
|
|
||||||
case Code.Ldc_I4_4:
|
|
||||||
case Code.Ldc_I4_5:
|
|
||||||
case Code.Ldc_I4_6:
|
|
||||||
case Code.Ldc_I4_7:
|
|
||||||
case Code.Ldc_I4_8:
|
|
||||||
case Code.Ldc_I4_M1:
|
|
||||||
case Code.Ldc_I4_S:
|
|
||||||
case Code.Ldc_I8:
|
|
||||||
case Code.Ldc_R4:
|
|
||||||
case Code.Ldc_R8:
|
|
||||||
case Code.Ldftn:
|
|
||||||
case Code.Ldnull:
|
|
||||||
case Code.Ldstr:
|
|
||||||
case Code.Ldtoken:
|
|
||||||
case Code.Ldsfld:
|
|
||||||
case Code.Ldsflda:
|
|
||||||
if (instrs[1].OpCode.Code != Code.Ret)
|
|
||||||
continue;
|
|
||||||
break;
|
|
||||||
|
|
||||||
case Code.Ldarg:
|
|
||||||
case Code.Ldarg_S:
|
|
||||||
case Code.Ldarg_0:
|
|
||||||
case Code.Ldarg_1:
|
|
||||||
case Code.Ldarg_2:
|
|
||||||
case Code.Ldarg_3:
|
|
||||||
case Code.Call:
|
|
||||||
if (!isCallMethod(method))
|
|
||||||
continue;
|
|
||||||
break;
|
|
||||||
|
|
||||||
default:
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
inlinedMethods.Add(method);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
addMethodsToBeRemoved(new UnusedMethodsFinder(module, inlinedMethods).find(), "Inlined method");
|
|
||||||
}
|
|
||||||
|
|
||||||
bool isCallMethod(MethodDefinition method) {
|
|
||||||
int loadIndex = 0;
|
|
||||||
int methodArgsCount = DotNetUtils.getArgsCount(method);
|
|
||||||
var instrs = method.Body.Instructions;
|
|
||||||
int i = 0;
|
|
||||||
for (; i < instrs.Count && i < methodArgsCount; i++) {
|
|
||||||
var instr = instrs[i];
|
|
||||||
switch (instr.OpCode.Code) {
|
|
||||||
case Code.Ldarg:
|
|
||||||
case Code.Ldarg_S:
|
|
||||||
case Code.Ldarg_0:
|
|
||||||
case Code.Ldarg_1:
|
|
||||||
case Code.Ldarg_2:
|
|
||||||
case Code.Ldarg_3:
|
|
||||||
if (DotNetUtils.getArgIndex(method, instr) != loadIndex)
|
|
||||||
return false;
|
|
||||||
loadIndex++;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (loadIndex != methodArgsCount)
|
|
||||||
return false;
|
|
||||||
if (i + 1 >= instrs.Count)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
if (instrs[i].OpCode.Code != Code.Call && instrs[i].OpCode.Code != Code.Callvirt)
|
|
||||||
return false;
|
|
||||||
if (instrs[i + 1].OpCode.Code != Code.Ret)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public override IEnumerable<string> getStringDecrypterMethods() {
|
public override IEnumerable<string> getStringDecrypterMethods() {
|
|
@ -20,7 +20,7 @@
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
// Detect some empty class that is called from most .ctor's
|
// Detect some empty class that is called from most .ctor's
|
||||||
class EmptyClass {
|
class EmptyClass {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
|
@ -25,7 +25,7 @@ using Mono.Cecil;
|
||||||
using Mono.Cecil.Cil;
|
using Mono.Cecil.Cil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
class EncryptedResource {
|
class EncryptedResource {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
MethodDefinition resourceDecrypterMethod;
|
MethodDefinition resourceDecrypterMethod;
|
|
@ -21,7 +21,7 @@ using Mono.Cecil;
|
||||||
using Mono.Cecil.Cil;
|
using Mono.Cecil.Cil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
// Find the class that returns a RuntimeTypeHandle/RuntimeFieldHandle. The value passed to
|
// Find the class that returns a RuntimeTypeHandle/RuntimeFieldHandle. The value passed to
|
||||||
// its methods is the original metadata token, which will be different when we save the file.
|
// its methods is the original metadata token, which will be different when we save the file.
|
||||||
class MetadataTokenObfuscator {
|
class MetadataTokenObfuscator {
|
|
@ -26,7 +26,7 @@ using Mono.MyStuff;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
using de4dot.code.PE;
|
using de4dot.code.PE;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
class MethodsDecrypter {
|
class MethodsDecrypter {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
EncryptedResource encryptedResource;
|
EncryptedResource encryptedResource;
|
|
@ -19,7 +19,7 @@
|
||||||
|
|
||||||
using System;
|
using System;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
class NativeFileDecrypter {
|
class NativeFileDecrypter {
|
||||||
byte[] key;
|
byte[] key;
|
||||||
byte kb = 0;
|
byte kb = 0;
|
|
@ -22,7 +22,7 @@ using System.IO;
|
||||||
using ICSharpCode.SharpZipLib.Zip.Compression;
|
using ICSharpCode.SharpZipLib.Zip.Compression;
|
||||||
using de4dot.code.PE;
|
using de4dot.code.PE;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
class NativeImageUnpacker {
|
class NativeImageUnpacker {
|
||||||
PeImage peImage;
|
PeImage peImage;
|
||||||
bool isNet1x;
|
bool isNet1x;
|
|
@ -23,7 +23,7 @@ using Mono.Cecil;
|
||||||
using Mono.Cecil.Cil;
|
using Mono.Cecil.Cil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
class ResourceResolver {
|
class ResourceResolver {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
EncryptedResource encryptedResource;
|
EncryptedResource encryptedResource;
|
|
@ -26,7 +26,7 @@ using Mono.Cecil.Cil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
using de4dot.code.PE;
|
using de4dot.code.PE;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
namespace de4dot.code.deobfuscators.dotNET_Reactor4 {
|
||||||
class StringDecrypter {
|
class StringDecrypter {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
EncryptedResource encryptedResource;
|
EncryptedResource encryptedResource;
|
|
@ -33,7 +33,8 @@ namespace de4dot.cui {
|
||||||
new de4dot.code.deobfuscators.CliSecure.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.CliSecure.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.dotNET_Reactor.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.dotNET_Reactor3.DeobfuscatorInfo(),
|
||||||
|
new de4dot.code.deobfuscators.dotNET_Reactor4.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.Eazfuscator.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Eazfuscator.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.Xenocode.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Xenocode.DeobfuscatorInfo(),
|
||||||
|
|
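Review bot: The deobfuscator list now carries two entries for the same obfuscator family, `dotNET_Reactor3.DeobfuscatorInfo` and `dotNET_Reactor4.DeobfuscatorInfo`, and nothing at this spot says why, or how a sample is assigned when both detectors match. A short comment above the pair would help, e.g. `// .NET Reactor is split by major version; the 3.x and 4.x deobfuscators are registered separately`. Neither class's short type name or option prefix is visible in this section, so it is worth confirming they differ; if both kept the pre-split value, selecting one from the command line would presumably become ambiguous. The enclosing list starts and ends outside the hunk.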