Update DNR version number detection code
This commit is contained in:
parent
7505f6096f
commit
0ddbe16349
|
@ -20,6 +20,7 @@
|
||||||
using System.IO;
|
using System.IO;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
|
using Mono.Cecil.Cil;
|
||||||
using Mono.MyStuff;
|
using Mono.MyStuff;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
|
@ -141,11 +142,10 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
- "System.Int32[]"
|
- "System.Int32[]"
|
||||||
+ "System.Diagnostics.StackFrame"
|
+ "System.Diagnostics.StackFrame"
|
||||||
|
|
||||||
4.3.1.0 (jitter):
|
4.0.0.0: (jitter)
|
||||||
- "System.Diagnostics.StackFrame"
|
- "System.Diagnostics.StackFrame"
|
||||||
- "System.Object"
|
- "System.Object"
|
||||||
+ "System.Boolean"
|
+ "System.Boolean"
|
||||||
+ "System.Byte&"
|
|
||||||
+ "System.Collections.IEnumerator"
|
+ "System.Collections.IEnumerator"
|
||||||
+ "System.Delegate"
|
+ "System.Delegate"
|
||||||
+ "System.Diagnostics.Process"
|
+ "System.Diagnostics.Process"
|
||||||
|
@ -155,6 +155,12 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
+ "System.Int64"
|
+ "System.Int64"
|
||||||
+ "System.UInt32"
|
+ "System.UInt32"
|
||||||
+ "System.UInt64"
|
+ "System.UInt64"
|
||||||
|
|
||||||
|
4.1.0.0: (jitter)
|
||||||
|
+ "System.Reflection.Assembly"
|
||||||
|
|
||||||
|
4.3.1.0: (jitter)
|
||||||
|
+ "System.Byte&"
|
||||||
*/
|
*/
|
||||||
|
|
||||||
LocalTypes localTypes;
|
LocalTypes localTypes;
|
||||||
|
@ -181,12 +187,72 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
return ".NET Reactor 3.8.4.1 - 3.9.0.1";
|
return ".NET Reactor 3.8.4.1 - 3.9.0.1";
|
||||||
return ".NET Reactor <= 3.9.0.1";
|
return ".NET Reactor <= 3.9.0.1";
|
||||||
}
|
}
|
||||||
|
if (!localTypes.exists("System.Diagnostics.Process")) { // If < 4.0
|
||||||
|
if (localTypes.exists("System.Diagnostics.StackFrame"))
|
||||||
|
return ".NET Reactor 3.9.8.0";
|
||||||
|
}
|
||||||
|
|
||||||
|
var compileMethod = findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType);
|
||||||
|
if (compileMethod == null)
|
||||||
|
return ".NET Reactor < 4.0";
|
||||||
|
DeobfuscatedFile.deobfuscate(compileMethod);
|
||||||
|
bool compileMethodHasConstant_0x70000000 = findConstant(compileMethod, 0x70000000); // 4.0-4.1
|
||||||
|
DeobfuscatedFile.deobfuscate(methodsDecrypter.MethodsDecrypterMethod);
|
||||||
|
bool hasCorEnableProfilingString = findString(methodsDecrypter.MethodsDecrypterMethod, "Cor_Enable_Profiling"); // 4.1-4.4
|
||||||
|
|
||||||
|
if (compileMethodHasConstant_0x70000000) {
|
||||||
|
if (hasCorEnableProfilingString)
|
||||||
|
return ".NET Reactor 4.1";
|
||||||
|
return ".NET Reactor 4.0";
|
||||||
|
}
|
||||||
|
if (!hasCorEnableProfilingString)
|
||||||
|
return ".NET Reactor";
|
||||||
|
// 4.2-4.4
|
||||||
|
|
||||||
if (localTypes.exists("System.Diagnostics.StackFrame"))
|
|
||||||
return ".NET Reactor 3.9.8.0 - 4.2";
|
|
||||||
if (!localTypes.exists("System.Byte&"))
|
if (!localTypes.exists("System.Byte&"))
|
||||||
return ".NET Reactor 4.0-4.2";
|
return ".NET Reactor 4.2";
|
||||||
return ".NET Reactor 4.3-4.4";
|
|
||||||
|
localTypes = new LocalTypes(compileMethod);
|
||||||
|
if (localTypes.exists("System.Object"))
|
||||||
|
return ".NET Reactor 4.4";
|
||||||
|
return ".NET Reactor 4.3";
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool findString(MethodDefinition method, string s) {
|
||||||
|
if (method == null || method.Body == null)
|
||||||
|
return false;
|
||||||
|
foreach (var instr in method.Body.Instructions) {
|
||||||
|
if (instr.OpCode.Code != Code.Ldstr)
|
||||||
|
continue;
|
||||||
|
if (s == (string)instr.Operand)
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool findConstant(MethodDefinition method, int constant) {
|
||||||
|
if (method == null || method.Body == null)
|
||||||
|
return false;
|
||||||
|
foreach (var instr in method.Body.Instructions) {
|
||||||
|
if (instr.OpCode.Code != Code.Ldc_I4)
|
||||||
|
continue;
|
||||||
|
if (constant == (int)instr.Operand)
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static MethodDefinition findDnrCompileMethod(TypeDefinition type) {
|
||||||
|
foreach (var method in type.Methods) {
|
||||||
|
if (!method.IsStatic || method.Body == null)
|
||||||
|
continue;
|
||||||
|
if (method.Parameters.Count != 6)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
|
||||||
|
continue;
|
||||||
|
return method;
|
||||||
|
}
|
||||||
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
||||||
|
|
Loading…
Reference in New Issue
Block a user