Refactor method call inliner code
This commit is contained in:
parent
9079445e01
commit
17327902c3
|
@ -44,10 +44,13 @@
|
|||
<Compile Include="cflow\DeadCodeRemover.cs" />
|
||||
<Compile Include="cflow\DeadStoreRemover.cs" />
|
||||
<Compile Include="cflow\ICflowDeobfuscator.cs" />
|
||||
<Compile Include="cflow\IMethodCallInliner.cs" />
|
||||
<Compile Include="cflow\InstructionEmulator.cs" />
|
||||
<Compile Include="cflow\Int32Value.cs" />
|
||||
<Compile Include="cflow\Int64Value.cs" />
|
||||
<Compile Include="cflow\MethodCallInliner.cs" />
|
||||
<Compile Include="cflow\MethodCallInlinerBase.cs" />
|
||||
<Compile Include="cflow\NoMethodInliner.cs" />
|
||||
<Compile Include="cflow\Real8Value.cs" />
|
||||
<Compile Include="cflow\StLdlocFixer.cs" />
|
||||
<Compile Include="cflow\SwitchCflowDeobfuscator.cs" />
|
||||
|
|
|
@ -30,14 +30,12 @@ namespace de4dot.blocks.cflow {
|
|||
DeadCodeRemover deadCodeRemover = new DeadCodeRemover();
|
||||
DeadStoreRemover deadStoreRemover = new DeadStoreRemover();
|
||||
StLdlocFixer stLdlocFixer = new StLdlocFixer();
|
||||
MethodCallInliner methodCallInliner = new MethodCallInliner();
|
||||
IMethodCallInliner methodCallInliner;
|
||||
ConstantsFolder constantsFolder = new ConstantsFolder();
|
||||
|
||||
public bool InlineMethods { get; set; }
|
||||
public bool InlineInstanceMethods { get; set; }
|
||||
|
||||
public void init(Blocks blocks) {
|
||||
public void init(Blocks blocks, IMethodCallInliner methodCallInliner) {
|
||||
this.blocks = blocks;
|
||||
this.methodCallInliner = methodCallInliner;
|
||||
}
|
||||
|
||||
public void deobfuscate() {
|
||||
|
@ -54,11 +52,9 @@ namespace de4dot.blocks.cflow {
|
|||
if (iterations == 0)
|
||||
changed |= fixDotfuscatorLoop();
|
||||
|
||||
if (InlineMethods) {
|
||||
foreach (var block in allBlocks) {
|
||||
methodCallInliner.init(blocks, block, InlineInstanceMethods);
|
||||
changed |= methodCallInliner.deobfuscate();
|
||||
}
|
||||
foreach (var block in allBlocks) {
|
||||
methodCallInliner.init(blocks, block);
|
||||
changed |= methodCallInliner.deobfuscate();
|
||||
}
|
||||
|
||||
foreach (var block in allBlocks) {
|
||||
|
|
|
@ -24,20 +24,15 @@ using Mono.Cecil.Cil;
|
|||
namespace de4dot.blocks.cflow {
|
||||
public class CflowDeobfuscator : ICflowDeobfuscator {
|
||||
BlocksCflowDeobfuscator cflowDeobfuscator = new BlocksCflowDeobfuscator();
|
||||
IMethodCallInliner methodCallInliner;
|
||||
|
||||
public bool InlineMethods { get; set; }
|
||||
public bool InlineInstanceMethods { get; set; }
|
||||
|
||||
public CflowDeobfuscator() {
|
||||
InlineMethods = true;
|
||||
InlineInstanceMethods = false;
|
||||
public CflowDeobfuscator(IMethodCallInliner methodCallInliner) {
|
||||
this.methodCallInliner = methodCallInliner;
|
||||
}
|
||||
|
||||
public void deobfuscate(MethodDefinition method) {
|
||||
deobfuscate(method, (blocks) => {
|
||||
cflowDeobfuscator.InlineMethods = InlineMethods;
|
||||
cflowDeobfuscator.InlineInstanceMethods = InlineInstanceMethods;
|
||||
cflowDeobfuscator.init(blocks);
|
||||
cflowDeobfuscator.init(blocks, methodCallInliner);
|
||||
cflowDeobfuscator.deobfuscate();
|
||||
});
|
||||
}
|
||||
|
|
27
blocks/cflow/IMethodCallInliner.cs
Normal file
27
blocks/cflow/IMethodCallInliner.cs
Normal file
|
@ -0,0 +1,27 @@
|
|||
/*
|
||||
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
namespace de4dot.blocks.cflow {
|
||||
public interface IMethodCallInliner {
|
||||
void init(Blocks blocks, Block block);
|
||||
|
||||
// Returns true if something was inlined
|
||||
bool deobfuscate();
|
||||
}
|
||||
}
|
|
@ -22,26 +22,14 @@ using Mono.Cecil;
|
|||
using Mono.Cecil.Cil;
|
||||
|
||||
namespace de4dot.blocks.cflow {
|
||||
class MethodCallInliner {
|
||||
// We can't catch all infinite loops, so inline methods at most this many times
|
||||
const int MAX_ITERATIONS = 10;
|
||||
|
||||
Blocks blocks;
|
||||
Block block;
|
||||
int iteration;
|
||||
public class MethodCallInliner : MethodCallInlinerBase {
|
||||
bool inlineInstanceMethods;
|
||||
|
||||
public void init(Blocks blocks, Block block, bool inlineInstanceMethods) {
|
||||
this.blocks = blocks;
|
||||
this.block = block;
|
||||
this.iteration = 0;
|
||||
public MethodCallInliner(bool inlineInstanceMethods) {
|
||||
this.inlineInstanceMethods = inlineInstanceMethods;
|
||||
}
|
||||
|
||||
public bool deobfuscate() {
|
||||
if (iteration++ >= MAX_ITERATIONS)
|
||||
return false;
|
||||
|
||||
protected override bool deobfuscateInternal() {
|
||||
bool changed = false;
|
||||
var instructions = block.Instructions;
|
||||
for (int i = 0; i < instructions.Count; i++) {
|
||||
|
|
44
blocks/cflow/MethodCallInlinerBase.cs
Normal file
44
blocks/cflow/MethodCallInlinerBase.cs
Normal file
|
@ -0,0 +1,44 @@
|
|||
/*
|
||||
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
namespace de4dot.blocks.cflow {
|
||||
public abstract class MethodCallInlinerBase : IMethodCallInliner {
|
||||
// We can't catch all infinite loops, so inline methods at most this many times
|
||||
const int MAX_ITERATIONS = 10;
|
||||
|
||||
protected Blocks blocks;
|
||||
protected Block block;
|
||||
int iteration;
|
||||
|
||||
public void init(Blocks blocks, Block block) {
|
||||
this.blocks = blocks;
|
||||
this.block = block;
|
||||
this.iteration = 0;
|
||||
}
|
||||
|
||||
public bool deobfuscate() {
|
||||
if (iteration++ >= MAX_ITERATIONS)
|
||||
return false;
|
||||
|
||||
return deobfuscateInternal();
|
||||
}
|
||||
|
||||
protected abstract bool deobfuscateInternal();
|
||||
}
|
||||
}
|
29
blocks/cflow/NoMethodInliner.cs
Normal file
29
blocks/cflow/NoMethodInliner.cs
Normal file
|
@ -0,0 +1,29 @@
|
|||
/*
|
||||
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
namespace de4dot.blocks.cflow {
|
||||
public class NoMethodInliner : IMethodCallInliner {
|
||||
public void init(Blocks blocks, Block block) {
|
||||
}
|
||||
|
||||
public bool deobfuscate() {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
|
@ -537,13 +537,14 @@ namespace de4dot.code {
|
|||
|
||||
Log.v("Deobfuscating methods");
|
||||
var methodPrinter = new MethodPrinter();
|
||||
var cflowDeobfuscator = new BlocksCflowDeobfuscator { InlineMethods = deob.CanInlineMethods };
|
||||
var cflowDeobfuscator = new BlocksCflowDeobfuscator();
|
||||
var methodCallInliner = deob.MethodCallInliner;
|
||||
foreach (var method in allMethods) {
|
||||
Log.v("Deobfuscating {0} ({1:X8})", Utils.removeNewlines(method), method.MetadataToken.ToUInt32());
|
||||
Log.indent();
|
||||
|
||||
try {
|
||||
deobfuscate(method, cflowDeobfuscator, methodPrinter);
|
||||
deobfuscate(method, cflowDeobfuscator, methodCallInliner, methodPrinter);
|
||||
}
|
||||
catch (ApplicationException) {
|
||||
throw;
|
||||
|
@ -559,7 +560,7 @@ namespace de4dot.code {
|
|||
}
|
||||
}
|
||||
|
||||
void deobfuscate(MethodDefinition method, BlocksCflowDeobfuscator cflowDeobfuscator, MethodPrinter methodPrinter) {
|
||||
void deobfuscate(MethodDefinition method, BlocksCflowDeobfuscator cflowDeobfuscator, IMethodCallInliner methodCallInliner, MethodPrinter methodPrinter) {
|
||||
if (!hasNonEmptyBody(method))
|
||||
return;
|
||||
|
||||
|
@ -569,7 +570,7 @@ namespace de4dot.code {
|
|||
|
||||
deob.deobfuscateMethodBegin(blocks);
|
||||
if (options.ControlFlowDeobfuscation) {
|
||||
cflowDeobfuscator.init(blocks);
|
||||
cflowDeobfuscator.init(blocks, methodCallInliner);
|
||||
cflowDeobfuscator.deobfuscate();
|
||||
}
|
||||
|
||||
|
@ -894,8 +895,7 @@ namespace de4dot.code {
|
|||
|
||||
deobfuscate(method, "Deobfuscating control flow", (blocks) => {
|
||||
var cflowDeobfuscator = new BlocksCflowDeobfuscator();
|
||||
cflowDeobfuscator.InlineMethods = deob.CanInlineMethods;
|
||||
cflowDeobfuscator.init(blocks);
|
||||
cflowDeobfuscator.init(blocks, deob.MethodCallInliner);
|
||||
cflowDeobfuscator.deobfuscate();
|
||||
});
|
||||
}
|
||||
|
|
|
@ -23,6 +23,7 @@ using Mono.Cecil;
|
|||
using Mono.Cecil.Cil;
|
||||
using Mono.MyStuff;
|
||||
using de4dot.blocks;
|
||||
using de4dot.blocks.cflow;
|
||||
using de4dot.code.PE;
|
||||
|
||||
namespace de4dot.code.deobfuscators {
|
||||
|
@ -81,10 +82,18 @@ namespace de4dot.code.deobfuscators {
|
|||
public abstract string TypeLong { get; }
|
||||
public abstract string Name { get; }
|
||||
|
||||
public virtual bool CanInlineMethods {
|
||||
protected virtual bool CanInlineMethods {
|
||||
get { return false; }
|
||||
}
|
||||
|
||||
public virtual IMethodCallInliner MethodCallInliner {
|
||||
get {
|
||||
if (CanInlineMethods)
|
||||
return new MethodCallInliner(false);
|
||||
return new NoMethodInliner();
|
||||
}
|
||||
}
|
||||
|
||||
public DeobfuscatorBase(OptionsBase optionsBase) {
|
||||
this.optionsBase = optionsBase;
|
||||
StringFeatures = StringFeatures.AllowAll;
|
||||
|
|
|
@ -22,6 +22,7 @@ using System.Collections.Generic;
|
|||
using Mono.Cecil;
|
||||
using Mono.MyStuff;
|
||||
using de4dot.blocks;
|
||||
using de4dot.blocks.cflow;
|
||||
using de4dot.code.renamer;
|
||||
using de4dot.code.PE;
|
||||
|
||||
|
@ -60,13 +61,11 @@ namespace de4dot.code.deobfuscators {
|
|||
StringFeatures StringFeatures { get; }
|
||||
RenamingOptions RenamingOptions { get; }
|
||||
DecrypterType DefaultDecrypterType { get; }
|
||||
IMethodCallInliner MethodCallInliner { get; }
|
||||
|
||||
// This is non-null only in detect() and deobfuscateBegin().
|
||||
IDeobfuscatedFile DeobfuscatedFile { get; set; }
|
||||
|
||||
// Return true if methods can be inlined
|
||||
bool CanInlineMethods { get; }
|
||||
|
||||
// Returns null or the unpacked .NET PE file
|
||||
byte[] unpackNativeFile(PeImage peImage);
|
||||
|
||||
|
|
|
@ -49,10 +49,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
}
|
||||
|
||||
void find() {
|
||||
var cflowDeobfuscator = new CflowDeobfuscator() {
|
||||
InlineMethods = true,
|
||||
InlineInstanceMethods = true,
|
||||
};
|
||||
var cflowDeobfuscator = new CflowDeobfuscator(new MethodCallInliner(true));
|
||||
|
||||
foreach (var type in module.Types) {
|
||||
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "CloseHandle") == null)
|
||||
|
|
|
@ -111,7 +111,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
get { return obfuscatorName; }
|
||||
}
|
||||
|
||||
public override bool CanInlineMethods {
|
||||
protected override bool CanInlineMethods {
|
||||
get { return startedDeobfuscating ? options.InlineMethods : true; }
|
||||
}
|
||||
|
||||
|
|
|
@ -142,7 +142,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
get { return obfuscatorName; }
|
||||
}
|
||||
|
||||
public override bool CanInlineMethods {
|
||||
protected override bool CanInlineMethods {
|
||||
get { return startedDeobfuscating ? options.InlineMethods : true; }
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user