Refactor method call inliner code
This commit is contained in:
parent
9079445e01
commit
17327902c3
|
@ -44,10 +44,13 @@
|
||||||
<Compile Include="cflow\DeadCodeRemover.cs" />
|
<Compile Include="cflow\DeadCodeRemover.cs" />
|
||||||
<Compile Include="cflow\DeadStoreRemover.cs" />
|
<Compile Include="cflow\DeadStoreRemover.cs" />
|
||||||
<Compile Include="cflow\ICflowDeobfuscator.cs" />
|
<Compile Include="cflow\ICflowDeobfuscator.cs" />
|
||||||
|
<Compile Include="cflow\IMethodCallInliner.cs" />
|
||||||
<Compile Include="cflow\InstructionEmulator.cs" />
|
<Compile Include="cflow\InstructionEmulator.cs" />
|
||||||
<Compile Include="cflow\Int32Value.cs" />
|
<Compile Include="cflow\Int32Value.cs" />
|
||||||
<Compile Include="cflow\Int64Value.cs" />
|
<Compile Include="cflow\Int64Value.cs" />
|
||||||
<Compile Include="cflow\MethodCallInliner.cs" />
|
<Compile Include="cflow\MethodCallInliner.cs" />
|
||||||
|
<Compile Include="cflow\MethodCallInlinerBase.cs" />
|
||||||
|
<Compile Include="cflow\NoMethodInliner.cs" />
|
||||||
<Compile Include="cflow\Real8Value.cs" />
|
<Compile Include="cflow\Real8Value.cs" />
|
||||||
<Compile Include="cflow\StLdlocFixer.cs" />
|
<Compile Include="cflow\StLdlocFixer.cs" />
|
||||||
<Compile Include="cflow\SwitchCflowDeobfuscator.cs" />
|
<Compile Include="cflow\SwitchCflowDeobfuscator.cs" />
|
||||||
|
|
|
@ -30,14 +30,12 @@ namespace de4dot.blocks.cflow {
|
||||||
DeadCodeRemover deadCodeRemover = new DeadCodeRemover();
|
DeadCodeRemover deadCodeRemover = new DeadCodeRemover();
|
||||||
DeadStoreRemover deadStoreRemover = new DeadStoreRemover();
|
DeadStoreRemover deadStoreRemover = new DeadStoreRemover();
|
||||||
StLdlocFixer stLdlocFixer = new StLdlocFixer();
|
StLdlocFixer stLdlocFixer = new StLdlocFixer();
|
||||||
MethodCallInliner methodCallInliner = new MethodCallInliner();
|
IMethodCallInliner methodCallInliner;
|
||||||
ConstantsFolder constantsFolder = new ConstantsFolder();
|
ConstantsFolder constantsFolder = new ConstantsFolder();
|
||||||
|
|
||||||
public bool InlineMethods { get; set; }
|
public void init(Blocks blocks, IMethodCallInliner methodCallInliner) {
|
||||||
public bool InlineInstanceMethods { get; set; }
|
|
||||||
|
|
||||||
public void init(Blocks blocks) {
|
|
||||||
this.blocks = blocks;
|
this.blocks = blocks;
|
||||||
|
this.methodCallInliner = methodCallInliner;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void deobfuscate() {
|
public void deobfuscate() {
|
||||||
|
@ -54,11 +52,9 @@ namespace de4dot.blocks.cflow {
|
||||||
if (iterations == 0)
|
if (iterations == 0)
|
||||||
changed |= fixDotfuscatorLoop();
|
changed |= fixDotfuscatorLoop();
|
||||||
|
|
||||||
if (InlineMethods) {
|
foreach (var block in allBlocks) {
|
||||||
foreach (var block in allBlocks) {
|
methodCallInliner.init(blocks, block);
|
||||||
methodCallInliner.init(blocks, block, InlineInstanceMethods);
|
changed |= methodCallInliner.deobfuscate();
|
||||||
changed |= methodCallInliner.deobfuscate();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach (var block in allBlocks) {
|
foreach (var block in allBlocks) {
|
||||||
|
|
|
@ -24,20 +24,15 @@ using Mono.Cecil.Cil;
|
||||||
namespace de4dot.blocks.cflow {
|
namespace de4dot.blocks.cflow {
|
||||||
public class CflowDeobfuscator : ICflowDeobfuscator {
|
public class CflowDeobfuscator : ICflowDeobfuscator {
|
||||||
BlocksCflowDeobfuscator cflowDeobfuscator = new BlocksCflowDeobfuscator();
|
BlocksCflowDeobfuscator cflowDeobfuscator = new BlocksCflowDeobfuscator();
|
||||||
|
IMethodCallInliner methodCallInliner;
|
||||||
|
|
||||||
public bool InlineMethods { get; set; }
|
public CflowDeobfuscator(IMethodCallInliner methodCallInliner) {
|
||||||
public bool InlineInstanceMethods { get; set; }
|
this.methodCallInliner = methodCallInliner;
|
||||||
|
|
||||||
public CflowDeobfuscator() {
|
|
||||||
InlineMethods = true;
|
|
||||||
InlineInstanceMethods = false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void deobfuscate(MethodDefinition method) {
|
public void deobfuscate(MethodDefinition method) {
|
||||||
deobfuscate(method, (blocks) => {
|
deobfuscate(method, (blocks) => {
|
||||||
cflowDeobfuscator.InlineMethods = InlineMethods;
|
cflowDeobfuscator.init(blocks, methodCallInliner);
|
||||||
cflowDeobfuscator.InlineInstanceMethods = InlineInstanceMethods;
|
|
||||||
cflowDeobfuscator.init(blocks);
|
|
||||||
cflowDeobfuscator.deobfuscate();
|
cflowDeobfuscator.deobfuscate();
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
27
blocks/cflow/IMethodCallInliner.cs
Normal file
27
blocks/cflow/IMethodCallInliner.cs
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace de4dot.blocks.cflow {
|
||||||
|
public interface IMethodCallInliner {
|
||||||
|
void init(Blocks blocks, Block block);
|
||||||
|
|
||||||
|
// Returns true if something was inlined
|
||||||
|
bool deobfuscate();
|
||||||
|
}
|
||||||
|
}
|
|
@ -22,26 +22,14 @@ using Mono.Cecil;
|
||||||
using Mono.Cecil.Cil;
|
using Mono.Cecil.Cil;
|
||||||
|
|
||||||
namespace de4dot.blocks.cflow {
|
namespace de4dot.blocks.cflow {
|
||||||
class MethodCallInliner {
|
public class MethodCallInliner : MethodCallInlinerBase {
|
||||||
// We can't catch all infinite loops, so inline methods at most this many times
|
|
||||||
const int MAX_ITERATIONS = 10;
|
|
||||||
|
|
||||||
Blocks blocks;
|
|
||||||
Block block;
|
|
||||||
int iteration;
|
|
||||||
bool inlineInstanceMethods;
|
bool inlineInstanceMethods;
|
||||||
|
|
||||||
public void init(Blocks blocks, Block block, bool inlineInstanceMethods) {
|
public MethodCallInliner(bool inlineInstanceMethods) {
|
||||||
this.blocks = blocks;
|
|
||||||
this.block = block;
|
|
||||||
this.iteration = 0;
|
|
||||||
this.inlineInstanceMethods = inlineInstanceMethods;
|
this.inlineInstanceMethods = inlineInstanceMethods;
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool deobfuscate() {
|
protected override bool deobfuscateInternal() {
|
||||||
if (iteration++ >= MAX_ITERATIONS)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
bool changed = false;
|
bool changed = false;
|
||||||
var instructions = block.Instructions;
|
var instructions = block.Instructions;
|
||||||
for (int i = 0; i < instructions.Count; i++) {
|
for (int i = 0; i < instructions.Count; i++) {
|
||||||
|
|
44
blocks/cflow/MethodCallInlinerBase.cs
Normal file
44
blocks/cflow/MethodCallInlinerBase.cs
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace de4dot.blocks.cflow {
|
||||||
|
public abstract class MethodCallInlinerBase : IMethodCallInliner {
|
||||||
|
// We can't catch all infinite loops, so inline methods at most this many times
|
||||||
|
const int MAX_ITERATIONS = 10;
|
||||||
|
|
||||||
|
protected Blocks blocks;
|
||||||
|
protected Block block;
|
||||||
|
int iteration;
|
||||||
|
|
||||||
|
public void init(Blocks blocks, Block block) {
|
||||||
|
this.blocks = blocks;
|
||||||
|
this.block = block;
|
||||||
|
this.iteration = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool deobfuscate() {
|
||||||
|
if (iteration++ >= MAX_ITERATIONS)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return deobfuscateInternal();
|
||||||
|
}
|
||||||
|
|
||||||
|
protected abstract bool deobfuscateInternal();
|
||||||
|
}
|
||||||
|
}
|
29
blocks/cflow/NoMethodInliner.cs
Normal file
29
blocks/cflow/NoMethodInliner.cs
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace de4dot.blocks.cflow {
|
||||||
|
public class NoMethodInliner : IMethodCallInliner {
|
||||||
|
public void init(Blocks blocks, Block block) {
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool deobfuscate() {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -537,13 +537,14 @@ namespace de4dot.code {
|
||||||
|
|
||||||
Log.v("Deobfuscating methods");
|
Log.v("Deobfuscating methods");
|
||||||
var methodPrinter = new MethodPrinter();
|
var methodPrinter = new MethodPrinter();
|
||||||
var cflowDeobfuscator = new BlocksCflowDeobfuscator { InlineMethods = deob.CanInlineMethods };
|
var cflowDeobfuscator = new BlocksCflowDeobfuscator();
|
||||||
|
var methodCallInliner = deob.MethodCallInliner;
|
||||||
foreach (var method in allMethods) {
|
foreach (var method in allMethods) {
|
||||||
Log.v("Deobfuscating {0} ({1:X8})", Utils.removeNewlines(method), method.MetadataToken.ToUInt32());
|
Log.v("Deobfuscating {0} ({1:X8})", Utils.removeNewlines(method), method.MetadataToken.ToUInt32());
|
||||||
Log.indent();
|
Log.indent();
|
||||||
|
|
||||||
try {
|
try {
|
||||||
deobfuscate(method, cflowDeobfuscator, methodPrinter);
|
deobfuscate(method, cflowDeobfuscator, methodCallInliner, methodPrinter);
|
||||||
}
|
}
|
||||||
catch (ApplicationException) {
|
catch (ApplicationException) {
|
||||||
throw;
|
throw;
|
||||||
|
@ -559,7 +560,7 @@ namespace de4dot.code {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void deobfuscate(MethodDefinition method, BlocksCflowDeobfuscator cflowDeobfuscator, MethodPrinter methodPrinter) {
|
void deobfuscate(MethodDefinition method, BlocksCflowDeobfuscator cflowDeobfuscator, IMethodCallInliner methodCallInliner, MethodPrinter methodPrinter) {
|
||||||
if (!hasNonEmptyBody(method))
|
if (!hasNonEmptyBody(method))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
@ -569,7 +570,7 @@ namespace de4dot.code {
|
||||||
|
|
||||||
deob.deobfuscateMethodBegin(blocks);
|
deob.deobfuscateMethodBegin(blocks);
|
||||||
if (options.ControlFlowDeobfuscation) {
|
if (options.ControlFlowDeobfuscation) {
|
||||||
cflowDeobfuscator.init(blocks);
|
cflowDeobfuscator.init(blocks, methodCallInliner);
|
||||||
cflowDeobfuscator.deobfuscate();
|
cflowDeobfuscator.deobfuscate();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -894,8 +895,7 @@ namespace de4dot.code {
|
||||||
|
|
||||||
deobfuscate(method, "Deobfuscating control flow", (blocks) => {
|
deobfuscate(method, "Deobfuscating control flow", (blocks) => {
|
||||||
var cflowDeobfuscator = new BlocksCflowDeobfuscator();
|
var cflowDeobfuscator = new BlocksCflowDeobfuscator();
|
||||||
cflowDeobfuscator.InlineMethods = deob.CanInlineMethods;
|
cflowDeobfuscator.init(blocks, deob.MethodCallInliner);
|
||||||
cflowDeobfuscator.init(blocks);
|
|
||||||
cflowDeobfuscator.deobfuscate();
|
cflowDeobfuscator.deobfuscate();
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,6 +23,7 @@ using Mono.Cecil;
|
||||||
using Mono.Cecil.Cil;
|
using Mono.Cecil.Cil;
|
||||||
using Mono.MyStuff;
|
using Mono.MyStuff;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
using de4dot.blocks.cflow;
|
||||||
using de4dot.code.PE;
|
using de4dot.code.PE;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators {
|
namespace de4dot.code.deobfuscators {
|
||||||
|
@ -81,10 +82,18 @@ namespace de4dot.code.deobfuscators {
|
||||||
public abstract string TypeLong { get; }
|
public abstract string TypeLong { get; }
|
||||||
public abstract string Name { get; }
|
public abstract string Name { get; }
|
||||||
|
|
||||||
public virtual bool CanInlineMethods {
|
protected virtual bool CanInlineMethods {
|
||||||
get { return false; }
|
get { return false; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public virtual IMethodCallInliner MethodCallInliner {
|
||||||
|
get {
|
||||||
|
if (CanInlineMethods)
|
||||||
|
return new MethodCallInliner(false);
|
||||||
|
return new NoMethodInliner();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public DeobfuscatorBase(OptionsBase optionsBase) {
|
public DeobfuscatorBase(OptionsBase optionsBase) {
|
||||||
this.optionsBase = optionsBase;
|
this.optionsBase = optionsBase;
|
||||||
StringFeatures = StringFeatures.AllowAll;
|
StringFeatures = StringFeatures.AllowAll;
|
||||||
|
|
|
@ -22,6 +22,7 @@ using System.Collections.Generic;
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
using Mono.MyStuff;
|
using Mono.MyStuff;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
using de4dot.blocks.cflow;
|
||||||
using de4dot.code.renamer;
|
using de4dot.code.renamer;
|
||||||
using de4dot.code.PE;
|
using de4dot.code.PE;
|
||||||
|
|
||||||
|
@ -60,13 +61,11 @@ namespace de4dot.code.deobfuscators {
|
||||||
StringFeatures StringFeatures { get; }
|
StringFeatures StringFeatures { get; }
|
||||||
RenamingOptions RenamingOptions { get; }
|
RenamingOptions RenamingOptions { get; }
|
||||||
DecrypterType DefaultDecrypterType { get; }
|
DecrypterType DefaultDecrypterType { get; }
|
||||||
|
IMethodCallInliner MethodCallInliner { get; }
|
||||||
|
|
||||||
// This is non-null only in detect() and deobfuscateBegin().
|
// This is non-null only in detect() and deobfuscateBegin().
|
||||||
IDeobfuscatedFile DeobfuscatedFile { get; set; }
|
IDeobfuscatedFile DeobfuscatedFile { get; set; }
|
||||||
|
|
||||||
// Return true if methods can be inlined
|
|
||||||
bool CanInlineMethods { get; }
|
|
||||||
|
|
||||||
// Returns null or the unpacked .NET PE file
|
// Returns null or the unpacked .NET PE file
|
||||||
byte[] unpackNativeFile(PeImage peImage);
|
byte[] unpackNativeFile(PeImage peImage);
|
||||||
|
|
||||||
|
|
|
@ -49,10 +49,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||||
}
|
}
|
||||||
|
|
||||||
void find() {
|
void find() {
|
||||||
var cflowDeobfuscator = new CflowDeobfuscator() {
|
var cflowDeobfuscator = new CflowDeobfuscator(new MethodCallInliner(true));
|
||||||
InlineMethods = true,
|
|
||||||
InlineInstanceMethods = true,
|
|
||||||
};
|
|
||||||
|
|
||||||
foreach (var type in module.Types) {
|
foreach (var type in module.Types) {
|
||||||
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "CloseHandle") == null)
|
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "CloseHandle") == null)
|
||||||
|
|
|
@ -111,7 +111,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||||
get { return obfuscatorName; }
|
get { return obfuscatorName; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool CanInlineMethods {
|
protected override bool CanInlineMethods {
|
||||||
get { return startedDeobfuscating ? options.InlineMethods : true; }
|
get { return startedDeobfuscating ? options.InlineMethods : true; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -142,7 +142,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
get { return obfuscatorName; }
|
get { return obfuscatorName; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool CanInlineMethods {
|
protected override bool CanInlineMethods {
|
||||||
get { return startedDeobfuscating ? options.InlineMethods : true; }
|
get { return startedDeobfuscating ? options.InlineMethods : true; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user