From 1768de1d6b3e34782d8556d323092139b5bfca62 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Mon, 13 Aug 2012 00:54:46 +0200
Subject: [PATCH] Remove earlyDetect()
---
 de4dot.code/ObfuscatedFile.cs | 26 ++-----------------
 de4dot.code/deobfuscators/DeobfuscatorBase.cs | 4 ---
 de4dot.code/deobfuscators/IDeobfuscator.cs | 5 ----
 .../deobfuscators/Unknown/Deobfuscator.cs | 15 ++---------
 4 files changed, 4 insertions(+), 46 deletions(-)
diff --git a/de4dot.code/ObfuscatedFile.cs b/de4dot.code/ObfuscatedFile.cs
index 8fe501a8..88b33c45 100644
--- a/de4dot.code/ObfuscatedFile.cs
+++ b/de4dot.code/ObfuscatedFile.cs
@@ -248,7 +248,6 @@ namespace de4dot.code {
 if (this.deob != null) {
 deob.init(module);
 deob.DeobfuscatedFile = this;
- deob.earlyDetect();
 deob.detect();
 return;
 }
@@ -261,35 +260,14 @@ namespace de4dot.code {
 if (options.ForcedObfuscatorType != null) {
 foreach (var deob in deobfuscators) {
 if (string.Equals(options.ForcedObfuscatorType, deob.Type, StringComparison.OrdinalIgnoreCase)) {
- deob.earlyDetect();
 this.deob = deob;
 deob.detect();
 return;
 }
 }
 }
- else {
- this.deob = earlyDetectObfuscator(deobfuscators);
- if (this.deob == null)
- this.deob = detectObfuscator2(deobfuscators);
- else
- this.deob.detect();
- }
- }
-
- IDeobfuscator earlyDetectObfuscator(IEnumerable deobfuscators) {
- IDeobfuscator detected = null;
- int detectVal = 0;
- foreach (var deob in deobfuscators) {
- int val = deob.earlyDetect();
- if (val > 0)
- Log.v("{0,3}: {1}", val, deob.TypeLong);
- if (val > detectVal) {
- detectVal = val;
- detected = deob;
- }
- }
- return detected;
+ else
+ this.deob = detectObfuscator2(deobfuscators);
 }
 IDeobfuscator detectObfuscator2(IEnumerable deobfuscators) {
diff --git a/de4dot.code/deobfuscators/DeobfuscatorBase.cs b/de4dot.code/deobfuscators/DeobfuscatorBase.cs
index 701ebdbb..63943cb6 100644
--- a/de4dot.code/deobfuscators/DeobfuscatorBase.cs
+++ b/de4dot.code/deobfuscators/DeobfuscatorBase.cs
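Review bot: In de4dot.code/ObfuscatedFile.cs (hunk at -261,35), a forced type that matches no `deob.Type` still leaves the `foreach` without assigning `this.deob`, because the new `else` runs `detectObfuscator2()` only when `options.ForcedObfuscatorType` is null. Unless the option is validated before this point (not visible here), a mistyped name would presumably surface later as a null `deob` instead of a clear error. I would fail explicitly after the loop, e.g. `throw new InvalidOperationException("Unknown obfuscator type: " + options.ForcedObfuscatorType);`, or fall back to `detectObfuscator2(deobfuscators)` with a warning. The enclosing method starts above the hunk.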
@@ -127,10 +127,6 @@ namespace de4dot.code.deobfuscators {
 return optionsBase.ValidNameRegex.isMatch(name);
 }
- public virtual int earlyDetect() {
- return 0;
- }
-
 public virtual int detect() {
 scanForObfuscator();
 return detectInternal();
diff --git a/de4dot.code/deobfuscators/IDeobfuscator.cs b/de4dot.code/deobfuscators/IDeobfuscator.cs
index dd852c71..e13fe2ec 100644
--- a/de4dot.code/deobfuscators/IDeobfuscator.cs
+++ b/de4dot.code/deobfuscators/IDeobfuscator.cs
@@ -72,11 +72,6 @@ namespace de4dot.code.deobfuscators {
 void init(ModuleDefinition module);
- // Same as detect() but may be used by deobfuscators to detect obfuscator that decrypt
- // metadata at runtime. Code in detect() assume they can access everything. 0 should be
- // returned if not detected.
- int earlyDetect();
-
 // Returns 0 if it's not detected, or > 0 if detected (higher value => more likely true).
 // This method is always called.
 int detect();
diff --git a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
index 0df5d542..4a3308cd 100644
--- a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
@@ -76,19 +76,6 @@ namespace de4dot.code.deobfuscators.Unknown {
 obfuscatorName = string.Format("{0} (not supported)", name);
 }
- public override int earlyDetect() {
- setName(earlyScanTypes());
- return obfuscatorName != null ? 1 : 0;
- }
-
- string earlyScanTypes() {
- foreach (var type in module.Types) {
- if (type.FullName == "ConfusedByAttribute")
- return "Confuser";
- }
- return null;
- }
-
 protected override int detectInternal() {
 setName(scanTypes());
 return 1;
@@ -99,6 +86,8 @@ namespace de4dot.code.deobfuscators.Unknown {
 string scanTypes() {
 foreach (var type in module.Types) {
+ if (type.FullName == "ConfusedByAttribute")
+ return "Confuser";
 if (type.FullName == "ZYXDNGuarder")
 return "DNGuard HVM";
 if (type.Name.Contains("();\t"))
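Review bot: In Unknown/Deobfuscator.cs (hunk at -99,6), the `ConfusedByAttribute` check moved into `scanTypes()` has no comment, and this commit also deletes the IDeobfuscator.cs comment explaining why an early pass existed (obfuscators that decrypt metadata at runtime, with `detect()` code assuming it can access everything). I would add a line above the check such as `// Confuser marker type (moved from earlyDetect()); only the type name is inspected.` so the next reader knows the ordering is intentional. The method comment could also state that these name matches are heuristics: a missing marker type does not show that the module is unprotected. `scanTypes()` continues past the end of the hunk.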