monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Move patcher code to DecrypterType

Browse Source
This commit is contained in:
de4dot 2011-12-21 16:56:12 +01:00
parent ceca34e12c
commit 1fd7319b19
3 changed files with 44 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
de4dot.code/deobfuscators/dotNET_Reactor3/DecrypterType.cs
View File

@ -22,6 +22,7 @@ using System.Collections.Generic;
using System.Text;
using Mono.Cecil;
using de4dot.blocks;
using de4dot.code.PE;
namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
// Find the type that decrypts strings and calls the native lib
@ -133,5 +134,46 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
public string decrypt2(string s) {
return Encoding.Unicode.GetString(Convert.FromBase64String(s));
}
public bool patch(PeImage peImage) {
try {
return patch2(peImage);
}
catch {
Log.w("Could not patch the file");
return false;
}
}
bool patch2(PeImage peImage) {
uint numPatches = peImage.offsetReadUInt32(peImage.ImageLength - 4);
uint offset = checked(peImage.ImageLength - 4 - numPatches * 8);
for (uint i = 0; i < numPatches; i++, offset += 8) {
uint rva = getValue(peImage.offsetReadUInt32(offset));
var value = peImage.offsetReadUInt32(offset + 4);
if (value == 4) {
i++;
offset += 8;
rva = getValue(peImage.offsetReadUInt32(offset));
value = peImage.offsetReadUInt32(offset + 4);
}
else
value = getValue(value);
peImage.dotNetSafeWrite(rva, BitConverter.GetBytes(value));
}
return true;
}
static uint getValue(uint value) {
const uint magic = 2749;
value = checked(value - magic);
if (value % 3 != 0)
throw new Exception();
return value / 3;
}
}
}

4
de4dot.code/deobfuscators/dotNET_Reactor3/Deobfuscator.cs
View File

@ -136,12 +136,12 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
}
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
if (!nativeLibSaver.Detected)
if (!decrypterType.Detected)
return false;
var fileData = ModuleBytes ?? DeobUtils.readModule(module);
var peImage = new PeImage(fileData);
if (!nativeLibSaver.patch(peImage))
if (!decrypterType.patch(peImage))
return false;
newFileData = fileData;

42
de4dot.code/deobfuscators/dotNET_Reactor3/NativeLibSaver.cs
View File

@ -20,7 +20,6 @@
using System;
using Mono.Cecil;
using de4dot.blocks;
using de4dot.code.PE;
namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
// Finds the type that saves the native lib (if in resources) to disk
@ -82,46 +81,5 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
return;
}
}
public bool patch(PeImage peImage) {
try {
return patch2(peImage);
}
catch {
Log.w("Could not patch the file");
return false;
}
}
bool patch2(PeImage peImage) {
uint numPatches = peImage.offsetReadUInt32(peImage.ImageLength - 4);
uint offset = checked(peImage.ImageLength - 4 - numPatches * 8);
for (uint i = 0; i < numPatches; i++, offset += 8) {
uint rva = getValue(peImage.offsetReadUInt32(offset));
var value = peImage.offsetReadUInt32(offset + 4);
if (value == 4) {
i++;
offset += 8;
rva = getValue(peImage.offsetReadUInt32(offset));
value = peImage.offsetReadUInt32(offset + 4);
}
else
value = getValue(value);
peImage.dotNetSafeWrite(rva, BitConverter.GetBytes(value));
}
return true;
}
static uint getValue(uint value) {
const uint magic = 2749;
value = checked(value - magic);
if (value % 3 != 0)
throw new Exception();
return value / 3;
}
}
}