From 1fd7319b1945397fb8ac4c4ef9a2a2746b100af5 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Wed, 21 Dec 2011 16:56:12 +0100
Subject: [PATCH] Move patcher code to DecrypterType
---
 .../dotNET_Reactor3/DecrypterType.cs | 42 +++++++++++++++++++
 .../dotNET_Reactor3/Deobfuscator.cs | 4 +-
 .../dotNET_Reactor3/NativeLibSaver.cs | 42 -------------------
 3 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor3/DecrypterType.cs b/de4dot.code/deobfuscators/dotNET_Reactor3/DecrypterType.cs
index cee37502..d6aefdda 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor3/DecrypterType.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor3/DecrypterType.cs
@@ -22,6 +22,7 @@ using System.Collections.Generic;
 using System.Text;
 using Mono.Cecil;
 using de4dot.blocks;
+using de4dot.code.PE;
 namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 // Find the type that decrypts strings and calls the native lib
@@ -133,5 +134,46 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 public string decrypt2(string s) {
 return Encoding.Unicode.GetString(Convert.FromBase64String(s));
 }
+
+ public bool patch(PeImage peImage) {
+ try {
+ return patch2(peImage);
+ }
+ catch {
+ Log.w("Could not patch the file");
+ return false;
+ }
+ }
+
+ bool patch2(PeImage peImage) {
+ uint numPatches = peImage.offsetReadUInt32(peImage.ImageLength - 4);
+ uint offset = checked(peImage.ImageLength - 4 - numPatches * 8);
+
+ for (uint i = 0; i < numPatches; i++, offset += 8) {
+ uint rva = getValue(peImage.offsetReadUInt32(offset));
+ var value = peImage.offsetReadUInt32(offset + 4);
+
+ if (value == 4) {
+ i++;
+ offset += 8;
+ rva = getValue(peImage.offsetReadUInt32(offset));
+ value = peImage.offsetReadUInt32(offset + 4);
+ }
+ else
+ value = getValue(value);
+
+ peImage.dotNetSafeWrite(rva, BitConverter.GetBytes(value));
+ }
+
+ return true;
+ }
+
+ static uint getValue(uint value) {
+ const uint magic = 2749;
+ value = checked(value - magic);
+ if (value % 3 != 0)
+ throw new Exception();
+ return value / 3;
+ }
 }
 }
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor3/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor3/Deobfuscator.cs
index 52ab8e4b..525da51d 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor3/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor3/Deobfuscator.cs
@@ -136,12 +136,12 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 }
 public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary dumpedMethods) {
- if (!nativeLibSaver.Detected)
+ if (!decrypterType.Detected)
 return false;
 var fileData = ModuleBytes ?? DeobUtils.readModule(module);
 var peImage = new PeImage(fileData);
- if (!nativeLibSaver.patch(peImage))
+ if (!decrypterType.patch(peImage))
 return false;
 newFileData = fileData;
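Review bot: In `patch2`, each record is written with `peImage.dotNetSafeWrite` as soon as it is decoded, so a malformed table that throws part-way (a failed `getValue`, or a read past the end) leaves the image partly patched while `patch` reports failure. `numPatches` and the table come from the tail of the file being deobfuscated and should be treated as untrusted: decode and validate every record first, then apply the writes. The `value == 4` branch also advances `i` and `offset` without re-checking `i < numPatches`, and the `offset += 8` steps and the first `ImageLength - 4` sit outside `checked`. The bare `catch` in `patch` hides the cause, and `throw new Exception()` in `getValue` carries no message, so logging the exception text would make failures diagnosable. The call site in Deobfuscator.cs builds the `PeImage` over `ModuleBytes` when that is set, so if `PeImage` writes through to the array (not visible here) the partial writes would persist in it.

```csharp
bool patch2(PeImage peImage) {
	// … unchanged: numPatches and offset computation …
	var patches = new List<KeyValuePair<uint, uint>>();

	for (uint i = 0; i < numPatches; i++, offset = checked(offset + 8)) {
		// … unchanged: read rva and value at offset …

		if (value == 4) {
			// A pair needs a second record that is still inside the table
			if (++i >= numPatches)
				throw new Exception("Truncated patch table");
			offset = checked(offset + 8);
			// … unchanged: re-read rva and value …
		}
		// … unchanged: else branch …

		patches.Add(new KeyValuePair<uint, uint>(rva, value));
	}

	// Nothing is written until the whole table has decoded cleanly
	foreach (var entry in patches)
		peImage.dotNetSafeWrite(entry.Key, BitConverter.GetBytes(entry.Value));

	return true;
}
```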
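Review bot: The first guard in `getDecryptedModule` now tests `decrypterType.Detected` where it used to test `nativeLibSaver.Detected`, which changes when patching is attempted; the commit title describes only a code move. If a file can carry the native-lib saver without the decrypter type being found, it would now be returned unpatched with no log line. A short comment above the guard, for example `// The patch table is applied only when the decrypter type was found`, would record that this is intended. The method body continues outside the hunk.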
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor3/NativeLibSaver.cs b/de4dot.code/deobfuscators/dotNET_Reactor3/NativeLibSaver.cs
index 6e5a7e11..7aafffc0 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor3/NativeLibSaver.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor3/NativeLibSaver.cs
@@ -20,7 +20,6 @@
 using System;
 using Mono.Cecil;
 using de4dot.blocks;
-using de4dot.code.PE;
 namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 // Finds the type that saves the native lib (if in resources) to disk
@@ -82,46 +81,5 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 return;
 }
 }
-
- public bool patch(PeImage peImage) {
- try {
- return patch2(peImage);
- }
- catch {
- Log.w("Could not patch the file");
- return false;
- }
- }
-
- bool patch2(PeImage peImage) {
- uint numPatches = peImage.offsetReadUInt32(peImage.ImageLength - 4);
- uint offset = checked(peImage.ImageLength - 4 - numPatches * 8);
-
- for (uint i = 0; i < numPatches; i++, offset += 8) {
- uint rva = getValue(peImage.offsetReadUInt32(offset));
- var value = peImage.offsetReadUInt32(offset + 4);
-
- if (value == 4) {
- i++;
- offset += 8;
- rva = getValue(peImage.offsetReadUInt32(offset));
- value = peImage.offsetReadUInt32(offset + 4);
- }
- else
- value = getValue(value);
-
- peImage.dotNetSafeWrite(rva, BitConverter.GetBytes(value));
- }
-
- return true;
- }
-
- static uint getValue(uint value) {
- const uint magic = 2749;
- value = checked(value - magic);
- if (value % 3 != 0)
- throw new Exception();
- return value / 3;
- }
 }
 }