Deobfuscate asm resolver method
This commit is contained in:
parent
f9ed45c670
commit
24b22268e3
|
@ -67,7 +67,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void Find() {
|
public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
var cctor = DotNetUtils.GetModuleTypeCctor(module);
|
var cctor = DotNetUtils.GetModuleTypeCctor(module);
|
||||||
if (cctor == null)
|
if (cctor == null)
|
||||||
return;
|
return;
|
||||||
|
@ -77,14 +77,15 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
continue;
|
continue;
|
||||||
if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
|
if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
|
||||||
continue;
|
continue;
|
||||||
if (CheckType(method.DeclaringType, method))
|
if (CheckType(method.DeclaringType, method, simpleDeobfuscator))
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
bool CheckType(TypeDef type, MethodDef initMethod) {
|
bool CheckType(TypeDef type, MethodDef initMethod, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) == null)
|
if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) == null)
|
||||||
return false;
|
return false;
|
||||||
|
simpleDeobfuscator.Deobfuscate(initMethod);
|
||||||
if (!CheckInitMethod(initMethod))
|
if (!CheckInitMethod(initMethod))
|
||||||
return false;
|
return false;
|
||||||
if ((asmSeparator = FindAssemblySeparator(initMethod)) == null)
|
if ((asmSeparator = FindAssemblySeparator(initMethod)) == null)
|
||||||
|
|
|
@ -210,7 +210,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
resourceResolver = new ResourceResolver(module, resourceDecrypter);
|
resourceResolver = new ResourceResolver(module, resourceDecrypter);
|
||||||
assemblyResolver = new AssemblyResolver(module);
|
assemblyResolver = new AssemblyResolver(module);
|
||||||
resourceResolver.Find();
|
resourceResolver.Find();
|
||||||
assemblyResolver.Find();
|
assemblyResolver.Find(DeobfuscatedFile);
|
||||||
|
|
||||||
DecryptResources();
|
DecryptResources();
|
||||||
stringDecrypter.Initialize(resourceDecrypter);
|
stringDecrypter.Initialize(resourceDecrypter);
|
||||||
|
@ -225,7 +225,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
|
||||||
if (methodsDecrypter.Detected) {
|
if (methodsDecrypter.Detected) {
|
||||||
if (!assemblyResolver.Detected)
|
if (!assemblyResolver.Detected)
|
||||||
assemblyResolver.Find();
|
assemblyResolver.Find(DeobfuscatedFile);
|
||||||
if (!tamperDetection.Detected)
|
if (!tamperDetection.Detected)
|
||||||
tamperDetection.Find();
|
tamperDetection.Find();
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user