monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Deobfuscate asm resolver method

Browse Source
This commit is contained in:
de4dot 2013-09-28 19:43:05 +02:00
parent f9ed45c670
commit 24b22268e3
2 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
View File

@ -67,7 +67,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
this.module = module; this.module = module;
} }
public void Find() { public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
var cctor = DotNetUtils.GetModuleTypeCctor(module); var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null) if (cctor == null)
return; return;
@ -77,14 +77,15 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
continue; continue;
if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()")) if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
continue; continue;
if (CheckType(method.DeclaringType, method)) if (CheckType(method.DeclaringType, method, simpleDeobfuscator))
break; break;
} }
} }
bool CheckType(TypeDef type, MethodDef initMethod) { bool CheckType(TypeDef type, MethodDef initMethod, ISimpleDeobfuscator simpleDeobfuscator) {
if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) == null) if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) == null)
return false; return false;
simpleDeobfuscator.Deobfuscate(initMethod);
if (!CheckInitMethod(initMethod)) if (!CheckInitMethod(initMethod))
return false; return false;
if ((asmSeparator = FindAssemblySeparator(initMethod)) == null) if ((asmSeparator = FindAssemblySeparator(initMethod)) == null)

4
de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
View File

@ -210,7 +210,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
resourceResolver = new ResourceResolver(module, resourceDecrypter); resourceResolver = new ResourceResolver(module, resourceDecrypter);
assemblyResolver = new AssemblyResolver(module); assemblyResolver = new AssemblyResolver(module);
resourceResolver.Find(); resourceResolver.Find();
assemblyResolver.Find(); assemblyResolver.Find(DeobfuscatedFile);
DecryptResources(); DecryptResources();
stringDecrypter.Initialize(resourceDecrypter); stringDecrypter.Initialize(resourceDecrypter);
@ -225,7 +225,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
if (methodsDecrypter.Detected) { if (methodsDecrypter.Detected) {
if (!assemblyResolver.Detected) if (!assemblyResolver.Detected)
assemblyResolver.Find(); assemblyResolver.Find(DeobfuscatedFile);
if (!tamperDetection.Detected) if (!tamperDetection.Detected)
tamperDetection.Find(); tamperDetection.Find();
} }