From 24c43d5a666dfe13e6b5bd91b0ae5d1a2274eb94 Mon Sep 17 00:00:00 2001 From: de4dot Date: Thu, 1 Nov 2012 21:09:09 +0100 Subject: [PATCH] Port some more code --- blocks/DotNetUtils.cs | 13 ++ de4dot.code/IObfuscatedFile.cs | 4 +- de4dot.code/ObfuscatedFile.cs | 6 +- de4dot.code/deobfuscators/IDeobfuscator.cs | 6 +- .../deobfuscators/MemberReferenceBuilder.cs | 6 +- .../deobfuscators/MethodCallRestorerBase.cs | 10 +- de4dot.code/deobfuscators/TypesRestorer.cs | 167 ++++++++---------- .../deobfuscators/Unknown/Deobfuscator.cs | 11 +- de4dot.code/resources/ResourceDataCreator.cs | 22 +-- de4dot.code/resources/ResourceReader.cs | 8 +- de4dot.code/resources/ResourceWriter.cs | 12 +- dot10 | 2 +- 12 files changed, 129 insertions(+), 138 deletions(-) diff --git a/blocks/DotNetUtils.cs b/blocks/DotNetUtils.cs index 36be5578..d2aad77c 100644 --- a/blocks/DotNetUtils.cs +++ b/blocks/DotNetUtils.cs @@ -713,6 +713,13 @@ namespace de4dot.blocks { return type.EType != ElementType.Void; } + public static bool hasReturnValue(DN.IMethod method) { + if (method == null || method.MethodSig == null) + return false; + //TODO: Also remove modifiers from RetType before comparing etype + return method.MethodSig.RetType.ElementType != DN.ElementType.Void; + } + public static void updateStack(Instruction instr, ref int stack, bool methodHasReturnValue) { int pushes, pops; calculateStackUsage(instr, methodHasReturnValue, out pushes, out pops); @@ -924,6 +931,12 @@ namespace de4dot.blocks { return null; } + public static DN.Parameter getParameter(IList parameters, int index) { + if (0 <= index && index < parameters.Count) + return parameters[index]; + return null; + } + public static List getArgs(MethodReference method) { var args = new List(method.Parameters.Count + 1); if (method.HasImplicitThis) diff --git a/de4dot.code/IObfuscatedFile.cs b/de4dot.code/IObfuscatedFile.cs index be2c1e0c..12e9c4b4 100644 --- a/de4dot.code/IObfuscatedFile.cs +++ b/de4dot.code/IObfuscatedFile.cs @@ -19,14 +19,14 @@ using System.Collections.Generic; using de4dot.code.deobfuscators; -using Mono.Cecil; +using dot10.DotNet; #if PORT using de4dot.code.renamer; #endif namespace de4dot.code { public interface IObfuscatedFile { - ModuleDefinition ModuleDefinition { get; } + ModuleDefMD ModuleDefMD { get; } IDeobfuscator Deobfuscator { get; } IDeobfuscatorContext DeobfuscatorContext { get; set; } string Filename { get; } diff --git a/de4dot.code/ObfuscatedFile.cs b/de4dot.code/ObfuscatedFile.cs index 013f1d7e..bbaa7a49 100644 --- a/de4dot.code/ObfuscatedFile.cs +++ b/de4dot.code/ObfuscatedFile.cs @@ -24,6 +24,7 @@ using System.IO; using System.Text; using dot10.DotNet; using dot10.DotNet.Emit; +using dot10.PE; using de4dot.code.deobfuscators; using de4dot.blocks; using de4dot.blocks.cflow; @@ -31,7 +32,6 @@ using de4dot.code.AssemblyClient; #if PORT using de4dot.code.renamer; #endif -using de4dot.PE; namespace de4dot.code { public class ObfuscatedFile : IObfuscatedFile, IDeobfuscatedFile { @@ -185,7 +185,7 @@ namespace de4dot.code { } bool unpackNativeImage(IEnumerable deobfuscators) { - var peImage = new PeImage(Utils.readFile(Filename)); + var peImage = new PEImage(Filename); foreach (var deob in deobfuscators) { byte[] unpackedData = null; @@ -731,11 +731,9 @@ namespace de4dot.code { return; deobfuscate(method, "Deobfuscating control flow", (blocks) => { -#if PORT var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators); cflowDeobfuscator.init(blocks); cflowDeobfuscator.deobfuscate(); -#endif }); } diff --git a/de4dot.code/deobfuscators/IDeobfuscator.cs b/de4dot.code/deobfuscators/IDeobfuscator.cs index 09b6cb36..ef7aab77 100644 --- a/de4dot.code/deobfuscators/IDeobfuscator.cs +++ b/de4dot.code/deobfuscators/IDeobfuscator.cs @@ -20,12 +20,12 @@ using System; using System.Collections.Generic; using dot10.DotNet; +using dot10.PE; using de4dot.blocks; using de4dot.blocks.cflow; #if PORT using de4dot.code.renamer; #endif -using de4dot.PE; namespace de4dot.code.deobfuscators { public interface IDeobfuscatorOptions { @@ -67,15 +67,13 @@ namespace de4dot.code.deobfuscators { StringFeatures StringFeatures { get; } RenamingOptions RenamingOptions { get; } DecrypterType DefaultDecrypterType { get; } -#if PORT IEnumerable BlocksDeobfuscators { get; } -#endif // This is non-null only in detect() and deobfuscateBegin(). IDeobfuscatedFile DeobfuscatedFile { get; set; } // Returns null or the unpacked .NET PE file - byte[] unpackNativeFile(PeImage peImage); + byte[] unpackNativeFile(PEImage peImage); void init(ModuleDefMD module); diff --git a/de4dot.code/deobfuscators/MemberReferenceBuilder.cs b/de4dot.code/deobfuscators/MemberReferenceBuilder.cs index 29bbff42..5a87781b 100644 --- a/de4dot.code/deobfuscators/MemberReferenceBuilder.cs +++ b/de4dot.code/deobfuscators/MemberReferenceBuilder.cs @@ -24,7 +24,7 @@ using dot10.DotNet.MD; using de4dot.blocks; namespace de4dot.code.deobfuscators { - class MemberReferenceBuilder : ICorLibTypes { + class MemberReferenceBuilder { ModuleDefMD module; Dictionary createdTypes = new Dictionary(TypeEqualityComparer.Instance); @@ -36,10 +36,6 @@ namespace de4dot.code.deobfuscators { get { return module.CorLibTypes.AssemblyRef; } } - public AssemblyRef AssemblyRef { - get { return module.CorLibTypes.AssemblyRef; } - } - public CorLibTypeSig Object { get { return module.CorLibTypes.Object; } } diff --git a/de4dot.code/deobfuscators/MethodCallRestorerBase.cs b/de4dot.code/deobfuscators/MethodCallRestorerBase.cs index dead9901..011f80e4 100644 --- a/de4dot.code/deobfuscators/MethodCallRestorerBase.cs +++ b/de4dot.code/deobfuscators/MethodCallRestorerBase.cs @@ -48,7 +48,7 @@ namespace de4dot.code.deobfuscators { return; var assemblyType = builder.type("System.Reflection", "Assembly", builder.CorLib); var streamType = builder.type("System.IO", "Stream", builder.CorLib); - var newMethod = builder.instanceMethod("GetManifestResourceStream", assemblyType, streamType, builder.String); + var newMethod = builder.instanceMethod("GetManifestResourceStream", assemblyType.TypeDefOrRef, streamType, builder.String); add(oldMethod, newMethod, OpCodes.Callvirt); } @@ -58,7 +58,7 @@ namespace de4dot.code.deobfuscators { var assemblyType = builder.type("System.Reflection", "Assembly", builder.CorLib); var typeType = builder.type("System", "Type", builder.CorLib); var streamType = builder.type("System.IO", "Stream", builder.CorLib); - var newMethod = builder.instanceMethod("GetManifestResourceStream", assemblyType, streamType, typeType, builder.String); + var newMethod = builder.instanceMethod("GetManifestResourceStream", assemblyType.TypeDefOrRef, streamType, typeType, builder.String); add(oldMethod, newMethod, OpCodes.Callvirt); } @@ -67,7 +67,7 @@ namespace de4dot.code.deobfuscators { return; var assemblyType = builder.type("System.Reflection", "Assembly", builder.CorLib); var stringArrayType = builder.array(builder.String); - var newMethod = builder.instanceMethod("GetManifestResourceNames", assemblyType, stringArrayType); + var newMethod = builder.instanceMethod("GetManifestResourceNames", assemblyType.TypeDefOrRef, stringArrayType); add(oldMethod, newMethod, OpCodes.Callvirt); } @@ -76,7 +76,7 @@ namespace de4dot.code.deobfuscators { return; var bitmapType = builder.type("System.Drawing", "Bitmap", "System.Drawing"); var typeType = builder.type("System", "Type", builder.CorLib); - var newMethod = builder.instanceMethod(".ctor", bitmapType, builder.Void, typeType, builder.String); + var newMethod = builder.instanceMethod(".ctor", bitmapType.TypeDefOrRef, builder.Void, typeType, builder.String); add(oldMethod, newMethod, OpCodes.Newobj); } @@ -85,7 +85,7 @@ namespace de4dot.code.deobfuscators { return; var iconType = builder.type("System.Drawing", "Icon", "System.Drawing"); var typeType = builder.type("System", "Type", builder.CorLib); - var newMethod = builder.instanceMethod(".ctor", iconType, builder.Void, typeType, builder.String); + var newMethod = builder.instanceMethod(".ctor", iconType.TypeDefOrRef, builder.Void, typeType, builder.String); add(oldMethod, newMethod, OpCodes.Newobj); } diff --git a/de4dot.code/deobfuscators/TypesRestorer.cs b/de4dot.code/deobfuscators/TypesRestorer.cs index d55fbf0b..e45c3a72 100644 --- a/de4dot.code/deobfuscators/TypesRestorer.cs +++ b/de4dot.code/deobfuscators/TypesRestorer.cs @@ -57,12 +57,12 @@ namespace de4dot.code.deobfuscators { } class TypeInfo { - Dictionary types = new Dictionary(); - public TypeReference newType = null; + Dictionary types = new Dictionary(TypeEqualityComparer.Instance); + public TypeSig newType = null; public T arg; bool newobjTypes; - public Dictionary Types { + public Dictionary Types { get { return types; } } @@ -70,11 +70,11 @@ namespace de4dot.code.deobfuscators { this.arg = arg; } - public void add(TypeReference type) { + public void add(TypeSig type) { add(type, false); } - public void add(TypeReference type, bool wasNewobj) { + public void add(TypeSig type, bool wasNewobj) { if (wasNewobj) { if (!newobjTypes) clear(); @@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators { } else if (newobjTypes) return; - types[new TypeReferenceKey(type)] = true; + types[type] = true; } public void clear() { @@ -93,19 +93,19 @@ namespace de4dot.code.deobfuscators { if (types.Count == 0) return false; - TypeReference theNewType = null; + TypeSig theNewType = null; foreach (var key in types.Keys) { if (theNewType == null) { - theNewType = key.TypeReference; + theNewType = key; continue; } - theNewType = getCommonBaseClass(module, theNewType, key.TypeReference); + theNewType = getCommonBaseClass(module, theNewType, key); if (theNewType == null) break; } if (theNewType == null) return false; - if (MemberReferenceHelper.compareTypes(theNewType, newType)) + if (new SigComparer().Equals(theNewType, newType)) return false; newType = theNewType; @@ -226,19 +226,19 @@ namespace de4dot.code.deobfuscators { bool deobfuscateMethods() { bool changed = false; foreach (var method in allMethods) { - methodReturnInfo = new TypeInfo(method.MethodReturnType.Parameter2); + methodReturnInfo = new TypeInfo(method.Parameters.ReturnParameter); deobfuscateMethod(method); if (methodReturnInfo.updateNewType(module)) { getUpdatedMethod(method).newReturnType = methodReturnInfo.newType; - method.MethodReturnType.ReturnType = methodReturnInfo.newType; + method.MethodSig.RetType = methodReturnInfo.newType; changed = true; } foreach (var info in argInfos.Values) { if (info.updateNewType(module)) { - getUpdatedMethod(method).newArgTypes[DotNetUtils.getArgIndex(info.arg)] = info.newType; - info.arg.ParameterType = info.newType; + getUpdatedMethod(method).newArgTypes[info.arg.Index] = info.newType; + info.arg.Type = info.newType; changed = true; } } @@ -250,14 +250,14 @@ namespace de4dot.code.deobfuscators { if (a.arg.Method.MDToken.ToInt32() < b.arg.Method.MDToken.ToInt32()) return -1; if (a.arg.Method.MDToken.ToInt32() > b.arg.Method.MDToken.ToInt32()) return 1; - return a.arg.Sequence.CompareTo(b.arg.Sequence); + return a.arg.Index.CompareTo(b.arg.Index); } void deobfuscateMethod(MethodDef method) { - if (!method.IsStatic || method.Body == null) + if (!method.IsStatic || method.CilBody == null) return; - bool fixReturnType = isUnknownType(method.MethodReturnType); + bool fixReturnType = isUnknownType(method.MethodSig.RetType); argInfos.Clear(); foreach (var arg in method.Parameters) { @@ -268,9 +268,9 @@ namespace de4dot.code.deobfuscators { if (argInfos.Count == 0 && !fixReturnType) return; - var methodParams = DotNetUtils.getParameters(method); + var methodParams = method.Parameters; PushedArgs pushedArgs; - var instructions = method.Body.Instructions; + var instructions = method.CilBody.Instructions; for (int i = 0; i < instructions.Count; i++) { var instr = instructions[i]; switch (instr.OpCode.Code) { @@ -289,7 +289,7 @@ namespace de4dot.code.deobfuscators { case Code.Callvirt: case Code.Newobj: pushedArgs = MethodStack.getPushedArgInstructions(instructions, i); - var calledMethod = instr.Operand as MethodReference; + var calledMethod = instr.Operand as IMethod; if (calledMethod == null) break; var calledMethodParams = DotNetUtils.getParameters(calledMethod); @@ -316,7 +316,7 @@ namespace de4dot.code.deobfuscators { pushedArgs = MethodStack.getPushedArgInstructions(instructions, i); if (pushedArgs.NumValidArgs < 1) break; - addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as TypeReference); + addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as ITypeDefOrRef); break; case Code.Stloc: @@ -328,20 +328,20 @@ namespace de4dot.code.deobfuscators { pushedArgs = MethodStack.getPushedArgInstructions(instructions, i); if (pushedArgs.NumValidArgs < 1) break; - addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), DotNetUtils.getLocalVar(method.Body.Variables, instr)); + addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.GetLocal(method.CilBody.LocalList)); break; case Code.Stsfld: pushedArgs = MethodStack.getPushedArgInstructions(instructions, i); if (pushedArgs.NumValidArgs < 1) break; - addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as FieldReference); + addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as IField); break; case Code.Stfld: pushedArgs = MethodStack.getPushedArgInstructions(instructions, i); if (pushedArgs.NumValidArgs >= 1) { - var field = instr.Operand as FieldReference; + var field = instr.Operand as IField; addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), field); if (pushedArgs.NumValidArgs >= 2 && field != null) addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(1)), field.DeclaringType); @@ -353,7 +353,7 @@ namespace de4dot.code.deobfuscators { pushedArgs = MethodStack.getPushedArgInstructions(instructions, i); if (pushedArgs.NumValidArgs < 1) break; - addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as FieldReference); + addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as IField); break; //TODO: For better results, these should be checked: @@ -422,32 +422,36 @@ namespace de4dot.code.deobfuscators { case Code.Ldarg_1: case Code.Ldarg_2: case Code.Ldarg_3: - return DotNetUtils.getParameter(parameters, instr); + return instr.GetParameter(parameters); default: return null; } } - bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, FieldReference field) { - if (field == null) + bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, IField field) { + if (field == null || field.FieldSig == null) return false; - return addMethodArgType(gpp, methodParam, field.FieldType); + return addMethodArgType(gpp, methodParam, field.FieldSig.Type); } - bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, VariableDefinition otherLocal) { + bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, Local otherLocal) { if (otherLocal == null) return false; - return addMethodArgType(gpp, methodParam, otherLocal.VariableType); + return addMethodArgType(gpp, methodParam, otherLocal.Type); } bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, Parameter otherParam) { if (otherParam == null) return false; - return addMethodArgType(gpp, methodParam, otherParam.ParameterType); + return addMethodArgType(gpp, methodParam, otherParam.Type); } - bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, TypeReference type) { + bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, ITypeDefOrRef type) { + return addMethodArgType(gpp, methodParam, type.ToTypeSig()); + } + + bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, TypeSig type) { if (methodParam == null || type == null) return false; @@ -457,7 +461,7 @@ namespace de4dot.code.deobfuscators { TypeInfo info; if (!argInfos.TryGetValue(methodParam, out info)) return false; - if (info.Types.ContainsKey(new TypeReferenceKey(type))) + if (info.Types.ContainsKey(type)) return false; info.add(type); @@ -469,18 +473,18 @@ namespace de4dot.code.deobfuscators { info.clear(); foreach (var method in allMethods) { - if (method.Body == null) + if (method.CilBody == null) continue; - var instructions = method.Body.Instructions; + var instructions = method.CilBody.Instructions; for (int i = 0; i < instructions.Count; i++) { var instr = instructions[i]; - TypeReference fieldType = null; + TypeSig fieldType = null; TypeInfo info = null; - FieldReference field; + IField field; switch (instr.OpCode.Code) { case Code.Stfld: case Code.Stsfld: - field = instr.Operand as FieldReference; + field = instr.Operand as IField; if (field == null) continue; if (!fieldWrites.TryGetValue(new FieldReferenceAndDeclaringTypeKey(field), out info)) @@ -497,17 +501,17 @@ namespace de4dot.code.deobfuscators { case Code.Callvirt: case Code.Newobj: var pushedArgs = MethodStack.getPushedArgInstructions(instructions, i); - var calledMethod = instr.Operand as MethodReference; + var calledMethod = instr.Operand as IMethod; if (calledMethod == null) continue; - IList calledMethodArgs = DotNetUtils.getArgs(calledMethod); + IList calledMethodArgs = DotNetUtils.getArgs(calledMethod); calledMethodArgs = DotNetUtils.replaceGenericParameters(calledMethod.DeclaringType as GenericInstanceType, calledMethod as GenericInstanceMethod, calledMethodArgs); for (int j = 0; j < pushedArgs.NumValidArgs; j++) { var pushInstr = pushedArgs.getEnd(j); if (pushInstr.OpCode.Code != Code.Ldfld && pushInstr.OpCode.Code != Code.Ldsfld) continue; - field = pushInstr.Operand as FieldReference; + field = pushInstr.Operand as IField; if (field == null) continue; if (!fieldWrites.TryGetValue(new FieldReferenceAndDeclaringTypeKey(field), out info)) @@ -531,7 +535,7 @@ namespace de4dot.code.deobfuscators { if (info.updateNewType(module)) { removeThese.Add(info.arg); getUpdatedField(info.arg).newFieldType = info.newType; - info.arg.FieldType = info.newType; + info.arg.FieldSig.Type = info.newType; changed = true; } } @@ -540,63 +544,52 @@ namespace de4dot.code.deobfuscators { return changed; } - TypeReference getLoadedType(IGenericParameterProvider gpp, MethodDef method, IList instructions, int instrIndex, out bool wasNewobj) { + TypeSig getLoadedType(IGenericParameterProvider gpp, MethodDef method, IList instructions, int instrIndex, out bool wasNewobj) { var fieldType = MethodStack.getLoadedType(method, instructions, instrIndex, out wasNewobj); if (fieldType == null || !isValidType(gpp, fieldType)) return null; return fieldType; } - protected virtual bool isValidType(IGenericParameterProvider gpp, TypeReference type) { + protected virtual bool isValidType(IGenericParameterProvider gpp, TypeSig type) { if (type == null) return false; - if (type.EType == ElementType.Void) + if (type.ElementType == ElementType.Void) return false; while (type != null) { - switch (MemberReferenceHelper.getMemberReferenceType(type)) { - case CecilType.GenericInstanceType: - foreach (var ga in ((GenericInstanceType)type).GenericArguments) { + switch (type.ElementType) { + case ElementType.GenericInst: + foreach (var ga in ((GenericInstSig)type).GenericArguments) { if (!isValidType(gpp, ga)) return false; } break; - case CecilType.ArrayType: - case CecilType.PointerType: - case CecilType.TypeDefinition: - case CecilType.TypeReference: + case ElementType.SZArray: + case ElementType.Array: + case ElementType.Ptr: + case ElementType.Class: + case ElementType.ValueType: break; - case CecilType.GenericParameter: - var gp = (GenericParameter)type; - var methodRef = gpp as MethodReference; - var typeRef = gpp as TypeReference; - if (methodRef != null) { - if (methodRef.DeclaringType != gp.Owner && methodRef != gp.Owner) - return false; - } - else if (typeRef != null) { - if (typeRef != gp.Owner) - return false; - } - else - return false; - break; + case ElementType.Var: + case ElementType.MVar: + // TODO: Return false for now. We don't know whether the Var is a Var in + // this type or from some other type. + return false; - case CecilType.ByReferenceType: - case CecilType.FunctionPointerType: - case CecilType.OptionalModifierType: - case CecilType.PinnedType: - case CecilType.RequiredModifierType: - case CecilType.SentinelType: + case ElementType.ByRef: + case ElementType.FnPtr: + case ElementType.CModOpt: + case ElementType.CModReqd: + case ElementType.Pinned: + case ElementType.Sentinel: default: return false; } - if (!(type is TypeSpecification)) - break; - type = ((TypeSpecification)type).ElementType; + type = type.Next; } return type != null; @@ -604,10 +597,10 @@ namespace de4dot.code.deobfuscators { protected abstract bool isUnknownType(object o); - static TypeReference getCommonBaseClass(ModuleDef module, TypeReference a, TypeReference b) { - if (DotNetUtils.isDelegate(a) && DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, b))) + static TypeSig getCommonBaseClass(ModuleDef module, TypeSig a, TypeSig b) { + if (DotNetUtils.isDelegate(a) && DotNetUtils.derivesFromDelegate(module.Find(b.ToTypeDefOrRef()))) return b; - if (DotNetUtils.isDelegate(b) && DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, a))) + if (DotNetUtils.isDelegate(b) && DotNetUtils.derivesFromDelegate(module.Find(a.ToTypeDefOrRef()))) return a; return null; //TODO: } @@ -618,12 +611,12 @@ namespace de4dot.code.deobfuscators { : base(module) { } - protected override bool isValidType(IGenericParameterProvider gpp, TypeReference type) { + protected override bool isValidType(IGenericParameterProvider gpp, TypeSig type) { if (type == null) return false; - if (type.IsValueType) + if (type.ElementType == ElementType.ValueType) return false; - if (MemberReferenceHelper.isSystemObject(type)) + if (type.ElementType == ElementType.Object) return false; return base.isValidType(gpp, type); } @@ -631,15 +624,11 @@ namespace de4dot.code.deobfuscators { protected override bool isUnknownType(object o) { var arg = o as Parameter; if (arg != null) - return MemberReferenceHelper.isSystemObject(arg.ParameterType); + return arg.Type != null && arg.Type.ElementType == ElementType.Object; var field = o as FieldDef; if (field != null) - return MemberReferenceHelper.isSystemObject(field.FieldType); - - var retType = o as MethodReturnType; - if (retType != null) - return MemberReferenceHelper.isSystemObject(retType.ReturnType); + return field.FieldSig != null && field.FieldSig.Type != null && field.FieldSig.Type.ElementType == ElementType.Object; throw new ApplicationException(string.Format("Unknown type: {0}", o.GetType())); } diff --git a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs index 4a3308cd..8cf49820 100644 --- a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs @@ -86,15 +86,16 @@ namespace de4dot.code.deobfuscators.Unknown { string scanTypes() { foreach (var type in module.Types) { - if (type.FullName == "ConfusedByAttribute") + var fn = type.FullName; + if (fn == "ConfusedByAttribute") return "Confuser"; - if (type.FullName == "ZYXDNGuarder") + if (fn == "ZYXDNGuarder") return "DNGuard HVM"; - if (type.Name.Contains("();\t")) + if (type.Name.String.Contains("();\t")) return "Manco .NET Obfuscator"; - if (Regex.IsMatch(type.FullName, @"^EMyPID_\d+_$")) + if (Regex.IsMatch(fn, @"^EMyPID_\d+_$")) return "BitHelmet Obfuscator"; - if (type.FullName == "YanoAttribute") + if (fn == "YanoAttribute") return "Yano Obfuscator"; } return null; diff --git a/de4dot.code/resources/ResourceDataCreator.cs b/de4dot.code/resources/ResourceDataCreator.cs index 8269c860..4701714c 100644 --- a/de4dot.code/resources/ResourceDataCreator.cs +++ b/de4dot.code/resources/ResourceDataCreator.cs @@ -22,15 +22,16 @@ using System.Collections.Generic; using System.IO; using System.Runtime.Serialization; using System.Runtime.Serialization.Formatters.Binary; -using Mono.Cecil; +using dot10.DotNet; +using dot10.DotNet.MD; namespace de4dot.code.resources { class ResourceDataCreator { - ModuleDefinition module; + ModuleDefMD module; Dictionary dict = new Dictionary(StringComparer.Ordinal); Dictionary asmNameToAsmFullName = new Dictionary(StringComparer.Ordinal); - public ResourceDataCreator(ModuleDefinition module) { + public ResourceDataCreator(ModuleDefMD module) { this.module = module; } @@ -210,19 +211,14 @@ namespace de4dot.code.resources { string tryGetRealAssemblyName(string assemblyName) { var simpleName = Utils.getAssemblySimpleName(assemblyName); - foreach (var asmRef in module.AssemblyReferences) { - if (asmRef.Name == simpleName) + var name = new UTF8String(simpleName); + foreach (var asmRef in module.GetAssemblyRefs()) { + if (asmRef.Name == name) return asmRef.FullName; } - try { - return AssemblyResolver.Instance.Resolve(simpleName).FullName; - } - catch (ResolutionException) { - } - catch (AssemblyResolutionException) { - } - return null; + var asm = AssemblyResolver.Instance.Resolve(new AssemblyNameInfo(simpleName), module); + return asm == null ? null : asm.FullName; } public List getSortedTypes() { diff --git a/de4dot.code/resources/ResourceReader.cs b/de4dot.code/resources/ResourceReader.cs index 57806aa6..6a32b081 100644 --- a/de4dot.code/resources/ResourceReader.cs +++ b/de4dot.code/resources/ResourceReader.cs @@ -22,7 +22,7 @@ using System.Collections.Generic; using System.IO; using System.Text; using System.Text.RegularExpressions; -using Mono.Cecil; +using dot10.DotNet; namespace de4dot.code.resources { [Serializable] @@ -33,17 +33,17 @@ namespace de4dot.code.resources { } class ResourceReader { - ModuleDefinition module; + ModuleDefMD module; BinaryReader reader; ResourceDataCreator resourceDataCreator; - ResourceReader(ModuleDefinition module, Stream stream) { + ResourceReader(ModuleDefMD module, Stream stream) { this.module = module; this.reader = new BinaryReader(stream); this.resourceDataCreator = new ResourceDataCreator(module); } - public static ResourceElementSet read(ModuleDefinition module, Stream stream) { + public static ResourceElementSet read(ModuleDefMD module, Stream stream) { return new ResourceReader(module, stream).read(); } diff --git a/de4dot.code/resources/ResourceWriter.cs b/de4dot.code/resources/ResourceWriter.cs index b3e60f30..56274369 100644 --- a/de4dot.code/resources/ResourceWriter.cs +++ b/de4dot.code/resources/ResourceWriter.cs @@ -23,24 +23,24 @@ using System.IO; using System.Runtime.Serialization; using System.Runtime.Serialization.Formatters.Binary; using System.Text; -using Mono.Cecil; +using dot10.DotNet; namespace de4dot.code.resources { class ResourceWriter { - ModuleDefinition module; + ModuleDefMD module; BinaryWriter writer; ResourceElementSet resources; ResourceDataCreator typeCreator; Dictionary dataToNewType = new Dictionary(); - ResourceWriter(ModuleDefinition module, Stream stream, ResourceElementSet resources) { + ResourceWriter(ModuleDefMD module, Stream stream, ResourceElementSet resources) { this.module = module; this.typeCreator = new ResourceDataCreator(module); this.writer = new BinaryWriter(stream); this.resources = resources; } - public static void write(ModuleDefinition module, Stream stream, ResourceElementSet resources) { + public static void write(ModuleDefMD module, Stream stream, ResourceElementSet resources) { new ResourceWriter(module, stream, resources).write(); } @@ -138,8 +138,8 @@ namespace de4dot.code.resources { } string getMscorlibFullname() { - AssemblyNameReference mscorlibRef = null; - foreach (var asmRef in module.AssemblyReferences) { + AssemblyRef mscorlibRef = null; + foreach (var asmRef in module.GetAssemblyRefs()) { if (asmRef.Name != "mscorlib") continue; if (mscorlibRef == null || mscorlibRef.Version == null || (asmRef.Version != null && asmRef.Version >= mscorlibRef.Version)) diff --git a/dot10 b/dot10 index 3b128874..4030f90e 160000 --- a/dot10 +++ b/dot10 @@ -1 +1 @@ -Subproject commit 3b128874ff6bd531f588c487e9aeb76fb62acfec +Subproject commit 4030f90eb8d1a71793dfd1772efc7b5e5513dff4