Port some more code
This commit is contained in:
parent
1341cc7199
commit
24c43d5a66
|
@ -713,6 +713,13 @@ namespace de4dot.blocks {
|
|||
return type.EType != ElementType.Void;
|
||||
}
|
||||
|
||||
public static bool hasReturnValue(DN.IMethod method) {
|
||||
if (method == null || method.MethodSig == null)
|
||||
return false;
|
||||
//TODO: Also remove modifiers from RetType before comparing etype
|
||||
return method.MethodSig.RetType.ElementType != DN.ElementType.Void;
|
||||
}
|
||||
|
||||
public static void updateStack(Instruction instr, ref int stack, bool methodHasReturnValue) {
|
||||
int pushes, pops;
|
||||
calculateStackUsage(instr, methodHasReturnValue, out pushes, out pops);
|
||||
|
@ -924,6 +931,12 @@ namespace de4dot.blocks {
|
|||
return null;
|
||||
}
|
||||
|
||||
public static DN.Parameter getParameter(IList<DN.Parameter> parameters, int index) {
|
||||
if (0 <= index && index < parameters.Count)
|
||||
return parameters[index];
|
||||
return null;
|
||||
}
|
||||
|
||||
public static List<TypeReference> getArgs(MethodReference method) {
|
||||
var args = new List<TypeReference>(method.Parameters.Count + 1);
|
||||
if (method.HasImplicitThis)
|
||||
|
|
|
@ -19,14 +19,14 @@
|
|||
|
||||
using System.Collections.Generic;
|
||||
using de4dot.code.deobfuscators;
|
||||
using Mono.Cecil;
|
||||
using dot10.DotNet;
|
||||
#if PORT
|
||||
using de4dot.code.renamer;
|
||||
#endif
|
||||
|
||||
namespace de4dot.code {
|
||||
public interface IObfuscatedFile {
|
||||
ModuleDefinition ModuleDefinition { get; }
|
||||
ModuleDefMD ModuleDefMD { get; }
|
||||
IDeobfuscator Deobfuscator { get; }
|
||||
IDeobfuscatorContext DeobfuscatorContext { get; set; }
|
||||
string Filename { get; }
|
||||
|
|
|
@ -24,6 +24,7 @@ using System.IO;
|
|||
using System.Text;
|
||||
using dot10.DotNet;
|
||||
using dot10.DotNet.Emit;
|
||||
using dot10.PE;
|
||||
using de4dot.code.deobfuscators;
|
||||
using de4dot.blocks;
|
||||
using de4dot.blocks.cflow;
|
||||
|
@ -31,7 +32,6 @@ using de4dot.code.AssemblyClient;
|
|||
#if PORT
|
||||
using de4dot.code.renamer;
|
||||
#endif
|
||||
using de4dot.PE;
|
||||
|
||||
namespace de4dot.code {
|
||||
public class ObfuscatedFile : IObfuscatedFile, IDeobfuscatedFile {
|
||||
|
@ -185,7 +185,7 @@ namespace de4dot.code {
|
|||
}
|
||||
|
||||
bool unpackNativeImage(IEnumerable<IDeobfuscator> deobfuscators) {
|
||||
var peImage = new PeImage(Utils.readFile(Filename));
|
||||
var peImage = new PEImage(Filename);
|
||||
|
||||
foreach (var deob in deobfuscators) {
|
||||
byte[] unpackedData = null;
|
||||
|
@ -731,11 +731,9 @@ namespace de4dot.code {
|
|||
return;
|
||||
|
||||
deobfuscate(method, "Deobfuscating control flow", (blocks) => {
|
||||
#if PORT
|
||||
var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators);
|
||||
cflowDeobfuscator.init(blocks);
|
||||
cflowDeobfuscator.deobfuscate();
|
||||
#endif
|
||||
});
|
||||
}
|
||||
|
||||
|
|
|
@ -20,12 +20,12 @@
|
|||
using System;
|
||||
using System.Collections.Generic;
|
||||
using dot10.DotNet;
|
||||
using dot10.PE;
|
||||
using de4dot.blocks;
|
||||
using de4dot.blocks.cflow;
|
||||
#if PORT
|
||||
using de4dot.code.renamer;
|
||||
#endif
|
||||
using de4dot.PE;
|
||||
|
||||
namespace de4dot.code.deobfuscators {
|
||||
public interface IDeobfuscatorOptions {
|
||||
|
@ -67,15 +67,13 @@ namespace de4dot.code.deobfuscators {
|
|||
StringFeatures StringFeatures { get; }
|
||||
RenamingOptions RenamingOptions { get; }
|
||||
DecrypterType DefaultDecrypterType { get; }
|
||||
#if PORT
|
||||
IEnumerable<IBlocksDeobfuscator> BlocksDeobfuscators { get; }
|
||||
#endif
|
||||
|
||||
// This is non-null only in detect() and deobfuscateBegin().
|
||||
IDeobfuscatedFile DeobfuscatedFile { get; set; }
|
||||
|
||||
// Returns null or the unpacked .NET PE file
|
||||
byte[] unpackNativeFile(PeImage peImage);
|
||||
byte[] unpackNativeFile(PEImage peImage);
|
||||
|
||||
void init(ModuleDefMD module);
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@ using dot10.DotNet.MD;
|
|||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators {
|
||||
class MemberReferenceBuilder : ICorLibTypes {
|
||||
class MemberReferenceBuilder {
|
||||
ModuleDefMD module;
|
||||
Dictionary<TypeSig, TypeSig> createdTypes = new Dictionary<TypeSig, TypeSig>(TypeEqualityComparer.Instance);
|
||||
|
||||
|
@ -36,10 +36,6 @@ namespace de4dot.code.deobfuscators {
|
|||
get { return module.CorLibTypes.AssemblyRef; }
|
||||
}
|
||||
|
||||
public AssemblyRef AssemblyRef {
|
||||
get { return module.CorLibTypes.AssemblyRef; }
|
||||
}
|
||||
|
||||
public CorLibTypeSig Object {
|
||||
get { return module.CorLibTypes.Object; }
|
||||
}
|
||||
|
|
|
@ -48,7 +48,7 @@ namespace de4dot.code.deobfuscators {
|
|||
return;
|
||||
var assemblyType = builder.type("System.Reflection", "Assembly", builder.CorLib);
|
||||
var streamType = builder.type("System.IO", "Stream", builder.CorLib);
|
||||
var newMethod = builder.instanceMethod("GetManifestResourceStream", assemblyType, streamType, builder.String);
|
||||
var newMethod = builder.instanceMethod("GetManifestResourceStream", assemblyType.TypeDefOrRef, streamType, builder.String);
|
||||
add(oldMethod, newMethod, OpCodes.Callvirt);
|
||||
}
|
||||
|
||||
|
@ -58,7 +58,7 @@ namespace de4dot.code.deobfuscators {
|
|||
var assemblyType = builder.type("System.Reflection", "Assembly", builder.CorLib);
|
||||
var typeType = builder.type("System", "Type", builder.CorLib);
|
||||
var streamType = builder.type("System.IO", "Stream", builder.CorLib);
|
||||
var newMethod = builder.instanceMethod("GetManifestResourceStream", assemblyType, streamType, typeType, builder.String);
|
||||
var newMethod = builder.instanceMethod("GetManifestResourceStream", assemblyType.TypeDefOrRef, streamType, typeType, builder.String);
|
||||
add(oldMethod, newMethod, OpCodes.Callvirt);
|
||||
}
|
||||
|
||||
|
@ -67,7 +67,7 @@ namespace de4dot.code.deobfuscators {
|
|||
return;
|
||||
var assemblyType = builder.type("System.Reflection", "Assembly", builder.CorLib);
|
||||
var stringArrayType = builder.array(builder.String);
|
||||
var newMethod = builder.instanceMethod("GetManifestResourceNames", assemblyType, stringArrayType);
|
||||
var newMethod = builder.instanceMethod("GetManifestResourceNames", assemblyType.TypeDefOrRef, stringArrayType);
|
||||
add(oldMethod, newMethod, OpCodes.Callvirt);
|
||||
}
|
||||
|
||||
|
@ -76,7 +76,7 @@ namespace de4dot.code.deobfuscators {
|
|||
return;
|
||||
var bitmapType = builder.type("System.Drawing", "Bitmap", "System.Drawing");
|
||||
var typeType = builder.type("System", "Type", builder.CorLib);
|
||||
var newMethod = builder.instanceMethod(".ctor", bitmapType, builder.Void, typeType, builder.String);
|
||||
var newMethod = builder.instanceMethod(".ctor", bitmapType.TypeDefOrRef, builder.Void, typeType, builder.String);
|
||||
add(oldMethod, newMethod, OpCodes.Newobj);
|
||||
}
|
||||
|
||||
|
@ -85,7 +85,7 @@ namespace de4dot.code.deobfuscators {
|
|||
return;
|
||||
var iconType = builder.type("System.Drawing", "Icon", "System.Drawing");
|
||||
var typeType = builder.type("System", "Type", builder.CorLib);
|
||||
var newMethod = builder.instanceMethod(".ctor", iconType, builder.Void, typeType, builder.String);
|
||||
var newMethod = builder.instanceMethod(".ctor", iconType.TypeDefOrRef, builder.Void, typeType, builder.String);
|
||||
add(oldMethod, newMethod, OpCodes.Newobj);
|
||||
}
|
||||
|
||||
|
|
|
@ -57,12 +57,12 @@ namespace de4dot.code.deobfuscators {
|
|||
}
|
||||
|
||||
class TypeInfo<T> {
|
||||
Dictionary<TypeReferenceKey, bool> types = new Dictionary<TypeReferenceKey, bool>();
|
||||
public TypeReference newType = null;
|
||||
Dictionary<TypeSig, bool> types = new Dictionary<TypeSig, bool>(TypeEqualityComparer.Instance);
|
||||
public TypeSig newType = null;
|
||||
public T arg;
|
||||
bool newobjTypes;
|
||||
|
||||
public Dictionary<TypeReferenceKey, bool> Types {
|
||||
public Dictionary<TypeSig, bool> Types {
|
||||
get { return types; }
|
||||
}
|
||||
|
||||
|
@ -70,11 +70,11 @@ namespace de4dot.code.deobfuscators {
|
|||
this.arg = arg;
|
||||
}
|
||||
|
||||
public void add(TypeReference type) {
|
||||
public void add(TypeSig type) {
|
||||
add(type, false);
|
||||
}
|
||||
|
||||
public void add(TypeReference type, bool wasNewobj) {
|
||||
public void add(TypeSig type, bool wasNewobj) {
|
||||
if (wasNewobj) {
|
||||
if (!newobjTypes)
|
||||
clear();
|
||||
|
@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators {
|
|||
}
|
||||
else if (newobjTypes)
|
||||
return;
|
||||
types[new TypeReferenceKey(type)] = true;
|
||||
types[type] = true;
|
||||
}
|
||||
|
||||
public void clear() {
|
||||
|
@ -93,19 +93,19 @@ namespace de4dot.code.deobfuscators {
|
|||
if (types.Count == 0)
|
||||
return false;
|
||||
|
||||
TypeReference theNewType = null;
|
||||
TypeSig theNewType = null;
|
||||
foreach (var key in types.Keys) {
|
||||
if (theNewType == null) {
|
||||
theNewType = key.TypeReference;
|
||||
theNewType = key;
|
||||
continue;
|
||||
}
|
||||
theNewType = getCommonBaseClass(module, theNewType, key.TypeReference);
|
||||
theNewType = getCommonBaseClass(module, theNewType, key);
|
||||
if (theNewType == null)
|
||||
break;
|
||||
}
|
||||
if (theNewType == null)
|
||||
return false;
|
||||
if (MemberReferenceHelper.compareTypes(theNewType, newType))
|
||||
if (new SigComparer().Equals(theNewType, newType))
|
||||
return false;
|
||||
|
||||
newType = theNewType;
|
||||
|
@ -226,19 +226,19 @@ namespace de4dot.code.deobfuscators {
|
|||
bool deobfuscateMethods() {
|
||||
bool changed = false;
|
||||
foreach (var method in allMethods) {
|
||||
methodReturnInfo = new TypeInfo<Parameter>(method.MethodReturnType.Parameter2);
|
||||
methodReturnInfo = new TypeInfo<Parameter>(method.Parameters.ReturnParameter);
|
||||
deobfuscateMethod(method);
|
||||
|
||||
if (methodReturnInfo.updateNewType(module)) {
|
||||
getUpdatedMethod(method).newReturnType = methodReturnInfo.newType;
|
||||
method.MethodReturnType.ReturnType = methodReturnInfo.newType;
|
||||
method.MethodSig.RetType = methodReturnInfo.newType;
|
||||
changed = true;
|
||||
}
|
||||
|
||||
foreach (var info in argInfos.Values) {
|
||||
if (info.updateNewType(module)) {
|
||||
getUpdatedMethod(method).newArgTypes[DotNetUtils.getArgIndex(info.arg)] = info.newType;
|
||||
info.arg.ParameterType = info.newType;
|
||||
getUpdatedMethod(method).newArgTypes[info.arg.Index] = info.newType;
|
||||
info.arg.Type = info.newType;
|
||||
changed = true;
|
||||
}
|
||||
}
|
||||
|
@ -250,14 +250,14 @@ namespace de4dot.code.deobfuscators {
|
|||
if (a.arg.Method.MDToken.ToInt32() < b.arg.Method.MDToken.ToInt32()) return -1;
|
||||
if (a.arg.Method.MDToken.ToInt32() > b.arg.Method.MDToken.ToInt32()) return 1;
|
||||
|
||||
return a.arg.Sequence.CompareTo(b.arg.Sequence);
|
||||
return a.arg.Index.CompareTo(b.arg.Index);
|
||||
}
|
||||
|
||||
void deobfuscateMethod(MethodDef method) {
|
||||
if (!method.IsStatic || method.Body == null)
|
||||
if (!method.IsStatic || method.CilBody == null)
|
||||
return;
|
||||
|
||||
bool fixReturnType = isUnknownType(method.MethodReturnType);
|
||||
bool fixReturnType = isUnknownType(method.MethodSig.RetType);
|
||||
|
||||
argInfos.Clear();
|
||||
foreach (var arg in method.Parameters) {
|
||||
|
@ -268,9 +268,9 @@ namespace de4dot.code.deobfuscators {
|
|||
if (argInfos.Count == 0 && !fixReturnType)
|
||||
return;
|
||||
|
||||
var methodParams = DotNetUtils.getParameters(method);
|
||||
var methodParams = method.Parameters;
|
||||
PushedArgs pushedArgs;
|
||||
var instructions = method.Body.Instructions;
|
||||
var instructions = method.CilBody.Instructions;
|
||||
for (int i = 0; i < instructions.Count; i++) {
|
||||
var instr = instructions[i];
|
||||
switch (instr.OpCode.Code) {
|
||||
|
@ -289,7 +289,7 @@ namespace de4dot.code.deobfuscators {
|
|||
case Code.Callvirt:
|
||||
case Code.Newobj:
|
||||
pushedArgs = MethodStack.getPushedArgInstructions(instructions, i);
|
||||
var calledMethod = instr.Operand as MethodReference;
|
||||
var calledMethod = instr.Operand as IMethod;
|
||||
if (calledMethod == null)
|
||||
break;
|
||||
var calledMethodParams = DotNetUtils.getParameters(calledMethod);
|
||||
|
@ -316,7 +316,7 @@ namespace de4dot.code.deobfuscators {
|
|||
pushedArgs = MethodStack.getPushedArgInstructions(instructions, i);
|
||||
if (pushedArgs.NumValidArgs < 1)
|
||||
break;
|
||||
addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as TypeReference);
|
||||
addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as ITypeDefOrRef);
|
||||
break;
|
||||
|
||||
case Code.Stloc:
|
||||
|
@ -328,20 +328,20 @@ namespace de4dot.code.deobfuscators {
|
|||
pushedArgs = MethodStack.getPushedArgInstructions(instructions, i);
|
||||
if (pushedArgs.NumValidArgs < 1)
|
||||
break;
|
||||
addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), DotNetUtils.getLocalVar(method.Body.Variables, instr));
|
||||
addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.GetLocal(method.CilBody.LocalList));
|
||||
break;
|
||||
|
||||
case Code.Stsfld:
|
||||
pushedArgs = MethodStack.getPushedArgInstructions(instructions, i);
|
||||
if (pushedArgs.NumValidArgs < 1)
|
||||
break;
|
||||
addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as FieldReference);
|
||||
addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as IField);
|
||||
break;
|
||||
|
||||
case Code.Stfld:
|
||||
pushedArgs = MethodStack.getPushedArgInstructions(instructions, i);
|
||||
if (pushedArgs.NumValidArgs >= 1) {
|
||||
var field = instr.Operand as FieldReference;
|
||||
var field = instr.Operand as IField;
|
||||
addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), field);
|
||||
if (pushedArgs.NumValidArgs >= 2 && field != null)
|
||||
addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(1)), field.DeclaringType);
|
||||
|
@ -353,7 +353,7 @@ namespace de4dot.code.deobfuscators {
|
|||
pushedArgs = MethodStack.getPushedArgInstructions(instructions, i);
|
||||
if (pushedArgs.NumValidArgs < 1)
|
||||
break;
|
||||
addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as FieldReference);
|
||||
addMethodArgType(method, getParameter(methodParams, pushedArgs.getEnd(0)), instr.Operand as IField);
|
||||
break;
|
||||
|
||||
//TODO: For better results, these should be checked:
|
||||
|
@ -422,32 +422,36 @@ namespace de4dot.code.deobfuscators {
|
|||
case Code.Ldarg_1:
|
||||
case Code.Ldarg_2:
|
||||
case Code.Ldarg_3:
|
||||
return DotNetUtils.getParameter(parameters, instr);
|
||||
return instr.GetParameter(parameters);
|
||||
|
||||
default:
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, FieldReference field) {
|
||||
if (field == null)
|
||||
bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, IField field) {
|
||||
if (field == null || field.FieldSig == null)
|
||||
return false;
|
||||
return addMethodArgType(gpp, methodParam, field.FieldType);
|
||||
return addMethodArgType(gpp, methodParam, field.FieldSig.Type);
|
||||
}
|
||||
|
||||
bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, VariableDefinition otherLocal) {
|
||||
bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, Local otherLocal) {
|
||||
if (otherLocal == null)
|
||||
return false;
|
||||
return addMethodArgType(gpp, methodParam, otherLocal.VariableType);
|
||||
return addMethodArgType(gpp, methodParam, otherLocal.Type);
|
||||
}
|
||||
|
||||
bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, Parameter otherParam) {
|
||||
if (otherParam == null)
|
||||
return false;
|
||||
return addMethodArgType(gpp, methodParam, otherParam.ParameterType);
|
||||
return addMethodArgType(gpp, methodParam, otherParam.Type);
|
||||
}
|
||||
|
||||
bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, TypeReference type) {
|
||||
bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, ITypeDefOrRef type) {
|
||||
return addMethodArgType(gpp, methodParam, type.ToTypeSig());
|
||||
}
|
||||
|
||||
bool addMethodArgType(IGenericParameterProvider gpp, Parameter methodParam, TypeSig type) {
|
||||
if (methodParam == null || type == null)
|
||||
return false;
|
||||
|
||||
|
@ -457,7 +461,7 @@ namespace de4dot.code.deobfuscators {
|
|||
TypeInfo<Parameter> info;
|
||||
if (!argInfos.TryGetValue(methodParam, out info))
|
||||
return false;
|
||||
if (info.Types.ContainsKey(new TypeReferenceKey(type)))
|
||||
if (info.Types.ContainsKey(type))
|
||||
return false;
|
||||
|
||||
info.add(type);
|
||||
|
@ -469,18 +473,18 @@ namespace de4dot.code.deobfuscators {
|
|||
info.clear();
|
||||
|
||||
foreach (var method in allMethods) {
|
||||
if (method.Body == null)
|
||||
if (method.CilBody == null)
|
||||
continue;
|
||||
var instructions = method.Body.Instructions;
|
||||
var instructions = method.CilBody.Instructions;
|
||||
for (int i = 0; i < instructions.Count; i++) {
|
||||
var instr = instructions[i];
|
||||
TypeReference fieldType = null;
|
||||
TypeSig fieldType = null;
|
||||
TypeInfo<FieldDef> info = null;
|
||||
FieldReference field;
|
||||
IField field;
|
||||
switch (instr.OpCode.Code) {
|
||||
case Code.Stfld:
|
||||
case Code.Stsfld:
|
||||
field = instr.Operand as FieldReference;
|
||||
field = instr.Operand as IField;
|
||||
if (field == null)
|
||||
continue;
|
||||
if (!fieldWrites.TryGetValue(new FieldReferenceAndDeclaringTypeKey(field), out info))
|
||||
|
@ -497,17 +501,17 @@ namespace de4dot.code.deobfuscators {
|
|||
case Code.Callvirt:
|
||||
case Code.Newobj:
|
||||
var pushedArgs = MethodStack.getPushedArgInstructions(instructions, i);
|
||||
var calledMethod = instr.Operand as MethodReference;
|
||||
var calledMethod = instr.Operand as IMethod;
|
||||
if (calledMethod == null)
|
||||
continue;
|
||||
IList<TypeReference> calledMethodArgs = DotNetUtils.getArgs(calledMethod);
|
||||
IList<TypeSig> calledMethodArgs = DotNetUtils.getArgs(calledMethod);
|
||||
calledMethodArgs = DotNetUtils.replaceGenericParameters(calledMethod.DeclaringType as GenericInstanceType, calledMethod as GenericInstanceMethod, calledMethodArgs);
|
||||
for (int j = 0; j < pushedArgs.NumValidArgs; j++) {
|
||||
var pushInstr = pushedArgs.getEnd(j);
|
||||
if (pushInstr.OpCode.Code != Code.Ldfld && pushInstr.OpCode.Code != Code.Ldsfld)
|
||||
continue;
|
||||
|
||||
field = pushInstr.Operand as FieldReference;
|
||||
field = pushInstr.Operand as IField;
|
||||
if (field == null)
|
||||
continue;
|
||||
if (!fieldWrites.TryGetValue(new FieldReferenceAndDeclaringTypeKey(field), out info))
|
||||
|
@ -531,7 +535,7 @@ namespace de4dot.code.deobfuscators {
|
|||
if (info.updateNewType(module)) {
|
||||
removeThese.Add(info.arg);
|
||||
getUpdatedField(info.arg).newFieldType = info.newType;
|
||||
info.arg.FieldType = info.newType;
|
||||
info.arg.FieldSig.Type = info.newType;
|
||||
changed = true;
|
||||
}
|
||||
}
|
||||
|
@ -540,63 +544,52 @@ namespace de4dot.code.deobfuscators {
|
|||
return changed;
|
||||
}
|
||||
|
||||
TypeReference getLoadedType(IGenericParameterProvider gpp, MethodDef method, IList<Instruction> instructions, int instrIndex, out bool wasNewobj) {
|
||||
TypeSig getLoadedType(IGenericParameterProvider gpp, MethodDef method, IList<Instruction> instructions, int instrIndex, out bool wasNewobj) {
|
||||
var fieldType = MethodStack.getLoadedType(method, instructions, instrIndex, out wasNewobj);
|
||||
if (fieldType == null || !isValidType(gpp, fieldType))
|
||||
return null;
|
||||
return fieldType;
|
||||
}
|
||||
|
||||
protected virtual bool isValidType(IGenericParameterProvider gpp, TypeReference type) {
|
||||
protected virtual bool isValidType(IGenericParameterProvider gpp, TypeSig type) {
|
||||
if (type == null)
|
||||
return false;
|
||||
if (type.EType == ElementType.Void)
|
||||
if (type.ElementType == ElementType.Void)
|
||||
return false;
|
||||
|
||||
while (type != null) {
|
||||
switch (MemberReferenceHelper.getMemberReferenceType(type)) {
|
||||
case CecilType.GenericInstanceType:
|
||||
foreach (var ga in ((GenericInstanceType)type).GenericArguments) {
|
||||
switch (type.ElementType) {
|
||||
case ElementType.GenericInst:
|
||||
foreach (var ga in ((GenericInstSig)type).GenericArguments) {
|
||||
if (!isValidType(gpp, ga))
|
||||
return false;
|
||||
}
|
||||
break;
|
||||
|
||||
case CecilType.ArrayType:
|
||||
case CecilType.PointerType:
|
||||
case CecilType.TypeDefinition:
|
||||
case CecilType.TypeReference:
|
||||
case ElementType.SZArray:
|
||||
case ElementType.Array:
|
||||
case ElementType.Ptr:
|
||||
case ElementType.Class:
|
||||
case ElementType.ValueType:
|
||||
break;
|
||||
|
||||
case CecilType.GenericParameter:
|
||||
var gp = (GenericParameter)type;
|
||||
var methodRef = gpp as MethodReference;
|
||||
var typeRef = gpp as TypeReference;
|
||||
if (methodRef != null) {
|
||||
if (methodRef.DeclaringType != gp.Owner && methodRef != gp.Owner)
|
||||
case ElementType.Var:
|
||||
case ElementType.MVar:
|
||||
// TODO: Return false for now. We don't know whether the Var is a Var in
|
||||
// this type or from some other type.
|
||||
return false;
|
||||
}
|
||||
else if (typeRef != null) {
|
||||
if (typeRef != gp.Owner)
|
||||
return false;
|
||||
}
|
||||
else
|
||||
return false;
|
||||
break;
|
||||
|
||||
case CecilType.ByReferenceType:
|
||||
case CecilType.FunctionPointerType:
|
||||
case CecilType.OptionalModifierType:
|
||||
case CecilType.PinnedType:
|
||||
case CecilType.RequiredModifierType:
|
||||
case CecilType.SentinelType:
|
||||
case ElementType.ByRef:
|
||||
case ElementType.FnPtr:
|
||||
case ElementType.CModOpt:
|
||||
case ElementType.CModReqd:
|
||||
case ElementType.Pinned:
|
||||
case ElementType.Sentinel:
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!(type is TypeSpecification))
|
||||
break;
|
||||
type = ((TypeSpecification)type).ElementType;
|
||||
type = type.Next;
|
||||
}
|
||||
|
||||
return type != null;
|
||||
|
@ -604,10 +597,10 @@ namespace de4dot.code.deobfuscators {
|
|||
|
||||
protected abstract bool isUnknownType(object o);
|
||||
|
||||
static TypeReference getCommonBaseClass(ModuleDef module, TypeReference a, TypeReference b) {
|
||||
if (DotNetUtils.isDelegate(a) && DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, b)))
|
||||
static TypeSig getCommonBaseClass(ModuleDef module, TypeSig a, TypeSig b) {
|
||||
if (DotNetUtils.isDelegate(a) && DotNetUtils.derivesFromDelegate(module.Find(b.ToTypeDefOrRef())))
|
||||
return b;
|
||||
if (DotNetUtils.isDelegate(b) && DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, a)))
|
||||
if (DotNetUtils.isDelegate(b) && DotNetUtils.derivesFromDelegate(module.Find(a.ToTypeDefOrRef())))
|
||||
return a;
|
||||
return null; //TODO:
|
||||
}
|
||||
|
@ -618,12 +611,12 @@ namespace de4dot.code.deobfuscators {
|
|||
: base(module) {
|
||||
}
|
||||
|
||||
protected override bool isValidType(IGenericParameterProvider gpp, TypeReference type) {
|
||||
protected override bool isValidType(IGenericParameterProvider gpp, TypeSig type) {
|
||||
if (type == null)
|
||||
return false;
|
||||
if (type.IsValueType)
|
||||
if (type.ElementType == ElementType.ValueType)
|
||||
return false;
|
||||
if (MemberReferenceHelper.isSystemObject(type))
|
||||
if (type.ElementType == ElementType.Object)
|
||||
return false;
|
||||
return base.isValidType(gpp, type);
|
||||
}
|
||||
|
@ -631,15 +624,11 @@ namespace de4dot.code.deobfuscators {
|
|||
protected override bool isUnknownType(object o) {
|
||||
var arg = o as Parameter;
|
||||
if (arg != null)
|
||||
return MemberReferenceHelper.isSystemObject(arg.ParameterType);
|
||||
return arg.Type != null && arg.Type.ElementType == ElementType.Object;
|
||||
|
||||
var field = o as FieldDef;
|
||||
if (field != null)
|
||||
return MemberReferenceHelper.isSystemObject(field.FieldType);
|
||||
|
||||
var retType = o as MethodReturnType;
|
||||
if (retType != null)
|
||||
return MemberReferenceHelper.isSystemObject(retType.ReturnType);
|
||||
return field.FieldSig != null && field.FieldSig.Type != null && field.FieldSig.Type.ElementType == ElementType.Object;
|
||||
|
||||
throw new ApplicationException(string.Format("Unknown type: {0}", o.GetType()));
|
||||
}
|
||||
|
|
|
@ -86,15 +86,16 @@ namespace de4dot.code.deobfuscators.Unknown {
|
|||
|
||||
string scanTypes() {
|
||||
foreach (var type in module.Types) {
|
||||
if (type.FullName == "ConfusedByAttribute")
|
||||
var fn = type.FullName;
|
||||
if (fn == "ConfusedByAttribute")
|
||||
return "Confuser";
|
||||
if (type.FullName == "ZYXDNGuarder")
|
||||
if (fn == "ZYXDNGuarder")
|
||||
return "DNGuard HVM";
|
||||
if (type.Name.Contains("();\t"))
|
||||
if (type.Name.String.Contains("();\t"))
|
||||
return "Manco .NET Obfuscator";
|
||||
if (Regex.IsMatch(type.FullName, @"^EMyPID_\d+_$"))
|
||||
if (Regex.IsMatch(fn, @"^EMyPID_\d+_$"))
|
||||
return "BitHelmet Obfuscator";
|
||||
if (type.FullName == "YanoAttribute")
|
||||
if (fn == "YanoAttribute")
|
||||
return "Yano Obfuscator";
|
||||
}
|
||||
return null;
|
||||
|
|
|
@ -22,15 +22,16 @@ using System.Collections.Generic;
|
|||
using System.IO;
|
||||
using System.Runtime.Serialization;
|
||||
using System.Runtime.Serialization.Formatters.Binary;
|
||||
using Mono.Cecil;
|
||||
using dot10.DotNet;
|
||||
using dot10.DotNet.MD;
|
||||
|
||||
namespace de4dot.code.resources {
|
||||
class ResourceDataCreator {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
Dictionary<string, UserResourceType> dict = new Dictionary<string, UserResourceType>(StringComparer.Ordinal);
|
||||
Dictionary<string, string> asmNameToAsmFullName = new Dictionary<string, string>(StringComparer.Ordinal);
|
||||
|
||||
public ResourceDataCreator(ModuleDefinition module) {
|
||||
public ResourceDataCreator(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
|
@ -210,19 +211,14 @@ namespace de4dot.code.resources {
|
|||
string tryGetRealAssemblyName(string assemblyName) {
|
||||
var simpleName = Utils.getAssemblySimpleName(assemblyName);
|
||||
|
||||
foreach (var asmRef in module.AssemblyReferences) {
|
||||
if (asmRef.Name == simpleName)
|
||||
var name = new UTF8String(simpleName);
|
||||
foreach (var asmRef in module.GetAssemblyRefs()) {
|
||||
if (asmRef.Name == name)
|
||||
return asmRef.FullName;
|
||||
}
|
||||
|
||||
try {
|
||||
return AssemblyResolver.Instance.Resolve(simpleName).FullName;
|
||||
}
|
||||
catch (ResolutionException) {
|
||||
}
|
||||
catch (AssemblyResolutionException) {
|
||||
}
|
||||
return null;
|
||||
var asm = AssemblyResolver.Instance.Resolve(new AssemblyNameInfo(simpleName), module);
|
||||
return asm == null ? null : asm.FullName;
|
||||
}
|
||||
|
||||
public List<UserResourceType> getSortedTypes() {
|
||||
|
|
|
@ -22,7 +22,7 @@ using System.Collections.Generic;
|
|||
using System.IO;
|
||||
using System.Text;
|
||||
using System.Text.RegularExpressions;
|
||||
using Mono.Cecil;
|
||||
using dot10.DotNet;
|
||||
|
||||
namespace de4dot.code.resources {
|
||||
[Serializable]
|
||||
|
@ -33,17 +33,17 @@ namespace de4dot.code.resources {
|
|||
}
|
||||
|
||||
class ResourceReader {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
BinaryReader reader;
|
||||
ResourceDataCreator resourceDataCreator;
|
||||
|
||||
ResourceReader(ModuleDefinition module, Stream stream) {
|
||||
ResourceReader(ModuleDefMD module, Stream stream) {
|
||||
this.module = module;
|
||||
this.reader = new BinaryReader(stream);
|
||||
this.resourceDataCreator = new ResourceDataCreator(module);
|
||||
}
|
||||
|
||||
public static ResourceElementSet read(ModuleDefinition module, Stream stream) {
|
||||
public static ResourceElementSet read(ModuleDefMD module, Stream stream) {
|
||||
return new ResourceReader(module, stream).read();
|
||||
}
|
||||
|
||||
|
|
|
@ -23,24 +23,24 @@ using System.IO;
|
|||
using System.Runtime.Serialization;
|
||||
using System.Runtime.Serialization.Formatters.Binary;
|
||||
using System.Text;
|
||||
using Mono.Cecil;
|
||||
using dot10.DotNet;
|
||||
|
||||
namespace de4dot.code.resources {
|
||||
class ResourceWriter {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
BinaryWriter writer;
|
||||
ResourceElementSet resources;
|
||||
ResourceDataCreator typeCreator;
|
||||
Dictionary<UserResourceData, UserResourceType> dataToNewType = new Dictionary<UserResourceData, UserResourceType>();
|
||||
|
||||
ResourceWriter(ModuleDefinition module, Stream stream, ResourceElementSet resources) {
|
||||
ResourceWriter(ModuleDefMD module, Stream stream, ResourceElementSet resources) {
|
||||
this.module = module;
|
||||
this.typeCreator = new ResourceDataCreator(module);
|
||||
this.writer = new BinaryWriter(stream);
|
||||
this.resources = resources;
|
||||
}
|
||||
|
||||
public static void write(ModuleDefinition module, Stream stream, ResourceElementSet resources) {
|
||||
public static void write(ModuleDefMD module, Stream stream, ResourceElementSet resources) {
|
||||
new ResourceWriter(module, stream, resources).write();
|
||||
}
|
||||
|
||||
|
@ -138,8 +138,8 @@ namespace de4dot.code.resources {
|
|||
}
|
||||
|
||||
string getMscorlibFullname() {
|
||||
AssemblyNameReference mscorlibRef = null;
|
||||
foreach (var asmRef in module.AssemblyReferences) {
|
||||
AssemblyRef mscorlibRef = null;
|
||||
foreach (var asmRef in module.GetAssemblyRefs()) {
|
||||
if (asmRef.Name != "mscorlib")
|
||||
continue;
|
||||
if (mscorlibRef == null || mscorlibRef.Version == null || (asmRef.Version != null && asmRef.Version >= mscorlibRef.Version))
|
||||
|
|
2
dot10
2
dot10
|
@ -1 +1 @@
|
|||
Subproject commit 3b128874ff6bd531f588c487e9aeb76fb62acfec
|
||||
Subproject commit 4030f90eb8d1a71793dfd1772efc7b5e5513dff4
|
Loading…
Reference in New Issue
Block a user