Port Skater.NET deobfuscator
This commit is contained in:
parent
19ed1ac219
commit
25cee0e206
|
@ -338,16 +338,26 @@ namespace de4dot.blocks {
|
|||
return getMethod(module, method, method.DeclaringType.ScopeType);
|
||||
}
|
||||
|
||||
static TypeDef getType(ModuleDef module, ITypeDefOrRef type) {
|
||||
public static TypeDef getType(ModuleDef module, TypeSig type) {
|
||||
type = type.RemovePinnedAndModifiers();
|
||||
var tdr = type as TypeDefOrRefSig;
|
||||
if (tdr == null)
|
||||
return null;
|
||||
return getType(module, tdr.TypeDefOrRef);
|
||||
}
|
||||
|
||||
public static TypeDef getType(ModuleDef module, ITypeDefOrRef type) {
|
||||
var td = type as TypeDef;
|
||||
if (td != null)
|
||||
return td;
|
||||
|
||||
var tr = type as TypeRef;
|
||||
if (tr != null)
|
||||
return tr.Resolve();
|
||||
|
||||
return null;
|
||||
if (td == null) {
|
||||
var tr = type as TypeRef;
|
||||
if (tr != null) {
|
||||
var trAsm = tr.DefinitionAssembly;
|
||||
var modAsm = module.Assembly;
|
||||
if (trAsm != null && modAsm != null && trAsm.Name == modAsm.Name)
|
||||
td = tr.Resolve();
|
||||
}
|
||||
}
|
||||
return td != null && td.OwnerModule == module ? td : null;
|
||||
}
|
||||
|
||||
static MethodDef getMethod(ModuleDef module, IMethod method, ITypeDefOrRef declaringType) {
|
||||
|
@ -751,13 +761,12 @@ namespace de4dot.blocks {
|
|||
return UTF8String.ToSystemStringOrEmpty((UTF8String)carg.Value);
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static IEnumerable<MethodDef> getCalledMethods(ModuleDefinition module, MethodDef method) {
|
||||
public static IEnumerable<MethodDef> getCalledMethods(ModuleDef module, MethodDef method) {
|
||||
if (method != null && method.HasBody) {
|
||||
foreach (var call in method.Body.Instructions) {
|
||||
if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
|
||||
continue;
|
||||
var methodRef = call.Operand as MethodReference;
|
||||
var methodRef = call.Operand as IMethod;
|
||||
if (methodRef == null)
|
||||
continue;
|
||||
var type = getType(module, methodRef.DeclaringType);
|
||||
|
@ -768,6 +777,7 @@ namespace de4dot.blocks {
|
|||
}
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static IList<Instruction> getInstructions(IList<Instruction> instructions, int i, params OpCode[] opcodes) {
|
||||
if (i + opcodes.Length > instructions.Count)
|
||||
return null;
|
||||
|
@ -1263,7 +1273,6 @@ namespace de4dot.blocks {
|
|||
return count;
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static bool callsMethod(MethodDef method, string methodFullName) {
|
||||
if (method == null || method.Body == null)
|
||||
return false;
|
||||
|
@ -1271,7 +1280,7 @@ namespace de4dot.blocks {
|
|||
foreach (var instr in method.Body.Instructions) {
|
||||
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt && instr.OpCode.Code != Code.Newobj)
|
||||
continue;
|
||||
var calledMethod = instr.Operand as MethodReference;
|
||||
var calledMethod = instr.Operand as IMethod;
|
||||
if (calledMethod == null)
|
||||
continue;
|
||||
if (calledMethod.FullName == methodFullName)
|
||||
|
@ -1281,6 +1290,7 @@ namespace de4dot.blocks {
|
|||
return false;
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static bool callsMethod(MethodDef method, string returnType, string parameters) {
|
||||
if (method == null || method.Body == null)
|
||||
return false;
|
||||
|
|
|
@ -231,9 +231,9 @@
|
|||
<Compile Include="deobfuscators\RandomNameChecker.cs" />
|
||||
<None Include="deobfuscators\Rummage\Deobfuscator.cs" />
|
||||
<None Include="deobfuscators\Rummage\StringDecrypter.cs" />
|
||||
<None Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
|
||||
<None Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
|
||||
<None Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
|
||||
<Compile Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\AssemblyResolver.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\AssemblyResolverInfo.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\AutomatedErrorReportingFinder.cs" />
|
||||
|
|
|
@ -90,7 +90,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
|||
}
|
||||
|
||||
bool hasAssemblyReference(string name) {
|
||||
foreach (var asmRef in module.AssemblyReferences) {
|
||||
foreach (var asmRef in module.GetAssemblyRefs()) {
|
||||
if (asmRef.Name == name)
|
||||
return true;
|
||||
}
|
||||
|
|
|
@ -23,10 +23,10 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.Skater_NET {
|
||||
class EnumClassFinder {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
FieldDef enumField;
|
||||
|
||||
public EnumClassFinder(ModuleDefinition module) {
|
||||
public EnumClassFinder(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
find();
|
||||
}
|
||||
|
@ -43,7 +43,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
|||
if (method.Name != ".ctor")
|
||||
continue;
|
||||
var field = type.Fields[0];
|
||||
var fieldType = DotNetUtils.getType(module, field.FieldType);
|
||||
var fieldType = DotNetUtils.getType(module, field.FieldSig.GetFieldType());
|
||||
if (fieldType == null)
|
||||
continue;
|
||||
if (!fieldType.IsEnum)
|
||||
|
@ -69,8 +69,8 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
|||
if (stfld.OpCode.Code != Code.Stfld)
|
||||
continue;
|
||||
|
||||
var field = stfld.Operand as FieldReference;
|
||||
if (!MemberReferenceHelper.compareFieldReferenceAndDeclaringType(enumField, field))
|
||||
var field = stfld.Operand as IField;
|
||||
if (!FieldEqualityComparer.CompareDeclaringTypes.Equals(enumField, field))
|
||||
continue;
|
||||
block.remove(i, 3);
|
||||
i--;
|
||||
|
|
|
@ -29,7 +29,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.Skater_NET {
|
||||
class StringDecrypter {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef decrypterType;
|
||||
MethodDef decrypterCctor;
|
||||
FieldDefinitionAndDeclaringTypeDict<string> fieldToDecryptedString = new FieldDefinitionAndDeclaringTypeDict<string>();
|
||||
|
@ -88,7 +88,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
|||
get { return decrypterType; }
|
||||
}
|
||||
|
||||
public StringDecrypter(ModuleDefinition module) {
|
||||
public StringDecrypter(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
|
@ -97,7 +97,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
|||
if (type.HasProperties || type.HasEvents)
|
||||
continue;
|
||||
|
||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
||||
var cctor = type.FindClassConstructor();
|
||||
if (cctor == null)
|
||||
continue;
|
||||
|
||||
|
@ -134,7 +134,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
|||
var field = instrs[i + 4].Operand as FieldDef;
|
||||
if (field == null)
|
||||
continue;
|
||||
if (!MemberReferenceHelper.compareTypes(field.DeclaringType, decrypterType))
|
||||
if (!new SigComparer().Equals(field.DeclaringType, decrypterType))
|
||||
continue;
|
||||
|
||||
fieldToDecryptedString.add(field, decrypter.decrypt(encryptedString));
|
||||
|
@ -228,7 +228,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
|||
foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod)) {
|
||||
if (!method.IsStatic || method.Body == null)
|
||||
continue;
|
||||
if (!MemberReferenceHelper.compareTypes(method.DeclaringType, decryptMethod.DeclaringType))
|
||||
if (!new SigComparer().Equals(method.DeclaringType, decryptMethod.DeclaringType))
|
||||
continue;
|
||||
if (!DotNetUtils.isMethod(method, "System.String", "()"))
|
||||
continue;
|
||||
|
@ -291,14 +291,14 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
|||
if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
|
||||
if (blocks.Method.DeclaringType == decrypterType)
|
||||
continue;
|
||||
var calledMethod = instr.Operand as MethodReference;
|
||||
var calledMethod = instr.Operand as IMethod;
|
||||
if (calledMethod != null && calledMethod.DeclaringType == decrypterType)
|
||||
canRemoveType = false;
|
||||
}
|
||||
else if (instr.OpCode.Code == Code.Ldsfld) {
|
||||
if (instr.OpCode.Code != Code.Ldsfld)
|
||||
continue;
|
||||
var field = instr.Operand as FieldReference;
|
||||
var field = instr.Operand as IField;
|
||||
if (field == null)
|
||||
continue;
|
||||
var decrypted = fieldToDecryptedString.find(field);
|
||||
|
|
|
@ -56,7 +56,9 @@ namespace de4dot.cui {
|
|||
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
|
||||
#endif
|
||||
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
|
||||
#if PORT
|
||||
new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Spices_Net.DeobfuscatorInfo(),
|
||||
#endif
|
||||
|
|
Loading…
Reference in New Issue
Block a user