Port Skater.NET deobfuscator

de4dot 2012-11-06 17:15:11 +01:00
parent 19ed1ac219
commit 25cee0e206
6 changed files with 42 additions and 30 deletions


@ -338,16 +338,26 @@ namespace de4dot.blocks {
return getMethod(module, method, method.DeclaringType.ScopeType);
}
static TypeDef getType(ModuleDef module, ITypeDefOrRef type) {
public static TypeDef getType(ModuleDef module, TypeSig type) {
type = type.RemovePinnedAndModifiers();
var tdr = type as TypeDefOrRefSig;
if (tdr == null)
return null;
return getType(module, tdr.TypeDefOrRef);
}
public static TypeDef getType(ModuleDef module, ITypeDefOrRef type) {
var td = type as TypeDef;
if (td != null)
return td;
var tr = type as TypeRef;
if (tr != null)
return tr.Resolve();
return null;
if (td == null) {
var tr = type as TypeRef;
if (tr != null) {
var trAsm = tr.DefinitionAssembly;
var modAsm = module.Assembly;
if (trAsm != null && modAsm != null && trAsm.Name == modAsm.Name)
td = tr.Resolve();
}
}
return td != null && td.OwnerModule == module ? td : null;
}
static MethodDef getMethod(ModuleDef module, IMethod method, ITypeDefOrRef declaringType) {
@ -751,13 +761,12 @@ namespace de4dot.blocks {
return UTF8String.ToSystemStringOrEmpty((UTF8String)carg.Value);
}
#if PORT
public static IEnumerable<MethodDef> getCalledMethods(ModuleDefinition module, MethodDef method) {
public static IEnumerable<MethodDef> getCalledMethods(ModuleDef module, MethodDef method) {
if (method != null && method.HasBody) {
foreach (var call in method.Body.Instructions) {
if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
continue;
var methodRef = call.Operand as MethodReference;
var methodRef = call.Operand as IMethod;
if (methodRef == null)
continue;
var type = getType(module, methodRef.DeclaringType);
@ -768,6 +777,7 @@ namespace de4dot.blocks {
}
}
#if PORT
public static IList<Instruction> getInstructions(IList<Instruction> instructions, int i, params OpCode[] opcodes) {
if (i + opcodes.Length > instructions.Count)
return null;
@ -1263,7 +1273,6 @@ namespace de4dot.blocks {
return count;
}
#if PORT
public static bool callsMethod(MethodDef method, string methodFullName) {
if (method == null || method.Body == null)
return false;
@ -1271,7 +1280,7 @@ namespace de4dot.blocks {
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt && instr.OpCode.Code != Code.Newobj)
continue;
var calledMethod = instr.Operand as MethodReference;
var calledMethod = instr.Operand as IMethod;
if (calledMethod == null)
continue;
if (calledMethod.FullName == methodFullName)
@ -1281,6 +1290,7 @@ namespace de4dot.blocks {
return false;
}
#if PORT
public static bool callsMethod(MethodDef method, string returnType, string parameters) {
if (method == null || method.Body == null)
return false;
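Review bot: The rewritten `getType(ModuleDef module, ITypeDefOrRef type)` in the first hunk changes its contract without a comment: it now calls `tr.Resolve()` only when `trAsm.Name == modAsm.Name`, and it returns null unless `td.OwnerModule == module`. The assembly check compares simple names only, so the final owner-module test is what actually keeps a TypeDef from another module from being returned, and it should not be mistaken for a redundant check. Every caller (for example `getCalledMethods`) inherits this filter, so I would add a doc comment such as `// Returns the TypeDef only if it is defined in 'module'; refs into other assemblies are never resolved.` The new `TypeSig` overload also calls `type.RemovePinnedAndModifiers()` before any null test; presumably the extension tolerates null, but a one-line remark would save the next reader the lookup.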


@ -231,9 +231,9 @@
<Compile Include="deobfuscators\RandomNameChecker.cs" />
<None Include="deobfuscators\Rummage\Deobfuscator.cs" />
<None Include="deobfuscators\Rummage\StringDecrypter.cs" />
<None Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
<None Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
<None Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
<Compile Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
<Compile Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
<Compile Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
<None Include="deobfuscators\SmartAssembly\AssemblyResolver.cs" />
<None Include="deobfuscators\SmartAssembly\AssemblyResolverInfo.cs" />
<None Include="deobfuscators\SmartAssembly\AutomatedErrorReportingFinder.cs" />


@ -90,7 +90,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
}
bool hasAssemblyReference(string name) {
foreach (var asmRef in module.AssemblyReferences) {
foreach (var asmRef in module.GetAssemblyRefs()) {
if (asmRef.Name == name)
return true;
}


@ -23,10 +23,10 @@ using de4dot.blocks;
namespace de4dot.code.deobfuscators.Skater_NET {
class EnumClassFinder {
ModuleDefinition module;
ModuleDefMD module;
FieldDef enumField;
public EnumClassFinder(ModuleDefinition module) {
public EnumClassFinder(ModuleDefMD module) {
this.module = module;
find();
}
@ -43,7 +43,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
if (method.Name != ".ctor")
continue;
var field = type.Fields[0];
var fieldType = DotNetUtils.getType(module, field.FieldType);
var fieldType = DotNetUtils.getType(module, field.FieldSig.GetFieldType());
if (fieldType == null)
continue;
if (!fieldType.IsEnum)
@ -69,8 +69,8 @@ namespace de4dot.code.deobfuscators.Skater_NET {
if (stfld.OpCode.Code != Code.Stfld)
continue;
var field = stfld.Operand as FieldReference;
if (!MemberReferenceHelper.compareFieldReferenceAndDeclaringType(enumField, field))
var field = stfld.Operand as IField;
if (!FieldEqualityComparer.CompareDeclaringTypes.Equals(enumField, field))
continue;
block.remove(i, 3);
i--;
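Review bot: In the last hunk, `stfld.Operand as IField` can yield null, and the result goes straight into `FieldEqualityComparer.CompareDeclaringTypes.Equals(enumField, field)`, so correctness rests on the comparer treating a null operand as unequal. If `enumField` were ever null as well (not visible from this hunk), a null-equals-null result would let `block.remove(i, 3)` run on an unrelated store. StringDecrypter in this same commit guards the equivalent cast explicitly; adding `if (field == null) continue;` before the comparison makes the intent visible and independent of comparer internals. The enclosing loop starts and ends outside the hunk.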


@ -29,7 +29,7 @@ using de4dot.blocks;
namespace de4dot.code.deobfuscators.Skater_NET {
class StringDecrypter {
ModuleDefinition module;
ModuleDefMD module;
TypeDef decrypterType;
MethodDef decrypterCctor;
FieldDefinitionAndDeclaringTypeDict<string> fieldToDecryptedString = new FieldDefinitionAndDeclaringTypeDict<string>();
@ -88,7 +88,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
get { return decrypterType; }
}
public StringDecrypter(ModuleDefinition module) {
public StringDecrypter(ModuleDefMD module) {
this.module = module;
}
@ -97,7 +97,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
if (type.HasProperties || type.HasEvents)
continue;
var cctor = DotNetUtils.getMethod(type, ".cctor");
var cctor = type.FindClassConstructor();
if (cctor == null)
continue;
@ -134,7 +134,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
var field = instrs[i + 4].Operand as FieldDef;
if (field == null)
continue;
if (!MemberReferenceHelper.compareTypes(field.DeclaringType, decrypterType))
if (!new SigComparer().Equals(field.DeclaringType, decrypterType))
continue;
fieldToDecryptedString.add(field, decrypter.decrypt(encryptedString));
@ -228,7 +228,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod)) {
if (!method.IsStatic || method.Body == null)
continue;
if (!MemberReferenceHelper.compareTypes(method.DeclaringType, decryptMethod.DeclaringType))
if (!new SigComparer().Equals(method.DeclaringType, decryptMethod.DeclaringType))
continue;
if (!DotNetUtils.isMethod(method, "System.String", "()"))
continue;
@ -291,14 +291,14 @@ namespace de4dot.code.deobfuscators.Skater_NET {
if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
if (blocks.Method.DeclaringType == decrypterType)
continue;
var calledMethod = instr.Operand as MethodReference;
var calledMethod = instr.Operand as IMethod;
if (calledMethod != null && calledMethod.DeclaringType == decrypterType)
canRemoveType = false;
}
else if (instr.OpCode.Code == Code.Ldsfld) {
if (instr.OpCode.Code != Code.Ldsfld)
continue;
var field = instr.Operand as FieldReference;
var field = instr.Operand as IField;
if (field == null)
continue;
var decrypted = fieldToDecryptedString.find(field);
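Review bot: In the last hunk the operand is now cast to `IMethod`, but the test that follows still uses reference equality, `calledMethod.DeclaringType == decrypterType`. If a call is encoded as a member reference rather than a method definition, its `DeclaringType` is presumably a type-reference object and never the same instance as the TypeDef, so `canRemoveType` would stay true and the decrypter type could be removed while still in use. Other comparisons in this file were switched to `new SigComparer().Equals(...)`; I would use `new SigComparer().Equals(calledMethod.DeclaringType, decrypterType)` here too, and likewise for the `blocks.Method.DeclaringType == decrypterType` test if that can see a non-TypeDef. The enclosing method begins and ends outside the hunk.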


@ -56,7 +56,9 @@ namespace de4dot.cui {
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
#endif
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
#if PORT
new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.Spices_Net.DeobfuscatorInfo(),
#endif