From 25cee0e206247ac4f504326c550713e2c425f943 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 6 Nov 2012 17:15:11 +0100
Subject: [PATCH] Port Skater.NET deobfuscator

---
 blocks/DotNetUtils.cs                         | 38 ++++++++++++-------
 de4dot.code/de4dot.code.csproj                |  6 +--
 .../deobfuscators/Skater_NET/Deobfuscator.cs  |  2 +-
 .../Skater_NET/EnumClassFinder.cs             | 10 ++---
 .../Skater_NET/StringDecrypter.cs             | 14 +++----
 de4dot.cui/Program.cs                         |  2 +
 6 files changed, 42 insertions(+), 30 deletions(-)

diff --git a/blocks/DotNetUtils.cs b/blocks/DotNetUtils.cs
index 2546976a..789ecfcb 100644
--- a/blocks/DotNetUtils.cs
+++ b/blocks/DotNetUtils.cs
@@ -338,16 +338,26 @@ namespace de4dot.blocks {
 			return getMethod(module, method, method.DeclaringType.ScopeType);
 		}
 
-		static TypeDef getType(ModuleDef module, ITypeDefOrRef type) {
+		public static TypeDef getType(ModuleDef module, TypeSig type) {
+			type = type.RemovePinnedAndModifiers();
+			var tdr = type as TypeDefOrRefSig;
+			if (tdr == null)
+				return null;
+			return getType(module, tdr.TypeDefOrRef);
+		}
+
+		public static TypeDef getType(ModuleDef module, ITypeDefOrRef type) {
 			var td = type as TypeDef;
-			if (td != null)
-				return td;
-
-			var tr = type as TypeRef;
-			if (tr != null)
-				return tr.Resolve();
-
-			return null;
+			if (td == null) {
+				var tr = type as TypeRef;
+				if (tr != null) {
+					var trAsm = tr.DefinitionAssembly;
+					var modAsm = module.Assembly;
+					if (trAsm != null && modAsm != null && trAsm.Name == modAsm.Name)
+						td = tr.Resolve();
+				}
+			}
+			return td != null && td.OwnerModule == module ? td : null;
 		}
 
 		static MethodDef getMethod(ModuleDef module, IMethod method, ITypeDefOrRef declaringType) {
@@ -751,13 +761,12 @@ namespace de4dot.blocks {
 			return UTF8String.ToSystemStringOrEmpty((UTF8String)carg.Value);
 		}
 
-#if PORT
-		public static IEnumerable<MethodDef> getCalledMethods(ModuleDefinition module, MethodDef method) {
+		public static IEnumerable<MethodDef> getCalledMethods(ModuleDef module, MethodDef method) {
 			if (method != null && method.HasBody) {
 				foreach (var call in method.Body.Instructions) {
 					if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
 						continue;
-					var methodRef = call.Operand as MethodReference;
+					var methodRef = call.Operand as IMethod;
 					if (methodRef == null)
 						continue;
 					var type = getType(module, methodRef.DeclaringType);
@@ -768,6 +777,7 @@ namespace de4dot.blocks {
 			}
 		}
 
+#if PORT
 		public static IList<Instruction> getInstructions(IList<Instruction> instructions, int i, params OpCode[] opcodes) {
 			if (i + opcodes.Length > instructions.Count)
 				return null;
@@ -1263,7 +1273,6 @@ namespace de4dot.blocks {
 			return count;
 		}
 
-#if PORT
 		public static bool callsMethod(MethodDef method, string methodFullName) {
 			if (method == null || method.Body == null)
 				return false;
@@ -1271,7 +1280,7 @@ namespace de4dot.blocks {
 			foreach (var instr in method.Body.Instructions) {
 				if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt && instr.OpCode.Code != Code.Newobj)
 					continue;
-				var calledMethod = instr.Operand as MethodReference;
+				var calledMethod = instr.Operand as IMethod;
 				if (calledMethod == null)
 					continue;
 				if (calledMethod.FullName == methodFullName)
@@ -1281,6 +1290,7 @@ namespace de4dot.blocks {
 			return false;
 		}
 
+#if PORT
 		public static bool callsMethod(MethodDef method, string returnType, string parameters) {
 			if (method == null || method.Body == null)
 				return false;
diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 0e8b1e9d..6ee00424 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -231,9 +231,9 @@
     <Compile Include="deobfuscators\RandomNameChecker.cs" />
     <None Include="deobfuscators\Rummage\Deobfuscator.cs" />
     <None Include="deobfuscators\Rummage\StringDecrypter.cs" />
-    <None Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
-    <None Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
-    <None Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
+    <Compile Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
+    <Compile Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
+    <Compile Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
     <None Include="deobfuscators\SmartAssembly\AssemblyResolver.cs" />
     <None Include="deobfuscators\SmartAssembly\AssemblyResolverInfo.cs" />
     <None Include="deobfuscators\SmartAssembly\AutomatedErrorReportingFinder.cs" />
diff --git a/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs
index 80759bad..16aa8d30 100644
--- a/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs
@@ -90,7 +90,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
 		}
 
 		bool hasAssemblyReference(string name) {
-			foreach (var asmRef in module.AssemblyReferences) {
+			foreach (var asmRef in module.GetAssemblyRefs()) {
 				if (asmRef.Name == name)
 					return true;
 			}
diff --git a/de4dot.code/deobfuscators/Skater_NET/EnumClassFinder.cs b/de4dot.code/deobfuscators/Skater_NET/EnumClassFinder.cs
index 0e98e01a..0f03a043 100644
--- a/de4dot.code/deobfuscators/Skater_NET/EnumClassFinder.cs
+++ b/de4dot.code/deobfuscators/Skater_NET/EnumClassFinder.cs
@@ -23,10 +23,10 @@ using de4dot.blocks;
 
 namespace de4dot.code.deobfuscators.Skater_NET {
 	class EnumClassFinder {
-		ModuleDefinition module;
+		ModuleDefMD module;
 		FieldDef enumField;
 
-		public EnumClassFinder(ModuleDefinition module) {
+		public EnumClassFinder(ModuleDefMD module) {
 			this.module = module;
 			find();
 		}
@@ -43,7 +43,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
 				if (method.Name != ".ctor")
 					continue;
 				var field = type.Fields[0];
-				var fieldType = DotNetUtils.getType(module, field.FieldType);
+				var fieldType = DotNetUtils.getType(module, field.FieldSig.GetFieldType());
 				if (fieldType == null)
 					continue;
 				if (!fieldType.IsEnum)
@@ -69,8 +69,8 @@ namespace de4dot.code.deobfuscators.Skater_NET {
 					if (stfld.OpCode.Code != Code.Stfld)
 						continue;
 
-					var field = stfld.Operand as FieldReference;
-					if (!MemberReferenceHelper.compareFieldReferenceAndDeclaringType(enumField, field))
+					var field = stfld.Operand as IField;
+					if (!FieldEqualityComparer.CompareDeclaringTypes.Equals(enumField, field))
 						continue;
 					block.remove(i, 3);
 					i--;
diff --git a/de4dot.code/deobfuscators/Skater_NET/StringDecrypter.cs b/de4dot.code/deobfuscators/Skater_NET/StringDecrypter.cs
index e004bffd..3eb560e0 100644
--- a/de4dot.code/deobfuscators/Skater_NET/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/Skater_NET/StringDecrypter.cs
@@ -29,7 +29,7 @@ using de4dot.blocks;
 
 namespace de4dot.code.deobfuscators.Skater_NET {
 	class StringDecrypter {
-		ModuleDefinition module;
+		ModuleDefMD module;
 		TypeDef decrypterType;
 		MethodDef decrypterCctor;
 		FieldDefinitionAndDeclaringTypeDict<string> fieldToDecryptedString = new FieldDefinitionAndDeclaringTypeDict<string>();
@@ -88,7 +88,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
 			get { return decrypterType; }
 		}
 
-		public StringDecrypter(ModuleDefinition module) {
+		public StringDecrypter(ModuleDefMD module) {
 			this.module = module;
 		}
 
@@ -97,7 +97,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
 				if (type.HasProperties || type.HasEvents)
 					continue;
 
-				var cctor = DotNetUtils.getMethod(type, ".cctor");
+				var cctor = type.FindClassConstructor();
 				if (cctor == null)
 					continue;
 
@@ -134,7 +134,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
 				var field = instrs[i + 4].Operand as FieldDef;
 				if (field == null)
 					continue;
-				if (!MemberReferenceHelper.compareTypes(field.DeclaringType, decrypterType))
+				if (!new SigComparer().Equals(field.DeclaringType, decrypterType))
 					continue;
 
 				fieldToDecryptedString.add(field, decrypter.decrypt(encryptedString));
@@ -228,7 +228,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
 			foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod)) {
 				if (!method.IsStatic || method.Body == null)
 					continue;
-				if (!MemberReferenceHelper.compareTypes(method.DeclaringType, decryptMethod.DeclaringType))
+				if (!new SigComparer().Equals(method.DeclaringType, decryptMethod.DeclaringType))
 					continue;
 				if (!DotNetUtils.isMethod(method, "System.String", "()"))
 					continue;
@@ -291,14 +291,14 @@ namespace de4dot.code.deobfuscators.Skater_NET {
 					if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
 						if (blocks.Method.DeclaringType == decrypterType)
 							continue;
-						var calledMethod = instr.Operand as MethodReference;
+						var calledMethod = instr.Operand as IMethod;
 						if (calledMethod != null && calledMethod.DeclaringType == decrypterType)
 							canRemoveType = false;
 					}
 					else if (instr.OpCode.Code == Code.Ldsfld) {
 						if (instr.OpCode.Code != Code.Ldsfld)
 							continue;
-						var field = instr.Operand as FieldReference;
+						var field = instr.Operand as IField;
 						if (field == null)
 							continue;
 						var decrypted = fieldToDecryptedString.find(field);
diff --git a/de4dot.cui/Program.cs b/de4dot.cui/Program.cs
index 6ec5bcc2..c420c042 100644
--- a/de4dot.cui/Program.cs
+++ b/de4dot.cui/Program.cs
@@ -56,7 +56,9 @@ namespace de4dot.cui {
 				new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
+#endif
 				new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
+#if PORT
 				new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Spices_Net.DeobfuscatorInfo(),
 #endif