Port Skater.NET deobfuscator
This commit is contained in:
de4dot
parent
19ed1ac219
commit
25cee0e206
|
|
@ -338,16 +338,26 @@ namespace de4dot.blocks {
|
||||||
return getMethod(module, method, method.DeclaringType.ScopeType);
|
return getMethod(module, method, method.DeclaringType.ScopeType);
|
||||||
}
|
}
|
||||||
|
|
||||||
static TypeDef getType(ModuleDef module, ITypeDefOrRef type) {
|
public static TypeDef getType(ModuleDef module, TypeSig type) {
|
||||||
|
type = type.RemovePinnedAndModifiers();
|
||||||
|
var tdr = type as TypeDefOrRefSig;
|
||||||
|
if (tdr == null)
|
||||||
|
return null;
|
||||||
|
return getType(module, tdr.TypeDefOrRef);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static TypeDef getType(ModuleDef module, ITypeDefOrRef type) {
|
||||||
var td = type as TypeDef;
|
var td = type as TypeDef;
|
||||||
if (td != null)
|
if (td == null) {
|
||||||
return td;
|
var tr = type as TypeRef;
|
||||||
|
if (tr != null) {
|
||||||
var tr = type as TypeRef;
|
var trAsm = tr.DefinitionAssembly;
|
||||||
if (tr != null)
|
var modAsm = module.Assembly;
|
||||||
return tr.Resolve();
|
if (trAsm != null && modAsm != null && trAsm.Name == modAsm.Name)
|
||||||
|
td = tr.Resolve();
|
||||||
return null;
|
}
|
||||||
|
}
|
||||||
|
return td != null && td.OwnerModule == module ? td : null;
|
||||||
}
|
}
|
||||||
|
|
||||||
static MethodDef getMethod(ModuleDef module, IMethod method, ITypeDefOrRef declaringType) {
|
static MethodDef getMethod(ModuleDef module, IMethod method, ITypeDefOrRef declaringType) {
|
||||||
|
|
@ -751,13 +761,12 @@ namespace de4dot.blocks {
|
||||||
return UTF8String.ToSystemStringOrEmpty((UTF8String)carg.Value);
|
return UTF8String.ToSystemStringOrEmpty((UTF8String)carg.Value);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if PORT
|
public static IEnumerable<MethodDef> getCalledMethods(ModuleDef module, MethodDef method) {
|
||||||
public static IEnumerable<MethodDef> getCalledMethods(ModuleDefinition module, MethodDef method) {
|
|
||||||
if (method != null && method.HasBody) {
|
if (method != null && method.HasBody) {
|
||||||
foreach (var call in method.Body.Instructions) {
|
foreach (var call in method.Body.Instructions) {
|
||||||
if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
|
if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
|
||||||
continue;
|
continue;
|
||||||
var methodRef = call.Operand as MethodReference;
|
var methodRef = call.Operand as IMethod;
|
||||||
if (methodRef == null)
|
if (methodRef == null)
|
||||||
continue;
|
continue;
|
||||||
var type = getType(module, methodRef.DeclaringType);
|
var type = getType(module, methodRef.DeclaringType);
|
||||||
|
|
@ -768,6 +777,7 @@ namespace de4dot.blocks {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if PORT
|
||||||
public static IList<Instruction> getInstructions(IList<Instruction> instructions, int i, params OpCode[] opcodes) {
|
public static IList<Instruction> getInstructions(IList<Instruction> instructions, int i, params OpCode[] opcodes) {
|
||||||
if (i + opcodes.Length > instructions.Count)
|
if (i + opcodes.Length > instructions.Count)
|
||||||
return null;
|
return null;
|
||||||
|
|
@ -1263,7 +1273,6 @@ namespace de4dot.blocks {
|
||||||
return count;
|
return count;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if PORT
|
|
||||||
public static bool callsMethod(MethodDef method, string methodFullName) {
|
public static bool callsMethod(MethodDef method, string methodFullName) {
|
||||||
if (method == null || method.Body == null)
|
if (method == null || method.Body == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
@ -1271,7 +1280,7 @@ namespace de4dot.blocks {
|
||||||
foreach (var instr in method.Body.Instructions) {
|
foreach (var instr in method.Body.Instructions) {
|
||||||
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt && instr.OpCode.Code != Code.Newobj)
|
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt && instr.OpCode.Code != Code.Newobj)
|
||||||
continue;
|
continue;
|
||||||
var calledMethod = instr.Operand as MethodReference;
|
var calledMethod = instr.Operand as IMethod;
|
||||||
if (calledMethod == null)
|
if (calledMethod == null)
|
||||||
continue;
|
continue;
|
||||||
if (calledMethod.FullName == methodFullName)
|
if (calledMethod.FullName == methodFullName)
|
||||||
|
|
@ -1281,6 +1290,7 @@ namespace de4dot.blocks {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if PORT
|
||||||
public static bool callsMethod(MethodDef method, string returnType, string parameters) {
|
public static bool callsMethod(MethodDef method, string returnType, string parameters) {
|
||||||
if (method == null || method.Body == null)
|
if (method == null || method.Body == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
|
||||||
|
|
@ -231,9 +231,9 @@
|
||||||
<Compile Include="deobfuscators\RandomNameChecker.cs" />
|
<Compile Include="deobfuscators\RandomNameChecker.cs" />
|
||||||
<None Include="deobfuscators\Rummage\Deobfuscator.cs" />
|
<None Include="deobfuscators\Rummage\Deobfuscator.cs" />
|
||||||
<None Include="deobfuscators\Rummage\StringDecrypter.cs" />
|
<None Include="deobfuscators\Rummage\StringDecrypter.cs" />
|
||||||
<None Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
|
||||||
<None Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
|
<Compile Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
|
||||||
<None Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
|
||||||
<None Include="deobfuscators\SmartAssembly\AssemblyResolver.cs" />
|
<None Include="deobfuscators\SmartAssembly\AssemblyResolver.cs" />
|
||||||
<None Include="deobfuscators\SmartAssembly\AssemblyResolverInfo.cs" />
|
<None Include="deobfuscators\SmartAssembly\AssemblyResolverInfo.cs" />
|
||||||
<None Include="deobfuscators\SmartAssembly\AutomatedErrorReportingFinder.cs" />
|
<None Include="deobfuscators\SmartAssembly\AutomatedErrorReportingFinder.cs" />
|
||||||
|
|
|
||||||
|
|
@ -90,7 +90,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
bool hasAssemblyReference(string name) {
|
bool hasAssemblyReference(string name) {
|
||||||
foreach (var asmRef in module.AssemblyReferences) {
|
foreach (var asmRef in module.GetAssemblyRefs()) {
|
||||||
if (asmRef.Name == name)
|
if (asmRef.Name == name)
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -23,10 +23,10 @@ using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Skater_NET {
|
namespace de4dot.code.deobfuscators.Skater_NET {
|
||||||
class EnumClassFinder {
|
class EnumClassFinder {
|
||||||
ModuleDefinition module;
|
ModuleDefMD module;
|
||||||
FieldDef enumField;
|
FieldDef enumField;
|
||||||
|
|
||||||
public EnumClassFinder(ModuleDefinition module) {
|
public EnumClassFinder(ModuleDefMD module) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
find();
|
find();
|
||||||
}
|
}
|
||||||
|
|
@ -43,7 +43,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
||||||
if (method.Name != ".ctor")
|
if (method.Name != ".ctor")
|
||||||
continue;
|
continue;
|
||||||
var field = type.Fields[0];
|
var field = type.Fields[0];
|
||||||
var fieldType = DotNetUtils.getType(module, field.FieldType);
|
var fieldType = DotNetUtils.getType(module, field.FieldSig.GetFieldType());
|
||||||
if (fieldType == null)
|
if (fieldType == null)
|
||||||
continue;
|
continue;
|
||||||
if (!fieldType.IsEnum)
|
if (!fieldType.IsEnum)
|
||||||
|
|
@ -69,8 +69,8 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
||||||
if (stfld.OpCode.Code != Code.Stfld)
|
if (stfld.OpCode.Code != Code.Stfld)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var field = stfld.Operand as FieldReference;
|
var field = stfld.Operand as IField;
|
||||||
if (!MemberReferenceHelper.compareFieldReferenceAndDeclaringType(enumField, field))
|
if (!FieldEqualityComparer.CompareDeclaringTypes.Equals(enumField, field))
|
||||||
continue;
|
continue;
|
||||||
block.remove(i, 3);
|
block.remove(i, 3);
|
||||||
i--;
|
i--;
|
||||||
|
|
|
||||||
|
|
@ -29,7 +29,7 @@ using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Skater_NET {
|
namespace de4dot.code.deobfuscators.Skater_NET {
|
||||||
class StringDecrypter {
|
class StringDecrypter {
|
||||||
ModuleDefinition module;
|
ModuleDefMD module;
|
||||||
TypeDef decrypterType;
|
TypeDef decrypterType;
|
||||||
MethodDef decrypterCctor;
|
MethodDef decrypterCctor;
|
||||||
FieldDefinitionAndDeclaringTypeDict<string> fieldToDecryptedString = new FieldDefinitionAndDeclaringTypeDict<string>();
|
FieldDefinitionAndDeclaringTypeDict<string> fieldToDecryptedString = new FieldDefinitionAndDeclaringTypeDict<string>();
|
||||||
|
|
@ -88,7 +88,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
||||||
get { return decrypterType; }
|
get { return decrypterType; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public StringDecrypter(ModuleDefinition module) {
|
public StringDecrypter(ModuleDefMD module) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -97,7 +97,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
||||||
if (type.HasProperties || type.HasEvents)
|
if (type.HasProperties || type.HasEvents)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
var cctor = type.FindClassConstructor();
|
||||||
if (cctor == null)
|
if (cctor == null)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
|
|
@ -134,7 +134,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
||||||
var field = instrs[i + 4].Operand as FieldDef;
|
var field = instrs[i + 4].Operand as FieldDef;
|
||||||
if (field == null)
|
if (field == null)
|
||||||
continue;
|
continue;
|
||||||
if (!MemberReferenceHelper.compareTypes(field.DeclaringType, decrypterType))
|
if (!new SigComparer().Equals(field.DeclaringType, decrypterType))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
fieldToDecryptedString.add(field, decrypter.decrypt(encryptedString));
|
fieldToDecryptedString.add(field, decrypter.decrypt(encryptedString));
|
||||||
|
|
@ -228,7 +228,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
||||||
foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod)) {
|
foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod)) {
|
||||||
if (!method.IsStatic || method.Body == null)
|
if (!method.IsStatic || method.Body == null)
|
||||||
continue;
|
continue;
|
||||||
if (!MemberReferenceHelper.compareTypes(method.DeclaringType, decryptMethod.DeclaringType))
|
if (!new SigComparer().Equals(method.DeclaringType, decryptMethod.DeclaringType))
|
||||||
continue;
|
continue;
|
||||||
if (!DotNetUtils.isMethod(method, "System.String", "()"))
|
if (!DotNetUtils.isMethod(method, "System.String", "()"))
|
||||||
continue;
|
continue;
|
||||||
|
|
@ -291,14 +291,14 @@ namespace de4dot.code.deobfuscators.Skater_NET {
|
||||||
if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
|
if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
|
||||||
if (blocks.Method.DeclaringType == decrypterType)
|
if (blocks.Method.DeclaringType == decrypterType)
|
||||||
continue;
|
continue;
|
||||||
var calledMethod = instr.Operand as MethodReference;
|
var calledMethod = instr.Operand as IMethod;
|
||||||
if (calledMethod != null && calledMethod.DeclaringType == decrypterType)
|
if (calledMethod != null && calledMethod.DeclaringType == decrypterType)
|
||||||
canRemoveType = false;
|
canRemoveType = false;
|
||||||
}
|
}
|
||||||
else if (instr.OpCode.Code == Code.Ldsfld) {
|
else if (instr.OpCode.Code == Code.Ldsfld) {
|
||||||
if (instr.OpCode.Code != Code.Ldsfld)
|
if (instr.OpCode.Code != Code.Ldsfld)
|
||||||
continue;
|
continue;
|
||||||
var field = instr.Operand as FieldReference;
|
var field = instr.Operand as IField;
|
||||||
if (field == null)
|
if (field == null)
|
||||||
continue;
|
continue;
|
||||||
var decrypted = fieldToDecryptedString.find(field);
|
var decrypted = fieldToDecryptedString.find(field);
|
||||||
|
|
|
||||||
|
|
@ -56,7 +56,9 @@ namespace de4dot.cui {
|
||||||
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
|
||||||
|
#endif
|
||||||
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
|
||||||
|
#if PORT
|
||||||
new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.Spices_Net.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Spices_Net.DeobfuscatorInfo(),
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user