Support Agile.NET 6.3.0.17

2014-03-27 11:41:18 +01:00 · 2014-03-27 11:41:18 +01:00 · 27694eb19c
commit 27694eb19c
parent 43453f3863
8 changed files with 31 additions and 5 deletions
--- a/de4dot.code/deobfuscators/Agile_NET/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/ResourceDecrypter.cs
@ -62,10 +62,15 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 			FindResourceType();
 		}

-		static readonly string[] requiredFields = new string[] {
+		static readonly string[] requiredFields1 = new string[] {
 			"System.Reflection.Assembly",
 			"System.String[]",
 		};
+		static readonly string[] requiredFields2 = new string[] {
+			"System.Reflection.Assembly",
+			"System.String[]",
+			"System.Collections.Hashtable",
+		};
 		void FindResourceType() {
 			var cctor = DotNetUtils.GetModuleTypeCctor(module);
 			if (cctor == null)
@ -77,7 +82,9 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 				if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
 					continue;
 				var type = calledMethod.DeclaringType;
-				if (!new FieldTypes(type).Exactly(requiredFields))
+				var fieldTypes = new FieldTypes(type);
+				if (!fieldTypes.Exactly(requiredFields1) &&
+					!fieldTypes.Exactly(requiredFields2))
 					continue;

 				var resolveHandler = DotNetUtils.GetMethod(type, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)");
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM5.bin
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM5.bin
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmInfo.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmInfo.cs
@ -81,7 +81,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
 			foreach (var type in module.Types) {
 				if (!type.IsPublic || !type.IsAbstract)
 					continue;
-				if (type.HasFields || type.HasProperties || type.HasEvents)
+				if (type.HasProperties || type.HasEvents)
 					continue;
 				if (type.BaseType == null || type.BaseType.FullName != "System.Object")
 					continue;
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.Designer.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.Designer.cs
@ -1,7 +1,7 @@
 //------------------------------------------------------------------------------
 // <auto-generated>
 //     This code was generated by a tool.
-//     Runtime Version:4.0.30319.18052
+//     Runtime Version:4.0.30319.18444
 //
 //     Changes to this file may cause incorrect behavior and will be lost if
 //     the code is regenerated.
@ -99,5 +99,15 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
                return ((byte[])(obj));
            }
        }
+        
+        /// <summary>
+        ///   Looks up a localized resource of type System.Byte[].
+        /// </summary>
+        internal static byte[] CSVM5 {
+            get {
+                object obj = ResourceManager.GetObject("CSVM5", resourceCulture);
+                return ((byte[])(obj));
+            }
+        }
    }
 }
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.resx
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.resx
@ -130,4 +130,8 @@
  <data name="CSVM4" type="System.Resources.ResXFileRef, System.Windows.Forms">
    <value>CSVM4.bin;System.Byte[], mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
  </data>
+  <assembly alias="System.Windows.Forms" name="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
+  <data name="CSVM5" type="System.Resources.ResXFileRef, System.Windows.Forms">
+    <value>CSVM5.bin;System.Byte[], mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </data>
 </root>
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfos.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfos.cs
@ -75,6 +75,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
 			ReadOpCodeHandlerInfos(CsvmResources.CSVM2),
 			ReadOpCodeHandlerInfos(CsvmResources.CSVM3),
 			ReadOpCodeHandlerInfos(CsvmResources.CSVM4),
+			ReadOpCodeHandlerInfos(CsvmResources.CSVM5),
 		};

 		static IList<MethodSigInfo> ReadOpCodeHandlerInfos(byte[] data) {
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCodeHandlerDetector.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCodeHandlerDetector.cs
@ -254,7 +254,8 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
 				if (cctor == null)
 					continue;
 				requiredFields[0] = type.FullName;
-				if (!new FieldTypes(type).Exactly(requiredFields))
+				var fieldTypes = new FieldTypes(type);
+				if (!fieldTypes.All(requiredFields))
 					continue;

 				cflowDeobfuscator.Deobfuscate(cctor);
--- a/de4dot.mdecrypt/DynamicMethodsDecrypter.cs
+++ b/de4dot.mdecrypt/DynamicMethodsDecrypter.cs
@ -596,6 +596,9 @@ namespace de4dot.mdecrypt {
 			new PatchInfo(0x000110A5, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0x36, 0x3A, 0x00, 0x00 }),
 			new PatchInfo(0x000110AF, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0x4C, 0x3C, 0x00, 0x00 }),
 			new PatchInfo(0x000110AA, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0xF1, 0x3A, 0x00, 0x00 }),
+			new PatchInfo(0x00011019, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0x12, 0x4B, 0x00, 0x00 }),
+			new PatchInfo(0x00011019, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0x02, 0x4B, 0x00, 0x00 }),
+			new PatchInfo(0x00011019, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0xA2, 0x4B, 0x00, 0x00 }),
 		};

 		static unsafe bool PatchCM(IntPtr addr, IntPtr origValue, IntPtr newValue) {