monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Support a (new?) version of CryptoObfuscator. Fixes #33

Browse Source
This commit is contained in:
de4dot 2012-03-14 22:23:19 +01:00
parent a405edf0fd
commit 27f382a017
3 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs
View File

@ -125,7 +125,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
}
MethodDefinition getProxyCreateMethod(TypeDefinition type) {
if (type.Fields.Count != 1)
if (type.Fields.Count != 1 && type.Fields.Count != 2)
return null;
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
return null;

15
de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
View File

@ -110,13 +110,16 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
var ldci4 = instructions[i - 1];
if (!DotNetUtils.isLdcI4(ldci4))
continue;
int flagValue = DotNetUtils.getLdcI4Value(ldci4);
if (!isFlag(flagValue))
continue;
var ldloc = instructions[i - 2];
if (!DotNetUtils.isLdloc(ldloc))
continue;
var local = DotNetUtils.getLocalVar(method.Body.Variables, ldloc);
if (local.VariableType.ToString() != "System.Byte")
if (!local.VariableType.IsPrimitive)
continue;
constants.Add(DotNetUtils.getLdcI4Value(ldci4));
constants.Add(flagValue);
}
if (constants.Count == 2) {
@ -128,6 +131,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return false;
}
static bool isFlag(int value) {
for (uint tmp = (uint)value; tmp != 0; tmp >>= 1) {
if ((tmp & 1) != 0)
return tmp == 1;
}
return false;
}
MethodDefinition getPublicKeyTokenMethod() {
foreach (var method in resourceDecrypterType.Methods) {
if (isPublicKeyTokenMethod(method))

10
de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs
View File

@ -61,7 +61,15 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
continue;
if (type.Methods.Count < 3 || type.Methods.Count > 6)
continue;
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") == null)
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
}
else if (DotNetUtils.getPInvokeMethod(type, "mscoree", "CLRCreateInstance") != null) {
if (type.NestedTypes.Count != 3)
continue;
if (!type.NestedTypes[0].IsInterface || !type.NestedTypes[1].IsInterface || !type.NestedTypes[2].IsInterface)
continue;
}
else
continue;
tamperType = type;