Update code and fix some bugs

2011-12-21 06:41:42 +01:00 · 2011-12-21 06:41:42 +01:00 · 2a651f5b5e
commit 2a651f5b5e
parent 289c11b296
4 changed files with 14 additions and 4 deletions
--- a/de4dot.code/deobfuscators/dotNET_Reactor3/ApplicationModeUnpacker.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor3/ApplicationModeUnpacker.cs
@ -136,14 +136,24 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 			for (int i = 1; i < filenames.Length; i++)
 				satelliteAssemblies.Add(unpackEmbeddedFile(i, decrypter));

+			clearDllBit(mainAssembly.data);
 			return mainAssembly.data;
 		}

+		static void clearDllBit(byte[] peImageData) {
+			var mainPeImage = new PeImage(peImageData);
+			uint characteristicsOffset = mainPeImage.FileHeaderOffset + 18;
+			ushort characteristics = mainPeImage.offsetReadUInt16(characteristicsOffset);
+			characteristics &= 0xDFFF;
+			characteristics |= 2;
+			mainPeImage.offsetWriteUInt16(characteristicsOffset, characteristics);
+		}
+
 		UnpackedFile unpackEmbeddedFile(int index, ApplicationModeDecrypter decrypter) {
 			uint offset = 0;
 			for (int i = 0; i < index + 1; i++)
 				offset += sizes[i];
-			string filename = Path.GetFileName(filenames[index]);
+			string filename = Win32Path.GetFileName(filenames[index]);
 			var data = peImage.offsetReadBytes(offset, (int)sizes[index + 1]);
 			data = DeobUtils.decrypt(data, decrypter.AssemblyKey, decrypter.AssemblyIv);
 			data = decompress(data);
--- a/de4dot.code/deobfuscators/dotNET_Reactor3/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor3/Deobfuscator.cs
@ -272,7 +272,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {

 		void dumpUnpackedFiles() {
 			foreach (var unpackedFile in unpackedFiles)
-				DeobfuscatedFile.createAssemblyFile(unpackedFile.data, Path.GetFileNameWithoutExtension(unpackedFile.filename), Path.GetExtension(unpackedFile.filename));
+				DeobfuscatedFile.createAssemblyFile(unpackedFile.data, Win32Path.GetFileNameWithoutExtension(unpackedFile.filename), Win32Path.GetExtension(unpackedFile.filename));
 		}

 		public override void deobfuscateEnd() {
--- a/de4dot.code/deobfuscators/dotNET_Reactor3/MemoryPatcher.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor3/MemoryPatcher.cs
@ -106,7 +106,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 			if (ary1 == null || ary2 == null)
 				return null;
 			ary2 = decrypt(ary2);
-			if (ary2 == null || ary2.Length != ary2.Length)
+			if (ary2 == null || ary1.Length != ary2.Length)
 				return null;

 			for (int i = 0; i < ary1.Length; i++)
--- a/de4dot.code/deobfuscators/dotNET_Reactor3/NativeLibSaver.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor3/NativeLibSaver.cs
@ -106,7 +106,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 					i++;
 					offset += 8;
 					rva = checked((peImage.offsetReadUInt32(offset) - magic) / 3);
-					value = peImage.offsetReadUInt32(offset);
+					value = peImage.offsetReadUInt32(offset + 4);
 				}
 				else
 					value = checked((value - magic) / 3);