From 37450a1515b4717d53ab59c41a7ffaeae6e5098e Mon Sep 17 00:00:00 2001 From: de4dot Date: Sat, 17 Mar 2012 14:05:54 +0100 Subject: [PATCH] Support old DS 3.0.3.41 - 3.0.4.44 --- .../deobfuscators/DeepSea/AssemblyResolver.cs | 37 ++++++++++++++++--- .../deobfuscators/DeepSea/ResolverBase.cs | 10 +++++ 2 files changed, 41 insertions(+), 6 deletions(-) diff --git a/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs b/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs index ec4c4bb4..2f4f1207 100644 --- a/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs +++ b/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs @@ -27,9 +27,16 @@ using de4dot.blocks; namespace de4dot.code.deobfuscators.DeepSea { class AssemblyResolver : ResolverBase { - bool isV3; + Version version; List fieldInfos; + enum Version { + Unknown, + V3Old, + V3, + V4, + } + public class AssemblyInfo { public byte[] data; public string fullName; @@ -70,7 +77,10 @@ namespace de4dot.code.deobfuscators.DeepSea { protected override bool checkHandlerMethodInternal(MethodDefinition handler) { if (checkHandlerV3(handler) || checkHandlerSL(handler)) { - isV3 = true; + if (isV3Old(handler)) + version = Version.V3Old; + else + version = Version.V3; return true; } @@ -78,7 +88,7 @@ namespace de4dot.code.deobfuscators.DeepSea { List fieldInfosTmp; if (checkHandlerV4(handler, out fieldInfosTmp) || checkHandlerV4_0_4(handler, out fieldInfosTmp)) { - isV3 = false; + version = Version.V4; fieldInfos = fieldInfosTmp; return true; } @@ -86,6 +96,11 @@ namespace de4dot.code.deobfuscators.DeepSea { return false; } + static bool isV3Old(MethodDefinition method) { + return DotNetUtils.callsMethod(method, "System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32)") && + !DotNetUtils.callsMethod(method, "System.Int32 System.IO.Stream::ReadByte()"); + } + static string[] handlerLocalTypes_NET = new string[] { "System.Byte[]", "System.IO.Compression.DeflateStream", @@ -205,9 +220,18 @@ namespace de4dot.code.deobfuscators.DeepSea { } public IEnumerable getAssemblyInfos() { - if (isV3) + if (!Detected) + return new List(); + + switch (version) { + case Version.V3Old: + case Version.V3: return getAssemblyInfosV3(); - return getAssemblyInfosV4(); + case Version.V4: + return getAssemblyInfosV4(); + default: + throw new ApplicationException("Unknown version"); + } } IEnumerable getAssemblyInfosV3() { @@ -230,7 +254,8 @@ namespace de4dot.code.deobfuscators.DeepSea { AssemblyInfo getAssemblyInfoV3(EmbeddedResource resource) { try { - return getAssemblyInfo(decryptResourceV3(resource), resource); + var decrypted = version == Version.V3Old ? decryptResourceV3Old(resource) : decryptResourceV3(resource); + return getAssemblyInfo(decrypted, resource); } catch (Exception) { return null; diff --git a/de4dot.code/deobfuscators/DeepSea/ResolverBase.cs b/de4dot.code/deobfuscators/DeepSea/ResolverBase.cs index 44383596..2dd0b1ae 100644 --- a/de4dot.code/deobfuscators/DeepSea/ResolverBase.cs +++ b/de4dot.code/deobfuscators/DeepSea/ResolverBase.cs @@ -130,6 +130,16 @@ namespace de4dot.code.deobfuscators.DeepSea { protected abstract bool checkHandlerMethodInternal(MethodDefinition handler); + // 3.0.3.41 - 3.0.4.44 + protected static byte[] decryptResourceV3Old(EmbeddedResource resource) { + return decryptResourceV3Old(resource.GetResourceData()); + } + + // 3.0.3.41 - 3.0.4.44 + protected static byte[] decryptResourceV3Old(byte[] data) { + return decryptResource(data, 0, data.Length, 0); + } + protected static byte[] decryptResourceV3(EmbeddedResource resource) { return decryptResourceV3(resource.GetResourceData()); }