diff --git a/blocks/DotNetUtils.cs b/blocks/DotNetUtils.cs index f447f029..14b9e054 100644 --- a/blocks/DotNetUtils.cs +++ b/blocks/DotNetUtils.cs @@ -552,8 +552,9 @@ namespace de4dot.blocks { newGp.GenericParamConstraints.Add(new GenericParamConstraintUser(gpc.Constraint)); newMethod.GenericParams.Add(newGp); } + newMethod.Body = new CilBody(); copyBodyFromTo(method, newMethod); - return method; + return newMethod; } #if PORT @@ -1303,7 +1304,6 @@ namespace de4dot.blocks { return false; } -#if PORT public static IList getArgPushes(IList instrs, int index) { return getArgPushes(instrs, ref index); } @@ -1313,7 +1313,7 @@ namespace de4dot.blocks { return null; var startInstr = instrs[index]; int pushes, pops; - calculateStackUsage(startInstr, false, out pushes, out pops); + startInstr.CalculateStackUsage(false, out pushes, out pops); index--; int numArgs = pops; @@ -1321,7 +1321,7 @@ namespace de4dot.blocks { int stackSize = numArgs; while (index >= 0 && args.Count != numArgs) { var instr = instrs[index--]; - calculateStackUsage(instr, false, out pushes, out pops); + instr.CalculateStackUsage(false, out pushes, out pops); if (instr.OpCode.Code == Code.Dup) { args.Add(instr); stackSize--; @@ -1349,6 +1349,7 @@ namespace de4dot.blocks { return args; } +#if PORT public static AssemblyNameReference addAssemblyReference(ModuleDefinition module, AssemblyNameReference asmRef) { foreach (var modAsmRef in module.AssemblyReferences) { if (modAsmRef.FullName == asmRef.FullName) diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj index c93591eb..4859bd23 100644 --- a/de4dot.code/de4dot.code.csproj +++ b/de4dot.code/de4dot.code.csproj @@ -135,19 +135,19 @@ - - - - - - - - - - - - - + + + + + + + + + + + + + diff --git a/de4dot.code/deobfuscators/DeepSea/ArrayBlockDeobfuscator.cs b/de4dot.code/deobfuscators/DeepSea/ArrayBlockDeobfuscator.cs index a51ea0a8..c757bd9e 100644 --- a/de4dot.code/deobfuscators/DeepSea/ArrayBlockDeobfuscator.cs +++ b/de4dot.code/deobfuscators/DeepSea/ArrayBlockDeobfuscator.cs @@ -26,7 +26,7 @@ using de4dot.blocks.cflow; namespace de4dot.code.deobfuscators.DeepSea { class ArrayBlockDeobfuscator : BlockDeobfuscator { ArrayBlockState arrayBlockState; - Dictionary localToInfo = new Dictionary(); + Dictionary localToInfo = new Dictionary(); DsConstantsReader constantsReader; public ArrayBlockDeobfuscator(ArrayBlockState arrayBlockState) { @@ -51,10 +51,10 @@ namespace de4dot.code.deobfuscators.DeepSea { if (!stloc.isStloc()) continue; - var info = arrayBlockState.getFieldInfo((FieldReference)ldsfld.Operand); + var info = arrayBlockState.getFieldInfo((IField)ldsfld.Operand); if (info == null) continue; - var local = DotNetUtils.getLocalVar(blocks.Locals, stloc.Instruction); + var local = stloc.Instruction.GetLocal(blocks.Locals); if (local == null) continue; @@ -99,7 +99,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var ldloc = instrs[i]; if (!ldloc.isLdloc()) return false; - var local = DotNetUtils.getLocalVar(blocks.Locals, ldloc.Instruction); + var local = ldloc.Instruction.GetLocal(blocks.Locals); if (local == null) return false; ArrayBlockState.FieldInfo info; @@ -127,7 +127,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var ldsfld = instrs[i]; if (ldsfld.OpCode.Code != Code.Ldsfld) return false; - var info = arrayBlockState.getFieldInfo(ldsfld.Operand as FieldReference); + var info = arrayBlockState.getFieldInfo(ldsfld.Operand as IField); if (info == null) return false; @@ -153,7 +153,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var ldsfld = instrs[i]; if (ldsfld.OpCode.Code != Code.Ldsfld) return false; - var info = arrayBlockState.getFieldInfo(ldsfld.Operand as FieldReference); + var info = arrayBlockState.getFieldInfo(ldsfld.Operand as IField); if (info == null) return false; diff --git a/de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs b/de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs index 666e25b3..a0a9e3b1 100644 --- a/de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs +++ b/de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs @@ -20,12 +20,11 @@ using System.Collections.Generic; using dot10.DotNet; using dot10.DotNet.Emit; -using Mono.Cecil.Metadata; using de4dot.blocks; namespace de4dot.code.deobfuscators.DeepSea { class ArrayBlockState { - ModuleDefinition module; + ModuleDefMD module; FieldDefinitionAndDeclaringTypeDict fieldToInfo = new FieldDefinitionAndDeclaringTypeDict(); public class FieldInfo { @@ -44,7 +43,7 @@ namespace de4dot.code.deobfuscators.DeepSea { get { return fieldToInfo.Count != 0; } } - public ArrayBlockState(ModuleDefinition module) { + public ArrayBlockState(ModuleDefMD module) { this.module = module; } @@ -65,22 +64,22 @@ namespace de4dot.code.deobfuscators.DeepSea { var instructions = method.Body.Instructions; for (int i = 0; i < instructions.Count; i++) { var ldci4 = instructions[i]; - if (!DotNetUtils.isLdcI4(ldci4)) + if (!ldci4.IsLdcI4()) continue; i++; var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Stsfld); if (instrs == null) continue; - var arrayType = instrs[0].Operand as TypeReference; - if (arrayType == null || arrayType.EType != ElementType.U1) + var arrayType = instrs[0].Operand as ITypeDefOrRef; + if (arrayType == null || (arrayType.FullName != "System.Byte" && !arrayType.DefinitionAssembly.IsCorLib())) continue; var arrayInitField = instrs[2].Operand as FieldDef; if (arrayInitField == null || arrayInitField.InitialValue == null || arrayInitField.InitialValue.Length == 0) continue; - var calledMethod = instrs[3].Operand as MethodReference; + var calledMethod = instrs[3].Operand as IMethod; if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)") continue; @@ -96,7 +95,7 @@ namespace de4dot.code.deobfuscators.DeepSea { return foundField; } - public FieldInfo getFieldInfo(FieldReference fieldRef) { + public FieldInfo getFieldInfo(IField fieldRef) { if (fieldRef == null) return null; return fieldToInfo.find(fieldRef); @@ -118,7 +117,7 @@ namespace de4dot.code.deobfuscators.DeepSea { removedFields.Add(fieldInfo.arrayInitField); } fieldInfo.arrayInitField.InitialValue = new byte[1]; - fieldInfo.arrayInitField.FieldType = module.TypeSystem.Byte; + fieldInfo.arrayInitField.FieldSig.Type = module.CorLibTypes.Byte; } IList allInstructions; @@ -148,7 +147,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var call = instrs[i + 4]; if (call.OpCode.Code != Code.Call) continue; - var calledMethod = call.Operand as MethodReference; + var calledMethod = call.Operand as IMethod; if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)") continue; var stsfld = instrs[i + 5]; @@ -174,7 +173,7 @@ namespace de4dot.code.deobfuscators.DeepSea { continue; foreach (var instr in method.Body.Instructions) { - var field = instr.Operand as FieldReference; + var field = instr.Operand as IField; if (field == null) continue; var fieldInfo = fieldToInfo.find(field); diff --git a/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs b/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs index 6a777f93..8805c058 100644 --- a/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs +++ b/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs @@ -75,7 +75,7 @@ namespace de4dot.code.deobfuscators.DeepSea { get { return decryptMethod; } } - public AssemblyResolver(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) + public AssemblyResolver(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) : base(module, simpleDeobfuscator, deob) { } @@ -128,11 +128,11 @@ namespace de4dot.code.deobfuscators.DeepSea { static bool isV3SL(MethodDef handler) { var instrs = handler.Body.Instructions; for (int i = 0; i < instrs.Count - 3; i++) { - if (!DotNetUtils.isLdloc(instrs[i])) + if (!instrs[i].IsLdloc()) continue; if (instrs[i + 1].OpCode.Code != Code.Add) continue; - if (!DotNetUtils.isLdcI4(instrs[i + 2])) + if (!instrs[i + 2].IsLdcI4()) continue; if (instrs[i + 3].OpCode.Code != Code.And) continue; @@ -144,11 +144,11 @@ namespace de4dot.code.deobfuscators.DeepSea { static bool isV41SL(MethodDef handler) { var instrs = handler.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { - if (!DotNetUtils.isLdcI4(instrs[i]) || DotNetUtils.getLdcI4Value(instrs[i]) != 5) + if (!instrs[i].IsLdcI4() || instrs[i].GetLdcI4Value() != 5) continue; if (instrs[i + 1].OpCode.Code != Code.And) continue; - if (!DotNetUtils.isLdcI4(instrs[i + 2]) || DotNetUtils.getLdcI4Value(instrs[i + 2]) != 0x1F) + if (!instrs[i + 2].IsLdcI4() || instrs[i + 2].GetLdcI4Value() != 0x1F) continue; if (instrs[i + 3].OpCode.Code != Code.And) continue; @@ -237,18 +237,18 @@ namespace de4dot.code.deobfuscators.DeepSea { return false; var ldci4_len = instrs[index++]; - if (!DotNetUtils.isLdcI4(ldci4_len)) + if (!ldci4_len.IsLdcI4()) return false; - if (DotNetUtils.getLdcI4Value(ldci4_len) != field.InitialValue.Length) + if (ldci4_len.GetLdcI4Value() != field.InitialValue.Length) return false; var ldci4_magic = instrs[index++]; - if (!DotNetUtils.isLdcI4(ldci4_magic)) + if (!ldci4_magic.IsLdcI4()) return false; - int magic = DotNetUtils.getLdcI4Value(ldci4_magic); + int magic = ldci4_magic.GetLdcI4Value(); var call = instrs[index++]; - if (call.OpCode.Code == Code.Tail) + if (call.OpCode.Code == Code.Tailcall) call = instrs[index++]; if (call.OpCode.Code != Code.Call) return false; @@ -274,13 +274,13 @@ namespace de4dot.code.deobfuscators.DeepSea { int index = i; var ldci4_len = instrs[index++]; - if (!DotNetUtils.isLdcI4(ldci4_len)) + if (!ldci4_len.IsLdcI4()) continue; if (instrs[index++].OpCode.Code != Code.Newarr) continue; - if (!DotNetUtils.isStloc(instrs[index++])) + if (!instrs[index++].IsStloc()) continue; - if (!DotNetUtils.isLdloc(instrs[index++])) + if (!instrs[index++].IsLdloc()) continue; var ldtoken = instrs[index++]; @@ -293,7 +293,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var call1 = instrs[index++]; if (call1.OpCode.Code != Code.Call) continue; - if (!DotNetUtils.isMethod(call1.Operand as MethodReference, "System.Void", "(System.Array,System.RuntimeFieldHandle)")) + if (!DotNetUtils.isMethod(call1.Operand as IMethod, "System.Void", "(System.Array,System.RuntimeFieldHandle)")) continue; int callIndex = getCallDecryptMethodIndex(instrs, index); @@ -351,19 +351,19 @@ namespace de4dot.code.deobfuscators.DeepSea { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 4; i++) { int index = i; - if (!DotNetUtils.isLdloc(instrs[index++])) + if (!instrs[index++].IsLdloc()) continue; var ldarg = instrs[index++]; - if (!DotNetUtils.isLdarg(ldarg)) + if (!ldarg.IsLdarg()) continue; if (instrs[index++].OpCode.Code != Code.Add) continue; var ldci4 = instrs[index++]; - if (!DotNetUtils.isLdcI4(ldci4)) + if (!ldci4.IsLdcI4()) continue; - if (DotNetUtils.getLdcI4Value(ldci4) != 0xFF) + if (ldci4.GetLdcI4Value() != 0xFF) continue; - return DotNetUtils.getArgIndex(ldarg); + return ldarg.GetParameterIndex(); } return -1; } @@ -375,16 +375,16 @@ namespace de4dot.code.deobfuscators.DeepSea { if (instrs[index++].OpCode.Code != Code.Div) continue; var ldarg = instrs[index++]; - if (!DotNetUtils.isLdarg(ldarg)) + if (!ldarg.IsLdarg()) continue; if (instrs[index++].OpCode.Code != Code.Add) continue; var ldci4 = instrs[index++]; - if (!DotNetUtils.isLdcI4(ldci4)) + if (!ldci4.IsLdcI4()) continue; - if (DotNetUtils.getLdcI4Value(ldci4) != 0xFF) + if (ldci4.GetLdcI4Value() != 0xFF) continue; - return DotNetUtils.getArgIndex(ldarg); + return ldarg.GetParameterIndex(); } return -1; } @@ -399,8 +399,8 @@ namespace de4dot.code.deobfuscators.DeepSea { break; if (instr.OpCode.Code != Code.Call) continue; - var calledMethod = instr.Operand as MethodReference; - if (calledMethod == null || calledMethod.Parameters.Count < 2) + var calledMethod = instr.Operand as IMethod; + if (calledMethod == null || calledMethod.MethodSig.GetParamCount() < 2) continue; return i; @@ -457,7 +457,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var resource = tmp as EmbeddedResource; if (resource == null) continue; - if (!Regex.IsMatch(resource.Name, @"^[0-9A-F]{40}$")) + if (!Regex.IsMatch(resource.Name.String, @"^[0-9A-F]{40}$")) continue; var info = getAssemblyInfo(resource, decrypter); if (info == null) @@ -479,9 +479,9 @@ namespace de4dot.code.deobfuscators.DeepSea { } AssemblyInfo getAssemblyInfo(byte[] decryptedData, EmbeddedResource resource) { - var asm = AssemblyDefinition.ReadAssembly(new MemoryStream(decryptedData)); - var fullName = asm.Name.FullName; - var simpleName = asm.Name.Name; + var asm = AssemblyDef.Load(decryptedData); + var fullName = asm.FullName; + var simpleName = asm.Name.String; var extension = DeobUtils.getExtension(asm.Modules[0].Kind); return new AssemblyInfo(decryptedData, fullName, simpleName, extension, resource); } @@ -496,7 +496,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var decrypted = decrypter(fieldInfo.field.InitialValue, fieldInfo.magic); infos.Add(getAssemblyInfo(decrypted, null)); fieldInfo.field.InitialValue = new byte[1]; - fieldInfo.field.FieldType = module.TypeSystem.Byte; + fieldInfo.field.FieldSig.Type = module.CorLibTypes.Byte; } return infos; diff --git a/de4dot.code/deobfuscators/DeepSea/CastDeobfuscator.cs b/de4dot.code/deobfuscators/DeepSea/CastDeobfuscator.cs index 2458b358..798debcc 100644 --- a/de4dot.code/deobfuscators/DeepSea/CastDeobfuscator.cs +++ b/de4dot.code/deobfuscators/DeepSea/CastDeobfuscator.cs @@ -27,14 +27,14 @@ using dot10.DotNet.Emit; namespace de4dot.code.deobfuscators.DeepSea { class CastDeobfuscator : IBlocksDeobfuscator { Blocks blocks; - Dictionary localInfos = new Dictionary(); + Dictionary localInfos = new Dictionary(); class LocalInfo { - public readonly VariableDefinition local; - TypeReference type; + public readonly Local local; + ITypeDefOrRef type; bool isValid; - public TypeReference CastType { + public ITypeDefOrRef CastType { get { return type; } set { if (!isValid) @@ -45,7 +45,7 @@ namespace de4dot.code.deobfuscators.DeepSea { return; } - if (type != null && !MemberReferenceHelper.compareTypes(type, value)) { + if (type != null && !new SigComparer().Equals(type, value)) { invalid(); return; } @@ -54,7 +54,7 @@ namespace de4dot.code.deobfuscators.DeepSea { } } - public LocalInfo(VariableDefinition local) { + public LocalInfo(Local local) { this.local = local; this.isValid = true; } @@ -92,13 +92,13 @@ namespace de4dot.code.deobfuscators.DeepSea { for (int i = 0; i < instrs.Count - 1; i++) { var instr = instrs[i]; if (instr.OpCode.Code == Code.Ldloca || instr.OpCode.Code == Code.Ldloca_S) { - var local = instr.Operand as VariableDefinition; + var local = instr.Operand as Local; if (local == null) continue; localInfos[local].invalid(); } else if (instr.isLdloc()) { - var local = DotNetUtils.getLocalVar(blocks.Locals, instr.Instruction); + var local = instr.Instruction.GetLocal(blocks.Locals); if (local == null) continue; var localInfo = localInfos[local]; @@ -120,7 +120,7 @@ namespace de4dot.code.deobfuscators.DeepSea { foreach (var info in localInfos.Values) { if (info.CastType == null) continue; - info.local.VariableType = info.CastType; + info.local.Type = info.CastType.ToTypeSig(); } if (changed) { @@ -137,18 +137,18 @@ namespace de4dot.code.deobfuscators.DeepSea { } if (instr.isLdarg()) - addCast(block, castIndex, i + 1, DotNetUtils.getArgType(blocks.Method, instr.Instruction)); + addCast(block, castIndex, i + 1, instr.Instruction.GetArgumentType(blocks.Method.MethodSig, blocks.Method.DeclaringType)); else if (instr.OpCode.Code == Code.Ldfld || instr.OpCode.Code == Code.Ldsfld) { - var field = instr.Operand as FieldReference; + var field = instr.Operand as IField; if (field == null) continue; - addCast(block, castIndex, i + 1, field.FieldType); + addCast(block, castIndex, i + 1, field.FieldSig.GetFieldType()); } else if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) { - var calledMethod = instr.Operand as MethodReference; + var calledMethod = instr.Operand as IMethod; if (calledMethod == null || !DotNetUtils.hasReturnValue(calledMethod)) continue; - addCast(block, castIndex, i + 1, calledMethod.MethodReturnType.ReturnType); + addCast(block, castIndex, i + 1, calledMethod.MethodSig.GetRetType()); } } } @@ -157,7 +157,7 @@ namespace de4dot.code.deobfuscators.DeepSea { return changed; } - bool addCast(Block block, int castIndex, int index, TypeReference type) { + bool addCast(Block block, int castIndex, int index, TypeSig type) { if (type == null) return false; if (castIndex >= block.Instructions.Count || index >= block.Instructions.Count) @@ -165,14 +165,14 @@ namespace de4dot.code.deobfuscators.DeepSea { var stloc = block.Instructions[index]; if (!stloc.isStloc()) return false; - var local = DotNetUtils.getLocalVar(blocks.Locals, stloc.Instruction); + var local = stloc.Instruction.GetLocal(blocks.Locals); if (local == null) return false; var localInfo = localInfos[local]; if (localInfo.CastType == null) return false; - if (!MemberReferenceHelper.compareTypes(localInfo.CastType, type)) + if (!new SigComparer().Equals(localInfo.CastType, type)) block.insert(castIndex, new Instruction(OpCodes.Castclass, localInfo.CastType)); return true; } @@ -190,7 +190,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var ldloc = instrs[i]; if (!ldloc.isLdloc()) continue; - var local = DotNetUtils.getLocalVar(blocks.Locals, ldloc.Instruction); + var local = ldloc.Instruction.GetLocal(blocks.Locals); if (local == null) continue; var localInfo = localInfos[local]; @@ -204,10 +204,10 @@ namespace de4dot.code.deobfuscators.DeepSea { return instr.OpCode.Code == Code.Castclass || instr.OpCode.Code == Code.Isinst; } - static TypeReference getCastType(Instr instr) { + static ITypeDefOrRef getCastType(Instr instr) { if (!isCast(instr)) return null; - return instr.Operand as TypeReference; + return instr.Operand as ITypeDefOrRef; } } } diff --git a/de4dot.code/deobfuscators/DeepSea/DsInlinedMethodsFinder.cs b/de4dot.code/deobfuscators/DeepSea/DsInlinedMethodsFinder.cs index 8809bba4..c4c5f5b5 100644 --- a/de4dot.code/deobfuscators/DeepSea/DsInlinedMethodsFinder.cs +++ b/de4dot.code/deobfuscators/DeepSea/DsInlinedMethodsFinder.cs @@ -22,7 +22,7 @@ using dot10.DotNet; namespace de4dot.code.deobfuscators.DeepSea { static class DsInlinedMethodsFinder { - public static List find(ModuleDefinition module, IEnumerable notInlinedMethods) { + public static List find(ModuleDefMD module, IEnumerable notInlinedMethods) { var notInlinedMethodsDict = new Dictionary(); foreach (var method in notInlinedMethods) notInlinedMethodsDict[method] = true; diff --git a/de4dot.code/deobfuscators/DeepSea/DsMethodCallInliner.cs b/de4dot.code/deobfuscators/DeepSea/DsMethodCallInliner.cs index 66bc416c..b5082297 100644 --- a/de4dot.code/deobfuscators/DeepSea/DsMethodCallInliner.cs +++ b/de4dot.code/deobfuscators/DeepSea/DsMethodCallInliner.cs @@ -20,15 +20,14 @@ using System.Collections.Generic; using dot10.DotNet; using dot10.DotNet.Emit; -using Mono.Cecil.Metadata; using de4dot.blocks; using de4dot.blocks.cflow; namespace de4dot.code.deobfuscators.DeepSea { class DsMethodCallInliner : MethodCallInlinerBase { InstructionEmulator instructionEmulator = new InstructionEmulator(); - List parameters; - ParameterDefinition arg1, arg2; + IList parameters; + Parameter arg1, arg2; Value returnValue; MethodDef methodToInline; CachedCflowDeobfuscator cflowDeobfuscator; @@ -73,14 +72,16 @@ namespace de4dot.code.deobfuscators.DeepSea { bool inlineMethod(MethodDef methodToInline, int instrIndex, int const1, int const2) { this.methodToInline = methodToInline = cflowDeobfuscator.deobfuscate(methodToInline); - parameters = DotNetUtils.getParameters(methodToInline); + parameters = methodToInline.Parameters; arg1 = parameters[parameters.Count - 2]; arg2 = parameters[parameters.Count - 1]; returnValue = null; instructionEmulator.init(methodToInline); foreach (var arg in parameters) { - if (arg.ParameterType.EType >= ElementType.Boolean && arg.ParameterType.EType <= ElementType.U4) + if (!arg.IsNormalMethodParameter) + continue; + if (arg.Type.ElementType >= ElementType.Boolean && arg.Type.ElementType <= ElementType.U4) instructionEmulator.setArg(arg, new Int32Value(0)); } instructionEmulator.setArg(arg1, new Int32Value(const1)); @@ -157,7 +158,7 @@ namespace de4dot.code.deobfuscators.DeepSea { case Code.Ldarg_1: case Code.Ldarg_2: case Code.Ldarg_3: - var arg = DotNetUtils.getParameter(parameters, instr); + var arg = instr.GetParameter(parameters); if (arg != arg1 && arg != arg2) { if (!allowUnknownArgs) goto done; @@ -269,7 +270,7 @@ done: bool emulateToReturn(int index, Instruction lastInstr) { int pushes, pops; - DotNetUtils.calculateStackUsage(lastInstr, false, out pushes, out pops); + lastInstr.CalculateStackUsage(false, out pushes, out pops); for (int i = 0; i < pops; i++) instructionEmulator.pop(); @@ -297,22 +298,22 @@ done: public static bool canInline(MethodDef method) { if (method == null || method.Body == null) return false; - if (method.Attributes != (MethodAttributes.Assembly | MethodAttributes.Static)) + if (method.Flags != (MethodAttributes.Assembly | MethodAttributes.Static)) return false; - if (method.GenericParameters.Count > 0) + if (method.GenericParams.Count > 0) return false; if (method.Body.ExceptionHandlers.Count > 0) return false; - var parameters = method.Parameters; + var parameters = method.MethodSig.GetParams(); int paramCount = parameters.Count; if (paramCount < 2) return false; var param1 = parameters[paramCount - 1]; var param2 = parameters[paramCount - 2]; - if (!isIntType(param1.ParameterType.EType)) + if (!isIntType(param1.ElementType)) return false; - if (!isIntType(param2.ParameterType.EType)) + if (!isIntType(param2.ElementType)) return false; return true; diff --git a/de4dot.code/deobfuscators/DeepSea/FieldsRestorer.cs b/de4dot.code/deobfuscators/DeepSea/FieldsRestorer.cs index a15346a7..cef51edf 100644 --- a/de4dot.code/deobfuscators/DeepSea/FieldsRestorer.cs +++ b/de4dot.code/deobfuscators/DeepSea/FieldsRestorer.cs @@ -21,13 +21,12 @@ using System; using System.Collections.Generic; using dot10.DotNet; using dot10.DotNet.Emit; -using Mono.Cecil.Metadata; using de4dot.blocks; namespace de4dot.code.deobfuscators.DeepSea { // DS 4.x can move fields from a class to a struct. This class restores the fields. class FieldsRestorer { - ModuleDefinition module; + ModuleDefMD module; TypeDefinitionDict> structToOwners = new TypeDefinitionDict>(); FieldDefinitionAndDeclaringTypeDict structFieldsToFix = new FieldDefinitionAndDeclaringTypeDict(); TypeDefinitionDict> typeToFieldsDict = new TypeDefinitionDict>(); @@ -50,17 +49,17 @@ namespace de4dot.code.deobfuscators.DeepSea { return true; if (type.BaseType == null) return false; - if (type.BaseType.EType != ElementType.Object) + if (type.BaseType.FullName != "System.Object") return false; if (type.Methods.Count != 1) return false; var ctor = type.Methods[0]; - if (ctor.Name != ".ctor" || ctor.Parameters.Count != 0) + if (ctor.Name != ".ctor" || ctor.MethodSig.GetParamCount() != 0) return false; return true; } - public FieldsRestorer(ModuleDefinition module) { + public FieldsRestorer(ModuleDefMD module) { this.module = module; } @@ -71,7 +70,7 @@ namespace de4dot.code.deobfuscators.DeepSea { foreach (var ownerType in kv.Value) { foreach (var ownerField in ownerType.Fields) { - if (DotNetUtils.getType(module, ownerField.FieldType) != structType) + if (DotNetUtils.getType(module, ownerField.FieldSig.GetFieldType()) != structType) continue; structFieldsToFix.add(ownerField, true); break; @@ -80,7 +79,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var fieldsDict = new FieldDefinitionAndDeclaringTypeDict(); typeToFieldsDict.add(ownerType, fieldsDict); foreach (var structField in structType.Fields) { - var newField = DotNetUtils.createFieldDefinition(structField.Name, structField.Attributes, structField.FieldType); + var newField = module.UpdateRowId(new FieldDefUser(structField.Name, structField.FieldSig.Clone(), structField.Flags)); ownerType.Fields.Add(newField); fieldsDict.add(structField, newField); } @@ -93,16 +92,16 @@ namespace de4dot.code.deobfuscators.DeepSea { var typeToStruct = new Dictionary(); foreach (var type in module.GetTypes()) { foreach (var field in getPossibleFields(type)) { - var fieldType = DotNetUtils.getType(module, field.FieldType); + var fieldType = DotNetUtils.getType(module, field.FieldSig.GetFieldType()); if (fieldType == null) continue; if (!checkBaseType(fieldType)) continue; - if ((fieldType.Attributes & ~TypeAttributes.Sealed) != TypeAttributes.NestedAssembly) + if ((fieldType.Flags & ~TypeAttributes.Sealed) != TypeAttributes.NestedAssembly) continue; if (fieldType.NestedTypes.Count > 0) continue; - if (fieldType.GenericParameters.Count > 0) + if (fieldType.GenericParams.Count > 0) continue; if (fieldType.Fields.Count == 0) continue; @@ -127,16 +126,16 @@ namespace de4dot.code.deobfuscators.DeepSea { typeToStruct.TryGetValue(type, out structType); foreach (var field in type.Fields) { - if (field.IsStatic || field.FieldType != structType) - removeType(candidates, field.FieldType); + if (field.IsStatic || field.FieldSig.GetFieldType().TryGetTypeDef() != structType) + removeType(candidates, field.FieldSig.GetFieldType()); } foreach (var method in type.Methods) { - removeType(candidates, method.MethodReturnType.ReturnType); - foreach (var parameter in method.Parameters) - removeType(candidates, parameter.ParameterType); + removeType(candidates, method.MethodSig.GetRetType()); + foreach (var parameter in method.MethodSig.GetParams()) + removeType(candidates, parameter); if (method.Body != null) { - foreach (var local in method.Body.Variables) - removeType(candidates, local.VariableType); + foreach (var local in method.Body.LocalList) + removeType(candidates, local.Type); } } } @@ -147,9 +146,9 @@ namespace de4dot.code.deobfuscators.DeepSea { IEnumerable getPossibleFields(TypeDef type) { var typeToFields = new TypeDefinitionDict>(); foreach (var field in type.Fields) { - if (field.Attributes != FieldAttributes.Private) + if (field.Flags != FieldAttributes.Private) continue; - var fieldType = DotNetUtils.getType(module, field.FieldType); + var fieldType = DotNetUtils.getType(module, field.FieldSig.GetFieldType()); if (fieldType == null) continue; if (!checkBaseType(fieldType)) @@ -169,10 +168,11 @@ namespace de4dot.code.deobfuscators.DeepSea { static bool checkBaseType(TypeDef type) { if (type == null || type.BaseType == null) return false; - return type.BaseType.FullName == "System.ValueType" || type.BaseType.EType == ElementType.Object; + var fn = type.BaseType.FullName; + return fn == "System.ValueType" || fn == "System.Object"; } - void removeType(Dictionary> candidates, TypeReference type) { + void removeType(Dictionary> candidates, TypeSig type) { var typeDef = DotNetUtils.getType(module, type); if (typeDef == null) return; @@ -183,15 +183,15 @@ namespace de4dot.code.deobfuscators.DeepSea { foreach (var method in type.Methods) { if (method.Name == ".cctor") continue; - if (type.BaseType != null && type.BaseType.EType == ElementType.Object && method.Name == ".ctor" && method.Parameters.Count == 0) + if (type.BaseType != null && type.BaseType.FullName == "System.Object" && method.Name == ".ctor" && method.MethodSig.GetParamCount() == 0) continue; if (!method.IsStatic) return true; - if (method.GenericParameters.Count > 0) + if (method.GenericParams.Count > 0) return true; if (method.Body == null) return true; - if (method.HasPInvokeInfo || method.PInvokeInfo != null) + if (method.ImplMap != null) return true; } return false; @@ -223,12 +223,12 @@ namespace de4dot.code.deobfuscators.DeepSea { var instr = instrs[i]; if (instr.OpCode.Code != Code.Ldflda && instr.OpCode.Code != Code.Ldfld) continue; - var structField = instr.Operand as FieldReference; + var structField = instr.Operand as IField; if (structField == null || !structFieldsToFix.find(structField)) continue; var ldStFld = instrs[findLdStFieldIndex(instrs, i + 1)]; - ldStFld.Operand = getNewField(structField, ldStFld.Operand as FieldReference); + ldStFld.Operand = getNewField(structField, ldStFld.Operand as IField); instrsToRemove.Add(i); } if (instrsToRemove.Count > 0) @@ -246,7 +246,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var stfld = instrs[i]; if (stfld.OpCode.Code != Code.Stfld) continue; - var field = stfld.Operand as FieldReference; + var field = stfld.Operand as IField; if (field == null) continue; if (!structFieldsToFix.find(field)) @@ -270,7 +270,7 @@ namespace de4dot.code.deobfuscators.DeepSea { return newInstrs; } - FieldDef getNewField(FieldReference structField, FieldReference oldFieldRef) { + FieldDef getNewField(IField structField, IField oldFieldRef) { var fieldsDict = typeToFieldsDict.find(structField.DeclaringType); if (fieldsDict == null) throw new ApplicationException("Could not find structField declaringType"); @@ -291,7 +291,7 @@ namespace de4dot.code.deobfuscators.DeepSea { return i; int pushes, pops; - DotNetUtils.calculateStackUsage(instr.Instruction, false, out pushes, out pops); + instr.Instruction.CalculateStackUsage(false, out pushes, out pops); stack -= pops; if (stack < 0) break; diff --git a/de4dot.code/deobfuscators/DeepSea/ResolverBase.cs b/de4dot.code/deobfuscators/DeepSea/ResolverBase.cs index 04f6b68a..ea764de2 100644 --- a/de4dot.code/deobfuscators/DeepSea/ResolverBase.cs +++ b/de4dot.code/deobfuscators/DeepSea/ResolverBase.cs @@ -25,7 +25,7 @@ using de4dot.blocks; namespace de4dot.code.deobfuscators.DeepSea { abstract class ResolverBase { - protected ModuleDefinition module; + protected ModuleDefMD module; protected ISimpleDeobfuscator simpleDeobfuscator; protected IDeobfuscator deob; protected MethodDef initMethod; @@ -44,7 +44,7 @@ namespace de4dot.code.deobfuscators.DeepSea { get { return initMethod != null; } } - public ResolverBase(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { + public ResolverBase(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { this.module = module; this.frameworkType = DotNetUtils.getFrameworkType(module); this.simpleDeobfuscator = simpleDeobfuscator; diff --git a/de4dot.code/deobfuscators/DeepSea/ResourceResolver.cs b/de4dot.code/deobfuscators/DeepSea/ResourceResolver.cs index a8b99866..9850e576 100644 --- a/de4dot.code/deobfuscators/DeepSea/ResourceResolver.cs +++ b/de4dot.code/deobfuscators/DeepSea/ResourceResolver.cs @@ -83,7 +83,7 @@ namespace de4dot.code.deobfuscators.DeepSea { get { return data30 != null ? data30.resource : null; } } - public ResourceResolver(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) + public ResourceResolver(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) : base(module, simpleDeobfuscator, deob) { } @@ -145,7 +145,7 @@ namespace de4dot.code.deobfuscators.DeepSea { magicArgIndex = getMagicArgIndex41Trial(info.handler); data41.isTrial = true; } - var asmVer = module.Assembly.Name.Version; + var asmVer = module.Assembly.Version; if (magicArgIndex < 0 || magicArgIndex >= info.args.Count) return false; var val = info.args[magicArgIndex]; @@ -165,16 +165,16 @@ namespace de4dot.code.deobfuscators.DeepSea { if (add.OpCode.Code != Code.Add) continue; var ldarg = instrs[i + 1]; - if (!DotNetUtils.isLdarg(ldarg)) + if (!ldarg.IsLdarg()) continue; var sub = instrs[i + 2]; if (sub.OpCode.Code != Code.Sub) continue; var ldci4 = instrs[i + 3]; - if (!DotNetUtils.isLdcI4(ldci4) || DotNetUtils.getLdcI4Value(ldci4) != 0xFF) + if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 0xFF) continue; - return DotNetUtils.getArgIndex(ldarg); + return ldarg.GetParameterIndex(); } return -1; } @@ -183,14 +183,14 @@ namespace de4dot.code.deobfuscators.DeepSea { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 2; i++) { var ldarg = instrs[i]; - if (!DotNetUtils.isLdarg(ldarg)) + if (!ldarg.IsLdarg()) continue; - if (!DotNetUtils.isLdcI4(instrs[i + 1])) + if (!instrs[i + 1].IsLdcI4()) continue; if (instrs[i + 2].OpCode.Code != Code.Shr) continue; - return DotNetUtils.getArgIndex(ldarg); + return ldarg.GetParameterIndex(); } return -1; } @@ -255,21 +255,21 @@ namespace de4dot.code.deobfuscators.DeepSea { continue; var ldci4_len = instrs[index++]; - if (!DotNetUtils.isLdcI4(ldci4_len)) + if (!ldci4_len.IsLdcI4()) continue; - if (DotNetUtils.getLdcI4Value(ldci4_len) != field.InitialValue.Length) + if (ldci4_len.GetLdcI4Value() != field.InitialValue.Length) continue; if (instrs[index++].OpCode.Code != Code.Ldstr) continue; var ldci4_magic = instrs[index++]; - if (!DotNetUtils.isLdcI4(ldci4_magic)) + if (!ldci4_magic.IsLdcI4()) continue; - data40.magic = DotNetUtils.getLdcI4Value(ldci4_magic); + data40.magic = ldci4_magic.GetLdcI4Value(); var call = instrs[index++]; - if (call.OpCode.Code == Code.Tail) + if (call.OpCode.Code == Code.Tailcall) call = instrs[index++]; if (call.OpCode.Code != Code.Call) continue; @@ -322,7 +322,7 @@ namespace de4dot.code.deobfuscators.DeepSea { if (data30.resource == null) return false; - DeobUtils.decryptAndAddResources(module, data30.resource.Name, () => decryptResourceV3(data30.resource)); + DeobUtils.decryptAndAddResources(module, data30.resource.Name.String, () => decryptResourceV3(data30.resource)); rsrc = data30.resource; return true; @@ -341,10 +341,10 @@ namespace de4dot.code.deobfuscators.DeepSea { if (resourceField == null) return false; - string name = string.Format("Embedded data field {0:X8} RVA {1:X8}", resourceField.MDToken.ToInt32(), resourceField.RVA); + string name = string.Format("Embedded data field {0:X8} RVA {1:X8}", resourceField.MDToken.ToInt32(), (uint)resourceField.RVA); DeobUtils.decryptAndAddResources(module, name, () => decryptResourceV4(resourceField.InitialValue, magic)); resourceField.InitialValue = new byte[1]; - resourceField.FieldType = module.TypeSystem.Byte; + resourceField.FieldSig.Type = module.CorLibTypes.Byte; return true; } } diff --git a/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs b/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs index 8a9af0ec..c9e1ce15 100644 --- a/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs +++ b/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs @@ -22,12 +22,11 @@ using System.Collections.Generic; using System.Text; using dot10.DotNet; using dot10.DotNet.Emit; -using Mono.Cecil.Metadata; using de4dot.blocks; namespace de4dot.code.deobfuscators.DeepSea { class StringDecrypter { - ModuleDefinition module; + ModuleDefMD module; MethodDefinitionAndDeclaringTypeDict methodToInfo = new MethodDefinitionAndDeclaringTypeDict(); DecrypterVersion version = DecrypterVersion.Unknown; @@ -55,7 +54,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var instrs = initMethod.Body.Instructions; for (int i = 0; i < instrs.Count - 2; i++) { var ldci4 = instrs[i]; - if (!DotNetUtils.isLdcI4(ldci4)) + if (!ldci4.IsLdcI4()) continue; var newarr = instrs[i + 1]; if (newarr.OpCode.Code != Code.Newarr) @@ -64,13 +63,13 @@ namespace de4dot.code.deobfuscators.DeepSea { continue; var stloc = instrs[i + 2]; - if (!DotNetUtils.isStloc(stloc)) + if (!stloc.IsStloc()) continue; - var local = DotNetUtils.getLocalVar(initMethod.Body.Variables, stloc); + var local = stloc.GetLocal(initMethod.Body.LocalList); int startInitIndex = i; i++; - var array = ArrayFinder.getInitializedInt16Array(DotNetUtils.getLdcI4Value(ldci4), initMethod, ref i); + var array = ArrayFinder.getInitializedInt16Array(ldci4.GetLdcI4Value(), initMethod, ref i); if (array == null) continue; @@ -84,13 +83,13 @@ namespace de4dot.code.deobfuscators.DeepSea { return null; } - static FieldDef getStoreField(MethodDef method, int startIndex, VariableDefinition local) { + static FieldDef getStoreField(MethodDef method, int startIndex, Local local) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 1; i++) { var ldloc = instrs[i]; - if (!DotNetUtils.isLdloc(ldloc)) + if (!ldloc.IsLdloc()) continue; - if (DotNetUtils.getLocalVar(method.Body.Variables, ldloc) != local) + if (ldloc.GetLocal(method.Body.LocalList) != local) continue; var stsfld = instrs[i + 1]; @@ -110,16 +109,16 @@ namespace de4dot.code.deobfuscators.DeepSea { static bool findMagic(MethodDef method, out int arg1, out int arg2, out int magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 3; i++) { - if ((arg1 = DotNetUtils.getArgIndex(instrs[i])) < 0) + if ((arg1 = instrs[i].GetParameterIndex()) < 0) continue; var ldci4 = instrs[i + 1]; - if (!DotNetUtils.isLdcI4(ldci4)) + if (!ldci4.IsLdcI4()) continue; if (instrs[i + 2].OpCode.Code != Code.Xor) continue; - if ((arg2 = DotNetUtils.getArgIndex(instrs[i + 3])) < 0) + if ((arg2 = instrs[i + 3].GetParameterIndex()) < 0) continue; - magic = DotNetUtils.getLdcI4Value(ldci4); + magic = ldci4.GetLdcI4Value(); return true; } arg1 = arg2 = 0; @@ -139,7 +138,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var call = instrs[i + 1]; if (call.OpCode.Code != Code.Call) continue; - var calledMethod = call.Operand as MethodReference; + var calledMethod = call.Operand as IMethod; if (calledMethod == null) continue; if (calledMethod.ToString() != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)") @@ -163,11 +162,11 @@ namespace de4dot.code.deobfuscators.DeepSea { class ArrayInfo { public int sizeInElems; - public TypeReference elementType; + public ITypeDefOrRef elementType; public FieldDef initField; public FieldDef field; - public ArrayInfo(int sizeInElems, TypeReference elementType, FieldDef initField, FieldDef field) { + public ArrayInfo(int sizeInElems, ITypeDefOrRef elementType, FieldDef initField, FieldDef field) { this.sizeInElems = sizeInElems; this.elementType = elementType; this.initField = initField; @@ -197,11 +196,11 @@ namespace de4dot.code.deobfuscators.DeepSea { } static bool checkMethodSignature(MethodDef method) { - if (method.MethodReturnType.ReturnType.EType != ElementType.String) + if (method.MethodSig.GetRetType().GetElementType() != ElementType.String) return false; int count = 0; - foreach (var arg in method.Parameters) { - if (arg.ParameterType.EType == ElementType.I4) + foreach (var arg in method.MethodSig.GetParams()) { + if (arg.ElementType == ElementType.I4) count++; } return count >= 2; @@ -254,9 +253,9 @@ namespace de4dot.code.deobfuscators.DeepSea { int index = i; var ldci4 = instrs[index++]; - if (!DotNetUtils.isLdcI4(ldci4)) + if (!ldci4.IsLdcI4()) continue; - if (DotNetUtils.getLdcI4Value(ldci4) != 0xFF) + if (ldci4.GetLdcI4Value() != 0xFF) continue; if (instrs[index++].OpCode.Code != Code.And) @@ -265,13 +264,13 @@ namespace de4dot.code.deobfuscators.DeepSea { continue; var ldci4_2 = instrs[index++]; - if (!DotNetUtils.isLdcI4(ldci4_2)) + if (!ldci4_2.IsLdcI4()) continue; if (findNextFieldUse(method, index) < 0) continue; - return DotNetUtils.getLdcI4Value(ldci4_2); + return ldci4_2.GetLdcI4Value(); } return -1; } @@ -282,7 +281,7 @@ namespace de4dot.code.deobfuscators.DeepSea { var instr = instrs[i]; if (instr.OpCode.Code != Code.Ldsfld && instr.OpCode.Code != Code.Stsfld) continue; - var field = instr.Operand as FieldReference; + var field = instr.Operand as IField; if (!fields.find(field)) return -1; @@ -295,15 +294,15 @@ namespace de4dot.code.deobfuscators.DeepSea { var instructions = method.Body.Instructions; for (int i = 0; i < instructions.Count; i++) { var ldci4_arraySizeInBytes = instructions[i]; - if (!DotNetUtils.isLdcI4(ldci4_arraySizeInBytes)) + if (!ldci4_arraySizeInBytes.IsLdcI4()) continue; i++; var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Stsfld); if (instrs == null) continue; - int sizeInBytes = DotNetUtils.getLdcI4Value(ldci4_arraySizeInBytes); - var elementType = instrs[0].Operand as TypeReference; + int sizeInBytes = ldci4_arraySizeInBytes.GetLdcI4Value(); + var elementType = instrs[0].Operand as ITypeDefOrRef; var initField = instrs[2].Operand as FieldDef; var field = instrs[4].Operand as FieldDef; if (elementType == null) @@ -319,11 +318,11 @@ namespace de4dot.code.deobfuscators.DeepSea { } short[] findKey() { - if (cctor.Module.Assembly == null) + if (cctor.OwnerModule.Assembly == null) return null; - var pkt = cctor.Module.Assembly.Name.PublicKeyToken; - if (pkt != null && pkt.Length > 0) - return getPublicKeyTokenKey(pkt); + var pkt = cctor.OwnerModule.Assembly.PublicKeyToken; + if (!PublicKeyBase.IsNullOrEmpty2(pkt)) + return getPublicKeyTokenKey(pkt.Data); return findKey(cctor); } @@ -380,7 +379,7 @@ namespace de4dot.code.deobfuscators.DeepSea { public void cleanup() { arrayInfo.initField.InitialValue = new byte[1]; - arrayInfo.initField.FieldType = arrayInfo.initField.Module.TypeSystem.Byte; + arrayInfo.initField.FieldSig.Type = arrayInfo.initField.OwnerModule.CorLibTypes.Byte; removeInitializeArrayCall(cctor, arrayInfo.initField); } } @@ -447,9 +446,9 @@ namespace de4dot.code.deobfuscators.DeepSea { var field = instr.Operand as FieldDef; if (field == null) continue; - if (!MemberReferenceHelper.compareTypes(Method.DeclaringType, field.DeclaringType)) + if (!new SigComparer().Equals(Method.DeclaringType, field.DeclaringType)) continue; - switch (field.FieldType.FullName) { + switch (field.FieldSig.GetFieldType().GetFullName()) { case "System.Char[]": if (!charArrayFields.Contains(field)) charArrayFields.Add(field); @@ -493,20 +492,20 @@ namespace de4dot.code.deobfuscators.DeepSea { return null; } - static bool matches(IEnumerable ourFields, FieldReference field) { + static bool matches(IEnumerable ourFields, FieldDef field) { foreach (var ourField in ourFields) { - if (MemberReferenceHelper.compareFieldReferenceAndDeclaringType(ourField, field)) + if (FieldEqualityComparer.CompareDeclaringTypes.Equals(ourField, field)) return true; } return false; } short[] findKey() { - if (cctor.Module.Assembly == null) + if (cctor.OwnerModule.Assembly == null) return null; - var pkt = cctor.Module.Assembly.Name.PublicKeyToken; - if (pkt != null && pkt.Length > 0) - return getPublicKeyTokenKey(pkt); + var pkt = cctor.OwnerModule.Assembly.PublicKeyToken; + if (!PublicKeyBase.IsNullOrEmpty2(pkt)) + return getPublicKeyTokenKey(pkt.Data); return findKey(cctor); } @@ -539,7 +538,7 @@ namespace de4dot.code.deobfuscators.DeepSea { public void cleanup() { encryptedDataField.InitialValue = new byte[1]; - encryptedDataField.FieldType = encryptedDataField.Module.TypeSystem.Byte; + encryptedDataField.FieldSig.Type = encryptedDataField.OwnerModule.CorLibTypes.Byte; removeInitializeArrayCall(cctor, encryptedDataField); } } @@ -605,9 +604,9 @@ namespace de4dot.code.deobfuscators.DeepSea { var field = instr.Operand as FieldDef; if (field == null) continue; - if (!MemberReferenceHelper.compareTypes(Method.DeclaringType, field.DeclaringType)) + if (!new SigComparer().Equals(Method.DeclaringType, field.DeclaringType)) continue; - switch (field.FieldType.FullName) { + switch (field.FieldSig.GetFieldType().GetFullName()) { case "System.Char[]": if (keyField != null && keyField != field) return false; @@ -629,11 +628,11 @@ namespace de4dot.code.deobfuscators.DeepSea { } short[] findKey() { - if (cctor.Module.Assembly == null) + if (cctor.OwnerModule.Assembly == null) return null; - var pkt = cctor.Module.Assembly.Name.PublicKeyToken; - if (pkt != null && pkt.Length > 0) - return getPublicKeyTokenKey(pkt); + var pkt = cctor.OwnerModule.Assembly.PublicKeyToken; + if (!PublicKeyBase.IsNullOrEmpty2(pkt)) + return getPublicKeyTokenKey(pkt.Data); return findKey(cctor); } @@ -654,14 +653,14 @@ namespace de4dot.code.deobfuscators.DeepSea { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 2; i++) { var ldarg = instrs[i]; - if (DotNetUtils.getArgIndex(ldarg) < 0) + if (ldarg.GetParameterIndex() < 0) continue; var ldci4 = instrs[i + 1]; - if (!DotNetUtils.isLdcI4(ldci4)) + if (!ldci4.IsLdcI4()) continue; if (instrs[i + 2].OpCode.Code != Code.Xor) continue; - magic = DotNetUtils.getLdcI4Value(ldci4); + magic = ldci4.GetLdcI4Value(); return true; } magic = 0; @@ -720,7 +719,7 @@ namespace de4dot.code.deobfuscators.DeepSea { } } - public StringDecrypter(ModuleDefinition module) { + public StringDecrypter(ModuleDefMD module) { this.module = module; } @@ -728,9 +727,10 @@ namespace de4dot.code.deobfuscators.DeepSea { if (module.Assembly == null) return; - bool hasPublicKeyToken = module.Assembly.Name.PublicKeyToken != null && module.Assembly.Name.PublicKeyToken.Length != 0; + var pkt = module.Assembly.PublicKeyToken; + bool hasPublicKeyToken = !PublicKeyBase.IsNullOrEmpty2(pkt); foreach (var type in module.GetTypes()) { - var cctor = DotNetUtils.getMethod(type, ".cctor"); + var cctor = type.FindClassConstructor(); if (cctor == null) continue; @@ -777,7 +777,7 @@ namespace de4dot.code.deobfuscators.DeepSea { foreach (var field in fields) { if (foundCharAry && foundStringAry) break; - switch (field.FieldType.FullName) { + switch (field.FieldSig.GetFieldType().GetFullName()) { case "System.Char[]": foundCharAry = true; break; @@ -810,7 +810,7 @@ namespace de4dot.code.deobfuscators.DeepSea { return info; } - public string decrypt(MethodReference method, object[] args) { + public string decrypt(IMethod method, object[] args) { var info = methodToInfo.find(method); return info.decrypt(args); } diff --git a/de4dot.cui/Program.cs b/de4dot.cui/Program.cs index 30b5433c..f4b45fef 100644 --- a/de4dot.cui/Program.cs +++ b/de4dot.cui/Program.cs @@ -43,9 +43,7 @@ namespace de4dot.cui { new de4dot.code.deobfuscators.CodeVeil.DeobfuscatorInfo(), new de4dot.code.deobfuscators.CodeWall.DeobfuscatorInfo(), new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(), -#if PORT new de4dot.code.deobfuscators.DeepSea.DeobfuscatorInfo(), -#endif new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(), #if PORT new de4dot.code.deobfuscators.dotNET_Reactor.v3.DeobfuscatorInfo(), diff --git a/dot10 b/dot10 index ba1fa213..acae785a 160000 --- a/dot10 +++ b/dot10 @@ -1 +1 @@ -Subproject commit ba1fa2135fec435ecee2ea041c9a7dae56e5dd47 +Subproject commit acae785a75c91f9ddabbf6e78d831febcbef16b3