Port .NET Reactor v3.x deobfuscator
parent
7e1d16dafb
commit
413a032e0a
|
@ -198,7 +198,7 @@ namespace de4dot.code {
|
|||
module = assemblyModule.load(unpackedData);
|
||||
}
|
||||
catch {
|
||||
Logger.w("Could not load unpacked data. Deobfuscator: {0}", deob.TypeLong);
|
||||
Logger.w("Could not load unpacked data. File: {0}, deobfuscator: {0}", peImage.FileName ?? "(unknown filename)", deob.TypeLong);
|
||||
continue;
|
||||
}
|
||||
this.deob = deob;
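Review bot: The longer `Logger.w` call (the one that adds the file name) uses `{0}` for both placeholders, so the file name is printed twice and `deob.TypeLong` is never shown. The second placeholder should be `{1}`: `Logger.w("Could not load unpacked data. File: {0}, deobfuscator: {1}", peImage.FileName ?? "(unknown filename)", deob.TypeLong);`. When a batch of packed samples is processed, this warning is the only record of which deobfuscator produced output that failed to load. The bare `catch` also discards the exception itself; the enclosing `try` starts outside this hunk, so whether that is deliberate cannot be confirmed here.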
|
||||
|
|
|
@ -153,16 +153,16 @@
|
|||
<Compile Include="deobfuscators\DeobUtils.cs" />
|
||||
<Compile Include="deobfuscators\Dotfuscator\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\Dotfuscator\StringDecrypter.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v3\AntiStrongName.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeDecrypter.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeUnpacker.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v3\AssemblyResolver.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v3\DecrypterType.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v3\DecryptMethod.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v3\Deobfuscator.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v3\LibAssemblyResolver.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v3\MemoryPatcher.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v3\NativeLibSaver.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\AntiStrongName.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeUnpacker.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\AssemblyResolver.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\DecrypterType.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\DecryptMethod.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\LibAssemblyResolver.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\MemoryPatcher.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\NativeLibSaver.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\AntiStrongName.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\AssemblyResolver.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\BooleanDecrypter.cs" />
|
||||
|
|
|
@ -633,6 +633,10 @@ namespace de4dot.code.deobfuscators {
|
|||
if (field != null)
|
||||
return field.FieldSig.GetFieldType().GetElementType() == ElementType.Object;
|
||||
|
||||
var sig = o as TypeSig;
|
||||
if (sig != null)
|
||||
return sig.ElementType == ElementType.Object;
|
||||
|
||||
throw new ApplicationException(string.Format("Unknown type: {0}", o.GetType()));
|
||||
}
|
||||
}
|
||||
|
|
|
@ -120,7 +120,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
static bool checkCall(Instr instr, string methodFullname) {
|
||||
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
|
||||
return false;
|
||||
var calledMethod = instr.Operand as MethodReference;
|
||||
var calledMethod = instr.Operand as IMethod;
|
||||
if (calledMethod == null)
|
||||
return false;
|
||||
return calledMethod.ToString() == methodFullname;
|
||||
|
@ -129,13 +129,13 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
static bool checkCall(Instr instr, string returnType, string parameters) {
|
||||
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
|
||||
return false;
|
||||
var calledMethod = instr.Operand as MethodReference;
|
||||
var calledMethod = instr.Operand as IMethod;
|
||||
if (calledMethod == null)
|
||||
return false;
|
||||
return DotNetUtils.isMethod(calledMethod, returnType, parameters);
|
||||
}
|
||||
|
||||
static bool checkLdloc(IList<VariableDefinition> locals, Instr instr, VariableDefinition local) {
|
||||
static bool checkLdloc(IList<Local> locals, Instr instr, Local local) {
|
||||
if (!instr.isLdloc())
|
||||
return false;
|
||||
if (Instr.getLocalVar(locals, instr) != local)
|
||||
|
@ -143,7 +143,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
return true;
|
||||
}
|
||||
|
||||
static bool checkStloc(IList<VariableDefinition> locals, Instr instr, VariableDefinition local) {
|
||||
static bool checkStloc(IList<Local> locals, Instr instr, Local local) {
|
||||
if (!instr.isStloc())
|
||||
return false;
|
||||
if (Instr.getLocalVar(locals, instr) != local)
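Review bot: `checkCall(Instr, string)` still decides a match with `calledMethod.ToString() == methodFullname`, and once the operand is cast to `IMethod` instead of `MethodReference` that comparison depends on how the new library renders a method as text. If the two libraries format signatures differently, the check returns false without any warning and the strong-name check would presumably be left in the output. I would add a comment above the comparison stating the expected format, e.g. `// methodFullname must match IMethod.ToString() exactly (return type, declaring type, name, parameter list)`, and confirm it against one known sample. The callers that supply `methodFullname` are outside this section.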
|
||||
|
|
|
@ -23,7 +23,7 @@ using de4dot.blocks.cflow;
|
|||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||
class ApplicationModeDecrypter {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
AssemblyResolver assemblyResolver;
|
||||
MemoryPatcher memoryPatcher;
|
||||
|
||||
|
@ -43,7 +43,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
get { return assemblyResolver != null; }
|
||||
}
|
||||
|
||||
public ApplicationModeDecrypter(ModuleDefinition module) {
|
||||
public ApplicationModeDecrypter(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
find();
|
||||
}
|
||||
|
|
|
@ -22,10 +22,137 @@ using System.Collections.Generic;
|
|||
using System.IO;
|
||||
using System.Text;
|
||||
using System.Text.RegularExpressions;
|
||||
using dot10.IO;
|
||||
using dot10.PE;
|
||||
using dot10.DotNet;
|
||||
using de4dot.PE;
|
||||
using dot10.DotNet.MD;
|
||||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||
sealed class MyPEImage : IDisposable {
|
||||
IPEImage peImage;
|
||||
byte[] peImageData;
|
||||
IImageStream peStream;
|
||||
DotNetFile dnFile;
|
||||
ImageSectionHeader dotNetSection;
|
||||
bool ownPeImage;
|
||||
|
||||
public IPEImage PEImage {
|
||||
get { return peImage; }
|
||||
}
|
||||
|
||||
public uint Length {
|
||||
get { return (uint)peStream.Length; }
|
||||
}
|
||||
|
||||
public MyPEImage(IPEImage peImage) {
|
||||
initialize(peImage);
|
||||
}
|
||||
|
||||
public MyPEImage(byte[] peImageData) {
|
||||
this.ownPeImage = true;
|
||||
this.peImageData = peImageData;
|
||||
initialize(new PEImage(peImageData));
|
||||
}
|
||||
|
||||
void initialize(IPEImage peImage) {
|
||||
this.peImage = peImage;
|
||||
this.peStream = peImage.CreateFullStream();
|
||||
|
||||
//TODO: Only init this if they use the .NET MD
|
||||
var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14];
|
||||
if (dotNetDir.VirtualAddress != 0 && dotNetDir.Size >= 0x48) {
|
||||
dnFile = DotNetFile.Load(peImage, false);
|
||||
dotNetSection = findSection(dotNetDir.VirtualAddress);
|
||||
}
|
||||
}
|
||||
|
||||
ImageSectionHeader findSection(RVA rva) {
|
||||
foreach (var section in peImage.ImageSectionHeaders) {
|
||||
if (section.VirtualAddress <= rva && rva < section.VirtualAddress + Math.Max(section.VirtualSize, section.SizeOfRawData))
|
||||
return section;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
static bool isInside(ImageSectionHeader section, uint offset, uint length) {
|
||||
return offset >= section.PointerToRawData && offset + length <= section.PointerToRawData + section.SizeOfRawData;
|
||||
}
|
||||
|
||||
public void offsetWriteUInt32(uint offset, uint val) {
|
||||
peImageData[offset + 0] = (byte)val;
|
||||
peImageData[offset + 1] = (byte)(val >> 8);
|
||||
peImageData[offset + 2] = (byte)(val >> 16);
|
||||
peImageData[offset + 3] = (byte)(val >> 24);
|
||||
}
|
||||
|
||||
public void offsetWriteUInt16(uint offset, ushort val) {
|
||||
peImageData[offset + 0] = (byte)val;
|
||||
peImageData[offset + 1] = (byte)(val >> 8);
|
||||
}
|
||||
|
||||
public uint offsetReadUInt32(uint offset) {
|
||||
peStream.Position = offset;
|
||||
return peStream.ReadUInt32();
|
||||
}
|
||||
|
||||
public ushort offsetReadUInt16(uint offset) {
|
||||
peStream.Position = offset;
|
||||
return peStream.ReadUInt16();
|
||||
}
|
||||
|
||||
public byte[] offsetReadBytes(uint offset, int size) {
|
||||
peStream.Position = offset;
|
||||
return peStream.ReadBytes(size);
|
||||
}
|
||||
|
||||
public void offsetWrite(uint offset, byte[] data) {
|
||||
Array.Copy(data, 0, peImageData, offset, data.Length);
|
||||
}
|
||||
|
||||
bool intersect(uint offset1, uint length1, uint offset2, uint length2) {
|
||||
return !(offset1 + length1 <= offset2 || offset2 + length2 <= offset1);
|
||||
}
|
||||
|
||||
bool intersect(uint offset, uint length, IFileSection location) {
|
||||
return intersect(offset, length, (uint)location.StartOffset, (uint)(location.EndOffset - location.StartOffset));
|
||||
}
|
||||
|
||||
public bool dotNetSafeWriteOffset(uint offset, byte[] data) {
|
||||
if (dnFile != null) {
|
||||
uint length = (uint)data.Length;
|
||||
|
||||
if (!isInside(dotNetSection, offset, length))
|
||||
return false;
|
||||
if (intersect(offset, length, dnFile.MetaData.ImageCor20Header))
|
||||
return false;
|
||||
if (intersect(offset, length, (uint)dnFile.MetaData.TablesStream.FileOffset, dnFile.MetaData.TablesStream.HeaderLength))
|
||||
return false;
|
||||
}
|
||||
|
||||
offsetWrite(offset, data);
|
||||
return true;
|
||||
}
|
||||
|
||||
public bool dotNetSafeWrite(uint rva, byte[] data) {
|
||||
return dotNetSafeWriteOffset((uint)peImage.ToFileOffset((RVA)rva), data);
|
||||
}
|
||||
|
||||
public void Dispose() {
|
||||
if (ownPeImage) {
|
||||
if (dnFile != null)
|
||||
dnFile.Dispose();
|
||||
if (peImage != null)
|
||||
peImage.Dispose();
|
||||
}
|
||||
if (peStream != null)
|
||||
peStream.Dispose();
|
||||
|
||||
dnFile = null;
|
||||
peImage = null;
|
||||
peStream = null;
|
||||
}
|
||||
}
|
||||
|
||||
class IniFile {
|
||||
Dictionary<string, string> nameToValue = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
|
||||
|
||||
|
@ -77,7 +204,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
0x73, 0x33, 0x6E, 0x6D, 0x34, 0x32, 0x64, 0x35,
|
||||
};
|
||||
|
||||
PeImage peImage;
|
||||
IPEImage peImage;
|
||||
List<UnpackedFile> satelliteAssemblies = new List<UnpackedFile>();
|
||||
uint[] sizes;
|
||||
string[] filenames;
|
||||
|
@ -87,29 +214,35 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
get { return satelliteAssemblies; }
|
||||
}
|
||||
|
||||
public ApplicationModeUnpacker(PeImage peImage) {
|
||||
public ApplicationModeUnpacker(IPEImage peImage) {
|
||||
this.peImage = peImage;
|
||||
}
|
||||
|
||||
public byte[] unpack() {
|
||||
byte[] data = null;
|
||||
MyPEImage myPeImage = null;
|
||||
try {
|
||||
data = unpack2();
|
||||
myPeImage = new MyPEImage(peImage);
|
||||
data = unpack2(myPeImage);
|
||||
}
|
||||
catch {
|
||||
}
|
||||
finally {
|
||||
if (myPeImage != null)
|
||||
myPeImage.Dispose();
|
||||
}
|
||||
if (data != null)
|
||||
return data;
|
||||
|
||||
if (shouldUnpack)
|
||||
Logger.w("Could not unpack the file");
|
||||
Logger.w("Could not unpack file: {0}", peImage.FileName ?? "(unknown filename)");
|
||||
return null;
|
||||
}
|
||||
|
||||
byte[] unpack2() {
|
||||
byte[] unpack2(MyPEImage peImage) {
|
||||
shouldUnpack = false;
|
||||
uint headerOffset = peImage.ImageLength - 12;
|
||||
uint offsetEncryptedAssembly = checkOffset(peImage.offsetReadUInt32(headerOffset));
|
||||
uint headerOffset = (uint)peImage.Length - 12;
|
||||
uint offsetEncryptedAssembly = checkOffset(peImage, peImage.offsetReadUInt32(headerOffset));
|
||||
uint ezencryptionLibLength = peImage.offsetReadUInt32(headerOffset + 4);
|
||||
uint iniFileLength = peImage.offsetReadUInt32(headerOffset + 8);
|
||||
|
||||
|
@ -135,30 +268,31 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
return null;
|
||||
|
||||
byte[] ezencryptionLibData = decompress1(peImage.offsetReadBytes(ezencryptionLibOffset, (int)ezencryptionLibLength));
|
||||
var ezencryptionLibModule = ModuleDefinition.ReadModule(new MemoryStream(ezencryptionLibData));
|
||||
var ezencryptionLibModule = ModuleDefMD.Load(ezencryptionLibData);
|
||||
var decrypter = new ApplicationModeDecrypter(ezencryptionLibModule);
|
||||
if (!decrypter.Detected)
|
||||
return null;
|
||||
|
||||
var mainAssembly = unpackEmbeddedFile(0, decrypter);
|
||||
var mainAssembly = unpackEmbeddedFile(peImage, 0, decrypter);
|
||||
decrypter.MemoryPatcher.patch(mainAssembly.data);
|
||||
for (int i = 1; i < filenames.Length; i++)
|
||||
satelliteAssemblies.Add(unpackEmbeddedFile(i, decrypter));
|
||||
satelliteAssemblies.Add(unpackEmbeddedFile(peImage, i, decrypter));
|
||||
|
||||
clearDllBit(mainAssembly.data);
|
||||
return mainAssembly.data;
|
||||
}
|
||||
|
||||
static void clearDllBit(byte[] peImageData) {
|
||||
var mainPeImage = new PeImage(peImageData);
|
||||
uint characteristicsOffset = mainPeImage.FileHeaderOffset + 18;
|
||||
using (var mainPeImage = new MyPEImage(peImageData)) {
|
||||
uint characteristicsOffset = (uint)mainPeImage.PEImage.ImageNTHeaders.FileHeader.StartOffset + 18;
|
||||
ushort characteristics = mainPeImage.offsetReadUInt16(characteristicsOffset);
|
||||
characteristics &= 0xDFFF;
|
||||
characteristics |= 2;
|
||||
mainPeImage.offsetWriteUInt16(characteristicsOffset, characteristics);
|
||||
}
|
||||
}
|
||||
|
||||
UnpackedFile unpackEmbeddedFile(int index, ApplicationModeDecrypter decrypter) {
|
||||
UnpackedFile unpackEmbeddedFile(MyPEImage peImage, int index, ApplicationModeDecrypter decrypter) {
|
||||
uint offset = 0;
|
||||
for (int i = 0; i < index + 1; i++)
|
||||
offset += sizes[i];
|
||||
|
@ -178,8 +312,8 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
return list.ToArray();
|
||||
}
|
||||
|
||||
uint checkOffset(uint offset) {
|
||||
if (offset >= peImage.ImageLength)
|
||||
uint checkOffset(MyPEImage peImage, uint offset) {
|
||||
if (offset >= peImage.Length)
|
||||
throw new Exception();
|
||||
return offset;
|
||||
}
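Review bot: `isInside` and the four-argument `intersect` in the new `MyPEImage` class add `uint` values without overflow checking, and the offsets passed to `dotNetSafeWriteOffset` appear to come from the file being unpacked, so a large offset can wrap and pass the range test. The write is then stopped only by `Array.Copy` throwing; doing the sums in 64 bits keeps the test itself correct: `return offset >= section.PointerToRawData && (ulong)offset + length <= (ulong)section.PointerToRawData + section.SizeOfRawData;`. Two null cases are also unguarded: `peImageData` is never set by the `MyPEImage(IPEImage)` constructor, so any `offsetWrite*` call on such an instance throws, and `dotNetSection` stays null when `findSection` finds no match while `dnFile` is set. `unpack()` hides all of these behind an empty `catch`, so a hostile or truncated input is reported only as "Could not unpack file".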
|
||||
|
|
|
@ -27,12 +27,12 @@ using de4dot.PE;
|
|||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||
// Find the type that decrypts strings and calls the native lib
|
||||
class DecrypterType {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef decrypterType;
|
||||
MethodDef stringDecrypter1;
|
||||
MethodDef stringDecrypter2;
|
||||
List<MethodDef> initMethods = new List<MethodDef>();
|
||||
List<ModuleReference> moduleReferences = new List<ModuleReference>();
|
||||
List<ModuleRef> moduleReferences = new List<ModuleRef>();
|
||||
Resource linkedResource;
|
||||
|
||||
public bool Detected {
|
||||
|
@ -59,10 +59,6 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
get { return initMethods; }
|
||||
}
|
||||
|
||||
public List<ModuleReference> ModuleReferences {
|
||||
get { return moduleReferences; }
|
||||
}
|
||||
|
||||
public IEnumerable<MethodDef> StringDecrypters {
|
||||
get {
|
||||
return new List<MethodDef> {
|
||||
|
@ -72,11 +68,11 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
}
|
||||
}
|
||||
|
||||
public DecrypterType(ModuleDefinition module) {
|
||||
public DecrypterType(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public DecrypterType(ModuleDefinition module, DecrypterType oldOne) {
|
||||
public DecrypterType(ModuleDefMD module, DecrypterType oldOne) {
|
||||
this.module = module;
|
||||
this.decrypterType = lookup(oldOne.decrypterType, "Could not find decrypterType");
|
||||
this.stringDecrypter1 = lookup(oldOne.stringDecrypter1, "Could not find stringDecrypter1");
|
||||
|
@ -109,11 +105,11 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
|
||||
void updateModuleReferences() {
|
||||
foreach (var method in decrypterType.Methods) {
|
||||
if (method.PInvokeInfo != null) {
|
||||
switch (method.PInvokeInfo.EntryPoint) {
|
||||
if (method.ImplMap != null) {
|
||||
switch (method.ImplMap.Name.String) {
|
||||
case "nr_nli":
|
||||
case "nr_startup":
|
||||
moduleReferences.Add(method.PInvokeInfo.Module);
|
||||
moduleReferences.Add(method.ImplMap.Module);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
@ -123,7 +119,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
|
||||
void updateLinkedResource() {
|
||||
foreach (var modref in moduleReferences) {
|
||||
var resource = DotNetUtils.getResource(module, modref.Name) as LinkedResource;
|
||||
var resource = DotNetUtils.getResource(module, modref.Name.String) as LinkedResource;
|
||||
if (resource == null)
|
||||
continue;
|
||||
|
||||
|
@ -133,7 +129,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
}
|
||||
|
||||
MethodDef getStringDecrypter(TypeDef type, string name) {
|
||||
var method = DotNetUtils.getMethod(type, name);
|
||||
var method = type.FindMethod(name);
|
||||
if (method == null)
|
||||
return null;
|
||||
if (!DotNetUtils.isMethod(method, "System.String", "(System.String)"))
|
||||
|
@ -152,8 +148,9 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
return Encoding.Unicode.GetString(Convert.FromBase64String(s));
|
||||
}
|
||||
|
||||
public bool patch(PeImage peImage) {
|
||||
public bool patch(byte[] peData) {
|
||||
try {
|
||||
using (var peImage = new MyPEImage(peData))
|
||||
return patch2(peImage);
|
||||
}
|
||||
catch {
|
||||
|
@ -162,9 +159,9 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
}
|
||||
}
|
||||
|
||||
bool patch2(PeImage peImage) {
|
||||
uint numPatches = peImage.offsetReadUInt32(peImage.ImageLength - 4);
|
||||
uint offset = checked(peImage.ImageLength - 4 - numPatches * 8);
|
||||
bool patch2(MyPEImage peImage) {
|
||||
uint numPatches = peImage.offsetReadUInt32(peImage.Length - 4);
|
||||
uint offset = checked(peImage.Length - 4 - numPatches * 8);
|
||||
|
||||
bool startedPatchingBadData = false;
|
||||
for (uint i = 0; i < numPatches; i++, offset += 8) {
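Review bot: In `patch2`, `checked(...)` protects the `offset` computation but not the `peImage.Length - 4` on the line above it, which wraps to a very large value when the input is shorter than four bytes. `numPatches` is read from the trailer of the file under analysis and then bounds the loop, so impossible values are worth rejecting before use, e.g. `if (peImage.Length < 4) return false;` ahead of the read. `patch` also works on the caller's `byte[]` in place, so if the loop throws part-way the buffer may be left partially patched. The loop body and the `catch` body are outside this hunk, so that last point needs confirming.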
|
||||
|
|
|
@ -21,11 +21,11 @@ using System;
|
|||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Text.RegularExpressions;
|
||||
using dot10.IO;
|
||||
using dot10.PE;
|
||||
using dot10.DotNet;
|
||||
using dot10.DotNet.Emit;
|
||||
using Mono.MyStuff;
|
||||
using de4dot.blocks;
|
||||
using de4dot.PE;
|
||||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||
|
@ -125,7 +125,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
this.RenamingOptions &= ~RenamingOptions.RemoveNamespaceIfOneType;
|
||||
}
|
||||
|
||||
public override byte[] unpackNativeFile(PeImage peImage) {
|
||||
public override byte[] unpackNativeFile(IPEImage peImage) {
|
||||
var unpacker = new ApplicationModeUnpacker(peImage);
|
||||
var data = unpacker.unpack();
|
||||
if (data == null)
|
||||
|
@ -146,15 +146,14 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
return false;
|
||||
|
||||
var fileData = ModuleBytes ?? DeobUtils.readModule(module);
|
||||
var peImage = new PeImage(fileData);
|
||||
if (!decrypterType.patch(peImage))
|
||||
if (!decrypterType.patch(fileData))
|
||||
return false;
|
||||
|
||||
newFileData = fileData;
|
||||
return true;
|
||||
}
|
||||
|
||||
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
||||
public override IDeobfuscator moduleReloaded(ModuleDefMD module) {
|
||||
var newOne = new Deobfuscator(options);
|
||||
newOne.setModule(module);
|
||||
newOne.decrypterType = new DecrypterType(module, decrypterType);
|
||||
|
@ -162,7 +161,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
return newOne;
|
||||
}
|
||||
|
||||
public override void init(ModuleDefinition module) {
|
||||
public override void init(ModuleDefMD module) {
|
||||
base.init(module);
|
||||
}
|
||||
|
||||
|
@ -298,7 +297,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
|
||||
void dumpResourceFiles() {
|
||||
foreach (var resource in libAssemblyResolver.Resources) {
|
||||
var mod = ModuleDefinition.ReadModule(resource.GetResourceStream());
|
||||
var mod = ModuleDefMD.Load(resource.Data.ReadAllBytes());
|
||||
addResourceToBeRemoved(resource, string.Format("Embedded assembly: {0}", mod.Assembly.FullName));
|
||||
DeobfuscatedFile.createAssemblyFile(resource.GetResourceData(),
|
||||
Utils.getAssemblySimpleName(mod.Assembly.FullName),
|
||||
|
@ -324,7 +323,6 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
|
||||
if (canRemoveDecrypterType && !isTypeCalled(decrypterType.Type)) {
|
||||
addTypeToBeRemoved(decrypterType.Type, "Decrypter type");
|
||||
addModuleReferencesToBeRemoved(decrypterType.ModuleReferences, "Native lib module reference");
|
||||
addResourceToBeRemoved(decrypterType.LinkedResource, "Native lib linked resource");
|
||||
}
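Review bot: `dumpResourceFiles` now loads the module from `resource.Data.ReadAllBytes()`, but the next statement still calls `resource.GetResourceData()`, so the resource is read through two different APIs and the second may not exist on the ported resource type (its declaration is not visible here). Reading once and reusing the buffer avoids both problems: `var data = resource.Data.ReadAllBytes();` then `var mod = ModuleDefMD.Load(data);`, passing `data` to `createAssemblyFile`. The output name comes from `mod.Assembly.FullName`, which is set by whoever built the embedded assembly, and `mod.Assembly` may be null for a module without an assembly manifest. A null check here would be cheap, and whether `createAssemblyFile` strips path separators should be confirmed, since its body is outside this page.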
|
||||
|
||||
|
|
|
@ -25,7 +25,7 @@ using de4dot.blocks;
|
|||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||
// Find the assembly resolver that's used in lib mode (3.8+)
|
||||
class LibAssemblyResolver {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
MethodDef initMethod;
|
||||
List<EmbeddedResource> resources = new List<EmbeddedResource>();
|
||||
|
||||
|
@ -41,7 +41,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
get { return resources; }
|
||||
}
|
||||
|
||||
public LibAssemblyResolver(ModuleDefinition module) {
|
||||
public LibAssemblyResolver(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
|
@ -69,7 +69,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
var type = method.DeclaringType;
|
||||
if (!new FieldTypes(type).exactly(requiredFields))
|
||||
continue;
|
||||
var ctor = DotNetUtils.getMethod(type, ".ctor");
|
||||
var ctor = type.FindMethod(".ctor");
|
||||
if (ctor == null)
|
||||
continue;
|
||||
var handler = DeobUtils.getResolveMethod(ctor);
|
||||
|
|
|
@ -135,7 +135,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
}
|
||||
|
||||
public void patch(byte[] peImageData) {
|
||||
var peImage = new PeImage(peImageData);
|
||||
using (var peImage = new MyPEImage(peImageData)) {
|
||||
foreach (var info in patchInfos) {
|
||||
for (int i = 0; i < info.offsets.Length; i++)
|
||||
peImage.dotNetSafeWriteOffset((uint)info.offsets[i], BitConverter.GetBytes(info.values[i]));
|
||||
|
@ -143,3 +143,4 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -24,7 +24,7 @@ using de4dot.blocks;
|
|||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||
// Finds the type that saves the native lib (if in resources) to disk
|
||||
class NativeLibSaver {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef nativeLibCallerType;
|
||||
MethodDef initMethod;
|
||||
Resource nativeFileResource;
|
||||
|
@ -45,16 +45,16 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
|||
get { return nativeLibCallerType != null; }
|
||||
}
|
||||
|
||||
public NativeLibSaver(ModuleDefinition module) {
|
||||
public NativeLibSaver(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public NativeLibSaver(ModuleDefinition module, NativeLibSaver oldOne) {
|
||||
public NativeLibSaver(ModuleDefMD module, NativeLibSaver oldOne) {
|
||||
this.module = module;
|
||||
this.nativeLibCallerType = lookup(oldOne.nativeLibCallerType, "Could not find nativeLibCallerType");
|
||||
this.initMethod = lookup(oldOne.initMethod, "Could not find initMethod");
|
||||
if (oldOne.nativeFileResource != null) {
|
||||
this.nativeFileResource = DotNetUtils.getResource(module, oldOne.nativeFileResource.Name);
|
||||
this.nativeFileResource = DotNetUtils.getResource(module, oldOne.nativeFileResource.Name.String);
|
||||
if (this.nativeFileResource == null)
|
||||
throw new ApplicationException("Could not find nativeFileResource");
|
||||
}
|
||||
|
|
|
@ -46,8 +46,8 @@ namespace de4dot.cui {
|
|||
new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.DeepSea.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(),
|
||||
#if PORT
|
||||
new de4dot.code.deobfuscators.dotNET_Reactor.v3.DeobfuscatorInfo(),
|
||||
#if PORT
|
||||
new de4dot.code.deobfuscators.dotNET_Reactor.v4.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Eazfuscator_NET.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Goliath_NET.DeobfuscatorInfo(),
|
||||
|
|