diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 796b3536..7f3850a6 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -57,11 +57,13 @@
+
+
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
new file mode 100644
index 00000000..7c71b224
--- /dev/null
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
@@ -0,0 +1,75 @@
+/*
+ Copyright (C) 2011 de4dot@gmail.com
+
+ This file is part of de4dot.
+
+ de4dot is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ de4dot is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with de4dot. If not, see .
+*/
+
+using Mono.Cecil;
+using de4dot.blocks;
+
+namespace de4dot.deobfuscators.CryptoObfuscator {
+ class AntiDebugger {
+ ModuleDefinition module;
+ ISimpleDeobfuscator simpleDeobfuscator;
+ IDeobfuscator deob;
+ TypeDefinition antiDebuggerType;
+ MethodDefinition antiDebuggerMethod;
+
+ public AntiDebugger(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
+ this.module = module;
+ this.simpleDeobfuscator = simpleDeobfuscator;
+ this.deob = deob;
+ }
+
+ public void find() {
+ var mainMethod = module.EntryPoint;
+ if (mainMethod == null)
+ return;
+
+ foreach (var info in DotNetUtils.getCalledMethods(module, mainMethod)) {
+ var type = info.Item1;
+ var method = info.Item2;
+
+ if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
+ continue;
+ if (DotNetUtils.getPInvokeMethod(type, "kernel32", "LoadLibrary") == null)
+ continue;
+ if (DotNetUtils.getPInvokeMethod(type, "kernel32", "GetProcAddress") == null)
+ continue;
+ deobfuscate(method);
+ if (!containsString(method, "debugger was detected"))
+ continue;
+
+ antiDebuggerType = type;
+ antiDebuggerMethod = method;
+ return;
+ }
+ }
+
+ void deobfuscate(MethodDefinition method) {
+ simpleDeobfuscator.deobfuscate(method);
+ simpleDeobfuscator.decryptStrings(method, deob);
+ }
+
+ bool containsString(MethodDefinition method, string part) {
+ foreach (var s in DotNetUtils.getCodeStrings(method)) {
+ if (s.Contains(part))
+ return true;
+ }
+ return false;
+ }
+ }
+}
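Review bot: `antiDebuggerType` and `antiDebuggerMethod` are assigned at the end of `find()`, but nothing in this new file reads them, and because they are private no other file can read them either, so callers never see the search result. Expose them, for example with `public TypeDefinition Type { get { return antiDebuggerType; } }`, `public MethodDefinition Method { get { return antiDebuggerMethod; } }` and `public bool Detected { get { return antiDebuggerMethod != null; } }`. Also, `deobfuscate(method)` runs on every candidate that passes the two P/Invoke checks, before the `"debugger was detected"` test, so candidates that end up not matching are presumably still modified by the simple deobfuscator. A short comment on `find()` saying that the match depends on that exact decrypted string would make a silent miss easier to diagnose.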
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
index 42ac00e3..b6694886 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
@@ -25,8 +25,11 @@ using de4dot.blocks;
namespace de4dot.deobfuscators.CryptoObfuscator {
class DeobfuscatorInfo : DeobfuscatorInfoBase {
const string DEFAULT_REGEX = @"!^[A-Z]{1,3}(?:`\d+)?$&!^c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
+ BoolOption removeTamperProtection;
+
public DeobfuscatorInfo()
: base("co", DEFAULT_REGEX) {
+ removeTamperProtection = new BoolOption(null, makeArgName("tamper"), "Remove tamper protection code", true);
}
internal static string ObfuscatorType {
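Review bot: `removeTamperProtection` is assigned once in the `DeobfuscatorInfo` constructor and is not reassigned in the visible lines, so it can be declared `readonly BoolOption removeTamperProtection;`. The option defaults to `true`, which deserves a comment on the field such as `// On by default: tamper-protection code is removed unless the user turns this option off`. The class body continues outside this hunk, so any later reassignment would not be visible here.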
@@ -40,11 +43,13 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
public override IDeobfuscator createDeobfuscator() {
return new Deobfuscator(new Deobfuscator.Options {
ValidNameRegex = validNameRegex.get(),
+ RemoveTamperProtection = removeTamperProtection.get(),
});
}
protected override IEnumerable