Use a new class instead of the dict
This commit is contained in:
parent
d09938ca47
commit
48758be8f0
2
cecil
2
cecil
|
@ -1 +1 @@
|
||||||
Subproject commit e71840599636807d69b0b39e164ab7292b10fe23
|
Subproject commit a9c9bd7f0cb8271c287e83d8a70678770ca0d078
|
|
@ -62,7 +62,7 @@ namespace de4dot.code {
|
||||||
module.Write(newFilename, writerParams);
|
module.Write(newFilename, writerParams);
|
||||||
}
|
}
|
||||||
|
|
||||||
public ModuleDefinition reload(byte[] newModuleData, Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public ModuleDefinition reload(byte[] newModuleData, DumpedMethods dumpedMethods) {
|
||||||
AssemblyResolver.Instance.removeModule(module);
|
AssemblyResolver.Instance.removeModule(module);
|
||||||
DotNetUtils.typeCaches.invalidate(module);
|
DotNetUtils.typeCaches.invalidate(module);
|
||||||
return setModule(ModuleDefinition.ReadModule(new MemoryStream(newModuleData), getReaderParameters(), dumpedMethods));
|
return setModule(ModuleDefinition.ReadModule(new MemoryStream(newModuleData), getReaderParameters(), dumpedMethods));
|
||||||
|
|
|
@ -363,7 +363,7 @@ namespace de4dot.code {
|
||||||
initAssemblyClient();
|
initAssemblyClient();
|
||||||
|
|
||||||
byte[] fileData = null;
|
byte[] fileData = null;
|
||||||
Dictionary<uint, DumpedMethod> dumpedMethods = null;
|
DumpedMethods dumpedMethods = null;
|
||||||
if (deob.getDecryptedModule(ref fileData, ref dumpedMethods))
|
if (deob.getDecryptedModule(ref fileData, ref dumpedMethods))
|
||||||
reloadModule(fileData, dumpedMethods);
|
reloadModule(fileData, dumpedMethods);
|
||||||
|
|
||||||
|
@ -372,7 +372,7 @@ namespace de4dot.code {
|
||||||
deob.deobfuscateEnd();
|
deob.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
void reloadModule(byte[] newModuleData, Dictionary<uint, DumpedMethod> dumpedMethods) {
|
void reloadModule(byte[] newModuleData, DumpedMethods dumpedMethods) {
|
||||||
Log.v("Reloading decrypted assembly (original filename: {0})", Filename);
|
Log.v("Reloading decrypted assembly (original filename: {0})", Filename);
|
||||||
simpleDeobfuscatorFlags.Clear();
|
simpleDeobfuscatorFlags.Clear();
|
||||||
module = assemblyModule.reload(newModuleData, dumpedMethods);
|
module = assemblyModule.reload(newModuleData, dumpedMethods);
|
||||||
|
|
|
@ -135,7 +135,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||||
if (!options.DecryptMethods)
|
if (!options.DecryptMethods)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
|
|
@ -155,7 +155,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool decrypt(PeImage peImage, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public bool decrypt(PeImage peImage, ref DumpedMethods dumpedMethods) {
|
||||||
this.peImage = peImage;
|
this.peImage = peImage;
|
||||||
|
|
||||||
uint offset = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
|
uint offset = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
|
||||||
|
@ -179,7 +179,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
||||||
peImage.writeUint32(rva + 8, methodInfo.localVarSigTok);
|
peImage.writeUint32(rva + 8, methodInfo.localVarSigTok);
|
||||||
}
|
}
|
||||||
|
|
||||||
dumpedMethods = new Dictionary<uint, DumpedMethod>();
|
dumpedMethods = new DumpedMethods();
|
||||||
offset = methodDefTable.fileOffset;
|
offset = methodDefTable.fileOffset;
|
||||||
for (int i = 0; i < methodInfos.Count; i++, offset += methodDefTable.totalSize) {
|
for (int i = 0; i < methodInfos.Count; i++, offset += methodDefTable.totalSize) {
|
||||||
var methodInfo = methodInfos[i];
|
var methodInfo = methodInfos[i];
|
||||||
|
@ -211,7 +211,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
||||||
dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8);
|
dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8);
|
||||||
}
|
}
|
||||||
|
|
||||||
dumpedMethods[dm.token] = dm;
|
dumpedMethods.add(dm);
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
|
|
@ -151,7 +151,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||||
if (!methodsDecrypter.Detected)
|
if (!methodsDecrypter.Detected)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
|
|
@ -160,7 +160,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool decrypt(byte[] fileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public bool decrypt(byte[] fileData, ref DumpedMethods dumpedMethods) {
|
||||||
if (decrypter == null)
|
if (decrypter == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -181,8 +181,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
Dictionary<uint, DumpedMethod> createDumpedMethods(PeImage peImage, byte[] fileData, byte[] methodsData) {
|
DumpedMethods createDumpedMethods(PeImage peImage, byte[] fileData, byte[] methodsData) {
|
||||||
var dumpedMethods = new Dictionary<uint, DumpedMethod>();
|
var dumpedMethods = new DumpedMethods();
|
||||||
|
|
||||||
var methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
|
var methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
|
||||||
var fileDataReader = new BinaryReader(new MemoryStream(fileData));
|
var fileDataReader = new BinaryReader(new MemoryStream(fileData));
|
||||||
|
@ -229,7 +229,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
if (!decrypter.decrypt(fileDataReader, dm))
|
if (!decrypter.decrypt(fileDataReader, dm))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
dumpedMethods[dm.token] = dm;
|
dumpedMethods.add(dm);
|
||||||
}
|
}
|
||||||
|
|
||||||
return dumpedMethods;
|
return dumpedMethods;
|
||||||
|
|
|
@ -137,7 +137,7 @@ namespace de4dot.code.deobfuscators {
|
||||||
protected abstract void scanForObfuscator();
|
protected abstract void scanForObfuscator();
|
||||||
protected abstract int detectInternal();
|
protected abstract int detectInternal();
|
||||||
|
|
||||||
public virtual bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public virtual bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators {
|
||||||
|
|
||||||
// If the obfuscator has encrypted parts of the file, then this method should return the
|
// If the obfuscator has encrypted parts of the file, then this method should return the
|
||||||
// decrypted file. true is returned if args have been initialized, false otherwise.
|
// decrypted file. true is returned if args have been initialized, false otherwise.
|
||||||
bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods);
|
bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods);
|
||||||
|
|
||||||
// This is only called if getDecryptedModule() != null, and after the module has been
|
// This is only called if getDecryptedModule() != null, and after the module has been
|
||||||
// reloaded. Should return a new IDeobfuscator with the same options and the new module.
|
// reloaded. Should return a new IDeobfuscator with the same options and the new module.
|
||||||
|
|
|
@ -141,7 +141,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||||
return decrypterType.LinkedResource != null || nativeLibSaver.Resource != null;
|
return decrypterType.LinkedResource != null || nativeLibSaver.Resource != null;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||||
if (!needsPatching())
|
if (!needsPatching())
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
|
|
@ -362,7 +362,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
||||||
fileData = ModuleBytes ?? DeobUtils.readModule(module);
|
fileData = ModuleBytes ?? DeobUtils.readModule(module);
|
||||||
peImage = new PeImage(fileData);
|
peImage = new PeImage(fileData);
|
||||||
|
|
||||||
|
|
|
@ -123,7 +123,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
|
|
||||||
static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 };
|
static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 };
|
||||||
static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
|
static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
|
||||||
public bool decrypt(PeImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref Dictionary<uint, DumpedMethod> dumpedMethods, Dictionary<uint,byte[]> tokenToNativeCode) {
|
public bool decrypt(PeImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref DumpedMethods dumpedMethods, Dictionary<uint, byte[]> tokenToNativeCode) {
|
||||||
if (encryptedResource.Method == null)
|
if (encryptedResource.Method == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -189,7 +189,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
|
|
||||||
patchDwords(peImage, methodsDataReader, patchCount);
|
patchDwords(peImage, methodsDataReader, patchCount);
|
||||||
int count = methodsDataReader.ReadInt32();
|
int count = methodsDataReader.ReadInt32();
|
||||||
dumpedMethods = new Dictionary<uint, DumpedMethod>();
|
dumpedMethods = new DumpedMethods();
|
||||||
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
||||||
uint rva = methodsDataReader.ReadUInt32();
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
uint index = methodsDataReader.ReadUInt32();
|
uint index = methodsDataReader.ReadUInt32();
|
||||||
|
@ -257,7 +257,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||||
dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8);
|
dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8);
|
||||||
}
|
}
|
||||||
|
|
||||||
dumpedMethods[dm.token] = dm;
|
dumpedMethods.add(dm);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user