Update Xenocode deobfuscator

- Remove a type with thousands of methods
- Fix rename regex
- Fix names of attributes (lowercase c)
- Remove an invalid attribute added to the module
de4dot 2012-12-30 12:34:21 +01:00
parent cb929f63dd
commit 488f592df3


@ -24,7 +24,7 @@ namespace de4dot.code.deobfuscators.Xenocode {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "Xenocode";
public const string THE_TYPE = "xc";
const string DEFAULT_REGEX = @"!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?x[a-f0-9]{16,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?[x_][a-f0-9]{16,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
public DeobfuscatorInfo()
: base(DEFAULT_REGEX) {
}
@ -89,8 +89,8 @@ namespace de4dot.code.deobfuscators.Xenocode {
switch (type.FullName) {
case "Xenocode.Client.Attributes.AssemblyAttributes.ProcessedByXenocode":
case "Xenocode.Client.Attributes.AssemblyAttributes.SuppressDisassembly":
case "XenoCode.User.Attributes.AssemblyAttributes.ProcessedByXenoCode":
case "XenoCode.User.Attributes.AssemblyAttributes.SuppressDisassembly":
case "Xenocode.User.Attributes.AssemblyAttributes.ProcessedByXenoCode":
case "Xenocode.User.Attributes.AssemblyAttributes.SuppressDisassembly":
addAttributeToBeRemoved(type, "Obfuscator attribute");
foundXenocodeAttribute = true;
break;
@ -108,9 +108,63 @@ namespace de4dot.code.deobfuscators.Xenocode {
public override void deobfuscateEnd() {
if (CanRemoveStringDecrypterType)
addTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
var obfType = findTypeWithThousandsOfMethods();
if (obfType != null)
addTypeToBeRemoved(obfType, "Obfuscator type with thousands of empty methods");
removeInvalidAttributes(module);
removeInvalidAttributes(module.Assembly);
base.deobfuscateEnd();
}
TypeDef findTypeWithThousandsOfMethods() {
foreach (var type in module.Types) {
if (isTypeWithThousandsOfMethods(type))
return type;
}
return null;
}
bool isTypeWithThousandsOfMethods(TypeDef type) {
if (!type.IsNotPublic)
return false;
if (type.HasFields || type.HasEvents || type.HasProperties)
return false;
if (type.Methods.Count < 100)
return false;
foreach (var method in type.Methods) {
if (method.IsStaticConstructor)
return false;
if (method.IsConstructor) {
if (method.MethodSig.GetParamCount() != 0)
return false;
continue;
}
if (!method.IsPrivate || method.IsStatic)
return false;
if (method.Body == null)
return false;
if (method.Body.Instructions.Count != 1)
return false;
}
return true;
}
// Remove the attribute Xenocode adds that has an invalid ctor
void removeInvalidAttributes(IHasCustomAttribute hca) {
if (!CanRemoveTypes)
return;
if (hca == null)
return;
for (int i = hca.CustomAttributes.Count - 1; i >= 0; i--) {
var ca = hca.CustomAttributes[i];
if (ca.Constructor == null)
hca.CustomAttributes.RemoveAt(i);
}
}
public override IEnumerable<int> getStringDecrypterMethods() {
var list = new List<int>();
if (stringDecrypter.Method != null)
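Review bot: `isTypeWithThousandsOfMethods` accepts any non-public type with 100 or more private instance methods whose bodies hold exactly one instruction, but it never checks what that instruction is or whether anything references the type, so a false positive would presumably drop real code from the output an analyst then reads. Consider confirming the instruction is a return, e.g. `if (method.Body.Instructions[0].OpCode.Code != Code.Ret) return false;` (assuming the Emit namespace is in scope here), and giving the `100` threshold a named constant, since both the method name and the removal reason say "thousands". In `removeInvalidAttributes`, attributes with a null `Constructor` are deleted directly and without a reason string, unlike the `addAttributeToBeRemoved(type, "Obfuscator attribute")` path shown earlier in the same file, and the gate is `CanRemoveTypes` although no type is removed; a short comment explaining both choices would help the next maintainer. `findTypeWithThousandsOfMethods` also returns only the first match, which is worth stating in a comment if a single such type per module is the expectation.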