From 488f592df3da27e870dd73108860d669b617cb97 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Sun, 30 Dec 2012 12:34:21 +0100
Subject: [PATCH] Update Xenocode deobfuscator

- Remove a type with thousands of methods
- Fix rename regex
- Fix names of attributes (lowercase c)
- Remove an invalid attribute added to the module
---
 .../deobfuscators/Xenocode/Deobfuscator.cs | 60 ++++++++++++++++++-
 1 file changed, 57 insertions(+), 3 deletions(-)

diff --git a/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs b/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs
index b12d844e..ff217c5f 100644
--- a/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs
@@ -24,7 +24,7 @@ namespace de4dot.code.deobfuscators.Xenocode {
 public class DeobfuscatorInfo : DeobfuscatorInfoBase {
 public const string THE_NAME = "Xenocode";
 public const string THE_TYPE = "xc";
- const string DEFAULT_REGEX = @"!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?x[a-f0-9]{16,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
+ const string DEFAULT_REGEX = @"!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?[x_][a-f0-9]{16,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
 public DeobfuscatorInfo()
 : base(DEFAULT_REGEX) {
 }
@@ -89,8 +89,8 @@ namespace de4dot.code.deobfuscators.Xenocode {
 switch (type.FullName) {
 case "Xenocode.Client.Attributes.AssemblyAttributes.ProcessedByXenocode":
 case "Xenocode.Client.Attributes.AssemblyAttributes.SuppressDisassembly":
- case "XenoCode.User.Attributes.AssemblyAttributes.ProcessedByXenoCode":
- case "XenoCode.User.Attributes.AssemblyAttributes.SuppressDisassembly":
+ case "Xenocode.User.Attributes.AssemblyAttributes.ProcessedByXenoCode":
+ case "Xenocode.User.Attributes.AssemblyAttributes.SuppressDisassembly":
 addAttributeToBeRemoved(type, "Obfuscator attribute");
 foundXenocodeAttribute = true;
 break;
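Review bot: The widened character class `[x_]` in `DEFAULT_REGEX` (hunk at line 24) is undocumented, and together with the optional `_` prefix alternative it now also matches names made of `__` followed by 16 or more lowercase hex digits. A comment above the constant would record the intent, for example `// Xenocode-generated names: runs of o/O/0/1/l, or an x or _ followed by 16+ lowercase hex digits`. If this pattern decides which names get renamed, as the commit message suggests, it is worth confirming on a sample that the `_` form does not also occur in compiler-generated or hand-written names in the target assemblies.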
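Review bot: In the hunk at line 89 the first replaced `case` label now spells the namespace `Xenocode.User` but still ends in `ProcessedByXenoCode` with a capital C, while the `Xenocode.Client` label above it ends in `ProcessedByXenocode`. The switch on `type.FullName` is an exact, case-sensitive comparison, so if that capital C is a leftover the attribute is never matched and `foundXenocodeAttribute` stays false for those assemblies. If both spellings exist in real samples, keeping the old `XenoCode.User...` labels next to the new ones is harmless; otherwise a short comment naming which Xenocode versions emit which spelling would settle it. The enclosing method starts and ends outside the hunk.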
@@ -108,9 +108,63 @@ namespace de4dot.code.deobfuscators.Xenocode {
 public override void deobfuscateEnd() {
 if (CanRemoveStringDecrypterType)
 addTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
+ var obfType = findTypeWithThousandsOfMethods();
+ if (obfType != null)
+ addTypeToBeRemoved(obfType, "Obfuscator type with thousands of empty methods");
+ removeInvalidAttributes(module);
+ removeInvalidAttributes(module.Assembly);
 base.deobfuscateEnd();
 }

+ TypeDef findTypeWithThousandsOfMethods() {
+ foreach (var type in module.Types) {
+ if (isTypeWithThousandsOfMethods(type))
+ return type;
+ }
+
+ return null;
+ }
+
+ bool isTypeWithThousandsOfMethods(TypeDef type) {
+ if (!type.IsNotPublic)
+ return false;
+ if (type.HasFields || type.HasEvents || type.HasProperties)
+ return false;
+ if (type.Methods.Count < 100)
+ return false;
+
+ foreach (var method in type.Methods) {
+ if (method.IsStaticConstructor)
+ return false;
+ if (method.IsConstructor) {
+ if (method.MethodSig.GetParamCount() != 0)
+ return false;
+ continue;
+ }
+ if (!method.IsPrivate || method.IsStatic)
+ return false;
+ if (method.Body == null)
+ return false;
+ if (method.Body.Instructions.Count != 1)
+ return false;
+ }
+
+ return true;
+ }
+
+ // Remove the attribute Xenocode adds that has an invalid ctor
+ void removeInvalidAttributes(IHasCustomAttribute hca) {
+ if (!CanRemoveTypes)
+ return;
+ if (hca == null)
+ return;
+ for (int i = hca.CustomAttributes.Count - 1; i >= 0; i--) {
+ var ca = hca.CustomAttributes[i];
+ if (ca.Constructor == null)
+ hca.CustomAttributes.RemoveAt(i);
+ }
+ }
+
 public override IEnumerable getStringDecrypterMethods() {
 var list = new List();
 if (stringDecrypter.Method != null)
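Review bot: `isTypeWithThousandsOfMethods` accepts a type with as few as 100 methods and never checks what the single instruction in each body is, although the method name and the removal reason both say "thousands of empty methods". A false positive here deletes a type from the output assembly, so the heuristic should be as tight as its description. Consider naming the threshold, e.g. `const int MIN_EMPTY_METHODS = 100;`, with a comment on why 100 was chosen. If "empty" means a lone `ret`, also add `if (method.Body.Instructions[0].OpCode.Code != Code.Ret) return false;`, assuming the IL library's `Code` enum is in scope in this file. Separately, `removeInvalidAttributes` is gated on `CanRemoveTypes` and removes entries directly without a log message, unlike the `addAttributeToBeRemoved` path used elsewhere in the file; a one-line comment explaining both choices would help.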