Update Xenocode deobfuscator
- Remove a type with thousands of methods - Fix rename regex - Fix names of attributes (lowercase c) - Remove an invalid attribute added to the module
parent
cb929f63dd
commit
488f592df3
|
@ -24,7 +24,7 @@ namespace de4dot.code.deobfuscators.Xenocode {
|
||||||
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||||
public const string THE_NAME = "Xenocode";
|
public const string THE_NAME = "Xenocode";
|
||||||
public const string THE_TYPE = "xc";
|
public const string THE_TYPE = "xc";
|
||||||
const string DEFAULT_REGEX = @"!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?x[a-f0-9]{16,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
const string DEFAULT_REGEX = @"!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?[x_][a-f0-9]{16,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
||||||
public DeobfuscatorInfo()
|
public DeobfuscatorInfo()
|
||||||
: base(DEFAULT_REGEX) {
|
: base(DEFAULT_REGEX) {
|
||||||
}
|
}
|
||||||
|
@ -89,8 +89,8 @@ namespace de4dot.code.deobfuscators.Xenocode {
|
||||||
switch (type.FullName) {
|
switch (type.FullName) {
|
||||||
case "Xenocode.Client.Attributes.AssemblyAttributes.ProcessedByXenocode":
|
case "Xenocode.Client.Attributes.AssemblyAttributes.ProcessedByXenocode":
|
||||||
case "Xenocode.Client.Attributes.AssemblyAttributes.SuppressDisassembly":
|
case "Xenocode.Client.Attributes.AssemblyAttributes.SuppressDisassembly":
|
||||||
case "XenoCode.User.Attributes.AssemblyAttributes.ProcessedByXenoCode":
|
case "Xenocode.User.Attributes.AssemblyAttributes.ProcessedByXenoCode":
|
||||||
case "XenoCode.User.Attributes.AssemblyAttributes.SuppressDisassembly":
|
case "Xenocode.User.Attributes.AssemblyAttributes.SuppressDisassembly":
|
||||||
addAttributeToBeRemoved(type, "Obfuscator attribute");
|
addAttributeToBeRemoved(type, "Obfuscator attribute");
|
||||||
foundXenocodeAttribute = true;
|
foundXenocodeAttribute = true;
|
||||||
break;
|
break;
|
||||||
|
@ -108,9 +108,63 @@ namespace de4dot.code.deobfuscators.Xenocode {
|
||||||
public override void deobfuscateEnd() {
|
public override void deobfuscateEnd() {
|
||||||
if (CanRemoveStringDecrypterType)
|
if (CanRemoveStringDecrypterType)
|
||||||
addTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
|
addTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
|
||||||
|
var obfType = findTypeWithThousandsOfMethods();
|
||||||
|
if (obfType != null)
|
||||||
|
addTypeToBeRemoved(obfType, "Obfuscator type with thousands of empty methods");
|
||||||
|
removeInvalidAttributes(module);
|
||||||
|
removeInvalidAttributes(module.Assembly);
|
||||||
base.deobfuscateEnd();
|
base.deobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
TypeDef findTypeWithThousandsOfMethods() {
|
||||||
|
foreach (var type in module.Types) {
|
||||||
|
if (isTypeWithThousandsOfMethods(type))
|
||||||
|
return type;
|
||||||
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool isTypeWithThousandsOfMethods(TypeDef type) {
|
||||||
|
if (!type.IsNotPublic)
|
||||||
|
return false;
|
||||||
|
if (type.HasFields || type.HasEvents || type.HasProperties)
|
||||||
|
return false;
|
||||||
|
if (type.Methods.Count < 100)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
foreach (var method in type.Methods) {
|
||||||
|
if (method.IsStaticConstructor)
|
||||||
|
return false;
|
||||||
|
if (method.IsConstructor) {
|
||||||
|
if (method.MethodSig.GetParamCount() != 0)
|
||||||
|
return false;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
if (!method.IsPrivate || method.IsStatic)
|
||||||
|
return false;
|
||||||
|
if (method.Body == null)
|
||||||
|
return false;
|
||||||
|
if (method.Body.Instructions.Count != 1)
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Remove the attribute Xenocode adds that has an invalid ctor
|
||||||
|
void removeInvalidAttributes(IHasCustomAttribute hca) {
|
||||||
|
if (!CanRemoveTypes)
|
||||||
|
return;
|
||||||
|
if (hca == null)
|
||||||
|
return;
|
||||||
|
for (int i = hca.CustomAttributes.Count - 1; i >= 0; i--) {
|
||||||
|
var ca = hca.CustomAttributes[i];
|
||||||
|
if (ca.Constructor == null)
|
||||||
|
hca.CustomAttributes.RemoveAt(i);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public override IEnumerable<int> getStringDecrypterMethods() {
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||||
var list = new List<int>();
|
var list = new List<int>();
|
||||||
if (stringDecrypter.Method != null)
|
if (stringDecrypter.Method != null)
|
||||||
|
|
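Review bot: In the third hunk, `isTypeWithThousandsOfMethods` accepts any private instance method whose body has exactly one instruction without checking that the instruction is `ret`, and its cut-off is 100 methods although the name and the removal reason both say "thousands of empty methods". A match queues the whole type for removal from the output assembly, so the heuristic should be as tight as its description: add `if (method.Body.Instructions[0].OpCode.Code != Code.Ret) return false;` after the count check (assuming dnlib's `Code` enum is in scope in this file), and name the `100` as a constant or comment why it is that low. The function also ignores nested types, so if `addTypeToBeRemoved` does not already refuse types that are still referenced, a false positive would leave the cleaned module broken with no hint why. Separately, `removeInvalidAttributes` is gated on `CanRemoveTypes` and deletes with `RemoveAt` directly, so unlike `addAttributeToBeRemoved(type, "Obfuscator attribute")` it records no reason; logging each removed attribute would keep the output auditable for an analyst comparing it with the original sample.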