From 4f34e5c374bcb08c63d1b6a6812136af4d3ce5a4 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Mon, 23 Apr 2012 02:04:34 +0200
Subject: [PATCH] Restore .NET data directory so it can be deobfuscated
---
 .../deobfuscators/CliSecure/Deobfuscator.cs | 30 ++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs b/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs
index 1a38925f..f58b2606 100644
--- a/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs
@@ -17,6 +17,7 @@
 along with de4dot. If not, see .
 */
+using System;
 using System.Collections.Generic;
 using Mono.Cecil;
 using Mono.MyStuff;
@@ -108,6 +109,33 @@ namespace de4dot.code.deobfuscators.CliSecure {
 base.init(module);
 }
+ public override byte[] unpackNativeFile(PeImage peImage) {
+ const int dataDirNum = 6; // debug dir
+ const int dotNetDirNum = 14;
+
+ if (peImage.OptionalHeader.dataDirectories[dataDirNum].virtualAddress == 0)
+ return null;
+ if (peImage.OptionalHeader.dataDirectories[dataDirNum].size != 0x48)
+ return null;
+
+ var fileData = peImage.readAllBytes();
+ int dataDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dataDirNum);
+ int dotNetDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dotNetDirNum);
+ writeUInt32(fileData, dotNetDir, BitConverter.ToUInt32(fileData, dataDir));
+ writeUInt32(fileData, dotNetDir + 4, BitConverter.ToUInt32(fileData, dataDir + 4));
+ writeUInt32(fileData, dataDir, 0);
+ writeUInt32(fileData, dataDir + 4, 0);
+ ModuleBytes = fileData;
+ return fileData;
+ }
+
+ static void writeUInt32(byte[] data, int offset, uint value) {
+ data[offset] = (byte)value;
+ data[offset + 1] = (byte)(value >> 8);
+ data[offset + 2] = (byte)(value >> 16);
+ data[offset + 3] = (byte)(value >> 24);
+ }
+
 protected override int detectInternal() {
 int val = 0;
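Review bot: In `unpackNativeFile`, the values from `offsetOfDataDirectory` are cast to `int` and used to read and patch `fileData` with no check that both 8-byte directory entries lie inside the buffer, and `dataDirectories[dotNetDirNum]` is assumed to exist. The input here is an obfuscated and possibly malformed PE file, so a truncated or hostile optional header would presumably surface as an exception from `BitConverter.ToUInt32` or `writeUInt32` instead of the method's `return null` "not handled" path; `PeImage` is not visible in this hunk, so confirm whether it already validates these offsets. A guard before the first write, such as `if (dataDir < 0 || dotNetDir < 0 || dataDir + 8 > fileData.Length || dotNetDir + 8 > fileData.Length) return null;`, would keep that contract. It would also help to add a comment that `0x48` is the size of the CLI header that slot 14 normally describes, and to consider requiring slot 14 to be empty before overwriting it, so an unrelated file whose debug directory happens to be 0x48 bytes is not rewritten.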
@@ -148,7 +176,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
 if (!options.DecryptMethods)
 return false;
- byte[] fileData = DeobUtils.readModule(module);
+ byte[] fileData = ModuleBytes ?? DeobUtils.readModule(module);
 var peImage = new PeImage(fileData);
 if (!new MethodsDecrypter().decrypt(peImage, module.FullyQualifiedName, cliSecureRtType, ref dumpedMethods)) {