monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Most deobfuscators now don't rename everything with east asian chars

Browse Source
This commit is contained in:
de4dot 2013-11-18 15:43:08 +01:00
parent 9c924d2aa3
commit 544aa9f145
23 changed files with 31 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs
View File

@ -28,7 +28,7 @@ namespace de4dot.code.deobfuscators.Agile_NET {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "Agile.NET";
public const string THE_TYPE = "an";
const string DEFAULT_REGEX = @"[a-zA-Z_0-9>}$]$";
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
BoolOption decryptMethods;
BoolOption decryptResources;
BoolOption removeStackFrameHelper;

3
de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs
View File

@ -27,6 +27,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "Babel .NET";
public const string THE_TYPE = "bl";
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
BoolOption inlineMethods;
BoolOption removeInlinedMethods;
BoolOption decryptMethods;
@ -35,7 +36,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
BoolOption dumpEmbeddedAssemblies;
public DeobfuscatorInfo()
: base() {
: base(DEFAULT_REGEX) {
inlineMethods = new BoolOption(null, MakeArgName("inline"), "Inline short methods", true);
removeInlinedMethods = new BoolOption(null, MakeArgName("remove-inlined"), "Remove inlined methods", true);
decryptMethods = new BoolOption(null, MakeArgName("methods"), "Decrypt methods", true);

2
de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs
View File

@ -26,7 +26,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "CodeFort";
public const string THE_TYPE = "cf";
const string DEFAULT_REGEX = @"!^[a-zA-Z]{1,3}$&!^[_<>{}$.`-]$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^[a-zA-Z]{1,3}$&!^[_<>{}$.`-]$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
BoolOption dumpEmbeddedAssemblies;
public DeobfuscatorInfo()

2
de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
View File

@ -26,7 +26,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "CodeVeil";
public const string THE_TYPE = "cv";
const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
public DeobfuscatorInfo()
: base(DEFAULT_REGEX) {

2
de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs
View File

@ -26,7 +26,7 @@ namespace de4dot.code.deobfuscators.CodeWall {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "CodeWall";
public const string THE_TYPE = "cw";
const string DEFAULT_REGEX = @"!^[0-9A-F]{32}$&!^[_<>{}$.`-]$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^[0-9A-F]{32}$&!^[_<>{}$.`-]$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
BoolOption dumpEmbeddedAssemblies;
BoolOption decryptMainAsm;

2
de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
View File

@ -28,7 +28,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "Crypto Obfuscator";
public const string THE_TYPE = "co";
const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
BoolOption removeTamperProtection;
BoolOption decryptConstants;
BoolOption inlineMethods;

3
de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs
View File

@ -26,6 +26,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "DeepSea";
public const string THE_TYPE = "ds";
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
BoolOption inlineMethods;
BoolOption removeInlinedMethods;
BoolOption decryptResources;
@ -35,7 +36,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
BoolOption castDeobfuscation;
public DeobfuscatorInfo()
: base() {
: base(DEFAULT_REGEX) {
inlineMethods = new BoolOption(null, MakeArgName("inline"), "Inline short methods", true);
removeInlinedMethods = new BoolOption(null, MakeArgName("remove-inlined"), "Remove inlined methods", true);
decryptResources = new BoolOption(null, MakeArgName("rsrc"), "Decrypt resources", true);

1
de4dot.code/deobfuscators/DeobfuscatorBase.cs
View File

@ -29,6 +29,7 @@ using de4dot.blocks.cflow;
namespace de4dot.code.deobfuscators {
abstract class DeobfuscatorBase : IDeobfuscator, IModuleWriterListener {
public const string DEFAULT_VALID_NAME_REGEX = @"^[a-zA-Z_<{$][a-zA-Z_0-9<>{}$.`-]*$";
public const string DEFAULT_ASIAN_VALID_NAME_REGEX = @"^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$";
class RemoveInfo<T> {
public T obj;

4
de4dot.code/deobfuscators/DeobfuscatorInfoBase.cs
View File

@ -23,10 +23,6 @@ namespace de4dot.code.deobfuscators {
public abstract class DeobfuscatorInfoBase : IDeobfuscatorInfo {
protected NameRegexOption validNameRegex;
public DeobfuscatorInfoBase()
: this(null) {
}
public DeobfuscatorInfoBase(string nameRegex) {
validNameRegex = new NameRegexOption(null, MakeArgName("name"), "Valid name regex pattern", nameRegex ?? DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX);
}

2
de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs
View File

@ -25,7 +25,7 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "Dotfuscator";
public const string THE_TYPE = "df";
const string DEFAULT_REGEX = @"!^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
public DeobfuscatorInfo()
: base(DEFAULT_REGEX) {
}

2
de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs
View File

@ -28,7 +28,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "Eazfuscator.NET";
public const string THE_TYPE = "ef";
const string DEFAULT_REGEX = @"!^#=&!^dje_.+_ejd$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^#=&!^dje_.+_ejd$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
public DeobfuscatorInfo()
: base(DEFAULT_REGEX) {
}

2
de4dot.code/deobfuscators/Goliath_NET/Deobfuscator.cs
View File

@ -25,7 +25,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "Goliath.NET";
public const string THE_TYPE = "go";
const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
BoolOption inlineMethods;
BoolOption removeInlinedMethods;
BoolOption restoreLocals;

3
de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs
View File

@ -26,9 +26,10 @@ namespace de4dot.code.deobfuscators.ILProtector {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "ILProtector";
public const string THE_TYPE = "il";
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
public DeobfuscatorInfo()
: base() {
: base(DEFAULT_REGEX) {
}
public override string Name {

4
de4dot.code/deobfuscators/MPRESS/Deobfuscator.cs
View File

@ -29,8 +29,10 @@ namespace de4dot.code.deobfuscators.MPRESS {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "MPRESS";
public const string THE_TYPE = "mp";
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
public DeobfuscatorInfo()
: base() {
: base(DEFAULT_REGEX) {
}
public override string Name {

2
de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs
View File

@ -27,7 +27,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "MaxtoCode";
public const string THE_TYPE = "mc";
const string DEFAULT_REGEX = @"!^[oO01l]+$&!^[A-F0-9]{20,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^[oO01l]+$&!^[A-F0-9]{20,}$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
IntOption stringCodePage;
public DeobfuscatorInfo()

1
de4dot.code/deobfuscators/Rummage/Deobfuscator.cs
View File

@ -26,6 +26,7 @@ namespace de4dot.code.deobfuscators.Rummage {
public const string THE_NAME = "Rummage";
public const string THE_TYPE = "rm";
const string DEFAULT_REGEX = @"!.";
public DeobfuscatorInfo()
: base(DEFAULT_REGEX) {
}

2
de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs
View File

@ -25,7 +25,7 @@ namespace de4dot.code.deobfuscators.Skater_NET {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "Skater .NET";
public const string THE_TYPE = "sk";
const string DEFAULT_REGEX = @"!`[^0-9]+&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!`[^0-9]+&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
public DeobfuscatorInfo()
: base(DEFAULT_REGEX) {

3
de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs
View File

@ -29,12 +29,13 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "SmartAssembly";
public const string THE_TYPE = "sa";
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
BoolOption removeAutomatedErrorReporting;
BoolOption removeTamperProtection;
BoolOption removeMemoryManager;
public DeobfuscatorInfo()
: base() {
: base(DEFAULT_REGEX) {
removeAutomatedErrorReporting = new BoolOption(null, MakeArgName("error"), "Remove automated error reporting code", true);
removeTamperProtection = new BoolOption(null, MakeArgName("tamper"), "Remove tamper protection code", true);
removeMemoryManager = new BoolOption(null, MakeArgName("memory"), "Remove memory manager code", true);

2
de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs
View File

@ -26,7 +26,7 @@ namespace de4dot.code.deobfuscators.Spices_Net {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "Spices.Net";
public const string THE_TYPE = "sn";
const string DEFAULT_REGEX = @"!^[a-zA-Z0-9]{1,2}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^[a-zA-Z0-9]{1,2}$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
BoolOption inlineMethods;
BoolOption removeInlinedMethods;
BoolOption removeNamespaces;

4
de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
View File

@ -25,8 +25,10 @@ namespace de4dot.code.deobfuscators.Unknown {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "Unknown";
public const string THE_TYPE = "un";
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
public DeobfuscatorInfo()
: base() {
: base(DEFAULT_REGEX) {
}
public override string Name {

3
de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs
View File

@ -24,7 +24,8 @@ namespace de4dot.code.deobfuscators.Xenocode {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "Xenocode";
public const string THE_TYPE = "xc";
const string DEFAULT_REGEX = @"!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?[x_][a-f0-9]{16,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?[x_][a-f0-9]{16,}$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
public DeobfuscatorInfo()
: base(DEFAULT_REGEX) {
}

2
de4dot.code/deobfuscators/dotNET_Reactor/v3/Deobfuscator.cs
View File

@ -31,7 +31,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = ".NET Reactor";
public const string THE_TYPE = "dr3";
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
BoolOption restoreTypes;
BoolOption inlineMethods;
BoolOption removeInlinedMethods;

2
de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
View File

@ -32,7 +32,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = ".NET Reactor";
public const string THE_TYPE = "dr4";
const string DEFAULT_REGEX = @"!^[A-Za-z0-9]{2,3}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
const string DEFAULT_REGEX = @"!^[A-Za-z0-9]{2,3}$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
BoolOption decryptMethods;
BoolOption decryptBools;
BoolOption restoreTypes;