Don't decrypt already decrypted resources
This commit is contained in:
parent
239bfbfc2b
commit
5d6db10ba4
|
@ -765,9 +765,14 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
var peImage = decrypterInfo.peImage;
|
var peImage = decrypterInfo.peImage;
|
||||||
var fileData = decrypterInfo.fileData;
|
var fileData = decrypterInfo.fileData;
|
||||||
|
|
||||||
|
uint decryptedResources = peHeader.ReadUInt32(0xFE8) ^ mcKey.ReadUInt32(0);
|
||||||
uint resourceRva = peHeader.GetRva(0x0E10, mcKey.ReadUInt32(0x00A0));
|
uint resourceRva = peHeader.GetRva(0x0E10, mcKey.ReadUInt32(0x00A0));
|
||||||
uint resourceSize = peHeader.ReadUInt32(0x0E14) ^ mcKey.ReadUInt32(0x00AA);
|
int resourceSize = (int)(peHeader.ReadUInt32(0x0E14) ^ mcKey.ReadUInt32(0x00AA));
|
||||||
if (resourceRva == 0 || resourceSize == 0)
|
if (decryptedResources == 1) {
|
||||||
|
Logger.v("Resources have already been decrypted");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (resourceRva == 0 || resourceSize <= 0)
|
||||||
return;
|
return;
|
||||||
if (resourceRva != (uint)peImage.Cor20Header.Resources.VirtualAddress ||
|
if (resourceRva != (uint)peImage.Cor20Header.Resources.VirtualAddress ||
|
||||||
resourceSize != peImage.Cor20Header.Resources.Size) {
|
resourceSize != peImage.Cor20Header.Resources.Size) {
|
||||||
|
|
Loading…
Reference in New Issue
Block a user