Inline methods
This commit is contained in:
de4dot
parent
13ef523d58
commit
67c9e76276
|
|
@ -126,9 +126,11 @@
|
|||
<Compile Include="deobfuscators\CRC32.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\CoMethodCallInliner.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\ConstantsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\InlinedMethodTypes.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\ProxyCallFixer.cs" />
|
||||
|
|
|
|||
|
|
@ -0,0 +1,53 @@
|
|||
/*
|
||||
Copyright (C) 2011-2013 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using dnlib.DotNet;
|
||||
using de4dot.blocks.cflow;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class CoMethodCallInliner : MethodCallInliner {
|
||||
readonly InlinedMethodTypes inlinedMethodTypes;
|
||||
|
||||
public CoMethodCallInliner(InlinedMethodTypes inlinedMethodTypes)
|
||||
: base(false) {
|
||||
this.inlinedMethodTypes = inlinedMethodTypes;
|
||||
}
|
||||
|
||||
protected override bool CanInline(MethodDef method) {
|
||||
if (method == null)
|
||||
return false;
|
||||
|
||||
if (method.Attributes != (MethodAttributes.Assembly | MethodAttributes.Static | MethodAttributes.HideBySig))
|
||||
return false;
|
||||
if (method.HasGenericParameters)
|
||||
return false;
|
||||
if (!inlinedMethodTypes.IsValidMethodType(method.DeclaringType))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
protected override void OnInlinedMethod(MethodDef methodToInline, bool inlinedMethod) {
|
||||
if (inlinedMethod)
|
||||
inlinedMethodTypes.Add(methodToInline.DeclaringType);
|
||||
else
|
||||
inlinedMethodTypes.DontRemoveType(methodToInline.DeclaringType);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -22,6 +22,7 @@ using System.Collections.Generic;
|
|||
using System.Text.RegularExpressions;
|
||||
using dnlib.DotNet;
|
||||
using de4dot.blocks;
|
||||
using de4dot.blocks.cflow;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||
|
|
@ -30,11 +31,13 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
||||
BoolOption removeTamperProtection;
|
||||
BoolOption decryptConstants;
|
||||
BoolOption inlineMethods;
|
||||
|
||||
public DeobfuscatorInfo()
|
||||
: base(DEFAULT_REGEX) {
|
||||
removeTamperProtection = new BoolOption(null, MakeArgName("tamper"), "Remove tamper protection code", true);
|
||||
decryptConstants = new BoolOption(null, MakeArgName("consts"), "Decrypt constants", true);
|
||||
inlineMethods = new BoolOption(null, MakeArgName("inline"), "Inline short methods", true);
|
||||
}
|
||||
|
||||
public override string Name {
|
||||
|
|
@ -50,6 +53,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
ValidNameRegex = validNameRegex.get(),
|
||||
RemoveTamperProtection = removeTamperProtection.get(),
|
||||
DecryptConstants = decryptConstants.get(),
|
||||
InlineMethods = inlineMethods.get(),
|
||||
});
|
||||
}
|
||||
|
||||
|
|
@ -57,6 +61,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
return new List<Option>() {
|
||||
removeTamperProtection,
|
||||
decryptConstants,
|
||||
inlineMethods,
|
||||
};
|
||||
}
|
||||
}
|
||||
|
|
@ -67,6 +72,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
bool foundCryptoObfuscatorAttribute = false;
|
||||
bool foundObfuscatedSymbols = false;
|
||||
bool foundObfuscatorUserString = false;
|
||||
bool startedDeobfuscating = false;
|
||||
|
||||
MethodsDecrypter methodsDecrypter;
|
||||
ProxyCallFixer proxyCallFixer;
|
||||
|
|
@ -81,10 +87,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
Int64ValueInliner int64ValueInliner;
|
||||
SingleValueInliner singleValueInliner;
|
||||
DoubleValueInliner doubleValueInliner;
|
||||
InlinedMethodTypes inlinedMethodTypes;
|
||||
|
||||
internal class Options : OptionsBase {
|
||||
public bool RemoveTamperProtection { get; set; }
|
||||
public bool DecryptConstants { get; set; }
|
||||
public bool InlineMethods { get; set; }
|
||||
}
|
||||
|
||||
public override string Type {
|
||||
|
|
@ -99,6 +107,19 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
get { return obfuscatorName; }
|
||||
}
|
||||
|
||||
protected override bool CanInlineMethods {
|
||||
get { return startedDeobfuscating ? options.InlineMethods : true; }
|
||||
}
|
||||
|
||||
public override IEnumerable<IBlocksDeobfuscator> BlocksDeobfuscators {
|
||||
get {
|
||||
var list = new List<IBlocksDeobfuscator>();
|
||||
if (CanInlineMethods)
|
||||
list.Add(new CoMethodCallInliner(inlinedMethodTypes));
|
||||
return list;
|
||||
}
|
||||
}
|
||||
|
||||
public Deobfuscator(Options options)
|
||||
: base(options) {
|
||||
this.options = options;
|
||||
|
|
@ -136,6 +157,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (CheckCryptoObfuscator())
|
||||
foundObfuscatedSymbols = true;
|
||||
|
||||
inlinedMethodTypes = new InlinedMethodTypes();
|
||||
methodsDecrypter = new MethodsDecrypter(module);
|
||||
methodsDecrypter.Find();
|
||||
proxyCallFixer = new ProxyCallFixer(module);
|
||||
|
|
@ -236,6 +258,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
proxyCallFixer.Find();
|
||||
|
||||
DumpEmbeddedAssemblies();
|
||||
|
||||
startedDeobfuscating = true;
|
||||
}
|
||||
|
||||
public override void DeobfuscateMethodEnd(Blocks blocks) {
|
||||
|
|
@ -256,6 +280,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
|
||||
AddTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
|
||||
}
|
||||
if (options.InlineMethods)
|
||||
AddTypesToBeRemoved(inlinedMethodTypes.Types, "Inlined methods types");
|
||||
base.DeobfuscateEnd();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,90 @@
|
|||
/*
|
||||
Copyright (C) 2011-2013 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using dnlib.DotNet;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class InlinedMethodTypes {
|
||||
Dictionary<TypeDef, TypeFlags> types = new Dictionary<TypeDef, TypeFlags>();
|
||||
|
||||
[Flags]
|
||||
enum TypeFlags {
|
||||
DontRemoveType = 1,
|
||||
}
|
||||
|
||||
public IEnumerable<TypeDef> Types {
|
||||
get {
|
||||
foreach (var kv in types) {
|
||||
if ((kv.Value & TypeFlags.DontRemoveType) == 0)
|
||||
yield return kv.Key;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
bool IsValidType(TypeDef type) {
|
||||
if (type == null)
|
||||
return false;
|
||||
|
||||
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
|
||||
return false;
|
||||
if (type.DeclaringType != null)
|
||||
return false;
|
||||
if (type.Attributes != (TypeAttributes.NotPublic | TypeAttributes.AutoLayout |
|
||||
TypeAttributes.Class | TypeAttributes.Sealed | TypeAttributes.AnsiClass))
|
||||
return false;
|
||||
if (type.HasProperties || type.HasEvents)
|
||||
return false;
|
||||
if (type.HasInterfaces)
|
||||
return false;
|
||||
if (type.HasGenericParameters)
|
||||
return false;
|
||||
if (type.HasNestedTypes)
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
public bool IsValidMethodType(TypeDef type) {
|
||||
if (!IsValidType(type))
|
||||
return false;
|
||||
|
||||
if (type.HasFields)
|
||||
return false;
|
||||
if (type.Methods.Count != 1)
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
public void Add(TypeDef type) {
|
||||
if (type == null || types.ContainsKey(type))
|
||||
return;
|
||||
types[type] = 0;
|
||||
}
|
||||
|
||||
public void DontRemoveType(TypeDef type) {
|
||||
TypeFlags flags;
|
||||
types.TryGetValue(type, out flags);
|
||||
flags |= TypeFlags.DontRemoveType;
|
||||
types[type] = flags;
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user