Inline methods
parent
13ef523d58
commit
67c9e76276
|
@ -126,9 +126,11 @@
|
||||||
<Compile Include="deobfuscators\CRC32.cs" />
|
<Compile Include="deobfuscators\CRC32.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
|
||||||
|
<Compile Include="deobfuscators\CryptoObfuscator\CoMethodCallInliner.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\ConstantsDecrypter.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\ConstantsDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
|
||||||
|
<Compile Include="deobfuscators\CryptoObfuscator\InlinedMethodTypes.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\ProxyCallFixer.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\ProxyCallFixer.cs" />
|
||||||
|
|
|
@ -0,0 +1,53 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2013 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using dnlib.DotNet;
|
||||||
|
using de4dot.blocks.cflow;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
class CoMethodCallInliner : MethodCallInliner {
|
||||||
|
readonly InlinedMethodTypes inlinedMethodTypes;
|
||||||
|
|
||||||
|
public CoMethodCallInliner(InlinedMethodTypes inlinedMethodTypes)
|
||||||
|
: base(false) {
|
||||||
|
this.inlinedMethodTypes = inlinedMethodTypes;
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override bool CanInline(MethodDef method) {
|
||||||
|
if (method == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (method.Attributes != (MethodAttributes.Assembly | MethodAttributes.Static | MethodAttributes.HideBySig))
|
||||||
|
return false;
|
||||||
|
if (method.HasGenericParameters)
|
||||||
|
return false;
|
||||||
|
if (!inlinedMethodTypes.IsValidMethodType(method.DeclaringType))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override void OnInlinedMethod(MethodDef methodToInline, bool inlinedMethod) {
|
||||||
|
if (inlinedMethod)
|
||||||
|
inlinedMethodTypes.Add(methodToInline.DeclaringType);
|
||||||
|
else
|
||||||
|
inlinedMethodTypes.DontRemoveType(methodToInline.DeclaringType);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
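Review bot: `CanInline` accepts a method only when `method.Attributes` equals exactly `Assembly | Static | HideBySig`, and nothing in the file says that the exact match is deliberate. This check decides which methods of the input assembly get folded into their callers, so I would add a comment above it such as `// Exact match on purpose: any additional attribute flag rejects the method.` The constructor's `: base(false)` has the same problem: the meaning of the boolean is not visible from this file, and a short comment naming the base-class parameter would fix that. `OnInlinedMethod` also dereferences `methodToInline` without the null check that `CanInline` performs; whether the base class can pass null there cannot be told from this section.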
@ -22,6 +22,7 @@ using System.Collections.Generic;
|
||||||
using System.Text.RegularExpressions;
|
using System.Text.RegularExpressions;
|
||||||
using dnlib.DotNet;
|
using dnlib.DotNet;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
using de4dot.blocks.cflow;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||||
|
@ -30,11 +31,13 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
||||||
BoolOption removeTamperProtection;
|
BoolOption removeTamperProtection;
|
||||||
BoolOption decryptConstants;
|
BoolOption decryptConstants;
|
||||||
|
BoolOption inlineMethods;
|
||||||
|
|
||||||
public DeobfuscatorInfo()
|
public DeobfuscatorInfo()
|
||||||
: base(DEFAULT_REGEX) {
|
: base(DEFAULT_REGEX) {
|
||||||
removeTamperProtection = new BoolOption(null, MakeArgName("tamper"), "Remove tamper protection code", true);
|
removeTamperProtection = new BoolOption(null, MakeArgName("tamper"), "Remove tamper protection code", true);
|
||||||
decryptConstants = new BoolOption(null, MakeArgName("consts"), "Decrypt constants", true);
|
decryptConstants = new BoolOption(null, MakeArgName("consts"), "Decrypt constants", true);
|
||||||
|
inlineMethods = new BoolOption(null, MakeArgName("inline"), "Inline short methods", true);
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string Name {
|
public override string Name {
|
||||||
|
@ -50,6 +53,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
ValidNameRegex = validNameRegex.get(),
|
ValidNameRegex = validNameRegex.get(),
|
||||||
RemoveTamperProtection = removeTamperProtection.get(),
|
RemoveTamperProtection = removeTamperProtection.get(),
|
||||||
DecryptConstants = decryptConstants.get(),
|
DecryptConstants = decryptConstants.get(),
|
||||||
|
InlineMethods = inlineMethods.get(),
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -57,6 +61,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
return new List<Option>() {
|
return new List<Option>() {
|
||||||
removeTamperProtection,
|
removeTamperProtection,
|
||||||
decryptConstants,
|
decryptConstants,
|
||||||
|
inlineMethods,
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -67,6 +72,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
bool foundCryptoObfuscatorAttribute = false;
|
bool foundCryptoObfuscatorAttribute = false;
|
||||||
bool foundObfuscatedSymbols = false;
|
bool foundObfuscatedSymbols = false;
|
||||||
bool foundObfuscatorUserString = false;
|
bool foundObfuscatorUserString = false;
|
||||||
|
bool startedDeobfuscating = false;
|
||||||
|
|
||||||
MethodsDecrypter methodsDecrypter;
|
MethodsDecrypter methodsDecrypter;
|
||||||
ProxyCallFixer proxyCallFixer;
|
ProxyCallFixer proxyCallFixer;
|
||||||
|
@ -81,10 +87,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
Int64ValueInliner int64ValueInliner;
|
Int64ValueInliner int64ValueInliner;
|
||||||
SingleValueInliner singleValueInliner;
|
SingleValueInliner singleValueInliner;
|
||||||
DoubleValueInliner doubleValueInliner;
|
DoubleValueInliner doubleValueInliner;
|
||||||
|
InlinedMethodTypes inlinedMethodTypes;
|
||||||
|
|
||||||
internal class Options : OptionsBase {
|
internal class Options : OptionsBase {
|
||||||
public bool RemoveTamperProtection { get; set; }
|
public bool RemoveTamperProtection { get; set; }
|
||||||
public bool DecryptConstants { get; set; }
|
public bool DecryptConstants { get; set; }
|
||||||
|
public bool InlineMethods { get; set; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string Type {
|
public override string Type {
|
||||||
|
@ -99,6 +107,19 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
get { return obfuscatorName; }
|
get { return obfuscatorName; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected override bool CanInlineMethods {
|
||||||
|
get { return startedDeobfuscating ? options.InlineMethods : true; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public override IEnumerable<IBlocksDeobfuscator> BlocksDeobfuscators {
|
||||||
|
get {
|
||||||
|
var list = new List<IBlocksDeobfuscator>();
|
||||||
|
if (CanInlineMethods)
|
||||||
|
list.Add(new CoMethodCallInliner(inlinedMethodTypes));
|
||||||
|
return list;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public Deobfuscator(Options options)
|
public Deobfuscator(Options options)
|
||||||
: base(options) {
|
: base(options) {
|
||||||
this.options = options;
|
this.options = options;
|
||||||
|
@ -136,6 +157,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
if (CheckCryptoObfuscator())
|
if (CheckCryptoObfuscator())
|
||||||
foundObfuscatedSymbols = true;
|
foundObfuscatedSymbols = true;
|
||||||
|
|
||||||
|
inlinedMethodTypes = new InlinedMethodTypes();
|
||||||
methodsDecrypter = new MethodsDecrypter(module);
|
methodsDecrypter = new MethodsDecrypter(module);
|
||||||
methodsDecrypter.Find();
|
methodsDecrypter.Find();
|
||||||
proxyCallFixer = new ProxyCallFixer(module);
|
proxyCallFixer = new ProxyCallFixer(module);
|
||||||
|
@ -236,6 +258,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
proxyCallFixer.Find();
|
proxyCallFixer.Find();
|
||||||
|
|
||||||
DumpEmbeddedAssemblies();
|
DumpEmbeddedAssemblies();
|
||||||
|
|
||||||
|
startedDeobfuscating = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override void DeobfuscateMethodEnd(Blocks blocks) {
|
public override void DeobfuscateMethodEnd(Blocks blocks) {
|
||||||
|
@ -256,6 +280,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
|
AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
|
||||||
AddTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
|
AddTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
|
||||||
}
|
}
|
||||||
|
if (options.InlineMethods)
|
||||||
|
AddTypesToBeRemoved(inlinedMethodTypes.Types, "Inlined methods types");
|
||||||
base.DeobfuscateEnd();
|
base.DeobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
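Review bot: The `BlocksDeobfuscators` getter hands `inlinedMethodTypes` to `new CoMethodCallInliner(...)` whenever `CanInlineMethods` is true, and `CanInlineMethods` is always true until `startedDeobfuscating` is set, yet the field is only assigned in the `@ -136` hunk, inside a method whose start lies outside that hunk. If the getter can be read before that assignment runs, the inliner is built around null and `CanInline` fails at `inlinedMethodTypes.IsValidMethodType(...)`; the call order is not visible here, so this needs confirming against the base class. Initialising at the declaration, `InlinedMethodTypes inlinedMethodTypes = new InlinedMethodTypes();`, or guarding with `if (CanInlineMethods && inlinedMethodTypes != null)`, removes the dependency on ordering. `CanInlineMethods` should also carry a comment saying why the user option is ignored before deobfuscation has started, since that is the non-obvious part of the property.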
@ -0,0 +1,90 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2013 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using dnlib.DotNet;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
class InlinedMethodTypes {
|
||||||
|
Dictionary<TypeDef, TypeFlags> types = new Dictionary<TypeDef, TypeFlags>();
|
||||||
|
|
||||||
|
[Flags]
|
||||||
|
enum TypeFlags {
|
||||||
|
DontRemoveType = 1,
|
||||||
|
}
|
||||||
|
|
||||||
|
public IEnumerable<TypeDef> Types {
|
||||||
|
get {
|
||||||
|
foreach (var kv in types) {
|
||||||
|
if ((kv.Value & TypeFlags.DontRemoveType) == 0)
|
||||||
|
yield return kv.Key;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
bool IsValidType(TypeDef type) {
|
||||||
|
if (type == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
|
||||||
|
return false;
|
||||||
|
if (type.DeclaringType != null)
|
||||||
|
return false;
|
||||||
|
if (type.Attributes != (TypeAttributes.NotPublic | TypeAttributes.AutoLayout |
|
||||||
|
TypeAttributes.Class | TypeAttributes.Sealed | TypeAttributes.AnsiClass))
|
||||||
|
return false;
|
||||||
|
if (type.HasProperties || type.HasEvents)
|
||||||
|
return false;
|
||||||
|
if (type.HasInterfaces)
|
||||||
|
return false;
|
||||||
|
if (type.HasGenericParameters)
|
||||||
|
return false;
|
||||||
|
if (type.HasNestedTypes)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool IsValidMethodType(TypeDef type) {
|
||||||
|
if (!IsValidType(type))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (type.HasFields)
|
||||||
|
return false;
|
||||||
|
if (type.Methods.Count != 1)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void Add(TypeDef type) {
|
||||||
|
if (type == null || types.ContainsKey(type))
|
||||||
|
return;
|
||||||
|
types[type] = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void DontRemoveType(TypeDef type) {
|
||||||
|
TypeFlags flags;
|
||||||
|
types.TryGetValue(type, out flags);
|
||||||
|
flags |= TypeFlags.DontRemoveType;
|
||||||
|
types[type] = flags;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
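Review bot: `DontRemoveType` calls `types.TryGetValue(type, out flags)` and then `types[type] = flags` with no null check, while `Add` directly above it returns early on `type == null`; a null key makes `Dictionary.TryGetValue` throw `ArgumentNullException`. The caller `CoMethodCallInliner.OnInlinedMethod` passes `methodToInline.DeclaringType` straight through, so a method without a declaring type in a malformed input assembly would abort the run, assuming the base inliner can report such a method. Adding `if (type == null) return;` as the first line makes the two methods agree. Separately, `IsValidType` identifies the base class with `type.BaseType.FullName != "System.Object"`, which compares the name only; a comment stating that the defining assembly is not checked would make that limitation explicit.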