Update detection of obfuscator types
parent
e4fe749559
commit
67cb85e7ce
|
@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
stsfldCount++;
|
||||
}
|
||||
}
|
||||
return stsfldCount == cctor.DeclaringType.Fields.Count;
|
||||
return stsfldCount >= cctor.DeclaringType.Fields.Count;
|
||||
}
|
||||
|
||||
void initializeDecrypterFlags(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||
|
|
|
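Review bot: The return line carries no comment saying why `>=` is the right test, assuming the second of the two printed return lines is the new one. The looser comparison makes this detection heuristic easier to satisfy, for instance by a static constructor that stores to the same field more than once. The counting loop starts outside this hunk, so it is not visible whether it also checks that each stored field belongs to `cctor.DeclaringType`. A false match here would presumably pick the wrong handling for an assembly, so the reason belongs on the line, for example `// >= : some builds store a field more than once, so == missed them (TODO confirm)`.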
@ -32,6 +32,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
bool mergedIt = false;
|
||||
|
||||
enum ResolverVersion {
|
||||
None,
|
||||
V1,
|
||||
V2,
|
||||
}
|
||||
|
@ -60,7 +61,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
continue;
|
||||
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||
continue;
|
||||
if (checkType(tuple.Item1, method))
|
||||
if (checkType(method))
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
@ -86,13 +87,25 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
}
|
||||
}
|
||||
|
||||
bool checkType(TypeDefinition type, MethodDefinition initMethod) {
|
||||
bool checkType(MethodDefinition initMethod) {
|
||||
if (!initMethod.HasBody)
|
||||
return false;
|
||||
if (DotNetUtils.findFieldType(type, "System.Reflection.Assembly", true) == null)
|
||||
if (DotNetUtils.findFieldType(initMethod.DeclaringType, "System.Reflection.Assembly", true) == null)
|
||||
return false;
|
||||
|
||||
var instructions = initMethod.Body.Instructions;
|
||||
resolverVersion = checkSetupMethod(initMethod);
|
||||
if (resolverVersion == ResolverVersion.None)
|
||||
resolverVersion = checkSetupMethod(DotNetUtils.getMethod(initMethod.DeclaringType, ".cctor"));
|
||||
if (resolverVersion == ResolverVersion.None)
|
||||
return false;
|
||||
|
||||
resolverType = initMethod.DeclaringType;
|
||||
resolverMethod = initMethod;
|
||||
return true;
|
||||
}
|
||||
|
||||
ResolverVersion checkSetupMethod(MethodDefinition setupMethod) {
|
||||
var instructions = setupMethod.Body.Instructions;
|
||||
int foundCount = 0;
|
||||
for (int i = 0; i < instructions.Count; i++) {
|
||||
var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Ldnull, OpCodes.Ldftn, OpCodes.Newobj);
|
||||
|
@ -104,7 +117,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
var newobj = instrs[2];
|
||||
|
||||
methodRef = ldftn.Operand as MethodReference;
|
||||
if (methodRef == null || !MemberReferenceHelper.compareTypes(type, methodRef.DeclaringType))
|
||||
if (methodRef == null || !MemberReferenceHelper.compareTypes(setupMethod.DeclaringType, methodRef.DeclaringType))
|
||||
continue;
|
||||
|
||||
methodRef = newobj.Operand as MethodReference;
|
||||
|
@ -114,22 +127,13 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
foundCount++;
|
||||
}
|
||||
if (foundCount == 0)
|
||||
return false;
|
||||
return ResolverVersion.None;
|
||||
|
||||
switch (foundCount) {
|
||||
case 1:
|
||||
resolverVersion = ResolverVersion.V1;
|
||||
break;
|
||||
case 2:
|
||||
resolverVersion = ResolverVersion.V2;
|
||||
break;
|
||||
default:
|
||||
return false;
|
||||
case 1: return ResolverVersion.V1;
|
||||
case 2: return ResolverVersion.V2;
|
||||
default: return ResolverVersion.None;
|
||||
}
|
||||
|
||||
resolverType = type;
|
||||
resolverMethod = initMethod;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
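Review bot: The fallback call `checkSetupMethod(DotNetUtils.getMethod(initMethod.DeclaringType, ".cctor"))` in checkType hands its result to a method whose first statement reads `setupMethod.Body.Instructions`. A candidate type with no static constructor, or one whose .cctor has no body, would therefore throw instead of being skipped; this assumes getMethod returns null when nothing matches, and its body is not on this page. checkType already guards initMethod with HasBody, and checkSetupMethod should open with the same kind of guard: `if (setupMethod == null || !setupMethod.HasBody) return ResolverVersion.None;`. This code inspects obfuscated and possibly deliberately malformed assemblies, so an unexpected type layout should fail detection quietly rather than abort the run.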