monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update detection of obfuscator types

Browse Source
This commit is contained in:
de4dot 2012-03-15 09:15:12 +01:00
parent e4fe749559
commit 67cb85e7ce
2 changed files with 23 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
View File

@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
stsfldCount++;
}
}
return stsfldCount == cctor.DeclaringType.Fields.Count;
return stsfldCount >= cctor.DeclaringType.Fields.Count;
}
void initializeDecrypterFlags(ISimpleDeobfuscator simpleDeobfuscator) {

40
de4dot.code/deobfuscators/CryptoObfuscator/ResourceResolver.cs
View File

@ -32,6 +32,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
bool mergedIt = false;
enum ResolverVersion {
None,
V1,
V2,
}
@ -60,7 +61,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
continue;
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
continue;
if (checkType(tuple.Item1, method))
if (checkType(method))
break;
}
}
@ -86,13 +87,25 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
}
}
bool checkType(TypeDefinition type, MethodDefinition initMethod) {
bool checkType(MethodDefinition initMethod) {
if (!initMethod.HasBody)
return false;
if (DotNetUtils.findFieldType(type, "System.Reflection.Assembly", true) == null)
if (DotNetUtils.findFieldType(initMethod.DeclaringType, "System.Reflection.Assembly", true) == null)
return false;
var instructions = initMethod.Body.Instructions;
resolverVersion = checkSetupMethod(initMethod);
if (resolverVersion == ResolverVersion.None)
resolverVersion = checkSetupMethod(DotNetUtils.getMethod(initMethod.DeclaringType, ".cctor"));
if (resolverVersion == ResolverVersion.None)
return false;
resolverType = initMethod.DeclaringType;
resolverMethod = initMethod;
return true;
}
ResolverVersion checkSetupMethod(MethodDefinition setupMethod) {
var instructions = setupMethod.Body.Instructions;
int foundCount = 0;
for (int i = 0; i < instructions.Count; i++) {
var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Ldnull, OpCodes.Ldftn, OpCodes.Newobj);
@ -104,7 +117,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
var newobj = instrs[2];
methodRef = ldftn.Operand as MethodReference;
if (methodRef == null || !MemberReferenceHelper.compareTypes(type, methodRef.DeclaringType))
if (methodRef == null || !MemberReferenceHelper.compareTypes(setupMethod.DeclaringType, methodRef.DeclaringType))
continue;
methodRef = newobj.Operand as MethodReference;
@ -114,22 +127,13 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
foundCount++;
}
if (foundCount == 0)
return false;
return ResolverVersion.None;
switch (foundCount) {
case 1:
resolverVersion = ResolverVersion.V1;
break;
case 2:
resolverVersion = ResolverVersion.V2;
break;
default:
return false;
case 1: return ResolverVersion.V1;
case 2: return ResolverVersion.V2;
default: return ResolverVersion.None;
}
resolverType = type;
resolverMethod = initMethod;
return true;
}
}
}