Update decrypter and version detecter code

de4dot 2011-10-31 00:09:38 +01:00
parent 11781b2875
commit 6b04c23036
2 changed files with 23 additions and 31 deletions


@ -192,7 +192,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
return ".NET Reactor 3.9.8.0";
}
var compileMethod = findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType);
var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType);
if (compileMethod == null)
return ".NET Reactor < 4.0";
DeobfuscatedFile.deobfuscate(compileMethod);
@ -219,12 +219,8 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
}
static bool findString(MethodDefinition method, string s) {
if (method == null || method.Body == null)
return false;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Ldstr)
continue;
if (s == (string)instr.Operand)
foreach (var cs in DotNetUtils.getCodeStrings(method)) {
if (cs == s)
return true;
}
return false;
@ -242,19 +238,6 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
return false;
}
static MethodDefinition findDnrCompileMethod(TypeDefinition type) {
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (method.Parameters.Count != 6)
continue;
if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
continue;
return method;
}
return null;
}
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
using (var fileStream = new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read)) {
fileData = new byte[(int)fileStream.Length];
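Review bot: The rewritten `findString` no longer checks `method == null || method.Body == null` before scanning, so it now relies on `DotNetUtils.getCodeStrings` tolerating both cases, and that helper is not visible on this page. The methods inspected come from an obfuscated assembly under analysis, so a missing or body-less method is a plausible input and should yield `false` rather than an exception during version detection. If the helper does not guard, keep `if (method == null || method.Body == null) return false;` ahead of the loop; if it does, a comment such as `// getCodeStrings handles a null method or body` would record the dependency. The call `MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType)` in the first hunk likewise assumes `MethodsDecrypterMethod` is non-null, and whether an earlier check ensures that lies outside the hunk.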


@ -29,8 +29,6 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
class MethodsDecrypter {
ModuleDefinition module;
EncryptedResource encryptedResource;
long xorKey;
bool useXorKey;
public bool Detected {
get { return encryptedResource.ResourceDecrypterMethod != null; }
@ -97,13 +95,12 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
return false;
encryptedResource.init(simpleDeobfuscator);
initXorKey();
var methodsData = encryptedResource.decrypt();
ArrayFinder arrayFinder = new ArrayFinder(encryptedResource.ResourceDecrypterMethod);
bool hooksJitter = arrayFinder.exists(new byte[] { (byte)'g', (byte)'e', (byte)'t', (byte)'J', (byte)'i', (byte)'t' });
bool hooksJitter = findDnrCompileMethod(encryptedResource.ResourceDecrypterMethod.DeclaringType) != null;
if (useXorKey) {
long xorKey;
if (getXorKey(out xorKey)) {
// DNR 4.3, 4.4
var stream = new MemoryStream(methodsData);
var reader = new BinaryReader(stream);
@ -229,9 +226,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
}
}
void initXorKey() {
useXorKey = false;
bool getXorKey(out long xorKey) {
var instructions = encryptedResource.ResourceDecrypterMethod.Body.Instructions;
for (int i = 0; i < instructions.Count - 1; i++) {
if (instructions[i].OpCode.Code != Code.Ldind_I8)
@ -241,9 +236,23 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
continue;
xorKey = DotNetUtils.getLdcI4Value(ldci4);
useXorKey = true;
return;
return true;
}
xorKey = 0;
return false;
}
public static MethodDefinition findDnrCompileMethod(TypeDefinition type) {
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (method.Parameters.Count != 6)
continue;
if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
continue;
return method;
}
return null;
}
}
}
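Review bot: `findDnrCompileMethod` is now `public static` and serves both the version detector and the `hooksJitter` test, yet it dereferences `type.Methods` with no null check and has no documentation for the signature it matches. A guard such as `if (type == null) return null;` at the top would keep a malformed input assembly from raising an exception in either caller. A summary comment should say that it returns the first static six-parameter method with a body and the exact `System.UInt32 (System.UInt64&,System.IntPtr,...)` signature, or `null` when there is none. It would also help to note at the `hooksJitter` assignment that the flag is now true whenever such a method exists in the resource decrypter's declaring type, since this replaces the earlier byte-pattern search with a different heuristic.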