Update decrypter and version detecter code
parent
11781b2875
commit
6b04c23036
|
@ -192,7 +192,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
|||
return ".NET Reactor 3.9.8.0";
|
||||
}
|
||||
|
||||
var compileMethod = findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType);
|
||||
var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType);
|
||||
if (compileMethod == null)
|
||||
return ".NET Reactor < 4.0";
|
||||
DeobfuscatedFile.deobfuscate(compileMethod);
|
||||
|
@ -219,12 +219,8 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
|||
}
|
||||
|
||||
static bool findString(MethodDefinition method, string s) {
|
||||
if (method == null || method.Body == null)
|
||||
return false;
|
||||
foreach (var instr in method.Body.Instructions) {
|
||||
if (instr.OpCode.Code != Code.Ldstr)
|
||||
continue;
|
||||
if (s == (string)instr.Operand)
|
||||
foreach (var cs in DotNetUtils.getCodeStrings(method)) {
|
||||
if (cs == s)
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
|
@ -242,19 +238,6 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
|||
return false;
|
||||
}
|
||||
|
||||
static MethodDefinition findDnrCompileMethod(TypeDefinition type) {
|
||||
foreach (var method in type.Methods) {
|
||||
if (!method.IsStatic || method.Body == null)
|
||||
continue;
|
||||
if (method.Parameters.Count != 6)
|
||||
continue;
|
||||
if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
|
||||
continue;
|
||||
return method;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
||||
using (var fileStream = new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read)) {
|
||||
fileData = new byte[(int)fileStream.Length];
|
||||
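Review bot: `findString` no longer checks `method == null || method.Body == null` before scanning. Going by the line counts of the hunk at -219,12 +219,8, that guard was dropped together with the manual `Ldstr` loop, so the function now relies on `DotNetUtils.getCodeStrings(method)` accepting a null method or a method without a body. That helper is not visible here; if it does not handle both cases, a body-less method in an obfuscated input assembly would end version detection with a NullReferenceException. Either keep `if (method == null || method.Body == null) return false;` as the first line, or add a comment stating that `getCodeStrings` returns an empty sequence for such methods. The first hunk raises the same question: it dereferences `methodsDecrypter.MethodsDecrypterMethod.DeclaringType` before `findDnrCompileMethod` runs, and the page does not show whether `MethodsDecrypterMethod` can be null at that point.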
|
|
|
@ -29,8 +29,6 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
|||
class MethodsDecrypter {
|
||||
ModuleDefinition module;
|
||||
EncryptedResource encryptedResource;
|
||||
long xorKey;
|
||||
bool useXorKey;
|
||||
|
||||
public bool Detected {
|
||||
get { return encryptedResource.ResourceDecrypterMethod != null; }
|
||||
|
@ -97,13 +95,12 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
|||
return false;
|
||||
|
||||
encryptedResource.init(simpleDeobfuscator);
|
||||
initXorKey();
|
||||
var methodsData = encryptedResource.decrypt();
|
||||
|
||||
ArrayFinder arrayFinder = new ArrayFinder(encryptedResource.ResourceDecrypterMethod);
|
||||
bool hooksJitter = arrayFinder.exists(new byte[] { (byte)'g', (byte)'e', (byte)'t', (byte)'J', (byte)'i', (byte)'t' });
|
||||
bool hooksJitter = findDnrCompileMethod(encryptedResource.ResourceDecrypterMethod.DeclaringType) != null;
|
||||
|
||||
if (useXorKey) {
|
||||
long xorKey;
|
||||
if (getXorKey(out xorKey)) {
|
||||
// DNR 4.3, 4.4
|
||||
var stream = new MemoryStream(methodsData);
|
||||
var reader = new BinaryReader(stream);
|
||||
|
@ -229,9 +226,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
|||
}
|
||||
}
|
||||
|
||||
void initXorKey() {
|
||||
useXorKey = false;
|
||||
|
||||
bool getXorKey(out long xorKey) {
|
||||
var instructions = encryptedResource.ResourceDecrypterMethod.Body.Instructions;
|
||||
for (int i = 0; i < instructions.Count - 1; i++) {
|
||||
if (instructions[i].OpCode.Code != Code.Ldind_I8)
|
||||
|
@ -241,9 +236,23 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
|||
continue;
|
||||
|
||||
xorKey = DotNetUtils.getLdcI4Value(ldci4);
|
||||
useXorKey = true;
|
||||
return;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
xorKey = 0;
|
||||
return false;
|
||||
}
|
||||
|
||||
public static MethodDefinition findDnrCompileMethod(TypeDefinition type) {
|
||||
foreach (var method in type.Methods) {
|
||||
if (!method.IsStatic || method.Body == null)
|
||||
continue;
|
||||
if (method.Parameters.Count != 6)
|
||||
continue;
|
||||
if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
|
||||
continue;
|
||||
return method;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
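Review bot: `findDnrCompileMethod` is now `public static` and called from another class, but it reads `type.Methods` with no null check and has no comment describing what it matches. I would add `if (type == null) return null;` as its first line and a summary comment such as `// Returns the first static method with a body and the signature UInt32 (UInt64&, IntPtr, IntPtr, UInt32, IntPtr&, UInt32&), or null if there is none`. `hooksJitter` is now derived solely from that signature match on `ResourceDecrypterMethod.DeclaringType`, replacing the earlier search for the `getJit` byte sequence. A one-line comment there, saying that any static method with this signature is treated as the JIT hook, would make the detection assumption explicit. Since the `Detected` getter shows `ResourceDecrypterMethod` can be null, that call also depends on a guard earlier in the enclosing method, which starts outside the hunk.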
|
|