Remove native lib module refs

2011-12-21 00:41:09 +01:00 · 2011-12-21 00:41:09 +01:00 · 74b8299ef2
commit 74b8299ef2
parent c516d61ad7
3 changed files with 28 additions and 1 deletions
--- a/de4dot.code/deobfuscators/DeobfuscatorBase.cs
+++ b/de4dot.code/deobfuscators/DeobfuscatorBase.cs
@ -304,6 +304,11 @@ namespace de4dot.code.deobfuscators {
 			resourcesToRemove.Add(new RemoveInfo<Resource>(resource, reason));
 		}

+		protected void addModuleReferencesToBeRemoved(IEnumerable<ModuleReference> modrefs, string reason) {
+			foreach (var modref in modrefs)
+				addModuleReferenceToBeRemoved(modref, reason);
+		}
+
 		protected void addModuleReferenceToBeRemoved(ModuleReference modref, string reason) {
 			modrefsToRemove.Add(new RemoveInfo<ModuleReference>(modref, reason));
 		}
--- a/de4dot.code/deobfuscators/dotNET_Reactor3/DecrypterType.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor3/DecrypterType.cs
@ -31,6 +31,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 		MethodDefinition stringDecrypter1;
 		MethodDefinition stringDecrypter2;
 		List<MethodDefinition> initMethods = new List<MethodDefinition>();
+		List<ModuleReference> moduleReferences = new List<ModuleReference>();

 		public bool Detected {
 			get { return decrypterType != null; }
@ -52,6 +53,10 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 			get { return initMethods; }
 		}

+		public List<ModuleReference> ModuleReferences {
+			get { return moduleReferences; }
+		}
+
 		public IEnumerable<MethodDefinition> StringDecrypters {
 			get {
 				return new List<MethodDefinition> {
@ -72,6 +77,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 			this.stringDecrypter2 = lookup(oldOne.stringDecrypter2, "Could not find stringDecrypter2");
 			foreach (var method in oldOne.initMethods)
 				initMethods.Add(lookup(method, "Could not find initMethod"));
+			updateModuleReferences();
 		}

 		T lookup<T>(T def, string errorMessage) where T : MemberReference {
@ -90,10 +96,24 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 					if (DotNetUtils.isMethod(method, "System.Void", "()"))
 						initMethods.Add(method);
 				}
+				updateModuleReferences();
 				return;
 			}
 		}

+		void updateModuleReferences() {
+			foreach (var method in decrypterType.Methods) {
+				if (method.PInvokeInfo != null) {
+					switch (method.PInvokeInfo.EntryPoint) {
+					case "nr_nli":
+					case "nr_startup":
+						moduleReferences.Add(method.PInvokeInfo.Module);
+						break;
+					}
+				}
+			}
+		}
+
 		MethodDefinition addStringDecrypter(TypeDefinition type, string name) {
 			var method = DotNetUtils.getMethod(type, name);
 			if (method == null)
--- a/de4dot.code/deobfuscators/dotNET_Reactor3/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor3/Deobfuscator.cs
@ -280,8 +280,10 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor3 {
 			if (options.RestoreTypes)
 				new TypesRestorer(module).deobfuscate();

-			if (canRemoveDecrypterType && !isTypeCalled(decrypterType.Type))
+			if (canRemoveDecrypterType && !isTypeCalled(decrypterType.Type)) {
 				addTypeToBeRemoved(decrypterType.Type, "Decrypter type");
+				addModuleReferencesToBeRemoved(decrypterType.ModuleReferences, "Native lib module references");
+			}

 			base.deobfuscateEnd();
 		}