Remove types CO adds to each assembly
parent
a1e6f555ef
commit
78397f9c4f
|
@ -28,6 +28,14 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
TypeDefinition antiDebuggerType;
|
TypeDefinition antiDebuggerType;
|
||||||
MethodDefinition antiDebuggerMethod;
|
MethodDefinition antiDebuggerMethod;
|
||||||
|
|
||||||
|
public TypeDefinition AntiDebuggerType {
|
||||||
|
get { return antiDebuggerType; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodDefinition AntiDebuggerMethod {
|
||||||
|
get { return antiDebuggerMethod; }
|
||||||
|
}
|
||||||
|
|
||||||
public AntiDebugger(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
|
public AntiDebugger(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
this.simpleDeobfuscator = simpleDeobfuscator;
|
this.simpleDeobfuscator = simpleDeobfuscator;
|
||||||
|
|
|
@ -28,6 +28,7 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
class AssemblyResolver {
|
class AssemblyResolver {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
TypeDefinition resolverType;
|
TypeDefinition resolverType;
|
||||||
|
MethodDefinition resolverMethod;
|
||||||
List<AssemblyInfo> assemblyInfos = new List<AssemblyInfo>();
|
List<AssemblyInfo> assemblyInfos = new List<AssemblyInfo>();
|
||||||
|
|
||||||
public class AssemblyInfo {
|
public class AssemblyInfo {
|
||||||
|
@ -49,6 +50,14 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
get { return assemblyInfos; }
|
get { return assemblyInfos; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public TypeDefinition ResolverType {
|
||||||
|
get { return resolverType; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodDefinition ResolverMethod {
|
||||||
|
get { return resolverMethod; }
|
||||||
|
}
|
||||||
|
|
||||||
public AssemblyResolver(ModuleDefinition module) {
|
public AssemblyResolver(ModuleDefinition module) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
}
|
}
|
||||||
|
@ -85,6 +94,7 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
resolverType = type;
|
resolverType = type;
|
||||||
|
resolverMethod = initMethod;
|
||||||
assemblyInfos = newAssemblyInfos;
|
assemblyInfos = newAssemblyInfos;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
|
@ -171,6 +171,15 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
|
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
|
||||||
antiDebugger.find();
|
antiDebugger.find();
|
||||||
|
|
||||||
|
addModuleCctorInitCallToBeRemoved(resourceResolver.ResolverMethod);
|
||||||
|
addModuleCctorInitCallToBeRemoved(assemblyResolver.ResolverMethod);
|
||||||
|
addCallToBeRemoved(module.EntryPoint, tamperDetection.TamperMethod);
|
||||||
|
addCallToBeRemoved(module.EntryPoint, antiDebugger.AntiDebuggerMethod);
|
||||||
|
addTypeToBeRemoved(resourceResolver.ResolverType, "Resource resolver type");
|
||||||
|
addTypeToBeRemoved(assemblyResolver.ResolverType, "Assembly resolver type");
|
||||||
|
addTypeToBeRemoved(tamperDetection.TamperType, "Tamper detection type");
|
||||||
|
addTypeToBeRemoved(antiDebugger.AntiDebuggerType, "Anti-debugger type");
|
||||||
|
|
||||||
dumpEmbeddedAssemblies();
|
dumpEmbeddedAssemblies();
|
||||||
}
|
}
|
||||||
|
|
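Review bot: The new `addCallToBeRemoved(module.EntryPoint, ...)` and `addTypeToBeRemoved(...)` calls run unconditionally, yet `module.EntryPoint` is null for a library module, and the getters added elsewhere in this commit (`ResolverType`, `ResolverMethod`, `TamperType`, `TamperMethod`, `AntiDebuggerType`, `AntiDebuggerMethod`) return backing fields that appear to be assigned only when the matching detection succeeds. Whether the helpers ignore null arguments is not visible on this page, so either guard the calls, e.g. `if (module.EntryPoint != null && tamperDetection.TamperMethod != null)`, or state on the helpers that null is a no-op. Since this step deletes whole types from the cleaned assembly based on heuristic detection, logging which protection types were found and which were skipped would let an analyst confirm that nothing was removed by mistake. The enclosing method starts outside the hunk.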
||||||
|
|
|
@ -27,8 +27,17 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
ResourceDecrypter resourceDecrypter;
|
ResourceDecrypter resourceDecrypter;
|
||||||
TypeDefinition resolverType;
|
TypeDefinition resolverType;
|
||||||
|
MethodDefinition resolverMethod;
|
||||||
bool mergedIt = false;
|
bool mergedIt = false;
|
||||||
|
|
||||||
|
public TypeDefinition ResolverType {
|
||||||
|
get { return resolverType; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodDefinition ResolverMethod {
|
||||||
|
get { return resolverMethod; }
|
||||||
|
}
|
||||||
|
|
||||||
public ResourceResolver(ModuleDefinition module, ResourceDecrypter resourceDecrypter) {
|
public ResourceResolver(ModuleDefinition module, ResourceDecrypter resourceDecrypter) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
this.resourceDecrypter = resourceDecrypter;
|
this.resourceDecrypter = resourceDecrypter;
|
||||||
|
@ -88,6 +97,7 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
resolverType = type;
|
resolverType = type;
|
||||||
|
resolverMethod = initMethod;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -30,6 +30,14 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
get { return tamperMethod != null; }
|
get { return tamperMethod != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public TypeDefinition TamperType {
|
||||||
|
get { return tamperType; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodDefinition TamperMethod {
|
||||||
|
get { return tamperMethod; }
|
||||||
|
}
|
||||||
|
|
||||||
public TamperDetection(ModuleDefinition module) {
|
public TamperDetection(ModuleDefinition module) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
}
|
}
|
||||||
|
|
|
@ -174,9 +174,6 @@ namespace de4dot.deobfuscators {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void removeAll(Blocks blocks) {
|
public void removeAll(Blocks blocks) {
|
||||||
if (blocks.Method.Name != ".cctor")
|
|
||||||
return;
|
|
||||||
|
|
||||||
var allBlocks = blocks.MethodBlocks.getAllBlocks();
|
var allBlocks = blocks.MethodBlocks.getAllBlocks();
|
||||||
|
|
||||||
removeAll(allBlocks, blocks, blocks.Method.Name);
|
removeAll(allBlocks, blocks, blocks.Method.Name);
|
||||||
|
|