Update CO code. Fixes #39

2012-03-31 13:26:11 +02:00 · 2012-03-31 13:26:11 +02:00 · 7c8259905b
commit 7c8259905b
parent 7782331ad5
2 changed files with 26 additions and 1 deletions
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs
@ -125,7 +125,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		}

 		MethodDefinition getProxyCreateMethod(TypeDefinition type) {
-			if (type.Fields.Count != 1 && type.Fields.Count != 2)
+			if (type.Fields.Count < 1 || type.Fields.Count > 3)
 				return null;
 			if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
 				return null;
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
@ -37,6 +37,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		byte deflatedFlag;
 		byte bitwiseNotEncryptedFlag;
 		FrameworkType frameworkType;
+		bool flipFlagsBits;

 		public ResourceDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
 			this.module = module;
@ -178,6 +179,26 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			bitwiseNotEncryptedFlag = 4;
 		}

+		static bool checkFlipBits(MethodDefinition method) {
+			var instrs = method.Body.Instructions;
+			for (int i = 0; i < instrs.Count - 1; i++) {
+				var ldloc = instrs[i];
+				if (!DotNetUtils.isLdloc(ldloc))
+					continue;
+				var local = DotNetUtils.getLocalVar(method.Body.Variables, ldloc);
+				if (local == null || !local.VariableType.IsPrimitive)
+					continue;
+
+				var not = instrs[i + 1];
+				if (not.OpCode.Code != Code.Not)
+					continue;
+
+				return true;
+			}
+
+			return false;
+		}
+
 		bool updateFlags(MethodDefinition method, ISimpleDeobfuscator simpleDeobfuscator) {
 			if (method == null || method.Body == null)
 				return false;
@ -204,6 +225,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				constants.Add(flagValue);
 			}

+			flipFlagsBits = checkFlipBits(method);
+
 			switch (frameworkType) {
 			case FrameworkType.Desktop:
 				if (module.Runtime >= TargetRuntime.Net_2_0) {
@ -261,6 +284,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {

 		public byte[] decrypt(Stream resourceStream) {
 			byte flags = (byte)resourceStream.ReadByte();
+			if (flipFlagsBits)
+				flags = (byte)~flags;
 			Stream sourceStream = resourceStream;
 			int sourceStreamOffset = 1;
 			bool didSomething = false;