monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update CO code. Fixes #39

Browse Source
This commit is contained in:
de4dot 2012-03-31 13:26:11 +02:00
parent 7782331ad5
commit 7c8259905b
2 changed files with 26 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs
View File

@ -125,7 +125,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
} }
MethodDefinition getProxyCreateMethod(TypeDefinition type) { MethodDefinition getProxyCreateMethod(TypeDefinition type) {
if (type.Fields.Count != 1 && type.Fields.Count != 2) if (type.Fields.Count < 1 || type.Fields.Count > 3)
return null; return null;
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null) if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
return null; return null;

25
de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
View File

@ -37,6 +37,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
byte deflatedFlag; byte deflatedFlag;
byte bitwiseNotEncryptedFlag; byte bitwiseNotEncryptedFlag;
FrameworkType frameworkType; FrameworkType frameworkType;
bool flipFlagsBits;
public ResourceDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) { public ResourceDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
this.module = module; this.module = module;
@ -178,6 +179,26 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
bitwiseNotEncryptedFlag = 4; bitwiseNotEncryptedFlag = 4;
} }
static bool checkFlipBits(MethodDefinition method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldloc = instrs[i];
if (!DotNetUtils.isLdloc(ldloc))
continue;
var local = DotNetUtils.getLocalVar(method.Body.Variables, ldloc);
if (local == null || !local.VariableType.IsPrimitive)
continue;
var not = instrs[i + 1];
if (not.OpCode.Code != Code.Not)
continue;
return true;
}
return false;
}
bool updateFlags(MethodDefinition method, ISimpleDeobfuscator simpleDeobfuscator) { bool updateFlags(MethodDefinition method, ISimpleDeobfuscator simpleDeobfuscator) {
if (method == null || method.Body == null) if (method == null || method.Body == null)
return false; return false;
@ -204,6 +225,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
constants.Add(flagValue); constants.Add(flagValue);
} }
flipFlagsBits = checkFlipBits(method);
switch (frameworkType) { switch (frameworkType) {
case FrameworkType.Desktop: case FrameworkType.Desktop:
if (module.Runtime >= TargetRuntime.Net_2_0) { if (module.Runtime >= TargetRuntime.Net_2_0) {
@ -261,6 +284,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
public byte[] decrypt(Stream resourceStream) { public byte[] decrypt(Stream resourceStream) {
byte flags = (byte)resourceStream.ReadByte(); byte flags = (byte)resourceStream.ReadByte();
if (flipFlagsBits)
flags = (byte)~flags;
Stream sourceStream = resourceStream; Stream sourceStream = resourceStream;
int sourceStreamOffset = 1; int sourceStreamOffset = 1;
bool didSomething = false; bool didSomething = false;