Move code to ConfuserUtils

de4dot 2012-08-01 11:40:15 +02:00
parent 7b3cb1e007
commit 8477e79b88
2 changed files with 52 additions and 38 deletions


@ -20,6 +20,7 @@
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.Confuser {
static class ConfuserUtils {
@ -39,5 +40,55 @@ namespace de4dot.code.deobfuscators.Confuser {
var calledMethod = instr.Operand as MethodReference;
return calledMethod != null && calledMethod.FullName == methodFullName;
}
public static bool removeResourceHookCode(Blocks blocks, MethodDefinition handler) {
return removeResolveHandlerCode(blocks, handler, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)");
}
public static bool removeAssemblyHookCode(Blocks blocks, MethodDefinition handler) {
return removeResolveHandlerCode(blocks, handler, "System.Void System.AppDomain::add_AssemblyResolve(System.ResolveEventHandler)");
}
static bool removeResolveHandlerCode(Blocks blocks, MethodDefinition handler, string installHandlerMethod) {
bool modified = false;
foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
var instrs = block.Instructions;
for (int i = 0; i < instrs.Count - 4; i++) {
var call = instrs[i];
if (call.OpCode.Code != Code.Call)
continue;
var calledMethod = call.Operand as MethodReference;
if (calledMethod == null || calledMethod.FullName != "System.AppDomain System.AppDomain::get_CurrentDomain()")
continue;
if (instrs[i + 1].OpCode.Code != Code.Ldnull)
continue;
var ldftn = instrs[i + 2];
if (ldftn.OpCode.Code != Code.Ldftn)
continue;
if (ldftn.Operand != handler)
continue;
var newobj = instrs[i + 3];
if (newobj.OpCode.Code != Code.Newobj)
continue;
var ctor = newobj.Operand as MethodReference;
if (ctor == null || ctor.FullName != "System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)")
continue;
var callvirt = instrs[i + 4];
if (callvirt.OpCode.Code != Code.Callvirt)
continue;
calledMethod = callvirt.Operand as MethodReference;
if (calledMethod == null || calledMethod.FullName != installHandlerMethod)
continue;
block.remove(i, 5);
modified = true;
}
}
return modified;
}
}
}
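Review bot: In `removeResolveHandlerCode`, after `block.remove(i, 5)` the loop proceeds to `i++`, so the instruction that moves into slot `i` is never examined, assuming `block.Instructions` is the live list that `remove` shrinks. The code this was moved from returned at the first match, so the skip is new with the move; a second install sequence directly following the first would be left in place. Adding `i--;` after `modified = true;` re-checks that slot. A short comment on the helper listing the five-instruction sequence it matches (`call get_CurrentDomain`, `ldnull`, `ldftn handler`, `newobj ResolveEventHandler`, `callvirt add_*Resolve`) would also explain the `Count - 4` bound and the `remove(i, 5)`.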


@ -289,44 +289,7 @@ namespace de4dot.code.deobfuscators.Confuser {
public void deobfuscate(Blocks blocks) {
if (blocks.Method != installMethod)
return;
foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
var instrs = block.Instructions;
for (int i = 0; i < instrs.Count - 4; i++) {
var call = instrs[i];
if (call.OpCode.Code != Code.Call)
continue;
var calledMethod = call.Operand as MethodReference;
if (calledMethod == null || calledMethod.FullName != "System.AppDomain System.AppDomain::get_CurrentDomain()")
continue;
if (instrs[i + 1].OpCode.Code != Code.Ldnull)
continue;
var ldftn = instrs[i + 2];
if (ldftn.OpCode.Code != Code.Ldftn)
continue;
if (ldftn.Operand != handler)
continue;
var newobj = instrs[i + 3];
if (newobj.OpCode.Code != Code.Newobj)
continue;
var ctor = newobj.Operand as MethodReference;
if (ctor == null || ctor.FullName != "System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)")
continue;
var callvirt = instrs[i + 4];
if (callvirt.OpCode.Code != Code.Callvirt)
continue;
calledMethod = callvirt.Operand as MethodReference;
if (calledMethod == null || calledMethod.FullName != "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)")
continue;
block.remove(i, 5);
return;
}
}
ConfuserUtils.removeResourceHookCode(blocks, handler);
}
}
}
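Review bot: The `bool` returned by `ConfuserUtils.removeResourceHookCode(blocks, handler)` is dropped in `deobfuscate`, so a failed match is silent and the `add_ResourceResolve` registration stays in `installMethod`. If `handler` is later removed from the module (not visible here), that would leave an `ldftn` pointing at a missing method, so it is worth acting on the result, for example `if (!ConfuserUtils.removeResourceHookCode(blocks, handler))` followed by a warning through the project's logger. The helper also removes every matching sequence where the old inline loop returned after the first, which deserves a line in the commit message since the title describes a pure move. `deobfuscate` starts at the top of this hunk; its enclosing class is outside the view.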