From 8477e79b882dda2b0a561d68db7cfc9eeb846bfc Mon Sep 17 00:00:00 2001
From: de4dot
Date: Wed, 1 Aug 2012 11:40:15 +0200
Subject: [PATCH] Move code to ConfuserUtils
---
 .../deobfuscators/Confuser/ConfuserUtils.cs | 51 +++++++++++++++++++
 .../Confuser/ResourceDecrypter.cs | 39 +------------
 2 files changed, 52 insertions(+), 38 deletions(-)
diff --git a/de4dot.code/deobfuscators/Confuser/ConfuserUtils.cs b/de4dot.code/deobfuscators/Confuser/ConfuserUtils.cs
index fdf747cc..0a9f25fe 100644
--- a/de4dot.code/deobfuscators/Confuser/ConfuserUtils.cs
+++ b/de4dot.code/deobfuscators/Confuser/ConfuserUtils.cs
@@ -20,6 +20,7 @@
 using System.Collections.Generic;
 using Mono.Cecil;
 using Mono.Cecil.Cil;
+using de4dot.blocks;
 namespace de4dot.code.deobfuscators.Confuser {
 static class ConfuserUtils {
@@ -39,5 +40,55 @@ namespace de4dot.code.deobfuscators.Confuser {
 var calledMethod = instr.Operand as MethodReference;
 return calledMethod != null && calledMethod.FullName == methodFullName;
 }
+
+ public static bool removeResourceHookCode(Blocks blocks, MethodDefinition handler) {
+ return removeResolveHandlerCode(blocks, handler, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)");
+ }
+
+ public static bool removeAssemblyHookCode(Blocks blocks, MethodDefinition handler) {
+ return removeResolveHandlerCode(blocks, handler, "System.Void System.AppDomain::add_AssemblyResolve(System.ResolveEventHandler)");
+ }
+
+ static bool removeResolveHandlerCode(Blocks blocks, MethodDefinition handler, string installHandlerMethod) {
+ bool modified = false;
+ foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
+ var instrs = block.Instructions;
+ for (int i = 0; i < instrs.Count - 4; i++) {
+ var call = instrs[i];
+ if (call.OpCode.Code != Code.Call)
+ continue;
+ var calledMethod = call.Operand as MethodReference;
+ if (calledMethod == null || calledMethod.FullName != "System.AppDomain System.AppDomain::get_CurrentDomain()")
+ continue;
+
+ if (instrs[i + 1].OpCode.Code != Code.Ldnull)
+ continue;
+
+ var ldftn = instrs[i + 2];
+ if (ldftn.OpCode.Code != Code.Ldftn)
+ continue;
+ if (ldftn.Operand != handler)
+ continue;
+
+ var newobj = instrs[i + 3];
+ if (newobj.OpCode.Code != Code.Newobj)
+ continue;
+ var ctor = newobj.Operand as MethodReference;
+ if (ctor == null || ctor.FullName != "System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)")
+ continue;
+
+ var callvirt = instrs[i + 4];
+ if (callvirt.OpCode.Code != Code.Callvirt)
+ continue;
+ calledMethod = callvirt.Operand as MethodReference;
+ if (calledMethod == null || calledMethod.FullName != installHandlerMethod)
+ continue;
+
+ block.remove(i, 5);
+ modified = true;
+ }
+ }
+ return modified;
+ }
 }
 }
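Review bot: In `removeResolveHandlerCode`, the loop keeps scanning after `block.remove(i, 5)` without stepping `i` back, so if `instrs` is the block's live list, the instruction that slides into index `i` is never examined. The code this replaces in ResourceDecrypter returned after the first match, so the skipped index did not matter there; here a second hook installation emitted directly after the first would be left in the method while the function still returns `true`. Adding `i--;` after `block.remove(i, 5);` re-tests the same index. A short comment above the method listing the five-instruction sequence it matches (`call get_CurrentDomain`, `ldnull`, `ldftn handler`, `newobj ResolveEventHandler::.ctor`, `callvirt add_*Resolve`) would also help the next reader.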
diff --git a/de4dot.code/deobfuscators/Confuser/ResourceDecrypter.cs b/de4dot.code/deobfuscators/Confuser/ResourceDecrypter.cs
index 721d5e65..49ce634a 100644
--- a/de4dot.code/deobfuscators/Confuser/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/Confuser/ResourceDecrypter.cs
@@ -289,44 +289,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 public void deobfuscate(Blocks blocks) {
 if (blocks.Method != installMethod)
 return;
-
- foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
- var instrs = block.Instructions;
- for (int i = 0; i < instrs.Count - 4; i++) {
- var call = instrs[i];
- if (call.OpCode.Code != Code.Call)
- continue;
- var calledMethod = call.Operand as MethodReference;
- if (calledMethod == null || calledMethod.FullName != "System.AppDomain System.AppDomain::get_CurrentDomain()")
- continue;
-
- if (instrs[i + 1].OpCode.Code != Code.Ldnull)
- continue;
-
- var ldftn = instrs[i + 2];
- if (ldftn.OpCode.Code != Code.Ldftn)
- continue;
- if (ldftn.Operand != handler)
- continue;
-
- var newobj = instrs[i + 3];
- if (newobj.OpCode.Code != Code.Newobj)
- continue;
- var ctor = newobj.Operand as MethodReference;
- if (ctor == null || ctor.FullName != "System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)")
- continue;
-
- var callvirt = instrs[i + 4];
- if (callvirt.OpCode.Code != Code.Callvirt)
- continue;
- calledMethod = callvirt.Operand as MethodReference;
- if (calledMethod == null || calledMethod.FullName != "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)")
- continue;
-
- block.remove(i, 5);
- return;
- }
- }
+ ConfuserUtils.removeResourceHookCode(blocks, handler);
 }
 }
 }
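Review bot: The `bool` returned by `ConfuserUtils.removeResourceHookCode(blocks, handler)` is dropped in `deobfuscate`, so a run where the hook sequence is not matched looks the same as a successful one, and the cleaned method would still contain the `add_ResourceResolve` registration. Capturing the result, e.g. `bool removed = ConfuserUtils.removeResourceHookCode(blocks, handler);`, and reporting when it is false would make a missed pattern visible to whoever reads the output. If ignoring it is intended, a comment such as `// no match is not an error: the hook may already be gone` would say so. The helper also removes every match rather than stopping at the first, which is a behaviour change this call site inherits.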