Move code to ConfuserUtils
parent
7b3cb1e007
commit
8477e79b88
|
@ -20,6 +20,7 @@
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
using Mono.Cecil.Cil;
|
using Mono.Cecil.Cil;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Confuser {
|
namespace de4dot.code.deobfuscators.Confuser {
|
||||||
static class ConfuserUtils {
|
static class ConfuserUtils {
|
||||||
|
@ -39,5 +40,55 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
var calledMethod = instr.Operand as MethodReference;
|
var calledMethod = instr.Operand as MethodReference;
|
||||||
return calledMethod != null && calledMethod.FullName == methodFullName;
|
return calledMethod != null && calledMethod.FullName == methodFullName;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static bool removeResourceHookCode(Blocks blocks, MethodDefinition handler) {
|
||||||
|
return removeResolveHandlerCode(blocks, handler, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)");
|
||||||
|
}
|
||||||
|
|
||||||
|
public static bool removeAssemblyHookCode(Blocks blocks, MethodDefinition handler) {
|
||||||
|
return removeResolveHandlerCode(blocks, handler, "System.Void System.AppDomain::add_AssemblyResolve(System.ResolveEventHandler)");
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool removeResolveHandlerCode(Blocks blocks, MethodDefinition handler, string installHandlerMethod) {
|
||||||
|
bool modified = false;
|
||||||
|
foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
|
||||||
|
var instrs = block.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 4; i++) {
|
||||||
|
var call = instrs[i];
|
||||||
|
if (call.OpCode.Code != Code.Call)
|
||||||
|
continue;
|
||||||
|
var calledMethod = call.Operand as MethodReference;
|
||||||
|
if (calledMethod == null || calledMethod.FullName != "System.AppDomain System.AppDomain::get_CurrentDomain()")
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (instrs[i + 1].OpCode.Code != Code.Ldnull)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var ldftn = instrs[i + 2];
|
||||||
|
if (ldftn.OpCode.Code != Code.Ldftn)
|
||||||
|
continue;
|
||||||
|
if (ldftn.Operand != handler)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var newobj = instrs[i + 3];
|
||||||
|
if (newobj.OpCode.Code != Code.Newobj)
|
||||||
|
continue;
|
||||||
|
var ctor = newobj.Operand as MethodReference;
|
||||||
|
if (ctor == null || ctor.FullName != "System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)")
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var callvirt = instrs[i + 4];
|
||||||
|
if (callvirt.OpCode.Code != Code.Callvirt)
|
||||||
|
continue;
|
||||||
|
calledMethod = callvirt.Operand as MethodReference;
|
||||||
|
if (calledMethod == null || calledMethod.FullName != installHandlerMethod)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
block.remove(i, 5);
|
||||||
|
modified = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return modified;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
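Review bot: After `block.remove(i, 5);` in `removeResolveHandlerCode` the loop still runs `i++`, so the instruction that slides into index `i` is never tested as the start of another match. This assumes `Block.remove` shifts `block.Instructions` in place, which is not visible on this page; if so, two handler installs emitted back to back would leave the second one in the deobfuscated method. Adding `i--;` after `modified = true;` rescans from the same index. The helper would also benefit from a short comment listing the five-instruction sequence it matches (call `get_CurrentDomain`, `ldnull`, `ldftn handler`, `newobj ResolveEventHandler`, `callvirt` the install method), since the exact `FullName` strings are the only description of that pattern.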
|
@ -289,44 +289,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
public void deobfuscate(Blocks blocks) {
|
public void deobfuscate(Blocks blocks) {
|
||||||
if (blocks.Method != installMethod)
|
if (blocks.Method != installMethod)
|
||||||
return;
|
return;
|
||||||
|
ConfuserUtils.removeResourceHookCode(blocks, handler);
|
||||||
foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
|
|
||||||
var instrs = block.Instructions;
|
|
||||||
for (int i = 0; i < instrs.Count - 4; i++) {
|
|
||||||
var call = instrs[i];
|
|
||||||
if (call.OpCode.Code != Code.Call)
|
|
||||||
continue;
|
|
||||||
var calledMethod = call.Operand as MethodReference;
|
|
||||||
if (calledMethod == null || calledMethod.FullName != "System.AppDomain System.AppDomain::get_CurrentDomain()")
|
|
||||||
continue;
|
|
||||||
|
|
||||||
if (instrs[i + 1].OpCode.Code != Code.Ldnull)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
var ldftn = instrs[i + 2];
|
|
||||||
if (ldftn.OpCode.Code != Code.Ldftn)
|
|
||||||
continue;
|
|
||||||
if (ldftn.Operand != handler)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
var newobj = instrs[i + 3];
|
|
||||||
if (newobj.OpCode.Code != Code.Newobj)
|
|
||||||
continue;
|
|
||||||
var ctor = newobj.Operand as MethodReference;
|
|
||||||
if (ctor == null || ctor.FullName != "System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)")
|
|
||||||
continue;
|
|
||||||
|
|
||||||
var callvirt = instrs[i + 4];
|
|
||||||
if (callvirt.OpCode.Code != Code.Callvirt)
|
|
||||||
continue;
|
|
||||||
calledMethod = callvirt.Operand as MethodReference;
|
|
||||||
if (calledMethod == null || calledMethod.FullName != "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)")
|
|
||||||
continue;
|
|
||||||
|
|
||||||
block.remove(i, 5);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
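Review bot: The new call `ConfuserUtils.removeResourceHookCode(blocks, handler);` in `deobfuscate` discards the helper's bool result, and the change is not a pure move. The removed inline loop returned right after the first `block.remove(i, 5)`, while the shared helper keeps scanning every block and removes every match. If removing all matches is intended, a one-line comment such as `// removes every ResourceResolve hook install for handler; result intentionally unused` would make that explicit. The enclosing class starts outside this hunk, so whether any caller needs a "modified" signal cannot be checked from here.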