Fix the calculation of magic
It seems that Eazfuscator.NET sometimes calculates the magic with different constants so I had to get them programmatically
This commit is contained in:
parent
63607a6678
commit
84e0aa0b77
|
@ -216,6 +216,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
|||
return false;
|
||||
}
|
||||
|
||||
|
||||
static List<MethodDef> GetBinaryIntMethods(TypeDef type) {
|
||||
var list = new List<MethodDef>();
|
||||
foreach (var method in type.Methods) {
|
||||
|
@ -336,6 +337,51 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
|||
return BinOp1(efConstMethods[5].DeclaringType.MDToken.ToInt32(), BinOp3(BinOp2(efConstMethods[4].DeclaringType.MDToken.ToInt32(), efConstMethods[0].DeclaringType.MDToken.ToInt32()), BinOp3(efConstMethods[2].DeclaringType.MDToken.ToInt32() ^ i3, ConstMethod5())));
|
||||
}
|
||||
|
||||
bool FindShiftInts(MethodDef method, out List<int> bytes) {
|
||||
var instrs = method.Body.Instructions;
|
||||
var constantsReader = new EfConstantsReader(method);
|
||||
bytes = new List<int>(8);
|
||||
|
||||
for (int i = 0; i < instrs.Count - 4; i++) {
|
||||
if (bytes.Count >= 8)
|
||||
return true;
|
||||
|
||||
var ldloc1 = instrs[i];
|
||||
if (ldloc1.OpCode.Code != Code.Ldloc_1)
|
||||
continue;
|
||||
|
||||
var ldlocs = instrs[i + 1];
|
||||
if (ldlocs.OpCode.Code != Code.Ldloc_S)
|
||||
continue;
|
||||
|
||||
var maybe = instrs[i + 2];
|
||||
if (maybe.OpCode.Code == Code.Conv_U1) {
|
||||
var callvirt = instrs[i + 3];
|
||||
if (callvirt.OpCode.Code != Code.Callvirt)
|
||||
return false;
|
||||
|
||||
bytes.Add(0);
|
||||
continue;
|
||||
}
|
||||
var shr = instrs[i + 3];
|
||||
if (shr.OpCode.Code != Code.Shr)
|
||||
return false;
|
||||
|
||||
var convu1 = instrs[i + 4];
|
||||
if (convu1.OpCode.Code != Code.Conv_U1)
|
||||
return false;
|
||||
|
||||
int constant;
|
||||
int index = i + 2;
|
||||
if (!constantsReader.GetInt32(ref index, out constant))
|
||||
return false;
|
||||
|
||||
bytes.Add(constant);
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
public ulong GetMagic() {
|
||||
if (type == null)
|
||||
throw new ApplicationException("Can't calculate magic since type isn't initialized");
|
||||
|
@ -346,15 +392,22 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
|||
bytes.AddRange(module.Assembly.PublicKeyToken.Data);
|
||||
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.String));
|
||||
}
|
||||
int cm1 = ConstMethod1();
|
||||
bytes.Add((byte)(type.MDToken.ToInt32() >> 24));
|
||||
bytes.Add((byte)(cm1 >> 16));
|
||||
bytes.Add((byte)(type.MDToken.ToInt32() >> 8));
|
||||
bytes.Add((byte)cm1);
|
||||
bytes.Add((byte)(type.MDToken.ToInt32() >> 16));
|
||||
bytes.Add((byte)(cm1 >> 8));
|
||||
bytes.Add((byte)type.MDToken.ToInt32());
|
||||
bytes.Add((byte)(cm1 >> 24));
|
||||
|
||||
List<int> shiftConsts;
|
||||
if (!FindShiftInts(int64Method, out shiftConsts))
|
||||
throw new ApplicationException("Could not extract magic constants");
|
||||
|
||||
int num3 = ConstMethod1();
|
||||
int num2 = type.MDToken.ToInt32();
|
||||
|
||||
bytes.Add((byte)(num2 >> shiftConsts[0]));
|
||||
bytes.Add((byte)(num3 >> shiftConsts[1]));
|
||||
bytes.Add((byte)(num2 >> shiftConsts[2]));
|
||||
bytes.Add((byte)(num3 >> shiftConsts[3]));
|
||||
bytes.Add((byte)(num2 >> shiftConsts[4]));
|
||||
bytes.Add((byte)(num3 >> shiftConsts[5]));
|
||||
bytes.Add((byte)(num2 >> shiftConsts[6]));
|
||||
bytes.Add((byte)(num3 >> shiftConsts[7]));
|
||||
|
||||
ulong magic = 0;
|
||||
foreach (var b in bytes) {
|
||||
|
|
Loading…
Reference in New Issue