Port Rummage deobfuscator
parent
25cee0e206
commit
90ab31eda2
|
@ -229,8 +229,8 @@
|
||||||
<Compile Include="deobfuscators\ProxyCallFixerBase.cs" />
|
<Compile Include="deobfuscators\ProxyCallFixerBase.cs" />
|
||||||
<Compile Include="deobfuscators\QuickLZ.cs" />
|
<Compile Include="deobfuscators\QuickLZ.cs" />
|
||||||
<Compile Include="deobfuscators\RandomNameChecker.cs" />
|
<Compile Include="deobfuscators\RandomNameChecker.cs" />
|
||||||
<None Include="deobfuscators\Rummage\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Rummage\Deobfuscator.cs" />
|
||||||
<None Include="deobfuscators\Rummage\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\Rummage\StringDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
|
<Compile Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
|
||||||
<Compile Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
|
||||||
|
|
|
@ -27,7 +27,7 @@ using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Rummage {
|
namespace de4dot.code.deobfuscators.Rummage {
|
||||||
class StringDecrypter {
|
class StringDecrypter {
|
||||||
ModuleDefinition module;
|
ModuleDefMD module;
|
||||||
MethodDef stringDecrypterMethod;
|
MethodDef stringDecrypterMethod;
|
||||||
FieldDefinitionAndDeclaringTypeDict<StringInfo> stringInfos = new FieldDefinitionAndDeclaringTypeDict<StringInfo>();
|
FieldDefinitionAndDeclaringTypeDict<StringInfo> stringInfos = new FieldDefinitionAndDeclaringTypeDict<StringInfo>();
|
||||||
int fileDispl;
|
int fileDispl;
|
||||||
|
@ -68,7 +68,7 @@ namespace de4dot.code.deobfuscators.Rummage {
|
||||||
get { return stringDecrypterMethod != null; }
|
get { return stringDecrypterMethod != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public StringDecrypter(ModuleDefinition module) {
|
public StringDecrypter(ModuleDefMD module) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -96,7 +96,7 @@ namespace de4dot.code.deobfuscators.Rummage {
|
||||||
static MethodDef checkType(TypeDef type) {
|
static MethodDef checkType(TypeDef type) {
|
||||||
if (!new FieldTypes(type).exactly(requiredFields))
|
if (!new FieldTypes(type).exactly(requiredFields))
|
||||||
return null;
|
return null;
|
||||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
var cctor = type.FindClassConstructor();
|
||||||
if (cctor == null)
|
if (cctor == null)
|
||||||
return null;
|
return null;
|
||||||
if (!new LocalTypes(cctor).all(requiredLocals))
|
if (!new LocalTypes(cctor).all(requiredLocals))
|
||||||
|
@ -131,14 +131,14 @@ namespace de4dot.code.deobfuscators.Rummage {
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var ldci4 = instrs[i + 1];
|
var ldci4 = instrs[i + 1];
|
||||||
if (!DotNetUtils.isLdcI4(ldci4))
|
if (!ldci4.IsLdcI4())
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var sub = instrs[i + 2];
|
var sub = instrs[i + 2];
|
||||||
if (sub.OpCode.Code != Code.Sub)
|
if (sub.OpCode.Code != Code.Sub)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
displ = DotNetUtils.getLdcI4Value(ldci4);
|
displ = ldci4.GetLdcI4Value();
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -146,7 +146,7 @@ namespace de4dot.code.deobfuscators.Rummage {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void initialize() {
|
public void initialize() {
|
||||||
reader = new BinaryReader(new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read));
|
reader = new BinaryReader(new FileStream(module.Location, FileMode.Open, FileAccess.Read, FileShare.Read));
|
||||||
initKey();
|
initKey();
|
||||||
|
|
||||||
foreach (var type in module.Types)
|
foreach (var type in module.Types)
|
||||||
|
@ -161,7 +161,7 @@ namespace de4dot.code.deobfuscators.Rummage {
|
||||||
}
|
}
|
||||||
|
|
||||||
void initType(TypeDef type) {
|
void initType(TypeDef type) {
|
||||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
var cctor = type.FindClassConstructor();
|
||||||
if (cctor == null)
|
if (cctor == null)
|
||||||
return;
|
return;
|
||||||
var info = getStringInfo(cctor);
|
var info = getStringInfo(cctor);
|
||||||
|
@ -177,15 +177,15 @@ namespace de4dot.code.deobfuscators.Rummage {
|
||||||
var instrs = method.Body.Instructions;
|
var instrs = method.Body.Instructions;
|
||||||
for (int i = 0; i < instrs.Count - 2; i++) {
|
for (int i = 0; i < instrs.Count - 2; i++) {
|
||||||
var ldci4 = instrs[i];
|
var ldci4 = instrs[i];
|
||||||
if (!DotNetUtils.isLdcI4(ldci4))
|
if (!ldci4.IsLdcI4())
|
||||||
continue;
|
continue;
|
||||||
int stringId = DotNetUtils.getLdcI4Value(ldci4);
|
int stringId = ldci4.GetLdcI4Value();
|
||||||
|
|
||||||
var call = instrs[i + 1];
|
var call = instrs[i + 1];
|
||||||
if (call.OpCode.Code != Code.Call)
|
if (call.OpCode.Code != Code.Call)
|
||||||
continue;
|
continue;
|
||||||
var calledMethod = call.Operand as MethodReference;
|
var calledMethod = call.Operand as IMethod;
|
||||||
if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(stringDecrypterMethod, calledMethod))
|
if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(stringDecrypterMethod, calledMethod))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var stsfld = instrs[i + 2];
|
var stsfld = instrs[i + 2];
|
||||||
|
@ -210,7 +210,7 @@ namespace de4dot.code.deobfuscators.Rummage {
|
||||||
if (instr.OpCode.Code != Code.Ldsfld)
|
if (instr.OpCode.Code != Code.Ldsfld)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var field = instr.Operand as FieldReference;
|
var field = instr.Operand as IField;
|
||||||
if (field == null)
|
if (field == null)
|
||||||
continue;
|
continue;
|
||||||
var info = stringInfos.find(field);
|
var info = stringInfos.find(field);
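Review bot: In `initialize()`, the new `new FileStream(module.Location, FileMode.Open, FileAccess.Read, FileShare.Read)` assumes the module was loaded from a file on disk. As far as I know, dnlib leaves `Location` empty for a module loaded from a byte array or stream, in which case the constructor throws an `ArgumentException` that gives no hint at the cause. A guard before the open, such as `if (string.IsNullOrEmpty(module.Location)) throw new InvalidOperationException("module was not loaded from a file");`, would make that failure explicit. The `BinaryReader` is also kept in the `reader` field and nothing in the visible hunks disposes it, so the handle on the input file presumably stays open until collection. Because the input is an obfuscated and possibly hostile binary, it is worth confirming that the reader is released deterministically and that offsets derived from `fileDispl` and the string id are checked against the stream length; the body of `initialize()` continues outside the hunk.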
|
||||||
|
|
|
@ -55,8 +55,8 @@ namespace de4dot.cui {
|
||||||
new de4dot.code.deobfuscators.ILProtector.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.ILProtector.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
|
|
||||||
#endif
|
#endif
|
||||||
|
new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
|
||||||
#if PORT
|
#if PORT
|
||||||
new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
|
||||||
|
|