Set initlocals and add an option to disable it

2012-04-29 06:16:53 +02:00 · 2012-04-29 06:16:53 +02:00 · 920f079855
commit 920f079855
parent eb17298625
2 changed files with 41 additions and 0 deletions
--- a/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs
@ -33,6 +33,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
 		BoolOption decryptResources;
 		BoolOption removeStackFrameHelper;
 		BoolOption restoreVmCode;
+		BoolOption setInitLocals;

 		public DeobfuscatorInfo()
 			: base(DEFAULT_REGEX) {
@ -40,6 +41,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
 			decryptResources = new BoolOption(null, makeArgName("rsrc"), "Decrypt resources", true);
 			removeStackFrameHelper = new BoolOption(null, makeArgName("stack"), "Remove all StackFrameHelper code", true);
 			restoreVmCode = new BoolOption(null, makeArgName("vm"), "Restore VM code", true);
+			setInitLocals = new BoolOption(null, makeArgName("initlocals"), "Set initlocals in method header", true);
 		}

 		public override string Name {
@ -57,6 +59,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
 				DecryptResources = decryptResources.get(),
 				RemoveStackFrameHelper = removeStackFrameHelper.get(),
 				RestoreVmCode = restoreVmCode.get(),
+				SetInitLocals = setInitLocals.get(),
 			});
 		}

@ -66,6 +69,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
 				decryptResources,
 				removeStackFrameHelper,
 				restoreVmCode,
+				setInitLocals,
 			};
 		}
 	}
@ -88,6 +92,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
 			public bool DecryptResources { get; set; }
 			public bool RemoveStackFrameHelper { get; set; }
 			public bool RestoreVmCode { get; set; }
+			public bool SetInitLocals { get; set; }
 		}

 		public override string Type {
@ -289,6 +294,8 @@ namespace de4dot.code.deobfuscators.CliSecure {
 		}

 		public override void deobfuscateEnd() {
+			if (options.SetInitLocals)
+				setInitLocals();
 			removeProxyDelegates(proxyDelegateFinder);
 			if (options.RemoveStackFrameHelper) {
 				if (stackFrameHelper.ExceptionLoggerRemover.NumRemovedExceptionLoggers > 0)
--- a/de4dot.code/deobfuscators/DeobfuscatorBase.cs
+++ b/de4dot.code/deobfuscators/DeobfuscatorBase.cs
@ -588,6 +588,40 @@ namespace de4dot.code.deobfuscators {
 			Log.deIndent();
 		}

+		protected void setInitLocals() {
+			foreach (var type in module.GetTypes()) {
+				foreach (var method in type.Methods) {
+					if (isFatHeader(method))
+						method.Body.InitLocals = true;
+				}
+			}
+		}
+
+		static bool isFatHeader(MethodDefinition method) {
+			if (method == null || method.Body == null)
+				return false;
+			var body = method.Body;
+			if (body.InitLocals || body.MaxStackSize > 8)
+				return true;
+			if (body.Variables.Count > 0)
+				return true;
+			if (body.ExceptionHandlers.Count > 0)
+				return true;
+			if (getCodeSize(method) > 63)
+				return true;
+
+			return false;
+		}
+
+		static int getCodeSize(MethodDefinition method) {
+			if (method == null || method.Body == null)
+				return 0;
+			int size = 0;
+			foreach (var instr in method.Body.Instructions)
+				size += instr.GetSize();
+			return size;
+		}
+
 		public override string ToString() {
 			return Name;
 		}