From 941929cf7aefc8bbc8eb069ba65239a7be687962 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Sun, 15 Apr 2012 23:42:11 +0200
Subject: [PATCH] Support latest CO build

---
 .../CryptoObfuscator/ProxyDelegateFinder.cs | 4 +--
 .../CryptoObfuscator/ResourceDecrypter.cs | 27 +++++++++++++++++--
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs
index d38f4a37..72e427c3 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs
@@ -125,10 +125,10 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 }

 MethodDefinition getProxyCreateMethod(TypeDefinition type) {
- if (type.Fields.Count < 1 || type.Fields.Count > 3)
- return null;
 if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
 return null;
+ if (type.Fields.Count < 1 || type.Fields.Count > 4)
+ return null;

 MethodDefinition createMethod = null;
 foreach (var m in type.Methods) {
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
index 95ef8436..2736d3b5 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
@@ -38,6 +38,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 byte bitwiseNotEncryptedFlag;
 FrameworkType frameworkType;
 bool flipFlagsBits;
+ int skipBytes;

 public ResourceDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
 this.module = module;
@@ -67,7 +68,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 break;
 }

- initializeDecrypterFlags(simpleDeobfuscator);
+ initializeHeaderInfo(simpleDeobfuscator);
 }

 static string[] requiredTypes = new string[] {
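Review bot: In getProxyCreateMethod (the ProxyDelegateFinder.cs hunk) the field-count bound is a bare literal that this change moves from 3 to 4, and nothing records which type layout the range is meant to admit. The range is a detection heuristic that is presumably re-tuned for each obfuscator build, so widening it also widens what can be mistaken for a proxy delegate type; a comment such as `// proxy delegate types carry 1-4 fields as of the latest CO build` would make the next adjustment deliberate. The cheap count test now runs after the `findFieldType` scan; both paths return null so the result is unchanged, but if the reorder is intentional it deserves a word as well. The method body continues outside the hunk.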
@@ -168,7 +169,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 }
 }

- void initializeDecrypterFlags(ISimpleDeobfuscator simpleDeobfuscator) {
+ void initializeHeaderInfo(ISimpleDeobfuscator simpleDeobfuscator) {
+ skipBytes = 0;
+
 if (resourceDecrypterType != null) {
 if (updateFlags(getDecrypterMethod(), simpleDeobfuscator))
 return;
@@ -226,6 +229,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 }

 flipFlagsBits = checkFlipBits(method);
+ skipBytes = getHeaderSkipBytes(method);

 switch (frameworkType) {
 case FrameworkType.Desktop:
@@ -262,6 +266,22 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 return false;
 }

+ static int getHeaderSkipBytes(MethodDefinition method) {
+ var instrs = method.Body.Instructions;
+ for (int i = 0; i < instrs.Count - 1; i++) {
+ var ldci4 = instrs[i];
+ if (!DotNetUtils.isLdcI4(ldci4))
+ continue;
+ if (DotNetUtils.getLdcI4Value(ldci4) != 2)
+ continue;
+ var blt = instrs[i + 1];
+ if (blt.OpCode.Code != Code.Blt && blt.OpCode.Code != Code.Blt_S)
+ continue;
+ return 1;
+ }
+ return 0;
+ }
+
 static bool isFlag(int value) {
 for (uint tmp = (uint)value; tmp != 0; tmp >>= 1) {
 if ((tmp & 1) != 0)
@@ -290,6 +310,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 int sourceStreamOffset = 1;
 bool didSomething = false;

+ sourceStream.Position += skipBytes;
+ sourceStreamOffset += skipBytes;
+
 byte allFlags = (byte)(desEncryptedFlag | deflatedFlag | bitwiseNotEncryptedFlag);
 if ((flags & ~allFlags) != 0)
 Log.w("Found unknown resource encryption flags: 0x{0:X2}", flags);
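Review bot: getHeaderSkipBytes (hunk @@ -262,6 +266,22 @@) returns 1 as soon as any `ldc.i4 2` is followed by `blt` or `blt.s` anywhere in the method, so an unrelated comparison against 2 would shift the read position by one byte for every resource that is decrypted. The function needs a doc comment saying which header check this pattern stands for and that the return value is a byte count, for example `// Returns the number of extra header bytes to skip; newer builds are recognised by an "ldc.i4 2; blt" length check`, with the wording confirmed against the obfuscator build it targets. It also reads `method.Body.Instructions` unguarded; whether the caller already rules out a missing body is not visible in the diff, and `if (method == null || method.Body == null) return 0;` would keep the fallback at "no extra byte". The whole function lies inside the hunk.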
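Review bot: The added `sourceStream.Position += skipBytes;` (hunk @@ -290,6 +310,9 @@) moves past header data without checking that the resource is long enough, and the skipped byte is discarded unread. The resource bytes come from the obfuscated assembly under analysis, so a truncated or crafted resource should fail with a clear message at this point rather than wherever a later read hits end-of-stream. A guard before the seek would do it, e.g. `if (sourceStream.Length - sourceStream.Position < skipBytes) throw new ApplicationException("Resource header is truncated");`, assuming the stream is seekable, since its declaration is outside the hunk. The enclosing method starts and ends outside the hunk.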