Support latest CO build

de4dot 2012-04-15 23:42:11 +02:00
parent 32997da3ba
commit 941929cf7a
2 changed files with 27 additions and 4 deletions


@ -125,10 +125,10 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
} }
MethodDefinition getProxyCreateMethod(TypeDefinition type) { MethodDefinition getProxyCreateMethod(TypeDefinition type) {
if (type.Fields.Count < 1 || type.Fields.Count > 3)
return null;
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null) if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
return null; return null;
if (type.Fields.Count < 1 || type.Fields.Count > 4)
return null;
MethodDefinition createMethod = null; MethodDefinition createMethod = null;
foreach (var m in type.Methods) { foreach (var m in type.Methods) {


@ -38,6 +38,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
byte bitwiseNotEncryptedFlag; byte bitwiseNotEncryptedFlag;
FrameworkType frameworkType; FrameworkType frameworkType;
bool flipFlagsBits; bool flipFlagsBits;
int skipBytes;
public ResourceDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) { public ResourceDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
this.module = module; this.module = module;
@ -67,7 +68,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
break; break;
} }
initializeDecrypterFlags(simpleDeobfuscator); initializeHeaderInfo(simpleDeobfuscator);
} }
static string[] requiredTypes = new string[] { static string[] requiredTypes = new string[] {
@ -168,7 +169,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
} }
} }
void initializeDecrypterFlags(ISimpleDeobfuscator simpleDeobfuscator) { void initializeHeaderInfo(ISimpleDeobfuscator simpleDeobfuscator) {
skipBytes = 0;
if (resourceDecrypterType != null) { if (resourceDecrypterType != null) {
if (updateFlags(getDecrypterMethod(), simpleDeobfuscator)) if (updateFlags(getDecrypterMethod(), simpleDeobfuscator))
return; return;
@ -226,6 +229,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
} }
flipFlagsBits = checkFlipBits(method); flipFlagsBits = checkFlipBits(method);
skipBytes = getHeaderSkipBytes(method);
switch (frameworkType) { switch (frameworkType) {
case FrameworkType.Desktop: case FrameworkType.Desktop:
@ -262,6 +266,22 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
return false; return false;
} }
static int getHeaderSkipBytes(MethodDefinition method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldci4 = instrs[i];
if (!DotNetUtils.isLdcI4(ldci4))
continue;
if (DotNetUtils.getLdcI4Value(ldci4) != 2)
continue;
var blt = instrs[i + 1];
if (blt.OpCode.Code != Code.Blt && blt.OpCode.Code != Code.Blt_S)
continue;
return 1;
}
return 0;
}
static bool isFlag(int value) { static bool isFlag(int value) {
for (uint tmp = (uint)value; tmp != 0; tmp >>= 1) { for (uint tmp = (uint)value; tmp != 0; tmp >>= 1) {
if ((tmp & 1) != 0) if ((tmp & 1) != 0)
@ -290,6 +310,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
int sourceStreamOffset = 1; int sourceStreamOffset = 1;
bool didSomething = false; bool didSomething = false;
sourceStream.Position += skipBytes;
sourceStreamOffset += skipBytes;
byte allFlags = (byte)(desEncryptedFlag | deflatedFlag | bitwiseNotEncryptedFlag); byte allFlags = (byte)(desEncryptedFlag | deflatedFlag | bitwiseNotEncryptedFlag);
if ((flags & ~allFlags) != 0) if ((flags & ~allFlags) != 0)
Log.w("Found unknown resource encryption flags: 0x{0:X2}", flags); Log.w("Found unknown resource encryption flags: 0x{0:X2}", flags);
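Review bot: In getHeaderSkipBytes (the -262,6 +266,22 hunk), `method.Body.Instructions` is read with no check that the method has a body, and the match accepts any `ldc.i4 2` immediately followed by `blt`/`blt.s` anywhere in the method. The method comes from the assembly being deobfuscated, so an unrelated comparison against 2 would set skipBytes to 1 and shift the later header reads by one byte, and nothing is logged when the skip is applied. I would add `if (method == null || method.Body == null) return 0;` unless the caller already guarantees a body (not visible here), and a comment above the loop such as `// "ldc.i4 2; blt" is taken as the marker of the header layout with one extra byte after the flags; returns the byte count to skip`. At the use site, `sourceStream.Position += skipBytes;` runs without checking the remaining stream length; whether the later reads tolerate a short resource is outside this view.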