Support latest CO build
This commit is contained in:
parent
32997da3ba
commit
941929cf7a
|
@ -125,10 +125,10 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
}
|
}
|
||||||
|
|
||||||
MethodDefinition getProxyCreateMethod(TypeDefinition type) {
|
MethodDefinition getProxyCreateMethod(TypeDefinition type) {
|
||||||
if (type.Fields.Count < 1 || type.Fields.Count > 3)
|
|
||||||
return null;
|
|
||||||
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
|
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
|
||||||
return null;
|
return null;
|
||||||
|
if (type.Fields.Count < 1 || type.Fields.Count > 4)
|
||||||
|
return null;
|
||||||
|
|
||||||
MethodDefinition createMethod = null;
|
MethodDefinition createMethod = null;
|
||||||
foreach (var m in type.Methods) {
|
foreach (var m in type.Methods) {
|
||||||
|
|
|
@ -38,6 +38,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
byte bitwiseNotEncryptedFlag;
|
byte bitwiseNotEncryptedFlag;
|
||||||
FrameworkType frameworkType;
|
FrameworkType frameworkType;
|
||||||
bool flipFlagsBits;
|
bool flipFlagsBits;
|
||||||
|
int skipBytes;
|
||||||
|
|
||||||
public ResourceDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
|
public ResourceDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
|
@ -67,7 +68,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
initializeDecrypterFlags(simpleDeobfuscator);
|
initializeHeaderInfo(simpleDeobfuscator);
|
||||||
}
|
}
|
||||||
|
|
||||||
static string[] requiredTypes = new string[] {
|
static string[] requiredTypes = new string[] {
|
||||||
|
@ -168,7 +169,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void initializeDecrypterFlags(ISimpleDeobfuscator simpleDeobfuscator) {
|
void initializeHeaderInfo(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
|
skipBytes = 0;
|
||||||
|
|
||||||
if (resourceDecrypterType != null) {
|
if (resourceDecrypterType != null) {
|
||||||
if (updateFlags(getDecrypterMethod(), simpleDeobfuscator))
|
if (updateFlags(getDecrypterMethod(), simpleDeobfuscator))
|
||||||
return;
|
return;
|
||||||
|
@ -226,6 +229,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
}
|
}
|
||||||
|
|
||||||
flipFlagsBits = checkFlipBits(method);
|
flipFlagsBits = checkFlipBits(method);
|
||||||
|
skipBytes = getHeaderSkipBytes(method);
|
||||||
|
|
||||||
switch (frameworkType) {
|
switch (frameworkType) {
|
||||||
case FrameworkType.Desktop:
|
case FrameworkType.Desktop:
|
||||||
|
@ -262,6 +266,22 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int getHeaderSkipBytes(MethodDefinition method) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 1; i++) {
|
||||||
|
var ldci4 = instrs[i];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
|
continue;
|
||||||
|
if (DotNetUtils.getLdcI4Value(ldci4) != 2)
|
||||||
|
continue;
|
||||||
|
var blt = instrs[i + 1];
|
||||||
|
if (blt.OpCode.Code != Code.Blt && blt.OpCode.Code != Code.Blt_S)
|
||||||
|
continue;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static bool isFlag(int value) {
|
static bool isFlag(int value) {
|
||||||
for (uint tmp = (uint)value; tmp != 0; tmp >>= 1) {
|
for (uint tmp = (uint)value; tmp != 0; tmp >>= 1) {
|
||||||
if ((tmp & 1) != 0)
|
if ((tmp & 1) != 0)
|
||||||
|
@ -290,6 +310,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
int sourceStreamOffset = 1;
|
int sourceStreamOffset = 1;
|
||||||
bool didSomething = false;
|
bool didSomething = false;
|
||||||
|
|
||||||
|
sourceStream.Position += skipBytes;
|
||||||
|
sourceStreamOffset += skipBytes;
|
||||||
|
|
||||||
byte allFlags = (byte)(desEncryptedFlag | deflatedFlag | bitwiseNotEncryptedFlag);
|
byte allFlags = (byte)(desEncryptedFlag | deflatedFlag | bitwiseNotEncryptedFlag);
|
||||||
if ((flags & ~allFlags) != 0)
|
if ((flags & ~allFlags) != 0)
|
||||||
Log.w("Found unknown resource encryption flags: 0x{0:X2}", flags);
|
Log.w("Found unknown resource encryption flags: 0x{0:X2}", flags);
|
||||||
|
|
Loading…
Reference in New Issue
Block a user