monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix detection of DS string decrypter

Browse Source
This commit is contained in:
de4dot 2012-11-20 05:35:05 +01:00
parent 36a5272e40
commit 989e364481
1 changed files with 13 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs
View File

@ -185,7 +185,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
Method = method;
}
public static bool isPossibleDecrypterMethod(MethodDef method, bool firstTime) {
public static bool isPossibleDecrypterMethod(MethodDef method, ref bool? state) {
if (!checkMethodSignature(method))
return false;
var fields = getFields(method);
@ -406,8 +406,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
this.Method = method;
}
public static bool isPossibleDecrypterMethod(MethodDef method, bool firstTime) {
if (!firstTime || !checkFields(method.DeclaringType.Fields))
public static bool isPossibleDecrypterMethod(MethodDef method, ref bool? state) {
if (state == null)
state = checkFields(method.DeclaringType.Fields);
if (!state.Value)
return false;
return DotNetUtils.isMethod(method, "System.String", "(System.Int32,System.Int32)");
}
@ -559,8 +561,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
get { return DecrypterVersion.V1_3; }
}
public static bool isPossibleDecrypterMethod(MethodDef method, bool firstTime) {
if (!firstTime || !checkFields(method.DeclaringType.Fields))
public static bool isPossibleDecrypterMethod(MethodDef method, ref bool? state) {
if (state == null)
state = checkFields(method.DeclaringType.Fields);
if (!state.Value)
return false;
return DotNetUtils.isMethod(method, "System.String", "(System.Int32)");
}
@ -737,29 +741,28 @@ namespace de4dot.code.deobfuscators.DeepSea {
continue;
bool deobfuscatedCctor = false;
bool firstTime = true;
bool? v13State = null, v40State = null, v41State = null;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
IDecrypterInfo info = null;
if (DecrypterInfo13.isPossibleDecrypterMethod(method, firstTime)) {
if (DecrypterInfo13.isPossibleDecrypterMethod(method, ref v13State)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV13(cctor, method);
}
else if (DecrypterInfo40.isPossibleDecrypterMethod(method, firstTime)) {
else if (DecrypterInfo40.isPossibleDecrypterMethod(method, ref v40State)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV40(cctor, method);
}
else if (DecrypterInfo41.isPossibleDecrypterMethod(method, firstTime)) {
else if (DecrypterInfo41.isPossibleDecrypterMethod(method, ref v41State)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV41(cctor, method);
}
firstTime = false;
if (info == null)
continue;