monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix detection of DS string decrypter

Browse Source
This commit is contained in:
de4dot 2012-11-20 05:35:05 +01:00
parent 36a5272e40
commit 989e364481
1 changed files with 13 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs
View File

@ -185,7 +185,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
Method = method; Method = method;
} }
public static bool isPossibleDecrypterMethod(MethodDef method, bool firstTime) { public static bool isPossibleDecrypterMethod(MethodDef method, ref bool? state) {
if (!checkMethodSignature(method)) if (!checkMethodSignature(method))
return false; return false;
var fields = getFields(method); var fields = getFields(method);
@ -406,8 +406,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
this.Method = method; this.Method = method;
} }
public static bool isPossibleDecrypterMethod(MethodDef method, bool firstTime) { public static bool isPossibleDecrypterMethod(MethodDef method, ref bool? state) {
if (!firstTime || !checkFields(method.DeclaringType.Fields)) if (state == null)
state = checkFields(method.DeclaringType.Fields);
if (!state.Value)
return false; return false;
return DotNetUtils.isMethod(method, "System.String", "(System.Int32,System.Int32)"); return DotNetUtils.isMethod(method, "System.String", "(System.Int32,System.Int32)");
} }
@ -559,8 +561,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
get { return DecrypterVersion.V1_3; } get { return DecrypterVersion.V1_3; }
} }
public static bool isPossibleDecrypterMethod(MethodDef method, bool firstTime) { public static bool isPossibleDecrypterMethod(MethodDef method, ref bool? state) {
if (!firstTime || !checkFields(method.DeclaringType.Fields)) if (state == null)
state = checkFields(method.DeclaringType.Fields);
if (!state.Value)
return false; return false;
return DotNetUtils.isMethod(method, "System.String", "(System.Int32)"); return DotNetUtils.isMethod(method, "System.String", "(System.Int32)");
} }
@ -737,29 +741,28 @@ namespace de4dot.code.deobfuscators.DeepSea {
continue; continue;
bool deobfuscatedCctor = false; bool deobfuscatedCctor = false;
bool firstTime = true; bool? v13State = null, v40State = null, v41State = null;
foreach (var method in type.Methods) { foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null) if (!method.IsStatic || method.Body == null)
continue; continue;
IDecrypterInfo info = null; IDecrypterInfo info = null;
if (DecrypterInfo13.isPossibleDecrypterMethod(method, firstTime)) { if (DecrypterInfo13.isPossibleDecrypterMethod(method, ref v13State)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken); deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method); simpleDeobfuscator.deobfuscate(method);
info = getInfoV13(cctor, method); info = getInfoV13(cctor, method);
} }
else if (DecrypterInfo40.isPossibleDecrypterMethod(method, firstTime)) { else if (DecrypterInfo40.isPossibleDecrypterMethod(method, ref v40State)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken); deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method); simpleDeobfuscator.deobfuscate(method);
info = getInfoV40(cctor, method); info = getInfoV40(cctor, method);
} }
else if (DecrypterInfo41.isPossibleDecrypterMethod(method, firstTime)) { else if (DecrypterInfo41.isPossibleDecrypterMethod(method, ref v41State)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken); deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method); simpleDeobfuscator.deobfuscate(method);
info = getInfoV41(cctor, method); info = getInfoV41(cctor, method);
} }
firstTime = false;
if (info == null) if (info == null)
continue; continue;