Fix detection of DS string decrypter
This commit is contained in:
parent
36a5272e40
commit
989e364481
|
@ -185,7 +185,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
Method = method;
|
Method = method;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static bool isPossibleDecrypterMethod(MethodDef method, bool firstTime) {
|
public static bool isPossibleDecrypterMethod(MethodDef method, ref bool? state) {
|
||||||
if (!checkMethodSignature(method))
|
if (!checkMethodSignature(method))
|
||||||
return false;
|
return false;
|
||||||
var fields = getFields(method);
|
var fields = getFields(method);
|
||||||
|
@ -406,8 +406,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
this.Method = method;
|
this.Method = method;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static bool isPossibleDecrypterMethod(MethodDef method, bool firstTime) {
|
public static bool isPossibleDecrypterMethod(MethodDef method, ref bool? state) {
|
||||||
if (!firstTime || !checkFields(method.DeclaringType.Fields))
|
if (state == null)
|
||||||
|
state = checkFields(method.DeclaringType.Fields);
|
||||||
|
if (!state.Value)
|
||||||
return false;
|
return false;
|
||||||
return DotNetUtils.isMethod(method, "System.String", "(System.Int32,System.Int32)");
|
return DotNetUtils.isMethod(method, "System.String", "(System.Int32,System.Int32)");
|
||||||
}
|
}
|
||||||
|
@ -559,8 +561,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
get { return DecrypterVersion.V1_3; }
|
get { return DecrypterVersion.V1_3; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public static bool isPossibleDecrypterMethod(MethodDef method, bool firstTime) {
|
public static bool isPossibleDecrypterMethod(MethodDef method, ref bool? state) {
|
||||||
if (!firstTime || !checkFields(method.DeclaringType.Fields))
|
if (state == null)
|
||||||
|
state = checkFields(method.DeclaringType.Fields);
|
||||||
|
if (!state.Value)
|
||||||
return false;
|
return false;
|
||||||
return DotNetUtils.isMethod(method, "System.String", "(System.Int32)");
|
return DotNetUtils.isMethod(method, "System.String", "(System.Int32)");
|
||||||
}
|
}
|
||||||
|
@ -737,29 +741,28 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
bool deobfuscatedCctor = false;
|
bool deobfuscatedCctor = false;
|
||||||
bool firstTime = true;
|
bool? v13State = null, v40State = null, v41State = null;
|
||||||
foreach (var method in type.Methods) {
|
foreach (var method in type.Methods) {
|
||||||
if (!method.IsStatic || method.Body == null)
|
if (!method.IsStatic || method.Body == null)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
IDecrypterInfo info = null;
|
IDecrypterInfo info = null;
|
||||||
|
|
||||||
if (DecrypterInfo13.isPossibleDecrypterMethod(method, firstTime)) {
|
if (DecrypterInfo13.isPossibleDecrypterMethod(method, ref v13State)) {
|
||||||
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
|
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
|
||||||
simpleDeobfuscator.deobfuscate(method);
|
simpleDeobfuscator.deobfuscate(method);
|
||||||
info = getInfoV13(cctor, method);
|
info = getInfoV13(cctor, method);
|
||||||
}
|
}
|
||||||
else if (DecrypterInfo40.isPossibleDecrypterMethod(method, firstTime)) {
|
else if (DecrypterInfo40.isPossibleDecrypterMethod(method, ref v40State)) {
|
||||||
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
|
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
|
||||||
simpleDeobfuscator.deobfuscate(method);
|
simpleDeobfuscator.deobfuscate(method);
|
||||||
info = getInfoV40(cctor, method);
|
info = getInfoV40(cctor, method);
|
||||||
}
|
}
|
||||||
else if (DecrypterInfo41.isPossibleDecrypterMethod(method, firstTime)) {
|
else if (DecrypterInfo41.isPossibleDecrypterMethod(method, ref v41State)) {
|
||||||
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
|
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
|
||||||
simpleDeobfuscator.deobfuscate(method);
|
simpleDeobfuscator.deobfuscate(method);
|
||||||
info = getInfoV41(cctor, method);
|
info = getInfoV41(cctor, method);
|
||||||
}
|
}
|
||||||
firstTime = false;
|
|
||||||
|
|
||||||
if (info == null)
|
if (info == null)
|
||||||
continue;
|
continue;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user