Load target asm's CLR version when decrypting strings dynamically

2012-12-01 01:40:23 +01:00 · 2012-12-01 01:40:23 +01:00 · 99c7cf8eb5
commit 99c7cf8eb5
parent a67529ff35
3 changed files with 27 additions and 17 deletions
--- a/de4dot.code/AssemblyClient/AssemblyClientFactory.cs
+++ b/de4dot.code/AssemblyClient/AssemblyClientFactory.cs
@ -17,6 +17,8 @@
    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
 */

+using dot10.DotNet;
+
 namespace de4dot.code.AssemblyClient {
 	public interface IAssemblyClientFactory {
 		IAssemblyClient create();
@ -45,8 +47,27 @@ namespace de4dot.code.AssemblyClient {
 			this.serverVersion = serverVersion;
 		}

+		public IAssemblyClient create(ModuleDef module) {
+			return new AssemblyClient(new NewProcessAssemblyServerLoader(getServerClrVersion(module)));
+		}
+
 		public IAssemblyClient create() {
 			return new AssemblyClient(new NewProcessAssemblyServerLoader(serverVersion));
 		}
+
+		internal static ServerClrVersion getServerClrVersion(ModuleDef module) {
+			switch (module.GetPointerSize()) {
+			default:
+			case 4:
+				if (module.IsClr40)
+					return ServerClrVersion.CLR_v40_x86;
+				return ServerClrVersion.CLR_v20_x86;
+
+			case 8:
+				if (module.IsClr40)
+					return ServerClrVersion.CLR_v40_x64;
+				return ServerClrVersion.CLR_v20_x64;
+			}
+		}
 	}
 }
--- a/de4dot.code/ObfuscatedFile.cs
+++ b/de4dot.code/ObfuscatedFile.cs
@ -355,7 +355,11 @@ namespace de4dot.code {
 			case DecrypterType.Delegate:
 			case DecrypterType.Emulate:
 				checkSupportedStringDecrypter(StringFeatures.AllowDynamicDecryption);
-				assemblyClient = assemblyClientFactory.create();
+				var newProcFactory = assemblyClientFactory as NewProcessAssemblyClientFactory;
+				if (newProcFactory != null)
+					assemblyClient = newProcFactory.create(module);
+				else
+					assemblyClient = assemblyClientFactory.create();
 				assemblyClient.connect();
 				break;

--- a/de4dot.code/deobfuscators/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/MethodsDecrypter.cs
@ -25,7 +25,7 @@ using de4dot.mdecrypt;
 namespace de4dot.code.deobfuscators {
 	static class MethodsDecrypter {
 		public static DumpedMethods decrypt(ModuleDef module, byte[] moduleCctorBytes) {
-			return decrypt(getServerClrVersion(module), module.Location, moduleCctorBytes);
+			return decrypt(NewProcessAssemblyClientFactory.getServerClrVersion(module), module.Location, moduleCctorBytes);
 		}

 		public static DumpedMethods decrypt(ServerClrVersion serverVersion, string filename, byte[] moduleCctorBytes) {
@ -39,20 +39,5 @@ namespace de4dot.code.deobfuscators {
 				return client.Service.decryptMethods();
 			}
 		}
-
-		static ServerClrVersion getServerClrVersion(ModuleDef module) {
-			switch (module.GetPointerSize()) {
-			default:
-			case 4:
-				if (module.IsClr40)
-					return ServerClrVersion.CLR_v40_x86;
-				return ServerClrVersion.CLR_v20_x86;
-
-			case 8:
-				if (module.IsClr40)
-					return ServerClrVersion.CLR_v40_x64;
-				return ServerClrVersion.CLR_v20_x64;
-			}
-		}
 	}
 }