Update method call remover code
This commit is contained in:
parent
c0a8eb1bbd
commit
a1e6f555ef
|
@ -47,7 +47,7 @@ namespace de4dot.deobfuscators {
|
||||||
IList<RemoveInfo<ModuleReference>> modrefsToRemove = new List<RemoveInfo<ModuleReference>>();
|
IList<RemoveInfo<ModuleReference>> modrefsToRemove = new List<RemoveInfo<ModuleReference>>();
|
||||||
List<string> namesToPossiblyRemove = new List<string>();
|
List<string> namesToPossiblyRemove = new List<string>();
|
||||||
bool scanForObfuscatorCalled = false;
|
bool scanForObfuscatorCalled = false;
|
||||||
Dictionary<MethodReferenceAndDeclaringTypeKey, MethodDefinition> cctorInitCallsToRemove = new Dictionary<MethodReferenceAndDeclaringTypeKey, MethodDefinition>();
|
MethodCallRemover methodCallRemover = new MethodCallRemover();
|
||||||
|
|
||||||
internal class OptionsBase : IDeobfuscatorOptions {
|
internal class OptionsBase : IDeobfuscatorOptions {
|
||||||
public bool RenameResourcesInCode { get; set; }
|
public bool RenameResourcesInCode { get; set; }
|
||||||
|
@ -109,7 +109,7 @@ namespace de4dot.deobfuscators {
|
||||||
}
|
}
|
||||||
|
|
||||||
public virtual void deobfuscateMethodEnd(Blocks blocks) {
|
public virtual void deobfuscateMethodEnd(Blocks blocks) {
|
||||||
removeInitializeMethodCalls(blocks);
|
removeMethodCalls(blocks);
|
||||||
}
|
}
|
||||||
|
|
||||||
public virtual void deobfuscateStrings(Blocks blocks) {
|
public virtual void deobfuscateStrings(Blocks blocks) {
|
||||||
|
@ -139,39 +139,105 @@ namespace de4dot.deobfuscators {
|
||||||
return new List<string>();
|
return new List<string>();
|
||||||
}
|
}
|
||||||
|
|
||||||
public void addCctorInitCallToBeRemoved(MethodDefinition method) {
|
class MethodCallRemover {
|
||||||
if (method == null)
|
Dictionary<string, Dictionary<MethodReferenceAndDeclaringTypeKey, bool>> methodNameInfos = new Dictionary<string, Dictionary<MethodReferenceAndDeclaringTypeKey, bool>>(StringComparer.Ordinal);
|
||||||
return;
|
Dictionary<MethodReferenceAndDeclaringTypeKey, Dictionary<MethodReferenceAndDeclaringTypeKey, bool>> methodRefInfos = new Dictionary<MethodReferenceAndDeclaringTypeKey, Dictionary<MethodReferenceAndDeclaringTypeKey, bool>>();
|
||||||
if (method.Parameters.Count != 0)
|
|
||||||
throw new ApplicationException(string.Format("Method takes params: {0}", method));
|
|
||||||
if (DotNetUtils.hasReturnValue(method))
|
|
||||||
throw new ApplicationException(string.Format("Method has a return value: {0}", method));
|
|
||||||
cctorInitCallsToRemove[new MethodReferenceAndDeclaringTypeKey(method)] = method;
|
|
||||||
}
|
|
||||||
|
|
||||||
void removeInitializeMethodCalls(Blocks blocks) {
|
void checkMethod(MethodReference methodToBeRemoved) {
|
||||||
if (blocks.Method.Name != ".cctor")
|
if (methodToBeRemoved.Parameters.Count != 0)
|
||||||
return;
|
throw new ApplicationException(string.Format("Method takes params: {0}", methodToBeRemoved));
|
||||||
|
if (DotNetUtils.hasReturnValue(methodToBeRemoved))
|
||||||
|
throw new ApplicationException(string.Format("Method has a return value: {0}", methodToBeRemoved));
|
||||||
|
}
|
||||||
|
|
||||||
foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
|
public void add(string method, MethodReference methodToBeRemoved) {
|
||||||
|
if (methodToBeRemoved == null)
|
||||||
|
return;
|
||||||
|
checkMethod(methodToBeRemoved);
|
||||||
|
|
||||||
|
Dictionary<MethodReferenceAndDeclaringTypeKey, bool> dict;
|
||||||
|
if (!methodNameInfos.TryGetValue(method, out dict))
|
||||||
|
methodNameInfos[method] = dict = new Dictionary<MethodReferenceAndDeclaringTypeKey, bool>();
|
||||||
|
dict[new MethodReferenceAndDeclaringTypeKey(methodToBeRemoved)] = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void add(MethodDefinition method, MethodReference methodToBeRemoved) {
|
||||||
|
if (method == null || methodToBeRemoved == null)
|
||||||
|
return;
|
||||||
|
checkMethod(methodToBeRemoved);
|
||||||
|
|
||||||
|
Dictionary<MethodReferenceAndDeclaringTypeKey, bool> dict;
|
||||||
|
var methodKey = new MethodReferenceAndDeclaringTypeKey(method);
|
||||||
|
if (!methodRefInfos.TryGetValue(methodKey, out dict))
|
||||||
|
methodRefInfos[methodKey] = dict = new Dictionary<MethodReferenceAndDeclaringTypeKey, bool>();
|
||||||
|
dict[new MethodReferenceAndDeclaringTypeKey(methodToBeRemoved)] = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void removeAll(Blocks blocks) {
|
||||||
|
if (blocks.Method.Name != ".cctor")
|
||||||
|
return;
|
||||||
|
|
||||||
|
var allBlocks = blocks.MethodBlocks.getAllBlocks();
|
||||||
|
|
||||||
|
removeAll(allBlocks, blocks, blocks.Method.Name);
|
||||||
|
removeAll(allBlocks, blocks, blocks.Method);
|
||||||
|
}
|
||||||
|
|
||||||
|
void removeAll(IList<Block> allBlocks, Blocks blocks, string method) {
|
||||||
|
Dictionary<MethodReferenceAndDeclaringTypeKey, bool> info;
|
||||||
|
if (!methodNameInfos.TryGetValue(method, out info))
|
||||||
|
return;
|
||||||
|
|
||||||
|
removeCalls(allBlocks, blocks, info);
|
||||||
|
}
|
||||||
|
|
||||||
|
void removeAll(IList<Block> allBlocks, Blocks blocks, MethodDefinition method) {
|
||||||
|
Dictionary<MethodReferenceAndDeclaringTypeKey, bool> info;
|
||||||
|
if (!methodRefInfos.TryGetValue(new MethodReferenceAndDeclaringTypeKey(method), out info))
|
||||||
|
return;
|
||||||
|
|
||||||
|
removeCalls(allBlocks, blocks, info);
|
||||||
|
}
|
||||||
|
|
||||||
|
void removeCalls(IList<Block> allBlocks, Blocks blocks, Dictionary<MethodReferenceAndDeclaringTypeKey, bool> info) {
|
||||||
var instrsToDelete = new List<int>();
|
var instrsToDelete = new List<int>();
|
||||||
for (int i = 0; i < block.Instructions.Count; i++) {
|
foreach (var block in allBlocks) {
|
||||||
var instr = block.Instructions[i];
|
instrsToDelete.Clear();
|
||||||
if (instr.OpCode == OpCodes.Call) {
|
for (int i = 0; i < block.Instructions.Count; i++) {
|
||||||
|
var instr = block.Instructions[i];
|
||||||
|
if (instr.OpCode != OpCodes.Call)
|
||||||
|
continue;
|
||||||
var destMethod = instr.Operand as MethodReference;
|
var destMethod = instr.Operand as MethodReference;
|
||||||
if (destMethod == null)
|
if (destMethod == null)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var key = new MethodReferenceAndDeclaringTypeKey(destMethod);
|
var key = new MethodReferenceAndDeclaringTypeKey(destMethod);
|
||||||
if (cctorInitCallsToRemove.ContainsKey(key)) {
|
if (info.ContainsKey(key)) {
|
||||||
Log.v("Removed call to {0}", destMethod);
|
Log.v("Removed call to {0}", destMethod);
|
||||||
instrsToDelete.Add(i);
|
instrsToDelete.Add(i);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
block.remove(instrsToDelete);
|
||||||
}
|
}
|
||||||
block.remove(instrsToDelete);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void addCctorInitCallToBeRemoved(MethodReference methodToBeRemoved) {
|
||||||
|
methodCallRemover.add(".cctor", methodToBeRemoved);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void addModuleCctorInitCallToBeRemoved(MethodReference methodToBeRemoved) {
|
||||||
|
methodCallRemover.add(DotNetUtils.getMethod(DotNetUtils.getModuleType(module), ".cctor"), methodToBeRemoved);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void addCallToBeRemoved(MethodDefinition method, MethodReference methodToBeRemoved) {
|
||||||
|
methodCallRemover.add(method, methodToBeRemoved);
|
||||||
|
}
|
||||||
|
|
||||||
|
void removeMethodCalls(Blocks blocks) {
|
||||||
|
methodCallRemover.removeAll(blocks);
|
||||||
|
}
|
||||||
|
|
||||||
protected void addMethodsToBeRemoved(IEnumerable<MethodDefinition> methods, string reason) {
|
protected void addMethodsToBeRemoved(IEnumerable<MethodDefinition> methods, string reason) {
|
||||||
foreach (var method in methods)
|
foreach (var method in methods)
|
||||||
addMethodToBeRemoved(method, reason);
|
addMethodToBeRemoved(method, reason);
|
||||||
|
|
|
@ -292,7 +292,7 @@ namespace de4dot.deobfuscators.SmartAssembly {
|
||||||
public override void deobfuscateBegin() {
|
public override void deobfuscateBegin() {
|
||||||
base.deobfuscateBegin();
|
base.deobfuscateBegin();
|
||||||
if (options.RemoveMemoryManager)
|
if (options.RemoveMemoryManager)
|
||||||
addCctorInitCallToBeRemoved(memoryManagerInfo.CctorInitMethod);
|
addModuleCctorInitCallToBeRemoved(memoryManagerInfo.CctorInitMethod);
|
||||||
initDecrypters();
|
initDecrypters();
|
||||||
proxyDelegateFinder.find();
|
proxyDelegateFinder.find();
|
||||||
}
|
}
|
||||||
|
@ -309,8 +309,8 @@ namespace de4dot.deobfuscators.SmartAssembly {
|
||||||
assemblyResolverInfo.findTypes();
|
assemblyResolverInfo.findTypes();
|
||||||
resourceResolverInfo.findTypes();
|
resourceResolverInfo.findTypes();
|
||||||
|
|
||||||
addCctorInitCallToBeRemoved(assemblyResolverInfo.CallResolverMethod);
|
addModuleCctorInitCallToBeRemoved(assemblyResolverInfo.CallResolverMethod);
|
||||||
addCctorInitCallToBeRemoved(resourceResolverInfo.CallResolverMethod);
|
addModuleCctorInitCallToBeRemoved(resourceResolverInfo.CallResolverMethod);
|
||||||
|
|
||||||
resourceDecrypterInfo.setSimpleZipType(getGlobalSimpleZipType(), DeobfuscatedFile);
|
resourceDecrypterInfo.setSimpleZipType(getGlobalSimpleZipType(), DeobfuscatedFile);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user