monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Move methods to ConfuserUtils

Browse Source
This commit is contained in:
de4dot 2012-07-27 08:07:17 +02:00
parent 135dcd5a3c
commit a48a03b9ab
3 changed files with 50 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
de4dot.code/de4dot.code.csproj
View File

@ -67,6 +67,7 @@
<Compile Include="deobfuscators\Babel_NET\MemberReferenceConverter.cs" />
<Compile Include="deobfuscators\Babel_NET\MethodBodyReader.cs" />
<Compile Include="deobfuscators\Babel_NET\MethodReferenceReader.cs" />
<Compile Include="deobfuscators\Confuser\ConfuserUtils.cs" />
<Compile Include="deobfuscators\Confuser\ConstantsFolder.cs" />
<Compile Include="deobfuscators\Confuser\Deobfuscator.cs" />
<Compile Include="deobfuscators\Confuser\JitMethodsDecrypter.cs" />

43
de4dot.code/deobfuscators/Confuser/ConfuserUtils.cs Normal file
View File

@ -0,0 +1,43 @@
/*
Copyright (C) 2011-2012 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
namespace de4dot.code.deobfuscators.Confuser {
static class ConfuserUtils {
public static int findCallMethod(IList<Instruction> instrs, int index, Code callCode, string methodFullName) {
for (int i = index; i < instrs.Count; i++) {
if (!isCallMethod(instrs[i], callCode, methodFullName))
continue;
return i;
}
return -1;
}
public static bool isCallMethod(Instruction instr, Code callCode, string methodFullName) {
if (instr.OpCode.Code != callCode)
return false;
var calledMethod = instr.Operand as MethodReference;
return calledMethod != null && calledMethod.FullName == methodFullName;
}
}
}

29
de4dot.code/deobfuscators/Confuser/JitMethodsDecrypter.cs
View File

@ -315,14 +315,14 @@ namespace de4dot.code.deobfuscators.Confuser {
return false;
if (!DotNetUtils.isLdloc(instrs[i++]))
return false;
if (!isCallMethod(instrs[i++], Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()"))
if (!ConfuserUtils.isCallMethod(instrs[i++], Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()"))
return false;
var ldci4 = instrs[i++];
if (!DotNetUtils.isLdcI4(ldci4))
return false;
if (instrs[i++].OpCode.Code != Code.Xor)
return false;
if (!isCallMethod(instrs[i++], Code.Callvirt, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)"))
if (!ConfuserUtils.isCallMethod(instrs[i++], Code.Callvirt, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)"))
return false;
if (!DotNetUtils.isStloc(instrs[i++]))
return false;
@ -335,7 +335,7 @@ namespace de4dot.code.deobfuscators.Confuser {
static bool findKey4(MethodDefinition method, out uint key) {
var instrs = method.Body.Instructions;
for (int index = 0; index < instrs.Count; index++) {
index = findCallMethod(instrs, index, Code.Call, "System.Void System.Runtime.InteropServices.Marshal::Copy(System.Byte[],System.Int32,System.IntPtr,System.Int32)");
index = ConfuserUtils.findCallMethod(instrs, index, Code.Call, "System.Void System.Runtime.InteropServices.Marshal::Copy(System.Byte[],System.Int32,System.IntPtr,System.Int32)");
if (index < 0)
break;
if (index + 2 >= instrs.Count)
@ -411,7 +411,7 @@ namespace de4dot.code.deobfuscators.Confuser {
if (!DotNetUtils.isLdloc(instrs[index]))
return false;
if (!isCallMethod(instrs[index + 1], Code.Callvirt, "System.UInt32 System.IO.BinaryReader::ReadUInt32()"))
if (!ConfuserUtils.isCallMethod(instrs[index + 1], Code.Callvirt, "System.UInt32 System.IO.BinaryReader::ReadUInt32()"))
return false;
if (!DotNetUtils.isStloc(instrs[index + 2]))
return false;
@ -421,28 +421,11 @@ namespace de4dot.code.deobfuscators.Confuser {
}
static int findCallvirtReadUInt32(IList<Instruction> instrs, int index) {
return findCallMethod(instrs, index, Code.Callvirt, "System.UInt32 System.IO.BinaryReader::ReadUInt32()");
return ConfuserUtils.findCallMethod(instrs, index, Code.Callvirt, "System.UInt32 System.IO.BinaryReader::ReadUInt32()");
}
static int findCallvirtReadUInt64(IList<Instruction> instrs, int index) {
return findCallMethod(instrs, index, Code.Callvirt, "System.UInt64 System.IO.BinaryReader::ReadUInt64()");
}
static int findCallMethod(IList<Instruction> instrs, int index, Code callCode, string methodFullName) {
for (int i = index; i < instrs.Count; i++) {
if (!isCallMethod(instrs[i], callCode, methodFullName))
continue;
return i;
}
return -1;
}
static bool isCallMethod(Instruction instr, Code callCode, string methodFullName) {
if (instr.OpCode.Code != callCode)
return false;
var calledMethod = instr.Operand as MethodReference;
return calledMethod != null && calledMethod.FullName == methodFullName;
return ConfuserUtils.findCallMethod(instrs, index, Code.Callvirt, "System.UInt64 System.IO.BinaryReader::ReadUInt64()");
}
bool initializeMethodDataIndexes(MethodDefinition method) {