From ab60692c2ff5a0cdab2fb5ca2a13ea829dc400fc Mon Sep 17 00:00:00 2001 From: de4dot Date: Thu, 26 Apr 2012 01:48:59 +0200 Subject: [PATCH] Return the correct return value --- .../CliSecure/MethodsDecrypter.cs | 45 ++++++++++--------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs index 15133db1..36d98270 100644 --- a/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs +++ b/de4dot.code/deobfuscators/CliSecure/MethodsDecrypter.cs @@ -402,16 +402,29 @@ namespace de4dot.code.deobfuscators.CliSecure { } } + enum DecryptResult { + NotEncrypted, + Decrypted, + Error, + } + public bool decrypt(PeImage peImage, string filename, CliSecureRtType csRtType, ref DumpedMethods dumpedMethods) { this.peImage = peImage; this.csRtType = csRtType; - if (decrypt2(ref dumpedMethods)) + + switch (decrypt2(ref dumpedMethods)) { + case DecryptResult.Decrypted: return true; + case DecryptResult.NotEncrypted: return false; + + case DecryptResult.Error: + Log.w("Using dynamic method decryption"); + byte[] moduleCctorBytes = getModuleCctorBytes(csRtType); + dumpedMethods = de4dot.code.deobfuscators.MethodsDecrypter.decrypt(filename, moduleCctorBytes); return true; - Log.w("Using dynamic method decryption"); - byte[] moduleCctorBytes = getModuleCctorBytes(csRtType); - dumpedMethods = de4dot.code.deobfuscators.MethodsDecrypter.decrypt(filename, moduleCctorBytes); - return true; + default: + throw new ApplicationException("Invalid DecryptResult"); + } } static byte[] getModuleCctorBytes(CliSecureRtType csRtType) { @@ -433,10 +446,11 @@ namespace de4dot.code.deobfuscators.CliSecure { return peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size); } - bool decrypt2(ref DumpedMethods dumpedMethods) { + DecryptResult decrypt2(ref DumpedMethods dumpedMethods) { uint codeHeaderOffset = getCodeHeaderOffset(peImage); - if (!readCodeHeader(codeHeaderOffset)) - return false; + readCodeHeader(codeHeaderOffset); + if (!isValidSignature(codeHeader.signature)) + return DecryptResult.NotEncrypted; var metadataTables = peImage.Cor20Header.createMetadataTables(); var methodDefTable = metadataTables.getMetadataType(MetadataIndex.iMethodDef); @@ -444,13 +458,13 @@ namespace de4dot.code.deobfuscators.CliSecure { foreach (var version in getCsHeaderVersions(codeHeaderOffset, methodDefTable)) { try { decryptMethods(codeHeaderOffset, methodDefTable, createCsHeader(version), ref dumpedMethods); - return true; + return DecryptResult.Decrypted; } catch { } } - return false; + return DecryptResult.Error; } void decryptMethods(uint codeHeaderOffset, MetadataType methodDefTable, ICsHeader csHeader, ref DumpedMethods dumpedMethods) { @@ -484,22 +498,13 @@ namespace de4dot.code.deobfuscators.CliSecure { } } - bool readCodeHeader(uint offset) { + void readCodeHeader(uint offset) { codeHeader.signature = peImage.offsetReadBytes(offset, 16); codeHeader.decryptionKey = peImage.offsetReadBytes(offset + 0x10, 16); codeHeader.totalCodeSize = peImage.offsetReadUInt32(offset + 0x20); codeHeader.numMethods = peImage.offsetReadUInt32(offset + 0x24); codeHeader.methodDefTableOffset = peImage.offsetReadUInt32(offset + 0x28); codeHeader.methodDefElemSize = peImage.offsetReadUInt32(offset + 0x2C); - - if (!isValidSignature(codeHeader.signature)) - return false; - if (codeHeader.totalCodeSize > 0x10000000) - return false; - if (codeHeader.numMethods > 512*1024) - return false; - - return true; } static SigType getSigType(byte[] sig) {