Remove decrypt method and other init method

This commit is contained in:
de4dot 2012-05-10 13:39:14 +02:00
parent c5f8aaeb1a
commit ae7e32ae5b
3 changed files with 37 additions and 9 deletions


@ -29,6 +29,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
class AssemblyResolver : ResolverBase { class AssemblyResolver : ResolverBase {
Version version; Version version;
List<FieldInfo> fieldInfos; List<FieldInfo> fieldInfos;
MethodDefinition decryptMethod;
enum Version { enum Version {
Unknown, Unknown,
@ -69,6 +70,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
} }
} }
public MethodDefinition DecryptMethod {
get { return decryptMethod; }
}
public AssemblyResolver(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) public AssemblyResolver(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
: base(module, simpleDeobfuscator, deob) { : base(module, simpleDeobfuscator, deob) {
} }
@ -129,16 +134,19 @@ namespace de4dot.code.deobfuscators.DeepSea {
simpleDeobfuscator.deobfuscate(handler); simpleDeobfuscator.deobfuscate(handler);
List<FieldInfo> fieldInfosTmp; List<FieldInfo> fieldInfosTmp;
if (checkHandlerV4(handler, out fieldInfosTmp)) { MethodDefinition decryptMethodTmp;
if (checkHandlerV4(handler, out fieldInfosTmp, out decryptMethodTmp)) {
version = Version.V4; version = Version.V4;
fieldInfos = fieldInfosTmp; fieldInfos = fieldInfosTmp;
decryptMethod = decryptMethodTmp;
return true; return true;
} }
Version versionTmp = checkHandlerV404_41(handler, out fieldInfosTmp); Version versionTmp = checkHandlerV404_41(handler, out fieldInfosTmp, out decryptMethodTmp);
if (fieldInfosTmp.Count != 0) { if (fieldInfosTmp.Count != 0) {
version = versionTmp; version = versionTmp;
fieldInfos = fieldInfosTmp; fieldInfos = fieldInfosTmp;
decryptMethod = decryptMethodTmp;
return true; return true;
} }
@ -171,8 +179,9 @@ namespace de4dot.code.deobfuscators.DeepSea {
} }
// 4.0.1.18 .. 4.0.3 // 4.0.1.18 .. 4.0.3
bool checkHandlerV4(MethodDefinition handler, out List<FieldInfo> fieldInfos) { bool checkHandlerV4(MethodDefinition handler, out List<FieldInfo> fieldInfos, out MethodDefinition decryptMethod) {
fieldInfos = new List<FieldInfo>(); fieldInfos = new List<FieldInfo>();
decryptMethod = null;
var instrs = handler.Body.Instructions; var instrs = handler.Body.Instructions;
for (int i = 0; i < instrs.Count - 3; i++) { for (int i = 0; i < instrs.Count - 3; i++) {
@ -201,9 +210,11 @@ namespace de4dot.code.deobfuscators.DeepSea {
call = instrs[index++]; call = instrs[index++];
if (call.OpCode.Code != Code.Call) if (call.OpCode.Code != Code.Call)
return false; return false;
if (!DotNetUtils.isMethod(call.Operand as MethodReference, "System.Reflection.Assembly", "(System.RuntimeFieldHandle,System.Int32,System.Int32)")) var decryptMethodTmp = call.Operand as MethodDefinition;
if (!DotNetUtils.isMethod(decryptMethodTmp, "System.Reflection.Assembly", "(System.RuntimeFieldHandle,System.Int32,System.Int32)"))
return false; return false;
decryptMethod = decryptMethodTmp;
fieldInfos.Add(new FieldInfo(field, magic)); fieldInfos.Add(new FieldInfo(field, magic));
} }
@ -211,9 +222,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
} }
// 4.0.4, 4.1+ // 4.0.4, 4.1+
Version checkHandlerV404_41(MethodDefinition handler, out List<FieldInfo> fieldInfos) { Version checkHandlerV404_41(MethodDefinition handler, out List<FieldInfo> fieldInfos, out MethodDefinition decryptMethod) {
Version version = Version.Unknown; Version version = Version.Unknown;
fieldInfos = new List<FieldInfo>(); fieldInfos = new List<FieldInfo>();
decryptMethod = null;
var instrs = handler.Body.Instructions; var instrs = handler.Body.Instructions;
for (int i = 0; i < instrs.Count - 6; i++) { for (int i = 0; i < instrs.Count - 6; i++) {
@ -248,14 +260,15 @@ namespace de4dot.code.deobfuscators.DeepSea {
var args = DsUtils.getArgValues(instrs, callIndex); var args = DsUtils.getArgValues(instrs, callIndex);
if (args == null) if (args == null)
continue; continue;
var decryptMethod = instrs[callIndex].Operand as MethodDefinition; var decryptMethodTmp = instrs[callIndex].Operand as MethodDefinition;
if (decryptMethod == null) if (decryptMethodTmp == null)
continue; continue;
int magic; int magic;
Version versionTmp; Version versionTmp;
getMagic(decryptMethod, args, out versionTmp, out magic); getMagic(decryptMethodTmp, args, out versionTmp, out magic);
version = versionTmp; version = versionTmp;
decryptMethod = decryptMethodTmp;
fieldInfos.Add(new FieldInfo(field, magic)); fieldInfos.Add(new FieldInfo(field, magic));
} }


@ -238,6 +238,7 @@ done:
addCctorInitCallToBeRemoved(resourceResolver.InitMethod); addCctorInitCallToBeRemoved(resourceResolver.InitMethod);
addCallToBeRemoved(module.EntryPoint, resourceResolver.InitMethod); addCallToBeRemoved(module.EntryPoint, resourceResolver.InitMethod);
addMethodToBeRemoved(resourceResolver.InitMethod, "Resource resolver init method"); addMethodToBeRemoved(resourceResolver.InitMethod, "Resource resolver init method");
addMethodToBeRemoved(resourceResolver.InitMethod2, "Resource resolver init method #2");
addMethodToBeRemoved(resourceResolver.HandlerMethod, "Resource resolver handler method"); addMethodToBeRemoved(resourceResolver.HandlerMethod, "Resource resolver handler method");
addMethodToBeRemoved(resourceResolver.GetDataMethod, "Resource resolver 'get resource data' method"); addMethodToBeRemoved(resourceResolver.GetDataMethod, "Resource resolver 'get resource data' method");
} }
@ -255,6 +256,7 @@ done:
addCallToBeRemoved(module.EntryPoint, assemblyResolver.InitMethod); addCallToBeRemoved(module.EntryPoint, assemblyResolver.InitMethod);
addMethodToBeRemoved(assemblyResolver.InitMethod, "Assembly resolver init method"); addMethodToBeRemoved(assemblyResolver.InitMethod, "Assembly resolver init method");
addMethodToBeRemoved(assemblyResolver.HandlerMethod, "Assembly resolver handler method"); addMethodToBeRemoved(assemblyResolver.HandlerMethod, "Assembly resolver handler method");
addMethodToBeRemoved(assemblyResolver.DecryptMethod, "Assembly resolver decrypt method");
} }
public override void deobfuscateMethodEnd(Blocks blocks) { public override void deobfuscateMethodEnd(Blocks blocks) {


@ -43,6 +43,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
class Data40 { class Data40 {
public FieldDefinition resourceField; public FieldDefinition resourceField;
public MethodDefinition resolveHandler2;
public MethodDefinition getDataMethod; public MethodDefinition getDataMethod;
public int magic; public int magic;
} }
@ -64,6 +65,16 @@ namespace de4dot.code.deobfuscators.DeepSea {
} }
} }
public MethodDefinition InitMethod2 {
get {
if (data40 != null)
return data40.resolveHandler2;
if (data41 != null)
return data41.resolveHandler2;
return null;
}
}
public MethodDefinition GetDataMethod { public MethodDefinition GetDataMethod {
get { return data40 != null ? data40.getDataMethod : null; } get { return data40 != null ? data40.getDataMethod : null; }
} }
@ -260,11 +271,13 @@ namespace de4dot.code.deobfuscators.DeepSea {
call = instrs[index++]; call = instrs[index++];
if (call.OpCode.Code != Code.Call) if (call.OpCode.Code != Code.Call)
continue; continue;
if (!DotNetUtils.isMethod(call.Operand as MethodReference, "System.Reflection.Assembly", methodSig)) var resolveHandler2 = call.Operand as MethodDefinition;
if (!DotNetUtils.isMethod(resolveHandler2, "System.Reflection.Assembly", methodSig))
continue; continue;
data40.resourceField = field; data40.resourceField = field;
data40.getDataMethod = method; data40.getDataMethod = method;
data40.resolveHandler2 = resolveHandler2;
return data40; return data40;
} }
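Review bot: `InitMethod2` falls through to `data41.resolveHandler2`, but the visible hunks add the `resolveHandler2` field only to `Data40` and populate it only on the Data40 path (`data40.resolveHandler2 = resolveHandler2;`); whether Data41 has a matching field that the 4.1 detection fills is outside this diff, so please confirm, otherwise InitMethod2 returns null for 4.1 targets and the second init method is never queued for removal. The new property also has no documentation while its sibling getters are equally undocumented, so a one-liner would help the caller in DeobfuscatorDeepSea understand what is being removed, e.g. `/// The method matched as returning System.Reflection.Assembly from the resolver code; null when it was not detected.` The method containing the `data40.resolveHandler2 = resolveHandler2;` assignment starts outside this hunk.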