Remove decrypt method and other init method
parent
c5f8aaeb1a
commit
ae7e32ae5b
|
@ -29,6 +29,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
class AssemblyResolver : ResolverBase {
|
class AssemblyResolver : ResolverBase {
|
||||||
Version version;
|
Version version;
|
||||||
List<FieldInfo> fieldInfos;
|
List<FieldInfo> fieldInfos;
|
||||||
|
MethodDefinition decryptMethod;
|
||||||
|
|
||||||
enum Version {
|
enum Version {
|
||||||
Unknown,
|
Unknown,
|
||||||
|
@ -69,6 +70,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public MethodDefinition DecryptMethod {
|
||||||
|
get { return decryptMethod; }
|
||||||
|
}
|
||||||
|
|
||||||
public AssemblyResolver(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
|
public AssemblyResolver(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
|
||||||
: base(module, simpleDeobfuscator, deob) {
|
: base(module, simpleDeobfuscator, deob) {
|
||||||
}
|
}
|
||||||
|
@ -129,16 +134,19 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
|
|
||||||
simpleDeobfuscator.deobfuscate(handler);
|
simpleDeobfuscator.deobfuscate(handler);
|
||||||
List<FieldInfo> fieldInfosTmp;
|
List<FieldInfo> fieldInfosTmp;
|
||||||
if (checkHandlerV4(handler, out fieldInfosTmp)) {
|
MethodDefinition decryptMethodTmp;
|
||||||
|
if (checkHandlerV4(handler, out fieldInfosTmp, out decryptMethodTmp)) {
|
||||||
version = Version.V4;
|
version = Version.V4;
|
||||||
fieldInfos = fieldInfosTmp;
|
fieldInfos = fieldInfosTmp;
|
||||||
|
decryptMethod = decryptMethodTmp;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
Version versionTmp = checkHandlerV404_41(handler, out fieldInfosTmp);
|
Version versionTmp = checkHandlerV404_41(handler, out fieldInfosTmp, out decryptMethodTmp);
|
||||||
if (fieldInfosTmp.Count != 0) {
|
if (fieldInfosTmp.Count != 0) {
|
||||||
version = versionTmp;
|
version = versionTmp;
|
||||||
fieldInfos = fieldInfosTmp;
|
fieldInfos = fieldInfosTmp;
|
||||||
|
decryptMethod = decryptMethodTmp;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -171,8 +179,9 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
}
|
}
|
||||||
|
|
||||||
// 4.0.1.18 .. 4.0.3
|
// 4.0.1.18 .. 4.0.3
|
||||||
bool checkHandlerV4(MethodDefinition handler, out List<FieldInfo> fieldInfos) {
|
bool checkHandlerV4(MethodDefinition handler, out List<FieldInfo> fieldInfos, out MethodDefinition decryptMethod) {
|
||||||
fieldInfos = new List<FieldInfo>();
|
fieldInfos = new List<FieldInfo>();
|
||||||
|
decryptMethod = null;
|
||||||
|
|
||||||
var instrs = handler.Body.Instructions;
|
var instrs = handler.Body.Instructions;
|
||||||
for (int i = 0; i < instrs.Count - 3; i++) {
|
for (int i = 0; i < instrs.Count - 3; i++) {
|
||||||
|
@ -201,9 +210,11 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
call = instrs[index++];
|
call = instrs[index++];
|
||||||
if (call.OpCode.Code != Code.Call)
|
if (call.OpCode.Code != Code.Call)
|
||||||
return false;
|
return false;
|
||||||
if (!DotNetUtils.isMethod(call.Operand as MethodReference, "System.Reflection.Assembly", "(System.RuntimeFieldHandle,System.Int32,System.Int32)"))
|
var decryptMethodTmp = call.Operand as MethodDefinition;
|
||||||
|
if (!DotNetUtils.isMethod(decryptMethodTmp, "System.Reflection.Assembly", "(System.RuntimeFieldHandle,System.Int32,System.Int32)"))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
decryptMethod = decryptMethodTmp;
|
||||||
fieldInfos.Add(new FieldInfo(field, magic));
|
fieldInfos.Add(new FieldInfo(field, magic));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -211,9 +222,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
}
|
}
|
||||||
|
|
||||||
// 4.0.4, 4.1+
|
// 4.0.4, 4.1+
|
||||||
Version checkHandlerV404_41(MethodDefinition handler, out List<FieldInfo> fieldInfos) {
|
Version checkHandlerV404_41(MethodDefinition handler, out List<FieldInfo> fieldInfos, out MethodDefinition decryptMethod) {
|
||||||
Version version = Version.Unknown;
|
Version version = Version.Unknown;
|
||||||
fieldInfos = new List<FieldInfo>();
|
fieldInfos = new List<FieldInfo>();
|
||||||
|
decryptMethod = null;
|
||||||
|
|
||||||
var instrs = handler.Body.Instructions;
|
var instrs = handler.Body.Instructions;
|
||||||
for (int i = 0; i < instrs.Count - 6; i++) {
|
for (int i = 0; i < instrs.Count - 6; i++) {
|
||||||
|
@ -248,14 +260,15 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
var args = DsUtils.getArgValues(instrs, callIndex);
|
var args = DsUtils.getArgValues(instrs, callIndex);
|
||||||
if (args == null)
|
if (args == null)
|
||||||
continue;
|
continue;
|
||||||
var decryptMethod = instrs[callIndex].Operand as MethodDefinition;
|
var decryptMethodTmp = instrs[callIndex].Operand as MethodDefinition;
|
||||||
if (decryptMethod == null)
|
if (decryptMethodTmp == null)
|
||||||
continue;
|
continue;
|
||||||
int magic;
|
int magic;
|
||||||
Version versionTmp;
|
Version versionTmp;
|
||||||
getMagic(decryptMethod, args, out versionTmp, out magic);
|
getMagic(decryptMethodTmp, args, out versionTmp, out magic);
|
||||||
|
|
||||||
version = versionTmp;
|
version = versionTmp;
|
||||||
|
decryptMethod = decryptMethodTmp;
|
||||||
fieldInfos.Add(new FieldInfo(field, magic));
|
fieldInfos.Add(new FieldInfo(field, magic));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
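Review bot: In both checkHandlerV4 and checkHandlerV404_41 the new `decryptMethod = decryptMethodTmp;` runs on every loop match, so only the last matched call target is kept while fieldInfos gains an entry per match. If an input assembly routes different fields through different decrypt methods, the earlier ones would not be reported for removal; either state the single-method assumption in a comment or keep the first match with `if (decryptMethod == null) decryptMethod = decryptMethodTmp;` and log when a later match differs. Separately, checkHandlerV4 now casts the operand with `as MethodDefinition` where it used `as MethodReference`, which presumably makes the isMethod check fail for a call whose operand is not a definition in this module; if that narrowing is intended, a one-line comment would make it explicit. Both function bodies extend beyond the visible hunks.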
@ -238,6 +238,7 @@ done:
|
||||||
addCctorInitCallToBeRemoved(resourceResolver.InitMethod);
|
addCctorInitCallToBeRemoved(resourceResolver.InitMethod);
|
||||||
addCallToBeRemoved(module.EntryPoint, resourceResolver.InitMethod);
|
addCallToBeRemoved(module.EntryPoint, resourceResolver.InitMethod);
|
||||||
addMethodToBeRemoved(resourceResolver.InitMethod, "Resource resolver init method");
|
addMethodToBeRemoved(resourceResolver.InitMethod, "Resource resolver init method");
|
||||||
|
addMethodToBeRemoved(resourceResolver.InitMethod2, "Resource resolver init method #2");
|
||||||
addMethodToBeRemoved(resourceResolver.HandlerMethod, "Resource resolver handler method");
|
addMethodToBeRemoved(resourceResolver.HandlerMethod, "Resource resolver handler method");
|
||||||
addMethodToBeRemoved(resourceResolver.GetDataMethod, "Resource resolver 'get resource data' method");
|
addMethodToBeRemoved(resourceResolver.GetDataMethod, "Resource resolver 'get resource data' method");
|
||||||
}
|
}
|
||||||
|
@ -255,6 +256,7 @@ done:
|
||||||
addCallToBeRemoved(module.EntryPoint, assemblyResolver.InitMethod);
|
addCallToBeRemoved(module.EntryPoint, assemblyResolver.InitMethod);
|
||||||
addMethodToBeRemoved(assemblyResolver.InitMethod, "Assembly resolver init method");
|
addMethodToBeRemoved(assemblyResolver.InitMethod, "Assembly resolver init method");
|
||||||
addMethodToBeRemoved(assemblyResolver.HandlerMethod, "Assembly resolver handler method");
|
addMethodToBeRemoved(assemblyResolver.HandlerMethod, "Assembly resolver handler method");
|
||||||
|
addMethodToBeRemoved(assemblyResolver.DecryptMethod, "Assembly resolver decrypt method");
|
||||||
}
|
}
|
||||||
|
|
||||||
public override void deobfuscateMethodEnd(Blocks blocks) {
|
public override void deobfuscateMethodEnd(Blocks blocks) {
|
||||||
|
|
|
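Review bot: The new `addMethodToBeRemoved(assemblyResolver.DecryptMethod, "Assembly resolver decrypt method")` call queues the method for removal purely on the resolver's pattern match, and nothing in this section shows a check that it has no other callers. The input is an obfuscated assembly the tool does not control, so if the decrypt helper is shared with other protected code and addMethodToBeRemoved does not verify references itself (its body is not visible here), the output would be left with calls to a missing method. Both new arguments can also be null: DecryptMethod when neither V4 handler check matched, InitMethod2 when no resolver data was found. The neighbouring calls suggest null is tolerated, but a comment such as `// DecryptMethod is null unless a V4+ handler matched` would record that.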
@ -43,6 +43,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
|
|
||||||
class Data40 {
|
class Data40 {
|
||||||
public FieldDefinition resourceField;
|
public FieldDefinition resourceField;
|
||||||
|
public MethodDefinition resolveHandler2;
|
||||||
public MethodDefinition getDataMethod;
|
public MethodDefinition getDataMethod;
|
||||||
public int magic;
|
public int magic;
|
||||||
}
|
}
|
||||||
|
@ -64,6 +65,16 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public MethodDefinition InitMethod2 {
|
||||||
|
get {
|
||||||
|
if (data40 != null)
|
||||||
|
return data40.resolveHandler2;
|
||||||
|
if (data41 != null)
|
||||||
|
return data41.resolveHandler2;
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public MethodDefinition GetDataMethod {
|
public MethodDefinition GetDataMethod {
|
||||||
get { return data40 != null ? data40.getDataMethod : null; }
|
get { return data40 != null ? data40.getDataMethod : null; }
|
||||||
}
|
}
|
||||||
|
@ -260,11 +271,13 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
||||||
call = instrs[index++];
|
call = instrs[index++];
|
||||||
if (call.OpCode.Code != Code.Call)
|
if (call.OpCode.Code != Code.Call)
|
||||||
continue;
|
continue;
|
||||||
if (!DotNetUtils.isMethod(call.Operand as MethodReference, "System.Reflection.Assembly", methodSig))
|
var resolveHandler2 = call.Operand as MethodDefinition;
|
||||||
|
if (!DotNetUtils.isMethod(resolveHandler2, "System.Reflection.Assembly", methodSig))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
data40.resourceField = field;
|
data40.resourceField = field;
|
||||||
data40.getDataMethod = method;
|
data40.getDataMethod = method;
|
||||||
|
data40.resolveHandler2 = resolveHandler2;
|
||||||
return data40;
|
return data40;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
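Review bot: The InitMethod2 getter reads `data41.resolveHandler2`, but the visible hunks only declare and assign that field on Data40. Unless Data41 declares and fills it outside these hunks, the property returns null on the 4.1 path and that method stays in the output. The naming is also inconsistent: the property is `InitMethod2`, the backing field is `resolveHandler2`, and the removal reason reads "init method #2", so aligning the names or adding a short comment on the property saying which method it holds and that it may be null would help. As in the assembly resolver, the operand is now cast with `as MethodDefinition` where it used `as MethodReference`, which presumably skips call targets that are not definitions in this module.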