Remove decrypt method and other init method
parent
c5f8aaeb1a
commit
ae7e32ae5b
|
@ -29,6 +29,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
|||
class AssemblyResolver : ResolverBase {
|
||||
Version version;
|
||||
List<FieldInfo> fieldInfos;
|
||||
MethodDefinition decryptMethod;
|
||||
|
||||
enum Version {
|
||||
Unknown,
|
||||
|
@ -69,6 +70,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
|||
}
|
||||
}
|
||||
|
||||
public MethodDefinition DecryptMethod {
|
||||
get { return decryptMethod; }
|
||||
}
|
||||
|
||||
public AssemblyResolver(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
|
||||
: base(module, simpleDeobfuscator, deob) {
|
||||
}
|
||||
|
@ -129,16 +134,19 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
|||
|
||||
simpleDeobfuscator.deobfuscate(handler);
|
||||
List<FieldInfo> fieldInfosTmp;
|
||||
if (checkHandlerV4(handler, out fieldInfosTmp)) {
|
||||
MethodDefinition decryptMethodTmp;
|
||||
if (checkHandlerV4(handler, out fieldInfosTmp, out decryptMethodTmp)) {
|
||||
version = Version.V4;
|
||||
fieldInfos = fieldInfosTmp;
|
||||
decryptMethod = decryptMethodTmp;
|
||||
return true;
|
||||
}
|
||||
|
||||
Version versionTmp = checkHandlerV404_41(handler, out fieldInfosTmp);
|
||||
Version versionTmp = checkHandlerV404_41(handler, out fieldInfosTmp, out decryptMethodTmp);
|
||||
if (fieldInfosTmp.Count != 0) {
|
||||
version = versionTmp;
|
||||
fieldInfos = fieldInfosTmp;
|
||||
decryptMethod = decryptMethodTmp;
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -171,8 +179,9 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
|||
}
|
||||
|
||||
// 4.0.1.18 .. 4.0.3
|
||||
bool checkHandlerV4(MethodDefinition handler, out List<FieldInfo> fieldInfos) {
|
||||
bool checkHandlerV4(MethodDefinition handler, out List<FieldInfo> fieldInfos, out MethodDefinition decryptMethod) {
|
||||
fieldInfos = new List<FieldInfo>();
|
||||
decryptMethod = null;
|
||||
|
||||
var instrs = handler.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 3; i++) {
|
||||
|
@ -201,9 +210,11 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
|||
call = instrs[index++];
|
||||
if (call.OpCode.Code != Code.Call)
|
||||
return false;
|
||||
if (!DotNetUtils.isMethod(call.Operand as MethodReference, "System.Reflection.Assembly", "(System.RuntimeFieldHandle,System.Int32,System.Int32)"))
|
||||
var decryptMethodTmp = call.Operand as MethodDefinition;
|
||||
if (!DotNetUtils.isMethod(decryptMethodTmp, "System.Reflection.Assembly", "(System.RuntimeFieldHandle,System.Int32,System.Int32)"))
|
||||
return false;
|
||||
|
||||
decryptMethod = decryptMethodTmp;
|
||||
fieldInfos.Add(new FieldInfo(field, magic));
|
||||
}
|
||||
|
||||
|
@ -211,9 +222,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
|||
}
|
||||
|
||||
// 4.0.4, 4.1+
|
||||
Version checkHandlerV404_41(MethodDefinition handler, out List<FieldInfo> fieldInfos) {
|
||||
Version checkHandlerV404_41(MethodDefinition handler, out List<FieldInfo> fieldInfos, out MethodDefinition decryptMethod) {
|
||||
Version version = Version.Unknown;
|
||||
fieldInfos = new List<FieldInfo>();
|
||||
decryptMethod = null;
|
||||
|
||||
var instrs = handler.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 6; i++) {
|
||||
|
@ -248,14 +260,15 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
|||
var args = DsUtils.getArgValues(instrs, callIndex);
|
||||
if (args == null)
|
||||
continue;
|
||||
var decryptMethod = instrs[callIndex].Operand as MethodDefinition;
|
||||
if (decryptMethod == null)
|
||||
var decryptMethodTmp = instrs[callIndex].Operand as MethodDefinition;
|
||||
if (decryptMethodTmp == null)
|
||||
continue;
|
||||
int magic;
|
||||
Version versionTmp;
|
||||
getMagic(decryptMethod, args, out versionTmp, out magic);
|
||||
getMagic(decryptMethodTmp, args, out versionTmp, out magic);
|
||||
|
||||
version = versionTmp;
|
||||
decryptMethod = decryptMethodTmp;
|
||||
fieldInfos.Add(new FieldInfo(field, magic));
|
||||
}
|
||||
|
||||
|
|
|
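Review bot: In `checkHandlerV4` the call operand is now cast with `as MethodDefinition` and passed straight to `DotNetUtils.isMethod`, so an operand that is only a `MethodReference` arrives there as null. Whether `isMethod` accepts null is not visible in this hunk, and the 4.0.4/4.1 path already guards with `if (decryptMethodTmp == null) continue;`. I would make the guard explicit here as well: `if (decryptMethodTmp == null || !DotNetUtils.isMethod(decryptMethodTmp, "System.Reflection.Assembly", "(System.RuntimeFieldHandle,System.Int32,System.Int32)")) return false;`. The same cast-then-`isMethod` pattern is added for `resolveHandler2` in the resource resolver hunk at -260,11. Separately, both loops overwrite `decryptMethod` on every match while `fieldInfos` accumulates, so only the last method found is kept; if that is intended, a one-line comment saying all fields share one decrypt method would help. Both function bodies continue outside the hunks.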
@ -238,6 +238,7 @@ done:
|
|||
addCctorInitCallToBeRemoved(resourceResolver.InitMethod);
|
||||
addCallToBeRemoved(module.EntryPoint, resourceResolver.InitMethod);
|
||||
addMethodToBeRemoved(resourceResolver.InitMethod, "Resource resolver init method");
|
||||
addMethodToBeRemoved(resourceResolver.InitMethod2, "Resource resolver init method #2");
|
||||
addMethodToBeRemoved(resourceResolver.HandlerMethod, "Resource resolver handler method");
|
||||
addMethodToBeRemoved(resourceResolver.GetDataMethod, "Resource resolver 'get resource data' method");
|
||||
}
|
||||
|
@ -255,6 +256,7 @@ done:
|
|||
addCallToBeRemoved(module.EntryPoint, assemblyResolver.InitMethod);
|
||||
addMethodToBeRemoved(assemblyResolver.InitMethod, "Assembly resolver init method");
|
||||
addMethodToBeRemoved(assemblyResolver.HandlerMethod, "Assembly resolver handler method");
|
||||
addMethodToBeRemoved(assemblyResolver.DecryptMethod, "Assembly resolver decrypt method");
|
||||
}
|
||||
|
||||
public override void deobfuscateMethodEnd(Blocks blocks) {
|
||||
|
|
|
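Review bot: `assemblyResolver.DecryptMethod` is queued for removal with no visible check that the resolver handler is its only caller. If another method in the module still calls it, the cleaned assembly would keep a call to a deleted method, which makes the output harder to load and analyse. Whether `addMethodToBeRemoved` guards against that is not visible here. A comment above the new line would record the assumption, e.g. `// decrypt method is assumed to be reachable only from the assembly resolver handler`. The enclosing method starts outside the hunk.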
@ -43,6 +43,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
|||
|
||||
class Data40 {
|
||||
public FieldDefinition resourceField;
|
||||
public MethodDefinition resolveHandler2;
|
||||
public MethodDefinition getDataMethod;
|
||||
public int magic;
|
||||
}
|
||||
|
@ -64,6 +65,16 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
|||
}
|
||||
}
|
||||
|
||||
public MethodDefinition InitMethod2 {
|
||||
get {
|
||||
if (data40 != null)
|
||||
return data40.resolveHandler2;
|
||||
if (data41 != null)
|
||||
return data41.resolveHandler2;
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
public MethodDefinition GetDataMethod {
|
||||
get { return data40 != null ? data40.getDataMethod : null; }
|
||||
}
|
||||
|
@ -260,11 +271,13 @@ namespace de4dot.code.deobfuscators.DeepSea {
|
|||
call = instrs[index++];
|
||||
if (call.OpCode.Code != Code.Call)
|
||||
continue;
|
||||
if (!DotNetUtils.isMethod(call.Operand as MethodReference, "System.Reflection.Assembly", methodSig))
|
||||
var resolveHandler2 = call.Operand as MethodDefinition;
|
||||
if (!DotNetUtils.isMethod(resolveHandler2, "System.Reflection.Assembly", methodSig))
|
||||
continue;
|
||||
|
||||
data40.resourceField = field;
|
||||
data40.getDataMethod = method;
|
||||
data40.resolveHandler2 = resolveHandler2;
|
||||
return data40;
|
||||
}
|
||||
|
||||
|
|
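Review bot: The new `InitMethod2` property returns the `resolveHandler2` field, and the deobfuscator labels it "Resource resolver init method #2", so the same method carries two different names. Either rename the property to match the field or add a comment on it, e.g. `// resolveHandler2 of the detected 4.0 or 4.1 data, or null when neither was found`. The getter also reads `data41.resolveHandler2`, but the visible hunks only add and assign the field on `Data40`. Please confirm the 4.1 detection path sets it, otherwise the property is always null for that version and the method stays in the output.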