Support the latest CryptoObfuscator version
parent
245d875d5f
commit
b9d91043fc
|
@ -125,24 +125,25 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
if (type.Fields.Count != 0)
|
if (type.Fields.Count != 0)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var method = getDecrypterMethod(type);
|
foreach (var method in getDecrypterMethods(type)) {
|
||||||
if (method == null)
|
if (method == null)
|
||||||
continue;
|
continue;
|
||||||
if (!new LocalTypes(method).exactly(requiredLocals_v1))
|
if (!new LocalTypes(method).exactly(requiredLocals_v1))
|
||||||
continue;
|
continue;
|
||||||
if (!DotNetUtils.callsMethod(method, "System.Int64", "()"))
|
if (!DotNetUtils.callsMethod(method, "System.Int64", "()"))
|
||||||
continue;
|
continue;
|
||||||
if (!DotNetUtils.callsMethod(method, "System.Int32", "(System.Byte[],System.Int32,System.Int32)"))
|
if (!DotNetUtils.callsMethod(method, "System.Int32", "(System.Byte[],System.Int32,System.Int32)"))
|
||||||
continue;
|
continue;
|
||||||
if (!DotNetUtils.callsMethod(method, "System.Void", "(System.Array,System.Int32,System.Array,System.Int32,System.Int32)"))
|
if (!DotNetUtils.callsMethod(method, "System.Void", "(System.Array,System.Int32,System.Array,System.Int32,System.Int32)"))
|
||||||
continue;
|
continue;
|
||||||
if (!DotNetUtils.callsMethod(method, "System.Security.Cryptography.ICryptoTransform", "()"))
|
if (!DotNetUtils.callsMethod(method, "System.Security.Cryptography.ICryptoTransform", "()"))
|
||||||
continue;
|
continue;
|
||||||
if (!DotNetUtils.callsMethod(method, "System.Byte[]", "(System.Byte[],System.Int32,System.Int32)"))
|
if (!DotNetUtils.callsMethod(method, "System.Byte[]", "(System.Byte[],System.Int32,System.Int32)"))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
resourceDecrypterType = type;
|
resourceDecrypterType = type;
|
||||||
return true;
|
return true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -158,22 +159,24 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
continue;
|
continue;
|
||||||
if (type.HasNestedTypes || type.HasGenericParameters)
|
if (type.HasNestedTypes || type.HasGenericParameters)
|
||||||
continue;
|
continue;
|
||||||
var method = getDecrypterMethod(type);
|
|
||||||
if (method == null)
|
|
||||||
continue;
|
|
||||||
if (!new LocalTypes(method).exactly(requiredLocals_sl))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
resourceDecrypterType = type;
|
foreach (var method in getDecrypterMethods(type)) {
|
||||||
break;
|
if (method == null)
|
||||||
|
continue;
|
||||||
|
if (!new LocalTypes(method).exactly(requiredLocals_sl))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
resourceDecrypterType = type;
|
||||||
|
return;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void initializeHeaderInfo(ISimpleDeobfuscator simpleDeobfuscator) {
|
void initializeHeaderInfo(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
skipBytes = 0;
|
skipBytes = 0;
|
||||||
|
|
||||||
if (resourceDecrypterType != null) {
|
foreach (var method in getDecrypterMethods(resourceDecrypterType)) {
|
||||||
if (updateFlags(getDecrypterMethod(), simpleDeobfuscator))
|
if (updateFlags(method, simpleDeobfuscator))
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -203,7 +206,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
}
|
}
|
||||||
|
|
||||||
bool updateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) {
|
bool updateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
if (method == null || method.Body == null)
|
if (method == null || method.Body == null || method.Body.Variables.Count < 3)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
var constants = new List<int>();
|
var constants = new List<int>();
|
||||||
|
@ -276,7 +279,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
if (loopCount < 2 || loopCount > 3)
|
if (loopCount < 2 || loopCount > 3)
|
||||||
continue;
|
continue;
|
||||||
var blt = instrs[i + 1];
|
var blt = instrs[i + 1];
|
||||||
if (blt.OpCode.Code != Code.Blt && blt.OpCode.Code != Code.Blt_S)
|
if (blt.OpCode.Code != Code.Blt && blt.OpCode.Code != Code.Blt_S && blt.OpCode.Code != Code.Clt)
|
||||||
continue;
|
continue;
|
||||||
return loopCount - 1;
|
return loopCount - 1;
|
||||||
}
|
}
|
||||||
|
@ -291,28 +294,25 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
MethodDef getDecrypterMethod() {
|
static IEnumerable<MethodDef> getDecrypterMethods(TypeDef type) {
|
||||||
return getDecrypterMethod(resourceDecrypterType);
|
if (type == null)
|
||||||
}
|
yield break;
|
||||||
|
|
||||||
static MethodDef getDecrypterMethod(TypeDef type) {
|
|
||||||
foreach (var method in type.Methods) {
|
foreach (var method in type.Methods) {
|
||||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.IO.Stream)"))
|
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.IO.Stream)"))
|
||||||
return method;
|
yield return method;
|
||||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int32,System.IO.Stream)"))
|
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int32,System.IO.Stream)"))
|
||||||
return method;
|
yield return method;
|
||||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int16,System.IO.Stream)"))
|
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int16,System.IO.Stream)"))
|
||||||
return method;
|
yield return method;
|
||||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte,System.IO.Stream)"))
|
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte,System.IO.Stream)"))
|
||||||
return method;
|
yield return method;
|
||||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.SByte,System.IO.Stream)"))
|
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.SByte,System.IO.Stream)"))
|
||||||
return method;
|
yield return method;
|
||||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte,System.IO.Stream,System.Int32)"))
|
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte,System.IO.Stream,System.Int32)"))
|
||||||
return method;
|
yield return method;
|
||||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.SByte,System.IO.Stream,System.UInt32)"))
|
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.SByte,System.IO.Stream,System.UInt32)"))
|
||||||
return method;
|
yield return method;
|
||||||
}
|
}
|
||||||
return null;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public byte[] decrypt(Stream resourceStream) {
|
public byte[] decrypt(Stream resourceStream) {
|
||||||
|
|
|
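Review bot: In initializeHeaderInfo, the new loop re-enumerates `getDecrypterMethods(resourceDecrypterType)` and takes the flags from the first candidate for which updateFlags succeeds. That need not be the method whose locals and calls made the detection loops accept the type. Because the input is an obfuscated assembly that cannot be trusted, an unrelated method with one of the seven matching signatures could be enumerated first, and the header parameters would then come from the wrong body; updateFlags's remaining checks are outside the hunk, so this is inferred. Consider remembering the matched method at detection time in a new field, e.g. `resourceDecrypterMethod = method;` next to `resourceDecrypterType = type;`, and passing that to updateFlags. The `if (method == null) continue;` checks inside the new foreach loops also appear redundant, since getDecrypterMethods only yields entries of `type.Methods` that already passed `DotNetUtils.isMethod`.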
@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
|
||||||
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||||
return false;
|
return false;
|
||||||
if (type.Methods.Count < 3 || type.Methods.Count > 14)
|
if (type.Methods.Count < 3 || type.Methods.Count > 16)
|
||||||
return false;
|
return false;
|
||||||
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
|
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
|
||||||
}
|
}
|
||||||
|
|
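Review bot: The method-count bound `type.Methods.Count > 16` is a bare literal, and nothing at the check records why the limit moved from 14. A short comment such as `// upper bound raised to 16 for CryptoObfuscator <VERSION>; older builds stayed within 14` (with the real version filled in) would keep the next adjustment from being guesswork. It would also make clear that this is a heuristic that has to follow the obfuscator's releases. The enclosing method starts and ends outside the hunk, so whether the range is explained elsewhere cannot be seen here.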