From bf00ccca2bed6a4122b185d99a85853103d8bb60 Mon Sep 17 00:00:00 2001 From: de4dot Date: Sun, 23 Oct 2011 17:23:33 +0200 Subject: [PATCH] Some minor updates --- .../deobfuscators/CryptoObfuscator/Deobfuscator.cs | 11 ++++------- .../CryptoObfuscator/ProxyDelegateFinder.cs | 6 +++--- .../CryptoObfuscator/ResourceResolver.cs | 2 +- 3 files changed, 8 insertions(+), 11 deletions(-) diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs index eba497e9..273c6842 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs @@ -121,7 +121,7 @@ namespace de4dot.deobfuscators.CryptoObfuscator { foundObfuscatedSymbols = true; proxyDelegateFinder = new ProxyDelegateFinder(module); - proxyDelegateFinder.findDelegateCreator(module); + proxyDelegateFinder.findDelegateCreator(); stringDecrypter = new StringDecrypter(module); stringDecrypter.find(); tamperDetection = new TamperDetection(module); @@ -211,18 +211,15 @@ namespace de4dot.deobfuscators.CryptoObfuscator { void dumpEmbeddedAssemblies() { foreach (var info in assemblyResolver.AssemblyInfos) { - dumpEmbeddedFile(info.resource, info.assemblyName, true); + dumpEmbeddedFile(info.resource, info.assemblyName, ".dll", string.Format("Embedded assembly: {0}", info.assemblyName)); if (info.symbolsResource != null) - dumpEmbeddedFile(info.symbolsResource, info.assemblyName, false); + dumpEmbeddedFile(info.symbolsResource, info.assemblyName, ".pdb", string.Format("Embedded pdb: {0}", info.assemblyName)); } } - void dumpEmbeddedFile(EmbeddedResource resource, string assemblyName, bool isAssembly) { - string extension = isAssembly ? ".dll" : ".pdb"; + void dumpEmbeddedFile(EmbeddedResource resource, string assemblyName, string extension, string reason) { DeobfuscatedFile.createAssemblyFile(resourceDecrypter.decrypt(resource.GetResourceStream()), Utils.getAssemblySimpleName(assemblyName), extension); - string reason = isAssembly ? string.Format("Embedded assembly: {0}", assemblyName) : - string.Format("Embedded pdb: {0}", assemblyName); addResourceToBeRemoved(resource, reason); } diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs index 1e0ee90d..3a4cb409 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs @@ -110,7 +110,7 @@ namespace de4dot.deobfuscators.CryptoObfuscator { calledMethod = module.LookupToken(ctx.methodToken) as MethodReference; } - public void findDelegateCreator(ModuleDefinition module) { + public void findDelegateCreator() { foreach (var type in module.Types) { var createMethod = getProxyCreateMethod(type); if (createMethod == null) @@ -134,13 +134,13 @@ namespace de4dot.deobfuscators.CryptoObfuscator { foreach (var m in type.Methods) { if (m.Name == ".ctor" || m.Name == ".cctor") continue; - if (createMethod == null || DotNetUtils.isMethod(m, "System.Void", "(System.Int32,System.Int32,System.Int32)")) { + if (createMethod == null && DotNetUtils.isMethod(m, "System.Void", "(System.Int32,System.Int32,System.Int32)")) { createMethod = m; continue; } return null; } - if (!createMethod.HasBody) + if (createMethod == null || !createMethod.HasBody) return null; if (type.HasEvents || type.HasProperties) return null; diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceResolver.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceResolver.cs index 36231f52..8880c5d1 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceResolver.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceResolver.cs @@ -65,7 +65,7 @@ namespace de4dot.deobfuscators.CryptoObfuscator { var resource = DotNetUtils.getResource(module, module.Assembly.Name.Name) as EmbeddedResource; if (resource == null) - throw new ApplicationException("Could not find encrypted resources"); + return null; DeobUtils.decryptAndAddResources(module, resource.Name, () => resourceDecrypter.decrypt(resource.GetResourceStream())); mergedIt = true;