diff --git a/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs b/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs
index ba2d8607..64447c55 100644
--- a/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs
@@ -104,9 +104,7 @@ namespace de4dot.deobfuscators.CliSecure {
 base.init(module);
 }
- public override int detect() {
- scanForObfuscator();
-
+ protected override int detectInternal() {
 int val = 0;
 if (cliSecureRtType != null || foundCliSecureAttribute)
@@ -119,7 +117,7 @@ namespace de4dot.deobfuscators.CliSecure {
 return val;
 }
- protected override void scanForObfuscatorInternal() {
+ protected override void scanForObfuscator() {
 proxyDelegateFinder = new ProxyDelegateFinder(module);
 findCliSecureAttribute();
 findCliSecureRtType();
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
index 273c6842..2bfa90f0 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
@@ -90,9 +90,7 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
 base.init(module);
 }
- public override int detect() {
- scanForObfuscator();
-
+ protected override int detectInternal() {
 int val = 0;
 if (foundCryptoObfuscatorAttribute)
@@ -109,7 +107,7 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
 return val;
 }
- protected override void scanForObfuscatorInternal() {
+ protected override void scanForObfuscator() {
 foreach (var type in module.Types) {
 if (type.FullName == "CryptoObfuscator.ProtectedWithCryptoObfuscatorAttribute") {
 foundCryptoObfuscatorAttribute = true;
diff --git a/de4dot.code/deobfuscators/DeobfuscatorBase.cs b/de4dot.code/deobfuscators/DeobfuscatorBase.cs
index 2d66d363..026e0f5b 100644
--- a/de4dot.code/deobfuscators/DeobfuscatorBase.cs
+++ b/de4dot.code/deobfuscators/DeobfuscatorBase.cs
@@ -46,7 +46,6 @@ namespace de4dot.deobfuscators {
 IList> resourcesToRemove = new List>();
 IList> modrefsToRemove = new List>();
 List namesToPossiblyRemove = new List();
- bool scanForObfuscatorCalled = false;
 MethodCallRemover methodCallRemover = new MethodCallRemover();
 internal class OptionsBase : IDeobfuscatorOptions {
@@ -82,6 +81,10 @@ namespace de4dot.deobfuscators {
 }
 public virtual void init(ModuleDefinition module) {
+ setModule(module);
+ }
+
+ protected void setModule(ModuleDefinition module) {
 this.module = module;
 }
@@ -89,20 +92,23 @@ namespace de4dot.deobfuscators {
 return 0;
 }
- protected void scanForObfuscator() {
- if (scanForObfuscatorCalled)
- return;
- scanForObfuscatorCalled = true;
- scanForObfuscatorInternal();
+ public virtual int detect() {
+ scanForObfuscator();
+ return detectInternal();
 }
- protected virtual void scanForObfuscatorInternal() {
+ protected abstract void scanForObfuscator();
+ protected abstract int detectInternal();
+
+ public virtual byte[] getDecryptedModule() {
+ return null;
 }
- public abstract int detect();
+ public virtual IDeobfuscator moduleReloaded(ModuleDefinition module) {
+ throw new ApplicationException("moduleReloaded() must be overridden by the deobfuscator");
+ }
 public virtual void deobfuscateBegin() {
- scanForObfuscator();
 }
 public virtual void deobfuscateMethodBegin(Blocks blocks) {
diff --git a/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs
index 953c0951..eb8cf7a5 100644
--- a/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs
@@ -76,9 +76,7 @@ namespace de4dot.deobfuscators.Dotfuscator {
 this.options = options;
 }
- public override int detect() {
- scanForObfuscator();
-
+ protected override int detectInternal() {
 int val = 0;
 if (foundDotfuscatorAttribute)
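Review bot: In the `@@ -89,20 +92,23 @@` hunk of DeobfuscatorBase.cs the `scanForObfuscatorCalled` guard is removed, so each `detect()` call re-runs `scanForObfuscator()`, while `deobfuscateBegin()` no longer scans at all; the scan state now depends on the caller invoking `detect()` once before deobfuscation. The CliSecure, SmartAssembly and dotNET_Reactor overrides in this commit assign `new ProxyDelegateFinder(module)` / `new MethodsDecrypter(module)` inside `scanForObfuscator()`, so a repeated `detect()` would replace those objects. I would put the contract on the method, e.g. `// Runs the scan, then scores it. Call once per module, before deobfuscateBegin().`, and consider declaring it `public int detect()` without `virtual`, so that a subclass cannot override away the scan-then-score order. The class body continues outside the hunk.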
@@ -89,7 +87,7 @@ namespace de4dot.deobfuscators.Dotfuscator {
 return val;
 }
- protected override void scanForObfuscatorInternal() {
+ protected override void scanForObfuscator() {
 findDotfuscatorAttribute();
 findStringDecrypterMethods();
 }
diff --git a/de4dot.code/deobfuscators/Eazfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/Eazfuscator/Deobfuscator.cs
index 4eb3e4c2..eeda51ca 100644
--- a/de4dot.code/deobfuscators/Eazfuscator/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Eazfuscator/Deobfuscator.cs
@@ -65,14 +65,13 @@ namespace de4dot.deobfuscators.Eazfuscator {
 DefaultDecrypterType = DecrypterType.Emulate;
 }
- public override int detect() {
- scanForObfuscator();
+ protected override int detectInternal() {
 if (decryptStringMethod != null)
 return 100;
 return 0;
 }
- protected override void scanForObfuscatorInternal() {
+ protected override void scanForObfuscator() {
 findStringDecrypterMethod();
 }
diff --git a/de4dot.code/deobfuscators/IDeobfuscator.cs b/de4dot.code/deobfuscators/IDeobfuscator.cs
index 5e21b3ff..3fb711ac 100644
--- a/de4dot.code/deobfuscators/IDeobfuscator.cs
+++ b/de4dot.code/deobfuscators/IDeobfuscator.cs
@@ -62,9 +62,18 @@ namespace de4dot.deobfuscators {
 // returned if not detected.
 int earlyDetect();
- // Returns 0 if it's not detected, or > 0 if detected (higher value => more likely true)
+ // Returns 0 if it's not detected, or > 0 if detected (higher value => more likely true).
+ // This method is always called.
 int detect();
+ // If the obfuscator has encrypted parts of the file, then this method should return the
+ // decrypted file. Return null if it's not been encrypted.
+ byte[] getDecryptedModule();
+
+ // This is only called if getDecryptedModule() != null, and after the module has been
+ // reloaded. Should return a new IDeobfuscator with the same options and the new module.
+ IDeobfuscator moduleReloaded(ModuleDefinition module);
+
 // Called before all other deobfuscation methods
 void deobfuscateBegin();
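Review bot: The comments added for `getDecryptedModule()` and `moduleReloaded()` in IDeobfuscator.cs do not say whether `detect()` is run on the instance that `moduleReloaded()` returns. That matters with this commit, because the base class's `deobfuscateBegin()` no longer triggers a scan, so a returned instance that was never scanned would presumably start deobfuscation with empty state. The comment should also say that the two methods must be overridden together: the base default of `moduleReloaded()` throws, so overriding only `getDecryptedModule()` fails at run time. Something like `// Implementations must scan the new module themselves; detect() is not called again.` (or the opposite, if the caller does re-run detection) would settle it.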
diff --git a/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs b/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs
index cbeb1b98..f79e3f2f 100644
--- a/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs
@@ -121,9 +121,7 @@ namespace de4dot.deobfuscators.SmartAssembly {
 tamperProtectionRemover = new TamperProtectionRemover(module);
 }
- public override int detect() {
- scanForObfuscator();
-
+ protected override int detectInternal() {
 int val = 0;
 if (foundSmartAssemblyAttribute)
@@ -141,7 +139,7 @@ namespace de4dot.deobfuscators.SmartAssembly {
 return val;
 }
- protected override void scanForObfuscatorInternal() {
+ protected override void scanForObfuscator() {
 proxyDelegateFinder = new ProxyDelegateFinder(module);
 findSmartAssemblyAttributes();
 findAutomatedErrorReportingType();
diff --git a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
index 3cff3cbb..fb1961d6 100644
--- a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
@@ -77,11 +77,14 @@ namespace de4dot.deobfuscators.Unknown {
 return null;
 }
- public override int detect() {
+ protected override int detectInternal() {
 setName(scanTypes());
 return 1;
 }
+ protected override void scanForObfuscator() {
+ }
+
 string scanTypes() {
 foreach (var type in module.Types) {
 if (type.FullName == "BabelAttribute" || type.FullName == "BabelObfuscatorAttribute")
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs
index 3ddfad8a..7a0caa55 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs
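Review bot: In Unknown/Deobfuscator.cs the new `scanForObfuscator()` override is empty while `detectInternal()` still performs the scan through `setName(scanTypes())`, which inverts the scan/score split this commit introduces in the base class. Moving the call, `protected override void scanForObfuscator() { setName(scanTypes()); }`, and leaving `detectInternal()` as `return 1;` keeps the behaviour (the base `detect()` calls both in order) and matches the other deobfuscators. If the empty body is intentional, a one-line comment such as `// Nothing to scan ahead of time; see detectInternal()` would say so. `scanTypes()` continues outside the hunk.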
@@ -28,7 +28,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 }
 internal static string ObfuscatorType {
- get { return "DotNetReactor"; }
+ get { return "dotNetReactor"; }
 }
 public override string Type {
@@ -72,9 +72,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 base.init(module);
 }
- public override int detect() {
- scanForObfuscator();
-
+ protected override int detectInternal() {
 int val = 0;
 if (methodsDecrypter.Detected)
@@ -83,7 +81,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 return val;
 }
- protected override void scanForObfuscatorInternal() {
+ protected override void scanForObfuscator() {
 methodsDecrypter = new MethodsDecrypter(module);
 methodsDecrypter.find();
 }