Port Eazfuscator.NET deobfuscator
This commit is contained in:
parent
33645432f1
commit
c596f5ddfc
|
@ -177,16 +177,16 @@
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\ProxyCallFixer.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\v4\ProxyCallFixer.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\ResourceResolver.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\v4\ResourceResolver.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\v4\StringDecrypter.cs" />
|
||||||
<None Include="deobfuscators\Eazfuscator_NET\AssemblyResolver.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\AssemblyResolver.cs" />
|
||||||
<None Include="deobfuscators\Eazfuscator_NET\CodeCompilerMethodCallRestorer.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\CodeCompilerMethodCallRestorer.cs" />
|
||||||
<None Include="deobfuscators\Eazfuscator_NET\DecrypterType.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\DecrypterType.cs" />
|
||||||
<None Include="deobfuscators\Eazfuscator_NET\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\Deobfuscator.cs" />
|
||||||
<None Include="deobfuscators\Eazfuscator_NET\EfConstantsReader.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\EfConstantsReader.cs" />
|
||||||
<None Include="deobfuscators\Eazfuscator_NET\EfUtils.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\EfUtils.cs" />
|
||||||
<None Include="deobfuscators\Eazfuscator_NET\ResourceMethodsRestorer.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\ResourceMethodsRestorer.cs" />
|
||||||
<None Include="deobfuscators\Eazfuscator_NET\ResourceResolver.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\ResourceResolver.cs" />
|
||||||
<None Include="deobfuscators\Eazfuscator_NET\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\StringDecrypter.cs" />
|
||||||
<None Include="deobfuscators\Eazfuscator_NET\VersionDetector.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\VersionDetector.cs" />
|
||||||
<Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
|
<Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
|
||||||
<None Include="deobfuscators\Goliath_NET\ArrayDecrypter.cs" />
|
<None Include="deobfuscators\Goliath_NET\ArrayDecrypter.cs" />
|
||||||
<None Include="deobfuscators\Goliath_NET\ArrayValueInliner.cs" />
|
<None Include="deobfuscators\Goliath_NET\ArrayValueInliner.cs" />
|
||||||
|
|
|
@ -28,7 +28,7 @@ using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
class AssemblyResolver {
|
class AssemblyResolver {
|
||||||
ModuleDefinition module;
|
ModuleDefMD module;
|
||||||
DecrypterType decrypterType;
|
DecrypterType decrypterType;
|
||||||
TypeDef resolverType;
|
TypeDef resolverType;
|
||||||
MethodDef initMethod;
|
MethodDef initMethod;
|
||||||
|
@ -76,7 +76,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
get { return resolverType != null; }
|
get { return resolverType != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public AssemblyResolver(ModuleDefinition module, DecrypterType decrypterType) {
|
public AssemblyResolver(ModuleDefMD module, DecrypterType decrypterType) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
this.frameworkType = DotNetUtils.getFrameworkType(module);
|
this.frameworkType = DotNetUtils.getFrameworkType(module);
|
||||||
this.decrypterType = decrypterType;
|
this.decrypterType = decrypterType;
|
||||||
|
@ -356,9 +356,9 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
|
||||||
static void initializeNameAndExtension(AssemblyInfo info) {
|
static void initializeNameAndExtension(AssemblyInfo info) {
|
||||||
try {
|
try {
|
||||||
var mod = ModuleDefinition.ReadModule(new MemoryStream(info.Data));
|
var mod = ModuleDefMD.Load(info.Data);
|
||||||
info.AssemblyFullName = mod.Assembly.FullName;
|
info.AssemblyFullName = mod.Assembly.FullName;
|
||||||
info.SimpleName = mod.Assembly.Name.Name;
|
info.SimpleName = mod.Assembly.Name.String;
|
||||||
info.Extension = DeobUtils.getExtension(mod.Kind);
|
info.Extension = DeobUtils.getExtension(mod.Kind);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,45 +21,45 @@ using dot10.DotNet;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
class CodeCompilerMethodCallRestorer : MethodCallRestorerBase {
|
class CodeCompilerMethodCallRestorer : MethodCallRestorerBase {
|
||||||
TypeReference CodeDomProvider {
|
ITypeDefOrRef CodeDomProvider {
|
||||||
get {
|
get {
|
||||||
return builder.type("System.CodeDom.Compiler", "CodeDomProvider", "System");
|
return builder.type("System.CodeDom.Compiler", "CodeDomProvider", "System").ToTypeDefOrRef();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
TypeReference ICodeCompiler {
|
ITypeDefOrRef ICodeCompiler {
|
||||||
get {
|
get {
|
||||||
return builder.type("System.CodeDom.Compiler", "ICodeCompiler", "System");
|
return builder.type("System.CodeDom.Compiler", "ICodeCompiler", "System").ToTypeDefOrRef();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
TypeReference CompilerResults {
|
TypeSig CompilerResults {
|
||||||
get {
|
get {
|
||||||
return builder.type("System.CodeDom.Compiler", "CompilerResults", "System");
|
return builder.type("System.CodeDom.Compiler", "CompilerResults", "System");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
TypeReference CompilerParameters {
|
TypeSig CompilerParameters {
|
||||||
get {
|
get {
|
||||||
return builder.type("System.CodeDom.Compiler", "CompilerParameters", "System");
|
return builder.type("System.CodeDom.Compiler", "CompilerParameters", "System");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
TypeReference CodeCompileUnit {
|
TypeSig CodeCompileUnit {
|
||||||
get {
|
get {
|
||||||
return builder.type("System.CodeDom", "CodeCompileUnit", "System");
|
return builder.type("System.CodeDom", "CodeCompileUnit", "System");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
TypeReference CodeCompileUnitArray {
|
TypeSig CodeCompileUnitArray {
|
||||||
get { return builder.array(CodeCompileUnit); }
|
get { return builder.array(CodeCompileUnit); }
|
||||||
}
|
}
|
||||||
|
|
||||||
TypeReference StringArray {
|
TypeSig StringArray {
|
||||||
get { return builder.array(builder.String); }
|
get { return builder.array(builder.String); }
|
||||||
}
|
}
|
||||||
|
|
||||||
public CodeCompilerMethodCallRestorer(ModuleDefinition module)
|
public CodeCompilerMethodCallRestorer(ModuleDefMD module)
|
||||||
: base(module) {
|
: base(module) {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
class DecrypterType {
|
class DecrypterType {
|
||||||
ModuleDefinition module;
|
ModuleDefMD module;
|
||||||
ISimpleDeobfuscator simpleDeobfuscator;
|
ISimpleDeobfuscator simpleDeobfuscator;
|
||||||
TypeDef type;
|
TypeDef type;
|
||||||
MethodDef int64Method;
|
MethodDef int64Method;
|
||||||
|
@ -50,7 +50,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
get { return type != null; }
|
get { return type != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public DecrypterType(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
|
public DecrypterType(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
this.simpleDeobfuscator = simpleDeobfuscator;
|
this.simpleDeobfuscator = simpleDeobfuscator;
|
||||||
}
|
}
|
||||||
|
@ -338,9 +338,9 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
|
||||||
var bytes = new List<byte>();
|
var bytes = new List<byte>();
|
||||||
if (module.Assembly != null) {
|
if (module.Assembly != null) {
|
||||||
if (module.Assembly.Name.PublicKeyToken != null)
|
if (!PublicKeyBase.IsNullOrEmpty2(module.Assembly.PublicKey))
|
||||||
bytes.AddRange(module.Assembly.Name.PublicKeyToken);
|
bytes.AddRange(module.Assembly.PublicKeyToken.Data);
|
||||||
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.Name));
|
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.String));
|
||||||
}
|
}
|
||||||
int cm1 = constMethod1();
|
int cm1 = constMethod1();
|
||||||
bytes.Add((byte)(type.MDToken.ToInt32() >> 24));
|
bytes.Add((byte)(type.MDToken.ToInt32() >> 24));
|
||||||
|
|
|
@ -18,7 +18,6 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
using dot10.DotNet;
|
using dot10.DotNet;
|
||||||
using Mono.Cecil.Metadata;
|
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
@ -38,10 +37,10 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (!getInt32(ref index, out value))
|
if (!getInt32(ref index, out value))
|
||||||
break;
|
break;
|
||||||
var stloc = instructions[index];
|
var stloc = instructions[index];
|
||||||
if (!DotNetUtils.isStloc(stloc))
|
if (!stloc.IsStloc())
|
||||||
break;
|
break;
|
||||||
var local = DotNetUtils.getLocalVar(locals, stloc);
|
var local = stloc.GetLocal(locals);
|
||||||
if (local == null || local.VariableType.EType != ElementType.I4)
|
if (local == null || local.Type.GetElementType() != ElementType.I4)
|
||||||
break;
|
break;
|
||||||
localsValuesInt32[local] = value;
|
localsValuesInt32[local] = value;
|
||||||
index++;
|
index++;
|
||||||
|
|
|
@ -33,7 +33,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
get { return getManifestResourceStreamTypeResource; }
|
get { return getManifestResourceStreamTypeResource; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public ResourceMethodsRestorer(ModuleDefinition module)
|
public ResourceMethodsRestorer(ModuleDefMD module)
|
||||||
: base(module) {
|
: base(module) {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -45,7 +45,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
continue;
|
continue;
|
||||||
if (DotNetUtils.getField(type, "System.Reflection.Assembly") == null)
|
if (DotNetUtils.getField(type, "System.Reflection.Assembly") == null)
|
||||||
continue;
|
continue;
|
||||||
if (DotNetUtils.getMethod(type, ".cctor") == null)
|
if (type.FindStaticConstructor() == null)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var getStream2 = getTheOnlyMethod(type, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
|
var getStream2 = getTheOnlyMethod(type, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
|
||||||
|
|
|
@ -26,7 +26,7 @@ using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
class ResourceResolver {
|
class ResourceResolver {
|
||||||
ModuleDefinition module;
|
ModuleDefMD module;
|
||||||
AssemblyResolver assemblyResolver;
|
AssemblyResolver assemblyResolver;
|
||||||
TypeDef resolverType;
|
TypeDef resolverType;
|
||||||
MethodDef initMethod;
|
MethodDef initMethod;
|
||||||
|
@ -45,7 +45,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
get { return resolverType != null; }
|
get { return resolverType != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public ResourceResolver(ModuleDefinition module, AssemblyResolver assemblyResolver) {
|
public ResourceResolver(ModuleDefMD module, AssemblyResolver assemblyResolver) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
this.assemblyResolver = assemblyResolver;
|
this.assemblyResolver = assemblyResolver;
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,12 +23,11 @@ using System.IO;
|
||||||
using System.Text;
|
using System.Text;
|
||||||
using dot10.DotNet;
|
using dot10.DotNet;
|
||||||
using dot10.DotNet.Emit;
|
using dot10.DotNet.Emit;
|
||||||
using Mono.Cecil.Metadata;
|
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
class StringDecrypter {
|
class StringDecrypter {
|
||||||
ModuleDefinition module;
|
ModuleDefMD module;
|
||||||
TypeDef stringType;
|
TypeDef stringType;
|
||||||
MethodDef stringMethod;
|
MethodDef stringMethod;
|
||||||
TypeDef dataDecrypterType;
|
TypeDef dataDecrypterType;
|
||||||
|
@ -102,7 +101,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
get { return stringType != null; }
|
get { return stringType != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public StringDecrypter(ModuleDefinition module, DecrypterType decrypterType) {
|
public StringDecrypter(ModuleDefMD module, DecrypterType decrypterType) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
this.decrypterType = decrypterType;
|
this.decrypterType = decrypterType;
|
||||||
}
|
}
|
||||||
|
@ -110,7 +109,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
static bool checkIfV32OrLater(TypeDef type) {
|
static bool checkIfV32OrLater(TypeDef type) {
|
||||||
int numInts = 0;
|
int numInts = 0;
|
||||||
foreach (var field in type.Fields) {
|
foreach (var field in type.Fields) {
|
||||||
if (field.FieldType.EType == ElementType.I4)
|
if (field.FieldSig.GetFieldType().GetElementType() == ElementType.I4)
|
||||||
numInts++;
|
numInts++;
|
||||||
}
|
}
|
||||||
return numInts >= 2;
|
return numInts >= 2;
|
||||||
|
@ -161,7 +160,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
};
|
};
|
||||||
static StreamHelperType findStreamHelperType(TypeDef type) {
|
static StreamHelperType findStreamHelperType(TypeDef type) {
|
||||||
foreach (var field in type.Fields) {
|
foreach (var field in type.Fields) {
|
||||||
var nested = field.FieldType as TypeDef;
|
var nested = field.FieldSig.GetFieldType().TryGetTypeDef();
|
||||||
if (nested == null)
|
if (nested == null)
|
||||||
continue;
|
continue;
|
||||||
if (nested.DeclaringType != type)
|
if (nested.DeclaringType != type)
|
||||||
|
@ -197,7 +196,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
foreach (var instr in method.Body.Instructions) {
|
foreach (var instr in method.Body.Instructions) {
|
||||||
if (instr.OpCode != OpCodes.Callvirt)
|
if (instr.OpCode != OpCodes.Callvirt)
|
||||||
continue;
|
continue;
|
||||||
var calledMethod = instr.Operand as MethodReference;
|
var calledMethod = instr.Operand as IMethod;
|
||||||
if (calledMethod != null && calledMethod.FullName == "System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String)")
|
if (calledMethod != null && calledMethod.FullName == "System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String)")
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -248,7 +247,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (!findInts(out initializedAll))
|
if (!findInts(out initializedAll))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
var cctor = DotNetUtils.getMethod(stringType, ".cctor");
|
var cctor = stringType.FindStaticConstructor();
|
||||||
if (!initializedAll && cctor != null) {
|
if (!initializedAll && cctor != null) {
|
||||||
simpleDeobfuscator.deobfuscate(cctor);
|
simpleDeobfuscator.deobfuscate(cctor);
|
||||||
if (!findIntsCctor(cctor))
|
if (!findIntsCctor(cctor))
|
||||||
|
@ -292,10 +291,10 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
class FlagsInfo {
|
class FlagsInfo {
|
||||||
public VariableDefinition Local { get; set; }
|
public Local Local { get; set; }
|
||||||
public uint Value { get; set; }
|
public uint Value { get; set; }
|
||||||
public int Offset { get; set; }
|
public int Offset { get; set; }
|
||||||
public FlagsInfo(VariableDefinition local, uint value, int offset) {
|
public FlagsInfo(Local local, uint value, int offset) {
|
||||||
Local = local;
|
Local = local;
|
||||||
Value = value;
|
Value = value;
|
||||||
Offset = offset;
|
Offset = offset;
|
||||||
|
@ -307,7 +306,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (flags == null)
|
if (flags == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
flags.Sort((a, b) => Utils.compareInt32(a.Offset, b.Offset));
|
flags.Sort((a, b) => a.Offset.CompareTo(b.Offset));
|
||||||
|
|
||||||
rldFlag = flags[0].Value;
|
rldFlag = flags[0].Value;
|
||||||
bytesFlag = flags[1].Value;
|
bytesFlag = flags[1].Value;
|
||||||
|
@ -344,13 +343,13 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int getFlagsOffset(MethodDef method, int index, VariableDefinition local) {
|
static int getFlagsOffset(MethodDef method, int index, Local local) {
|
||||||
var instrs = method.Body.Instructions;
|
var instrs = method.Body.Instructions;
|
||||||
for (; index < instrs.Count; index++) {
|
for (; index < instrs.Count; index++) {
|
||||||
var ldloc = instrs[index];
|
var ldloc = instrs[index];
|
||||||
if (!DotNetUtils.isLdloc(ldloc))
|
if (!ldloc.IsLdloc())
|
||||||
continue;
|
continue;
|
||||||
if (DotNetUtils.getLocalVar(method.Body.Variables, ldloc) != local)
|
if (ldloc.GetLocal(method.Body.LocalList) != local)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
return index;
|
return index;
|
||||||
|
@ -358,7 +357,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
static VariableDefinition getFlagsLocal(MethodDef method, int index) {
|
static Local getFlagsLocal(MethodDef method, int index) {
|
||||||
var instrs = method.Body.Instructions;
|
var instrs = method.Body.Instructions;
|
||||||
if (index + 5 >= instrs.Count)
|
if (index + 5 >= instrs.Count)
|
||||||
return null;
|
return null;
|
||||||
|
@ -373,9 +372,9 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (instrs[index++].OpCode.Code != Code.Ceq)
|
if (instrs[index++].OpCode.Code != Code.Ceq)
|
||||||
return null;
|
return null;
|
||||||
var stloc = instrs[index++];
|
var stloc = instrs[index++];
|
||||||
if (!DotNetUtils.isStloc(stloc))
|
if (!stloc.IsStloc())
|
||||||
return null;
|
return null;
|
||||||
return DotNetUtils.getLocalVar(method.Body.Variables, stloc);
|
return stloc.GetLocal(method.Body.LocalList);
|
||||||
}
|
}
|
||||||
|
|
||||||
void initialize() {
|
void initialize() {
|
||||||
|
@ -415,10 +414,10 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
|
||||||
var bytes = reader.ReadBytes(flags & 0x1FFFFFFF);
|
var bytes = reader.ReadBytes(flags & 0x1FFFFFFF);
|
||||||
decrypt1(bytes, tmpKey);
|
decrypt1(bytes, tmpKey);
|
||||||
var pkt = module.Assembly.Name.PublicKeyToken;
|
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKey);
|
||||||
if (usePublicKeyToken && pkt != null && pkt.Length != 0) {
|
if (usePublicKeyToken && !PublicKeyBase.IsNullOrEmpty2(pkt)) {
|
||||||
for (int i = 0; i < bytes.Length; i++)
|
for (int i = 0; i < bytes.Length; i++)
|
||||||
bytes[i] ^= (byte)((pkt[i & 7] >> 5) + (pkt[i & 7] << 3));
|
bytes[i] ^= (byte)((pkt.Data[i & 7] >> 5) + (pkt.Data[i & 7] << 3));
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((flags & rldFlag) != 0)
|
if ((flags & rldFlag) != 0)
|
||||||
|
@ -605,9 +604,9 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
int tmp;
|
int tmp;
|
||||||
if (!stringMethodConsts.getNextInt32(ref i, out tmp))
|
if (!stringMethodConsts.getNextInt32(ref i, out tmp))
|
||||||
continue;
|
continue;
|
||||||
if ((instrs[i - 1].OpCode.Code == Code.Xor && DotNetUtils.isStloc(instrs[i])) ||
|
if ((instrs[i - 1].OpCode.Code == Code.Xor && instrs[i].IsStloc()) ||
|
||||||
(instrs[i].OpCode.Code == Code.Xor && DotNetUtils.isStloc(instrs[i + 1])) ||
|
(instrs[i].OpCode.Code == Code.Xor && instrs[i + 1].IsStloc()) ||
|
||||||
DotNetUtils.isLdloc(instrs[i])) {
|
instrs[i].IsLdloc()) {
|
||||||
i2 ^= tmp;
|
i2 ^= tmp;
|
||||||
returnValue = true;
|
returnValue = true;
|
||||||
}
|
}
|
||||||
|
@ -637,10 +636,10 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
var instr = instrs[i + 2];
|
var instr = instrs[i + 2];
|
||||||
if (instr.OpCode.Code == Code.Ldsfld) {
|
if (instr.OpCode.Code == Code.Ldsfld) {
|
||||||
var loadField = instr.Operand as FieldDef;
|
var loadField = instr.Operand as FieldDef;
|
||||||
if (loadField == null || loadField.FieldType.EType != ElementType.I4)
|
if (loadField == null || loadField.FieldType.GetElementType() != ElementType.I4)
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
else if (DotNetUtils.isLdcI4(instr)) {
|
else if (instr.IsLdcI4()) {
|
||||||
initializedAll = true;
|
initializedAll = true;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
@ -674,7 +673,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
int tmp4;
|
int tmp4;
|
||||||
if (!constantsReader.getNextInt32(ref index, out tmp4))
|
if (!constantsReader.getNextInt32(ref index, out tmp4))
|
||||||
break;
|
break;
|
||||||
if (index < instrs.Count && DotNetUtils.isLdloc(instrs[index]))
|
if (index < instrs.Count && instrs[index].IsLdloc())
|
||||||
tmp3 = tmp4;
|
tmp3 = tmp4;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -715,7 +714,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var ldci4 = instrs[i + 1];
|
var ldci4 = instrs[i + 1];
|
||||||
if (!DotNetUtils.isLdcI4(ldci4))
|
if (!ldci4.IsLdcI4())
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
int index = i + 1;
|
int index = i + 1;
|
||||||
|
@ -755,7 +754,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (instrs[index++].OpCode.Code != Code.Xor)
|
if (instrs[index++].OpCode.Code != Code.Xor)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (!DotNetUtils.isLdloc(instrs[index++]))
|
if (!instrs[index++].IsLdloc())
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (instrs[index++].OpCode.Code != Code.Xor)
|
if (instrs[index++].OpCode.Code != Code.Xor)
|
||||||
|
@ -811,9 +810,9 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (index <= 0)
|
if (index <= 0)
|
||||||
continue;
|
continue;
|
||||||
var ldci4 = stringMethod.Body.Instructions[index - 1];
|
var ldci4 = stringMethod.Body.Instructions[index - 1];
|
||||||
if (!DotNetUtils.isLdcI4(ldci4))
|
if (!ldci4.IsLdcI4())
|
||||||
continue;
|
continue;
|
||||||
if (DotNetUtils.getLdcI4Value(ldci4) != 4)
|
if (ldci4.GetLdcI4Value() != 4)
|
||||||
continue;
|
continue;
|
||||||
if (!stringMethodConsts.getNextInt32(ref index, out i5))
|
if (!stringMethodConsts.getNextInt32(ref index, out i5))
|
||||||
return false;
|
return false;
|
||||||
|
@ -848,7 +847,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (!findCallvirt(method, ref index))
|
if (!findCallvirt(method, ref index))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
var calledMethod = method.Body.Instructions[index].Operand as MethodReference;
|
var calledMethod = method.Body.Instructions[index].Operand as IMethod;
|
||||||
if (calledMethod == null)
|
if (calledMethod == null)
|
||||||
continue;
|
continue;
|
||||||
if (calledMethod.ToString() != methodFullName)
|
if (calledMethod.ToString() != methodFullName)
|
||||||
|
|
|
@ -27,7 +27,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
StringDecrypter stringDecrypter;
|
StringDecrypter stringDecrypter;
|
||||||
FrameworkType frameworkType;
|
FrameworkType frameworkType;
|
||||||
|
|
||||||
public VersionDetector(ModuleDefinition module, StringDecrypter stringDecrypter) {
|
public VersionDetector(ModuleDefMD module, StringDecrypter stringDecrypter) {
|
||||||
this.stringDecrypter = stringDecrypter;
|
this.stringDecrypter = stringDecrypter;
|
||||||
this.frameworkType = DotNetUtils.getFrameworkType(module);
|
this.frameworkType = DotNetUtils.getFrameworkType(module);
|
||||||
}
|
}
|
||||||
|
@ -52,7 +52,6 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
bool hasConstantM2 = DeobUtils.hasInteger(decryptStringMethod, -2);
|
bool hasConstantM2 = DeobUtils.hasInteger(decryptStringMethod, -2);
|
||||||
var frameworkType = DotNetUtils.getFrameworkType(decryptStringType.Module);
|
|
||||||
|
|
||||||
/////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////
|
||||||
/////////////////////////////////////////////////////////////////
|
/////////////////////////////////////////////////////////////////
|
||||||
|
@ -77,11 +76,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
decryptStringType.NestedTypes.Count == 0 &&
|
decryptStringType.NestedTypes.Count == 0 &&
|
||||||
!hasConstantM2 &&
|
!hasConstantM2 &&
|
||||||
!decryptStringMethod.NoInlining &&
|
!decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
decryptStringMethod.IsSynchronized &&
|
decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 35 &&
|
decryptStringMethod.Body.MaxStack >= 35 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 50 &&
|
decryptStringMethod.Body.MaxStack <= 50 &&
|
||||||
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
|
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals11) &&
|
new LocalTypes(decryptStringMethod).exactly(locals11) &&
|
||||||
checkTypeFields(fields11)) {
|
checkTypeFields(fields11)) {
|
||||||
|
@ -113,11 +112,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
decryptStringType.NestedTypes.Count == 0 &&
|
decryptStringType.NestedTypes.Count == 0 &&
|
||||||
!hasConstantM2 &&
|
!hasConstantM2 &&
|
||||||
!decryptStringMethod.NoInlining &&
|
!decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
decryptStringMethod.IsSynchronized &&
|
decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 35 &&
|
decryptStringMethod.Body.MaxStack >= 35 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 50 &&
|
decryptStringMethod.Body.MaxStack <= 50 &&
|
||||||
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
|
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals13) &&
|
new LocalTypes(decryptStringMethod).exactly(locals13) &&
|
||||||
checkTypeFields(fields13)) {
|
checkTypeFields(fields13)) {
|
||||||
|
@ -149,11 +148,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
decryptStringType.NestedTypes.Count == 0 &&
|
decryptStringType.NestedTypes.Count == 0 &&
|
||||||
!hasConstantM2 &&
|
!hasConstantM2 &&
|
||||||
!decryptStringMethod.NoInlining &&
|
!decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
decryptStringMethod.IsSynchronized &&
|
decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 150 &&
|
decryptStringMethod.Body.MaxStack >= 150 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 200 &&
|
decryptStringMethod.Body.MaxStack <= 200 &&
|
||||||
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
|
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals14) &&
|
new LocalTypes(decryptStringMethod).exactly(locals14) &&
|
||||||
checkTypeFields(fields14)) {
|
checkTypeFields(fields14)) {
|
||||||
|
@ -186,11 +185,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
decryptStringType.NestedTypes.Count == 0 &&
|
decryptStringType.NestedTypes.Count == 0 &&
|
||||||
!hasConstantM2 &&
|
!hasConstantM2 &&
|
||||||
!decryptStringMethod.NoInlining &&
|
!decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
decryptStringMethod.IsSynchronized &&
|
decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
decryptStringMethod.Body.MaxStack >= 1 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
decryptStringMethod.Body.MaxStack <= 8 &&
|
||||||
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
|
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals24) &&
|
new LocalTypes(decryptStringMethod).exactly(locals24) &&
|
||||||
checkTypeFields(fields24)) {
|
checkTypeFields(fields24)) {
|
||||||
|
@ -224,11 +223,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
decryptStringType.NestedTypes.Count == 0 &&
|
decryptStringType.NestedTypes.Count == 0 &&
|
||||||
!hasConstantM2 &&
|
!hasConstantM2 &&
|
||||||
!decryptStringMethod.NoInlining &&
|
!decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
decryptStringMethod.Body.MaxStack >= 1 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
decryptStringMethod.Body.MaxStack <= 8 &&
|
||||||
decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
|
decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals26) &&
|
new LocalTypes(decryptStringMethod).exactly(locals26) &&
|
||||||
checkTypeFields(fields26)) {
|
checkTypeFields(fields26)) {
|
||||||
|
@ -262,11 +261,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
decryptStringType.NestedTypes.Count == 0 &&
|
decryptStringType.NestedTypes.Count == 0 &&
|
||||||
!hasConstantM2 &&
|
!hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsPublic &&
|
decryptStringMethod.IsPublic &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
decryptStringMethod.Body.MaxStack >= 1 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
decryptStringMethod.Body.MaxStack <= 8 &&
|
||||||
decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
|
decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals27) &&
|
new LocalTypes(decryptStringMethod).exactly(locals27) &&
|
||||||
checkTypeFields(fields27)) {
|
checkTypeFields(fields27)) {
|
||||||
|
@ -301,11 +300,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
decryptStringType.NestedTypes.Count == 0 &&
|
decryptStringType.NestedTypes.Count == 0 &&
|
||||||
!hasConstantM2 &&
|
!hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
decryptStringMethod.Body.MaxStack >= 1 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
decryptStringMethod.Body.MaxStack <= 8 &&
|
||||||
decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
|
decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals28) &&
|
new LocalTypes(decryptStringMethod).exactly(locals28) &&
|
||||||
checkTypeFields(fields28)) {
|
checkTypeFields(fields28)) {
|
||||||
|
@ -344,11 +343,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (otherMethods.Count == 0 &&
|
if (otherMethods.Count == 0 &&
|
||||||
decryptStringType.NestedTypes.Count == 0 &&
|
decryptStringType.NestedTypes.Count == 0 &&
|
||||||
!hasConstantM2 &&
|
!hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
decryptStringMethod.Body.MaxStack >= 1 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
decryptStringMethod.Body.MaxStack <= 8 &&
|
||||||
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals29) &&
|
new LocalTypes(decryptStringMethod).exactly(locals29) &&
|
||||||
checkTypeFields(fields29)) {
|
checkTypeFields(fields29)) {
|
||||||
|
@ -394,11 +393,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
otherMethods[0].IsStatic &&
|
otherMethods[0].IsStatic &&
|
||||||
new LocalTypes(otherMethods[0]).exactly(olocals30) &&
|
new LocalTypes(otherMethods[0]).exactly(olocals30) &&
|
||||||
!hasConstantM2 &&
|
!hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
decryptStringMethod.Body.MaxStack >= 1 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
decryptStringMethod.Body.MaxStack <= 8 &&
|
||||||
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals30) &&
|
new LocalTypes(decryptStringMethod).exactly(locals30) &&
|
||||||
checkTypeFields(fields30)) {
|
checkTypeFields(fields30)) {
|
||||||
|
@ -444,11 +443,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
otherMethods[0].IsStatic &&
|
otherMethods[0].IsStatic &&
|
||||||
new LocalTypes(otherMethods[0]).exactly(olocals31) &&
|
new LocalTypes(otherMethods[0]).exactly(olocals31) &&
|
||||||
hasConstantM2 &&
|
hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
decryptStringMethod.Body.MaxStack >= 1 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
decryptStringMethod.Body.MaxStack <= 8 &&
|
||||||
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals31) &&
|
new LocalTypes(decryptStringMethod).exactly(locals31) &&
|
||||||
checkTypeFields(fields31)) {
|
checkTypeFields(fields31)) {
|
||||||
|
@ -496,11 +495,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
otherMethods[0].IsStatic &&
|
otherMethods[0].IsStatic &&
|
||||||
new LocalTypes(otherMethods[0]).exactly(olocals32) &&
|
new LocalTypes(otherMethods[0]).exactly(olocals32) &&
|
||||||
hasConstantM2 &&
|
hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
decryptStringMethod.Body.MaxStack >= 1 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
decryptStringMethod.Body.MaxStack <= 8 &&
|
||||||
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals32) &&
|
new LocalTypes(decryptStringMethod).exactly(locals32) &&
|
||||||
checkTypeFields(fields32)) {
|
checkTypeFields(fields32)) {
|
||||||
|
@ -551,11 +550,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
otherMethods[0].IsStatic &&
|
otherMethods[0].IsStatic &&
|
||||||
new LocalTypes(otherMethods[0]).exactly(olocals33) &&
|
new LocalTypes(otherMethods[0]).exactly(olocals33) &&
|
||||||
hasConstantM2 &&
|
hasConstantM2 &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
decryptStringMethod.Body.MaxStack >= 1 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
decryptStringMethod.Body.MaxStack <= 8 &&
|
||||||
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals33) &&
|
new LocalTypes(decryptStringMethod).exactly(locals33) &&
|
||||||
checkTypeFields(fields33)) {
|
checkTypeFields(fields33)) {
|
||||||
|
@ -606,11 +605,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
otherMethods[0].IsPrivate &&
|
otherMethods[0].IsPrivate &&
|
||||||
otherMethods[0].IsStatic &&
|
otherMethods[0].IsStatic &&
|
||||||
new LocalTypes(otherMethods[0]).exactly(olocals33) &&
|
new LocalTypes(otherMethods[0]).exactly(olocals33) &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
decryptStringMethod.Body.MaxStack >= 1 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
decryptStringMethod.Body.MaxStack <= 8 &&
|
||||||
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals33) &&
|
new LocalTypes(decryptStringMethod).exactly(locals33) &&
|
||||||
checkTypeFields(fields33)) {
|
checkTypeFields(fields33)) {
|
||||||
|
@ -656,11 +655,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
otherMethods[0].IsPrivate &&
|
otherMethods[0].IsPrivate &&
|
||||||
otherMethods[0].IsStatic &&
|
otherMethods[0].IsStatic &&
|
||||||
new LocalTypes(otherMethods[0]).exactly(olocals33_149) &&
|
new LocalTypes(otherMethods[0]).exactly(olocals33_149) &&
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.IsNoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
decryptStringMethod.Body.MaxStack >= 1 &&
|
||||||
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
decryptStringMethod.Body.MaxStack <= 8 &&
|
||||||
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
||||||
new LocalTypes(decryptStringMethod).exactly(locals33_149) &&
|
new LocalTypes(decryptStringMethod).exactly(locals33_149) &&
|
||||||
checkTypeFields(fields33_149)) {
|
checkTypeFields(fields33_149)) {
|
||||||
|
@ -684,7 +683,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
|
||||||
if (fieldIndex >= type.Fields.Count)
|
if (fieldIndex >= type.Fields.Count)
|
||||||
return null;
|
return null;
|
||||||
var nestedType = type.Fields[fieldIndex].FieldType as TypeDef;
|
var nestedType = type.Fields[fieldIndex].FieldType.TryGetTypeDef();
|
||||||
if (nestedType == null || type.NestedTypes.IndexOf(nestedType) < 0)
|
if (nestedType == null || type.NestedTypes.IndexOf(nestedType) < 0)
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
|
|
|
@ -48,8 +48,8 @@ namespace de4dot.cui {
|
||||||
new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.dotNET_Reactor.v3.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.dotNET_Reactor.v3.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.dotNET_Reactor.v4.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.dotNET_Reactor.v4.DeobfuscatorInfo(),
|
||||||
#if PORT
|
|
||||||
new de4dot.code.deobfuscators.Eazfuscator_NET.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Eazfuscator_NET.DeobfuscatorInfo(),
|
||||||
|
#if PORT
|
||||||
new de4dot.code.deobfuscators.Goliath_NET.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.Goliath_NET.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.ILProtector.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.ILProtector.DeobfuscatorInfo(),
|
||||||
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
||||||
|
|
Loading…
Reference in New Issue
Block a user