Port SmartAssembly deobfuscator
parent
cca8eba9ed
commit
c5f2043a6e
|
@ -375,18 +375,18 @@ namespace de4dot.blocks {
|
|||
return type.FindMethod(methodRef.Name, methodRef.MethodSig);
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static IEnumerable<MethodDef> getNormalMethods(TypeDefinition type) {
|
||||
public static IEnumerable<MethodDef> getNormalMethods(TypeDef type) {
|
||||
foreach (var method in type.Methods) {
|
||||
if (method.HasPInvokeInfo)
|
||||
if (method.HasImplMap)
|
||||
continue;
|
||||
if (method.Name == ".ctor" || method.Name == ".cctor")
|
||||
if (method.IsConstructor)
|
||||
continue;
|
||||
|
||||
yield return method;
|
||||
}
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static TypeDefinition getType(ModuleDefinition module, TypeReference typeReference) {
|
||||
if (typeReference == null)
|
||||
return null;
|
||||
|
@ -394,15 +394,15 @@ namespace de4dot.blocks {
|
|||
return (TypeDefinition)typeReference;
|
||||
return typeCaches.lookup(module, typeReference);
|
||||
}
|
||||
#endif
|
||||
|
||||
public static FieldDefinition getField(ModuleDefinition module, FieldReference field) {
|
||||
public static FieldDef getField(ModuleDef module, IField field) {
|
||||
if (field == null)
|
||||
return null;
|
||||
if (field is FieldDefinition)
|
||||
return (FieldDefinition)field;
|
||||
if (field is FieldDef)
|
||||
return (FieldDef)field;
|
||||
return getField(getType(module, field.DeclaringType), field);
|
||||
}
|
||||
#endif
|
||||
|
||||
public static FieldDef getField(TypeDef type, IField fieldReference) {
|
||||
if (type == null || fieldReference == null)
|
||||
|
@ -432,12 +432,13 @@ namespace de4dot.blocks {
|
|||
}
|
||||
return null;
|
||||
}
|
||||
#endif
|
||||
|
||||
public static IEnumerable<MethodReference> getMethodCalls(MethodDef method) {
|
||||
var list = new List<MethodReference>();
|
||||
public static IEnumerable<IMethod> getMethodCalls(MethodDef method) {
|
||||
var list = new List<IMethod>();
|
||||
if (method.HasBody) {
|
||||
foreach (var instr in method.Body.Instructions) {
|
||||
var calledMethod = instr.Operand as MethodReference;
|
||||
var calledMethod = instr.Operand as IMethod;
|
||||
if (calledMethod != null)
|
||||
list.Add(calledMethod);
|
||||
}
|
||||
|
@ -445,6 +446,7 @@ namespace de4dot.blocks {
|
|||
return list;
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static MethodCalls getMethodCallCounts(MethodDef method) {
|
||||
var methodCalls = new MethodCalls();
|
||||
methodCalls.addMethodCalls(method);
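Review bot: In `getMethodCalls`, `instr.Operand as IMethod` is applied to every instruction with no opcode filter, so the cast alone decides what counts as a call. If dot10's member-reference type implements both `IMethod` and `IField` (the ProxyCallFixer change in this commit assigns a resolved member reference straight to an `IMethod`, which suggests it does), a field-reference operand would now land in the list, whereas the old `as MethodReference` cast excluded it. Consider `if (calledMethod != null && calledMethod.MethodSig != null)` before `list.Add(calledMethod)`, mirroring the `sig == null` guard this commit adds in `isExceptionLoggerMethod`. Separately, `method.IsConstructor` in `getNormalMethods` may depend on metadata flags as well as the name, so on obfuscated input it is worth confirming it still skips everything the old `.ctor`/`.cctor` name test did. The body of `getMethodCalls` spans two hunks on this page.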
|
||||
|
|
|
@ -56,7 +56,6 @@
|
|||
<Compile Include="AssemblyModule.cs" />
|
||||
<Compile Include="AssemblyResolver.cs" />
|
||||
<Compile Include="DeobfuscatorContext.cs" />
|
||||
<Compile Include="deobfuscators\ArrayFinder.cs" />
|
||||
<Compile Include="deobfuscators\Agile_NET\CliSecureRtType.cs" />
|
||||
<Compile Include="deobfuscators\Agile_NET\CsBlowfish.cs" />
|
||||
<Compile Include="deobfuscators\Agile_NET\Deobfuscator.cs" />
|
||||
|
@ -76,6 +75,7 @@
|
|||
<Compile Include="deobfuscators\Agile_NET\vm\UnknownHandlerInfo.cs" />
|
||||
<Compile Include="deobfuscators\Agile_NET\vm\VmOpCodeHandlerDetector.cs" />
|
||||
<Compile Include="deobfuscators\Agile_NET\vm\VmOperands.cs" />
|
||||
<Compile Include="deobfuscators\ArrayFinder.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\AssemblyResolver.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\BabelInflater.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\BabelMethodCallInliner.cs" />
|
||||
|
@ -235,22 +235,22 @@
|
|||
<Compile Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
|
||||
<Compile Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\AssemblyResolver.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\AssemblyResolverInfo.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\AutomatedErrorReportingFinder.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\Deobfuscator.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\MemoryManagerInfo.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\ProxyCallFixer.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\ResolverInfoBase.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\ResourceDecrypter.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\ResourceDecrypterInfo.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\ResourceResolver.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\ResourceResolverInfo.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\SimpleZipInfo.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\StringDecrypter.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\StringDecrypterInfo.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\StringEncoderClassFinder.cs" />
|
||||
<None Include="deobfuscators\SmartAssembly\TamperProtectionRemover.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\AssemblyResolver.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\AssemblyResolverInfo.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\AutomatedErrorReportingFinder.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\MemoryManagerInfo.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\ProxyCallFixer.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\ResolverInfoBase.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\ResourceDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\ResourceDecrypterInfo.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\ResourceResolver.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\ResourceResolverInfo.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\SimpleZipInfo.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\StringDecrypterInfo.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\StringEncoderClassFinder.cs" />
|
||||
<Compile Include="deobfuscators\SmartAssembly\TamperProtectionRemover.cs" />
|
||||
<Compile Include="deobfuscators\Spices_Net\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\Spices_Net\QclzDecompressor.cs" />
|
||||
<Compile Include="deobfuscators\Spices_Net\ResourceNamesRestorer.cs" />
|
||||
|
@ -264,10 +264,10 @@
|
|||
<Compile Include="deobfuscators\ValueInlinerBase.cs" />
|
||||
<Compile Include="deobfuscators\Xenocode\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\Xenocode\StringDecrypter.cs" />
|
||||
<Compile Include="DumpedMethodsRestorer.cs" />
|
||||
<Compile Include="IDeobfuscatorContext.cs" />
|
||||
<Compile Include="IObfuscatedFile.cs" />
|
||||
<Compile Include="Logger.cs" />
|
||||
<Compile Include="DumpedMethodsRestorer.cs" />
|
||||
<Compile Include="MethodPrinter.cs" />
|
||||
<Compile Include="MethodReturnValueInliner.cs" />
|
||||
<Compile Include="NameRegexes.cs" />
|
||||
|
|
|
@ -38,7 +38,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return assemblyName ?? base.ToString();
|
||||
}
|
||||
|
||||
public static EmbeddedAssemblyInfo create(ModuleDefinition module, string encName, string rsrcName) {
|
||||
public static EmbeddedAssemblyInfo create(ModuleDefMD module, string encName, string rsrcName) {
|
||||
var info = new EmbeddedAssemblyInfo();
|
||||
|
||||
try {
|
||||
|
@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
get { return embeddedAssemblyInfos; }
|
||||
}
|
||||
|
||||
public AssemblyResolverInfo(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
|
||||
public AssemblyResolverInfo(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
|
||||
: base(module, simpleDeobfuscator, deob) {
|
||||
}
|
||||
|
||||
|
@ -160,7 +160,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
foreach (var call in method.Body.Instructions) {
|
||||
if (call.OpCode.Code != Code.Call)
|
||||
continue;
|
||||
var calledMethod = call.Operand as MethodReference;
|
||||
var calledMethod = call.Operand as IMethod;
|
||||
if (calledMethod == null)
|
||||
continue;
|
||||
if (!SimpleZipInfo.isSimpleZipDecryptMethod_QuickCheck(module, calledMethod, out simpleZipTypeMethod))
|
||||
|
|
|
@ -25,18 +25,18 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||
class AutomatedErrorReportingFinder : ExceptionLoggerRemover {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
bool enabled;
|
||||
|
||||
protected override bool HasExceptionLoggers {
|
||||
get { return enabled; }
|
||||
}
|
||||
|
||||
public AutomatedErrorReportingFinder(ModuleDefinition module) {
|
||||
public AutomatedErrorReportingFinder(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
protected override bool isExceptionLogger(MethodReference method) {
|
||||
protected override bool isExceptionLogger(IMethod method) {
|
||||
return isExceptionLoggerMethod(method);
|
||||
}
|
||||
|
||||
|
@ -80,14 +80,14 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return isExceptionLoggerMethod(exceptionMethod);
|
||||
}
|
||||
|
||||
MethodReference checkHandler(IList<Instruction> instrs, int start, int end) {
|
||||
MethodReference calledMethod = null;
|
||||
IMethod checkHandler(IList<Instruction> instrs, int start, int end) {
|
||||
IMethod calledMethod = null;
|
||||
for (int i = start; i < end; i++) {
|
||||
var instr = instrs[i];
|
||||
if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
|
||||
if (calledMethod != null)
|
||||
return null;
|
||||
var method = instr.Operand as MethodReference;
|
||||
var method = instr.Operand as IMethod;
|
||||
if (method == null)
|
||||
return null;
|
||||
calledMethod = method;
|
||||
|
@ -97,24 +97,24 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return calledMethod;
|
||||
}
|
||||
|
||||
static bool isExceptionLoggerMethod(MethodReference method) {
|
||||
static bool isExceptionLoggerMethod(IMethod method) {
|
||||
if (method.Name == ".ctor" || method.Name == ".cctor")
|
||||
return false;
|
||||
|
||||
var parameters = method.Parameters;
|
||||
if (parameters.Count < 1)
|
||||
var sig = method.MethodSig;
|
||||
if (sig == null || sig.Params.Count < 1)
|
||||
return false;
|
||||
|
||||
var rtype = method.MethodReturnType.ReturnType.FullName;
|
||||
var type0 = parameters[0].ParameterType.FullName;
|
||||
var type1 = parameters.Count < 2 ? "" : parameters[1].ParameterType.FullName;
|
||||
var rtype = sig.RetType.GetFullName();
|
||||
var type0 = sig.Params[0].GetFullName();
|
||||
var type1 = sig.Params.Count < 2 ? "" : sig.Params[1].GetFullName();
|
||||
int index;
|
||||
if (rtype == "System.Void") {
|
||||
if (type0 == "System.Exception" && type1 == "System.Int32")
|
||||
index = 2;
|
||||
else if (type0 == "System.Object[]" && type1 == "System.Exception")
|
||||
return true;
|
||||
else if (parameters.Count == 2 && type0 == "System.Int32" && type1 == "System.Object[]")
|
||||
else if (sig.Params.Count == 2 && type0 == "System.Int32" && type1 == "System.Object[]")
|
||||
return true;
|
||||
else if (type0 == "System.Exception")
|
||||
index = 1;
|
||||
|
@ -126,7 +126,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
index = 2;
|
||||
else if (type0 == "System.Int32" && type1 == "System.Exception")
|
||||
index = 2;
|
||||
else if (parameters.Count == 2 && type0 == "System.Int32" && type1 == "System.Object[]")
|
||||
else if (sig.Params.Count == 2 && type0 == "System.Int32" && type1 == "System.Object[]")
|
||||
return true;
|
||||
else if (type0 == "System.Exception")
|
||||
index = 1;
|
||||
|
@ -136,11 +136,11 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
else
|
||||
return false;
|
||||
|
||||
if (index + 1 == parameters.Count && parameters[index].ParameterType.FullName == "System.Object[]")
|
||||
if (index + 1 == sig.Params.Count && sig.Params[index].GetFullName() == "System.Object[]")
|
||||
return true;
|
||||
|
||||
for (int i = index; i < parameters.Count; i++) {
|
||||
if (parameters[i].ParameterType.FullName != "System.Object")
|
||||
for (int i = index; i < sig.Params.Count; i++) {
|
||||
if (sig.Params[i].GetElementType() != ElementType.Object)
|
||||
return false;
|
||||
}
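Review bot: The trailing-parameter loop in `isExceptionLoggerMethod` now tests `sig.Params[i].GetElementType() != ElementType.Object`, while every other type check in the function still compares `GetFullName()` strings. The two are not obviously equivalent: a parameter encoded as a class reference to `System.Object` rather than as the primitive element type would have matched the old `FullName` test but presumably fails this one, so a logger with that signature would go undetected. Either keep `sig.Params[i].GetFullName() != "System.Object"` for consistency with the rest of the function, or add a comment stating that only the primitive encoding is expected. The function starts in an earlier hunk and continues past this one.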
|
||||
|
||||
|
|
|
@ -25,9 +25,6 @@ using dot10.DotNet;
|
|||
using dot10.DotNet.Emit;
|
||||
using de4dot.blocks;
|
||||
|
||||
// SmartAssembly can add so much junk that it's very difficult to find and remove all of it.
|
||||
// I remove some safe types that are almost guaranteed not to have any references in the code.
|
||||
|
||||
namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||
public const string THE_NAME = "SmartAssembly";
|
||||
|
@ -123,7 +120,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
StringFeatures = StringFeatures.AllowStaticDecryption;
|
||||
}
|
||||
|
||||
public override void init(ModuleDefinition module) {
|
||||
public override void init(ModuleDefMD module) {
|
||||
base.init(module);
|
||||
}
|
||||
|
||||
|
@ -241,7 +238,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
|
||||
var attrs2 = new Dictionary<TypeDef, bool>();
|
||||
foreach (var cattr in cattrs) {
|
||||
if (!DotNetUtils.isMethod(cattr.Constructor, "System.Void", "(System.Int32)"))
|
||||
if (!DotNetUtils.isMethod(cattr.Constructor as IMethod, "System.Void", "(System.Int32)"))
|
||||
continue;
|
||||
var attrType = cattr.AttributeType as TypeDef;
|
||||
if (attrType == null)
|
||||
|
@ -275,7 +272,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
foreach (var type in module.Types) {
|
||||
if (type == moduleType)
|
||||
continue;
|
||||
var ns = type.Namespace;
|
||||
var ns = type.Namespace.String;
|
||||
if (!namespaces.ContainsKey(ns))
|
||||
namespaces[ns] = 0;
|
||||
if (type.Name != "" || type.IsPublic || type.HasFields || type.HasMethods || type.HasProperties || type.HasEvents)
|
||||
|
@ -417,8 +414,9 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
Logger.v("Adding string decrypter. Resource: {0}", Utils.toCsharpString(info.StringsResource.Name));
|
||||
var decrypter = new StringDecrypter(info);
|
||||
if (decrypter.CanDecrypt) {
|
||||
staticStringInliner.add(DotNetUtils.getMethod(info.GetStringDelegate, "Invoke"), (method, gim, args) => {
|
||||
var fieldDefinition = DotNetUtils.getField(module, (FieldReference)args[0]);
|
||||
var invokeMethod = info.GetStringDelegate == null ? null : info.GetStringDelegate.FindMethod("Invoke");
|
||||
staticStringInliner.add(invokeMethod, (method, gim, args) => {
|
||||
var fieldDefinition = DotNetUtils.getField(module, (IField)args[0]);
|
||||
return decrypter.decrypt(fieldDefinition.MDToken.ToInt32(), (int)args[1]);
|
||||
});
|
||||
staticStringInliner.add(info.StringDecrypterMethod, (method, gim, args) => {
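Review bot: Inside the `Invoke` lambda, `fieldDefinition.MDToken` is read without checking the result of `DotNetUtils.getField(module, (IField)args[0])`, and the `getField` overloads shown in this commit return null when a lookup fails. On a damaged or deliberately malformed sample that turns a string that should merely be skipped into a NullReferenceException in the middle of decryption; the hard cast `(IField)args[0]` fails similarly if the argument is some other operand type. Consider `var fieldRef = args[0] as IField;` followed by a null check on both `fieldRef` and `fieldDefinition`, returning whatever the inliner treats as "not decrypted" (the inliner is not visible here). `invokeMethod` can also be null when `info.GetStringDelegate` is null, so it is worth confirming that `staticStringInliner.add` tolerates a null method. The enclosing method starts and ends outside the hunk.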
|
||||
|
|
|
@ -22,7 +22,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||
class MemoryManagerInfo {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef memoryManagerType;
|
||||
MethodDef attachAppMethod;
|
||||
|
||||
|
@ -38,7 +38,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
get { return attachAppMethod; }
|
||||
}
|
||||
|
||||
public MemoryManagerInfo(ModuleDefinition module) {
|
||||
public MemoryManagerInfo(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
|
@ -72,7 +72,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
// Only two fields: itself and a long
|
||||
int fields = 0;
|
||||
foreach (var field in type.Fields) {
|
||||
if (MemberReferenceHelper.compareTypes(field.FieldType, type) ||
|
||||
if (new SigComparer().Equals(field.FieldType, type) ||
|
||||
field.FieldType.FullName == "System.Int64") {
|
||||
fields++;
|
||||
continue;
|
||||
|
|
|
@ -37,7 +37,6 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
'\x9E', '\x9F',
|
||||
};
|
||||
|
||||
IList<MemberReference> memberReferences;
|
||||
ISimpleDeobfuscator simpleDeobfuscator;
|
||||
|
||||
static ProxyCallFixer() {
|
||||
|
@ -45,9 +44,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
specialCharsDict[specialChars[i]] = i;
|
||||
}
|
||||
|
||||
public ProxyCallFixer(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator)
|
||||
public ProxyCallFixer(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator)
|
||||
: base(module) {
|
||||
this.memberReferences = new List<MemberReference>(module.GetMemberReferences());
|
||||
this.simpleDeobfuscator = simpleDeobfuscator;
|
||||
}
|
||||
|
||||
|
@ -59,14 +57,14 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
simpleDeobfuscator.deobfuscate(cctor);
|
||||
if (instrs.Count != 3)
|
||||
return null;
|
||||
if (!DotNetUtils.isLdcI4(instrs[0].OpCode.Code))
|
||||
if (!instrs[0].IsLdcI4())
|
||||
return null;
|
||||
if (instrs[1].OpCode != OpCodes.Call || !isDelegateCreatorMethod(instrs[1].Operand as MethodDef))
|
||||
return null;
|
||||
if (instrs[2].OpCode != OpCodes.Ret)
|
||||
return null;
|
||||
|
||||
int delegateToken = 0x02000001 + DotNetUtils.getLdcI4Value(instrs[0]);
|
||||
int delegateToken = 0x02000001 + instrs[0].GetLdcI4Value();
|
||||
if (type.MDToken.ToInt32() != delegateToken) {
|
||||
Logger.w("Delegate token is not current type");
|
||||
return null;
|
||||
|
@ -75,11 +73,11 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return new object();
|
||||
}
|
||||
|
||||
protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) {
|
||||
protected override void getCallInfo(object context, FieldDef field, out IMethod calledMethod, out OpCode callOpcode) {
|
||||
callOpcode = OpCodes.Call;
|
||||
string name = field.Name;
|
||||
string name = field.Name.String;
|
||||
|
||||
int methodIndex = 0;
|
||||
uint memberRefRid = 0;
|
||||
for (int i = name.Length - 1; i >= 0; i--) {
|
||||
char c = name[i];
|
||||
if (c == '~') {
|
||||
|
@ -89,24 +87,21 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
|
||||
int val;
|
||||
if (specialCharsDict.TryGetValue(c, out val))
|
||||
methodIndex = methodIndex * specialChars.Length + val;
|
||||
memberRefRid = memberRefRid * (uint)specialChars.Length + (uint)val;
|
||||
}
|
||||
memberRefRid++;
|
||||
|
||||
if (methodIndex >= memberReferences.Count) {
|
||||
Logger.w("Ignoring invalid methodIndex: {0:X8}, field: {1:X8}", methodIndex, field.MDToken.ToInt32());
|
||||
calledMethod = null;
|
||||
return;
|
||||
}
|
||||
|
||||
calledMethod = memberReferences[methodIndex] as MethodReference;
|
||||
calledMethod = module.ResolveMemberRef(memberRefRid);
|
||||
if (calledMethod == null)
|
||||
Logger.w("Ignoring invalid method RID: {0:X8}, field: {1:X8}", memberRefRid, field.MDToken.ToInt32());
|
||||
}
|
||||
|
||||
public void findDelegateCreator(ModuleDefinition module) {
|
||||
public void findDelegateCreator(ModuleDefMD module) {
|
||||
var callCounter = new CallCounter();
|
||||
foreach (var type in module.Types) {
|
||||
if (type.Namespace != "" || !DotNetUtils.derivesFromDelegate(type))
|
||||
continue;
|
||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
||||
var cctor = type.FindStaticConstructor();
|
||||
if (cctor == null)
|
||||
continue;
|
||||
foreach (var method in DotNetUtils.getMethodCalls(cctor))
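Review bot: In `getCallInfo`, the RID decoded from the obfuscated field name is passed to `module.ResolveMemberRef(memberRefRid)` and the result is used as the call target without confirming that it is a method reference. The removed code's `as MethodReference` cast turned a field reference into null; if `ResolveMemberRef` can return a field member reference, the new code would hand it to the proxy-call rewriter as `calledMethod`. Since the name comes from the file being analysed, a check such as `if (calledMethod != null && calledMethod.MethodSig == null) calledMethod = null;` placed before the warning would keep the old behaviour. The `uint` multiply-accumulate also wraps silently on long names, where the old code had an explicit bounds check against `memberReferences.Count`; a one-line comment that an out-of-range RID is expected to resolve to null would document that reliance.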
|
||||
|
|
|
@ -24,7 +24,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||
abstract class ResolverInfoBase {
|
||||
protected ModuleDefinition module;
|
||||
protected ModuleDefMD module;
|
||||
ISimpleDeobfuscator simpleDeobfuscator;
|
||||
IDeobfuscator deob;
|
||||
TypeDef resolverType;
|
||||
|
@ -48,7 +48,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
get { return callResolverMethod; }
|
||||
}
|
||||
|
||||
public ResolverInfoBase(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
|
||||
public ResolverInfoBase(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
|
||||
this.module = module;
|
||||
this.simpleDeobfuscator = simpleDeobfuscator;
|
||||
this.deob = deob;
|
||||
|
@ -163,7 +163,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
foreach (var instr in resolveHandler.Body.Instructions) {
|
||||
if (instr.OpCode.Code != Code.Ldsfld && instr.OpCode.Code != Code.Stsfld)
|
||||
continue;
|
||||
var field = DotNetUtils.getField(module, instr.Operand as FieldReference);
|
||||
var field = DotNetUtils.getField(module, instr.Operand as IField);
|
||||
if (field == null)
|
||||
continue;
|
||||
if (!checkResolverType(field.DeclaringType))
|
||||
|
@ -190,20 +190,20 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
continue;
|
||||
|
||||
var call = instrs[0];
|
||||
if (!DotNetUtils.isMethod(call.Operand as MethodReference, "System.AppDomain", "()"))
|
||||
if (!DotNetUtils.isMethod(call.Operand as IMethod, "System.AppDomain", "()"))
|
||||
continue;
|
||||
|
||||
var ldftn = instrs[2];
|
||||
var handlerDef = DotNetUtils.getMethod(module, ldftn.Operand as MethodReference);
|
||||
var handlerDef = DotNetUtils.getMethod(module, ldftn.Operand as IMethod);
|
||||
if (handlerDef == null)
|
||||
continue;
|
||||
|
||||
var newobj = instrs[3];
|
||||
if (!DotNetUtils.isMethod(newobj.Operand as MethodReference, "System.Void", "(System.Object,System.IntPtr)"))
|
||||
if (!DotNetUtils.isMethod(newobj.Operand as IMethod, "System.Void", "(System.Object,System.IntPtr)"))
|
||||
continue;
|
||||
|
||||
var callvirt = instrs[4];
|
||||
if (!DotNetUtils.isMethod(callvirt.Operand as MethodReference, "System.Void", "(System.ResolveEventHandler)"))
|
||||
if (!DotNetUtils.isMethod(callvirt.Operand as IMethod, "System.Void", "(System.ResolveEventHandler)"))
|
||||
continue;
|
||||
|
||||
numHandlers++;
|
||||
|
|
|
@ -24,7 +24,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||
class ResourceDecrypterInfo {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
MethodDef simpleZipTypeDecryptMethod;
|
||||
|
||||
public byte[] DES_Key { get; private set; }
|
||||
|
@ -36,11 +36,11 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
get { return simpleZipTypeDecryptMethod != null; }
|
||||
}
|
||||
|
||||
public ResourceDecrypterInfo(ModuleDefinition module) {
|
||||
public ResourceDecrypterInfo(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public ResourceDecrypterInfo(ModuleDefinition module, MethodDef simpleZipTypeDecryptMethod, ISimpleDeobfuscator simpleDeobfuscator)
|
||||
public ResourceDecrypterInfo(ModuleDefMD module, MethodDef simpleZipTypeDecryptMethod, ISimpleDeobfuscator simpleDeobfuscator)
|
||||
: this(module) {
|
||||
setSimpleZipType(simpleZipTypeDecryptMethod, simpleDeobfuscator);
|
||||
}
|
||||
|
@ -62,7 +62,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
var ldtoken = instructions[i];
|
||||
if (ldtoken.OpCode.Code != Code.Ldtoken)
|
||||
continue;
|
||||
var field = DotNetUtils.getField(module, ldtoken.Operand as FieldReference);
|
||||
var field = DotNetUtils.getField(module, ldtoken.Operand as IField);
|
||||
if (field == null)
|
||||
continue;
|
||||
if (field.InitialValue == null)
|
||||
|
@ -71,7 +71,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
var call = instructions[i + 1];
|
||||
if (call.OpCode.Code != Code.Call)
|
||||
continue;
|
||||
var calledMethod = call.Operand as MethodReference;
|
||||
var calledMethod = call.Operand as IMethod;
|
||||
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "(System.Array,System.RuntimeFieldHandle)"))
|
||||
continue;
|
||||
|
||||
|
|
|
@ -24,12 +24,12 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||
class ResourceResolver {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
AssemblyResolver assemblyResolver;
|
||||
ResourceResolverInfo resourceResolverInfo;
|
||||
bool mergedIt = false;
|
||||
|
||||
public ResourceResolver(ModuleDefinition module, AssemblyResolver assemblyResolver, ResourceResolverInfo resourceResolverInfo) {
|
||||
public ResourceResolver(ModuleDefMD module, AssemblyResolver assemblyResolver, ResourceResolverInfo resourceResolverInfo) {
|
||||
this.module = module;
|
||||
this.assemblyResolver = assemblyResolver;
|
||||
this.resourceResolverInfo = resourceResolverInfo;
|
||||
|
|
|
@ -30,7 +30,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
get { return resourceInfo; }
|
||||
}
|
||||
|
||||
public ResourceResolverInfo(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob, AssemblyResolverInfo assemblyResolverInfo)
|
||||
public ResourceResolverInfo(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob, AssemblyResolverInfo assemblyResolverInfo)
|
||||
: base(module, simpleDeobfuscator, deob) {
|
||||
this.assemblyResolverInfo = assemblyResolverInfo;
|
||||
}
|
||||
|
@ -51,7 +51,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
continue;
|
||||
|
||||
var s = instrs[0].Operand as string;
|
||||
var calledMethod = instrs[1].Operand as MethodReference;
|
||||
var calledMethod = instrs[1].Operand as IMethod;
|
||||
if (s == null || calledMethod == null)
|
||||
continue;
|
||||
|
||||
|
|
|
@ -23,7 +23,7 @@ using de4dot.blocks;
|
|||
namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||
class SimpleZipInfo {
|
||||
|
||||
public static bool isSimpleZipDecryptMethod_QuickCheck(ModuleDefinition module, MethodReference method, out MethodDef simpleZipTypeMethod) {
|
||||
public static bool isSimpleZipDecryptMethod_QuickCheck(ModuleDefMD module, IMethod method, out MethodDef simpleZipTypeMethod) {
|
||||
simpleZipTypeMethod = null;
|
||||
|
||||
if (!DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte[])"))
|
||||
|
|
|
@ -33,7 +33,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
}
|
||||
|
||||
class StringDecrypterInfo {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
ResourceDecrypter resourceDecrypter;
|
||||
TypeDef stringsEncodingClass;
|
||||
EmbeddedResource stringsResource;
|
||||
|
@ -78,7 +78,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
get { return stringDecrypterMethod; }
|
||||
}
|
||||
|
||||
public StringDecrypterInfo(ModuleDefinition module, TypeDef stringsEncodingClass) {
|
||||
public StringDecrypterInfo(ModuleDefMD module, TypeDef stringsEncodingClass) {
|
||||
this.module = module;
|
||||
this.stringsEncodingClass = stringsEncodingClass;
|
||||
}
|
||||
|
@ -103,7 +103,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
}
|
||||
|
||||
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||
var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
|
||||
var cctor = stringsEncodingClass.FindStaticConstructor();
|
||||
if (cctor != null)
|
||||
simpleDeobfuscator.deobfuscate(cctor);
|
||||
|
||||
|
@ -127,10 +127,10 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
stringOffset = 0;
|
||||
if (decrypterVersion != StringDecrypterVersion.V1) {
|
||||
if (callsGetPublicKeyToken(initMethod)) {
|
||||
var pkt = module.Assembly.Name.PublicKeyToken;
|
||||
if (pkt != null) {
|
||||
for (int i = 0; i < pkt.Length - 1; i += 2)
|
||||
stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
|
||||
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
|
||||
if (!PublicKeyBase.IsNullOrEmpty2(pkt)) {
|
||||
for (int i = 0; i < pkt.Data.Length - 1; i += 2)
|
||||
stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -168,7 +168,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return true;
|
||||
|
||||
if (decrypterVersion <= StringDecrypterVersion.V3) {
|
||||
stringsResource = DotNetUtils.getResource(module, module.Mvid.ToString("B")) as EmbeddedResource;
|
||||
stringsResource = DotNetUtils.getResource(module, (module.Mvid ?? Guid.NewGuid()).ToString("B")) as EmbeddedResource;
|
||||
if (stringsResource != null)
|
||||
return true;
|
||||
}
|
||||
|
@ -217,7 +217,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
|
||||
// Find the string decrypter string offset value or null if none found
|
||||
int? findOffsetValue(MethodDef method) {
|
||||
var fieldDict = new FieldDefinitionAndDeclaringTypeDict<FieldReference>();
|
||||
var fieldDict = new FieldDefinitionAndDeclaringTypeDict<IField>();
|
||||
foreach (var field in method.DeclaringType.Fields)
|
||||
fieldDict.add(field, field);
|
||||
|
||||
|
@ -228,22 +228,22 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return findOffsetValue(method, (FieldDef)fieldDict.find(offsetField), fieldDict);
|
||||
}
|
||||
|
||||
FieldReference findOffsetField(MethodDef method) {
|
||||
IField findOffsetField(MethodDef method) {
|
||||
var instructions = method.Body.Instructions;
|
||||
for (int i = 0; i <= instructions.Count - 2; i++) {
|
||||
var ldsfld = instructions[i];
|
||||
if (ldsfld.OpCode.Code != Code.Ldsfld)
|
||||
continue;
|
||||
var field = ldsfld.Operand as FieldReference;
|
||||
if (field == null || field.FieldType.FullName != "System.String")
|
||||
var field = ldsfld.Operand as IField;
|
||||
if (field == null || field.FieldSig.GetFieldType().GetElementType() != ElementType.String)
|
||||
continue;
|
||||
if (!MemberReferenceHelper.compareTypes(stringsEncodingClass, field.DeclaringType))
|
||||
if (!new SigComparer().Equals(stringsEncodingClass, field.DeclaringType))
|
||||
continue;
|
||||
|
||||
var call = instructions[i + 1];
|
||||
if (call.OpCode.Code != Code.Call)
|
||||
continue;
|
||||
var calledMethod = call.Operand as MethodReference;
|
||||
var calledMethod = call.Operand as IMethod;
|
||||
if (!DotNetUtils.isMethod(calledMethod, "System.Int32", "(System.String)"))
|
||||
continue;
|
||||
|
||||
|
@ -253,7 +253,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return null;
|
||||
}
|
||||
|
||||
int? findOffsetValue(MethodDef method, FieldDef offsetField, FieldDefinitionAndDeclaringTypeDict<FieldReference> fields) {
|
||||
int? findOffsetValue(MethodDef method, FieldDef offsetField, FieldDefinitionAndDeclaringTypeDict<IField> fields) {
|
||||
var instructions = method.Body.Instructions;
|
||||
for (int i = 0; i <= instructions.Count - 2; i++) {
|
||||
var ldstr = instructions[i];
|
||||
|
@ -266,7 +266,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
var stsfld = instructions[i + 1];
|
||||
if (stsfld.OpCode.Code != Code.Stsfld)
|
||||
continue;
|
||||
var field = stsfld.Operand as FieldReference;
|
||||
var field = stsfld.Operand as IField;
|
||||
if (field == null || fields.find(field) != offsetField)
|
||||
continue;
|
||||
|
||||
|
@ -309,10 +309,10 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
var stsfld = instructions[i + 1];
|
||||
if (stsfld.OpCode.Code != Code.Stsfld)
|
||||
continue;
|
||||
var field = stsfld.Operand as FieldReference;
|
||||
if (field == null || field.FieldType.FullName != "System.Byte[]")
|
||||
var field = stsfld.Operand as IField;
|
||||
if (field == null || field.FieldSig.GetFieldType().GetFullName() != "System.Byte[]")
|
||||
continue;
|
||||
if (!MemberReferenceHelper.compareTypes(stringsEncodingClass, field.DeclaringType))
|
||||
if (!new SigComparer().Equals(stringsEncodingClass, field.DeclaringType))
|
||||
continue;
|
||||
|
||||
return calledMethod;
|
||||
|
@ -322,9 +322,11 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
}
|
||||
|
||||
public IEnumerable<FieldDef> getAllStringDelegateFields() {
|
||||
if (GetStringDelegate == null)
|
||||
yield break;
|
||||
foreach (var type in module.GetTypes()) {
|
||||
foreach (var field in type.Fields) {
|
||||
if (field.FieldType == GetStringDelegate)
|
||||
if (field.FieldType.TryGetTypeDef() == GetStringDelegate)
|
||||
yield return field;
|
||||
}
|
||||
}
|
||||
|
@ -347,8 +349,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
var call = instructions[i];
|
||||
if (call.OpCode != OpCodes.Call)
|
||||
continue;
|
||||
var method = call.Operand as MethodReference;
|
||||
if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(method, CreateStringDelegateMethod))
|
||||
var method = call.Operand as IMethod;
|
||||
if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(method, CreateStringDelegateMethod))
|
||||
continue;
|
||||
|
||||
block.remove(i, 1);
|
||||
|
@ -364,21 +366,21 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
var ldtoken = instructions[i];
|
||||
if (ldtoken.OpCode != OpCodes.Ldtoken)
|
||||
continue;
|
||||
if (!MemberReferenceHelper.compareTypes(blocks.Method.DeclaringType, ldtoken.Operand as TypeReference))
|
||||
if (!new SigComparer().Equals(blocks.Method.DeclaringType, ldtoken.Operand as ITypeDefOrRef))
|
||||
continue;
|
||||
|
||||
var call1 = instructions[i + 1];
|
||||
if (call1.OpCode != OpCodes.Call)
|
||||
continue;
|
||||
var method1 = call1.Operand as MethodReference;
|
||||
var method1 = call1.Operand as IMethod;
|
||||
if (method1 == null || method1.ToString() != "System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle)")
|
||||
continue;
|
||||
|
||||
var call2 = instructions[i + 2];
|
||||
if (call2.OpCode != OpCodes.Call)
|
||||
continue;
|
||||
var method2 = call2.Operand as MethodReference;
|
||||
if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(method2, CreateStringDelegateMethod))
|
||||
var method2 = call2.Operand as IMethod;
|
||||
if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(method2, CreateStringDelegateMethod))
|
||||
continue;
|
||||
|
||||
block.remove(i, 3);
|
||||
|
|
|
@ -35,7 +35,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
}
|
||||
|
||||
class StringEncoderClassFinder {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
ISimpleDeobfuscator simpleDeobfuscator;
|
||||
IList<StringsEncoderInfo> stringsEncoderInfos = new List<StringsEncoderInfo>();
|
||||
|
||||
|
@ -43,12 +43,12 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
get { return stringsEncoderInfos; }
|
||||
}
|
||||
|
||||
public StringEncoderClassFinder(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||
public StringEncoderClassFinder(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||
this.module = module;
|
||||
this.simpleDeobfuscator = simpleDeobfuscator;
|
||||
}
|
||||
|
||||
TypeDef getType(TypeReference typeReference) {
|
||||
TypeDef getType(ITypeDefOrRef typeReference) {
|
||||
return DotNetUtils.getType(module, typeReference);
|
||||
}
|
||||
|
||||
|
@ -113,13 +113,13 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions) {
|
||||
if (ldtoken.OpCode.Code != Code.Ldtoken)
|
||||
continue;
|
||||
var typeToken = ldtoken.Operand as TypeReference;
|
||||
var typeToken = ldtoken.Operand as ITypeDefOrRef;
|
||||
if (typeToken == null)
|
||||
continue;
|
||||
var delegateType = getType(typeToken);
|
||||
if (!DotNetUtils.derivesFromDelegate(delegateType))
|
||||
continue;
|
||||
var invoke = DotNetUtils.getMethod(delegateType, "Invoke");
|
||||
var invoke = delegateType.FindMethod("Invoke");
|
||||
if (invoke == null || !DotNetUtils.isMethod(invoke, "System.String", "(System.Int32)"))
|
||||
continue;
|
||||
|
||||
|
@ -139,7 +139,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions) {
|
||||
if (ldtoken.OpCode.Code != Code.Ldtoken)
|
||||
continue;
|
||||
var typeToken = ldtoken.Operand as TypeReference;
|
||||
var typeToken = ldtoken.Operand as ITypeDefOrRef;
|
||||
if (typeToken == null)
|
||||
continue;
|
||||
var type = getType(typeToken);
|
||||
|
@ -186,7 +186,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
if (fields.exists("System.Collections.Hashtable") ||
|
||||
fields.exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>") ||
|
||||
fields.exactly(fields3x)) {
|
||||
if (DotNetUtils.getMethod(type, ".cctor") == null)
|
||||
if (type.FindStaticConstructor() == null)
|
||||
return false;
|
||||
}
|
||||
else if (fields.exactly(fields1x) || fields.exactly(fields2x)) {
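Review bot: In the -113,13 hunk the new `delegateType.FindMethod("Invoke")` is an instance call, so it dereferences `delegateType`, whereas the old `DotNetUtils.getMethod(delegateType, "Invoke")` only passed it as an argument. `getType(typeToken)` can presumably return null when the token does not resolve inside the module being processed, and whether `DotNetUtils.derivesFromDelegate` rejects null is not visible from here. Because the input is an obfuscated assembly the tool does not control, I would make the guard explicit: `if (delegateType == null || !DotNetUtils.derivesFromDelegate(delegateType))`. The same question applies to `type.FindStaticConstructor()` in the -186,7 hunk if `type` can be null there. Both enclosing methods start and end outside the hunks.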
|
||||
|
|
|
@ -25,7 +25,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||
class TamperProtectionRemover {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
List<MethodDef> pinvokeMethods = new List<MethodDef>();
|
||||
|
||||
enum Type {
|
||||
|
@ -37,7 +37,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
get { return pinvokeMethods; }
|
||||
}
|
||||
|
||||
public TamperProtectionRemover(ModuleDefinition module) {
|
||||
public TamperProtectionRemover(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
|
@ -89,7 +89,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return tamperBlocks;
|
||||
}
|
||||
|
||||
bool findFirstBlocks(TamperBlocks tamperBlocks, IList<Block> allBlocks, IList<VariableDefinition> locals) {
|
||||
bool findFirstBlocks(TamperBlocks tamperBlocks, IList<Block> allBlocks, IList<Local> locals) {
|
||||
foreach (var b in allBlocks) {
|
||||
try {
|
||||
if (findFirstBlocks(b, tamperBlocks, allBlocks, locals))
|
||||
|
@ -103,14 +103,14 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return false;
|
||||
}
|
||||
|
||||
static int findCallMethod(Block block, int index, bool keepLooking, Func<MethodReference, bool> func) {
|
||||
static int findCallMethod(Block block, int index, bool keepLooking, Func<IMethod, bool> func) {
|
||||
var instrs = block.Instructions;
|
||||
for (int i = index; i < instrs.Count; i++) {
|
||||
var instr = instrs[i];
|
||||
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
|
||||
continue;
|
||||
|
||||
var calledMethod = instr.Operand as MethodReference;
|
||||
var calledMethod = instr.Operand as IMethod;
|
||||
if (calledMethod != null && func(calledMethod))
|
||||
return i;
|
||||
if (!keepLooking)
|
||||
|
@ -119,7 +119,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
return -1;
|
||||
}
|
||||
|
||||
bool findFirstBlocks(Block block, TamperBlocks tamperBlocks, IList<Block> allBlocks, IList<VariableDefinition> locals) {
|
||||
bool findFirstBlocks(Block block, TamperBlocks tamperBlocks, IList<Block> allBlocks, IList<Local> locals) {
|
||||
if (!block.LastInstr.isBrfalse())
|
||||
return false;
|
||||
|
||||
|
@ -146,7 +146,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
var instrs = block.Instructions;
|
||||
int end = instrs.Count - 1;
|
||||
Instr instr;
|
||||
MethodReference method;
|
||||
IMethod method;
|
||||
tamperBlocks.type = Type.V1;
|
||||
|
||||
int index = 0;
|
||||
|
@ -223,8 +223,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
instr = instrs[end++];
|
||||
if (instr.OpCode != OpCodes.Callvirt)
|
||||
return false;
|
||||
method = (MethodReference)instr.Operand;
|
||||
if (method.ToString() != "System.String System.Reflection.Assembly::get_FullName()")
|
||||
method = instr.Operand as IMethod;
|
||||
if (method == null || method.ToString() != "System.String System.Reflection.Assembly::get_FullName()")
|
||||
return false;
|
||||
|
||||
instr = instrs[end++];
|
||||
|
@ -234,8 +234,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
instr = instrs[end++];
|
||||
if (instr.OpCode != OpCodes.Callvirt)
|
||||
return false;
|
||||
method = (MethodReference)instr.Operand;
|
||||
if (method.ToString() != "System.Boolean System.String::EndsWith(System.String)")
|
||||
method = instr.Operand as IMethod;
|
||||
if (method == null || method.ToString() != "System.Boolean System.String::EndsWith(System.String)")
|
||||
return false;
|
||||
|
||||
instr = instrs[end++];
|
||||
|
@ -274,8 +274,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
|||
instr = instrs[end++];
|
||||
if (instr.OpCode != OpCodes.Newobj)
|
||||
return null;
|
||||
var method = (MethodReference)instr.Operand;
|
||||
if (method.ToString() != "System.Void System.Security.SecurityException::.ctor(System.String)")
|
||||
var method = instr.Operand as IMethod;
|
||||
if (method == null || method.ToString() != "System.Void System.Security.SecurityException::.ctor(System.String)")
|
||||
return null;
|
||||
|
||||
instr = instrs[end++];
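Review bot: The signature checks in the -223,8, -234,8 and -274,8 hunks gain a null guard but still compare `method.ToString()` with a hard-coded string, so recognising the tamper check depends on the new metadata library formatting a method reference exactly as the old one did. If the format differs, these paths return false or null and the tamper-protection code is left in the output without any error. I would compare the full-name property directly, e.g. `method.FullName != "System.String System.Reflection.Assembly::get_FullName()"`, assuming `IMethod` exposes it in this version. A short comment such as `// must match the library's full-name format exactly` would also help. The enclosing methods begin and end outside these hunks.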
|
||||
|
|
|
@ -55,9 +55,7 @@ namespace de4dot.cui {
|
|||
new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
|
||||
#if PORT
|
||||
new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
|
||||
#endif
|
||||
new de4dot.code.deobfuscators.Spices_Net.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Xenocode.DeobfuscatorInfo(),
|
||||
};
|
||||
|
|