Update code to handle v3.5 obfuscated assemblies

de4dot 2012-01-09 05:50:32 +01:00
parent 1805022073
commit c9e5b8e91e
2 changed files with 27 additions and 5 deletions


@ -58,7 +58,11 @@ namespace de4dot.code.deobfuscators.Babel_NET {
bool getKeyIv(byte[] headerData, out byte[] key, out byte[] iv) {
var reader = new BinaryReader(new MemoryStream(headerData));
var license = reader.ReadString();
// 3.5 doesn't have this field
if (headerData[(int)reader.BaseStream.Position] != 8) {
var license = reader.ReadString();
}
// 4.2 (and earlier?) always compress the data
bool isCompressed = true;
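Review bot: The new probe `headerData[(int)reader.BaseStream.Position] != 8` reads the first header byte with no length check and picks the format from a single undocumented magic value. The header presumably comes from the assembly being deobfuscated, so an empty or truncated buffer would raise IndexOutOfRangeException at this line; a guard such as `if (headerData.Length == 0) { key = iv = null; return false; }` ahead of it would keep the failure on the method's bool return path, assuming callers treat false as "cannot decrypt". BinaryReader.ReadString begins with a length prefix, so a license string exactly 8 bytes long would also start with 8 and be taken for the 3.5 layout; a comment naming the field that the 8 belongs to would make that limitation explicit. The `license` local is unused in the new code, so `reader.ReadString();` on its own would do. The rest of getKeyIv lies outside the hunk.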


@ -76,12 +76,30 @@ namespace de4dot.code.deobfuscators.Babel_NET {
var nested = type.NestedTypes[0];
if (nested.HasProperties || nested.HasEvents)
return false;
if (nested.Fields.Count != 1)
return false;
if (!MemberReferenceHelper.compareTypes(nested.Fields[0].FieldType, nested))
if (nested.Fields.Count == 1) {
// 4.2+ (maybe 4.0+)
if (!MemberReferenceHelper.compareTypes(nested.Fields[0].FieldType, nested))
return false;
if (DotNetUtils.getMethod(nested, "System.Reflection.Emit.MethodBuilder", "(System.Reflection.Emit.TypeBuilder)") == null)
return false;
}
else if (nested.Fields.Count == 2) {
// 3.5 and maybe earlier
var field1 = nested.Fields[0];
var field2 = nested.Fields[1];
if (field1.FieldType.FullName != "System.Collections.Hashtable" && field2.FieldType.FullName != "System.Collections.Hashtable")
return false;
if (!MemberReferenceHelper.compareTypes(field1.FieldType, nested) && !MemberReferenceHelper.compareTypes(field2.FieldType, nested))
return false;
}
else
return false;
if (DotNetUtils.getMethod(nested, "System.Reflection.Emit.MethodBuilder", "(System.Reflection.Emit.TypeBuilder)") == null)
if (DotNetUtils.getMethod(nested, ".ctor") == null)
return false;
if (DotNetUtils.getMethod(nested, "System.String", "(System.Int32)") == null)
return false;
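Review bot: The two-field branch for 3.5 is written as a pair of double negatives (`!= ... && != ...` and `!compareTypes(...) && !compareTypes(...)`), which is correct but easy to misread as requiring both fields to match. A comment above it such as `// one field must be a Hashtable and the other of the nested type itself, in either order` would state the intended signature. This branch also skips the MethodBuilder(TypeBuilder) lookup that the one-field branch requires, so the 3.5 match rests on fewer markers and may accept unrelated nested types more readily; if that is deliberate, the version comment could say so. The enclosing method starts and ends outside the hunk.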