Port .NET Reactor v4.x deobfuscator
This commit is contained in:
parent
413a032e0a
commit
d52a1014ef
|
@ -81,36 +81,33 @@ namespace de4dot.blocks {
|
|||
}
|
||||
#endif
|
||||
|
||||
#if PORT
|
||||
public class CallCounter {
|
||||
Dictionary<de4dot.blocks.OLD_REMOVE.MethodReferenceAndDeclaringTypeKey, int> calls = new Dictionary<de4dot.blocks.OLD_REMOVE.MethodReferenceAndDeclaringTypeKey, int>();
|
||||
Dictionary<IMethod, int> calls = new Dictionary<IMethod, int>(MethodEqualityComparer.CompareDeclaringTypes);
|
||||
|
||||
public void add(MethodReference calledMethod) {
|
||||
public void add(IMethod calledMethod) {
|
||||
int count;
|
||||
var key = new de4dot.blocks.OLD_REMOVE.MethodReferenceAndDeclaringTypeKey(calledMethod);
|
||||
calls.TryGetValue(key, out count);
|
||||
calls[key] = count + 1;
|
||||
calls.TryGetValue(calledMethod, out count);
|
||||
calls[calledMethod] = count + 1;
|
||||
}
|
||||
|
||||
public MethodReference most() {
|
||||
public IMethod most() {
|
||||
int numCalls;
|
||||
return most(out numCalls);
|
||||
}
|
||||
|
||||
public MethodReference most(out int numCalls) {
|
||||
MethodReference method = null;
|
||||
public IMethod most(out int numCalls) {
|
||||
IMethod method = null;
|
||||
int callCount = 0;
|
||||
foreach (var key in calls.Keys) {
|
||||
if (calls[key] > callCount) {
|
||||
callCount = calls[key];
|
||||
method = key.MethodReference;
|
||||
method = key;
|
||||
}
|
||||
}
|
||||
numCalls = callCount;
|
||||
return method;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
#if PORT
|
||||
public class MethodCalls {
|
||||
|
@ -300,13 +297,13 @@ namespace de4dot.blocks {
|
|||
}
|
||||
return null;
|
||||
}
|
||||
#endif
|
||||
|
||||
public static MethodDef getMethod(ModuleDefinition module, MethodReference method) {
|
||||
public static MethodDef getMethod(ModuleDefMD module, IMethod method) {
|
||||
if (method == null)
|
||||
return null;
|
||||
return getMethod(module, method, method.DeclaringType);
|
||||
}
|
||||
#endif
|
||||
|
||||
public static MethodDef getMethod2(ModuleDefMD module, IMethod method) {
|
||||
if (method == null)
|
||||
|
@ -1090,29 +1087,22 @@ namespace de4dot.blocks {
|
|||
return count;
|
||||
}
|
||||
|
||||
#if PORT
|
||||
// Doesn't fix everything (eg. T[] aren't replaced with eg. int[], but T -> int will be fixed)
|
||||
public static IList<TypeReference> replaceGenericParameters(GenericInstanceType typeOwner, GenericInstanceMethod methodOwner, IList<TypeReference> types) {
|
||||
//TODO: You should use MemberRefInstance.cs
|
||||
public static IList<TypeSig> replaceGenericParameters(GenericInstSig typeOwner, MethodSpec methodOwner, IList<TypeSig> types) {
|
||||
if (typeOwner == null && methodOwner == null)
|
||||
return types;
|
||||
for (int i = 0; i < types.Count; i++)
|
||||
types[i] = getGenericArgument(typeOwner, methodOwner, types[i]);
|
||||
return types;
|
||||
}
|
||||
|
||||
public static TypeReference getGenericArgument(GenericInstanceType typeOwner, GenericInstanceMethod methodOwner, TypeReference type) {
|
||||
var gp = type as GenericParameter;
|
||||
if (gp == null)
|
||||
return type;
|
||||
|
||||
if (typeOwner != null && MemberReferenceHelper.compareTypes(typeOwner.ElementType, gp.Owner as TypeReference))
|
||||
return typeOwner.GenericArguments[gp.Position];
|
||||
|
||||
if (methodOwner != null && MemberReferenceHelper.compareMethodReferenceAndDeclaringType(methodOwner.ElementMethod, gp.Owner as MethodReference))
|
||||
return methodOwner.GenericArguments[gp.Position];
|
||||
|
||||
return type;
|
||||
public static TypeSig getGenericArgument(GenericInstSig typeOwner, MethodSpec methodOwner, TypeSig type) {
|
||||
var typeArgs = typeOwner == null ? null : typeOwner.GenericArguments;
|
||||
var genMethodArgs = methodOwner == null || methodOwner.GenericInstMethodSig == null ?
|
||||
null : methodOwner.GenericInstMethodSig.GenericArguments;
|
||||
return GenericArgsSubstitutor.create(type, typeArgs, genMethodArgs);
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static Instruction getInstruction(IList<Instruction> instructions, ref int index) {
|
||||
for (int i = 0; i < 10; i++) {
|
||||
if (index < 0 || index >= instructions.Count)
|
||||
|
|
|
@ -48,6 +48,13 @@ namespace de4dot.blocks {
|
|||
return new GenericArgsSubstitutor(genericArgs).create(type);
|
||||
}
|
||||
|
||||
public static TypeSig create(TypeSig type, IList<TypeSig> genericArgs, IList<TypeSig> genericMethodArgs) {
|
||||
if (type == null || ((genericArgs == null || genericArgs.Count == 0) &&
|
||||
(genericMethodArgs == null || genericMethodArgs.Count == 0)))
|
||||
return type;
|
||||
return new GenericArgsSubstitutor(genericArgs, genericMethodArgs).create(type);
|
||||
}
|
||||
|
||||
public static IField create(IField field, GenericInstSig git) {
|
||||
if (git == null)
|
||||
return field;
|
||||
|
|
|
@ -153,6 +153,7 @@
|
|||
<Compile Include="deobfuscators\DeobUtils.cs" />
|
||||
<Compile Include="deobfuscators\Dotfuscator\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\Dotfuscator\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\MyPEImage.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\AntiStrongName.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeUnpacker.cs" />
|
||||
|
@ -163,19 +164,19 @@
|
|||
<Compile Include="deobfuscators\dotNET_Reactor\v3\LibAssemblyResolver.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\MemoryPatcher.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\NativeLibSaver.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\AntiStrongName.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\AssemblyResolver.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\BooleanDecrypter.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\Deobfuscator.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\EmptyClass.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\EncryptedResource.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\MetadataTokenObfuscator.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\MethodsDecrypter.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\NativeFileDecrypter.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\NativeImageUnpacker.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\ProxyCallFixer.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\ResourceResolver.cs" />
|
||||
<None Include="deobfuscators\dotNET_Reactor\v4\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\AntiStrongName.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\AssemblyResolver.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\BooleanDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\EmptyClass.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\EncryptedResource.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\MetadataTokenObfuscator.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\MethodsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\NativeFileDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\NativeImageUnpacker.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\ProxyCallFixer.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\ResourceResolver.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\StringDecrypter.cs" />
|
||||
<None Include="deobfuscators\Eazfuscator_NET\AssemblyResolver.cs" />
|
||||
<None Include="deobfuscators\Eazfuscator_NET\CodeCompilerMethodCallRestorer.cs" />
|
||||
<None Include="deobfuscators\Eazfuscator_NET\DecrypterType.cs" />
|
||||
|
|
|
@ -505,10 +505,15 @@ namespace de4dot.code.deobfuscators {
|
|||
var calledMethod = instr.Operand as IMethod;
|
||||
if (calledMethod == null)
|
||||
continue;
|
||||
IList<TypeSig> calledMethodArgs = DotNetUtils.getArgs(calledMethod);
|
||||
#if PORT
|
||||
calledMethodArgs = DotNetUtils.replaceGenericParameters(calledMethod.DeclaringType as GenericInstanceType, calledMethod as GenericInstanceMethod, calledMethodArgs);
|
||||
#endif
|
||||
var calledMethodDefOrRef = calledMethod as IMethodDefOrRef;
|
||||
var calledMethodSpec = calledMethod as MethodSpec;
|
||||
if (calledMethodSpec != null)
|
||||
calledMethodDefOrRef = calledMethodSpec.Method;
|
||||
if (calledMethodDefOrRef == null)
|
||||
continue;
|
||||
|
||||
IList<TypeSig> calledMethodArgs = DotNetUtils.getArgs(calledMethodDefOrRef);
|
||||
calledMethodArgs = DotNetUtils.replaceGenericParameters(calledMethodDefOrRef.DeclaringType.ToGenericInstSig(), calledMethodSpec, calledMethodArgs);
|
||||
for (int j = 0; j < pushedArgs.NumValidArgs; j++) {
|
||||
var pushInstr = pushedArgs.getEnd(j);
|
||||
if (pushInstr.OpCode.Code != Code.Ldfld && pushInstr.OpCode.Code != Code.Ldsfld)
|
||||
|
@ -592,6 +597,8 @@ namespace de4dot.code.deobfuscators {
|
|||
return false;
|
||||
}
|
||||
|
||||
if (type.Next == null)
|
||||
break;
|
||||
type = type.Next;
|
||||
}
|
||||
|
||||
|
|
136
de4dot.code/deobfuscators/dotNET_Reactor/MyPEImage.cs
Normal file
136
de4dot.code/deobfuscators/dotNET_Reactor/MyPEImage.cs
Normal file
|
@ -0,0 +1,136 @@
|
|||
using System;
|
||||
using dot10.IO;
|
||||
using dot10.PE;
|
||||
using dot10.DotNet.MD;
|
||||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor {
|
||||
sealed class MyPEImage : IDisposable {
|
||||
IPEImage peImage;
|
||||
byte[] peImageData;
|
||||
IImageStream peStream;
|
||||
DotNetFile dnFile;
|
||||
ImageSectionHeader dotNetSection;
|
||||
bool ownPeImage;
|
||||
|
||||
public IPEImage PEImage {
|
||||
get { return peImage; }
|
||||
}
|
||||
|
||||
public uint Length {
|
||||
get { return (uint)peStream.Length; }
|
||||
}
|
||||
|
||||
public MyPEImage(IPEImage peImage) {
|
||||
initialize(peImage);
|
||||
}
|
||||
|
||||
public MyPEImage(byte[] peImageData) {
|
||||
this.ownPeImage = true;
|
||||
this.peImageData = peImageData;
|
||||
initialize(new PEImage(peImageData));
|
||||
}
|
||||
|
||||
void initialize(IPEImage peImage) {
|
||||
this.peImage = peImage;
|
||||
this.peStream = peImage.CreateFullStream();
|
||||
|
||||
//TODO: Only init this if they use the .NET MD
|
||||
var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14];
|
||||
if (dotNetDir.VirtualAddress != 0 && dotNetDir.Size >= 0x48) {
|
||||
dnFile = DotNetFile.Load(peImage, false);
|
||||
dotNetSection = findSection(dotNetDir.VirtualAddress);
|
||||
}
|
||||
}
|
||||
|
||||
ImageSectionHeader findSection(RVA rva) {
|
||||
foreach (var section in peImage.ImageSectionHeaders) {
|
||||
if (section.VirtualAddress <= rva && rva < section.VirtualAddress + Math.Max(section.VirtualSize, section.SizeOfRawData))
|
||||
return section;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
static bool isInside(ImageSectionHeader section, uint offset, uint length) {
|
||||
return offset >= section.PointerToRawData && offset + length <= section.PointerToRawData + section.SizeOfRawData;
|
||||
}
|
||||
|
||||
public void offsetWriteUInt32(uint offset, uint val) {
|
||||
peImageData[offset + 0] = (byte)val;
|
||||
peImageData[offset + 1] = (byte)(val >> 8);
|
||||
peImageData[offset + 2] = (byte)(val >> 16);
|
||||
peImageData[offset + 3] = (byte)(val >> 24);
|
||||
}
|
||||
|
||||
public void offsetWriteUInt16(uint offset, ushort val) {
|
||||
peImageData[offset + 0] = (byte)val;
|
||||
peImageData[offset + 1] = (byte)(val >> 8);
|
||||
}
|
||||
|
||||
public uint offsetReadUInt32(uint offset) {
|
||||
peStream.Position = offset;
|
||||
return peStream.ReadUInt32();
|
||||
}
|
||||
|
||||
public ushort offsetReadUInt16(uint offset) {
|
||||
peStream.Position = offset;
|
||||
return peStream.ReadUInt16();
|
||||
}
|
||||
|
||||
public byte offsetReadByte(uint offset) {
|
||||
peStream.Position = offset;
|
||||
return peStream.ReadByte();
|
||||
}
|
||||
|
||||
public byte[] offsetReadBytes(uint offset, int size) {
|
||||
peStream.Position = offset;
|
||||
return peStream.ReadBytes(size);
|
||||
}
|
||||
|
||||
public void offsetWrite(uint offset, byte[] data) {
|
||||
Array.Copy(data, 0, peImageData, offset, data.Length);
|
||||
}
|
||||
|
||||
bool intersect(uint offset1, uint length1, uint offset2, uint length2) {
|
||||
return !(offset1 + length1 <= offset2 || offset2 + length2 <= offset1);
|
||||
}
|
||||
|
||||
bool intersect(uint offset, uint length, IFileSection location) {
|
||||
return intersect(offset, length, (uint)location.StartOffset, (uint)(location.EndOffset - location.StartOffset));
|
||||
}
|
||||
|
||||
public bool dotNetSafeWriteOffset(uint offset, byte[] data) {
|
||||
if (dnFile != null) {
|
||||
uint length = (uint)data.Length;
|
||||
|
||||
if (!isInside(dotNetSection, offset, length))
|
||||
return false;
|
||||
if (intersect(offset, length, dnFile.MetaData.ImageCor20Header))
|
||||
return false;
|
||||
if (intersect(offset, length, (uint)dnFile.MetaData.TablesStream.FileOffset, dnFile.MetaData.TablesStream.HeaderLength))
|
||||
return false;
|
||||
}
|
||||
|
||||
offsetWrite(offset, data);
|
||||
return true;
|
||||
}
|
||||
|
||||
public bool dotNetSafeWrite(uint rva, byte[] data) {
|
||||
return dotNetSafeWriteOffset((uint)peImage.ToFileOffset((RVA)rva), data);
|
||||
}
|
||||
|
||||
public void Dispose() {
|
||||
if (ownPeImage) {
|
||||
if (dnFile != null)
|
||||
dnFile.Dispose();
|
||||
if (peImage != null)
|
||||
peImage.Dispose();
|
||||
}
|
||||
if (peStream != null)
|
||||
peStream.Dispose();
|
||||
|
||||
dnFile = null;
|
||||
peImage = null;
|
||||
peStream = null;
|
||||
}
|
||||
}
|
||||
}
|
|
@ -28,131 +28,6 @@ using dot10.DotNet;
|
|||
using dot10.DotNet.MD;
|
||||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 {
|
||||
sealed class MyPEImage : IDisposable {
|
||||
IPEImage peImage;
|
||||
byte[] peImageData;
|
||||
IImageStream peStream;
|
||||
DotNetFile dnFile;
|
||||
ImageSectionHeader dotNetSection;
|
||||
bool ownPeImage;
|
||||
|
||||
public IPEImage PEImage {
|
||||
get { return peImage; }
|
||||
}
|
||||
|
||||
public uint Length {
|
||||
get { return (uint)peStream.Length; }
|
||||
}
|
||||
|
||||
public MyPEImage(IPEImage peImage) {
|
||||
initialize(peImage);
|
||||
}
|
||||
|
||||
public MyPEImage(byte[] peImageData) {
|
||||
this.ownPeImage = true;
|
||||
this.peImageData = peImageData;
|
||||
initialize(new PEImage(peImageData));
|
||||
}
|
||||
|
||||
void initialize(IPEImage peImage) {
|
||||
this.peImage = peImage;
|
||||
this.peStream = peImage.CreateFullStream();
|
||||
|
||||
//TODO: Only init this if they use the .NET MD
|
||||
var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14];
|
||||
if (dotNetDir.VirtualAddress != 0 && dotNetDir.Size >= 0x48) {
|
||||
dnFile = DotNetFile.Load(peImage, false);
|
||||
dotNetSection = findSection(dotNetDir.VirtualAddress);
|
||||
}
|
||||
}
|
||||
|
||||
ImageSectionHeader findSection(RVA rva) {
|
||||
foreach (var section in peImage.ImageSectionHeaders) {
|
||||
if (section.VirtualAddress <= rva && rva < section.VirtualAddress + Math.Max(section.VirtualSize, section.SizeOfRawData))
|
||||
return section;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
static bool isInside(ImageSectionHeader section, uint offset, uint length) {
|
||||
return offset >= section.PointerToRawData && offset + length <= section.PointerToRawData + section.SizeOfRawData;
|
||||
}
|
||||
|
||||
public void offsetWriteUInt32(uint offset, uint val) {
|
||||
peImageData[offset + 0] = (byte)val;
|
||||
peImageData[offset + 1] = (byte)(val >> 8);
|
||||
peImageData[offset + 2] = (byte)(val >> 16);
|
||||
peImageData[offset + 3] = (byte)(val >> 24);
|
||||
}
|
||||
|
||||
public void offsetWriteUInt16(uint offset, ushort val) {
|
||||
peImageData[offset + 0] = (byte)val;
|
||||
peImageData[offset + 1] = (byte)(val >> 8);
|
||||
}
|
||||
|
||||
public uint offsetReadUInt32(uint offset) {
|
||||
peStream.Position = offset;
|
||||
return peStream.ReadUInt32();
|
||||
}
|
||||
|
||||
public ushort offsetReadUInt16(uint offset) {
|
||||
peStream.Position = offset;
|
||||
return peStream.ReadUInt16();
|
||||
}
|
||||
|
||||
public byte[] offsetReadBytes(uint offset, int size) {
|
||||
peStream.Position = offset;
|
||||
return peStream.ReadBytes(size);
|
||||
}
|
||||
|
||||
public void offsetWrite(uint offset, byte[] data) {
|
||||
Array.Copy(data, 0, peImageData, offset, data.Length);
|
||||
}
|
||||
|
||||
bool intersect(uint offset1, uint length1, uint offset2, uint length2) {
|
||||
return !(offset1 + length1 <= offset2 || offset2 + length2 <= offset1);
|
||||
}
|
||||
|
||||
bool intersect(uint offset, uint length, IFileSection location) {
|
||||
return intersect(offset, length, (uint)location.StartOffset, (uint)(location.EndOffset - location.StartOffset));
|
||||
}
|
||||
|
||||
public bool dotNetSafeWriteOffset(uint offset, byte[] data) {
|
||||
if (dnFile != null) {
|
||||
uint length = (uint)data.Length;
|
||||
|
||||
if (!isInside(dotNetSection, offset, length))
|
||||
return false;
|
||||
if (intersect(offset, length, dnFile.MetaData.ImageCor20Header))
|
||||
return false;
|
||||
if (intersect(offset, length, (uint)dnFile.MetaData.TablesStream.FileOffset, dnFile.MetaData.TablesStream.HeaderLength))
|
||||
return false;
|
||||
}
|
||||
|
||||
offsetWrite(offset, data);
|
||||
return true;
|
||||
}
|
||||
|
||||
public bool dotNetSafeWrite(uint rva, byte[] data) {
|
||||
return dotNetSafeWriteOffset((uint)peImage.ToFileOffset((RVA)rva), data);
|
||||
}
|
||||
|
||||
public void Dispose() {
|
||||
if (ownPeImage) {
|
||||
if (dnFile != null)
|
||||
dnFile.Dispose();
|
||||
if (peImage != null)
|
||||
peImage.Dispose();
|
||||
}
|
||||
if (peStream != null)
|
||||
peStream.Dispose();
|
||||
|
||||
dnFile = null;
|
||||
peImage = null;
|
||||
peStream = null;
|
||||
}
|
||||
}
|
||||
|
||||
class IniFile {
|
||||
Dictionary<string, string> nameToValue = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
|
||||
|
||||
|
|
|
@ -57,13 +57,14 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
foreach (var method in type.Methods) {
|
||||
if (!method.IsStatic || method.Body == null)
|
||||
continue;
|
||||
if (method.Parameters.Count != 2)
|
||||
var sig = method.MethodSig;
|
||||
if (sig == null || sig.Params.Count != 2)
|
||||
continue;
|
||||
if (!checkType(method.MethodReturnType.ReturnType.FullName, "System.String"))
|
||||
if (!checkType(sig.RetType, ElementType.String))
|
||||
continue;
|
||||
if (!checkType(method.Parameters[0].ParameterType.FullName, "System.String"))
|
||||
if (!checkType(sig.Params[0], ElementType.String))
|
||||
continue;
|
||||
if (!checkType(method.Parameters[1].ParameterType.FullName, "System.String"))
|
||||
if (!checkType(sig.Params[1], ElementType.String))
|
||||
continue;
|
||||
|
||||
var localTypes = new LocalTypes(method);
|
||||
|
@ -77,8 +78,8 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
return false;
|
||||
}
|
||||
|
||||
static bool checkType(string type, string expectedType) {
|
||||
return type == "System.Object" || type == expectedType;
|
||||
static bool checkType(TypeSig type, ElementType expectedType) {
|
||||
return type != null && (type.ElementType == ElementType.Object || type.ElementType == expectedType);
|
||||
}
|
||||
|
||||
public bool remove(Blocks blocks) {
|
||||
|
@ -129,7 +130,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
int i = instructions.Count - NUM_INSTRS;
|
||||
if (instructions[i].OpCode.Code != Code.Ldtoken)
|
||||
continue;
|
||||
if (!(instructions[i].Operand is TypeReference))
|
||||
if (!(instructions[i].Operand is ITypeDefOrRef))
|
||||
continue;
|
||||
if (!checkCall(instructions[i + 1], "System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle)"))
|
||||
continue;
|
||||
|
@ -163,19 +164,19 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
static bool checkCall(Instr instr, string methodFullName) {
|
||||
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
|
||||
return false;
|
||||
var calledMethod = instr.Operand as MethodReference;
|
||||
var calledMethod = instr.Operand as IMethod;
|
||||
if (calledMethod == null)
|
||||
return false;
|
||||
return calledMethod.FullName == methodFullName;
|
||||
}
|
||||
|
||||
static bool checkCall(Instr instr, MethodReference expectedMethod) {
|
||||
static bool checkCall(Instr instr, IMethod expectedMethod) {
|
||||
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
|
||||
return false;
|
||||
var calledMethod = instr.Operand as MethodReference;
|
||||
var calledMethod = instr.Operand as IMethod;
|
||||
if (calledMethod == null)
|
||||
return false;
|
||||
return MemberReferenceHelper.compareMethodReferenceAndDeclaringType(calledMethod, expectedMethod);
|
||||
return MethodEqualityComparer.CompareDeclaringTypes.Equals(calledMethod, expectedMethod);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,8 +19,8 @@
|
|||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using dot10.DotNet;
|
||||
using dot10.IO;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||
|
@ -39,7 +39,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
}
|
||||
|
||||
class AssemblyResolver {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef assemblyResolverType;
|
||||
MethodDef assemblyResolverInitMethod;
|
||||
MethodDef assemblyResolverMethod;
|
||||
|
@ -56,11 +56,11 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
get { return assemblyResolverInitMethod; }
|
||||
}
|
||||
|
||||
public AssemblyResolver(ModuleDefinition module) {
|
||||
public AssemblyResolver(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public AssemblyResolver(ModuleDefinition module, AssemblyResolver oldOne) {
|
||||
public AssemblyResolver(ModuleDefMD module, AssemblyResolver oldOne) {
|
||||
this.module = module;
|
||||
this.assemblyResolverType = lookup(oldOne.assemblyResolverType, "Could not find assembly resolver type");
|
||||
this.assemblyResolverMethod = lookup(oldOne.assemblyResolverMethod, "Could not find assembly resolver method");
|
||||
|
@ -75,7 +75,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
if (checkMethod(simpleDeobfuscator, module.EntryPoint))
|
||||
return;
|
||||
if (module.EntryPoint != null) {
|
||||
if (checkMethod(simpleDeobfuscator, DotNetUtils.getMethod(module.EntryPoint.DeclaringType, ".cctor")))
|
||||
if (checkMethod(simpleDeobfuscator, module.EntryPoint.DeclaringType.FindStaticConstructor()))
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
@ -181,7 +181,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
var resource = rsrc as EmbeddedResource;
|
||||
if (resource == null)
|
||||
continue;
|
||||
if (!Utils.StartsWith(resource.Name, prefix, StringComparison.Ordinal))
|
||||
if (!Utils.StartsWith(resource.Name.String, prefix, StringComparison.Ordinal))
|
||||
continue;
|
||||
|
||||
result.Add(resource);
|
||||
|
@ -193,8 +193,8 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
static int unknownNameCounter = 0;
|
||||
static string getAssemblyName(EmbeddedResource resource) {
|
||||
try {
|
||||
var resourceModule = ModuleDefinition.ReadModule(new MemoryStream(resource.GetResourceData()));
|
||||
return resourceModule.Assembly.Name.FullName;
|
||||
var resourceModule = ModuleDefMD.Load(resource.Data.ReadAllBytes());
|
||||
return resourceModule.Assembly.FullName;
|
||||
}
|
||||
catch {
|
||||
return string.Format("unknown_name_{0}", unknownNameCounter++);
|
||||
|
|
|
@ -23,7 +23,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||
class BooleanDecrypter {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
EncryptedResource encryptedResource;
|
||||
byte[] fileData;
|
||||
byte[] decryptedData;
|
||||
|
@ -44,12 +44,12 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
get { return encryptedResource.Resource; }
|
||||
}
|
||||
|
||||
public BooleanDecrypter(ModuleDefinition module) {
|
||||
public BooleanDecrypter(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
this.encryptedResource = new EncryptedResource(module);
|
||||
}
|
||||
|
||||
public BooleanDecrypter(ModuleDefinition module, BooleanDecrypter oldOne) {
|
||||
public BooleanDecrypter(ModuleDefMD module, BooleanDecrypter oldOne) {
|
||||
this.module = module;
|
||||
this.encryptedResource = new EncryptedResource(module, oldOne.encryptedResource);
|
||||
}
|
||||
|
|
|
@ -21,10 +21,10 @@ using System;
|
|||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Text.RegularExpressions;
|
||||
using dot10.PE;
|
||||
using dot10.DotNet;
|
||||
using dot10.DotNet.Emit;
|
||||
using dot10.DotNet.Writer;
|
||||
using Mono.MyStuff;
|
||||
using de4dot.blocks;
|
||||
using de4dot.PE;
|
||||
|
||||
|
@ -158,7 +158,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
this.RenamingOptions &= ~RenamingOptions.RemoveNamespaceIfOneType;
|
||||
}
|
||||
|
||||
public override byte[] unpackNativeFile(PeImage peImage) {
|
||||
public override byte[] unpackNativeFile(IPEImage peImage) {
|
||||
var data = new NativeImageUnpacker(peImage).unpack();
|
||||
if (data == null)
|
||||
return null;
|
||||
|
@ -168,7 +168,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
return data;
|
||||
}
|
||||
|
||||
public override void init(ModuleDefinition module) {
|
||||
public override void init(ModuleDefMD module) {
|
||||
base.init(module);
|
||||
}
|
||||
|
||||
|
@ -386,7 +386,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
return false;
|
||||
|
||||
if (options.DumpNativeMethods) {
|
||||
using (var fileStream = new FileStream(module.FullyQualifiedName + ".native", FileMode.Create, FileAccess.Write, FileShare.Read)) {
|
||||
using (var fileStream = new FileStream(module.Location + ".native", FileMode.Create, FileAccess.Write, FileShare.Read)) {
|
||||
var sortedTokens = new List<uint>(tokenToNativeCode.Keys);
|
||||
sortedTokens.Sort();
|
||||
var writer = new BinaryWriter(fileStream);
|
||||
|
@ -404,7 +404,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
return true;
|
||||
}
|
||||
|
||||
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
||||
public override IDeobfuscator moduleReloaded(ModuleDefMD module) {
|
||||
var newOne = new Deobfuscator(options);
|
||||
newOne.setModule(module);
|
||||
newOne.fileData = fileData;
|
||||
|
@ -567,7 +567,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
var instr = instructions[i];
|
||||
if (instr.OpCode.Code != Code.Ldtoken)
|
||||
continue;
|
||||
if (!MemberReferenceHelper.compareTypes(type, instr.Operand as TypeReference))
|
||||
if (!new SigComparer().Equals(type, instr.Operand as ITypeDefOrRef))
|
||||
continue;
|
||||
instructions[i] = new Instr(Instruction.Create(OpCodes.Ldtoken, blocks.Method.DeclaringType));
|
||||
}
|
||||
|
@ -607,12 +607,14 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
return list;
|
||||
}
|
||||
|
||||
public override void OnWriterEvent(ModuleWriter writer, ModuleWriterEvent evt) {
|
||||
public override void OnWriterEvent(ModuleWriterBase writer, ModuleWriterEvent evt) {
|
||||
if (evt != ModuleWriterEvent.EndWriteChunks)
|
||||
return;
|
||||
if (!options.DecryptMethods)
|
||||
return;
|
||||
#if PORT
|
||||
methodsDecrypter.encryptNativeMethods(writer);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -23,7 +23,7 @@ using de4dot.blocks;
|
|||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||
// Detect some empty class that is called from most .ctor's
|
||||
class EmptyClass {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
MethodDef emptyMethod;
|
||||
|
||||
public MethodDef Method {
|
||||
|
@ -34,7 +34,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
get { return emptyMethod != null ? emptyMethod.DeclaringType : null; }
|
||||
}
|
||||
|
||||
public EmptyClass(ModuleDefinition module) {
|
||||
public EmptyClass(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
init();
|
||||
}
|
||||
|
|
|
@ -27,7 +27,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||
class EncryptedResource {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
MethodDef resourceDecrypterMethod;
|
||||
EmbeddedResource encryptedDataResource;
|
||||
byte[] key, iv;
|
||||
|
@ -49,15 +49,15 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
get { return encryptedDataResource != null; }
|
||||
}
|
||||
|
||||
public EncryptedResource(ModuleDefinition module) {
|
||||
public EncryptedResource(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public EncryptedResource(ModuleDefinition module, EncryptedResource oldOne) {
|
||||
public EncryptedResource(ModuleDefMD module, EncryptedResource oldOne) {
|
||||
this.module = module;
|
||||
resourceDecrypterMethod = lookup(oldOne.resourceDecrypterMethod, "Could not find resource decrypter method");
|
||||
if (oldOne.encryptedDataResource != null)
|
||||
encryptedDataResource = DotNetUtils.getResource(module, oldOne.encryptedDataResource.Name) as EmbeddedResource;
|
||||
encryptedDataResource = DotNetUtils.getResource(module, oldOne.encryptedDataResource.Name.String) as EmbeddedResource;
|
||||
key = oldOne.key;
|
||||
iv = oldOne.iv;
|
||||
|
||||
|
@ -117,10 +117,10 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
if (iv == null)
|
||||
throw new ApplicationException("Could not find resource decrypter IV");
|
||||
if (usesPublicKeyToken()) {
|
||||
var publicKeyToken = module.Assembly.Name.PublicKeyToken;
|
||||
if (publicKeyToken != null && publicKeyToken.Length > 0) {
|
||||
var publicKeyToken = module.Assembly.PublicKeyToken;
|
||||
if (publicKeyToken != null && publicKeyToken.Data.Length > 0) {
|
||||
for (int i = 0; i < 8; i++)
|
||||
iv[i * 2 + 1] = publicKeyToken[i];
|
||||
iv[i * 2 + 1] = publicKeyToken.Data[i];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -133,9 +133,9 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
pktIndex = 0;
|
||||
continue;
|
||||
}
|
||||
if (!DotNetUtils.isLdcI4(instr))
|
||||
if (!instr.IsLdcI4())
|
||||
continue;
|
||||
int val = DotNetUtils.getLdcI4Value(instr);
|
||||
int val = instr.GetLdcI4Value();
|
||||
if (val != pktIndexes[pktIndex++]) {
|
||||
pktIndex = 0;
|
||||
continue;
|
||||
|
@ -176,7 +176,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
public void updateResource(byte[] encryptedData) {
|
||||
for (int i = 0; i < module.Resources.Count; i++) {
|
||||
if (module.Resources[i] == encryptedDataResource) {
|
||||
encryptedDataResource = new EmbeddedResource(encryptedDataResource.Name, encryptedDataResource.Attributes, encryptedData);
|
||||
encryptedDataResource = new EmbeddedResource(encryptedDataResource.Name, encryptedData, encryptedDataResource.Attributes);
|
||||
module.Resources[i] = encryptedDataResource;
|
||||
return;
|
||||
}
|
||||
|
|
|
@ -25,7 +25,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
// Find the class that returns a RuntimeTypeHandle/RuntimeFieldHandle. The value passed to
|
||||
// its methods is the original metadata token, which will be different when we save the file.
|
||||
class MetadataTokenObfuscator {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef type;
|
||||
MethodDef typeMethod;
|
||||
MethodDef fieldMethod;
|
||||
|
@ -34,7 +34,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
get { return type; }
|
||||
}
|
||||
|
||||
public MetadataTokenObfuscator(ModuleDefinition module) {
|
||||
public MetadataTokenObfuscator(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
find();
|
||||
}
|
||||
|
@ -51,13 +51,14 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
|
||||
MethodDef fieldMethod = null, typeMethod = null;
|
||||
foreach (var method in type.Methods) {
|
||||
if (method.Parameters.Count != 1)
|
||||
var sig = method.MethodSig;
|
||||
if (sig == null || sig.Params.Count != 1)
|
||||
continue;
|
||||
if (method.Parameters[0].ParameterType.FullName != "System.Int32")
|
||||
if (sig.Params[0].GetElementType() != ElementType.I4)
|
||||
continue;
|
||||
if (method.MethodReturnType.ReturnType.FullName == "System.RuntimeTypeHandle")
|
||||
if (sig.RetType.GetFullName() == "System.RuntimeTypeHandle")
|
||||
typeMethod = method;
|
||||
else if (method.MethodReturnType.ReturnType.FullName == "System.RuntimeFieldHandle")
|
||||
else if (sig.RetType.GetFullName() == "System.RuntimeFieldHandle")
|
||||
fieldMethod = method;
|
||||
}
|
||||
|
||||
|
@ -84,10 +85,10 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
var call = instrs[i + 1];
|
||||
if (call.OpCode.Code != Code.Call)
|
||||
continue;
|
||||
var method = call.Operand as MethodReference;
|
||||
var method = call.Operand as IMethod;
|
||||
if (method == null)
|
||||
continue;
|
||||
if (!MemberReferenceHelper.compareTypes(type, method.DeclaringType))
|
||||
if (!new SigComparer().Equals(type, method.DeclaringType))
|
||||
continue;
|
||||
var methodDef = DotNetUtils.getMethod(module, method);
|
||||
if (methodDef == null)
|
||||
|
@ -95,9 +96,9 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
if (methodDef != typeMethod && methodDef != fieldMethod)
|
||||
continue;
|
||||
|
||||
int token = (int)instrs[i].Operand;
|
||||
uint token = (uint)(int)instrs[i].Operand;
|
||||
instrs[i] = new Instr(Instruction.Create(OpCodes.Nop));
|
||||
instrs[i + 1] = new Instr(new Instruction(OpCodes.Ldtoken, module.LookupToken(token) as MemberReference));
|
||||
instrs[i + 1] = new Instr(new Instruction(OpCodes.Ldtoken, module.ResolveToken(token) as IMethod));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -22,13 +22,13 @@ using System.Collections.Generic;
|
|||
using System.IO;
|
||||
using dot10.DotNet;
|
||||
using dot10.DotNet.Emit;
|
||||
using Mono.MyStuff;
|
||||
using dot10.DotNet.Writer;
|
||||
using de4dot.blocks;
|
||||
using de4dot.PE;
|
||||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||
class MethodsDecrypter {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
EncryptedResource encryptedResource;
|
||||
Dictionary<uint, byte[]> tokenToNativeMethod = new Dictionary<uint, byte[]>();
|
||||
Dictionary<MethodDef, byte[]> methodToNativeMethod = new Dictionary<MethodDef, byte[]>();
|
||||
|
@ -55,12 +55,12 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
get { return encryptedResource.Resource; }
|
||||
}
|
||||
|
||||
public MethodsDecrypter(ModuleDefinition module) {
|
||||
public MethodsDecrypter(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
this.encryptedResource = new EncryptedResource(module);
|
||||
}
|
||||
|
||||
public MethodsDecrypter(ModuleDefinition module, MethodsDecrypter oldOne) {
|
||||
public MethodsDecrypter(ModuleDefMD module, MethodsDecrypter oldOne) {
|
||||
this.module = module;
|
||||
this.encryptedResource = new EncryptedResource(module, oldOne.encryptedResource);
|
||||
this.tokenToNativeMethod = oldOne.tokenToNativeMethod;
|
||||
|
@ -73,29 +73,28 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
"System.IntPtr",
|
||||
// "System.Reflection.Assembly", //TODO: Not in unknown DNR version with jitter support
|
||||
};
|
||||
var checkedMethods = new Dictionary<MethodReferenceAndDeclaringTypeKey, bool>();
|
||||
var checkedMethods = new Dictionary<IMethod, bool>(MethodEqualityComparer.CompareDeclaringTypes);
|
||||
var callCounter = new CallCounter();
|
||||
int typesLeft = 30;
|
||||
foreach (var type in module.GetTypes()) {
|
||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
||||
var cctor = type.FindStaticConstructor();
|
||||
if (cctor == null || cctor.Body == null)
|
||||
continue;
|
||||
if (typesLeft-- <= 0)
|
||||
break;
|
||||
|
||||
foreach (var method in DotNetUtils.getCalledMethods(module, cctor)) {
|
||||
var key = new MethodReferenceAndDeclaringTypeKey(method);
|
||||
if (!checkedMethods.ContainsKey(key)) {
|
||||
checkedMethods[key] = false;
|
||||
if (!checkedMethods.ContainsKey(method)) {
|
||||
checkedMethods[method] = false;
|
||||
if (method.DeclaringType.BaseType == null || method.DeclaringType.BaseType.FullName != "System.Object")
|
||||
continue;
|
||||
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||
continue;
|
||||
if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes))
|
||||
continue;
|
||||
checkedMethods[key] = true;
|
||||
checkedMethods[method] = true;
|
||||
}
|
||||
else if (!checkedMethods[key])
|
||||
else if (!checkedMethods[method])
|
||||
continue;
|
||||
callCounter.add(method);
|
||||
}
|
||||
|
@ -278,10 +277,10 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
if (instructions[i].OpCode.Code != Code.Ldind_I8)
|
||||
continue;
|
||||
var ldci4 = instructions[i + 1];
|
||||
if (!DotNetUtils.isLdcI4(ldci4))
|
||||
if (!ldci4.IsLdcI4())
|
||||
continue;
|
||||
|
||||
return DotNetUtils.getLdcI4Value(ldci4);
|
||||
return ldci4.GetLdcI4Value();
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -289,7 +288,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
public void reloaded() {
|
||||
foreach (var pair in tokenToNativeMethod) {
|
||||
int token = (int)pair.Key;
|
||||
var method = module.LookupToken(token) as MethodDef;
|
||||
var method = module.ResolveToken(token) as MethodDef;
|
||||
if (method == null)
|
||||
throw new ApplicationException(string.Format("Could not find method {0:X8}", token));
|
||||
methodToNativeMethod[method] = pair.Value;
|
||||
|
@ -297,7 +296,8 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
tokenToNativeMethod = null;
|
||||
}
|
||||
|
||||
public void encryptNativeMethods(ModuleWriter moduleWriter) {
|
||||
#if PORT
|
||||
public void encryptNativeMethods(ModuleWriterBase moduleWriter) {
|
||||
if (methodToNativeMethod.Count == 0)
|
||||
return;
|
||||
|
||||
|
@ -340,12 +340,14 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
xorEncrypt(encryptedData);
|
||||
encryptedResource.updateResource(encryptedResource.encrypt(encryptedData));
|
||||
}
|
||||
#endif
|
||||
|
||||
public static MethodDef findDnrCompileMethod(TypeDef type) {
|
||||
foreach (var method in type.Methods) {
|
||||
if (!method.IsStatic || method.Body == null)
|
||||
continue;
|
||||
if (method.Parameters.Count != 6)
|
||||
var sig = method.MethodSig;
|
||||
if (sig == null || sig.Params.Count != 6)
|
||||
continue;
|
||||
if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
|
||||
continue;
|
||||
|
|
|
@ -20,31 +20,26 @@
|
|||
using System;
|
||||
using System.IO;
|
||||
using ICSharpCode.SharpZipLib.Zip.Compression;
|
||||
using de4dot.PE;
|
||||
using dot10.PE;
|
||||
using dot10.IO;
|
||||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||
class NativeImageUnpacker {
|
||||
PeImage peImage;
|
||||
MyPEImage peImage;
|
||||
bool isNet1x;
|
||||
|
||||
public NativeImageUnpacker(PeImage peImage) {
|
||||
this.peImage = peImage;
|
||||
public NativeImageUnpacker(IPEImage peImage) {
|
||||
this.peImage = new MyPEImage(peImage);
|
||||
}
|
||||
|
||||
public byte[] unpack() {
|
||||
var resources = peImage.Resources;
|
||||
var dir = resources.getRoot();
|
||||
if ((dir = dir.getDirectory(10)) == null)
|
||||
if (peImage.PEImage.Win32Resources == null)
|
||||
return null;
|
||||
if ((dir = dir.getDirectory("__")) == null)
|
||||
return null;
|
||||
var dataEntry = dir.getData(0);
|
||||
var dataEntry = peImage.PEImage.Win32Resources.Find(10, "__", 0);
|
||||
if (dataEntry == null)
|
||||
return null;
|
||||
|
||||
var encryptedData = peImage.readBytes(dataEntry.RVA, (int)dataEntry.Size);
|
||||
if (encryptedData.Length != dataEntry.Size)
|
||||
return null;
|
||||
var encryptedData = dataEntry.Data.ReadAllBytes();
|
||||
|
||||
var keyData = getKeyData();
|
||||
if (keyData == null)
|
||||
|
|
|
@ -25,7 +25,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
class ProxyCallFixer : ProxyCallFixer3 {
|
||||
ISimpleDeobfuscator simpleDeobfuscator;
|
||||
|
||||
public ProxyCallFixer(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator)
|
||||
public ProxyCallFixer(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator)
|
||||
: base(module) {
|
||||
this.simpleDeobfuscator = simpleDeobfuscator;
|
||||
}
|
||||
|
@ -47,7 +47,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
static MethodDef checkType(TypeDef type) {
|
||||
if (!new FieldTypes(type).exactly(requiredFields))
|
||||
return null;
|
||||
if (DotNetUtils.getMethod(type, ".cctor") == null)
|
||||
if (type.FindStaticConstructor() == null)
|
||||
return null;
|
||||
|
||||
return checkMethods(type);
|
||||
|
@ -85,7 +85,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
var instrs = method.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 1; i++) {
|
||||
var ldci4 = instrs[i];
|
||||
if (!DotNetUtils.isLdcI4(ldci4))
|
||||
if (!ldci4.IsLdcI4())
|
||||
continue;
|
||||
|
||||
var call = instrs[i + 1];
|
||||
|
@ -95,13 +95,13 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
if (calledMethod == null || !isDelegateCreatorMethod(calledMethod))
|
||||
continue;
|
||||
|
||||
return module.LookupToken(0x02000000 + DotNetUtils.getLdcI4Value(ldci4)) as TypeDef;
|
||||
return module.ResolveToken(0x02000000 + ldci4.GetLdcI4Value()) as TypeDef;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) {
|
||||
calledMethod = module.LookupToken(0x06000000 + field.MDToken.ToInt32()) as MethodReference;
|
||||
protected override void getCallInfo(object context, FieldDef field, out IMethod calledMethod, out OpCode callOpcode) {
|
||||
calledMethod = module.ResolveToken(0x06000000 + field.MDToken.ToInt32()) as IMethod;
|
||||
callOpcode = OpCodes.Call;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -25,7 +25,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||
class ResourceResolver {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
EncryptedResource encryptedResource;
|
||||
MethodDef initMethod;
|
||||
|
||||
|
@ -45,12 +45,12 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
get { return encryptedResource.FoundResource; }
|
||||
}
|
||||
|
||||
public ResourceResolver(ModuleDefinition module) {
|
||||
public ResourceResolver(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
this.encryptedResource = new EncryptedResource(module);
|
||||
}
|
||||
|
||||
public ResourceResolver(ModuleDefinition module, ResourceResolver oldOne) {
|
||||
public ResourceResolver(ModuleDefMD module, ResourceResolver oldOne) {
|
||||
this.module = module;
|
||||
this.encryptedResource = new EncryptedResource(module, oldOne.encryptedResource);
|
||||
}
|
||||
|
@ -106,31 +106,31 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
}
|
||||
|
||||
MethodDef findInitMethod(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||
var ctor = DotNetUtils.getMethod(Type, ".ctor");
|
||||
var ctor = Type.FindMethod(".ctor");
|
||||
foreach (var method in Type.Methods) {
|
||||
if (!method.IsStatic || method.Body == null)
|
||||
continue;
|
||||
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||
continue;
|
||||
if (method.Body.Variables.Count > 1)
|
||||
if (method.Body.LocalList.Count > 1)
|
||||
continue;
|
||||
|
||||
simpleDeobfuscator.deobfuscate(method);
|
||||
bool stsfldUsed = false, newobjUsed = false;
|
||||
foreach (var instr in method.Body.Instructions) {
|
||||
if (instr.OpCode.Code == Code.Stsfld) {
|
||||
var field = instr.Operand as FieldReference;
|
||||
if (field == null || field.FieldType.FullName != "System.Boolean")
|
||||
var field = instr.Operand as IField;
|
||||
if (field == null || field.FieldSig.GetFieldType().GetElementType() != ElementType.Boolean)
|
||||
continue;
|
||||
if (!MemberReferenceHelper.compareTypes(Type, field.DeclaringType))
|
||||
if (!new SigComparer().Equals(Type, field.DeclaringType))
|
||||
continue;
|
||||
stsfldUsed = true;
|
||||
}
|
||||
else if (instr.OpCode.Code == Code.Newobj) {
|
||||
var calledCtor = instr.Operand as MethodReference;
|
||||
var calledCtor = instr.Operand as IMethod;
|
||||
if (calledCtor == null)
|
||||
continue;
|
||||
if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(calledCtor, ctor))
|
||||
if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(calledCtor, ctor))
|
||||
continue;
|
||||
newobjUsed = true;
|
||||
}
|
||||
|
@ -146,7 +146,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
public EmbeddedResource mergeResources() {
|
||||
if (encryptedResource.Resource == null)
|
||||
return null;
|
||||
DeobUtils.decryptAndAddResources(module, encryptedResource.Resource.Name, () => {
|
||||
DeobUtils.decryptAndAddResources(module, encryptedResource.Resource.Name.String, () => {
|
||||
return QuickLZ.decompress(encryptedResource.decrypt());
|
||||
});
|
||||
return encryptedResource.Resource;
|
||||
|
|
|
@ -27,7 +27,7 @@ using de4dot.PE;
|
|||
|
||||
namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
||||
class StringDecrypter {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
EncryptedResource encryptedResource;
|
||||
List<DecrypterInfo> decrypterInfos = new List<DecrypterInfo>();
|
||||
MethodDef otherStringDecrypter;
|
||||
|
@ -74,12 +74,12 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
get { return otherStringDecrypter; }
|
||||
}
|
||||
|
||||
public StringDecrypter(ModuleDefinition module) {
|
||||
public StringDecrypter(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
this.encryptedResource = new EncryptedResource(module);
|
||||
}
|
||||
|
||||
public StringDecrypter(ModuleDefinition module, StringDecrypter oldOne) {
|
||||
public StringDecrypter(ModuleDefMD module, StringDecrypter oldOne) {
|
||||
this.module = module;
|
||||
this.stringDecrypterVersion = oldOne.stringDecrypterVersion;
|
||||
this.encryptedResource = new EncryptedResource(module, oldOne.encryptedResource);
|
||||
|
@ -137,12 +137,15 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
foreach (var method in type.Methods) {
|
||||
if (!method.IsStatic || !method.HasBody)
|
||||
continue;
|
||||
if (method.MethodReturnType.ReturnType.FullName != "System.String")
|
||||
var sig = method.MethodSig;
|
||||
if (sig == null)
|
||||
continue;
|
||||
if (method.Parameters.Count != 1)
|
||||
if (sig.RetType.GetElementType() != ElementType.String)
|
||||
continue;
|
||||
if (method.Parameters[0].ParameterType.FullName != "System.Object" &&
|
||||
method.Parameters[0].ParameterType.FullName != "System.String")
|
||||
if (sig.Params.Count != 1)
|
||||
continue;
|
||||
if (sig.Params[0].GetElementType() != ElementType.Object &&
|
||||
sig.Params[0].GetElementType() != ElementType.String)
|
||||
continue;
|
||||
|
||||
otherStringDecrypter = method;
|
||||
|
@ -176,7 +179,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
|
|||
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) {
|
||||
if (calledMethod.DeclaringType != method.DeclaringType)
|
||||
continue;
|
||||
if (calledMethod.MethodReturnType.ReturnType.FullName != "System.Byte[]")
|
||||
if (calledMethod.MethodSig.GetRetType().GetFullName() != "System.Byte[]")
|
||||
continue;
|
||||
var localTypes = new LocalTypes(calledMethod);
|
||||
if (!localTypes.all(requiredTypes))
|
||||
|
|
|
@ -47,8 +47,8 @@ namespace de4dot.cui {
|
|||
new de4dot.code.deobfuscators.DeepSea.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.dotNET_Reactor.v3.DeobfuscatorInfo(),
|
||||
#if PORT
|
||||
new de4dot.code.deobfuscators.dotNET_Reactor.v4.DeobfuscatorInfo(),
|
||||
#if PORT
|
||||
new de4dot.code.deobfuscators.Eazfuscator_NET.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Goliath_NET.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.ILProtector.DeobfuscatorInfo(),
|
||||
|
|
2
dot10
2
dot10
|
@ -1 +1 @@
|
|||
Subproject commit 4f392d624e7a9e23133801f2d18b0948e13e4411
|
||||
Subproject commit 361768bfd38e6749d027ea8bf244b0a777c5d0d4
|
Loading…
Reference in New Issue
Block a user