Add code to restore dumped methods

2012-11-07 00:53:16 +01:00 · 2012-11-07 00:53:16 +01:00 · d98d4b10bb
commit d98d4b10bb
parent 4be7e4fe46
5 changed files with 89 additions and 5 deletions
--- a/de4dot.code/AssemblyModule.cs
+++ b/de4dot.code/AssemblyModule.cs
@ -60,10 +60,16 @@ namespace de4dot.code {
 			module.Write(newFilename, writerOptions);
 		}

-		public ModuleDefMD reload(byte[] newModuleData, DumpedMethods dumpedMethods) {
+		public ModuleDefMD reload(byte[] newModuleData, DumpedMethodsRestorer dumpedMethodsRestorer, IStringDecrypter stringDecrypter) {
 			TheAssemblyResolver.Instance.removeModule(module);
-			//TODO: Use dumped methods
-			return setModule(ModuleDefMD.Load(newModuleData, moduleContext));
+			var mod = ModuleDefMD.Load(newModuleData, moduleContext);
+			if (dumpedMethodsRestorer != null)
+				dumpedMethodsRestorer.Module = mod;
+			mod.StringDecrypter = stringDecrypter;
+			mod.MethodDecrypter = dumpedMethodsRestorer;
+			mod.TablesStream.ColumnReader = dumpedMethodsRestorer;
+			mod.TablesStream.MethodRowReader = dumpedMethodsRestorer;
+			return setModule(mod);
 		}

 		public override string ToString() {
--- a/de4dot.code/DumpedMethodsRestorer.cs
+++ b/de4dot.code/DumpedMethodsRestorer.cs
@ -0,0 +1,71 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using dot10.PE;
+using dot10.DotNet.MD;
+using dot10.DotNet.Emit;
+using dot10.DotNet;
+using de4dot.blocks;
+
+namespace de4dot.code {
+	class DumpedMethodsRestorer : IRowReader<RawMethodRow>, IColumnReader, IMethodDecrypter {
+		ModuleDefMD module;
+		DumpedMethods dumpedMethods;
+
+		public ModuleDefMD Module {
+			set { module = value; }
+		}
+
+		public DumpedMethodsRestorer(DumpedMethods dumpedMethods) {
+			this.dumpedMethods = dumpedMethods;
+		}
+
+		public virtual RawMethodRow ReadRow(uint rid) {
+			var dm = dumpedMethods.get(rid);
+			if (dm == null)
+				return null;
+			return new RawMethodRow(dm.mdRVA, dm.mdImplFlags, dm.mdFlags, dm.mdName, dm.mdSignature, dm.mdParamList);
+		}
+
+		public bool ReadColumn(MDTable table, uint rid, ColumnInfo column, out uint value) {
+			if (table.Table == Table.Method) {
+				var row = ReadRow(rid);
+				if (row != null) {
+					value = row.Read(column.Index);
+					return true;
+				}
+			}
+
+			value = 0;
+			return false;
+		}
+
+		public bool HasMethodBody(uint rid) {
+			return dumpedMethods.get(rid) != null;
+		}
+
+		public MethodBody GetMethodBody(uint rid, RVA rva, IList<Parameter> parameters) {
+			var dm = dumpedMethods.get(rid);
+			if (dm == null)
+				return null;
+			return MethodBodyReader.Create(module, dm.code, dm.extraSections, parameters);
+		}
+	}
+}
--- a/de4dot.code/ObfuscatedFile.cs
+++ b/de4dot.code/ObfuscatedFile.cs
@ -372,13 +372,19 @@ namespace de4dot.code {
 		void reloadModule(byte[] newModuleData, DumpedMethods dumpedMethods) {
 			Log.v("Reloading decrypted assembly (original filename: {0})", Filename);
 			simpleDeobfuscatorFlags.Clear();
-			module = assemblyModule.reload(newModuleData, dumpedMethods);
+			module = assemblyModule.reload(newModuleData, createDumpedMethodsRestorer(dumpedMethods), deob as IStringDecrypter);
 			deob = deob.moduleReloaded(module);
 			initializeDeobfuscator();
 			deob.DeobfuscatedFile = this;
 			updateDynamicStringInliner();
 		}

+		DumpedMethodsRestorer createDumpedMethodsRestorer(DumpedMethods dumpedMethods) {
+			if (dumpedMethods == null || dumpedMethods.Count == 0)
+				return null;
+			return new DumpedMethodsRestorer(dumpedMethods);
+		}
+
 		void initAssemblyClient() {
 			if (assemblyClient == null)
 				return;
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@ -266,6 +266,7 @@
    <Compile Include="IDeobfuscatorContext.cs" />
    <Compile Include="IObfuscatedFile.cs" />
    <Compile Include="Log.cs" />
+    <Compile Include="DumpedMethodsRestorer.cs" />
    <Compile Include="MethodPrinter.cs" />
    <Compile Include="MethodReturnValueInliner.cs" />
    <Compile Include="NameRegexes.cs" />
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 37baf8dadc492180aa050f726ab1a9557ffe44e1
+Subproject commit 467c01e824587bb5c09608c58adac718c465a356