Add code to restore dumped methods
parent
4be7e4fe46
commit
d98d4b10bb
|
@ -60,10 +60,16 @@ namespace de4dot.code {
|
|||
module.Write(newFilename, writerOptions);
|
||||
}
|
||||
|
||||
public ModuleDefMD reload(byte[] newModuleData, DumpedMethods dumpedMethods) {
|
||||
public ModuleDefMD reload(byte[] newModuleData, DumpedMethodsRestorer dumpedMethodsRestorer, IStringDecrypter stringDecrypter) {
|
||||
TheAssemblyResolver.Instance.removeModule(module);
|
||||
//TODO: Use dumped methods
|
||||
return setModule(ModuleDefMD.Load(newModuleData, moduleContext));
|
||||
var mod = ModuleDefMD.Load(newModuleData, moduleContext);
|
||||
if (dumpedMethodsRestorer != null)
|
||||
dumpedMethodsRestorer.Module = mod;
|
||||
mod.StringDecrypter = stringDecrypter;
|
||||
mod.MethodDecrypter = dumpedMethodsRestorer;
|
||||
mod.TablesStream.ColumnReader = dumpedMethodsRestorer;
|
||||
mod.TablesStream.MethodRowReader = dumpedMethodsRestorer;
|
||||
return setModule(mod);
|
||||
}
|
||||
|
||||
public override string ToString() {
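Review bot: `TheAssemblyResolver.Instance.removeModule(module)` still runs before `ModuleDefMD.Load(newModuleData, moduleContext)` in the new `reload`, so if loading the decrypted bytes throws, the old module has already been dropped from the resolver while nothing has replaced it. The bytes come from unpacking an obfuscated assembly, so a malformed image is a realistic input; calling `Load` first and removing the old module only after it returns would keep the resolver state consistent on failure. Separately, only `dumpedMethodsRestorer.Module = mod;` is covered by the null check, so `MethodDecrypter`, `ColumnReader` and `MethodRowReader` are assigned null when there is no restorer. If null means "use the default readers" in dot10 (not visible here), a comment such as `// null restorer: keep the module's default readers` would make that explicit.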
|
||||
|
|
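--- /dev/null
+++ b/de4dot.code/DumpedMethodsRestorer.cs
@@ -0,0 +1,71 @@
+/*
+Copyright (C) 2011-2012 de4dot@gmail.com
+
+This file is part of de4dot.
+
+de4dot is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+de4dot is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with de4dot. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using dot10.PE;
+using dot10.DotNet.MD;
+using dot10.DotNet.Emit;
+using dot10.DotNet;
+using de4dot.blocks;
+
+namespace de4dot.code {
+class DumpedMethodsRestorer : IRowReader<RawMethodRow>, IColumnReader, IMethodDecrypter {
+ModuleDefMD module;
+DumpedMethods dumpedMethods;
+
+public ModuleDefMD Module {
+set { module = value; }
+}
+
+public DumpedMethodsRestorer(DumpedMethods dumpedMethods) {
+this.dumpedMethods = dumpedMethods;
+}
+
+public virtual RawMethodRow ReadRow(uint rid) {
+var dm = dumpedMethods.get(rid);
+if (dm == null)
+return null;
+return new RawMethodRow(dm.mdRVA, dm.mdImplFlags, dm.mdFlags, dm.mdName, dm.mdSignature, dm.mdParamList);
+}
+
+public bool ReadColumn(MDTable table, uint rid, ColumnInfo column, out uint value) {
+if (table.Table == Table.Method) {
+var row = ReadRow(rid);
+if (row != null) {
+value = row.Read(column.Index);
+return true;
+}
+}
+
+value = 0;
+return false;
+}
+
+public bool HasMethodBody(uint rid) {
+return dumpedMethods.get(rid) != null;
+}
+
+public MethodBody GetMethodBody(uint rid, RVA rva, IList<Parameter> parameters) {
+var dm = dumpedMethods.get(rid);
+if (dm == null)
+return null;
+return MethodBodyReader.Create(module, dm.code, dm.extraSections, parameters);
+}
+}
+}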
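Review bot: `GetMethodBody` passes the `module` field to `MethodBodyReader.Create`, but that field is filled only through the write-only `Module` setter, so a restorer that is asked for a body before `Module` is assigned would hand a null module to the body reader. The ordering requirement should at least be written down on the property, for example `// Must be set before any method body is requested; GetMethodBody passes it to MethodBodyReader.Create.` The class also has no summary; a `///` comment stating that it substitutes Method-table rows and method bodies with the entries in `dumpedMethods`, looked up by rid, would help the next reader. Since `dm.code` and `dm.extraSections` originate from a dump of the obfuscated target, it is worth confirming that `MethodBodyReader.Create` rejects truncated or malformed bytes cleanly rather than assuming the dump is well-formed.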
@ -372,13 +372,19 @@ namespace de4dot.code {
|
|||
void reloadModule(byte[] newModuleData, DumpedMethods dumpedMethods) {
|
||||
Log.v("Reloading decrypted assembly (original filename: {0})", Filename);
|
||||
simpleDeobfuscatorFlags.Clear();
|
||||
module = assemblyModule.reload(newModuleData, dumpedMethods);
|
||||
module = assemblyModule.reload(newModuleData, createDumpedMethodsRestorer(dumpedMethods), deob as IStringDecrypter);
|
||||
deob = deob.moduleReloaded(module);
|
||||
initializeDeobfuscator();
|
||||
deob.DeobfuscatedFile = this;
|
||||
updateDynamicStringInliner();
|
||||
}
|
||||
|
||||
DumpedMethodsRestorer createDumpedMethodsRestorer(DumpedMethods dumpedMethods) {
|
||||
if (dumpedMethods == null || dumpedMethods.Count == 0)
|
||||
return null;
|
||||
return new DumpedMethodsRestorer(dumpedMethods);
|
||||
}
|
||||
|
||||
void initAssemblyClient() {
|
||||
if (assemblyClient == null)
|
||||
return;
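Review bot: In `reloadModule`, `deob as IStringDecrypter` is evaluated before `deob = deob.moduleReloaded(module)` on the following line, so the string decrypter handed to the new module is the pre-reload deobfuscator. If `moduleReloaded` can return a different instance (not visible in this hunk), the module would keep calling into the stale object; re-assigning after the swap, `module.StringDecrypter = deob as IStringDecrypter;`, would avoid that. The `as` cast also yields null without any log line for deobfuscators that do not implement the interface, which deserves a one-line comment if that is the intended fallback.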
|
||||
|
|
|
@ -266,6 +266,7 @@
|
|||
<Compile Include="IDeobfuscatorContext.cs" />
|
||||
<Compile Include="IObfuscatedFile.cs" />
|
||||
<Compile Include="Log.cs" />
|
||||
<Compile Include="DumpedMethodsRestorer.cs" />
|
||||
<Compile Include="MethodPrinter.cs" />
|
||||
<Compile Include="MethodReturnValueInliner.cs" />
|
||||
<Compile Include="NameRegexes.cs" />
|
||||
|
|
2
dot10
2
dot10
|
@ -1 +1 @@
|
|||
Subproject commit 37baf8dadc492180aa050f726ab1a9557ffe44e1
|
||||
Subproject commit 467c01e824587bb5c09608c58adac718c465a356
|