monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Refactor code and support latest AN build

Browse Source
This commit is contained in:
de4dot 2012-06-02 07:26:21 +02:00
parent 6d82d9f686
commit ec8139f640
7 changed files with 1335 additions and 904 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
de4dot.code/de4dot.code.csproj
View File

@ -89,6 +89,7 @@
<Compile Include="deobfuscators\CliSecure\vm\CsvmToCilMethodConverter.cs" />
<Compile Include="deobfuscators\CliSecure\vm\FieldsInfo.cs" />
<Compile Include="deobfuscators\CliSecure\vm\OpCodeHandler.cs" />
<Compile Include="deobfuscators\CliSecure\vm\OpCodeHandlers.cs" />
<Compile Include="deobfuscators\CliSecure\vm\UnknownHandlerInfo.cs" />
<Compile Include="deobfuscators\CliSecure\vm\VmOpCodeHandlerDetector.cs" />
<Compile Include="deobfuscators\CliSecure\vm\VmOperands.cs" />

2
de4dot.code/deobfuscators/CliSecure/vm/CsvmToCilMethodConverter.cs
View File

@ -212,7 +212,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
int offset = 0;
while (reader.BaseStream.Position < reader.BaseStream.Length) {
int vmOpCode = reader.ReadUInt16();
var instr = opCodeDetector.Handlers[vmOpCode].read(reader);
var instr = opCodeDetector.Handlers[vmOpCode].Read(reader);
instr.Offset = offset;
offset += getInstructionSize(instr);
instrs.Add(instr);

964
de4dot.code/deobfuscators/CliSecure/vm/OpCodeHandler.cs
View File

File diff suppressed because it is too large Load Diff

1198
de4dot.code/deobfuscators/CliSecure/vm/OpCodeHandlers.cs Normal file
View File

File diff suppressed because it is too large Load Diff

2
de4dot.code/deobfuscators/CliSecure/vm/UnknownHandlerInfo.cs
View File

@ -74,7 +74,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
executeMethodPops = countPops(executeMethod);
}
static IEnumerable<FieldDefinition> getFields(TypeDefinition type) {
static internal IEnumerable<FieldDefinition> getFields(TypeDefinition type) {
var typeFields = new FieldDefinitionAndDeclaringTypeDict<FieldDefinition>();
foreach (var field in type.Fields)
typeFields.add(field, field);

69
de4dot.code/deobfuscators/CliSecure/vm/VmOpCodeHandlerDetector.cs
View File

@ -45,39 +45,6 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
class VmOpCodeHandlerDetector {
ModuleDefinition module;
static readonly OpCodeHandler[] opCodeHandlerDetectors = new OpCodeHandler[] {
new ArithmeticOpCodeHandler(),
new ArrayOpCodeHandler(),
new BoxOpCodeHandler(),
new CallOpCodeHandler(),
new CastOpCodeHandler(),
new CompareOpCodeHandler(),
new ConvertOpCodeHandler(),
new DupPopOpCodeHandler(),
new ElemOpCodeHandler(),
new EndfinallyOpCodeHandler(),
new FieldOpCodeHandler(),
new InitobjOpCodeHandler(),
new LdLocalArgOpCodeHandler(),
new LdLocalArgAddrOpCodeHandler(),
new LdelemaOpCodeHandler(),
new LdlenOpCodeHandler(),
new LdobjOpCodeHandler(),
new LdstrOpCodeHandler(),
new LdtokenOpCodeHandler(),
new LeaveOpCodeHandler(),
new LoadConstantOpCodeHandler(),
new LoadFuncOpCodeHandler(),
new LogicalOpCodeHandler(),
new NopOpCodeHandler(),
new RetOpCodeHandler(),
new RethrowOpCodeHandler(),
new StLocalArgOpCodeHandler(),
new StobjOpCodeHandler(),
new SwitchOpCodeHandler(),
new ThrowOpCodeHandler(),
new UnaryOpCodeHandler(),
};
List<OpCodeHandler> opCodeHandlers;
public List<OpCodeHandler> Handlers {
@ -95,12 +62,15 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
if (vmHandlerTypes == null)
throw new ApplicationException("Could not find CSVM opcode handler types");
detectHandlers(vmHandlerTypes, createCsvmInfo());
}
internal CsvmInfo createCsvmInfo() {
var csvmInfo = new CsvmInfo();
csvmInfo.StackValue = findStackValueType();
csvmInfo.Stack = findStackType(csvmInfo.StackValue);
initStackTypeMethods(csvmInfo);
detectHandlers(vmHandlerTypes, csvmInfo);
return csvmInfo;
}
TypeDefinition findStackValueType() {
@ -239,19 +209,26 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
void detectHandlers(List<TypeDefinition> handlerTypes, CsvmInfo csvmInfo) {
opCodeHandlers = new List<OpCodeHandler>();
var detected = new List<OpCodeHandler>();
foreach (var handlerType in handlerTypes) {
var info = new UnknownHandlerInfo(handlerType, csvmInfo);
detected.Clear();
foreach (var opCodeHandler in opCodeHandlerDetectors) {
if (opCodeHandler.detect(info))
detected.Add(opCodeHandler);
foreach (var handlersList in OpCodeHandlers.opcodeHandlers) {
opCodeHandlers.Clear();
foreach (var handlerType in handlerTypes) {
var info = new UnknownHandlerInfo(handlerType, csvmInfo);
detected.Clear();
foreach (var opCodeHandler in handlersList) {
if (opCodeHandler.detect(info))
detected.Add(opCodeHandler);
}
if (detected.Count != 1)
goto next;
opCodeHandlers.Add(detected[0]);
}
if (detected.Count != 1)
throw new ApplicationException("Could not detect VM opcode handler");
opCodeHandlers.Add(detected[0]);
if (new List<OpCodeHandler>(Utils.unique(opCodeHandlers)).Count == opCodeHandlers.Count)
return;
next: ;
}
if (new List<OpCodeHandler>(Utils.unique(opCodeHandlers)).Count != opCodeHandlers.Count)
throw new ApplicationException("Could not detect all VM opcode handlers");
throw new ApplicationException("Could not detect all VM opcode handlers");
}
}
}

3
de4dot.mdecrypt/DynamicMethodsDecrypter.cs
View File

@ -244,7 +244,8 @@ namespace de4dot.mdecrypt {
uint size = pSection->VirtualSize;
uint rva = pSection->VirtualAddress;
return new IntPtr((byte*)hDll + rva + size);
int displ = -4;
return new IntPtr((byte*)hDll + rva + size + displ);
}
throw new ApplicationException("Could not find .text section");