Refactor code and support latest AN build
parent
6d82d9f686
commit
ec8139f640
|
@ -89,6 +89,7 @@
|
||||||
<Compile Include="deobfuscators\CliSecure\vm\CsvmToCilMethodConverter.cs" />
|
<Compile Include="deobfuscators\CliSecure\vm\CsvmToCilMethodConverter.cs" />
|
||||||
<Compile Include="deobfuscators\CliSecure\vm\FieldsInfo.cs" />
|
<Compile Include="deobfuscators\CliSecure\vm\FieldsInfo.cs" />
|
||||||
<Compile Include="deobfuscators\CliSecure\vm\OpCodeHandler.cs" />
|
<Compile Include="deobfuscators\CliSecure\vm\OpCodeHandler.cs" />
|
||||||
|
<Compile Include="deobfuscators\CliSecure\vm\OpCodeHandlers.cs" />
|
||||||
<Compile Include="deobfuscators\CliSecure\vm\UnknownHandlerInfo.cs" />
|
<Compile Include="deobfuscators\CliSecure\vm\UnknownHandlerInfo.cs" />
|
||||||
<Compile Include="deobfuscators\CliSecure\vm\VmOpCodeHandlerDetector.cs" />
|
<Compile Include="deobfuscators\CliSecure\vm\VmOpCodeHandlerDetector.cs" />
|
||||||
<Compile Include="deobfuscators\CliSecure\vm\VmOperands.cs" />
|
<Compile Include="deobfuscators\CliSecure\vm\VmOperands.cs" />
|
||||||
|
|
|
@ -212,7 +212,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
|
||||||
int offset = 0;
|
int offset = 0;
|
||||||
while (reader.BaseStream.Position < reader.BaseStream.Length) {
|
while (reader.BaseStream.Position < reader.BaseStream.Length) {
|
||||||
int vmOpCode = reader.ReadUInt16();
|
int vmOpCode = reader.ReadUInt16();
|
||||||
var instr = opCodeDetector.Handlers[vmOpCode].read(reader);
|
var instr = opCodeDetector.Handlers[vmOpCode].Read(reader);
|
||||||
instr.Offset = offset;
|
instr.Offset = offset;
|
||||||
offset += getInstructionSize(instr);
|
offset += getInstructionSize(instr);
|
||||||
instrs.Add(instr);
|
instrs.Add(instr);
|
||||||
|
|
File diff suppressed because it is too large
1198
de4dot.code/deobfuscators/CliSecure/vm/OpCodeHandlers.cs
Normal file
1198
de4dot.code/deobfuscators/CliSecure/vm/OpCodeHandlers.cs
Normal file
File diff suppressed because it is too large
|
@ -74,7 +74,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
|
||||||
executeMethodPops = countPops(executeMethod);
|
executeMethodPops = countPops(executeMethod);
|
||||||
}
|
}
|
||||||
|
|
||||||
static IEnumerable<FieldDefinition> getFields(TypeDefinition type) {
|
static internal IEnumerable<FieldDefinition> getFields(TypeDefinition type) {
|
||||||
var typeFields = new FieldDefinitionAndDeclaringTypeDict<FieldDefinition>();
|
var typeFields = new FieldDefinitionAndDeclaringTypeDict<FieldDefinition>();
|
||||||
foreach (var field in type.Fields)
|
foreach (var field in type.Fields)
|
||||||
typeFields.add(field, field);
|
typeFields.add(field, field);
|
||||||
|
|
|
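Review bot: The new declaration `static internal IEnumerable<FieldDefinition> getFields(TypeDefinition type)` puts the modifiers in an unconventional order; C# convention places the access modifier first, `internal static IEnumerable<FieldDefinition> getFields(TypeDefinition type)`. The method is now callable from other classes in the assembly, so a one-line summary comment stating which fields it yields would help those callers. The body continues outside the hunk, so the exact contract cannot be confirmed from here.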
@ -45,39 +45,6 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
|
||||||
|
|
||||||
class VmOpCodeHandlerDetector {
|
class VmOpCodeHandlerDetector {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
static readonly OpCodeHandler[] opCodeHandlerDetectors = new OpCodeHandler[] {
|
|
||||||
new ArithmeticOpCodeHandler(),
|
|
||||||
new ArrayOpCodeHandler(),
|
|
||||||
new BoxOpCodeHandler(),
|
|
||||||
new CallOpCodeHandler(),
|
|
||||||
new CastOpCodeHandler(),
|
|
||||||
new CompareOpCodeHandler(),
|
|
||||||
new ConvertOpCodeHandler(),
|
|
||||||
new DupPopOpCodeHandler(),
|
|
||||||
new ElemOpCodeHandler(),
|
|
||||||
new EndfinallyOpCodeHandler(),
|
|
||||||
new FieldOpCodeHandler(),
|
|
||||||
new InitobjOpCodeHandler(),
|
|
||||||
new LdLocalArgOpCodeHandler(),
|
|
||||||
new LdLocalArgAddrOpCodeHandler(),
|
|
||||||
new LdelemaOpCodeHandler(),
|
|
||||||
new LdlenOpCodeHandler(),
|
|
||||||
new LdobjOpCodeHandler(),
|
|
||||||
new LdstrOpCodeHandler(),
|
|
||||||
new LdtokenOpCodeHandler(),
|
|
||||||
new LeaveOpCodeHandler(),
|
|
||||||
new LoadConstantOpCodeHandler(),
|
|
||||||
new LoadFuncOpCodeHandler(),
|
|
||||||
new LogicalOpCodeHandler(),
|
|
||||||
new NopOpCodeHandler(),
|
|
||||||
new RetOpCodeHandler(),
|
|
||||||
new RethrowOpCodeHandler(),
|
|
||||||
new StLocalArgOpCodeHandler(),
|
|
||||||
new StobjOpCodeHandler(),
|
|
||||||
new SwitchOpCodeHandler(),
|
|
||||||
new ThrowOpCodeHandler(),
|
|
||||||
new UnaryOpCodeHandler(),
|
|
||||||
};
|
|
||||||
List<OpCodeHandler> opCodeHandlers;
|
List<OpCodeHandler> opCodeHandlers;
|
||||||
|
|
||||||
public List<OpCodeHandler> Handlers {
|
public List<OpCodeHandler> Handlers {
|
||||||
|
@ -95,12 +62,15 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
|
||||||
if (vmHandlerTypes == null)
|
if (vmHandlerTypes == null)
|
||||||
throw new ApplicationException("Could not find CSVM opcode handler types");
|
throw new ApplicationException("Could not find CSVM opcode handler types");
|
||||||
|
|
||||||
|
detectHandlers(vmHandlerTypes, createCsvmInfo());
|
||||||
|
}
|
||||||
|
|
||||||
|
internal CsvmInfo createCsvmInfo() {
|
||||||
var csvmInfo = new CsvmInfo();
|
var csvmInfo = new CsvmInfo();
|
||||||
csvmInfo.StackValue = findStackValueType();
|
csvmInfo.StackValue = findStackValueType();
|
||||||
csvmInfo.Stack = findStackType(csvmInfo.StackValue);
|
csvmInfo.Stack = findStackType(csvmInfo.StackValue);
|
||||||
initStackTypeMethods(csvmInfo);
|
initStackTypeMethods(csvmInfo);
|
||||||
|
return csvmInfo;
|
||||||
detectHandlers(vmHandlerTypes, csvmInfo);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
TypeDefinition findStackValueType() {
|
TypeDefinition findStackValueType() {
|
||||||
|
@ -239,18 +209,25 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
|
||||||
void detectHandlers(List<TypeDefinition> handlerTypes, CsvmInfo csvmInfo) {
|
void detectHandlers(List<TypeDefinition> handlerTypes, CsvmInfo csvmInfo) {
|
||||||
opCodeHandlers = new List<OpCodeHandler>();
|
opCodeHandlers = new List<OpCodeHandler>();
|
||||||
var detected = new List<OpCodeHandler>();
|
var detected = new List<OpCodeHandler>();
|
||||||
|
|
||||||
|
foreach (var handlersList in OpCodeHandlers.opcodeHandlers) {
|
||||||
|
opCodeHandlers.Clear();
|
||||||
|
|
||||||
foreach (var handlerType in handlerTypes) {
|
foreach (var handlerType in handlerTypes) {
|
||||||
var info = new UnknownHandlerInfo(handlerType, csvmInfo);
|
var info = new UnknownHandlerInfo(handlerType, csvmInfo);
|
||||||
detected.Clear();
|
detected.Clear();
|
||||||
foreach (var opCodeHandler in opCodeHandlerDetectors) {
|
foreach (var opCodeHandler in handlersList) {
|
||||||
if (opCodeHandler.detect(info))
|
if (opCodeHandler.detect(info))
|
||||||
detected.Add(opCodeHandler);
|
detected.Add(opCodeHandler);
|
||||||
}
|
}
|
||||||
if (detected.Count != 1)
|
if (detected.Count != 1)
|
||||||
throw new ApplicationException("Could not detect VM opcode handler");
|
goto next;
|
||||||
opCodeHandlers.Add(detected[0]);
|
opCodeHandlers.Add(detected[0]);
|
||||||
}
|
}
|
||||||
if (new List<OpCodeHandler>(Utils.unique(opCodeHandlers)).Count != opCodeHandlers.Count)
|
if (new List<OpCodeHandler>(Utils.unique(opCodeHandlers)).Count == opCodeHandlers.Count)
|
||||||
|
return;
|
||||||
|
next: ;
|
||||||
|
}
|
||||||
throw new ApplicationException("Could not detect all VM opcode handlers");
|
throw new ApplicationException("Could not detect all VM opcode handlers");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
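Review bot: In the rewritten `detectHandlers`, the `goto next;` / `next: ;` pair and the shared `opCodeHandlers` field make the retry loop hard to follow, and the field is left holding a partial list from the last candidate set when the final `ApplicationException` is thrown. Extracting the per-set attempt into a helper that returns the list (or null) removes the label and assigns the field only on success. The single remaining message "Could not detect all VM opcode handlers" also no longer says which handler type was unmatched or ambiguous, which the old per-handler throw at least distinguished; adding the handler type name, or logging which handler set was accepted, would make a misdetection on an unfamiliar build easier to diagnose. The element type of `OpCodeHandlers.opcodeHandlers` is not visible on this page, so the `IEnumerable<OpCodeHandler>` parameter below is an assumption.

```csharp
void detectHandlers(List<TypeDefinition> handlerTypes, CsvmInfo csvmInfo) {
	foreach (var handlersList in OpCodeHandlers.opcodeHandlers) {
		var found = tryDetectHandlers(handlersList, handlerTypes, csvmInfo);
		if (found != null) {
			opCodeHandlers = found;
			return;
		}
	}
	throw new ApplicationException("Could not detect all VM opcode handlers");
}

// Returns the handlers matched by one candidate set, or null when a handler
// type is unmatched/ambiguous or two handler types map to the same handler.
List<OpCodeHandler> tryDetectHandlers(IEnumerable<OpCodeHandler> handlersList, List<TypeDefinition> handlerTypes, CsvmInfo csvmInfo) {
	var result = new List<OpCodeHandler>();
	var detected = new List<OpCodeHandler>();
	foreach (var handlerType in handlerTypes) {
		var info = new UnknownHandlerInfo(handlerType, csvmInfo);
		detected.Clear();
		foreach (var opCodeHandler in handlersList) {
			if (opCodeHandler.detect(info))
				detected.Add(opCodeHandler);
		}
		if (detected.Count != 1)
			return null;
		result.Add(detected[0]);
	}
	if (new List<OpCodeHandler>(Utils.unique(result)).Count != result.Count)
		return null;
	return result;
}
```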
@ -244,7 +244,8 @@ namespace de4dot.mdecrypt {
|
||||||
|
|
||||||
uint size = pSection->VirtualSize;
|
uint size = pSection->VirtualSize;
|
||||||
uint rva = pSection->VirtualAddress;
|
uint rva = pSection->VirtualAddress;
|
||||||
return new IntPtr((byte*)hDll + rva + size);
|
int displ = -4;
|
||||||
|
return new IntPtr((byte*)hDll + rva + size + displ);
|
||||||
}
|
}
|
||||||
|
|
||||||
throw new ApplicationException("Could not find .text section");
|
throw new ApplicationException("Could not find .text section");
|
||||||
|
|
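Review bot: The added `int displ = -4;` is an unexplained magic number in unsafe pointer arithmetic. Nothing in the hunk says why the returned address moves from the end of `.text` to four bytes before it. A comment such as `// point at the last 4 bytes of .text, not one past its end — TODO state why` or a named constant would record the intent. `size` comes straight from the section header's `VirtualSize` and is not checked, so a section smaller than four bytes would yield a pointer before the computed range; a guard like `if (size < 4) throw new ApplicationException(".text section is too small");` before the return would fail cleanly instead. The enclosing method starts outside the hunk, so whether callers already validate the section is not visible here.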