diff --git a/AssemblyData/Properties/AssemblyInfo.cs b/AssemblyData/Properties/AssemblyInfo.cs
index 1c223116..9a1846a9 100644
--- a/AssemblyData/Properties/AssemblyInfo.cs
+++ b/AssemblyData/Properties/AssemblyInfo.cs
@@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("2.0.3.3405")]
-[assembly: AssemblyFileVersion("2.0.3.3405")]
+[assembly: AssemblyVersion("3.0.2.3405")]
+[assembly: AssemblyFileVersion("3.0.2.3405")]
diff --git a/AssemblyServer-CLR20-x64/Properties/AssemblyInfo.cs b/AssemblyServer-CLR20-x64/Properties/AssemblyInfo.cs
index f4dcf7ac..a02dcb49 100644
--- a/AssemblyServer-CLR20-x64/Properties/AssemblyInfo.cs
+++ b/AssemblyServer-CLR20-x64/Properties/AssemblyInfo.cs
@@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("2.0.3.3405")]
-[assembly: AssemblyFileVersion("2.0.3.3405")]
+[assembly: AssemblyVersion("3.0.2.3405")]
+[assembly: AssemblyFileVersion("3.0.2.3405")]
diff --git a/AssemblyServer-CLR20/Properties/AssemblyInfo.cs b/AssemblyServer-CLR20/Properties/AssemblyInfo.cs
index d11ab045..83599918 100644
--- a/AssemblyServer-CLR20/Properties/AssemblyInfo.cs
+++ b/AssemblyServer-CLR20/Properties/AssemblyInfo.cs
@@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("2.0.3.3405")]
-[assembly: AssemblyFileVersion("2.0.3.3405")]
+[assembly: AssemblyVersion("3.0.2.3405")]
+[assembly: AssemblyFileVersion("3.0.2.3405")]
diff --git a/AssemblyServer-CLR40-x64/Properties/AssemblyInfo.cs b/AssemblyServer-CLR40-x64/Properties/AssemblyInfo.cs
index 86e3322b..04c2d642 100644
--- a/AssemblyServer-CLR40-x64/Properties/AssemblyInfo.cs
+++ b/AssemblyServer-CLR40-x64/Properties/AssemblyInfo.cs
@@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("2.0.3.3405")]
-[assembly: AssemblyFileVersion("2.0.3.3405")]
+[assembly: AssemblyVersion("3.0.2.3405")]
+[assembly: AssemblyFileVersion("3.0.2.3405")]
diff --git a/AssemblyServer-CLR40/Properties/AssemblyInfo.cs b/AssemblyServer-CLR40/Properties/AssemblyInfo.cs
index 9ffff191..d3feeec2 100644
--- a/AssemblyServer-CLR40/Properties/AssemblyInfo.cs
+++ b/AssemblyServer-CLR40/Properties/AssemblyInfo.cs
@@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("2.0.3.3405")]
-[assembly: AssemblyFileVersion("2.0.3.3405")]
+[assembly: AssemblyVersion("3.0.2.3405")]
+[assembly: AssemblyFileVersion("3.0.2.3405")]
diff --git a/AssemblyServer-x64/Properties/AssemblyInfo.cs b/AssemblyServer-x64/Properties/AssemblyInfo.cs
index 3024fb87..b799795f 100644
--- a/AssemblyServer-x64/Properties/AssemblyInfo.cs
+++ b/AssemblyServer-x64/Properties/AssemblyInfo.cs
@@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("2.0.3.3405")]
-[assembly: AssemblyFileVersion("2.0.3.3405")]
+[assembly: AssemblyVersion("3.0.2.3405")]
+[assembly: AssemblyFileVersion("3.0.2.3405")]
diff --git a/AssemblyServer/Properties/AssemblyInfo.cs b/AssemblyServer/Properties/AssemblyInfo.cs
index 7e8d2c6b..460521ea 100644
--- a/AssemblyServer/Properties/AssemblyInfo.cs
+++ b/AssemblyServer/Properties/AssemblyInfo.cs
@@ -29,5 +29,5 @@ using System.Runtime.InteropServices; [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] [assembly: ComVisible(false)] -[assembly: AssemblyVersion("2.0.3.3405")] -[assembly: AssemblyFileVersion("2.0.3.3405")] +[assembly: AssemblyVersion("3.0.2.3405")] +[assembly: AssemblyFileVersion("3.0.2.3405")] diff --git a/README.md b/README.md index eb8f6c4b..506fcf9f 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,6 @@ Here's a pseudo random list of the things it will do depending on what obfuscato * Fixes some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake. * Restore the types of method parameters and fields - Supported obfuscators/packers ============================= @@ -52,6 +51,13 @@ Supported obfuscators/packers Some of the above obfuscators are rarely used (eg. Goliath.NET), so they have had much less testing. Help me out by reporting bugs or problems you find. +Warning +======= + +Sometimes the obfuscated assembly and all its dependencies are loaded into memory for execution. Use a safe sandbox environment if you suspect the assembly or assemblies to be malware. + +Even if the current version of de4dot doesn't load a certain assembly into memory for execution, a future version might. + How to use de4dot ================= 
@@ -166,13 +172,13 @@ The default regexes should be enough, except possibly the one that is used when Eg., currently the following is the default regex used when Dotfuscator is detected - !^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&^[a-zA-Z_<{$][a-zA-Z_0-9<>{}$.`-]*$ + !^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$ -As you can see, it's not just one regex, it's more than one. Each is separated by `&` and each regex can be negated by using `!` in front of it. To show it more clearly, these regexes are used: +As you can see, it's not just one regex, it's more than one. Each one is separated by `&` and each regex can be negated by using `!` in front of it. To show it more clearly, these regexes are used: (negated) ^[a-z][a-z0-9]{0,2}$ (negated) ^A_[0-9]+$ - ^[a-zA-Z_<{$][a-zA-Z_0-9<>{}$.`-]*$ + ^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$ To change the regex(es), you must know the short type name of the obfuscator (see help screen). Eg. it's `sa` if it's SmartAssembly, and `un` if it's an unsupported/unknown obfuscator. The option to use is `--TYPE-name` (eg. `--sa-name` for SmartAssembly and `--un-name` for unknown/unsupported obfuscators): 
@@ -182,78 +188,3 @@ Other options ------------- Start `de4dot` without any arguments and it will show all options. - -Tiny FAQ -======== - -Is this a cracker only tool? ----------------------------- - -Of course. Not. Here's some legitimate uses of this software: - -* Malware analysis - -Many malware try to protect against analysis. They think obfuscating the code makes it hard. Mistake no. 1 was to use .NET. - -* Speed up a program / use less memory - -Unless only symbol renaming was used, the obfuscated assembly is usually slower and requires more memory at runtime compared to the original assembly. By unpacking and deobfuscating it, the program's memory usage and speed will be almost identical to the original program. - -* Make the assembly compatible with mono - -Most obfuscators don't support mono, even if the original assembly does. By unpacking and deobfuscating it, mono support will be restored. - -* You lost your source code and only have the obfuscated .NET assemblies - -By unpacking and deobfuscating your assemblies, you can then use any .NET decompiler (eg. the open source ILSpy) to get back your source code. - -* Obfuscator created unverifiable code but code must be verifiable - -Some of the obfuscators are buggy and create unverifiable code due to bugs in the software. Some of these errors are fixed by de4dot. - - -I've "protected" my app with some obfuscator but I just found out about de4dot. Is .NET obfuscation useless? ------------------------------------------------------------------------------------------------------------- - -Yes. It's simply way too easy to restore most of these "protections". - - -What do you think of these obfuscators? They're good, right? ------------------------------------------------------------- - -:D - -Speaking from experience with a lot of obfuscators, I can say that their protection is really weak. You see the same weak "protection" in pretty much every obfuscator. 
Copying ideas from other obfuscators seems to be their best skill. - -99% of the people working for these companies have absolutely no experience in reverse engineering. If you have no experience in what is a good or a bad protection, it's very unlikely that you're able to write a good protection. - -To show you an example, most obfuscators can encrypt all the strings in your assemblies. What they fail to tell you is that it's child's play to decrypt the strings. Here's an example from SecureTeam's Agile.NET (aka CliSecure). de4dot's Agile.NET string decrypter code is only 85 lines long, and that includes the GPLv3 comment at the top of the file and the code that detects the string decrypter in the assembly! - -The actual string decrypter code is 4 lines long, and it's a simple XOR loop! When Agile.NET (aka CliSecure) encrypts your strings, it replaces the original strings with an XOR'd copy, and adds a call to their string decrypter. This decrypter merely XOR's every character and returns the decrypted string. Here's the string decrypter code de4dot uses: - - :::C# - public string decrypt(string es) { - char[] buf = new char[es.Length]; - for (int i = 0; i < es.Length; i++) - buf[i] = (char)(es[i] ^ stringDecrypterKey[i % stringDecrypterKey.Length]); - return new string(buf); - } - -Your code might look like this: - - :::C# - string myString = "Hello World"; - -and the obfuscator (eg. Agile.NET / CliSecure) will replace that with something similar to this: - - :::C# - string myString = DecryptClass.decrypt("AoF41Fk5422"); - -Yes, Agile.NET's string encryption feature really is this bad! I bet you that none of their customers knows about this. And SecureTeam sure wants to keep it that way. :) - -Even though most of the other obfuscators' string encryption feature isn't as bad as Agile.NET's string encryption, they still have one thing in common: it's very easy to decrypt the strings again. - -I must use .NET so what's the best protection? 
----------------------------------------------- - -If you don't count "don't distribute it" as a solution, the best obfuscator feature is symbol renaming. It's impossible to restore the symbols unless they're part of the assembly. All of the other "protections" are 100% reversible. diff --git a/Test.Rename.Dll/Properties/AssemblyInfo.cs b/Test.Rename.Dll/Properties/AssemblyInfo.cs index 968181df..3ce8ff50 100644 --- a/Test.Rename.Dll/Properties/AssemblyInfo.cs +++ b/Test.Rename.Dll/Properties/AssemblyInfo.cs @@ -29,5 +29,5 @@ using System.Runtime.InteropServices; [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] [assembly: ComVisible(false)] -[assembly: AssemblyVersion("2.0.3.3405")] -[assembly: AssemblyFileVersion("2.0.3.3405")] +[assembly: AssemblyVersion("3.0.2.3405")] +[assembly: AssemblyFileVersion("3.0.2.3405")] diff --git a/Test.Rename/Properties/AssemblyInfo.cs b/Test.Rename/Properties/AssemblyInfo.cs index 6e7ae2ef..676d6953 100644 --- a/Test.Rename/Properties/AssemblyInfo.cs +++ b/Test.Rename/Properties/AssemblyInfo.cs @@ -29,5 +29,5 @@ using System.Runtime.InteropServices; [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] [assembly: ComVisible(false)] -[assembly: AssemblyVersion("2.0.3.3405")] -[assembly: AssemblyFileVersion("2.0.3.3405")] +[assembly: AssemblyVersion("3.0.2.3405")] +[assembly: AssemblyFileVersion("3.0.2.3405")] diff --git a/de4dot-x64/Properties/AssemblyInfo.cs b/de4dot-x64/Properties/AssemblyInfo.cs index 0dbb5020..b395d652 100644 --- a/de4dot-x64/Properties/AssemblyInfo.cs +++ b/de4dot-x64/Properties/AssemblyInfo.cs @@ -29,5 +29,5 @@ using System.Runtime.InteropServices; [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] [assembly: ComVisible(false)] -[assembly: AssemblyVersion("2.0.3.3405")] -[assembly: AssemblyFileVersion("2.0.3.3405")] +[assembly: AssemblyVersion("3.0.2.3405")] +[assembly: AssemblyFileVersion("3.0.2.3405")] 
diff --git a/de4dot.blocks/Properties/AssemblyInfo.cs b/de4dot.blocks/Properties/AssemblyInfo.cs index 59432fe2..42bf3449 100644 --- a/de4dot.blocks/Properties/AssemblyInfo.cs +++ b/de4dot.blocks/Properties/AssemblyInfo.cs @@ -29,5 +29,5 @@ using System.Runtime.InteropServices; [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] [assembly: ComVisible(false)] -[assembly: AssemblyVersion("2.0.3.3405")] -[assembly: AssemblyFileVersion("2.0.3.3405")] +[assembly: AssemblyVersion("3.0.2.3405")] +[assembly: AssemblyFileVersion("3.0.2.3405")] diff --git a/de4dot.code/NameRegexes.cs b/de4dot.code/NameRegexes.cs index 5f1a411b..d98572d6 100644 --- a/de4dot.code/NameRegexes.cs +++ b/de4dot.code/NameRegexes.cs @@ -55,6 +55,10 @@ namespace de4dot.code { public bool DefaultValue { get; set; } public const char regexSeparatorChar = '&'; + public IList Regexes { + get { return regexes; } + } + public NameRegexes() : this("") { } diff --git a/de4dot.code/Option.cs b/de4dot.code/Option.cs index ff0039f4..5ee4e6fd 100644 --- a/de4dot.code/Option.cs +++ b/de4dot.code/Option.cs @@ -91,7 +91,7 @@ namespace de4dot.code { return true; } - public bool get() { + public bool Get() { return val; } } @@ -118,7 +118,7 @@ namespace de4dot.code { return true; } - public int get() { + public int Get() { return val; } } @@ -141,7 +141,7 @@ namespace de4dot.code { return true; } - public string get() { + public string Get() { return val; } } @@ -172,7 +172,7 @@ namespace de4dot.code { return true; } - public NameRegexes get() { + public NameRegexes Get() { return val; } } @@ -201,7 +201,7 @@ namespace de4dot.code { return true; } - public Regex get() { + public Regex Get() { return val; } } @@ -231,7 +231,7 @@ namespace de4dot.code { return true; } - public bool get() { + public bool Get() { return triggered; } } diff --git a/de4dot.code/Properties/AssemblyInfo.cs b/de4dot.code/Properties/AssemblyInfo.cs index 184fc384..4f35a9b1 100644 --- a/de4dot.code/Properties/AssemblyInfo.cs 
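Review bot: The new `Regexes` getter in NameRegexes.cs returns the backing `regexes` field itself, so any caller can add, remove or reorder entries and thereby change which names are treated as valid without going through the class. The element type is not visible in this rendering (the generic arguments appear to have been stripped), but if the field is a `List<T>`, returning a read-only view with `get { return regexes.AsReadOnly(); }` would keep the class in control of its rule set. Failing that, a `///` summary stating that the returned list is live and must not be modified by callers would at least document the contract. The class body starts and ends outside the hunk.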
+++ b/de4dot.code/Properties/AssemblyInfo.cs @@ -29,5 +29,5 @@ using System.Runtime.InteropServices; [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] [assembly: ComVisible(false)] -[assembly: AssemblyVersion("2.0.3.3405")] -[assembly: AssemblyFileVersion("2.0.3.3405")] +[assembly: AssemblyVersion("3.0.2.3405")] +[assembly: AssemblyFileVersion("3.0.2.3405")] diff --git a/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs index e0546f3f..7c7df3fd 100644 --- a/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs @@ -28,7 +28,7 @@ namespace de4dot.code.deobfuscators.Agile_NET { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "Agile.NET"; public const string THE_TYPE = "an"; - const string DEFAULT_REGEX = @"[a-zA-Z_0-9>}$]$"; + const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; BoolOption decryptMethods; BoolOption decryptResources; BoolOption removeStackFrameHelper; @@ -54,12 +54,12 @@ namespace de4dot.code.deobfuscators.Agile_NET { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), - DecryptMethods = decryptMethods.get(), - DecryptResources = decryptResources.get(), - RemoveStackFrameHelper = removeStackFrameHelper.get(), - RestoreVmCode = restoreVmCode.get(), - SetInitLocals = setInitLocals.get(), + ValidNameRegex = validNameRegex.Get(), + DecryptMethods = decryptMethods.Get(), + DecryptResources = decryptResources.Get(), + RemoveStackFrameHelper = removeStackFrameHelper.Get(), + RestoreVmCode = restoreVmCode.Get(), + SetInitLocals = setInitLocals.Get(), }); } diff --git a/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs index 9b62c2e0..1874a634 100644 --- a/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs 
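Review bot: In Agile_NET/Deobfuscator.cs the `DEFAULT_REGEX` replacement is more than a character-range extension: the old pattern `[a-zA-Z_0-9>}$]$` was unanchored at the start and constrained only the final character, whereas `DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX` has to match the whole name. Names that used to pass on their last character alone will now fail the valid-name check and presumably be renamed, so output for existing Agile.NET samples can differ from the previous release. If that is intended, a comment above the constant such as `// Whole-name match; the earlier pattern only checked the last character.` would record the decision. The class continues outside the hunk.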
+++ b/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs @@ -27,6 +27,7 @@ namespace de4dot.code.deobfuscators.Babel_NET { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "Babel .NET"; public const string THE_TYPE = "bl"; + const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; BoolOption inlineMethods; BoolOption removeInlinedMethods; BoolOption decryptMethods; @@ -35,7 +36,7 @@ namespace de4dot.code.deobfuscators.Babel_NET { BoolOption dumpEmbeddedAssemblies; public DeobfuscatorInfo() - : base() { + : base(DEFAULT_REGEX) { inlineMethods = new BoolOption(null, MakeArgName("inline"), "Inline short methods", true); removeInlinedMethods = new BoolOption(null, MakeArgName("remove-inlined"), "Remove inlined methods", true); decryptMethods = new BoolOption(null, MakeArgName("methods"), "Decrypt methods", true); @@ -54,13 +55,13 @@ namespace de4dot.code.deobfuscators.Babel_NET { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), - InlineMethods = inlineMethods.get(), - RemoveInlinedMethods = removeInlinedMethods.get(), - DecryptMethods = decryptMethods.get(), - DecryptResources = decryptResources.get(), - DecryptConstants = decryptConstants.get(), - DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.get(), + ValidNameRegex = validNameRegex.Get(), + InlineMethods = inlineMethods.Get(), + RemoveInlinedMethods = removeInlinedMethods.Get(), + DecryptMethods = decryptMethods.Get(), + DecryptResources = decryptResources.Get(), + DecryptConstants = decryptConstants.Get(), + DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.Get(), }); } diff --git a/de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs index 62805fe6..d4638e73 100644 --- a/de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs 
@@ -26,7 +26,7 @@ namespace de4dot.code.deobfuscators.CodeFort { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "CodeFort"; public const string THE_TYPE = "cf"; - const string DEFAULT_REGEX = @"!^[a-zA-Z]{1,3}$&!^[_<>{}$.`-]$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = @"!^[a-zA-Z]{1,3}$&!^[_<>{}$.`-]$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; BoolOption dumpEmbeddedAssemblies; public DeobfuscatorInfo() @@ -44,8 +44,8 @@ namespace de4dot.code.deobfuscators.CodeFort { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), - DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.get(), + ValidNameRegex = validNameRegex.Get(), + DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.Get(), }); } diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs index 6e546b4a..0b57c0ee 100644 --- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs @@ -26,7 +26,7 @@ namespace de4dot.code.deobfuscators.CodeVeil { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "CodeVeil"; public const string THE_TYPE = "cv"; - const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; public DeobfuscatorInfo() : base(DEFAULT_REGEX) { @@ -42,7 +42,7 @@ namespace de4dot.code.deobfuscators.CodeVeil { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), + ValidNameRegex = validNameRegex.Get(), }); } diff --git a/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs index 06f7f967..6954c380 100644 
--- a/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs @@ -26,7 +26,7 @@ namespace de4dot.code.deobfuscators.CodeWall { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "CodeWall"; public const string THE_TYPE = "cw"; - const string DEFAULT_REGEX = @"!^[0-9A-F]{32}$&!^[_<>{}$.`-]$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = @"!^[0-9A-F]{32}$&!^[_<>{}$.`-]$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; BoolOption dumpEmbeddedAssemblies; BoolOption decryptMainAsm; @@ -46,9 +46,9 @@ namespace de4dot.code.deobfuscators.CodeWall { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), - DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.get(), - DecryptMainAsm = decryptMainAsm.get(), + ValidNameRegex = validNameRegex.Get(), + DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.Get(), + DecryptMainAsm = decryptMainAsm.Get(), }); } diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs index 1cb146eb..d0bb765f 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs 
@@ -28,7 +28,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "Crypto Obfuscator"; public const string THE_TYPE = "co"; - const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; BoolOption removeTamperProtection; BoolOption decryptConstants; BoolOption inlineMethods; @@ -52,11 +52,11 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), - RemoveTamperProtection = removeTamperProtection.get(), - DecryptConstants = decryptConstants.get(), - InlineMethods = inlineMethods.get(), - FixLdnull = fixLdnull.get(), + ValidNameRegex = validNameRegex.Get(), + RemoveTamperProtection = removeTamperProtection.Get(), + DecryptConstants = decryptConstants.Get(), + InlineMethods = inlineMethods.Get(), + FixLdnull = fixLdnull.Get(), }); } diff --git a/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs b/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs index 503fed61..27aed66c 100644 --- a/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs @@ -26,6 +26,7 @@ namespace de4dot.code.deobfuscators.DeepSea { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "DeepSea"; public const string THE_TYPE = "ds"; + const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; BoolOption inlineMethods; BoolOption removeInlinedMethods; BoolOption decryptResources; 
@@ -35,7 +36,7 @@ namespace de4dot.code.deobfuscators.DeepSea { BoolOption castDeobfuscation; public DeobfuscatorInfo() - : base() { + : base(DEFAULT_REGEX) { inlineMethods = new BoolOption(null, MakeArgName("inline"), "Inline short methods", true); removeInlinedMethods = new BoolOption(null, MakeArgName("remove-inlined"), "Remove inlined methods", true); decryptResources = new BoolOption(null, MakeArgName("rsrc"), "Decrypt resources", true); @@ -55,14 +56,14 @@ namespace de4dot.code.deobfuscators.DeepSea { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), - InlineMethods = inlineMethods.get(), - RemoveInlinedMethods = removeInlinedMethods.get(), - DecryptResources = decryptResources.get(), - DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.get(), - RestoreFields = restoreFields.get(), - RenameResourceKeys = renameResourceKeys.get(), - CastDeobfuscation = castDeobfuscation.get(), + ValidNameRegex = validNameRegex.Get(), + InlineMethods = inlineMethods.Get(), + RemoveInlinedMethods = removeInlinedMethods.Get(), + DecryptResources = decryptResources.Get(), + DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.Get(), + RestoreFields = restoreFields.Get(), + RenameResourceKeys = renameResourceKeys.Get(), + CastDeobfuscation = castDeobfuscation.Get(), }); } diff --git a/de4dot.code/deobfuscators/DeobfuscatorBase.cs b/de4dot.code/deobfuscators/DeobfuscatorBase.cs index bfbf8de8..121c8479 100644 --- a/de4dot.code/deobfuscators/DeobfuscatorBase.cs +++ b/de4dot.code/deobfuscators/DeobfuscatorBase.cs 
@@ -29,6 +29,7 @@ using de4dot.blocks.cflow; namespace de4dot.code.deobfuscators { abstract class DeobfuscatorBase : IDeobfuscator, IModuleWriterListener { public const string DEFAULT_VALID_NAME_REGEX = @"^[a-zA-Z_<{$][a-zA-Z_0-9<>{}$.`-]*$"; + public const string DEFAULT_ASIAN_VALID_NAME_REGEX = @"^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$"; class RemoveInfo { public T obj; diff --git a/de4dot.code/deobfuscators/DeobfuscatorInfoBase.cs b/de4dot.code/deobfuscators/DeobfuscatorInfoBase.cs index e5ca4b90..337d9225 100644 --- a/de4dot.code/deobfuscators/DeobfuscatorInfoBase.cs +++ b/de4dot.code/deobfuscators/DeobfuscatorInfoBase.cs @@ -23,10 +23,6 @@ namespace de4dot.code.deobfuscators { public abstract class DeobfuscatorInfoBase : IDeobfuscatorInfo { protected NameRegexOption validNameRegex; - public DeobfuscatorInfoBase() - : this(null) { - } - public DeobfuscatorInfoBase(string nameRegex) { validNameRegex = new NameRegexOption(null, MakeArgName("name"), "Valid name regex pattern", nameRegex ?? DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX); } diff --git a/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs index b6e41355..9b88edb7 100644 --- a/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Dotfuscator/Deobfuscator.cs @@ -25,7 +25,7 @@ namespace de4dot.code.deobfuscators.Dotfuscator { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "Dotfuscator"; public const string THE_TYPE = "df"; - const string DEFAULT_REGEX = @"!^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = @"!^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; public DeobfuscatorInfo() : base(DEFAULT_REGEX) { } 
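Review bot: `DEFAULT_ASIAN_VALID_NAME_REGEX` in DeobfuscatorBase.cs carries no comment saying what `\u2E80-\u9FFF` covers or why that range was chosen. The range runs from the CJK radicals through the CJK unified ideographs (kana included) but leaves out Hangul syllables (U+AC00–U+D7AF), so "ASIAN" overstates it and Korean identifiers would still be judged invalid. It also means obfuscator-generated names built from characters in that range now count as valid in every deobfuscator this diff switches to the constant (Babel, DeepSea, ILProtector, MPRESS and the rest), so they will presumably be left unrenamed. A comment on the constant naming the covered blocks and that trade-off would help, for example `// U+2E80–U+9FFF: CJK radicals to CJK unified ideographs; names in this range are kept as-is.` Separately, the `nameRegex ?? DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX` fallback in DeobfuscatorInfoBase still selects the narrower pattern, which is worth making consistent or explaining.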
@@ -41,7 +41,7 @@ namespace de4dot.code.deobfuscators.Dotfuscator { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { RenameResourcesInCode = false, - ValidNameRegex = validNameRegex.get(), + ValidNameRegex = validNameRegex.Get(), }); } } diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs index 74a3db9b..f21fc072 100644 --- a/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs @@ -28,7 +28,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "Eazfuscator.NET"; public const string THE_TYPE = "ef"; - const string DEFAULT_REGEX = @"!^#=&!^dje_.+_ejd$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = @"!^#=&!^dje_.+_ejd$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; public DeobfuscatorInfo() : base(DEFAULT_REGEX) { } @@ -43,7 +43,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), + ValidNameRegex = validNameRegex.Get(), }); } } diff --git a/de4dot.code/deobfuscators/Goliath_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Goliath_NET/Deobfuscator.cs index d914d05d..8d55f183 100644 --- a/de4dot.code/deobfuscators/Goliath_NET/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Goliath_NET/Deobfuscator.cs 
@@ -25,7 +25,7 @@ namespace de4dot.code.deobfuscators.Goliath_NET { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "Goliath.NET"; public const string THE_TYPE = "go"; - const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; BoolOption inlineMethods; BoolOption removeInlinedMethods; BoolOption restoreLocals; @@ -54,13 +54,13 @@ namespace de4dot.code.deobfuscators.Goliath_NET { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { RenameResourcesInCode = false, - ValidNameRegex = validNameRegex.get(), - InlineMethods = inlineMethods.get(), - RemoveInlinedMethods = removeInlinedMethods.get(), - RestoreLocals = restoreLocals.get(), - DecryptIntegers = decryptIntegers.get(), - DecryptArrays = decryptArrays.get(), - RemoveAntiStrongName = removeAntiStrongName.get(), + ValidNameRegex = validNameRegex.Get(), + InlineMethods = inlineMethods.Get(), + RemoveInlinedMethods = removeInlinedMethods.Get(), + RestoreLocals = restoreLocals.Get(), + DecryptIntegers = decryptIntegers.Get(), + DecryptArrays = decryptArrays.Get(), + RemoveAntiStrongName = removeAntiStrongName.Get(), }); } diff --git a/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs b/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs index 9ad0a082..a517e418 100644 --- a/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs @@ -26,9 +26,10 @@ namespace de4dot.code.deobfuscators.ILProtector { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "ILProtector"; public const string THE_TYPE = "il"; + const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; public DeobfuscatorInfo() - : base() { + : base(DEFAULT_REGEX) { } public override string Name { 
@@ -41,7 +42,7 @@ namespace de4dot.code.deobfuscators.ILProtector { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), + ValidNameRegex = validNameRegex.Get(), }); } diff --git a/de4dot.code/deobfuscators/MPRESS/Deobfuscator.cs b/de4dot.code/deobfuscators/MPRESS/Deobfuscator.cs index 84d4ce7f..508951c3 100644 --- a/de4dot.code/deobfuscators/MPRESS/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/MPRESS/Deobfuscator.cs @@ -29,8 +29,10 @@ namespace de4dot.code.deobfuscators.MPRESS { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "MPRESS"; public const string THE_TYPE = "mp"; + const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; + public DeobfuscatorInfo() - : base() { + : base(DEFAULT_REGEX) { } public override string Name { @@ -43,7 +45,7 @@ namespace de4dot.code.deobfuscators.MPRESS { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), + ValidNameRegex = validNameRegex.Get(), }); } diff --git a/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs b/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs index 62b57472..969e3473 100644 --- a/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs @@ -27,7 +27,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "MaxtoCode"; public const string THE_TYPE = "mc"; - const string DEFAULT_REGEX = @"!^[oO01l]+$&!^[A-F0-9]{20,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = @"!^[oO01l]+$&!^[A-F0-9]{20,}$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; IntOption stringCodePage; public DeobfuscatorInfo() 
@@ -46,8 +46,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { RenameResourcesInCode = false, - ValidNameRegex = validNameRegex.get(), - StringCodePage = stringCodePage.get(), + ValidNameRegex = validNameRegex.Get(), + StringCodePage = stringCodePage.Get(), }); } diff --git a/de4dot.code/deobfuscators/Rummage/Deobfuscator.cs b/de4dot.code/deobfuscators/Rummage/Deobfuscator.cs index fb50b00f..6a4088bd 100644 --- a/de4dot.code/deobfuscators/Rummage/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Rummage/Deobfuscator.cs @@ -26,6 +26,7 @@ namespace de4dot.code.deobfuscators.Rummage { public const string THE_NAME = "Rummage"; public const string THE_TYPE = "rm"; const string DEFAULT_REGEX = @"!."; + public DeobfuscatorInfo() : base(DEFAULT_REGEX) { } @@ -40,7 +41,7 @@ namespace de4dot.code.deobfuscators.Rummage { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), + ValidNameRegex = validNameRegex.Get(), }); } } diff --git a/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs index c787abda..46b11a80 100644 --- a/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Skater_NET/Deobfuscator.cs @@ -25,7 +25,7 @@ namespace de4dot.code.deobfuscators.Skater_NET { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "Skater .NET"; public const string THE_TYPE = "sk"; - const string DEFAULT_REGEX = @"!`[^0-9]+&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = @"!`[^0-9]+&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; public DeobfuscatorInfo() : base(DEFAULT_REGEX) { 
@@ -41,7 +41,7 @@ namespace de4dot.code.deobfuscators.Skater_NET { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), + ValidNameRegex = validNameRegex.Get(), }); } } diff --git a/de4dot.code/deobfuscators/SmartAssembly/AssemblyResolverInfo.cs b/de4dot.code/deobfuscators/SmartAssembly/AssemblyResolverInfo.cs index 668a76d0..da322687 100644 --- a/de4dot.code/deobfuscators/SmartAssembly/AssemblyResolverInfo.cs +++ b/de4dot.code/deobfuscators/SmartAssembly/AssemblyResolverInfo.cs @@ -101,7 +101,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly { } protected override bool CheckResolverType(TypeDef type) { - if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) != null) + if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) != null || + DotNetUtils.FindFieldType(type, "System.Collections.Generic.Dictionary`2", true) != null) return true; foreach (var field in type.Fields) { diff --git a/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs b/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs index 7db5025d..70632d60 100644 --- a/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs 
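Review bot: In `CheckResolverType` (the AssemblyResolverInfo.cs hunk), the added "System.Collections.Generic.Dictionary`2" lookup matches on the open generic name only, so any candidate type with such a field now returns `true` before the field loop below is reached. Generic dictionaries are much more common in ordinary code than `Hashtable`, so this widens the heuristic. Depending on what callers do with a positive result (not visible in this diff), a legitimate type in the analysed assembly could be misclassified as a resolver. A short comment would record why the second form is accepted, e.g. `// Some resolver types keep their table in a Dictionary<,> instead of a Hashtable`, and the match could be tightened if the expected key/value types are known. The method body continues outside the hunk.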
@@ -29,12 +29,13 @@ namespace de4dot.code.deobfuscators.SmartAssembly { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "SmartAssembly"; public const string THE_TYPE = "sa"; + const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; BoolOption removeAutomatedErrorReporting; BoolOption removeTamperProtection; BoolOption removeMemoryManager; public DeobfuscatorInfo() - : base() { + : base(DEFAULT_REGEX) { removeAutomatedErrorReporting = new BoolOption(null, MakeArgName("error"), "Remove automated error reporting code", true); removeTamperProtection = new BoolOption(null, MakeArgName("tamper"), "Remove tamper protection code", true); removeMemoryManager = new BoolOption(null, MakeArgName("memory"), "Remove memory manager code", true); @@ -50,10 +51,10 @@ namespace de4dot.code.deobfuscators.SmartAssembly { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), - RemoveAutomatedErrorReporting = removeAutomatedErrorReporting.get(), - RemoveTamperProtection = removeTamperProtection.get(), - RemoveMemoryManager = removeMemoryManager.get(), + ValidNameRegex = validNameRegex.Get(), + RemoveAutomatedErrorReporting = removeAutomatedErrorReporting.Get(), + RemoveTamperProtection = removeTamperProtection.Get(), + RemoveMemoryManager = removeMemoryManager.Get(), }); } diff --git a/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs b/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs index c00124d5..715bd614 100644 --- a/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs 
@@ -26,7 +26,7 @@ namespace de4dot.code.deobfuscators.Spices_Net { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "Spices.Net"; public const string THE_TYPE = "sn"; - const string DEFAULT_REGEX = @"!^[a-zA-Z0-9]{1,2}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = @"!^[a-zA-Z0-9]{1,2}$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; BoolOption inlineMethods; BoolOption removeInlinedMethods; BoolOption removeNamespaces; @@ -50,11 +50,11 @@ namespace de4dot.code.deobfuscators.Spices_Net { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), - InlineMethods = inlineMethods.get(), - RemoveInlinedMethods = removeInlinedMethods.get(), - RemoveNamespaces = removeNamespaces.get(), - RestoreResourceNames = restoreResourceNames.get(), + ValidNameRegex = validNameRegex.Get(), + InlineMethods = inlineMethods.Get(), + RemoveInlinedMethods = removeInlinedMethods.Get(), + RemoveNamespaces = removeNamespaces.Get(), + RestoreResourceNames = restoreResourceNames.Get(), }); } diff --git a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs index b4175e23..b7639915 100644 --- a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs @@ -25,8 +25,10 @@ namespace de4dot.code.deobfuscators.Unknown { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "Unknown"; public const string THE_TYPE = "un"; + const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + public DeobfuscatorInfo() - : base() { + : base(DEFAULT_REGEX) { } public override string Name { 
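Review bot: In the `Unknown` deobfuscator hunk, `DEFAULT_REGEX` is set to `DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX`, while the other deobfuscators in this part of the diff all move to `DEFAULT_ASIAN_VALID_NAME_REGEX`. If that difference is deliberate for the fallback case where no obfuscator is identified, a one-line comment above the constant would keep a later cleanup from "aligning" it, for example `// Deliberately not DEFAULT_ASIAN_VALID_NAME_REGEX: <reason>`. If it is an oversight, the constant should match its siblings.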
@@ -40,7 +42,7 @@ namespace de4dot.code.deobfuscators.Unknown { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { RenameResourcesInCode = false, - ValidNameRegex = validNameRegex.get(), + ValidNameRegex = validNameRegex.Get(), }); } } diff --git a/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs b/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs index eac785f5..f42cb14d 100644 --- a/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Xenocode/Deobfuscator.cs @@ -24,7 +24,8 @@ namespace de4dot.code.deobfuscators.Xenocode { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = "Xenocode"; public const string THE_TYPE = "xc"; - const string DEFAULT_REGEX = @"!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?[x_][a-f0-9]{16,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = @"!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?[x_][a-f0-9]{16,}$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; + public DeobfuscatorInfo() : base(DEFAULT_REGEX) { } @@ -39,7 +40,7 @@ namespace de4dot.code.deobfuscators.Xenocode { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), + ValidNameRegex = validNameRegex.Get(), }); } } diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v3/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v3/Deobfuscator.cs index b3bb4080..070c1dd8 100644 --- a/de4dot.code/deobfuscators/dotNET_Reactor/v3/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/dotNET_Reactor/v3/Deobfuscator.cs 
@@ -31,7 +31,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = ".NET Reactor"; public const string THE_TYPE = "dr3"; - const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; BoolOption restoreTypes; BoolOption inlineMethods; BoolOption removeInlinedMethods; @@ -57,12 +57,12 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v3 { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), - RestoreTypes = restoreTypes.get(), - InlineMethods = inlineMethods.get(), - RemoveInlinedMethods = removeInlinedMethods.get(), - RemoveNamespaces = removeNamespaces.get(), - RemoveAntiStrongName = removeAntiStrongName.get(), + ValidNameRegex = validNameRegex.Get(), + RestoreTypes = restoreTypes.Get(), + InlineMethods = inlineMethods.Get(), + RemoveInlinedMethods = removeInlinedMethods.Get(), + RemoveNamespaces = removeNamespaces.Get(), + RemoveAntiStrongName = removeAntiStrongName.Get(), }); } diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs index 70e24bca..0cbca43c 100644 --- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs 
@@ -32,7 +32,8 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { public class DeobfuscatorInfo : DeobfuscatorInfoBase { public const string THE_NAME = ".NET Reactor"; public const string THE_TYPE = "dr4"; - const string DEFAULT_REGEX = @"!^[A-Za-z0-9]{2,3}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + public const string SHORT_NAME_REGEX = @"!^[A-Za-z0-9]{2,3}$"; + const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; BoolOption decryptMethods; BoolOption decryptBools; BoolOption restoreTypes; @@ -42,6 +43,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { BoolOption decryptResources; BoolOption removeNamespaces; BoolOption removeAntiStrongName; + BoolOption renameShort; public DeobfuscatorInfo() : base(DEFAULT_REGEX) { @@ -54,6 +56,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { decryptResources = new BoolOption(null, MakeArgName("rsrc"), "Decrypt resources", true); removeNamespaces = new BoolOption(null, MakeArgName("ns1"), "Clear namespace if there's only one class in it", true); removeAntiStrongName = new BoolOption(null, MakeArgName("sn"), "Remove anti strong name code", true); + renameShort = new BoolOption(null, MakeArgName("sname"), "Rename short names", false); } public override string Name { 
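Review bot: The .NET Reactor v4 `DEFAULT_REGEX` no longer carries the `!^[A-Za-z0-9]{2,3}$` clause, and the new `sname` option that reintroduces it defaults to `false`. So whatever that clause did for two- and three-character names by default before this commit now requires an explicit opt-in. The help string `"Rename short names"` does not say what counts as short or that the default changed; `"Rename names that are only 2-3 alphanumeric characters (off by default)"` would make both explicit. `SHORT_NAME_REGEX` also becomes `public` here; a comment noting that it is public only so the `Deobfuscator` in the same file can use it would help, or it could stay non-public if the two classes allow it.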
@@ -66,16 +69,17 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { public override IDeobfuscator CreateDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { - ValidNameRegex = validNameRegex.get(), - DecryptMethods = decryptMethods.get(), - DecryptBools = decryptBools.get(), - RestoreTypes = restoreTypes.get(), - InlineMethods = inlineMethods.get(), - RemoveInlinedMethods = removeInlinedMethods.get(), - DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.get(), - DecryptResources = decryptResources.get(), - RemoveNamespaces = removeNamespaces.get(), - RemoveAntiStrongName = removeAntiStrongName.get(), + ValidNameRegex = validNameRegex.Get(), + DecryptMethods = decryptMethods.Get(), + DecryptBools = decryptBools.Get(), + RestoreTypes = restoreTypes.Get(), + InlineMethods = inlineMethods.Get(), + RemoveInlinedMethods = removeInlinedMethods.Get(), + DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.Get(), + DecryptResources = decryptResources.Get(), + RemoveNamespaces = removeNamespaces.Get(), + RemoveAntiStrongName = removeAntiStrongName.Get(), + RenameShort = renameShort.Get(), }); } @@ -90,6 +94,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { decryptResources, removeNamespaces, removeAntiStrongName, + renameShort, }; } } @@ -125,6 +130,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { public bool DecryptResources { get; set; } public bool RemoveNamespaces { get; set; } public bool RemoveAntiStrongName { get; set; } + public bool RenameShort { get; set; } } public override string Type { @@ -160,6 +166,8 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 { this.RenamingOptions |= RenamingOptions.RemoveNamespaceIfOneType; else this.RenamingOptions &= ~RenamingOptions.RemoveNamespaceIfOneType; + if (options.RenameShort) + options.ValidNameRegex.Regexes.Insert(0, new NameRegex(DeobfuscatorInfo.SHORT_NAME_REGEX)); } public override byte[] UnpackNativeFile(IPEImage peImage) { 
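Review bot: The `RenameShort` branch in the last hunk, `options.ValidNameRegex.Regexes.Insert(0, new NameRegex(DeobfuscatorInfo.SHORT_NAME_REGEX))`, mutates the object that `CreateDeobfuscator` got from `validNameRegex.Get()`. If `Get()` returns the option's own instance rather than a copy (not visible in this diff), each deobfuscator created in a run prepends another copy of the rule to the same shared list. Inserting at index 0 also presumably gives this rule priority over a name regex the user supplied on the command line, which may not be intended. Building the combined list on a private copy, or skipping the insert when the rule is already present, would avoid both. The enclosing member starts outside the hunk.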
diff --git a/de4dot.cui/Properties/AssemblyInfo.cs b/de4dot.cui/Properties/AssemblyInfo.cs
index 56f00f7c..bab31dd0 100644
--- a/de4dot.cui/Properties/AssemblyInfo.cs
+++ b/de4dot.cui/Properties/AssemblyInfo.cs
@@ -30,7 +30,7 @@ using System.Runtime.InteropServices;
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("2.0.3.3405")]
-[assembly: AssemblyFileVersion("2.0.3.3405")]
+[assembly: AssemblyVersion("3.0.2.3405")]
+[assembly: AssemblyFileVersion("3.0.2.3405")]
 [assembly: InternalsVisibleTo("de4dot, PublicKey=00240000048000009400000006020000002400005253413100040000010001007b5ffd8f48f1397cd4e21c9e30a5cb36b2c013d6f20688c90e3f0c2d24e6d67cbeea7a6ec3faf9ba081f3d6b6fbe389677adbb8337d3a16187cd13b16a34008a22b89089da41c4a08fd35615c77de0827adcca6d49b08c0ed3e0404a1c44b7d083be614acb1779e4fb275e14427f3687f375d03f3b465c8a6cdeebd1f8c7f4ea")]
 [assembly: InternalsVisibleTo("de4dot-x64, PublicKey=00240000048000009400000006020000002400005253413100040000010001007b5ffd8f48f1397cd4e21c9e30a5cb36b2c013d6f20688c90e3f0c2d24e6d67cbeea7a6ec3faf9ba081f3d6b6fbe389677adbb8337d3a16187cd13b16a34008a22b89089da41c4a08fd35615c77de0827adcca6d49b08c0ed3e0404a1c44b7d083be614acb1779e4fb275e14427f3687f375d03f3b465c8a6cdeebd1f8c7f4ea")]
diff --git a/de4dot.mdecrypt/Properties/AssemblyInfo.cs b/de4dot.mdecrypt/Properties/AssemblyInfo.cs
index 9ff8696c..9966c65e 100644
--- a/de4dot.mdecrypt/Properties/AssemblyInfo.cs
+++ b/de4dot.mdecrypt/Properties/AssemblyInfo.cs
@@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("2.0.3.3405")]
-[assembly: AssemblyFileVersion("2.0.3.3405")]
+[assembly: AssemblyVersion("3.0.2.3405")]
+[assembly: AssemblyFileVersion("3.0.2.3405")]
diff --git a/de4dot/Properties/AssemblyInfo.cs b/de4dot/Properties/AssemblyInfo.cs
index 265b7381..4822cc61 100644
--- a/de4dot/Properties/AssemblyInfo.cs
+++ b/de4dot/Properties/AssemblyInfo.cs
@@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("2.0.3.3405")]
-[assembly: AssemblyFileVersion("2.0.3.3405")]
+[assembly: AssemblyVersion("3.0.2.3405")]
+[assembly: AssemblyFileVersion("3.0.2.3405")]
diff --git a/dnlib b/dnlib
index bd9b2498..08030682 160000
--- a/dnlib
+++ b/dnlib
@@ -1 +1 @@
-Subproject commit bd9b249820ebb1dd561fe376316d1b070f02d3e4
+Subproject commit 080306826f27fc4205f79a64b56247a04073991a