Restore ldnull instructions
parent
67c9e76276
commit
f9ed45c670
|
@ -131,6 +131,7 @@
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\InlinedMethodTypes.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\InlinedMethodTypes.cs" />
|
||||||
|
<Compile Include="deobfuscators\CryptoObfuscator\LdnullFixer.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\ProxyCallFixer.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\ProxyCallFixer.cs" />
|
||||||
|
|
|
@ -37,7 +37,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
return false;
|
return false;
|
||||||
if (method.HasGenericParameters)
|
if (method.HasGenericParameters)
|
||||||
return false;
|
return false;
|
||||||
if (!inlinedMethodTypes.IsValidMethodType(method.DeclaringType))
|
if (!InlinedMethodTypes.IsValidMethodType(method.DeclaringType))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
|
|
@ -32,12 +32,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
BoolOption removeTamperProtection;
|
BoolOption removeTamperProtection;
|
||||||
BoolOption decryptConstants;
|
BoolOption decryptConstants;
|
||||||
BoolOption inlineMethods;
|
BoolOption inlineMethods;
|
||||||
|
BoolOption fixLdnull;
|
||||||
|
|
||||||
public DeobfuscatorInfo()
|
public DeobfuscatorInfo()
|
||||||
: base(DEFAULT_REGEX) {
|
: base(DEFAULT_REGEX) {
|
||||||
removeTamperProtection = new BoolOption(null, MakeArgName("tamper"), "Remove tamper protection code", true);
|
removeTamperProtection = new BoolOption(null, MakeArgName("tamper"), "Remove tamper protection code", true);
|
||||||
decryptConstants = new BoolOption(null, MakeArgName("consts"), "Decrypt constants", true);
|
decryptConstants = new BoolOption(null, MakeArgName("consts"), "Decrypt constants", true);
|
||||||
inlineMethods = new BoolOption(null, MakeArgName("inline"), "Inline short methods", true);
|
inlineMethods = new BoolOption(null, MakeArgName("inline"), "Inline short methods", true);
|
||||||
|
fixLdnull = new BoolOption(null, MakeArgName("ldnull"), "Restore ldnull instructions", true);
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string Name {
|
public override string Name {
|
||||||
|
@ -54,6 +56,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
RemoveTamperProtection = removeTamperProtection.get(),
|
RemoveTamperProtection = removeTamperProtection.get(),
|
||||||
DecryptConstants = decryptConstants.get(),
|
DecryptConstants = decryptConstants.get(),
|
||||||
InlineMethods = inlineMethods.get(),
|
InlineMethods = inlineMethods.get(),
|
||||||
|
FixLdnull = fixLdnull.get(),
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -62,6 +65,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
removeTamperProtection,
|
removeTamperProtection,
|
||||||
decryptConstants,
|
decryptConstants,
|
||||||
inlineMethods,
|
inlineMethods,
|
||||||
|
fixLdnull,
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -93,6 +97,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
public bool RemoveTamperProtection { get; set; }
|
public bool RemoveTamperProtection { get; set; }
|
||||||
public bool DecryptConstants { get; set; }
|
public bool DecryptConstants { get; set; }
|
||||||
public bool InlineMethods { get; set; }
|
public bool InlineMethods { get; set; }
|
||||||
|
public bool FixLdnull { get; set; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string Type {
|
public override string Type {
|
||||||
|
@ -275,13 +280,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
}
|
}
|
||||||
|
|
||||||
public override void DeobfuscateEnd() {
|
public override void DeobfuscateEnd() {
|
||||||
|
if (options.FixLdnull)
|
||||||
|
new LdnullFixer(module, inlinedMethodTypes).Restore();
|
||||||
RemoveProxyDelegates(proxyCallFixer);
|
RemoveProxyDelegates(proxyCallFixer);
|
||||||
if (CanRemoveStringDecrypterType) {
|
if (CanRemoveStringDecrypterType) {
|
||||||
AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
|
AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
|
||||||
AddTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
|
AddTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
|
||||||
}
|
}
|
||||||
if (options.InlineMethods)
|
AddTypesToBeRemoved(inlinedMethodTypes.Types, "Inlined methods type");
|
||||||
AddTypesToBeRemoved(inlinedMethodTypes.Types, "Inlined methods types");
|
|
||||||
base.DeobfuscateEnd();
|
base.DeobfuscateEnd();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
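Review bot: In `DeobfuscateEnd`, the types that `LdnullFixer.Restore()` adds to `inlinedMethodTypes` are removed under the reason "Inlined methods type", so the log attributes removed ldnull field-holder types to method inlining. The removal also now runs when the inline option is off, because the `if (options.InlineMethods)` guard is gone. That looks intentional, but nothing in the code says so. A comment above the call such as `// inlinedMethodTypes also holds the ldnull field types added by LdnullFixer` plus a neutral reason string would keep the output honest for whoever audits what was stripped. The body of `DeobfuscateEnd` is fully inside this hunk.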
|
@ -39,7 +39,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
bool IsValidType(TypeDef type) {
|
static bool IsValidType(TypeDef type) {
|
||||||
if (type == null)
|
if (type == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -62,7 +62,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool IsValidMethodType(TypeDef type) {
|
public static bool IsValidMethodType(TypeDef type) {
|
||||||
if (!IsValidType(type))
|
if (!IsValidType(type))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -74,6 +74,18 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static bool IsValidFieldType(TypeDef type) {
|
||||||
|
if (!IsValidType(type))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (type.HasMethods)
|
||||||
|
return false;
|
||||||
|
if (type.Fields.Count != 1)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
public void Add(TypeDef type) {
|
public void Add(TypeDef type) {
|
||||||
if (type == null || types.ContainsKey(type))
|
if (type == null || types.ContainsKey(type))
|
||||||
return;
|
return;
|
||||||
|
|
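Review bot: `IsValidFieldType` accepts any type that passes `IsValidType`, has no methods and has exactly one field, but it never inspects that field. `LdnullFixer` later rewrites every `ldsfld` of such a field to `ldnull`, so a value-typed static field that is never written would also be rewritten and the output IL would no longer be type-correct. Since the input assembly is untrusted, the heuristic should check the field as well, for example `var f = type.Fields[0]; if (!f.IsStatic || f.FieldSig.Type.IsValueType) return false;`. Most of `IsValidType` lies outside the visible hunks, so confirm it does not already constrain the field.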
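--- a/de4dot.code/deobfuscators/CryptoObfuscator/LdnullFixer.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/LdnullFixer.cs
@@ -0,0 +1,126 @@
+/*
+Copyright (C) 2011-2013 de4dot@gmail.com
+
+This file is part of de4dot.
+
+de4dot is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+de4dot is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with de4dot. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using de4dot.blocks;
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+
+namespace de4dot.code.deobfuscators.CryptoObfuscator {
+class LdnullFixer {
+readonly ModuleDef module;
+readonly InlinedMethodTypes inlinedMethodTypes;
+
+public LdnullFixer(ModuleDef module, InlinedMethodTypes inlinedMethodTypes) {
+this.module = module;
+this.inlinedMethodTypes = inlinedMethodTypes;
+}
+
+public void Restore() {
+var fields = FindFieldTypes(FindFieldTypes());
+Restore(fields);
+foreach (var field in fields.Keys)
+inlinedMethodTypes.Add(field.DeclaringType);
+}
+
+FieldDefAndDeclaringTypeDict<FieldDef> FindFieldTypes() {
+var dict = new FieldDefAndDeclaringTypeDict<FieldDef>();
+
+foreach (var type in module.GetTypes()) {
+foreach (var method in type.Methods) {
+var body = method.Body;
+if (body == null)
+continue;
+foreach (var instr in body.Instructions) {
+if (instr.OpCode.Code != Code.Ldsfld)
+continue;
+var field = instr.Operand as FieldDef;
+if (field == null)
+continue;
+var declType = field.DeclaringType;
+if (declType == null)
+continue;
+if (!InlinedMethodTypes.IsValidFieldType(declType))
+continue;
+dict.Add(field, field);
+}
+}
+}
+
+return dict;
+}
+
+Dictionary<FieldDef, bool> FindFieldTypes(FieldDefAndDeclaringTypeDict<FieldDef> fields) {
+var validFields = new Dictionary<FieldDef, bool>(fields.Count);
+foreach (var field in fields.GetKeys())
+validFields.Add(field, false);
+
+foreach (var type in module.GetTypes()) {
+if (validFields.Count == 0)
+break;
+
+foreach (var method in type.Methods) {
+var body = method.Body;
+if (body == null)
+continue;
+foreach (var instr in body.Instructions) {
+if (instr.OpCode.Code == Code.Ldsfld)
+continue;
+var field = instr.Operand as IField;
+if (field == null)
+continue;
+
+var validType = fields.Find(field);
+if (validType == null)
+continue;
+
+validFields.Remove(validType);
+}
+}
+}
+
+return validFields;
+}
+
+int Restore(Dictionary<FieldDef, bool> nullFields) {
+int numRestored = 0;
+foreach (var type in module.GetTypes()) {
+foreach (var method in type.Methods) {
+var body = method.Body;
+if (body == null)
+continue;
+foreach (var instr in body.Instructions) {
+if (instr.OpCode.Code != Code.Ldsfld)
+continue;
+var field = instr.Operand as FieldDef;
+if (field == null)
+continue;
+if (!nullFields.ContainsKey(field))
+continue;
+
+instr.OpCode = OpCodes.Ldnull;
+instr.Operand = null;
+numRestored++;
+}
+}
+}
+return numRestored;
+}
+}
+}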
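Review bot: An `ldsfld` whose operand is not a `FieldDef` (for example a `MemberRef` that resolves to the same field) is handled by none of the three passes. The collecting pass and `Restore(Dictionary<FieldDef, bool>)` both use `instr.Operand as FieldDef`, and the validation pass in `FindFieldTypes(fields)` skips every `ldsfld` before its `IField` lookup. Such a load neither disqualifies the field nor gets rewritten, yet `Restore()` still queues `field.DeclaringType` for removal, which could leave a reference to a deleted type in the output. Narrowing the skip to `if (instr.OpCode.Code == Code.Ldsfld && instr.Operand is FieldDef) continue;` makes any other `ldsfld` fall through to the `fields.Find(field)` check and drop the candidate. The count returned by `Restore(nullFields)` is discarded; logging it would show how many instructions were changed.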