Restore ldnull instructions
This commit is contained in:
parent
67c9e76276
commit
f9ed45c670
|
@ -131,6 +131,7 @@
|
|||
<Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\InlinedMethodTypes.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\LdnullFixer.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\ProxyCallFixer.cs" />
|
||||
|
|
|
@ -37,7 +37,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
return false;
|
||||
if (method.HasGenericParameters)
|
||||
return false;
|
||||
if (!inlinedMethodTypes.IsValidMethodType(method.DeclaringType))
|
||||
if (!InlinedMethodTypes.IsValidMethodType(method.DeclaringType))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
|
|
|
@ -32,12 +32,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
BoolOption removeTamperProtection;
|
||||
BoolOption decryptConstants;
|
||||
BoolOption inlineMethods;
|
||||
BoolOption fixLdnull;
|
||||
|
||||
public DeobfuscatorInfo()
|
||||
: base(DEFAULT_REGEX) {
|
||||
removeTamperProtection = new BoolOption(null, MakeArgName("tamper"), "Remove tamper protection code", true);
|
||||
decryptConstants = new BoolOption(null, MakeArgName("consts"), "Decrypt constants", true);
|
||||
inlineMethods = new BoolOption(null, MakeArgName("inline"), "Inline short methods", true);
|
||||
fixLdnull = new BoolOption(null, MakeArgName("ldnull"), "Restore ldnull instructions", true);
|
||||
}
|
||||
|
||||
public override string Name {
|
||||
|
@ -54,6 +56,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
RemoveTamperProtection = removeTamperProtection.get(),
|
||||
DecryptConstants = decryptConstants.get(),
|
||||
InlineMethods = inlineMethods.get(),
|
||||
FixLdnull = fixLdnull.get(),
|
||||
});
|
||||
}
|
||||
|
||||
|
@ -62,6 +65,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
removeTamperProtection,
|
||||
decryptConstants,
|
||||
inlineMethods,
|
||||
fixLdnull,
|
||||
};
|
||||
}
|
||||
}
|
||||
|
@ -93,6 +97,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
public bool RemoveTamperProtection { get; set; }
|
||||
public bool DecryptConstants { get; set; }
|
||||
public bool InlineMethods { get; set; }
|
||||
public bool FixLdnull { get; set; }
|
||||
}
|
||||
|
||||
public override string Type {
|
||||
|
@ -275,13 +280,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
}
|
||||
|
||||
public override void DeobfuscateEnd() {
|
||||
if (options.FixLdnull)
|
||||
new LdnullFixer(module, inlinedMethodTypes).Restore();
|
||||
RemoveProxyDelegates(proxyCallFixer);
|
||||
if (CanRemoveStringDecrypterType) {
|
||||
AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
|
||||
AddTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
|
||||
}
|
||||
if (options.InlineMethods)
|
||||
AddTypesToBeRemoved(inlinedMethodTypes.Types, "Inlined methods types");
|
||||
AddTypesToBeRemoved(inlinedMethodTypes.Types, "Inlined methods type");
|
||||
base.DeobfuscateEnd();
|
||||
}
|
||||
|
||||
|
|
|
@ -39,7 +39,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
}
|
||||
}
|
||||
|
||||
bool IsValidType(TypeDef type) {
|
||||
static bool IsValidType(TypeDef type) {
|
||||
if (type == null)
|
||||
return false;
|
||||
|
||||
|
@ -62,7 +62,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
return true;
|
||||
}
|
||||
|
||||
public bool IsValidMethodType(TypeDef type) {
|
||||
public static bool IsValidMethodType(TypeDef type) {
|
||||
if (!IsValidType(type))
|
||||
return false;
|
||||
|
||||
|
@ -74,6 +74,18 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
return true;
|
||||
}
|
||||
|
||||
public static bool IsValidFieldType(TypeDef type) {
|
||||
if (!IsValidType(type))
|
||||
return false;
|
||||
|
||||
if (type.HasMethods)
|
||||
return false;
|
||||
if (type.Fields.Count != 1)
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
public void Add(TypeDef type) {
|
||||
if (type == null || types.ContainsKey(type))
|
||||
return;
|
||||
|
|
126
de4dot.code/deobfuscators/CryptoObfuscator/LdnullFixer.cs
Normal file
126
de4dot.code/deobfuscators/CryptoObfuscator/LdnullFixer.cs
Normal file
|
@ -0,0 +1,126 @@
|
|||
/*
|
||||
Copyright (C) 2011-2013 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using System.Collections.Generic;
|
||||
using de4dot.blocks;
|
||||
using dnlib.DotNet;
|
||||
using dnlib.DotNet.Emit;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class LdnullFixer {
|
||||
readonly ModuleDef module;
|
||||
readonly InlinedMethodTypes inlinedMethodTypes;
|
||||
|
||||
public LdnullFixer(ModuleDef module, InlinedMethodTypes inlinedMethodTypes) {
|
||||
this.module = module;
|
||||
this.inlinedMethodTypes = inlinedMethodTypes;
|
||||
}
|
||||
|
||||
public void Restore() {
|
||||
var fields = FindFieldTypes(FindFieldTypes());
|
||||
Restore(fields);
|
||||
foreach (var field in fields.Keys)
|
||||
inlinedMethodTypes.Add(field.DeclaringType);
|
||||
}
|
||||
|
||||
FieldDefAndDeclaringTypeDict<FieldDef> FindFieldTypes() {
|
||||
var dict = new FieldDefAndDeclaringTypeDict<FieldDef>();
|
||||
|
||||
foreach (var type in module.GetTypes()) {
|
||||
foreach (var method in type.Methods) {
|
||||
var body = method.Body;
|
||||
if (body == null)
|
||||
continue;
|
||||
foreach (var instr in body.Instructions) {
|
||||
if (instr.OpCode.Code != Code.Ldsfld)
|
||||
continue;
|
||||
var field = instr.Operand as FieldDef;
|
||||
if (field == null)
|
||||
continue;
|
||||
var declType = field.DeclaringType;
|
||||
if (declType == null)
|
||||
continue;
|
||||
if (!InlinedMethodTypes.IsValidFieldType(declType))
|
||||
continue;
|
||||
dict.Add(field, field);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return dict;
|
||||
}
|
||||
|
||||
Dictionary<FieldDef, bool> FindFieldTypes(FieldDefAndDeclaringTypeDict<FieldDef> fields) {
|
||||
var validFields = new Dictionary<FieldDef, bool>(fields.Count);
|
||||
foreach (var field in fields.GetKeys())
|
||||
validFields.Add(field, false);
|
||||
|
||||
foreach (var type in module.GetTypes()) {
|
||||
if (validFields.Count == 0)
|
||||
break;
|
||||
|
||||
foreach (var method in type.Methods) {
|
||||
var body = method.Body;
|
||||
if (body == null)
|
||||
continue;
|
||||
foreach (var instr in body.Instructions) {
|
||||
if (instr.OpCode.Code == Code.Ldsfld)
|
||||
continue;
|
||||
var field = instr.Operand as IField;
|
||||
if (field == null)
|
||||
continue;
|
||||
|
||||
var validType = fields.Find(field);
|
||||
if (validType == null)
|
||||
continue;
|
||||
|
||||
validFields.Remove(validType);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return validFields;
|
||||
}
|
||||
|
||||
int Restore(Dictionary<FieldDef, bool> nullFields) {
|
||||
int numRestored = 0;
|
||||
foreach (var type in module.GetTypes()) {
|
||||
foreach (var method in type.Methods) {
|
||||
var body = method.Body;
|
||||
if (body == null)
|
||||
continue;
|
||||
foreach (var instr in body.Instructions) {
|
||||
if (instr.OpCode.Code != Code.Ldsfld)
|
||||
continue;
|
||||
var field = instr.Operand as FieldDef;
|
||||
if (field == null)
|
||||
continue;
|
||||
if (!nullFields.ContainsKey(field))
|
||||
continue;
|
||||
|
||||
instr.OpCode = OpCodes.Ldnull;
|
||||
instr.Operand = null;
|
||||
numRestored++;
|
||||
}
|
||||
}
|
||||
}
|
||||
return numRestored;
|
||||
}
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user