Decrypt methods (CS RT is embedded inside the assembly)
This commit is contained in:
de4dot
parent
4d8eb601f2
commit
fbba6a2aa8
|
|
@ -18,8 +18,10 @@
|
|||
*/
|
||||
|
||||
using System;
|
||||
using System.IO;
|
||||
using Mono.Cecil;
|
||||
using de4dot.blocks;
|
||||
using de4dot.PE;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CliSecure {
|
||||
class CliSecureRtType {
|
||||
|
|
@ -29,9 +31,10 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
|||
MethodDefinition initializeMethod;
|
||||
MethodDefinition stringDecrypterMethod;
|
||||
MethodDefinition loadMethod;
|
||||
bool foundSig;
|
||||
|
||||
public bool Detected {
|
||||
get { return cliSecureRtType != null; }
|
||||
get { return foundSig || cliSecureRtType != null; }
|
||||
}
|
||||
|
||||
public TypeDefinition Type {
|
||||
|
|
@ -76,7 +79,9 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
|||
return;
|
||||
if (find2())
|
||||
return;
|
||||
findOld();
|
||||
if (findOld())
|
||||
return;
|
||||
findNativeCode();
|
||||
}
|
||||
|
||||
bool find2() {
|
||||
|
|
@ -143,6 +148,15 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
|||
return false;
|
||||
}
|
||||
|
||||
bool findNativeCode() {
|
||||
if ((module.Attributes & ModuleAttributes.ILOnly) != 0)
|
||||
return false;
|
||||
|
||||
var peImage = new PeImage(new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read));
|
||||
foundSig = MethodsDecrypter.detect(peImage);
|
||||
return foundSig;
|
||||
}
|
||||
|
||||
static bool hasPinvokeMethod(TypeDefinition type, string methodName) {
|
||||
foreach (var method in type.Methods) {
|
||||
if (method.PInvokeInfo == null)
|
||||
|
|
|
|||
|
|
@ -278,8 +278,12 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
|||
return new CsHeader5(this);
|
||||
}
|
||||
|
||||
static uint getCodeHeaderOffset(PeImage peImage) {
|
||||
return peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
|
||||
}
|
||||
|
||||
public bool decrypt2(ref DumpedMethods dumpedMethods) {
|
||||
uint codeHeaderOffset = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
|
||||
uint codeHeaderOffset = getCodeHeaderOffset(peImage);
|
||||
if (!readCodeHeader(codeHeaderOffset))
|
||||
return false;
|
||||
|
||||
|
|
@ -350,5 +354,16 @@ namespace de4dot.code.deobfuscators.CliSecure {
|
|||
|
||||
return true;
|
||||
}
|
||||
|
||||
public static bool detect(PeImage peImage) {
|
||||
try {
|
||||
uint codeHeaderOffset = getCodeHeaderOffset(peImage);
|
||||
var sig = peImage.offsetReadBytes(codeHeaderOffset, 16);
|
||||
return Utils.compare(sig, normalSignature) || Utils.compare(sig, proSignature);
|
||||
}
|
||||
catch {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user