Commit Graph

1288 Commits

Author SHA1 Message Date
de4dot
b9d91043fc Support the latest CryptoObfuscator version 2012-12-11 12:02:40 +01:00
de4dot
245d875d5f Support Eazfuscator.NET 3.5 string encrypter 2012-12-11 00:23:16 +01:00
de4dot
d5681d9db4 Emulate instructions instead of finding constants 2012-12-10 21:43:56 +01:00
de4dot
ac7694b237 Add Int64Method property 2012-12-10 21:42:49 +01:00
de4dot
61eff40082 Add props to access the locals / values 2012-12-10 21:42:37 +01:00
de4dot
721cd1578a Update EF version detector 2012-12-10 21:42:14 +01:00
de4dot
dcbcaa098e Work around a bug in EF 2012-12-08 01:12:20 +01:00
de4dot
f5967715f2 Only remove the type if we rename types 2012-12-07 15:07:30 +01:00
de4dot
8e79777cdf Return immediately if there's nothing to do 2012-12-07 15:06:52 +01:00
de4dot
fa4e1fcc6b Add RenamerFlags 2012-12-07 15:06:38 +01:00
de4dot
0ba3a0c1e2 Better support of DNR + .NET 1.x assemblies 2012-12-04 23:58:34 +01:00
de4dot
8e69452edb Support .NET Reactor 4.5 2012-12-04 02:29:41 +01:00
de4dot
faf37a4a47 Use a char[] instead of a StringBuilder since length is known 2012-12-03 01:22:14 +01:00
de4dot
9a4cd237e5 Fix detection of SN string decrypter 2012-12-02 23:24:00 +01:00
de4dot
ca6812bca7 Support latest Rummage 2012-12-02 16:20:25 +01:00
de4dot
8a36c8eea6 Add an option to not rename delegate fields 2012-12-01 04:35:39 +01:00
de4dot
643e155cf8 Add options to preserve rids, heaps 2012-12-01 03:24:12 +01:00
de4dot
dcdbe25a0f Add option to disable creating new ParamDefs when renaming 2012-12-01 02:22:59 +01:00
de4dot
99c7cf8eb5 Load target asm's CLR version when decrypting strings dynamically 2012-12-01 01:40:23 +01:00
de4dot
3e62b328d1 Add FileHeader and OptionalHeader props 2012-11-30 21:04:05 +01:00
de4dot
87b20b00f2 Set new locals by calling SetLocals(), not by writing to the field 2012-11-30 03:24:15 +01:00
de4dot
a2cdfdb9e3 Add AssemblyServer projects for CLR v2.0/4.0 x86/x64 2012-11-23 07:12:43 +01:00
de4dot
9263a3df3d Remove all cecil code/comment refs 2012-11-22 09:14:51 +01:00
de4dot
fd129aa3c0 Remove non-referenced method 2012-11-22 05:50:15 +01:00
de4dot
3a519b51d8 This shouldn't be a warning 2012-11-22 05:50:05 +01:00
de4dot
7ce782215e Print 4.x when DNR 4 version is unknown 2012-11-21 14:20:38 +01:00
de4dot
8858205344 IDeobfuscator now implements IDisposable 2012-11-21 13:57:13 +01:00
de4dot
5b43e33a35 Remove old PeImage code and use the new one 2012-11-21 11:14:20 +01:00
de4dot
ced43ca70b Use File.WriteAllBytes() 2012-11-21 11:07:40 +01:00
de4dot
bcb9a2958c Dispose() of the PEImage 2012-11-21 11:07:25 +01:00
de4dot
9577bd2118 Reset resource data position 2012-11-20 07:53:54 +01:00
de4dot
bde935c6d8 Remove invalid resources 2012-11-20 07:25:10 +01:00
de4dot
e8155e7eb0 Update detection of invalid CV methods 2012-11-20 06:45:23 +01:00
de4dot
989e364481 Fix detection of DS string decrypter 2012-11-20 05:35:05 +01:00
de4dot
87a83a2757 Exit if string decrypter wasn't detected 2012-11-20 04:42:19 +01:00
de4dot
48ce6a29b9 Return an SZArraySig, not an ArraySig 2012-11-20 02:18:18 +01:00
de4dot
5c2237b439 Remove useless property 2012-11-20 01:16:02 +01:00
de4dot
4658e911a2 Reset resource data positions 2012-11-20 01:15:27 +01:00
de4dot
d8e73e70e6 Use MetaDataHeader 2012-11-20 01:14:34 +01:00
de4dot
d9bc6ea480 Fix operand restorer 2012-11-20 01:14:05 +01:00
de4dot
969d41c089 Default name is CliSecure 2012-11-20 01:13:36 +01:00
de4dot
5ce21b18a7 Call IAssemblyResolver.Remove() 2012-11-20 01:13:18 +01:00
de4dot
5ad2e18695 Update code since submodule was updated 2012-11-19 17:58:34 +01:00
de4dot
c5f2043a6e Port SmartAssembly deobfuscator 2012-11-18 17:07:02 +01:00
de4dot
cca8eba9ed Port ILProtector deobfuscator 2012-11-18 08:13:51 +01:00
de4dot
db223d089b Port MaxtoCode deobfuscator 2012-11-18 07:34:51 +01:00
de4dot
2e61a8a757 Move disposing of module to caller
The reason is that some deobfuscators require it to be non-disposed
when their reload() method is called.
2012-11-18 07:32:57 +01:00
de4dot
9a8218e68f Add Logger.LogErrorDontIgnore() 2012-11-18 03:20:40 +01:00
de4dot
0e16e3e51b Dispose() of all modules we don't need 2012-11-18 03:17:53 +01:00
de4dot
1c4b3a7382 Port Goliath.NET deobfuscator 2012-11-18 03:02:12 +01:00
de4dot
c596f5ddfc Port Eazfuscator.NET deobfuscator 2012-11-18 01:09:07 +01:00
de4dot
33645432f1 Fix TypesRestorer porting bug 2012-11-18 00:20:07 +01:00
de4dot
e5ab5ee23c Re-encrypt x86 methods if any (DNR v4.x) 2012-11-17 23:49:19 +01:00
de4dot
d52a1014ef Port .NET Reactor v4.x deobfuscator 2012-11-17 18:57:36 +01:00
de4dot
413a032e0a Port .NET Reactor v3.x deobfuscator 2012-11-17 15:46:02 +01:00
de4dot
7e1d16dafb Clear RVA when resetting field type and initial value 2012-11-17 11:45:24 +01:00
de4dot
6a7ddbaa56 Update code; submodule was updated 2012-11-16 23:50:52 +01:00
de4dot
4be5776da7 Also add all methods found in VTableFixups 2012-11-16 20:52:10 +01:00
de4dot
0dc129d340 Fix renaming of non-external pinvoke methods 2012-11-16 02:15:36 +01:00
de4dot
686f9953fd Also remove Spices.Net watermark attribute 2012-11-14 21:45:12 +01:00
de4dot
9e708ed4fd Ignore req/opt modifiers 2012-11-14 21:44:57 +01:00
de4dot
475c597a60 Port Spices.Net deobfuscator 2012-11-14 19:29:29 +01:00
de4dot
445b68f4f5 Don't treat System.Void as a value type 2012-11-14 19:28:46 +01:00
de4dot
226d18dff7 Only set ILOnly if there are no native methods 2012-11-14 11:33:47 +01:00
de4dot
6d43a7d6ee Update code since submodule was updated 2012-11-14 10:23:29 +01:00
de4dot
76d898a285 Keep extra PE data and keep orig Win32 resources 2012-11-13 07:45:34 +01:00
de4dot
8c228e6e70 Also preserve #Blob offsets when preserving MD tokens 2012-11-13 07:44:25 +01:00
de4dot
3bd00c99bc Use NativeModuleWriterOptions when saving a mixed-mode assembly 2012-11-13 07:42:35 +01:00
de4dot
2f6e5badb1 Update code since submodule got updated 2012-11-12 22:06:13 +01:00
de4dot
ac9168599b Use IPEImage.FindWin32ResourceData() 2012-11-12 04:40:48 +01:00
de4dot
3646bca56b Align the numbers 2012-11-11 16:56:29 +01:00
de4dot
99b38ac22f Don't Dispose() of the resource data reader 2012-11-11 14:46:00 +01:00
de4dot
c47039c2ef Don't call logger.v() unless verbose log level is enabled 2012-11-11 11:37:40 +01:00
de4dot
5a9d76e8c7 Speed up DeepSea string decrypter detector 2012-11-11 07:54:26 +01:00
de4dot
b152362088 Update logger
- It's not static anymore
- It implements ILogger
- It can ignore errors/warnings but there's an option to disable it
2012-11-11 05:41:54 +01:00
de4dot
7b0ba43248 UTF8String was moved to DotNet ns. Fix code 2012-11-10 00:45:04 +01:00
de4dot
311a3c9c05 Remove now useless using statements 2012-11-10 00:02:11 +01:00
de4dot
73e15c0919 Change method sig to take a IPEImage instead of a PEImage 2012-11-09 11:34:23 +01:00
de4dot
d47a03f51a Unpack CS packed files 2012-11-09 11:32:29 +01:00
de4dot
d00fcb79e4 Don't remove fields if we should keep all types 2012-11-09 02:15:28 +01:00
de4dot
3b740a4106 Port DeepSea deobfuscator 2012-11-09 00:21:45 +01:00
de4dot
5d25a499aa Port CryptoObfuscator deobfuscator 2012-11-08 22:24:13 +01:00
de4dot
472d57ed0f Use ModuleDefMD.GetAssemblyRef() 2012-11-08 11:26:14 +01:00
de4dot
f2f156dc40 Port CodeWall deobfuscator 2012-11-08 10:40:58 +01:00
de4dot
eb7d4c5f88 Use CreateStream() instead of creating a MemoryStream from a byte[] 2012-11-08 10:16:58 +01:00
de4dot
f6b5a3117f Port CodeVeil deobfuscator 2012-11-08 09:48:05 +01:00
de4dot
10e83acebc Port CodeFort deobfuscator 2012-11-08 07:43:57 +01:00
de4dot
4393df31d9 Update detection of CSVM asm ref 2012-11-08 07:07:02 +01:00
de4dot
f699017197 Port Babel.NET deobfuscator 2012-11-08 07:06:46 +01:00
de4dot
ce6659510e Use ToGenericInstSig() ext method 2012-11-08 07:05:41 +01:00
de4dot
e600696182 Use IBinaryReader.ReadRemainingBytes() 2012-11-07 07:29:39 +01:00
de4dot
ab78e97423 Use the new name of this obfuscator 2012-11-07 05:47:33 +01:00
de4dot
9c64165d15 Add a getDumpedMethod() method 2012-11-07 05:38:06 +01:00
de4dot
583d4201f5 Port Agile.NET deobfuscator 2012-11-07 05:17:45 +01:00
de4dot
cc1e36389d Update resolve{Method,Field}() sigs with a more general arg type 2012-11-07 04:46:19 +01:00
de4dot
814c3d3944 Fix method decrypter 2012-11-07 04:45:36 +01:00
de4dot
b6537dc188 Fix lookup<T> method sigs 2012-11-07 04:45:05 +01:00
de4dot
6efb96740d Update code since EntryPoint was renamed ManagedEntryPoint 2012-11-07 02:02:38 +01:00
de4dot
427ea38595 Port MPRESS unpacker 2012-11-07 01:52:15 +01:00
de4dot
d98d4b10bb Add code to restore dumped methods 2012-11-07 01:15:52 +01:00
de4dot
4be7e4fe46 Initialize DumpedMethod.mdRVA 2012-11-07 00:26:36 +01:00
de4dot
001b67804f Move DumpedMethod{,s} to de4dot.blocks namespace 2012-11-06 22:25:19 +01:00
de4dot
90ab31eda2 Port Rummage deobfuscator 2012-11-06 17:21:56 +01:00
de4dot
25cee0e206 Port Skater.NET deobfuscator 2012-11-06 17:15:11 +01:00
de4dot
19ed1ac219 Rename CliSecure -> Agile_NET 2012-11-06 16:38:39 +01:00
de4dot
c67c267c8e Port Dotfuscator deobfuscator 2012-11-06 16:30:39 +01:00
de4dot
ac171e3f29 Fix code since CilBody/HasCilBody were renamed 2012-11-06 15:58:55 +01:00
de4dot
3ed2daebd1 Port Xenocode deobfuscator 2012-11-06 15:58:21 +01:00
de4dot
f5ec3e2a27 String can be empty so return early if so 2012-11-06 01:59:40 +01:00
de4dot
c8039d249e Add more checks when input has lots of invalid metadata 2012-11-06 00:18:02 +01:00
de4dot
6d45a3499f Fix porting mistakes 2012-11-05 19:21:33 +01:00
de4dot
ea001865c9 Rename FnPtr args, and also null type sigs params 2012-11-05 02:42:48 +01:00
de4dot
2aedcc730c Preserve tokens if necessary 2012-11-04 23:24:12 +01:00
de4dot
c9f1f8073e MethodDef.Parameters contains the hidden 'this' param, so add some fixes to old code 2012-11-04 22:41:45 +01:00
de4dot
6a8e8dcb78 Initialize loaded modules' module context 2012-11-04 20:06:58 +01:00
de4dot
d5838aa6c2 Use the IModuleWriterListener interface 2012-11-04 19:40:36 +01:00
de4dot
f4ce67d836 Remove useless class and fix a porting todo 2012-11-04 13:25:14 +01:00
de4dot
83cb59718a Move GenericArgsSubstitutor and add more methods 2012-11-04 12:13:13 +01:00
de4dot
f7f424efe7 Remove more "#if PORT" 2012-11-04 11:50:10 +01:00
de4dot
9376aa0de5 Rename method return parameters 2012-11-04 11:45:04 +01:00
de4dot
7ba4905cc7 Port more code, including renamer 2012-11-04 01:05:52 +01:00
de4dot
db6875859a Port more code 2012-11-03 22:49:52 +01:00
de4dot
9b6c698dc1 Port some code 2012-11-02 22:53:24 +01:00
de4dot
89cd55a071 Port more code 2012-11-02 20:10:34 +01:00
de4dot
00177034b9 Rename cecil names; add new MemberRefFinder class 2012-11-02 16:08:11 +01:00
de4dot
65e6887fbc Port more code; remove cecil refs 2012-11-02 08:28:39 +01:00
de4dot
70916173f3 Update code since dot10 was updated 2012-11-02 07:36:02 +01:00
de4dot
24c43d5a66 Port some more code 2012-11-01 21:09:09 +01:00
de4dot
1341cc7199 Port more code 2012-11-01 16:42:02 +01:00
de4dot
3b6ef4fa1f Port more code 2012-11-01 14:39:39 +01:00
de4dot
c5d183983b Port more code 2012-11-01 11:28:09 +01:00
de4dot
eeef8a2580 Use dot10.PE 2012-11-01 07:51:08 +01:00
de4dot
04e1568c61 Port ConstantsReader 2012-10-31 17:09:58 +01:00
de4dot
6f73696cc5 Port ..... 2012-10-31 16:54:20 +01:00
de4dot
ee7826576c Sort project file 2012-10-31 13:48:12 +01:00
de4dot
95d49c5b9e Add more assembly search paths 2012-09-20 05:57:16 +02:00
de4dot
d29ac1a4cf Check for generic params in all generic arguments too 2012-09-19 22:51:49 +02:00
de4dot
13a5fd8ff0 Add a fix for when type.Scope is null 2012-08-31 00:24:42 +02:00
de4dot
30a73371c8 Fat header type is encoded in the lower 3 bits 2012-08-23 12:02:09 +02:00
de4dot
a34b3f7855 Support latest CO build 2012-08-22 18:33:27 +02:00
de4dot
f1a725cd19 Restore MaxStack 2012-08-21 20:17:35 +02:00
de4dot
58b1b27c69 Use correct upper limit in loop, and return false on failure... 2012-08-21 20:17:21 +02:00
de4dot
3b9ba16df6 Make restoreMethod() virtual 2012-08-21 20:14:43 +02:00
de4dot
2c68ae14ee New version: 1.9.1 2012-08-21 15:40:23 +02:00
de4dot
64cc8e3856 Decrypt CO encrypted methods 2012-08-21 15:40:06 +02:00
de4dot
0a5973e541 Update detection of CO types 2012-08-21 15:06:42 +02:00
de4dot
957a8ab8dd Move method to new CoUtils class 2012-08-21 15:04:40 +02:00
de4dot
729780c235 Update MethodBodyReaderBase
- Change field types to IList<T>
- Add restoreMethod()
- Add readInstructionsNumBytes()
2012-08-21 14:59:46 +02:00
de4dot
bfcd42804e Add getModuleAttribute() 2012-08-15 19:33:57 +02:00
de4dot
1768de1d6b Remove earlyDetect() 2012-08-13 00:54:46 +02:00
de4dot
47a3034259 Call method later 2012-08-03 17:57:45 +02:00
de4dot
b455ae8dab Fix arg name 2012-08-02 19:53:30 +02:00
de4dot
e496cea7da Add an option to remove a present unbox.any instr 2012-08-01 22:20:35 +02:00
de4dot
9cbbea2c01 Use a better resource key 2012-07-31 12:50:55 +02:00
de4dot
c005ab2998 Check for div by zero 2012-07-31 12:43:23 +02:00
de4dot
dace82cca9 Add find2() method for derived classes 2012-07-31 07:13:07 +02:00
de4dot
329efd9a0f Add code to let a derived class push new values 2012-07-31 04:40:45 +02:00
de4dot
87a8052cbe Declaring type is null if it's already been removed 2012-07-31 04:40:06 +02:00
de4dot
6be691ab6d Increment errors if there's an exception 2012-07-31 04:39:34 +02:00
de4dot
06b7374276 Add support for reading r8 values. Also rename some methods 2012-07-31 01:14:38 +02:00
de4dot
11256d6e76 Make property public 2012-07-30 10:26:49 +02:00
de4dot
83b805adc3 Move methods 2012-07-30 09:17:22 +02:00
de4dot
b2d72b153f Ignore exceptions when calling detect()
Most likely invalid code and/or metadata, which usually means it's still
encrypted.
2012-07-29 18:12:29 +02:00
de4dot
de8090df61 Add setConstant methods 2012-07-29 14:21:13 +02:00
de4dot
c924d84340 Add another decrypt() method 2012-07-29 13:20:35 +02:00
de4dot
c3c1ab64d8 Add setDeobfuscator() method 2012-07-29 13:19:12 +02:00
de4dot
f07f664553 Don't cast to a possible value type when result can be null 2012-07-29 09:49:00 +02:00
de4dot
cb6a3ac503 Support generic decrypter methods 2012-07-28 04:39:14 +02:00
de4dot
a2c8e99b3f Ignore any exceptions during deobfuscation 2012-07-28 04:18:11 +02:00
de4dot
e88479f71d Add OtherMethods prop 2012-07-27 08:03:02 +02:00
de4dot
3abb8de345 getFieldToMethodDictionary() is now a non-virtual method 2012-07-27 07:57:13 +02:00
de4dot
1a1ccb2121 Update code since GetUserString() arg is now a token 2012-07-26 20:07:27 +02:00
de4dot
bbd41a549c Add MD5 and SHA256 sum methods 2012-07-26 16:35:28 +02:00
de4dot
916948249e Add missing null check 2012-07-26 16:35:08 +02:00
de4dot
5fc6e1ac75 Add method to get a 64-bit int 2012-07-25 21:06:35 +02:00
de4dot
423c33a9f2 Append 32 to 32-bit methods and fields 2012-07-25 20:48:06 +02:00
de4dot
e2ec6548ed Add more ctors and add EmulateConvInstructions prop 2012-07-25 20:43:22 +02:00
de4dot
755c9ae21a New version: 1.9.0 2012-07-24 20:08:09 +02:00
de4dot
a815a70415 Rename arrays 2012-07-24 19:58:00 +02:00
de4dot
880441571e Update class comment 2012-07-24 19:52:34 +02:00
de4dot
c31e6c2c3d Main embedded asm doesn't always have the same asm name as the original asm 2012-07-24 19:05:50 +02:00
de4dot
e1f8793302 Add option to disable decrypting main embedded assembly 2012-07-24 18:52:39 +02:00
de4dot
490ce203b6 Update invalid name regex 2012-07-24 18:13:18 +02:00
de4dot
e54b026ae7 Make the embedded (original) start up assembly the new decrypted assembly 2012-07-24 17:49:04 +02:00
de4dot
4374a08020 getDecryptedModule() can now be called multiple times 2012-07-24 17:02:27 +02:00
de4dot
c8477bdbce Print a warning and use default encoding if the code page doesn't exist 2012-07-23 13:19:04 +02:00
de4dot
8a81e98b3f Fix invalid Mvid 2012-07-23 13:15:32 +02:00
de4dot
6c04a950e7 Remove duplicate resources 2012-07-23 10:22:39 +02:00
de4dot
b03cb46f53 Rename class 2012-07-23 10:08:13 +02:00
de4dot
ebbc8d2ab8 Remove encoding arg 2012-07-23 10:04:40 +02:00
de4dot
74aaf19257 Support the latest CO build 2012-07-22 20:35:33 +02:00
de4dot
2320c458cf Check for null (invalid method ref in call instr) 2012-07-21 23:13:34 +02:00
de4dot
762e043236 Merge branch 'co' into new_code
Conflicts:
	de4dot.code/de4dot.code.csproj
	de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
2012-07-21 12:14:04 +02:00
de4dot
940aa20534 Merge branch 'master' into new_code
Conflicts:
	de4dot.code/de4dot.code.csproj
2012-07-21 11:24:32 +02:00
de4dot
fd9d4a40cc Support another MC runtime 2012-07-21 11:13:59 +02:00
de4dot
816ff5f369 New version: 1.8.7 2012-07-20 21:55:12 +02:00
de4dot
e05bfc9c8a Decrypt strings 2012-07-20 21:54:56 +02:00
de4dot
dfafc4a94b Remove useless method 2012-07-20 18:32:49 +02:00
de4dot
9b48632354 Refactor 2012-07-20 18:15:40 +02:00
de4dot
8b82f8b47d Support the latest MC versions 2012-07-20 14:49:47 +02:00