monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2,020 Commits 2 Branches 1 Tag 5 MiB
v4.0.0
Commit Graph

1550 Commits

Author SHA1 Message Date
de4dot
3bfb100fd5 Add resource decrypter 2011-11-08 19:32:10 +01:00
de4dot
0f627d728c Use new FieldTypes code 2011-11-08 19:27:27 +01:00
de4dot
fec1ec7e35 Add FieldTypes class and re-use LocalTypes code 2011-11-08 19:26:59 +01:00
de4dot
6d1cca149a Only check static methods 2011-11-08 11:36:09 +01:00
de4dot
c381423c48 Remove metadata token obfuscator type 2011-11-08 10:39:35 +01:00
de4dot
4e8f8a295b Remove assembly resolver type only if we're inlining methods 2011-11-08 10:37:39 +01:00
de4dot
8c91b56cb5 Save embedded assemblies to disk 2011-11-08 10:27:18 +01:00
de4dot
5e3beef064 Remove unused variable 2011-11-08 10:26:27 +01:00
de4dot
a70b740088 Update printStackTrace() output 2011-11-08 10:26:07 +01:00
de4dot
7617d92b3b Decrypt methods encrypted with the new methods encrypter 2011-11-07 16:16:18 +01:00
de4dot
a94d1406db Rename some fields, and only remove types/etc if users wants it 2011-11-06 18:01:37 +01:00
de4dot
045e6ecf73 Use better property names 2011-11-06 15:24:30 +01:00
de4dot
a4e4a7284e Add Xenocode support (dumped modules only) 2011-11-06 14:42:52 +01:00
de4dot
d60ab64c25 Move code to read module data to DeobUtils.cs 2011-11-06 13:46:50 +01:00
de4dot
f87e338583 Update text when reloading an assembly 2011-11-06 12:34:09 +01:00
de4dot
7821fc03bf Remove support for .methods files. 2011-11-06 12:26:41 +01:00
de4dot
f424e8eabf Add static methods decrypter and refactor into multiple classes 2011-11-06 12:19:26 +01:00
de4dot
a0509d2735 Use the new lookup() method 2011-11-06 12:18:35 +01:00
de4dot
4ecedb5b01 Don't check whether method is virtual 2011-11-06 12:17:20 +01:00
de4dot
bee77cdfe7 Make delegateCreatorMethods list protected 2011-11-06 12:16:30 +01:00
de4dot
fb2707a49b Add lookup() generic method. Useful when reloading module. 2011-11-06 12:16:06 +01:00
de4dot
9a21b09fac Reset module name when reloading from byte[] 2011-11-06 12:15:24 +01:00
de4dot
a369d36553 Add compare() byte[] method 2011-11-06 12:14:16 +01:00
de4dot
9818f675cd Add some more methods 2011-11-06 12:13:31 +01:00
de4dot
75a464a7f4 Merge branch 'master' into dnr 2011-11-05 14:27:40 +01:00
de4dot
51fc70169d Handle case where asm resolver returns a later version 2011-11-05 13:58:03 +01:00
de4dot
432c321bab Catch SecurityDeclaration resolve exception 2011-11-05 10:30:38 +01:00
de4dot
198d5c3f74 Remove memory manager from Main() 2011-11-05 10:10:36 +01:00
de4dot
34a11ee555 Create methods to check whether a file/dir exists 2011-11-05 09:56:51 +01:00
de4dot
fe2fe0befe Add Visual Studio public assemblies search paths 2011-11-05 09:45:34 +01:00
de4dot
65a9e7dbc1 Add Silverlight assembly search paths 2011-11-05 09:35:36 +01:00
de4dot
93ad40d218 Rename --asmpath option to --asm-path 2011-11-05 08:43:40 +01:00
de4dot
81d890d94e Don't update method header max stack field if no cflow deob 2011-11-05 08:36:36 +01:00
de4dot
a23a889776 Ignore resolve errors. It's likely an obfuscator bug. 2011-11-05 08:08:16 +01:00
de4dot
13d5f8e37d Ignore assemblies that contain native code 2011-11-05 08:04:14 +01:00
de4dot
c66c062753 Fix problem when HasPInvokeInfo == true but PInvokeInfo == null 2011-11-05 07:46:24 +01:00
de4dot
f524989a1e Re-arrange some code 2011-11-05 07:42:58 +01:00
de4dot
2236300943 Update renamer to better rename methods and args 
Finds InitializeComponent() method and renames it if necessary.
Finds all event handlers and names the args sender and e respectively.
Finds all field event handlers and names them <field>_<event>, eg.
button_Click.
 2011-11-04 19:08:23 +01:00
de4dot
7486b73da3 Restore original WinForms class and field names 2011-11-04 15:39:16 +01:00
de4dot
df507526ba Update renamer code so it's less likely to use an existing name 2011-11-04 13:59:43 +01:00
de4dot
e01e3c4e7f Update valid name regex 2011-11-04 11:01:21 +01:00
de4dot
131a57342d Force field type to same type newobj/newarr calls 2011-11-04 08:22:25 +01:00
de4dot
49b2976965 Handle call instrs with invalid metadata tokens 2011-11-04 07:43:24 +01:00
de4dot
4ce90dbfc0 Only print "found native code" warning once 2011-11-04 07:37:33 +01:00
de4dot
bd3b1e9b20 Check for null before calling unload() 2011-11-04 07:33:14 +01:00
de4dot
37f12ba60f Some small updates 2011-11-04 07:21:12 +01:00
de4dot
30f713f8f8 Rename isDelegateType() -> derivesFromDelegate() 2011-11-04 00:39:48 +01:00
de4dot
e1715adb48 Update default regex 2011-11-04 00:35:07 +01:00
de4dot
c23d770fbc Add special case for delegates 2011-11-04 00:09:51 +01:00
de4dot
8b0bf54d62 Print <arg_N> if arg N name is empty 2011-11-03 23:32:33 +01:00
de4dot
7a0061e39e Don't save ByRef types, and method call should be getEnd(0) 2011-11-03 23:25:07 +01:00
de4dot
17f077e275 Update code to handle more cases 2011-11-03 23:01:51 +01:00
de4dot
b810292cee New files' default name is now origname-cleaned.ext 2011-11-03 20:07:50 +01:00
de4dot
a2ecd85044 Deobfuscator type is now 2 chars 2011-11-03 20:03:32 +01:00
de4dot
e7c42c6532 Print updated types when we're done so everything can be sorted 2011-11-03 19:46:29 +01:00
de4dot
42e7583659 Unload loaded modules when renaming is over 2011-11-03 18:55:14 +01:00
de4dot
98cdcf9ca5 Only protect *Invoke methods. Rename and remove a variable 2011-11-03 18:53:58 +01:00
de4dot
3dd8649859 Merge branch 'master' into dnr 2011-11-03 07:11:10 +01:00
de4dot
f351a09564 Update symbol renamer to load referenced assemblies. 
This way it's possible to use a rename-all regex (.*) without renaming
symbols that shouldn't be renamed (eg. methods that are defined in an
interface in a non-deobfuscated module, eg. Dispose()). A warning is
displayed if an assembly can't be loaded.
 2011-11-03 06:43:33 +01:00
de4dot
96d086ba2b Merge branch 'master' into dnr 2011-11-02 05:58:12 +01:00
de4dot
2a967dc699 Call onTypesRenamed() a little later and update throw message with token 2011-11-02 05:57:10 +01:00
de4dot
c918c8e964 Merge branch 'master' into dnr 2011-11-02 04:57:13 +01:00
de4dot
78960c759c Rebuild dictionaries when types have been renamed 2011-11-02 04:54:54 +01:00
de4dot
b8879e74e6 Merge branch 'master' into dnr 2011-11-02 04:26:12 +01:00
de4dot
ccff408a00 Update code so it can rename duplicate member references 2011-11-02 04:24:22 +01:00
de4dot
c177c2ff42 Don't print message since the code is now much faster 2011-11-02 02:39:53 +01:00
de4dot
e3b767adcc Don't create dest dirs if we're just detecting obfuscators 2011-11-02 02:38:20 +01:00
de4dot
2ddf6b00de Return an empty list instead of null 2011-11-02 02:28:51 +01:00
de4dot
8ff2115083 Remove unused methods, and inline method used only by SA code 2011-11-02 02:25:45 +01:00
de4dot
ade1720d32 Use type cache to look up types (huge speedup in DNR code) 2011-11-02 02:25:07 +01:00
de4dot
1938a1c497 Undo what VS did 2011-11-01 18:56:44 +01:00
de4dot
6a07ee5b5e It's generic code so move it to common parent dir 2011-11-01 18:48:52 +01:00
de4dot
7bdea53134 Check op for null and update detection code 2011-11-01 18:47:26 +01:00
de4dot
6f4447aa98 It's generic code so move it to common parent dir 2011-11-01 18:46:59 +01:00
de4dot
cc8e220281 Also use ldfld/ldflda to detect arg types 2011-11-01 15:53:51 +01:00
de4dot
c354ded987 Add code to restore ldtoken instructions 2011-11-01 15:17:26 +01:00
de4dot
5170e62e21 Add code to remove inlined methods and option to disable it 2011-11-01 14:23:30 +01:00
de4dot
e7ceb50382 Add CanInlineMethods to IDeobfuscator 2011-11-01 14:19:53 +01:00
de4dot
8faf7389ad Restore method return types 2011-11-01 02:22:05 +01:00
de4dot
2e2eafdb57 Add code to restore methods' arg types 2011-10-31 23:58:19 +01:00
de4dot
ed625e256d Restore field types and add option to disable it 2011-10-31 19:41:38 +01:00
de4dot
0ac072cf7b Add class to restore field types. It should work most of the time. 2011-10-31 19:40:57 +01:00
de4dot
5185dc8364 Throw if PInvokeInfo is null. The type was probably removed. 2011-10-31 00:18:11 +01:00
de4dot
6b04c23036 Update decrypter and version detecter code 2011-10-31 00:09:38 +01:00
de4dot
35005a1a51 getStringDecrypterMethods() now adds all string decrypter methods 2011-10-30 19:28:13 +01:00
de4dot
0ddbe16349 Update DNR version number detection code 2011-10-30 06:15:52 +01:00
de4dot
7505f6096f Clear deobfuscation flags when reloading module 2011-10-30 06:14:22 +01:00
de4dot
2ede24598d Detect DNR version 2011-10-29 20:28:29 +02:00
de4dot
efe98949b1 Minor updates 2011-10-29 20:26:59 +02:00
de4dot
37a64f77f2 Index should be set to instruction before we broke out of the loop 2011-10-29 20:25:41 +02:00
de4dot
b57c93eae4 Update DNR methods decrypter code 2011-10-29 03:39:32 +02:00
de4dot
040410d7ce Methods decrypter method could be null 2011-10-29 03:39:08 +02:00
de4dot
def4072bc5 Move array finder code to a new ArrayFinder class 2011-10-29 03:38:09 +02:00
de4dot
0a8d772c22 Decrypt methods sent to the JITter 2011-10-29 02:27:34 +02:00
de4dot
c4d6ba9ae9 Some minor updates 2011-10-29 02:25:31 +02:00
de4dot
3b87ab1294 Update getDecryptedModule() so it can return dumped methods 2011-10-29 02:23:48 +02:00
de4dot
a6dcd03d26 Allow passing dumped methods to reload() 2011-10-29 02:22:36 +02:00
de4dot
0e70d020b4 Add .NET metadata reader (ported from C++) 2011-10-29 02:20:44 +02:00
de4dot
89f90d3e75 Make sure publicKeyToken.Length > 0 2011-10-28 01:44:15 +02:00
de4dot
699ac4378d Support older string decrypter method and detect older methods decrypter 2011-10-28 01:33:05 +02:00
de4dot
eb002895e1 Don't throw if we can't find all method args in the same block 2011-10-28 01:28:08 +02:00
de4dot
09178a6e95 Update methods decrypter and string decrypter 2011-10-27 22:25:44 +02:00
de4dot
39dbf5d9b2 Ignore call if we can't get all args 2011-10-27 22:22:52 +02:00
de4dot
9c83c22469 Add .NET header and a method to more safely write to a .NET PE image 2011-10-27 22:21:45 +02:00
de4dot
5357b4f73c Update code to handle 4.1 obfuscated assemblies 2011-10-27 02:08:30 +02:00
de4dot
93d4ac1c9d Update type name 2011-10-27 02:07:33 +02:00
de4dot
41356b2d30 Check for methods with no body 2011-10-27 02:07:06 +02:00
de4dot
ceca5718ba Remove encrypted resources and call to methods decrypter 2011-10-26 23:00:01 +02:00
de4dot
dfb73f222f Add options to disable decryption of methods and bools 2011-10-26 22:24:31 +02:00
de4dot
63ab61fb12 Deobfuscate cflow again if a bool was decrypted 2011-10-26 22:16:51 +02:00
de4dot
bd7a6763a6 Return number of method calls that were replaced 2011-10-26 22:06:48 +02:00
de4dot
28b73d36ed It's a flags enum so should use unique bits 2011-10-26 22:00:32 +02:00
de4dot
db7edc2a72 Add BoolValueInliner class 2011-10-26 21:05:35 +02:00
de4dot
59863bf8b4 Refactor string decrypter to generic return value inliner class 2011-10-26 20:41:50 +02:00
de4dot
e4f2af221a Add BooleanDecrypter class 2011-10-26 20:23:45 +02:00
de4dot
f37a46a02b Decrypt strings 2011-10-26 19:49:25 +02:00
de4dot
03a8372319 Add readInt32() and readBytes() methods 2011-10-26 19:41:23 +02:00
de4dot
6bde8b8b20 Decrypt some DNR 4.0 non-native obfuscated assemblies 2011-10-26 14:40:55 +02:00
de4dot
1fbe902ed1 Always call detect(), and support reloading decrypted files 2011-10-26 14:32:50 +02:00
de4dot
3f7b1237b4 Don't call GetDirectoryName() if name is "" (loaded from byte[]) 2011-10-26 14:32:10 +02:00
de4dot
4f315fd65a Add reload() method when the file has been decrypted 2011-10-26 14:30:47 +02:00
de4dot
1eaa245618 Should ignore .cctor methods since .ctor is never static 2011-10-26 14:29:57 +02:00
de4dot
bfa0fa14c0 Add decrypt methods to IDeobfuscator. Change some method sigs. 2011-10-26 14:29:12 +02:00
de4dot
794b9dfd77 Add PE image reader/writer code 2011-10-26 14:20:38 +02:00
de4dot
685c5ba79c Add code to detect methods decrypter method 2011-10-25 08:27:36 +02:00
de4dot
6bb6f0930d Remember to create DNR's info class 2011-10-24 19:51:04 +02:00
de4dot
cb5589ee28 Add skeleton DNR file 2011-10-24 19:44:49 +02:00
de4dot
129da2e7f9 Set version 1.1.3 2011-10-24 15:48:19 +02:00
de4dot
46309f2f78 New version: 1.1.2 2011-10-23 22:09:27 +02:00
de4dot
4f02f84d84 Fix problem when resources aren't encrypted or compressed 2011-10-23 22:03:38 +02:00
de4dot
779d1a8a31 Update version to 1.1.1 2011-10-23 20:13:25 +02:00
de4dot
bf00ccca2b Some minor updates 2011-10-23 17:23:33 +02:00
de4dot
f776148574 Add proxy delegate fixer 2011-10-23 13:43:32 +02:00
de4dot
32bb14fa5a Decrypt encrypted SL resources 2011-10-23 09:19:50 +02:00
de4dot
9ad15e63e4 Remove string decrypter type and allow static + dynamic decryption 2011-10-23 09:07:47 +02:00
de4dot
78397f9c4f Remove types CO adds to each assembly 2011-10-23 09:03:00 +02:00
de4dot
a1e6f555ef Update method call remover code 2011-10-23 08:41:33 +02:00
de4dot
c0a8eb1bbd Print name of encrypted strings resource 2011-10-22 18:20:49 +02:00
de4dot
4490c976b3 Find anti-debugger and tamper detection code 2011-10-22 18:13:13 +02:00
de4dot
1a78c2dc8c Remove encrypted resources from output file 2011-10-22 17:29:49 +02:00
de4dot
adc2c277fd Strings and resources are decrypted 2011-10-22 17:13:28 +02:00
de4dot
65dacdf7cd Initialize assemblyInfos in case there's no embedded assemblies 2011-10-22 14:55:43 +02:00
de4dot
50a9421657 Assembly resolver doesn't need resource decrypter 2011-10-22 14:53:24 +02:00
de4dot
3f1b9152bd Add CO deobfuscator. Can decrypt embedded assemblies. 2011-10-22 14:31:38 +02:00
de4dot
99bd79e418 Change to version 1.1.0 2011-10-21 22:27:26 +02:00
de4dot
88f7a31ff1 Print number of removed instructions 2011-10-21 21:35:35 +02:00
de4dot
2ff8a0ea7a Remove old cflow deobfuscator code 2011-10-21 20:35:13 +02:00
de4dot
9d132bfeaf Change --no-control-flow-deob => --no-cflow-deob 2011-10-21 10:38:27 +02:00
de4dot
b1340bc84f Merge branch 'master' into newcode 2011-10-21 10:33:00 +02:00
de4dot
8c924617c3 Update CIL output when -vv is used 2011-10-21 10:32:43 +02:00
de4dot
d76afbf8a1 Ignore ArgumentOutOfRangeException when loading files 2011-10-20 12:28:15 +02:00
de4dot
f79b12d4f3 Make sure blocks are laid out in a verifiable order 2011-10-20 02:58:30 +02:00
de4dot
c8500b4f33 Remove unused local variables 2011-10-20 02:38:44 +02:00
de4dot
7fe71a963a Add inline bool method hack for DNR 2011-10-19 01:53:42 +02:00
de4dot
80acf1d59f Add switch cflow deobfuscator 2011-10-18 23:31:50 +02:00
de4dot
05065d6ac7 Start work on new cflow deobfuscator 2011-10-17 00:22:22 +02:00
de4dot
4c43807de7 Detect SA 1.x-5.1 assemblies 2011-10-13 12:22:17 +02:00
de4dot
01da4a979f Also make sure type.Name is empty 2011-10-12 23:30:57 +02:00
de4dot
58ff833d5c Detect SA 4.x, 5.0, 5.1 2011-10-12 23:16:03 +02:00
de4dot
b3463a3859 Remove automated error reporting code from SA 4.x assemblies 2011-10-12 22:50:19 +02:00
de4dot
9ed55629e6 Print deobfuscated method if -vv 2011-10-12 19:47:51 +02:00
de4dot
38b08dddfd Update DF version attribute parsing 2011-10-10 18:39:42 +02:00
de4dot
08f5b04675 Fix a problem with String.StartsWith() on mono 2011-10-09 13:19:26 +02:00
de4dot
2f5ded924f Get rid of dead code 2011-10-09 12:01:51 +02:00
de4dot
9ade539ecd Update version to 1.0.3 2011-10-08 20:03:10 +02:00
de4dot
5fbda45d6d Add earlyDetect() method to IDeobfuscator 2011-10-08 19:33:12 +02:00
de4dot
d305faae09 Detect another obfuscator 2011-10-08 18:43:22 +02:00
de4dot
5eb824693e Don't throw if invalid visibility 2011-10-08 18:42:09 +02:00
de4dot
c94fea2bfc Remove assembly if --one-file option is used 2011-10-08 15:01:51 +02:00
de4dot
ae9f59c918 Less memory are used when loading files one at a time 2011-10-08 13:33:48 +02:00
de4dot
3719e9a375 AssemblyResolver can now remove old unused assemblies 2011-10-08 13:28:39 +02:00
de4dot
d3fa227f1e Update -ru option text 2011-10-08 12:30:35 +02:00
de4dot
bea3a737d2 Don't rename resource if old name was empty string 2011-10-08 12:17:01 +02:00
de4dot
d69b1b465c Fix SA string decryption problem 2011-10-07 17:32:03 +02:00
de4dot
56da16086b Make sure user tries latest version... 2011-10-07 17:31:27 +02:00
de4dot
8ec3da7080 Update detection and some strings 2011-10-07 17:30:41 +02:00
de4dot
4cca5190da Detect another new obfuscator 2011-10-07 08:45:40 +02:00
de4dot
fa3a6457de Detects a few more obfuscators 2011-10-06 10:33:13 +02:00
de4dot
1c721b017e Detect some unsupported obfuscators 2011-10-05 17:22:56 +02:00
de4dot
d2b621b5b3 Netmodules are better supported now 2011-10-05 08:20:32 +02:00
de4dot
43085bc808 Fix serialization problem when calling exit() 2011-10-03 10:04:33 +02:00
de4dot
062ecaaef2 Ignore emtpy strings when renaming resources in code 2011-09-29 19:00:34 +02:00
de4dot
b71eb587db Make sure field/method ref has a declaring type before resolving it 2011-09-29 10:51:21 +02:00
de4dot
18756f90bf Updated log text 2011-09-29 10:50:10 +02:00
de4dot
004f25d818 Set version to 1.0.2 2011-09-29 01:29:02 +02:00
de4dot
65e0ef359a Enabled reading and loading of files from the network 2011-09-28 23:54:38 +02:00
de4dot
ee60bf14f2 Added 'default' string decrypter type 
Eazfuscator.NET deobfuscator defaults to 'emulate' and the others to
'static'.
 2011-09-28 16:06:10 +02:00
de4dot
500cdcaf1b Not ignoring all PE file load exceptions, but added null ref exception 2011-09-28 02:00:29 +02:00
de4dot
157a125894 Catch all exceptions and print warning if load fails 2011-09-28 01:44:32 +02:00
de4dot
37be012a11 Set Console.OutputEncoding to UTF-8 only if current encoding is single byte 2011-09-28 01:27:46 +02:00
de4dot
2094990a93 Added --one-file option to deobfuscate only one file at a time 2011-09-28 01:19:19 +02:00
de4dot
6fec29daab Func should take a MethodDefinition as first arg 2011-09-28 00:57:17 +02:00
de4dot
eeb12adf87 Removed 'in' and 'out' from delegates 2011-09-27 23:42:06 +02:00
de4dot
cd0e5c0169 Updated resource renaming of code strings 2011-09-27 23:29:38 +02:00
de4dot
c257f16787 Methodsrewriter is now working 2011-09-27 22:06:43 +02:00
de4dot
695dd81b43 Merged master 2011-09-27 02:05:46 +02:00
de4dot
bfca8a351f Updated version number 2011-09-24 18:56:13 +02:00
de4dot
5dd6567fc9 Bug fix. Some methods have a body but 0 instrs 2011-09-24 18:48:15 +02:00
de4dot
9945b8b47c Moved code to blocks assembly 2011-09-24 10:26:29 +02:00
de4dot
865ed5a47a Initial commit 2011-09-22 04:55:30 +02:00