monocul.us
/
de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
de4dot-cex/de4dot.code/ObfuscatedFile.cs

843 lines
25 KiB
C#
Raw Permalink Blame History

/*
Copyright (C) 2011-2015 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Text;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using dnlib.DotNet.Writer;
using dnlib.PE;
using AssemblyData;
using de4dot.code.deobfuscators;
using de4dot.blocks;
using de4dot.blocks.cflow;
using de4dot.code.AssemblyClient;
using de4dot.code.renamer;
namespace de4dot.code {
public class ObfuscatedFile : IObfuscatedFile, IDeobfuscatedFile {
Options options;
ModuleDefMD module;
IDeobfuscator deob;
IDeobfuscatorContext deobfuscatorContext;
AssemblyModule assemblyModule;
IAssemblyClient assemblyClient;
DynamicStringInliner dynamicStringInliner;
IAssemblyClientFactory assemblyClientFactory;
SavedMethodBodies savedMethodBodies;
bool userStringDecrypterMethods = false;
class SavedMethodBodies {
Dictionary<MethodDef, SavedMethodBody> savedMethodBodies = new Dictionary<MethodDef, SavedMethodBody>();
class SavedMethodBody {
MethodDef method;
IList<Instruction> instructions;
IList<ExceptionHandler> exceptionHandlers;
public SavedMethodBody(MethodDef method) {
this.method = method;
DotNetUtils.CopyBody(method, out instructions, out exceptionHandlers);
}
public void Restore() {
DotNetUtils.RestoreBody(method, instructions, exceptionHandlers);
}
}
public void Save(MethodDef method) {
if (IsSaved(method))
return;
savedMethodBodies[method] = new SavedMethodBody(method);
}
public void RestoreAll() {
foreach (var smb in savedMethodBodies.Values)
smb.Restore();
savedMethodBodies.Clear();
}
public bool IsSaved(MethodDef method) {
return savedMethodBodies.ContainsKey(method);
}
}
public class Options {
public string Filename { get; set; }
public string NewFilename { get; set; }
public string ForcedObfuscatorType { get; set; }
public DecrypterType StringDecrypterType { get; set; }
public List<string> StringDecrypterMethods { get; private set; }
public bool ControlFlowDeobfuscation { get; set; }
public bool KeepObfuscatorTypes { get; set; }
public bool PreserveTokens { get; set; }
public MetaDataFlags MetaDataFlags { get; set; }
public RenamerFlags RenamerFlags { get; set; }
public Options() {
StringDecrypterType = DecrypterType.Default;
StringDecrypterMethods = new List<string>();
}
}
public string Filename {
get { return options.Filename; }
}
public string NewFilename {
get { return options.NewFilename; }
}
public ModuleDefMD ModuleDefMD {
get { return module; }
}
public INameChecker NameChecker {
get { return deob; }
}
public bool RenameResourcesInCode {
get { return deob.TheOptions.RenameResourcesInCode; }
}
public bool RemoveNamespaceWithOneType {
get { return (deob.RenamingOptions & RenamingOptions.RemoveNamespaceIfOneType) != 0; }
}
public bool RenameResourceKeys {
get { return (deob.RenamingOptions & RenamingOptions.RenameResourceKeys) != 0; }
}
public IDeobfuscator Deobfuscator {
get { return deob; }
}
public IDeobfuscatorContext DeobfuscatorContext {
get { return deobfuscatorContext; }
set { deobfuscatorContext = value; }
}
public ObfuscatedFile(Options options, ModuleContext moduleContext, IAssemblyClientFactory assemblyClientFactory) {
this.assemblyClientFactory = assemblyClientFactory;
this.options = options;
userStringDecrypterMethods = options.StringDecrypterMethods.Count > 0;
options.Filename = Utils.GetFullPath(options.Filename);
assemblyModule = new AssemblyModule(options.Filename, moduleContext);
if (options.NewFilename == null)
options.NewFilename = GetDefaultNewFilename();
if (string.Equals(options.Filename, options.NewFilename, StringComparison.OrdinalIgnoreCase))
throw new UserException(string.Format("filename is same as new filename! ({0})", options.Filename));
}
string GetDefaultNewFilename() {
string newFilename = Path.GetFileNameWithoutExtension(options.Filename) + "-cleaned" + Path.GetExtension(options.Filename);
return Path.Combine(Path.GetDirectoryName(options.Filename), newFilename);
}
public void Load(IList<IDeobfuscator> deobfuscators) {
try {
LoadModule(deobfuscators);
TheAssemblyResolver.Instance.AddSearchDirectory(Utils.GetDirName(Filename));
TheAssemblyResolver.Instance.AddSearchDirectory(Utils.GetDirName(NewFilename));
DetectObfuscator(deobfuscators);
if (deob == null)
throw new ApplicationException("Could not detect obfuscator!");
InitializeDeobfuscator();
}
finally {
foreach (var d in deobfuscators) {
if (d != deob && d != null)
d.Dispose();
}
}
}
void LoadModule(IEnumerable<IDeobfuscator> deobfuscators) {
ModuleDefMD oldModule = module;
try {
module = assemblyModule.Load();
}
catch (BadImageFormatException) {
if (!UnpackNativeImage(deobfuscators))
throw new BadImageFormatException();
Logger.v("Unpacked native file");
}
finally {
if (oldModule != null)
oldModule.Dispose();
}
}
bool UnpackNativeImage(IEnumerable<IDeobfuscator> deobfuscators) {
using (var peImage = new PEImage(Filename)) {
foreach (var deob in deobfuscators) {
byte[] unpackedData = null;
try {
unpackedData = deob.UnpackNativeFile(peImage);
}
catch {
}
if (unpackedData == null)
continue;
var oldModule = module;
try {
module = assemblyModule.Load(unpackedData);
}
catch {
Logger.w("Could not load unpacked data. File: {0}, deobfuscator: {0}", peImage.FileName ?? "(unknown filename)", deob.TypeLong);
continue;
}
finally {
if (oldModule != null)
oldModule.Dispose();
}
this.deob = deob;
return true;
}
}
return false;
}
void InitializeDeobfuscator() {
if (options.StringDecrypterType == DecrypterType.Default)
options.StringDecrypterType = deob.DefaultDecrypterType;
if (options.StringDecrypterType == DecrypterType.Default)
options.StringDecrypterType = DecrypterType.Static;
deob.Operations = CreateOperations();
}
IOperations CreateOperations() {
var op = new Operations();
switch (options.StringDecrypterType) {
case DecrypterType.None:
op.DecryptStrings = OpDecryptString.None;
break;
case DecrypterType.Static:
op.DecryptStrings = OpDecryptString.Static;
break;
default:
op.DecryptStrings = OpDecryptString.Dynamic;
break;
}
op.KeepObfuscatorTypes = options.KeepObfuscatorTypes;
op.MetaDataFlags = options.MetaDataFlags;
op.RenamerFlags = options.RenamerFlags;
return op;
}
void DetectObfuscator(IEnumerable<IDeobfuscator> deobfuscators) {
// The deobfuscators may call methods to deobfuscate control flow and decrypt
// strings (statically) in order to detect the obfuscator.
if (!options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None)
savedMethodBodies = new SavedMethodBodies();
// It's not null if it unpacked a native file
if (this.deob != null) {
deob.Initialize(module);
deob.DeobfuscatedFile = this;
deob.Detect();
return;
}
foreach (var deob in deobfuscators) {
deob.Initialize(module);
deob.DeobfuscatedFile = this;
}
if (options.ForcedObfuscatorType != null) {
foreach (var deob in deobfuscators) {
if (string.Equals(options.ForcedObfuscatorType, deob.Type, StringComparison.OrdinalIgnoreCase)) {
this.deob = deob;
deob.Detect();
return;
}
}
}
else
this.deob = DetectObfuscator2(deobfuscators);
}
IDeobfuscator DetectObfuscator2(IEnumerable<IDeobfuscator> deobfuscators) {
var allDetected = new List<IDeobfuscator>();
IDeobfuscator detected = null;
int detectVal = 0;
foreach (var deob in deobfuscators) {
this.deob = deob; // So we can call deob.CanInlineMethods in deobfuscate()
int val;
//TODO: Re-enable exception handler
//try {
val = deob.Detect();
/*}
catch {
val = deob.Type == "un" ? 1 : 0;
}*/
Logger.v("{0,3}: {1}", val, deob.TypeLong);
if (val > 0 && deob.Type != "un")
allDetected.Add(deob);
if (val > detectVal) {
detectVal = val;
detected = deob;
}
}
this.deob = null;
if (allDetected.Count > 1) {
Logger.n("More than one obfuscator detected:");
Logger.Instance.Indent();
foreach (var deob in allDetected)
Logger.n("{0} (use: -p {1})", deob.Name, deob.Type);
Logger.Instance.DeIndent();
}
return detected;
}
MetaDataFlags GetMetaDataFlags() {
var mdFlags = options.MetaDataFlags | deob.MetaDataFlags;
// Always preserve tokens if it's an unknown obfuscator
if (deob.Type == "un") {
mdFlags |= MetaDataFlags.PreserveRids |
MetaDataFlags.PreserveUSOffsets |
MetaDataFlags.PreserveBlobOffsets |
MetaDataFlags.PreserveExtraSignatureData;
}
return mdFlags;
}
public void Save() {
Logger.n("Saving {0}", options.NewFilename);
var mdFlags = GetMetaDataFlags();
if (!options.ControlFlowDeobfuscation)
mdFlags |= MetaDataFlags.KeepOldMaxStack;
assemblyModule.Save(options.NewFilename, mdFlags, new PrintNewTokens(module, deob as IModuleWriterListener));
}
IList<MethodDef> GetAllMethods() {
var list = new List<MethodDef>();
foreach (var type in module.GetTypes()) {
foreach (var method in type.Methods)
list.Add(method);
}
return list;
}
public void DeobfuscateBegin() {
switch (options.StringDecrypterType) {
case DecrypterType.None:
CheckSupportedStringDecrypter(StringFeatures.AllowNoDecryption);
break;
case DecrypterType.Static:
CheckSupportedStringDecrypter(StringFeatures.AllowStaticDecryption);
break;
case DecrypterType.Delegate:
case DecrypterType.Emulate:
CheckSupportedStringDecrypter(StringFeatures.AllowDynamicDecryption);
var newProcFactory = assemblyClientFactory as NewProcessAssemblyClientFactory;
if (newProcFactory != null)
assemblyClient = newProcFactory.Create(AssemblyServiceType.StringDecrypter, module);
else
assemblyClient = assemblyClientFactory.Create(AssemblyServiceType.StringDecrypter);
assemblyClient.Connect();
break;
default:
throw new ApplicationException(string.Format("Invalid string decrypter type '{0}'", options.StringDecrypterType));
}
}
public void CheckSupportedStringDecrypter(StringFeatures feature) {
if ((deob.StringFeatures & feature) == feature)
return;
throw new UserException(string.Format("Deobfuscator {0} does not support this string decryption type", deob.TypeLong));
}
public void Deobfuscate() {
Logger.n("Cleaning {0}", options.Filename);
InitAssemblyClient();
for (int i = 0; ; i++) {
byte[] fileData = null;
DumpedMethods dumpedMethods = null;
if (!deob.GetDecryptedModule(i, ref fileData, ref dumpedMethods))
break;
ReloadModule(fileData, dumpedMethods);
}
deob.DeobfuscateBegin();
DeobfuscateMethods();
deob.DeobfuscateEnd();
}
void ReloadModule(byte[] newModuleData, DumpedMethods dumpedMethods) {
Logger.v("Reloading decrypted assembly (original filename: {0})", Filename);
simpleDeobfuscatorFlags.Clear();
using (var oldModule = module) {
module = assemblyModule.Reload(newModuleData, CreateDumpedMethodsRestorer(dumpedMethods), deob as IStringDecrypter);
deob = deob.ModuleReloaded(module);
}
InitializeDeobfuscator();
deob.DeobfuscatedFile = this;
UpdateDynamicStringInliner();
}
DumpedMethodsRestorer CreateDumpedMethodsRestorer(DumpedMethods dumpedMethods) {
if (dumpedMethods == null || dumpedMethods.Count == 0)
return null;
return new DumpedMethodsRestorer(dumpedMethods);
}
void InitAssemblyClient() {
if (assemblyClient == null)
return;
assemblyClient.WaitConnected();
assemblyClient.StringDecrypterService.LoadAssembly(options.Filename);
if (options.StringDecrypterType == DecrypterType.Delegate)
assemblyClient.StringDecrypterService.SetStringDecrypterType(AssemblyData.StringDecrypterType.Delegate);
else if (options.StringDecrypterType == DecrypterType.Emulate)
assemblyClient.StringDecrypterService.SetStringDecrypterType(AssemblyData.StringDecrypterType.Emulate);
else
throw new ApplicationException(string.Format("Invalid string decrypter type '{0}'", options.StringDecrypterType));
dynamicStringInliner = new DynamicStringInliner(assemblyClient);
UpdateDynamicStringInliner();
}
void UpdateDynamicStringInliner() {
if (dynamicStringInliner != null)
dynamicStringInliner.Initialize(GetMethodTokens());
}
IEnumerable<int> GetMethodTokens() {
if (!userStringDecrypterMethods)
return deob.GetStringDecrypterMethods();
var tokens = new List<int>();
foreach (var val in options.StringDecrypterMethods) {
var tokenStr = val.Trim();
if (Utils.StartsWith(tokenStr, "0x", StringComparison.OrdinalIgnoreCase))
tokenStr = tokenStr.Substring(2);
int methodToken;
if (int.TryParse(tokenStr, NumberStyles.HexNumber, null, out methodToken))
tokens.Add(methodToken);
else
tokens.AddRange(FindMethodTokens(val));
}
return tokens;
}
IEnumerable<int> FindMethodTokens(string methodDesc) {
var tokens = new List<int>();
string typeString, methodName;
string[] argsStrings;
SplitMethodDesc(methodDesc, out typeString, out methodName, out argsStrings);
foreach (var type in module.GetTypes()) {
if (typeString != null && typeString != type.FullName)
continue;
foreach (var method in type.Methods) {
if (!method.IsStatic)
continue;
if (method.MethodSig.GetRetType().GetElementType() != ElementType.String && method.MethodSig.GetRetType().GetElementType() != ElementType.Object)
continue;
if (methodName != null && methodName != method.Name)
continue;
var sig = method.MethodSig;
if (argsStrings == null) {
if (sig.Params.Count == 0)
continue;
}
else {
if (argsStrings.Length != sig.Params.Count)
continue;
for (int i = 0; i < argsStrings.Length; i++) {
if (argsStrings[i] != sig.Params[i].FullName)
continue;
}
}
Logger.v("Adding string decrypter; token: {0:X8}, method: {1}", method.MDToken.ToInt32(), Utils.RemoveNewlines(method.FullName));
tokens.Add(method.MDToken.ToInt32());
}
}
return tokens;
}
static void SplitMethodDesc(string methodDesc, out string type, out string name, out string[] args) {
string stringArgs = null;
args = null;
type = null;
name = null;
var remaining = methodDesc;
int index = remaining.LastIndexOf("::");
if (index >= 0) {
type = remaining.Substring(0, index);
remaining = remaining.Substring(index + 2);
}
index = remaining.IndexOf('(');
if (index >= 0) {
name = remaining.Substring(0, index);
remaining = remaining.Substring(index);
}
else {
name = remaining;
remaining = "";
}
if (Utils.StartsWith(remaining, "(", StringComparison.Ordinal)) {
stringArgs = remaining;
}
else if (remaining.Length > 0)
throw new UserException(string.Format("Invalid method desc: '{0}'", methodDesc));
if (stringArgs != null) {
if (Utils.StartsWith(stringArgs, "(", StringComparison.Ordinal))
stringArgs = stringArgs.Substring(1);
if (stringArgs.EndsWith(")", StringComparison.Ordinal))
stringArgs = stringArgs.Substring(0, stringArgs.Length - 1);
args = stringArgs.Split(',');
for (int i = 0; i < args.Length; i++)
args[i] = args[i].Trim();
}
if (type == "")
type = null;
if (name == "")
name = null;
}
public void DeobfuscateEnd() {
DeobfuscateCleanUp();
}
public void DeobfuscateCleanUp() {
if (assemblyClient != null) {
assemblyClient.Dispose();
assemblyClient = null;
}
}
void DeobfuscateMethods() {
if (savedMethodBodies != null) {
savedMethodBodies.RestoreAll();
savedMethodBodies = null;
}
deob.DeobfuscatedFile = null;
if (!options.ControlFlowDeobfuscation) {
if (options.KeepObfuscatorTypes || deob.Type == "un")
return;
}
bool isVerbose = !Logger.Instance.IgnoresEvent(LoggerEvent.Verbose);
bool isVV = !Logger.Instance.IgnoresEvent(LoggerEvent.VeryVerbose);
if (isVerbose)
Logger.v("Deobfuscating methods");
var methodPrinter = new MethodPrinter();
var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators);
foreach (var method in GetAllMethods()) {
if (isVerbose) {
Logger.v("Deobfuscating {0} ({1:X8})", Utils.RemoveNewlines(method), method.MDToken.ToUInt32());
Logger.Instance.Indent();
}
int oldIndentLevel = Logger.Instance.IndentLevel;
//TODO: Re-enable exception handler
//try {
Deobfuscate(method, cflowDeobfuscator, methodPrinter, isVerbose, isVV);
/*}
catch (Exception ex) {
if (!CanLoadMethodBody(method)) {
if (isVerbose)
Logger.v("Invalid method body. {0:X8}", method.MDToken.ToInt32());
method.Body = new CilBody();
}
else {
Logger.w("Could not deobfuscate method {0:X8}. Hello, E.T.: {1}", // E.T. = exception type
method.MDToken.ToInt32(),
ex.GetType());
}
}
finally {
Logger.Instance.IndentLevel = oldIndentLevel;
}*/
RemoveNoInliningAttribute(method);
if (isVerbose)
Logger.Instance.DeIndent();
}
}
static bool CanLoadMethodBody(MethodDef method) {
try {
var body = method.Body;
return true;
}
catch {
return false;
}
}
bool CanOptimizeLocals() {
// Don't remove any locals if we must preserve StandAloneSig table
return (GetMetaDataFlags() & MetaDataFlags.PreserveStandAloneSigRids) == 0;
}
void Deobfuscate(MethodDef method, BlocksCflowDeobfuscator cflowDeobfuscator, MethodPrinter methodPrinter, bool isVerbose, bool isVV) {
if (!HasNonEmptyBody(method))
return;
var blocks = new Blocks(method);
int numRemovedLocals = 0;
int oldNumInstructions = method.Body.Instructions.Count;
deob.DeobfuscateMethodBegin(blocks);
if (options.ControlFlowDeobfuscation) {
cflowDeobfuscator.Initialize(blocks);
cflowDeobfuscator.Deobfuscate();
}
if (deob.DeobfuscateOther(blocks) && options.ControlFlowDeobfuscation)
cflowDeobfuscator.Deobfuscate();
if (options.ControlFlowDeobfuscation) {
if (CanOptimizeLocals())
numRemovedLocals = blocks.OptimizeLocals();
blocks.RepartitionBlocks();
}
DeobfuscateStrings(blocks);
deob.DeobfuscateMethodEnd(blocks);
IList<Instruction> allInstructions;
IList<ExceptionHandler> allExceptionHandlers;
blocks.GetCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.RestoreBody(method, allInstructions, allExceptionHandlers);
if (isVerbose && numRemovedLocals > 0)
Logger.v("Removed {0} unused local(s)", numRemovedLocals);
int numRemovedInstructions = oldNumInstructions - method.Body.Instructions.Count;
if (isVerbose && numRemovedInstructions > 0)
Logger.v("Removed {0} dead instruction(s)", numRemovedInstructions);
if (isVV) {
Logger.Log(LoggerEvent.VeryVerbose, "Deobfuscated code:");
Logger.Instance.Indent();
methodPrinter.Print(LoggerEvent.VeryVerbose, allInstructions, allExceptionHandlers);
Logger.Instance.DeIndent();
}
}
bool HasNonEmptyBody(MethodDef method) {
return method.HasBody && method.Body.Instructions.Count > 0;
}
void DeobfuscateStrings(Blocks blocks) {
switch (options.StringDecrypterType) {
case DecrypterType.None:
break;
case DecrypterType.Static:
deob.DeobfuscateStrings(blocks);
break;
case DecrypterType.Delegate:
case DecrypterType.Emulate:
dynamicStringInliner.Decrypt(blocks);
break;
default:
throw new ApplicationException(string.Format("Invalid string decrypter type '{0}'", options.StringDecrypterType));
}
}
void RemoveNoInliningAttribute(MethodDef method) {
method.IsNoInlining = false;
for (int i = 0; i < method.CustomAttributes.Count; i++) {
var cattr = method.CustomAttributes[i];
if (cattr.TypeFullName != "System.Runtime.CompilerServices.MethodImplAttribute")
continue;
int options = 0;
if (!GetMethodImplOptions(cattr, ref options))
continue;
if (options != 0 && options != (int)MethodImplAttributes.NoInlining)
continue;
method.CustomAttributes.RemoveAt(i);
i--;
}
}
static bool GetMethodImplOptions(CustomAttribute cattr, ref int value) {
if (cattr.IsRawBlob)
return false;
if (cattr.ConstructorArguments.Count != 1)
return false;
if (cattr.ConstructorArguments[0].Type.ElementType != ElementType.I2 &&
cattr.ConstructorArguments[0].Type.FullName != "System.Runtime.CompilerServices.MethodImplOptions")
return false;
var arg = cattr.ConstructorArguments[0].Value;
if (arg is short) {
value = (short)arg;
return true;
}
if (arg is int) {
value = (int)arg;
return true;
}
return false;
}
public override string ToString() {
if (options == null || options.Filename == null)
return base.ToString();
return options.Filename;
}
[Flags]
enum SimpleDeobFlags {
HasDeobfuscated = 0x1,
}
Dictionary<MethodDef, SimpleDeobFlags> simpleDeobfuscatorFlags = new Dictionary<MethodDef, SimpleDeobFlags>();
bool Check(MethodDef method, SimpleDeobFlags flag) {
if (method == null)
return false;
SimpleDeobFlags oldFlags;
simpleDeobfuscatorFlags.TryGetValue(method, out oldFlags);
simpleDeobfuscatorFlags[method] = oldFlags | flag;
return (oldFlags & flag) == flag;
}
bool Clear(MethodDef method, SimpleDeobFlags flag) {
if (method == null)
return false;
SimpleDeobFlags oldFlags;
if (!simpleDeobfuscatorFlags.TryGetValue(method, out oldFlags))
return false;
simpleDeobfuscatorFlags[method] = oldFlags & ~flag;
return true;
}
void Deobfuscate(MethodDef method, string msg, Action<Blocks> handler) {
if (savedMethodBodies != null)
savedMethodBodies.Save(method);
Logger.v("{0}: {1} ({2:X8})", msg, Utils.RemoveNewlines(method), method.MDToken.ToUInt32());
Logger.Instance.Indent();
if (HasNonEmptyBody(method)) {
try {
var blocks = new Blocks(method);
handler(blocks);
IList<Instruction> allInstructions;
IList<ExceptionHandler> allExceptionHandlers;
blocks.GetCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.RestoreBody(method, allInstructions, allExceptionHandlers);
}
catch {
Logger.v("Could not deobfuscate {0:X8}", method.MDToken.ToInt32());
}
}
Logger.Instance.DeIndent();
}
void ISimpleDeobfuscator.MethodModified(MethodDef method) {
Clear(method, SimpleDeobFlags.HasDeobfuscated);
}
void ISimpleDeobfuscator.Deobfuscate(MethodDef method) {
((ISimpleDeobfuscator)this).Deobfuscate(method, 0);
}
void ISimpleDeobfuscator.Deobfuscate(MethodDef method, SimpleDeobfuscatorFlags flags) {
bool force = (flags & SimpleDeobfuscatorFlags.Force) != 0;
if (method == null || (!force && Check(method, SimpleDeobFlags.HasDeobfuscated)))
return;
Deobfuscate(method, "Deobfuscating control flow", (blocks) => {
bool disableNewCFCode = (flags & SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs) != 0;
var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators, disableNewCFCode);
cflowDeobfuscator.Initialize(blocks);
cflowDeobfuscator.Deobfuscate();
});
}
void ISimpleDeobfuscator.DecryptStrings(MethodDef method, IDeobfuscator theDeob) {
Deobfuscate(method, "Static string decryption", (blocks) => theDeob.DeobfuscateStrings(blocks));
}
void IDeobfuscatedFile.CreateAssemblyFile(byte[] data, string assemblyName, string extension) {
if (extension == null)
extension = ".dll";
var baseDir = Utils.GetDirName(options.NewFilename);
var newName = Path.Combine(baseDir, assemblyName + extension);
Logger.n("Creating file {0}", newName);
File.WriteAllBytes(newName, data);
}
void IDeobfuscatedFile.StringDecryptersAdded() {
UpdateDynamicStringInliner();
}
void IDeobfuscatedFile.SetDeobfuscator(IDeobfuscator deob) {
this.deob = deob;
}
public void Dispose() {
DeobfuscateCleanUp();
if (module != null)
module.Dispose();
if (deob != null)
deob.Dispose();
module = null;
deob = null;
}
}
}
Reference in New Issue View Git Blame Copy Permalink