Merge branch 'master' into new_code

Conflicts:
	de4dot.code/de4dot.code.csproj

AssemblyData/Properties/AssemblyInfo.cs

@@ -29,5 +29,5 @@ You should have received a copy of the GNU General Public License
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("1.8.6.3405")]
-[assembly: AssemblyFileVersion("1.8.6.3405")]
+[assembly: AssemblyVersion("1.8.7.3405")]
+[assembly: AssemblyFileVersion("1.8.7.3405")]

AssemblyServer-x64/Properties/AssemblyInfo.cs

@@ -29,5 +29,5 @@ You should have received a copy of the GNU General Public License
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("1.8.6.3405")]
-[assembly: AssemblyFileVersion("1.8.6.3405")]
+[assembly: AssemblyVersion("1.8.7.3405")]
+[assembly: AssemblyFileVersion("1.8.7.3405")]

AssemblyServer/Properties/AssemblyInfo.cs

@@ -29,5 +29,5 @@ You should have received a copy of the GNU General Public License
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("1.8.6.3405")]
-[assembly: AssemblyFileVersion("1.8.6.3405")]
+[assembly: AssemblyVersion("1.8.7.3405")]
+[assembly: AssemblyFileVersion("1.8.7.3405")]

Test.Rename.Dll/Properties/AssemblyInfo.cs

@@ -29,5 +29,5 @@ You should have received a copy of the GNU General Public License
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("1.8.6.3405")]
-[assembly: AssemblyFileVersion("1.8.6.3405")]
+[assembly: AssemblyVersion("1.8.7.3405")]
+[assembly: AssemblyFileVersion("1.8.7.3405")]

Test.Rename/Properties/AssemblyInfo.cs

@@ -29,5 +29,5 @@ You should have received a copy of the GNU General Public License
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("1.8.6.3405")]
-[assembly: AssemblyFileVersion("1.8.6.3405")]
+[assembly: AssemblyVersion("1.8.7.3405")]
+[assembly: AssemblyFileVersion("1.8.7.3405")]

blocks/DotNetUtils.cs

@@ -462,11 +462,23 @@ public static MethodDefinition getMethod(TypeDefinition type, MethodReference me
 		}
 
 		public static MethodDefinition getMethod(ModuleDefinition module, MethodReference method) {
+			if (method == null)
+				return null;
+			return getMethod(module, method, method.DeclaringType);
+		}
+
+		public static MethodDefinition getMethod2(ModuleDefinition module, MethodReference method) {
+			if (method == null)
+				return null;
+			return getMethod(module, method, method.DeclaringType.GetElementType());
+		}
+
+		static MethodDefinition getMethod(ModuleDefinition module, MethodReference method, TypeReference declaringType) {
 			if (method == null)
 				return null;
 			if (method is MethodDefinition)
 				return (MethodDefinition)method;
-			return getMethod(getType(module, method.DeclaringType), method);
+			return getMethod(getType(module, declaringType), method);
 		}
 
 		public static MethodDefinition getMethod(TypeDefinition type, string returnType, string parameters) {

blocks/Properties/AssemblyInfo.cs

@@ -29,5 +29,5 @@ You should have received a copy of the GNU General Public License
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("1.8.6.3405")]
-[assembly: AssemblyFileVersion("1.8.6.3405")]
+[assembly: AssemblyVersion("1.8.7.3405")]
+[assembly: AssemblyFileVersion("1.8.7.3405")]

de4dot-x64/Properties/AssemblyInfo.cs

@@ -29,5 +29,5 @@ You should have received a copy of the GNU General Public License
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("1.8.6.3405")]
-[assembly: AssemblyFileVersion("1.8.6.3405")]
+[assembly: AssemblyVersion("1.8.7.3405")]
+[assembly: AssemblyFileVersion("1.8.7.3405")]

de4dot.code/ObfuscatedFile.cs

@@ -731,7 +731,11 @@ void deobfuscate(MethodDefinition method, string msg, Action<Blocks> handler) {
 		}
 
 		void ISimpleDeobfuscator.deobfuscate(MethodDefinition method) {
-			if (check(method, SimpleDeobFlags.HasDeobfuscated))
+			((ISimpleDeobfuscator)this).deobfuscate(method, false);
+		}
+
+		void ISimpleDeobfuscator.deobfuscate(MethodDefinition method, bool force) {
+			if (!force && check(method, SimpleDeobFlags.HasDeobfuscated))
 				return;
 
 			deobfuscate(method, "Deobfuscating control flow", (blocks) => {

de4dot.code/Properties/AssemblyInfo.cs

@@ -29,5 +29,5 @@ You should have received a copy of the GNU General Public License
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
-[assembly: AssemblyVersion("1.8.6.3405")]
-[assembly: AssemblyFileVersion("1.8.6.3405")]
+[assembly: AssemblyVersion("1.8.7.3405")]
+[assembly: AssemblyFileVersion("1.8.7.3405")]

de4dot.code/de4dot.code.csproj

@@ -70,6 +70,14 @@
     <Compile Include="deobfuscators\dotNET_Reactor\v4\ProxyCallFixer.cs" />
     <Compile Include="deobfuscators\ILProtector\MethodReader.cs" />
     <Compile Include="deobfuscators\ILProtector\MethodsDecrypter.cs" />
+    <Compile Include="deobfuscators\DeepSea\ArrayBlockState.cs" />
+    <Compile Include="deobfuscators\MaxtoCode\CryptDecrypter.cs" />
+    <Compile Include="deobfuscators\MaxtoCode\Decrypter6.cs" />
+    <Compile Include="deobfuscators\MaxtoCode\DecrypterInfo.cs" />
+    <Compile Include="deobfuscators\MaxtoCode\EncryptionInfos.cs" />
+    <Compile Include="deobfuscators\MaxtoCode\McKey.cs" />
+    <Compile Include="deobfuscators\MaxtoCode\PeHeader.cs" />
+    <Compile Include="deobfuscators\MaxtoCode\StringDecrypter.cs" />
     <Compile Include="deobfuscators\MethodBodyReaderBase.cs" />
     <Compile Include="deobfuscators\Babel_NET\MethodsDecrypter.cs" />
     <Compile Include="deobfuscators\Babel_NET\ProxyCallFixer.cs" />

de4dot.code/deobfuscators/Blowfish.cs

@@ -318,6 +318,22 @@ public void init(byte[] key) {
 			}
 		}
 
+		public void encrypt_LE(byte[] data) {
+			for (int i = 0; i + 8 <= data.Length; i += 8) {
+				uint xl = BitConverter.ToUInt32(data, i);
+				uint xr = BitConverter.ToUInt32(data, i + 4);
+				encrypt(ref xl, ref xr);
+				data[i] = (byte)xl;
+				data[i + 1] = (byte)(xl >> 8);
+				data[i + 2] = (byte)(xl >> 16);
+				data[i + 3] = (byte)(xl >> 24);
+				data[i + 4] = (byte)xr;
+				data[i + 5] = (byte)(xr >> 8);
+				data[i + 6] = (byte)(xr >> 16);
+				data[i + 7] = (byte)(xr >> 24);
+			}
+		}
+
 		public void encrypt(byte[] data) {
 			for (int i = 0; i + 8 <= data.Length; i += 8) {
 				uint xl = (uint)((data[i] << 24) | (data[i + 1] << 16) | (data[i + 2] << 8) | data[i + 3]);
@@ -347,6 +363,22 @@ protected virtual void encrypt(ref uint rxl, ref uint rxr) {
 			rxl = xr ^ P[17];
 		}
 
+		public void decrypt_LE(byte[] data) {
+			for (int i = 0; i + 8 <= data.Length; i += 8) {
+				uint xl = BitConverter.ToUInt32(data, i);
+				uint xr = BitConverter.ToUInt32(data, i + 4);
+				decrypt(ref xl, ref xr);
+				data[i] = (byte)xl;
+				data[i + 1] = (byte)(xl >> 8);
+				data[i + 2] = (byte)(xl >> 16);
+				data[i + 3] = (byte)(xl >> 24);
+				data[i + 4] = (byte)xr;
+				data[i + 5] = (byte)(xr >> 8);
+				data[i + 6] = (byte)(xr >> 16);
+				data[i + 7] = (byte)(xr >> 24);
+			}
+		}
+
 		public void decrypt(byte[] data) {
 			for (int i = 0; i + 8 <= data.Length; i += 8) {
 				uint xl = (uint)((data[i] << 24) | (data[i + 1] << 16) | (data[i + 2] << 8) | data[i + 3]);

de4dot.code/deobfuscators/DeepSea/ArrayBlockDeobfuscator.cs

@@ -20,73 +20,17 @@ You should have received a copy of the GNU General Public License
 using System.Collections.Generic;
 using Mono.Cecil;
 using Mono.Cecil.Cil;
-using Mono.Cecil.Metadata;
 using de4dot.blocks;
 using de4dot.blocks.cflow;
 
 namespace de4dot.code.deobfuscators.DeepSea {
 	class ArrayBlockDeobfuscator : BlockDeobfuscator {
-		ModuleDefinition module;
-		FieldDefinitionAndDeclaringTypeDict<FieldInfo> fieldToInfo = new FieldDefinitionAndDeclaringTypeDict<FieldInfo>();
-		Dictionary<VariableDefinition, FieldInfo> localToInfo = new Dictionary<VariableDefinition, FieldInfo>();
+		ArrayBlockState arrayBlockState;
+		Dictionary<VariableDefinition, ArrayBlockState.FieldInfo> localToInfo = new Dictionary<VariableDefinition, ArrayBlockState.FieldInfo>();
 		DsConstantsReader constantsReader;
 
-		class FieldInfo {
-			public readonly FieldDefinition field;
-			public readonly FieldDefinition arrayInitField;
-			public readonly byte[] array;
-
-			public FieldInfo(FieldDefinition field, FieldDefinition arrayInitField) {
-				this.field = field;
-				this.arrayInitField = arrayInitField;
-				this.array = (byte[])arrayInitField.InitialValue.Clone();
-			}
-		}
-
-		public bool Detected {
-			get { return fieldToInfo.Count != 0; }
-		}
-
-		public ArrayBlockDeobfuscator(ModuleDefinition module) {
-			this.module = module;
-		}
-
-		public void init() {
-			initializeArrays(DotNetUtils.getModuleTypeCctor(module));
-		}
-
-		void initializeArrays(MethodDefinition method) {
-			if (method == null || method.Body == null)
-				return;
-
-			var instructions = method.Body.Instructions;
-			for (int i = 0; i < instructions.Count; i++) {
-				var ldci4 = instructions[i];
-				if (!DotNetUtils.isLdcI4(ldci4))
-					continue;
-				i++;
-				var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Stsfld);
-				if (instrs == null)
-					continue;
-
-				var arrayType = instrs[0].Operand as TypeReference;
-				if (arrayType == null || arrayType.EType != ElementType.U1)
-					continue;
-
-				var arrayInitField = instrs[2].Operand as FieldDefinition;
-				if (arrayInitField == null || arrayInitField.InitialValue == null || arrayInitField.InitialValue.Length == 0)
-					continue;
-
-				var calledMethod = instrs[3].Operand as MethodReference;
-				if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)")
-					continue;
-
-				var targetField = instrs[4].Operand as FieldDefinition;
-				if (targetField == null)
-					continue;
-
-				fieldToInfo.add(targetField, new FieldInfo(targetField, arrayInitField));
-			}
+		public ArrayBlockDeobfuscator(ArrayBlockState arrayBlockState) {
+			this.arrayBlockState = arrayBlockState;
 		}
 
 		public override void deobfuscateBegin(Blocks blocks) {
@@ -107,7 +51,7 @@ void initLocalToInfo() {
 					if (!stloc.isStloc())
 						continue;
 
-					var info = fieldToInfo.find((FieldReference)ldsfld.Operand);
+					var info = arrayBlockState.getFieldInfo((FieldReference)ldsfld.Operand);
 					if (info == null)
 						continue;
 					var local = DotNetUtils.getLocalVar(blocks.Locals, stloc.Instruction);
@@ -158,7 +102,7 @@ bool deobfuscate1(Block block, int i) {
 			var local = DotNetUtils.getLocalVar(blocks.Locals, ldloc.Instruction);
 			if (local == null)
 				return false;
-			FieldInfo info;
+			ArrayBlockState.FieldInfo info;
 			if (!localToInfo.TryGetValue(local, out info))
 				return false;
 
@@ -183,7 +127,7 @@ bool deobfuscate2(Block block, int i) {
 			var ldsfld = instrs[i];
 			if (ldsfld.OpCode.Code != Code.Ldsfld)
 				return false;
-			var info = fieldToInfo.find(ldsfld.Operand as FieldReference);
+			var info = arrayBlockState.getFieldInfo(ldsfld.Operand as FieldReference);
 			if (info == null)
 				return false;
 
@@ -209,7 +153,7 @@ bool deobfuscate3(Block block, int i) {
 			var ldsfld = instrs[i];
 			if (ldsfld.OpCode.Code != Code.Ldsfld)
 				return false;
-			var info = fieldToInfo.find(ldsfld.Operand as FieldReference);
+			var info = arrayBlockState.getFieldInfo(ldsfld.Operand as FieldReference);
 			if (info == null)
 				return false;
 
@@ -237,90 +181,5 @@ DsConstantsReader getConstantsReader(Block block) {
 				return constantsReader;
 			return constantsReader = new DsConstantsReader(block.Instructions);
 		}
-
-		public IEnumerable<FieldDefinition> cleanUp() {
-			var removedFields = new List<FieldDefinition>();
-			var moduleCctor = DotNetUtils.getModuleTypeCctor(module);
-			if (moduleCctor == null)
-				return removedFields;
-			var moduleCctorBlocks = new Blocks(moduleCctor);
-
-			var keep = findFieldsToKeep();
-			foreach (var fieldInfo in fieldToInfo.getValues()) {
-				if (keep.ContainsKey(fieldInfo))
-					continue;
-				if (removeInitCode(moduleCctorBlocks, fieldInfo)) {
-					removedFields.Add(fieldInfo.field);
-					removedFields.Add(fieldInfo.arrayInitField);
-				}
-				fieldInfo.arrayInitField.InitialValue = new byte[1];
-				fieldInfo.arrayInitField.FieldType = module.TypeSystem.Byte;
-			}
-
-			IList<Instruction> allInstructions;
-			IList<ExceptionHandler> allExceptionHandlers;
-			moduleCctorBlocks.getCode(out allInstructions, out allExceptionHandlers);
-			DotNetUtils.restoreBody(moduleCctorBlocks.Method, allInstructions, allExceptionHandlers);
-			return removedFields;
-		}
-
-		bool removeInitCode(Blocks blocks, FieldInfo info) {
-			bool removedSomething = false;
-			foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
-				var instrs = block.Instructions;
-				for (int i = 0; i < instrs.Count - 5; i++) {
-					var ldci4 = instrs[i];
-					if (!ldci4.isLdcI4())
-						continue;
-					if (instrs[i + 1].OpCode.Code != Code.Newarr)
-						continue;
-					if (instrs[i + 2].OpCode.Code != Code.Dup)
-						continue;
-					var ldtoken = instrs[i + 3];
-					if (ldtoken.OpCode.Code != Code.Ldtoken)
-						continue;
-					if (ldtoken.Operand != info.arrayInitField)
-						continue;
-					var call = instrs[i + 4];
-					if (call.OpCode.Code != Code.Call)
-						continue;
-					var calledMethod = call.Operand as MethodReference;
-					if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)")
-						continue;
-					var stsfld = instrs[i + 5];
-					if (stsfld.OpCode.Code != Code.Stsfld)
-						continue;
-					if (stsfld.Operand != info.field)
-						continue;
-					block.remove(i, 6);
-					i--;
-					removedSomething = true;
-				}
-			}
-			return removedSomething;
-		}
-
-		Dictionary<FieldInfo, bool> findFieldsToKeep() {
-			var keep = new Dictionary<FieldInfo, bool>();
-			foreach (var type in module.GetTypes()) {
-				foreach (var method in type.Methods) {
-					if (type == DotNetUtils.getModuleType(module) && method.Name == ".cctor")
-						continue;
-					if (method.Body == null)
-						continue;
-
-					foreach (var instr in method.Body.Instructions) {
-						var field = instr.Operand as FieldReference;
-						if (field == null)
-							continue;
-						var fieldInfo = fieldToInfo.find(field);
-						if (fieldInfo == null)
-							continue;
-						keep[fieldInfo] = true;
-					}
-				}
-			}
-			return keep;
-		}
 	}
 }