Beispiel #1
 /// <summary>
 /// Creates a constants decrypter by storing the four collaborators it is given.
 /// The constructor does no other work and validates none of its arguments.
 /// </summary>
 /// <param name="module">Module definition kept in <c>_module</c>.</param>
 /// <param name="lzmaMethod">
 /// Method definition kept in <c>_lzmaMethod</c>.
 /// NOTE(review): not null-checked here; confirm whether callers may pass null
 /// when no LZMA routine was located.
 /// </param>
 /// <param name="deobfsucator">
 /// Simple deobfuscator kept in <c>_deobfuscator</c>. The parameter name is misspelt
 /// in the original signature and is left as is so named arguments keep working.
 /// </param>
 /// <param name="nativeEmulator">x86 emulator kept in <c>_nativeEmulator</c>.</param>
 public ConstantsDecrypter(ModuleDef module, MethodDef lzmaMethod, ISimpleDeobfuscator deobfsucator, x86Emulator nativeEmulator)
 {
     this._module = module;
     this._lzmaMethod = lzmaMethod;
     this._deobfuscator = deobfsucator;
     this._nativeEmulator = nativeEmulator;
 }
Beispiel #2
            /// <summary>
            /// Builds every helper this deobfuscator uses and runs their detection passes,
            /// in a fixed order: emulator, control-flow fixer, LZMA finder, constant and
            /// resource decrypters, proxy-call fixer, then the ConfuserEx attribute check.
            /// </summary>
            /// <remarks>
            /// NOTE(review): the module being scanned is obfuscated and should be treated as
            /// untrusted input. Confirm that <c>x86Emulator</c> only interprets the native code
            /// it reads from the module and that a failure in any <c>Find()</c> call is handled
            /// by the caller; nothing here catches exceptions.
            /// </remarks>
            protected override void ScanForObfuscator()
            {
                // One emulator instance is created from the module and shared by all helpers below.
                var emulator = new x86Emulator(DeobUtils.ReadModule(module));
                _nativeEmulator = emulator;
                _controlFlowFixer = new ControlFlowFixer(emulator);

                // Locate the LZMA routine first; both decrypters take its method as input.
                _lzmaFinder = new LzmaFinder(module, DeobfuscatedFile);
                _lzmaFinder.Find();

                // The decrypters are constructed before FoundLzma is consulted, so they receive
                // whatever Method holds at this point (presumably null when nothing was found;
                // confirm). Their Find() passes only run when the LZMA routine exists.
                _constantDecrypter = new ConstantsDecrypter(module, _lzmaFinder.Method, DeobfuscatedFile, emulator);
                _resourceDecrypter = new ResourceDecrypter(module, _lzmaFinder.Method, DeobfuscatedFile);
                if (_lzmaFinder.FoundLzma)
                {
                    _constantDecrypter.Find();
                    _resourceDecrypter.Find();
                }

                // Proxy-call detection runs regardless of the LZMA result.
                _proxyCallFixer = new ProxyCallFixer(module, DeobfuscatedFile, emulator);
                _proxyCallFixer.FindDelegateCreatorMethod();
                _proxyCallFixer.Find();

                DetectConfuserExAttribute();
            }
Beispiel #3
 /// <summary>
 /// Creates a control-flow fixer that keeps a reference to the given x86 emulator.
 /// </summary>
 /// <param name="nativeEmulator">
 /// Emulator stored in <c>_nativeEmulator</c>. It is not null-checked here, so a null
 /// argument would only surface when the field is later dereferenced.
 /// </param>
 public ControlFlowFixer(x86Emulator nativeEmulator)
 {
     this._nativeEmulator = nativeEmulator;
 }
Beispiel #4
 /// <summary>
 /// Base-class constructor for constant decrypters; records the x86 emulator
 /// that is passed in and does nothing else.
 /// </summary>
 /// <param name="nativeEmulator">
 /// Emulator stored in <c>_nativeEmulator</c>. No validation is performed on it.
 /// </param>
 public ConstantDecrypterBase(x86Emulator nativeEmulator)
 {
     this._nativeEmulator = nativeEmulator;
 }
Beispiel #5
 /// <summary>
 /// Creates a proxy-call fixer: the module is handed to the base-class constructor,
 /// and the deobfuscator and emulator are stored on this instance.
 /// </summary>
 /// <param name="module">Module forwarded unchanged to <c>base(module)</c>.</param>
 /// <param name="simpleDeobfuscator">Deobfuscator kept in <c>_simpleDeobfuscator</c>.</param>
 /// <param name="nativeEmulator">
 /// x86 emulator kept in <c>_nativeEmulator</c>. Neither it nor the deobfuscator is
 /// null-checked in this constructor.
 /// </param>
 public ProxyCallFixer(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, x86Emulator nativeEmulator)
     : base(module)
 {
     this._simpleDeobfuscator = simpleDeobfuscator;
     this._nativeEmulator = nativeEmulator;
 }