void detectObfuscator(IEnumerable <IDeobfuscator> deobfuscators) { // The deobfuscators may call methods to deobfuscate control flow and decrypt // strings (statically) in order to detect the obfuscator. if (!options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None) { savedMethodBodies = new SavedMethodBodies(); } // It's not null if it unpacked a native file if (this.deob != null) { deob.init(module); deob.DeobfuscatedFile = this; deob.earlyDetect(); deob.detect(); return; } foreach (var deob in deobfuscators) { deob.init(module); deob.DeobfuscatedFile = this; } if (options.ForcedObfuscatorType != null) { foreach (var deob in deobfuscators) { if (string.Equals(options.ForcedObfuscatorType, deob.Type, StringComparison.OrdinalIgnoreCase)) { deob.earlyDetect(); this.deob = deob; deob.detect(); return; } } } else { this.deob = earlyDetectObfuscator(deobfuscators); if (this.deob == null) { this.deob = detectObfuscator2(deobfuscators); } else { this.deob.detect(); } } }
IDeobfuscator detectObfuscator2(IEnumerable <IDeobfuscator> deobfuscators) { var allDetected = new List <IDeobfuscator>(); IDeobfuscator detected = null; int detectVal = 0; foreach (var deob in deobfuscators) { this.deob = deob; // So we can call deob.CanInlineMethods in deobfuscate() int val; try { val = deob.detect(); } catch { val = deob.Type == "un" ? 1 : 0; } Logger.v("{0,3}: {1}", val, deob.TypeLong); if (val > 0 && deob.Type != "un") { allDetected.Add(deob); } if (val > detectVal) { detectVal = val; detected = deob; } } this.deob = null; if (allDetected.Count > 1) { Logger.n("More than one obfuscator detected:"); Logger.Instance.indent(); foreach (var deob in allDetected) { Logger.n("{0} (use: -p {1})", deob.Name, deob.Type); } Logger.Instance.deIndent(); } return(detected); }
IDeobfuscator detectObfuscator2(IEnumerable<IDeobfuscator> deobfuscators) { var allDetected = new List<IDeobfuscator>(); IDeobfuscator detected = null; int detectVal = 0; foreach (var deob in deobfuscators) { this.deob = deob; // So we can call deob.CanInlineMethods in deobfuscate() int val = deob.detect(); Log.v("{0,3}: {1}", val, deob.TypeLong); if (val > 0 && deob.Type != "un") allDetected.Add(deob); if (val > detectVal) { detectVal = val; detected = deob; } } this.deob = null; if (allDetected.Count > 1) { Log.n("More than one obfuscator detected:"); Log.indent(); foreach (var deob in allDetected) Log.n("{0} (use: -p {1})", deob.Name, deob.Type); Log.deIndent(); } return detected; }
void detectObfuscator(IEnumerable<IDeobfuscator> deobfuscators) { // The deobfuscators may call methods to deobfuscate control flow and decrypt // strings (statically) in order to detect the obfuscator. if (!options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None) savedMethodBodies = new SavedMethodBodies(); // It's not null if it unpacked a native file if (this.deob != null) { deob.init(module); deob.DeobfuscatedFile = this; deob.earlyDetect(); deob.detect(); return; } foreach (var deob in deobfuscators) { deob.init(module); deob.DeobfuscatedFile = this; } if (options.ForcedObfuscatorType != null) { foreach (var deob in deobfuscators) { if (string.Equals(options.ForcedObfuscatorType, deob.Type, StringComparison.OrdinalIgnoreCase)) { deob.earlyDetect(); this.deob = deob; deob.detect(); return; } } } else { this.deob = earlyDetectObfuscator(deobfuscators); if (this.deob == null) this.deob = detectObfuscator2(deobfuscators); else this.deob.detect(); } }
IDeobfuscator detectObfuscator2(IEnumerable<IDeobfuscator> deobfuscators) { IDeobfuscator detected = null; int detectVal = 0; foreach (var deob in deobfuscators) { this.deob = deob; // So we can call deob.CanInlineMethods in deobfuscate() int val = deob.detect(); Log.v("{0,3}: {1}", val, deob.TypeLong); if (val > detectVal) { detectVal = val; detected = deob; } } this.deob = null; return detected; }