high6 Posted August 9, 2008 Posted August 9, 2008 I was wondering if anyone could help me with deobfuscating calls, removing useless stuff. I am getting confused with conditional jumps. I currently have my program step through the call line by line, but when it gets to a conditional jump I am not sure what to do. I have tried recursion, but that ends up messing up on loops.
GamingMasteR Posted August 9, 2008 Posted August 9, 2008 (edited) It depends on the obfuscation method itself ... Can't give a generic method Edited August 9, 2008 by Sadistic-X
high6 Posted August 9, 2008 Author Posted August 9, 2008 "It depends on the obfuscation method itself ... Can't give a generic method" Dotfuscator (.NET). It turns most ifs into switches. I have got resolving the switches down, but the conditional jumps have me stuck.
GamingMasteR Posted August 9, 2008 Posted August 9, 2008 Oh i thought you mean native code not .NET ...
high6 Posted August 10, 2008 Author Posted August 10, 2008 Well what I am stuck at is in both native and cil.
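high6 Posted August 10, 2008 Author Posted August 10, 2008 (edited) Well I have tried many variations of this(I use cecil http://www.go-mono.com/mono-downloads/download.html)

/// <summary>
/// Walks the instruction stream starting at <paramref name="cur"/> and flattens it
/// into a linear list, stopping once a <c>ret</c> has been recorded or the stream ends.
/// </summary>
/// <remarks>
/// <c>endfinally</c> and <c>endfilter</c> are dropped. <c>leave</c>/<c>leave.s</c> are rewritten
/// in place to <c>br</c>/<c>br.s</c>, recorded, and the walk continues with the next instruction.
/// A branch whose target is <c>ldloc</c> followed by <c>switch</c> is treated as a jump to the
/// dispatcher and resolved straight to the selected switch target. Any other unconditional
/// branch is followed without being recorded, and every remaining branch has its fall-through
/// side expanded by <see cref="TraceIntoIf"/>.
/// </remarks>
/// <param name="m">Method being traced; only forwarded to <see cref="TraceIntoIf"/>.</param>
/// <param name="cur">Instruction to start from; a null value yields an empty array.</param>
/// <returns>The recorded instructions, in the order they were visited.</returns>
Instruction[] TraceUntilRet(MethodDefinition m, Instruction cur)
{
    // NOTE(review): nothing here records which instructions were already visited, so a
    // branch cycle in the analysed method can keep this loop (or the recursion through
    // TraceIntoIf) running without end. An obfuscated assembly is untrusted input, so the
    // trace needs a visited set or a step budget before it is run unattended.
    List<Instruction> ret = new List<Instruction>();
    while (cur != null)
    {
        if (cur.OpCode == OpCodes.Endfinally || cur.OpCode == OpCodes.Endfilter)
        {
            // Handler terminators are skipped and never recorded.
            cur = cur.Next;
            continue;
        }
        else if (cur.OpCode == OpCodes.Leave)
        {
            // NOTE(review): this mutates the Instruction object itself, presumably the one
            // owned by the method body, so the change outlives the trace. Confirm intended.
            cur.OpCode = OpCodes.Br;
        }
        else if (cur.OpCode == OpCodes.Leave_S)
        {
            cur.OpCode = OpCodes.Br_S;
        }
        else if (cur.Operand is Instruction)
        {
            Instruction br = (Instruction)cur.Operand;

            // Dispatcher pattern: the branch lands on "ldloc; switch". br.Next is checked
            // for null so an ldloc that ends the stream no longer throws.
            if (br.OpCode == OpCodes.Ldloc && br.Next != null && br.Next.OpCode == OpCodes.Switch
                && cur.Previous != null && cur.Previous.Previous != null)
            {
                // Drop the two entries recorded just before this branch.
                // NOTE(review): assumes ret holds at least two entries and that they are the
                // state-setting pair; RemoveAt throws otherwise.
                ret.RemoveAt(ret.Count - 1);
                ret.RemoveAt(ret.Count - 1);

                // NOTE(review): the operand is unboxed as int and used as an index without a
                // type or range check; both values come from the analysed method body.
                int num = (int)cur.Previous.Previous.Operand;
                cur = ((Instruction[])br.Next.Operand)[num];
                continue;
            }

            if (cur.OpCode == OpCodes.Br || cur.OpCode == OpCodes.Br_S)
            {
                // Unconditional jump: follow it and leave the branch itself out of the result.
                cur = br;
                continue;
            }

            // Any other branch: expand the fall-through side up to the branch target.
            Instruction[] IF = TraceIntoIf(m, cur, br.Offset);
            ret.AddRange(IF);
            if (IF.Length > 0)
            {
                // The branch is kept only when its fall-through side produced instructions.
                ret.Add(cur);
            }
            cur = br;
            continue;
        }
        else if (cur.OpCode == OpCodes.Ret)
        {
            ret.Add(cur);
            break;
        }

        ret.Add(cur);
        cur = cur.Next;
    }
    return ret.ToArray();
}

// Declared in the original post; neither method in this listing reads or writes it.
List<int> Trace = new List<int>();

/// <summary>
/// Records the instructions between the branch <paramref name="cur"/> and the instruction
/// at offset <paramref name="dest"/>, applying the same rewriting rules as
/// <see cref="TraceUntilRet"/>.
/// </summary>
/// <remarks>
/// Author's note from the original post: this can loop forever and still needs to detect
/// <c>while (something.True())</c>-style loops.
/// </remarks>
/// <param name="m">Method being traced; only forwarded to recursive calls.</param>
/// <param name="cur">The branch instruction; tracing starts at the instruction after it.</param>
/// <param name="dest">Offset at which tracing stops.</param>
/// <returns>
/// The recorded instructions. A <c>ret</c> ends the trace and is not recorded.
/// </returns>
Instruction[] TraceIntoIf(MethodDefinition m, Instruction cur, int dest)
{
    List<Instruction> ret = new List<Instruction>();
    cur = cur.Next;

    // The null check ends the trace cleanly when the walk runs off the end of the stream
    // before reaching dest (for example when dest lies behind the branch); the original
    // dereferenced null at that point.
    while (cur != null && cur.Offset != dest)
    {
        if (cur.OpCode == OpCodes.Endfinally || cur.OpCode == OpCodes.Endfilter)
        {
            cur = cur.Next;
            continue;
        }
        else if (cur.OpCode == OpCodes.Leave)
        {
            // In-place rewrite, as in TraceUntilRet.
            cur.OpCode = OpCodes.Br;
        }
        else if (cur.OpCode == OpCodes.Leave_S)
        {
            cur.OpCode = OpCodes.Br_S;
        }
        else if (cur.Operand is Instruction)
        {
            Instruction br = (Instruction)cur.Operand;

            if (br.OpCode == OpCodes.Ldloc && br.Next != null && br.Next.OpCode == OpCodes.Switch
                && cur.Previous != null && cur.Previous.Previous != null)
            {
                // NOTE(review): ret is local to this call and starts empty, so the two
                // entries removed here may not exist; RemoveAt throws in that case.
                ret.RemoveAt(ret.Count - 1);
                ret.RemoveAt(ret.Count - 1);

                // NOTE(review): unchecked unboxing and indexing, driven by the analysed body.
                int num = (int)cur.Previous.Previous.Operand;
                cur = ((Instruction[])br.Next.Operand)[num];
                continue;
            }

            if (cur.OpCode == OpCodes.Br || cur.OpCode == OpCodes.Br_S)
            {
                cur = br;
                continue;
            }

            // NOTE(review): recursion depth is bounded only by the shape of the analysed
            // method; a branch that leads back to itself recurses until the stack is gone.
            Instruction[] IF = TraceIntoIf(m, cur, br.Offset);
            ret.AddRange(IF);
            if (IF.Length > 0)
            {
                ret.Add(cur);
            }
            cur = br;
            continue;
        }
        else if (cur.OpCode == OpCodes.Ret)
        {
            // The original post has ret.Add(cur) commented out here: ret is not recorded.
            break;
        }

        ret.Add(cur);
        cur = cur.Next;
    }
    return ret.ToArray();
}

Edited August 10, 2008 by high6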