more arith deob
This commit is contained in:
Adam
@@ -13,6 +13,7 @@ import info.sigterm.deob.Method;
|
||||
import info.sigterm.deob.attributes.Code;
|
||||
import info.sigterm.deob.attributes.code.Instruction;
|
||||
import info.sigterm.deob.attributes.code.Instructions;
|
||||
import info.sigterm.deob.attributes.code.instruction.types.ComparisonInstruction;
|
||||
import info.sigterm.deob.attributes.code.instruction.types.GetFieldInstruction;
|
||||
import info.sigterm.deob.attributes.code.instruction.types.InvokeInstruction;
|
||||
import info.sigterm.deob.attributes.code.instruction.types.LVTInstruction;
|
||||
@@ -48,7 +49,7 @@ public class ModularArithmeticDeobfuscation
|
||||
}
|
||||
}
|
||||
|
||||
// check for popping instruction to be a LVT get
|
||||
// lvt = field * constant
|
||||
private static boolean checkLVTGet(InstructionContext popCtx)
|
||||
{
|
||||
if (!(popCtx.getInstruction() instanceof LVTInstruction))
|
||||
@@ -70,10 +71,32 @@ public class ModularArithmeticDeobfuscation
|
||||
return true;
|
||||
}
|
||||
|
||||
// lvt comparison field * constant
|
||||
private static boolean checkCompare(InstructionContext popCtx)
|
||||
{
|
||||
if (!(popCtx.getInstruction() instanceof ComparisonInstruction))
|
||||
return false;
|
||||
|
||||
// make sure comparison is against lvt
|
||||
List<StackContext> pops = popCtx.getPops(); // things popCtx popped
|
||||
for (StackContext ctx : pops) // one of these is the imul
|
||||
{
|
||||
InstructionContext pushCtx = ctx.getPushed(); // instruction which pushed this here
|
||||
if (pushCtx.getInstruction() instanceof LVTInstruction)
|
||||
{
|
||||
LVTInstruction lvt = (LVTInstruction) pushCtx.getInstruction();
|
||||
return !lvt.store(); // check its a get
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
private static boolean checkRules(InstructionContext popCtx)
|
||||
{
|
||||
return checkLVTGet(popCtx)
|
||||
|| checkInvoke(popCtx);
|
||||
|| checkInvoke(popCtx)
|
||||
|| checkCompare(popCtx);
|
||||
}
|
||||
|
||||
/* try to identify:
|
||||
|
||||
@@ -0,0 +1,59 @@
|
||||
package info.sigterm.deob.deobfuscators;
|
||||
|
||||
import java.util.ArrayList;
|
||||
|
||||
import info.sigterm.deob.ClassFile;
|
||||
import info.sigterm.deob.ClassGroup;
|
||||
import info.sigterm.deob.Field;
|
||||
import info.sigterm.deob.Method;
|
||||
import info.sigterm.deob.attributes.Code;
|
||||
import info.sigterm.deob.attributes.code.Instruction;
|
||||
import info.sigterm.deob.attributes.code.instruction.types.FieldInstruction;
|
||||
|
||||
public class UnusedFields
|
||||
{
|
||||
private static boolean isUnused(ClassGroup group, Field field)
|
||||
{
|
||||
for (ClassFile cf : group.getClasses())
|
||||
for (Method m : cf.getMethods().getMethods())
|
||||
{
|
||||
Code code = m.getCode();
|
||||
if (code == null)
|
||||
continue;
|
||||
|
||||
for (Instruction ins : code.getInstructions().getInstructions())
|
||||
{
|
||||
if (ins instanceof FieldInstruction)
|
||||
{
|
||||
FieldInstruction fi = (FieldInstruction) ins;
|
||||
|
||||
info.sigterm.deob.pool.Field ff = fi.getField();
|
||||
|
||||
if (ff.getClassEntry().getName().equals(field.getFields().getClassFile().getName()))
|
||||
{
|
||||
if (ff.getNameAndType().getName().equals(field.getName()))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
public void run(ClassGroup group)
|
||||
{
|
||||
int count = 0;
|
||||
for (ClassFile cf : group.getClasses())
|
||||
for (Field f : new ArrayList<>(cf.getFields().getFields()))
|
||||
{
|
||||
if (isUnused(group, f))
|
||||
{
|
||||
cf.getFields().getFields().remove(f);
|
||||
++count;
|
||||
}
|
||||
}
|
||||
System.out.println("Removed " + count + " unused fields");
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user