Unused field stuff was harder than I thought

This commit is contained in:
Adam
2015-07-03 01:09:01 -04:00
parent 7b0776d1ec
commit c5bbe20791
3 changed files with 103 additions and 10 deletions


@@ -153,7 +153,6 @@ public class ClassFile
if (m != null) if (m != null)
return m; return m;
// XXX is this necessary?
ClassFile parent = getParent(); ClassFile parent = getParent();
if (parent != null) if (parent != null)
return parent.findMethod(nat); return parent.findMethod(nat);


@@ -2,9 +2,11 @@ package info.sigterm.deob.deobfuscators;
import java.math.BigInteger; import java.math.BigInteger;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Map.Entry; import java.util.Map.Entry;
import java.util.Set;
import info.sigterm.deob.ClassFile; import info.sigterm.deob.ClassFile;
import info.sigterm.deob.ClassGroup; import info.sigterm.deob.ClassGroup;
@@ -71,6 +73,7 @@ public class ModularArithmeticDeobfuscation
return true; return true;
} }
/*
// lvt comparison field * constant // lvt comparison field * constant
private static boolean checkCompare(InstructionContext popCtx) private static boolean checkCompare(InstructionContext popCtx)
{ {
@@ -92,11 +95,96 @@ public class ModularArithmeticDeobfuscation
return false; return false;
} }
// constant comparison field * constant
private static boolean checkCompareConstant(InstructionContext popCtx)
{
if (!(popCtx.getInstruction() instanceof ComparisonInstruction))
return false;
// make sure comparison is against lvt
List<StackContext> pops = popCtx.getPops(); // things popCtx popped
for (StackContext ctx : pops) // one of these is the imul
{
InstructionContext pushCtx = ctx.getPushed(); // instruction which pushed this here
if (pushCtx.getInstruction() instanceof PushConstantInstruction)
{
//PushConstantInstruction ci = (PushConstantInstruction) pushCtx.getInstruction();
return true; // maybe should check this isn't an obd constant?
}
}
return false;
}*/
// <something not a field> comparison field * constant
private static boolean checkCompare(InstructionContext popCtx)
{
if (!(popCtx.getInstruction() instanceof ComparisonInstruction))
return false;
// make sure comparison is against lvt
List<StackContext> pops = popCtx.getPops(); // things popCtx popped
for (StackContext ctx : pops) // one of these is the imul
{
InstructionContext pushCtx = ctx.getPushed(); // instruction which pushed this here
if (pushCtx.getInstruction() instanceof IMul)
continue;
// recursively check that theres no fields
}
return false;
}
private static boolean checkRules(InstructionContext popCtx) private static boolean checkRules(InstructionContext popCtx)
{ {
return checkLVTGet(popCtx) return checkLVTGet(popCtx)
|| checkInvoke(popCtx) || checkInvoke(popCtx)
|| checkCompare(popCtx); || checkCompare(popCtx)
|| checkCompareConstant(popCtx);
}
private static Set<Field> getObfuscatedFields(Execution execution, ClassGroup group)
{
Set<Field> fields = new HashSet<>();
for (Frame frame : execution.processedFrames)
{
for (InstructionContext ctx : frame.getInstructions())
{
if (!(ctx.getInstruction() instanceof IMul))
continue;
Instruction one = ctx.getPops().get(0).getPushed().getInstruction();
Instruction two = ctx.getPops().get(1).getPushed().getInstruction();
PushConstantInstruction pc = null;
GetFieldInstruction gf = null;
if (one instanceof PushConstantInstruction && two instanceof GetFieldInstruction)
{
pc = (PushConstantInstruction) one;
gf = (GetFieldInstruction) two;
}
else if (two instanceof PushConstantInstruction && one instanceof GetFieldInstruction)
{
pc = (PushConstantInstruction) two;
gf = (GetFieldInstruction) one;
}
if (pc == null)
continue;
// get Field from pool Field
info.sigterm.deob.pool.Field field = gf.getField();
Field f = group.findClass(field.getClassEntry().getName()).findField(field.getNameAndType());
assert f != null;
fields.add(f);
}
}
return fields;
} }
/* try to identify: /* try to identify:
@@ -133,6 +221,8 @@ public class ModularArithmeticDeobfuscation
*/ */
private void run(Execution execution, ClassGroup group) private void run(Execution execution, ClassGroup group)
{ {
Set<Field> obfuscatedFields = getObfuscatedFields(execution, group);
Map<Field, Integer> constants = new HashMap<>(); Map<Field, Integer> constants = new HashMap<>();
for (Frame frame : execution.processedFrames) for (Frame frame : execution.processedFrames)
{ {
@@ -212,8 +302,9 @@ public class ModularArithmeticDeobfuscation
} }
System.out.println("Did not find for:"); System.out.println("Did not find for:");
int count = 0; int count = 0;
for (ClassFile cf : group.getClasses()) for (Field f : obfuscatedFields)
for (Field f : cf.getFields().getFields()) //for (ClassFile cf : group.getClasses())
//for (Field f : cf.getFields().getFields())
{ {
if (f.getType().toString().equals("I")) if (f.getType().toString().equals("I"))
{ {
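Review bot: `checkRules` now calls `checkCompareConstant(popCtx)`, but the only definition of `checkCompareConstant` in this hunk sits inside the `/* … }*/` block that opens just before the old `checkCompare` and closes at `}*/`, so unless another definition exists outside the hunk this will not compile. The replacement `checkCompare` only `continue`s past the `IMul` pop and then returns false unconditionally, leaving the "recursively check that theres no fields" step as a comment, so the `|| checkCompare(popCtx)` arm is currently dead; if that is deliberate work-in-progress, a `// TODO: field walk not implemented; always false for now` on the method would make it clear. In `getObfuscatedFields`, `group.findClass(field.getClassEntry().getName())` is dereferenced directly, whereas the UnusedFields hunk in this same commit guards the identical lookup with `if (clazz == null) continue;` — the same guard belongs here, e.g. `ClassFile cf = group.findClass(field.getClassEntry().getName()); if (cf == null) continue; Field f = cf.findField(field.getNameAndType());`. The following `assert f != null;` is a no-op with assertions disabled and would let a null into the set, so an explicit `if (f == null) continue;` (or a thrown exception) is the safer check.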


@@ -26,15 +26,18 @@ public class UnusedFields
if (ins instanceof FieldInstruction) if (ins instanceof FieldInstruction)
{ {
FieldInstruction fi = (FieldInstruction) ins; FieldInstruction fi = (FieldInstruction) ins;
info.sigterm.deob.pool.Field ff = fi.getField(); info.sigterm.deob.pool.Field ff = fi.getField();
if (ff.getClassEntry().getName().equals(field.getFields().getClassFile().getName())) // pool to Field
ClassFile clazz = group.findClass(ff.getClassEntry().getName());
if (clazz == null)
continue;
Field f = clazz.findField(ff.getNameAndType());
if (field == f)
{ {
if (ff.getNameAndType().getName().equals(field.getName())) return false;
{
return false;
}
} }
} }
} }
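Review bot: `clazz.findField(ff.getNameAndType())` resolves the reference only in the class the constant-pool entry names, so a use of `field` reached through a subclass reference (JVM field resolution walks up the superclass chain) is not matched here unless `findField` itself walks parents the way `findMethod` does in the ClassFile hunk; the old name comparison had the same gap, but it is worth stating in the `// pool to Field` comment, e.g. `// pool to Field: resolved in the named class only, no superclass walk`. The identity comparison `field == f` also relies on `findField` returning the canonical `Field` instance held by the class group rather than a fresh wrapper; if that holds it is fine, otherwise `equals` would be needed. The enclosing method starts outside the hunk, so I cannot confirm from here that `group` is in scope.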