dotscope 0.7.0

A high-performance, cross-platform framework for analyzing and reverse engineering .NET PE executables
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

//! Deobfuscation SSA transformation passes.
//!
//! These passes complement the generic compiler passes in [`crate::compiler`]
//! with transformations that require obfuscator-specific knowledge: decryptor
//! registrations, dispatcher tracking, emulation hooks, and state machines.
//!
//! # Shared Passes
//!
//! | Pass | Phase | Description |
//! |------|-------|-------------|
//! | [`OpaqueFieldPredicatePass`] | Structure | Removes opaque predicates based on static field chains resolved via emulation, before CFF unflattening |
//! | [`CffReconstructionPass`] | Structure | Recovers original control flow from flattened state-machine dispatchers using Z3-backed symbolic analysis and tree-based tracing |
//! | [`ReflectionDevirtualizationPass`] | Simplify | Resolves reflection-based call indirection (ResolveMethod, GetMethod, Invoke, CreateInstance, GetValue/SetValue) to direct calls |
//! | [`DecryptionPass`] | Value | Decrypts obfuscated strings and constants by emulating registered decryptor methods, with caching and state machine support |
//! | [`NeutralizationPass`] | Cleanup | Removes protection code (anti-tamper, anti-debug calls) from method bodies via taint analysis, preserving legitimate initialization |
//! | [`NativeMethodConversionPass`] | Pre-SSA | Converts native x86 methods back to CIL bytecode (runs before the SSA pipeline) |
//!
//! # Obfuscator-Specific Passes
//!
//! Technique-specific passes are organized in sub-modules named after their
//! obfuscator. Each is created by its corresponding detection technique via
//! [`Technique::create_pass`](super::techniques::Technique::create_pass).
//!
//! - [`jiejienet`] — JIEJIE.NET value-level passes (constants, strings, typeof, arrays)
//! - [`bitmono`] — BitMono passes (string decryption, unmanaged strings, anti-debug)
//! - [`netreactor`] — .NET Reactor passes (anti-tamper token resolver)
//!
//! # Relationship to Compiler Passes
//!
//! Generic SSA passes ([`crate::compiler::SsaPass`]) operate only on
//! [`crate::compiler::CompilerContext`] and have no knowledge
//! of obfuscators. The passes here take shared references (via `Arc`) to
//! deobfuscation state from [`AnalysisContext`](crate::deobfuscation::AnalysisContext)
//! at construction time, allowing them to participate in the same
//! [`PassScheduler`](crate::compiler::PassScheduler) pipeline as compiler passes.

pub mod bitmono;
pub mod jiejienet;
pub mod netreactor;

mod antidebug;
mod decryption;
mod delegates;
mod native;
mod neutralize;
mod opaquefields;
mod reflection;
mod staticfields;
mod unflattening;

pub use self::antidebug::{SentinelCondition, SentinelTaintRemovalPass};
pub use self::decryption::DecryptionPass;
pub use self::delegates::{DelegateProxyResolutionPass, DelegateTypeInfo};
pub use self::native::NativeMethodConversionPass;
pub use self::neutralize::NeutralizationPass;
pub use self::opaquefields::OpaqueFieldPredicatePass;
pub use self::reflection::{count_resolve_method_calli_sites, ReflectionDevirtualizationPass};
pub use self::staticfields::{I32Extractor, StaticFieldResolutionPass, StringExtractor};
pub use self::unflattening::{CffDetector, CffReconstructionPass, Dispatcher, UnflattenConfig};