public static int?GetFieldValue(MethodDef method, ModuleDefMD module, int argValue, out string fieldName)
{
fieldName = null;
Base.methodsToRemove.Add(method);
var insemu = new Emulation(method);
insemu.ValueStack.Parameters[method.Parameters[0]] = argValue;
insemu.Emulate();
fieldName = insemu.ValueStack.Fields.First().Key.Name;
insemu.Emulate();
var value = (int)insemu.ValueStack.Fields.First().Value;
return(value);
}
private void StepOne(ModuleDefMD module)
{
var ep = module.EntryPoint;
var emulator = new Emulation(ep);
emulator.OnCallPrepared += (emulation, args) =>
{
var instr = args.Instruction;
Utils.HandleCall(args, emulation);
};
emulator.OnInstructionPrepared += (emulation, args) =>
{
if (args.Instruction.OpCode == OpCodes.Ldftn)
{
emulation.ValueStack.CallStack.Push(null);
args.Cancel = true;
}
};
emulator.Emulate();
if (ModuleBytes == null)
{
Base.CompressorRemoved = false;
return;
}
Protections.Base.ModuleDef = ModuleDefMD.Load(ModuleBytes);
Protections.Base.ModuleDef.EntryPoint = Protections.Base.ModuleDef.ResolveToken(ModuleEp) as MethodDef;
Base.CompressorRemoved = true;
}
public static object DecryptConstant(MethodDef decryptionMethod, object[] param, byte[] bytes)
{
Emulation emulator = new Emulation(decryptionMethod);
emulator.OnCallPrepared += (emulation, args) =>
{
var instr = args.Instruction;
Utils.HandleCall(args, emulation);
};
emulator.OnInstructionPrepared += (emulation, args) =>
{
if (args.Instruction.OpCode == OpCodes.Ldsfld)
{
emulator.ValueStack.CallStack.Push(bytes);
args.Cancel = true;
}
};
foreach (Parameter decryptionMethodParameter in decryptionMethod.Parameters)
{
emulator.ValueStack.Parameters[decryptionMethodParameter] = param[decryptionMethodParameter.Index];
}
emulator.Emulate();
return(emulator.ValueStack.CallStack.Pop());
}
public static byte[] InitaliseBytes(MethodDef methods)
{
byte[] bytes = null;
if (methods == null)
{
return(bytes);
}
Emulation emulator = new Emulation(methods);
emulator.OnCallPrepared += (emulation, args) =>
{
var instr = args.Instruction;
Utils.HandleCall(args, emulation);
};
emulator.OnInstructionPrepared += (emulation, args) =>
{
if (args.Instruction.OpCode == OpCodes.Stsfld)
{
bytes = emulation.ValueStack.CallStack.Pop();
args.Break = true;
}
};
emulator.Emulate();
return(bytes);
}
public static void TamperFields(ModuleDefMD module)
{
// Console.WriteLine("[!] Finding Field And Its Value");
var cctor = module.GlobalType.FindOrCreateStaticConstructor();
if (cctor.Body.Instructions[0].OpCode == OpCodes.Call &&
cctor.Body.Instructions[0].Operand.ToString().Contains("Koi"))
cctor = (MethodDef)cctor.Body.Instructions[0].Operand;
foreach (var t1 in cctor.Body.Instructions)
if (t1.OpCode == OpCodes.Call ||
t1.Operand is MethodDef)
{
var methodDef = (MethodDef)t1.Operand;
if (!methodDef.HasBody) continue;
if (methodDef.Body.Instructions[0].OpCode != OpCodes.Call) continue;
var methodDef2 = methodDef.Body.Instructions[0].Operand as MethodDef;
if (methodDef2 == null) continue;
if (!methodDef2.HasBody) continue;
if (!methodDef2.Body.Instructions.Where((t, z) => t.IsStloc() && methodDef2.Body.Instructions[z + 1].IsLdcI4())
.Any()) continue;
if (ContainsP0(methodDef2)) continue;
var insEmu = new Emulation(methodDef2);
insEmu.Emulate();
allFields = insEmu.ValueStack.Fields;
return;
}
}
internal static void Cleaner()
{
var cctor = ModuleDefMD.GlobalType.FindOrCreateStaticConstructor();
if (cctor.Body.Instructions[0].OpCode == OpCodes.Call &&
cctor.Body.Instructions[0].Operand.ToString().Contains("Koi"))
{
cctor = (MethodDef)cctor.Body.Instructions[0].Operand;
}
foreach (Instruction t in cctor.Body.Instructions)
{
if (t.OpCode == OpCodes.Call && t.Operand is MethodDef)
{
var methodDef = (MethodDef)t.Operand;
if (!methodDef.HasBody)
{
continue;
}
if (methodDef.Body.Instructions.Count < 9)
{
continue;
}
if (methodDef.Body.Instructions[0].IsLdcI4() && methodDef.Body.Instructions.Count == 9 &&
methodDef.Body.Instructions[3].OpCode == OpCodes.Ldtoken &&
methodDef.Body.Instructions[7].OpCode == OpCodes.Stsfld)
{
var field = methodDef.Body.Instructions[3].Operand as FieldDef;
var cflowFieldArray = methodDef.Body.Instructions[7].Operand as FieldDef;
var arrrr = field.InitialValue;
var tester = IChannelReceiverHook.ParseNumbers(arrrr, methodDef.Body.Instructions[5].GetLdcI4Value());
FieldReplaace(ModuleDefMD, cflowFieldArray, tester);
Base.methodsToRemove.Add(methodDef);
}
else if (methodDef.Body.Instructions[1].IsLdcI4() && methodDef.Body.Instructions.Count == 10 &&
methodDef.Body.Instructions[4].OpCode == OpCodes.Ldtoken &&
methodDef.Body.Instructions[8].OpCode == OpCodes.Stsfld)
{
var field = methodDef.Body.Instructions[4].Operand as FieldDef;
var cflowFieldArray = methodDef.Body.Instructions[8].Operand as FieldDef;
var arrrr = field.InitialValue;
var tester = IChannelReceiverHook.ParseNumbers(arrrr, methodDef.Body.Instructions[6].GetLdcI4Value());
FieldReplaace(ModuleDefMD, cflowFieldArray, tester);
if (methodDef.Body.Instructions[0].OpCode == OpCodes.Call)
{
MethodDef methods2 = (MethodDef)methodDef.Body.Instructions[0].Operand;
Emulation emu = new Emulation(methods2);
emu.Emulate();
FieldsInFirstCall.allFields = emu.ValueStack.Fields;
FieldsInFirstCall.FieldReplacer(ModuleDefMD);
FieldsInFirstCall.allFields = null;
Base.methodsToRemove.Add(methodDef);
}
}
}
}
}
public static GCHandle HandleDecryptMethod(Emulation mainEmulation, CallEventArgs mainArgs, MethodDef decryptionMethod)
{
var decEmulation = new Emulation(decryptionMethod);
decEmulation.OnCallPrepared += (emulation, args) => { Utils.HandleCall(args, emulation); };
decEmulation.ValueStack.Parameters[decryptionMethod.Parameters[1]] = (uint)
mainEmulation.ValueStack.CallStack.Pop();
decEmulation.ValueStack.Parameters[decryptionMethod.Parameters[0]] =
mainEmulation.ValueStack.CallStack.Pop();
decEmulation.Emulate();
return((GCHandle)decEmulation.ValueStack.CallStack.Pop());
}
public override void Deobfuscate()
{
// Console.WriteLine("[!] Setting Up String Decryption Finding Init Method");
GetMethod = firstStep(ModuleDefMD);
Base.methodsToRemove.Add(GetMethod);
if (GetMethod == null)
{
// Console.WriteLine("[!!] Method Not Found Fix This");
return;
}
// Console.WriteLine("[!] Found String Init Method {0}. Emulating", GetMethod.Name);
var insemu = new Emulation(GetMethod);
insemu.OnInstructionPrepared = (sender, e) =>
{
if (e.Instruction.OpCode == OpCodes.Castclass)
{
e.Cancel = true;
}
};
insemu.OnCallPrepared = (sender, e) =>
{
if (e.Instruction.Operand.ToString()
.Contains(
"System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle")
)
{
var stack2 = sender.ValueStack.CallStack.Pop();
var stack1 = sender.ValueStack.CallStack.Pop();
sender.ValueStack.CallStack.Pop();
var fielddef = ModuleDefMD.ResolveToken(stack2) as FieldDef;
var test = fielddef.InitialValue;
var decoded = new uint[test.Length / 4];
Buffer.BlockCopy(test, 0, decoded, 0, test.Length);
stack1 = decoded;
sender.ValueStack.CallStack.Push(stack1);
e.bypassCall = true;
}
else if (e.Instruction.Operand is MethodDef &&
e.Instruction.Operand.ToString().Contains("(System.Byte[])"))
{
e.endMethod = true;
}
else
{
e.AllowCall = false;
}
};
GC.Collect();
Thread.Sleep(1000);
GC.Collect();
insemu.Emulate();
if (GetMethod.Body.Instructions[GetMethod.Body.Instructions.Count - 2].OpCode == OpCodes.Stsfld)
{
fields = (FieldDef)GetMethod.Body.Instructions[GetMethod.Body.Instructions.Count - 2].Operand;
}
var aaa = GetMethod.Body.Variables.Where(i => i.Type.FullName.Contains("System.Byte[]")).ToArray();
var byteStackLocal = insemu.ValueStack.Locals[aaa[0].Index];
//Console.WriteLine("[!] Emulation Success Got Array");
if (Protections.Base.NativePacker)
{
byteStackLocal = P1(byteStackLocal, byteStackLocal.Length);
}
byte_0 = (byte[])byteStackLocal;
return;
}
public static void ResolveCalls(ModuleDefMD module)
{
foreach (DelegateInfo2 info2 in ListedDelegateInfo2s)
{
MethodDef methods = info2.callingMethodDef;
FieldDef fields = info2.fieldDef;
int byteVal = info2.byteVal;
if (methods.MDToken.ToInt32() == 0x0600000A && byteVal == 9)
{
}
if (EncryptedDelegateMethod(methods))
{
continue;
}
var boolean = module.Metadata.TablesStream.TryReadFieldRow(fields.Rid, out RawFieldRow rw);
byte[] data = module.Metadata.BlobStream.Read(rw.Signature);
Emulation emu = new Emulation(methods);
var mdtoken = 0;
if (methods.MDToken.ToInt32() == 100663336 && byteVal == 4)
{
}
emu.ValueStack.Parameters[methods.Parameters[0]] = null;
emu.ValueStack.Parameters[methods.Parameters[1]] = (byte)byteVal;
emu.OnInstructionPrepared = (sender, e) =>
{
if (e.Instruction.OpCode != OpCodes.Callvirt || !e.Instruction.Operand.ToString()
.Contains("System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)"))
{
return;
}
mdtoken = sender.ValueStack.CallStack.Pop();
if (0x806EC032 == (uint)mdtoken)
{
}
e.Break = true;
};
emu.OnCallPrepared = (sender, e) =>
{
var ebc = e.Instruction;
if (ebc.Operand.ToString().Contains("System.Byte[] System.Reflection.Module::ResolveSignature(System.Int32)"))
{
sender.ValueStack.CallStack.Pop();
sender.ValueStack.CallStack.Pop();
sender.ValueStack.CallStack.Push(data);
e.bypassCall = true;
}
else if (ebc.Operand.ToString().Contains("System.Type[] System.Reflection.FieldInfo::GetOptionalCustomModifiers()"))
{
sender.ValueStack.CallStack.Pop();
sender.ValueStack.CallStack.Push(new Type[500]);
e.bypassCall = true;
}
else if (ebc.Operand.ToString().Contains("System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"))
{
sender.ValueStack.CallStack.Pop();
CModOptSig sig = (CModOptSig)fields.FieldSig.Type;
int modToken = sig.Modifier.MDToken.ToInt32();
sender.ValueStack.CallStack.Push(modToken);
e.bypassCall = true;
}
else if (ebc.Operand.ToString().Contains("System.String System.Reflection.MemberInfo::get_Name()"))
{
sender.ValueStack.CallStack.Pop();
string sig = fields.Name;
sender.ValueStack.CallStack.Push(sig);
e.bypassCall = true;
}
else if (ebc.Operand.ToString().Contains("System.Char System.String::get_Chars(System.Int32)"))
{
var one = sender.ValueStack.CallStack.Pop();
var two = sender.ValueStack.CallStack.Pop();
sender.ValueStack.CallStack.Push(two[one]);
e.bypassCall = true;
}
else if (ebc.Operand.ToString().Contains("System.Object[] System.Reflection.MemberInfo::GetCustomAttributes(System.Boolean)"))
{
var one = sender.ValueStack.CallStack.Pop();
var two = sender.ValueStack.CallStack.Pop();
sender.ValueStack.CallStack.Push(new object[500]);
e.bypassCall = true;
}
else if (ebc.Operand.ToString().Contains("System.Int32 System.Object::GetHashCode()"))
{
var one = sender.ValueStack.CallStack.Pop();
// var two = sender.ValueStack.CallStack.Pop();
TypeDef caType = fields.CustomAttributes[0].AttributeType.ResolveTypeDef();
int caCtorNum = (int)fields.CustomAttributes[0].ConstructorArguments[0].Value;
MethodDef meth = First(caType.FindConstructors());
int caKey = MathResolver.GetResult(caCtorNum, meth);
sender.ValueStack.CallStack.Push(caKey);
e.bypassCall = true;
}
else
{
e.AllowCall = false;
e.bypassCall = false;
}
};
emu.Emulate();
info2.mdtoken = (uint)mdtoken;
var ins = findInstruction(methods);
var ab = fields.Name.String[ins] ^ byteVal;
var aa = OpCodes.Call.Value;
var v = OpCodes.Callvirt.Value;
var t = OpCodes.Newobj.Value;
OpCode te;
if (ab == aa)
{
te = OpCodes.Call;
}
else if (ab == v)
{
te = OpCodes.Callvirt;
}
else
{
te = OpCodes.Newobj;
}
info2.opcode = te;
}
}
