Ejemplo n.º 1
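        /// <summary>
        /// Recovers the metadata token encoded in the name of the proxy field at <paramref name="iIndex"/>.
        /// </summary>
        /// <remarks>
        /// Each character of the field name is narrowed to a byte and XORed with its position. The result is
        /// read as Base64, the first four decoded bytes are taken as an Int32, and that value is XORed with
        /// <c>Params.XORTokenField</c>. The field name comes from the assembly under analysis, so it is
        /// untrusted input: a payload shorter than four bytes is rejected with an explicit message.
        /// </remarks>
        /// <param name="PT">Proxy type whose <c>arFieldReflection</c> entry is decoded.</param>
        /// <param name="iIndex">Index into <c>PT.arFieldReflection</c>.</param>
        /// <param name="Params">Supplies the XOR key <c>XORTokenField</c>.</param>
        /// <returns>The decoded token value.</returns>
        /// <exception cref="FormatException">The de-XORed name is not valid Base64.</exception>
        /// <exception cref="ArgumentException">The decoded payload is shorter than four bytes.</exception>
        private static int GetTokenForFieldDecode(ProxyType PT, int iIndex, AntiProxyParams Params)
        {
            string encodedName = PT.arFieldReflection[iIndex].Name;

            char[] decodedChars = new char[encodedName.Length];
            for (int i = 0; i < decodedChars.Length; i++)
            {
                // Narrowing to byte before the XOR is kept exactly as in the original decoder.
                decodedChars[i] = (char)((byte)encodedName[i] ^ i);
            }

            byte[] payload = Convert.FromBase64String(new string(decodedChars));
            if (payload.Length < sizeof(int))
            {
                // Fail with a readable diagnostic instead of an opaque BitConverter error.
                throw new ArgumentException("Decoded proxy field name is too short to contain a metadata token.");
            }

            return BitConverter.ToInt32(payload, 0) ^ Params.XORTokenField;
        }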
Ejemplo n.º 2
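        /// <summary>
        /// Recovers the call kind and the metadata token encoded in the name of the proxy field at
        /// <paramref name="iIndex"/>.
        /// </summary>
        /// <remarks>
        /// Each character of the field name is narrowed to a byte and XORed with its position, and the result
        /// is read as Base64. Byte 0 of the payload selects the call kind (13 means callvirt, anything else
        /// call). Bytes 1..4 are taken as an Int32 and XORed with <c>Params.XORTokenMethod</c>. The field name
        /// comes from the assembly under analysis, so it is untrusted input: a payload shorter than five bytes
        /// is rejected with an explicit message.
        /// </remarks>
        /// <param name="PT">Proxy type whose <c>arFieldReflection</c> entry is decoded.</param>
        /// <param name="iIndex">Index into <c>PT.arFieldReflection</c>.</param>
        /// <param name="Params">Supplies the XOR key <c>XORTokenMethod</c>.</param>
        /// <param name="CT">Receives the call kind read from the first payload byte.</param>
        /// <returns>The decoded token value.</returns>
        /// <exception cref="FormatException">The de-XORed name is not valid Base64.</exception>
        /// <exception cref="ArgumentException">The decoded payload is shorter than five bytes.</exception>
        private static int GetTokenForMethodDecode(ProxyType PT, int iIndex, AntiProxyParams Params, out FunctionCallType CT)
        {
            const byte CallvirtMarker = 13;
            const int PayloadLength = 1 + sizeof(int);

            string encodedName = PT.arFieldReflection[iIndex].Name;

            char[] decodedChars = new char[encodedName.Length];
            for (int i = 0; i < decodedChars.Length; i++)
            {
                // Narrowing to byte before the XOR is kept exactly as in the original decoder.
                decodedChars[i] = (char)((byte)encodedName[i] ^ i);
            }

            byte[] payload = Convert.FromBase64String(new string(decodedChars));
            if (payload.Length < PayloadLength)
            {
                // Fail with a readable diagnostic instead of an index or BitConverter error.
                throw new ArgumentException("Decoded proxy field name is too short to contain a call marker and a metadata token.");
            }

            CT = (payload[0] == CallvirtMarker) ? FunctionCallType.Callvirt : FunctionCallType.Call;

            return BitConverter.ToInt32(payload, 1) ^ Params.XORTokenMethod;
        }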
Ejemplo n.º 3
        /// <summary>
        /// Third pass: loads the input file for reflection, initialises every collected proxy type and
        /// rewrites its call sites through <c>DoAntiProxy</c>.
        /// </summary>
        /// <returns>Always <c>true</c>.</returns>
        public static bool Phase3()
        {
            AntiProxyParams state = PhaseParam;

            // Assembly.LoadFile loads the input into this process as a regular assembly, not a
            // reflection-only one. When the input is an untrusted or suspected-malicious binary,
            // run the tool inside an isolated analysis environment.
            state.asmReflection = Assembly.LoadFile(Globals.DeobContext.InPath);

            InitMethodCallList();

            foreach (var proxy in state.lstProxyTypes)
            {
                var fieldResolverToken = state.ResolveFieldMD.MetadataToken.ToInt32();
                var methodResolverToken = state.ResolveMethodMD.MetadataToken.ToInt32();
                proxy.InitProxyType(fieldResolverToken, methodResolverToken, state.asmReflection);

                DoAntiProxy(proxy, state);
                //MarkMember(proxy.Type);
            }

            return true;
        }
Ejemplo n.º 4
        /// <summary>
        /// Second pass: finds the two resolver methods and derives the XOR keys from them.
        /// </summary>
        /// <remarks>
        /// Every instruction of every method body is rendered to text. An instruction whose text contains
        /// "Emit" and "Newobj" marks its method as the field resolver; one containing "Emit" and "Castclass"
        /// marks its method as the method resolver. When several methods match, the last one visited wins.
        /// </remarks>
        /// <returns>Always <c>true</c>.</returns>
        public static bool Phase2()
        {
            AntiProxyParams state = PhaseParam;

            foreach (var typeDef in AsmDef.MainModule.Types)
            {
                foreach (var methodDef in typeDef.Methods)
                {
                    if (methodDef.HasBody)
                    {
                        foreach (var instruction in methodDef.Body.Instructions)
                        {
                            string text = instruction.GetInstructionString();

                            if (text.Contains("Emit"))
                            {
                                if (text.Contains("Newobj"))
                                {
                                    state.ResolveFieldMD = methodDef;
                                }

                                if (text.Contains("Castclass"))
                                {
                                    state.ResolveMethodMD = methodDef;
                                }
                            }
                        }
                    }
                }
            }

            // NOTE(review): if the scan matched nothing, the resolver fields are passed on with whatever
            // value they already held (possibly null). Confirm GetInt32TokenOfDecodeFunction tolerates that.
            state.XORTokenField = GetInt32TokenOfDecodeFunction(state.ResolveFieldMD);
            state.XORTokenMethod = GetInt32TokenOfDecodeFunction(state.ResolveMethodMD);

            return true;
        }
Ejemplo n.º 5
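        /// <summary>
        /// First pass: resets the shared phase state and collects every type that looks like a proxy type.
        /// </summary>
        /// <remarks>
        /// A type is treated as a proxy when it has a static constructor (".cctor") whose first instruction's
        /// opcode name contains "ldtoken". The module being scanned is untrusted input, so a static
        /// constructor without a body, or with an empty body, is skipped instead of raising an index error.
        /// </remarks>
        /// <returns>Always <c>true</c>.</returns>
        public static bool Phase1()
        {
            PhaseParam = new AntiProxyParams();
            PhaseParam.lstProxyTypes = new List<ProxyType>();

            foreach (var typeDef in AsmDef.MainModule.Types)
            {
                MethodDefinition cctor = typeDef.Methods.FirstOrDefault(m => m.IsConstructor && m.Name == ".cctor");
                if (cctor == null)
                {
                    continue;
                }

                // Malformed or stripped input can carry a .cctor with no instructions at all.
                if (!cctor.HasBody || cctor.Body.Instructions.Count == 0)
                {
                    continue;
                }

                if (cctor.Body.Instructions[0].OpCode.ToString().Contains("ldtoken"))
                {
                    PhaseParam.lstProxyTypes.Add(new ProxyType(typeDef));
                }
            }

            return true;
        }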
Ejemplo n.º 6
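        /// <summary>
        /// First pass: resets the shared phase state and collects every type that looks like a proxy type.
        /// </summary>
        /// <remarks>
        /// A type is treated as a proxy when it has a static constructor (".cctor") whose first instruction's
        /// opcode name contains "ldtoken". The module being scanned is untrusted input, so a static
        /// constructor without a body, or with an empty body, is skipped instead of raising an index error.
        /// </remarks>
        /// <returns>Always <c>true</c>.</returns>
        public static bool Phase1()
        {
            PhaseParam = new AntiProxyParams();
            PhaseParam.lstProxyTypes = new List<ProxyType>();

            foreach (var typeDef in AsmDef.MainModule.Types)
            {
                MethodDefinition cctor = typeDef.Methods.FirstOrDefault(m => m.IsConstructor && m.Name == ".cctor");

                // No static constructor, or one with nothing to inspect (possible in malformed input).
                bool inspectable = cctor != null && cctor.HasBody && cctor.Body.Instructions.Count > 0;
                if (!inspectable)
                {
                    continue;
                }

                if (cctor.Body.Instructions[0].OpCode.ToString().Contains("ldtoken"))
                {
                    PhaseParam.lstProxyTypes.Add(new ProxyType(typeDef));
                }
            }

            return true;
        }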
Ejemplo n.º 7
        /// <summary>
        /// Replaces the call sites of every proxy method of <paramref name="PT"/> with a direct
        /// newobj / call / callvirt to the method the proxy forwards to.
        /// </summary>
        /// <remarks>
        /// Target tokens are decoded from field names of the input assembly and resolved against the first
        /// module of <c>Params.asmReflection</c>. Nothing here catches a failed decode or resolve, so a
        /// malformed or unexpected sample aborts the pass with the underlying exception.
        /// </remarks>
        /// <param name="PT">Proxy type whose methods are being eliminated.</param>
        /// <param name="Params">Shared phase state: reflection assembly, XOR keys and known proxy types.</param>
        /// <returns>Always <c>true</c>.</returns>
        private static bool DoAntiProxy(ProxyType PT, AntiProxyParams Params)
        {
            FunctionCallType CT = FunctionCallType.Call;

            for (int slot = 0; slot < PT.arMethods.Length; slot++)
            {
                if (PT.arProxyTypeDelegate[slot] == ProxyTypeDelegate.NewObjectCall)
                {
                    int ctorToken = GetTokenForFieldDecode(PT, slot, Params);
                    MethodReference ctorRef = AsmDef.MainModule.Import(Params.asmReflection.GetModules()[0].ResolveMethod(ctorToken));

                    foreach (Instruction callSite in GetInstructionsWithMethodCall(PT.arMethods[slot]).ToArray())
                    {
                        callSite.OpCode = OpCodes.Newobj;
                        callSite.Operand = ctorRef;
                    }
                }

                if (PT.arProxyTypeDelegate[slot] == ProxyTypeDelegate.DirectMethodCall)
                {
                    int targetToken = GetTokenForMethodDecode(PT, slot, Params, out CT);
                    MethodReference targetRef = AsmDef.MainModule.Import(Params.asmReflection.GetModules()[0].ResolveMethod(targetToken));

                    // Second-stage proxy: the resolved target is itself declared on a known proxy type
                    // (matched by declaring type name), i.e. a proxy followed by a method/newobj proxy.
                    ProxyType[] chained = Params.lstProxyTypes.Where(m => m.Type.Name == targetRef.DeclaringType.Name).ToArray();
                    ProxyType secondStage = chained.Length != 0 ? chained[0] : null;

                    Instruction[] callSites = GetInstructionsWithMethodCall(PT.arMethods[slot]);

                    if (secondStage == null)
                    {
                        foreach (Instruction callSite in callSites)
                        {
                            if (CT == FunctionCallType.Call)
                            {
                                callSite.OpCode = OpCodes.Call;
                                callSite.Operand = targetRef;
                            }
                            else if (CT == FunctionCallType.Callvirt)
                            {
                                callSite.OpCode = OpCodes.Callvirt;
                                callSite.Operand = targetRef;
                            }
                        }
                    }
                    else if (secondStage.arProxyTypeDelegate[0] == ProxyTypeDelegate.NewObjectCall)
                    {
                        // Only the first entry of the second-stage proxy is followed; any other kind
                        // leaves the call sites untouched.
                        int innerToken = GetTokenForFieldDecode(secondStage, 0, Params);
                        MethodReference innerRef = AsmDef.MainModule.Import(Params.asmReflection.GetModules()[0].ResolveMethod(innerToken));

                        foreach (Instruction callSite in callSites)
                        {
                            callSite.OpCode = OpCodes.Newobj;
                            callSite.Operand = innerRef;
                        }
                    }
                }
            }

            return true;
        }
Ejemplo n.º 8
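        /// <summary>
        /// Recovers the call kind and the metadata token encoded in the name of the proxy field at
        /// <paramref name="iIndex"/>.
        /// </summary>
        /// <remarks>
        /// Each character of the field name is narrowed to a byte and XORed with its position, and the result
        /// is read as Base64. Byte 0 of the payload selects the call kind (13 means callvirt, anything else
        /// call). Bytes 1..4 are taken as an Int32 and XORed with <c>Params.XORTokenMethod</c>. The field name
        /// comes from the assembly under analysis, so it is untrusted input: a payload shorter than five bytes
        /// is rejected with an explicit message.
        /// </remarks>
        /// <param name="PT">Proxy type whose <c>arFieldReflection</c> entry is decoded.</param>
        /// <param name="iIndex">Index into <c>PT.arFieldReflection</c>.</param>
        /// <param name="Params">Supplies the XOR key <c>XORTokenMethod</c>.</param>
        /// <param name="CT">Receives the call kind read from the first payload byte.</param>
        /// <returns>The decoded token value.</returns>
        /// <exception cref="FormatException">The de-XORed name is not valid Base64.</exception>
        /// <exception cref="ArgumentException">The decoded payload is shorter than five bytes.</exception>
        private static int GetTokenForMethodDecode(ProxyType PT, int iIndex, AntiProxyParams Params, out FunctionCallType CT)
        {
            const byte CallvirtMarker = 13;
            const int PayloadLength = 1 + sizeof(int);

            string encodedName = PT.arFieldReflection[iIndex].Name;

            char[] decodedChars = new char[encodedName.Length];
            for (int i = 0; i < decodedChars.Length; i++)
            {
                // Narrowing to byte before the XOR is kept exactly as in the original decoder.
                decodedChars[i] = (char)((byte)encodedName[i] ^ i);
            }

            byte[] payload = Convert.FromBase64String(new string(decodedChars));
            if (payload.Length < PayloadLength)
            {
                // Fail with a readable diagnostic instead of an index or BitConverter error.
                throw new ArgumentException("Decoded proxy field name is too short to contain a call marker and a metadata token.");
            }

            CT = (payload[0] == CallvirtMarker) ? FunctionCallType.Callvirt : FunctionCallType.Call;

            return BitConverter.ToInt32(payload, 1) ^ Params.XORTokenMethod;
        }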
Ejemplo n.º 9
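        /// <summary>
        /// Recovers the metadata token encoded in the name of the proxy field at <paramref name="iIndex"/>.
        /// </summary>
        /// <remarks>
        /// Each character of the field name is narrowed to a byte and XORed with its position. The result is
        /// read as Base64, the first four decoded bytes are taken as an Int32, and that value is XORed with
        /// <c>Params.XORTokenField</c>. The field name comes from the assembly under analysis, so it is
        /// untrusted input: a payload shorter than four bytes is rejected with an explicit message.
        /// </remarks>
        /// <param name="PT">Proxy type whose <c>arFieldReflection</c> entry is decoded.</param>
        /// <param name="iIndex">Index into <c>PT.arFieldReflection</c>.</param>
        /// <param name="Params">Supplies the XOR key <c>XORTokenField</c>.</param>
        /// <returns>The decoded token value.</returns>
        /// <exception cref="FormatException">The de-XORed name is not valid Base64.</exception>
        /// <exception cref="ArgumentException">The decoded payload is shorter than four bytes.</exception>
        private static int GetTokenForFieldDecode(ProxyType PT, int iIndex, AntiProxyParams Params)
        {
            string encodedName = PT.arFieldReflection[iIndex].Name;

            char[] decodedChars = new char[encodedName.Length];
            for (int i = 0; i < decodedChars.Length; i++)
            {
                // Narrowing to byte before the XOR is kept exactly as in the original decoder.
                decodedChars[i] = (char)((byte)encodedName[i] ^ i);
            }

            byte[] payload = Convert.FromBase64String(new string(decodedChars));
            if (payload.Length < sizeof(int))
            {
                // Fail with a readable diagnostic instead of an opaque BitConverter error.
                throw new ArgumentException("Decoded proxy field name is too short to contain a metadata token.");
            }

            return BitConverter.ToInt32(payload, 0) ^ Params.XORTokenField;
        }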
Ejemplo n.º 10
        /// <summary>
        /// Replaces the call sites of every proxy method of <paramref name="PT"/> with a direct
        /// newobj / call / callvirt to the method the proxy forwards to.
        /// </summary>
        /// <remarks>
        /// Target tokens are decoded from field names of the input assembly and resolved against the first
        /// module of <c>Params.asmReflection</c>. Nothing here catches a failed decode or resolve, so a
        /// malformed or unexpected sample aborts the pass with the underlying exception.
        /// </remarks>
        /// <param name="PT">Proxy type whose methods are being eliminated.</param>
        /// <param name="Params">Shared phase state: reflection assembly, XOR keys and known proxy types.</param>
        /// <returns>Always <c>true</c>.</returns>
        private static bool DoAntiProxy(ProxyType PT, AntiProxyParams Params)
        {
            FunctionCallType CT = FunctionCallType.Call;

            for (int slot = 0; slot < PT.arMethods.Length; slot++)
            {
                if (PT.arProxyTypeDelegate[slot] == ProxyTypeDelegate.NewObjectCall)
                {
                    int ctorToken = GetTokenForFieldDecode(PT, slot, Params);
                    MethodReference ctorRef = AsmDef.MainModule.Import(Params.asmReflection.GetModules()[0].ResolveMethod(ctorToken));

                    foreach (Instruction callSite in GetInstructionsWithMethodCall(PT.arMethods[slot]).ToArray())
                    {
                        callSite.OpCode = OpCodes.Newobj;
                        callSite.Operand = ctorRef;
                    }
                }

                if (PT.arProxyTypeDelegate[slot] == ProxyTypeDelegate.DirectMethodCall)
                {
                    int targetToken = GetTokenForMethodDecode(PT, slot, Params, out CT);
                    MethodReference targetRef = AsmDef.MainModule.Import(Params.asmReflection.GetModules()[0].ResolveMethod(targetToken));

                    // Second-stage proxy: the resolved target is itself declared on a known proxy type
                    // (matched by declaring type name), i.e. a proxy followed by a method/newobj proxy.
                    ProxyType[] chained = Params.lstProxyTypes.Where(m => m.Type.Name == targetRef.DeclaringType.Name).ToArray();
                    ProxyType secondStage = chained.Length != 0 ? chained[0] : null;

                    Instruction[] callSites = GetInstructionsWithMethodCall(PT.arMethods[slot]);

                    if (secondStage == null)
                    {
                        foreach (Instruction callSite in callSites)
                        {
                            if (CT == FunctionCallType.Call)
                            {
                                callSite.OpCode = OpCodes.Call;
                                callSite.Operand = targetRef;
                            }
                            else if (CT == FunctionCallType.Callvirt)
                            {
                                callSite.OpCode = OpCodes.Callvirt;
                                callSite.Operand = targetRef;
                            }
                        }
                    }
                    else if (secondStage.arProxyTypeDelegate[0] == ProxyTypeDelegate.NewObjectCall)
                    {
                        // Only the first entry of the second-stage proxy is followed; any other kind
                        // leaves the call sites untouched.
                        int innerToken = GetTokenForFieldDecode(secondStage, 0, Params);
                        MethodReference innerRef = AsmDef.MainModule.Import(Params.asmReflection.GetModules()[0].ResolveMethod(innerToken));

                        foreach (Instruction callSite in callSites)
                        {
                            callSite.OpCode = OpCodes.Newobj;
                            callSite.Operand = innerRef;
                        }
                    }
                }
            }

            return true;
        }