private int?CalculateKey(SwitchData switchData) { var popValue = _instructionEmulator.Peek(); if (popValue == null || !popValue.IsInt32() || !(popValue as Int32Value).AllBitsValid()) { return(null); } _instructionEmulator.Pop(); int num = ((Int32Value)popValue).Value; if (switchData is NativeSwitchData) { var nativeSwitchData = (NativeSwitchData)switchData; var nativeMethod = new X86Method(nativeSwitchData.NativeMethodDef, _blocks.Method.Module as ModuleDefMD); //TODO: Possible null return(nativeMethod.Execute(num)); } if (switchData is NormalSwitchData) { var normalSwitchData = (NormalSwitchData)switchData; return(num ^ normalSwitchData.Key.Value); } return(null); }
public static void Emulate(ValueStack valueStack, Instruction instruction, MethodDef method) { if (instruction.Operand is MethodDef && ((MethodDef)instruction.Operand).IsNative) { //this is really only for confuserex x86 methods var abc2 = method.Module.ResolveToken(((MethodDef)instruction.Operand).MDToken.ToInt32()); var x86 = new X86Method(abc2 as MethodDef); var value = valueStack.CallStack.Pop(); var abc = x86.Execute((int)(uint)value); valueStack.CallStack.Push(abc); } else { var instructionOperand = instruction.Operand as IMethodDefOrRef; var resolved = instructionOperand.ResolveMethodDef(); if (resolved.Module != method.Module) { if (resolved.IsStatic) { var mod = typeof(string).Module; var asmCall = mod.ResolveMethod(resolved.MDToken.ToInt32()); int pushes; int pops; instruction.CalculateStackUsage(out pushes, out pops); var paramsObjects = new dynamic[pops]; for (var i = 0; i < pops; i++) { paramsObjects[i] = valueStack.CallStack.Pop(); } paramsObjects = paramsObjects.Reverse().ToArray(); try { if (pushes != 0) { var av = asmCall.Invoke(null, paramsObjects); valueStack.CallStack.Push(av); } else { asmCall.Invoke(null, paramsObjects); } } catch { } } } } }
public void Load(string path, long baseAddr) { BaseAddress = baseAddr; asm = WindowsAssembly.FromFile(path); entryMethod = this.CreateMethodFromRVA(asm.NtHeaders.OptionalHeader.AddressOfEntrypoint); methods[entryMethod.Address] = entryMethod; entryMethod.Initialize(); while (pendingAddresses.Count > 0) { var emu = pendingAddresses.GetEnumerator(); emu.MoveNext(); long addr = emu.Current; var method = this.CreateMethodFromAddress(addr); methods[addr] = method; method.Initialize(); pendingAddresses.Remove(addr); } }
private uint CalculateMagic(uint index) { uint uint_0; if (NativeMethod != null) { _instructionEmulator.Push(new Int32Value((int)index)); _nativeMethod = new X86Method(NativeMethod, Method.Module as ModuleDefMD); //TODO: Possible null var key = CalculateKey(); uint_0 = (uint)key.Value; } else { uint_0 = index * Num1 ^ Num2; } uint_0 &= 0x3fffffff; uint_0 <<= 2; return(uint_0); }
private static void Main(string[] args) { if (args.Length == 0) { Console.WriteLine("No input file specified..."); return; } // Store the obfuscated file name for later use (e.g. when resolving the RVAs) Configuration.AssemblyFilename = args[0]; // Load the assembly via dnlib (Only the module, we need this structure to resolve MD Tokens) var assemblyModuleDnlib = ModuleDefMD.Load(Configuration.AssemblyFilename); // Get the <Module>-Type for later use var cctorType = assemblyModuleDnlib.GlobalType; // Store the replaced methods in this list var nativeMethodsReplaced = new List <MethodDef>(); // Find methods with native code var nativeMethods = cctorType.Methods.Where(m => m.IsNative).ToList(); foreach (var nativeMethod in nativeMethods) { // Get the assembly code and the X86 Opcode Structure (Thanks to ubbelol) X86Method x86NativeMethod = new X86Method(nativeMethod); var ILNativeMethod = X86MethodToILConverter.CreateILFromX86Method(x86NativeMethod); nativeMethod.DeclaringType.Methods.Add(ILNativeMethod); nativeMethodsReplaced.Add(nativeMethod); } // Export all the IL Methods to a DLL MethodExporter.ExportMethodsToDll("TestMethodModule.dll", nativeMethodsReplaced, assemblyModuleDnlib); // Call the DLL IL Methods and the native Methods via x86 function ptr to see if the result is the same X86ILTester.TestNativeWithILMethods(Configuration.AssemblyFilename, Path.Combine(Environment.CurrentDirectory, "TestMethodModule.dll")); // Find all the native method calls and replace them with the IL calls foreach (var replacedMethod in nativeMethodsReplaced) { var callsToNativeMethod = replacedMethod.FindAllReferences(assemblyModuleDnlib); var ilMethod = assemblyModuleDnlib.GlobalType.Methods.FirstOrDefault(m => m.Name == replacedMethod.Name + "_IL"); foreach (var call in callsToNativeMethod) { call.Operand = ilMethod; } Console.WriteLine("[+] Removed " + callsToNativeMethod.ToList().Count + " entries."); } // Remove each native method foreach (var replacedMethod in nativeMethodsReplaced) { cctorType.Methods.Remove(replacedMethod); } // Turn off signing assemblyModuleDnlib.IsStrongNameSigned = false; assemblyModuleDnlib.Assembly.PublicKey = null; // Preserve Tokens and fix the flags for ILOnly var moduleWriterOptions = new ModuleWriterOptions(); moduleWriterOptions.MetaDataOptions.Flags |= MetaDataFlags.PreserveAll; moduleWriterOptions.MetaDataOptions.Flags |= MetaDataFlags.KeepOldMaxStack; moduleWriterOptions.Cor20HeaderOptions.Flags = ComImageFlags.ILOnly | ComImageFlags._32BitRequired; assemblyModuleDnlib.Write("out_mod.exe", moduleWriterOptions); }
private int EmulateNativeMethod(MethodDef externalMethod, int parameter) { var nativeMethod = new X86Method(externalMethod, module); //TODO: Possible null return(nativeMethod.Execute(parameter)); }
private int x86emulate(MethodDef methods, int[] val) { var x86 = new X86Method(methods); return(x86.Execute(val)); }
public static MethodDef CreateILFromX86Method(X86Method methodToConvert) { // Find the Int32 type var int32Type = methodToConvert.OriginalMethod.ReturnType; // Create a method with the same name as the native and append "_IL" var returnMethod = new MethodDefUser(new UTF8String(methodToConvert.OriginalMethod.Name + "_IL"), MethodSig.CreateStatic(int32Type, int32Type), MethodImplAttributes.IL | MethodImplAttributes.Managed, MethodAttributes.Public | MethodAttributes.Static | MethodAttributes.HideBySig); returnMethod.Body = new CilBody(); returnMethod.Body.MaxStack = 12; // Add 8 registers for (var i = 0; i < 8; i++) { returnMethod.Body.Variables.Add(new Local(int32Type)); } var returnMethodBody = returnMethod.Body; // load param to stack, it later gets popped into ecx returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldarg_0)); // Translate each x86 Instruction to IL foreach (var x86Instruction in methodToConvert.Instructions) { switch (x86Instruction.OpCode) { case X86OpCode.MOV: if (x86Instruction.Operands[0] is X86ImmediateOperand) { throw new Exception("Can't mov value to immediate value"); } if (x86Instruction.Operands[1] is X86RegisterOperand) { returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); } else if (x86Instruction.Operands[1] is X86ImmediateOperand) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate)); } returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; case X86OpCode.ADD: if (x86Instruction.Operands[0] is X86ImmediateOperand) { throw new Exception("Can't add value to immediate value"); } returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); if (x86Instruction.Operands[1] is X86RegisterOperand) { returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); // 25 is EAX } else if (x86Instruction.Operands[1] is X86ImmediateOperand) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate)); } returnMethodBody.Instructions.Add(new Instruction(OpCodes.Add)); returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; case X86OpCode.DIV: if (x86Instruction.Operands[0] is X86ImmediateOperand) { throw new Exception("Can't div value to immediate value"); } returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); if (x86Instruction.Operands[1] is X86RegisterOperand) { returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); // 25 is EAX } else if (x86Instruction.Operands[1] is X86ImmediateOperand) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate)); } returnMethodBody.Instructions.Add(new Instruction(OpCodes.Div_Un)); returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; case X86OpCode.IMUL: if (x86Instruction.Operands[0] is X86ImmediateOperand) { throw new Exception("Can't imul value to immediate value"); } if (x86Instruction.Operands[1] is X86RegisterOperand) { returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); // 25 is EAX } else if (x86Instruction.Operands[1] is X86ImmediateOperand) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate)); } if (x86Instruction.Operands[2] is X86RegisterOperand) { returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[2] as X86RegisterOperand).Register, returnMethodBody)); // 25 is EAX } else if (x86Instruction.Operands[2] is X86ImmediateOperand) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[2] as X86ImmediateOperand).Immediate)); } returnMethodBody.Instructions.Add(new Instruction(OpCodes.Mul)); returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; case X86OpCode.NEG: if (x86Instruction.Operands[0] is X86ImmediateOperand) { throw new Exception("Can't neg immediate value"); } returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); // 25 is EAX returnMethodBody.Instructions.Add(new Instruction(OpCodes.Neg)); returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; case X86OpCode.NOT: if (x86Instruction.Operands[0] is X86ImmediateOperand) { throw new Exception("Can't not immediate value"); } returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); // 25 is EAX returnMethodBody.Instructions.Add(new Instruction(OpCodes.Not)); returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; case X86OpCode.POP: returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; case X86OpCode.SUB: if (x86Instruction.Operands[0] is X86ImmediateOperand) { throw new Exception("Can't sub value to immediate value"); } returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); if (x86Instruction.Operands[1] is X86RegisterOperand) { returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); // 25 is EAX } else if (x86Instruction.Operands[1] is X86ImmediateOperand) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate)); } returnMethodBody.Instructions.Add(new Instruction(OpCodes.Sub)); returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; case X86OpCode.XOR: if (x86Instruction.Operands[0] is X86ImmediateOperand) { throw new Exception("Can't xor value to immediate value"); } returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); if (x86Instruction.Operands[1] is X86RegisterOperand) { returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister( (x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); // 25 is EAX } else if (x86Instruction.Operands[1] is X86ImmediateOperand) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, ((X86ImmediateOperand)x86Instruction.Operands[1]).Immediate)); } returnMethodBody.Instructions.Add(new Instruction(OpCodes.Xor)); returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister( (x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; } } // Load EAX returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldloc_0)); // Return eax returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ret)); return(returnMethod); }
public static MethodDef CreateILFromX86Method(X86Method methodToConvert) { TypeSig int32Type = methodToConvert.OriginalMethod.ReturnType; MethodDefUser returnMethod = new MethodDefUser(new UTF8String(methodToConvert.OriginalMethod.Name + "_IL"), MethodSig.CreateStatic(int32Type, int32Type), MethodImplAttributes.IL, MethodAttributes.FamANDAssem | MethodAttributes.Family | MethodAttributes.Static | MethodAttributes.HideBySig); returnMethod.Body = new CilBody(); returnMethod.Body.MaxStack = 12; for (int i = 0; i < 8; i++) { returnMethod.Body.Variables.Add(new Local(int32Type)); } CilBody returnMethodBody = returnMethod.Body; returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldarg_0)); foreach (X86Instruction x86Instruction in methodToConvert.Instructions) { switch (x86Instruction.OpCode) { case X86OpCode.MOV: { bool flag = x86Instruction.Operands[0] is X86ImmediateOperand; if (flag) { throw new Exception("Can't mov value to immediate value"); } bool flag2 = x86Instruction.Operands[1] is X86RegisterOperand; if (flag2) { returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); } else { bool flag3 = x86Instruction.Operands[1] is X86ImmediateOperand; if (flag3) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate)); } } returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; } case X86OpCode.ADD: { bool flag4 = x86Instruction.Operands[0] is X86ImmediateOperand; if (flag4) { throw new Exception("Can't add value to immediate value"); } returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); bool flag5 = x86Instruction.Operands[1] is X86RegisterOperand; if (flag5) { returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); } else { bool flag6 = x86Instruction.Operands[1] is X86ImmediateOperand; if (flag6) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate)); } } returnMethodBody.Instructions.Add(new Instruction(OpCodes.Add)); returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; } case X86OpCode.SUB: { bool flag7 = x86Instruction.Operands[0] is X86ImmediateOperand; if (flag7) { throw new Exception("Can't sub value to immediate value"); } returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); bool flag8 = x86Instruction.Operands[1] is X86RegisterOperand; if (flag8) { returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); } else { bool flag9 = x86Instruction.Operands[1] is X86ImmediateOperand; if (flag9) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate)); } } returnMethodBody.Instructions.Add(new Instruction(OpCodes.Sub)); returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; } case X86OpCode.IMUL: { bool flag10 = x86Instruction.Operands[0] is X86ImmediateOperand; if (flag10) { throw new Exception("Can't imul value to immediate value"); } bool flag11 = x86Instruction.Operands[1] is X86RegisterOperand; if (flag11) { returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); } else { bool flag12 = x86Instruction.Operands[1] is X86ImmediateOperand; if (flag12) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate)); } } bool flag13 = x86Instruction.Operands[2] is X86RegisterOperand; if (flag13) { returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[2] as X86RegisterOperand).Register, returnMethodBody)); } else { bool flag14 = x86Instruction.Operands[2] is X86ImmediateOperand; if (flag14) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[2] as X86ImmediateOperand).Immediate)); } } returnMethodBody.Instructions.Add(new Instruction(OpCodes.Mul)); returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; } case X86OpCode.DIV: { bool flag15 = x86Instruction.Operands[0] is X86ImmediateOperand; if (flag15) { throw new Exception("Can't div value to immediate value"); } returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); bool flag16 = x86Instruction.Operands[1] is X86RegisterOperand; if (flag16) { returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); } else { bool flag17 = x86Instruction.Operands[1] is X86ImmediateOperand; if (flag17) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate)); } } returnMethodBody.Instructions.Add(new Instruction(OpCodes.Div_Un)); returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; } case X86OpCode.NEG: { bool flag18 = x86Instruction.Operands[0] is X86ImmediateOperand; if (flag18) { throw new Exception("Can't neg immediate value"); } returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); returnMethodBody.Instructions.Add(new Instruction(OpCodes.Neg)); returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; } case X86OpCode.NOT: { bool flag19 = x86Instruction.Operands[0] is X86ImmediateOperand; if (flag19) { throw new Exception("Can't not immediate value"); } returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); returnMethodBody.Instructions.Add(new Instruction(OpCodes.Not)); returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; } case X86OpCode.XOR: { bool flag20 = x86Instruction.Operands[0] is X86ImmediateOperand; if (flag20) { throw new Exception("Can't xor value to immediate value"); } returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); bool flag21 = x86Instruction.Operands[1] is X86RegisterOperand; if (flag21) { returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody)); } else { bool flag22 = x86Instruction.Operands[1] is X86ImmediateOperand; if (flag22) { returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate)); } } returnMethodBody.Instructions.Add(new Instruction(OpCodes.Xor)); returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; } case X86OpCode.POP: returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody)); break; } } returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldloc_0)); returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ret)); return(returnMethod); }
public static void HandleCall(CallEventArgs args, Emulation emulation) { if (args.Instruction.Operand is MethodDef && IsProxyMethod((MethodDef)args.Instruction.Operand, out var ins)) { args.Instruction = ins; HandleCall(args, emulation); return; } if (args.Instruction.Operand.ToString() .Contains( "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle") ) { var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Pop(); var fielddef = ModuleDef.ResolveToken(stack2) as FieldDef; var test = fielddef.InitialValue; var decoded = new uint[test.Length / 4]; Buffer.BlockCopy(test, 0, decoded, 0, test.Length); stack1 = decoded; emulation.ValueStack.CallStack.Push(stack1); args.bypassCall = true; } else if (args.Instruction.Operand is MethodSpec && IsUintDecyption(((MethodSpec)args.Instruction.Operand).ResolveMethodDef())) { var method = ((MethodSpec)args.Instruction.Operand).ResolveMethodDef(); var initaliseMethod = Constants.Remover.FindInitialiseMethod(); var initBytes = Constants.Remover.InitaliseBytes(initaliseMethod); var param = new object[args.Pops]; for (var i = 0; i < param.Length; i++) { param[i] = emulation.ValueStack.CallStack.Pop(); } emulation.ValueStack.CallStack.Push(Constants.Remover.DecryptConstant(method, param, initBytes)); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()")) { } else if (args.Instruction.Operand.ToString() .Contains("System.String System.String::Intern(System.String)")) { emulation.ValueStack.CallStack.Push(string.Intern(emulation.ValueStack.CallStack.Pop())); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) { var stack4 = emulation.ValueStack.CallStack.Pop(); var stack3 = emulation.ValueStack.CallStack.Pop(); var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); var result = stack1.GetString(stack2, stack3, stack4); emulation.ValueStack.CallStack.Push(result); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Text.Encoding System.Text.Encoding::get_UTF8()")) { emulation.ValueStack.CallStack.Push(Encoding.UTF8); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Array System.Array::CreateInstance(System.Type,System.Int32)")) { var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); var result = Array.CreateInstance(stack1, stack2); emulation.ValueStack.CallStack.Push(result); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Type System.Type::GetElementType()")) { var stack = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Push(stack.GetElementType()); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle)")) { var stack = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Push(typeof(uint[])); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains( "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)") ) { var stack5 = emulation.ValueStack.CallStack.Pop(); var stack4 = emulation.ValueStack.CallStack.Pop(); var stack3 = emulation.ValueStack.CallStack.Pop(); var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); Buffer.BlockCopy(stack1, stack2, stack3, stack4, stack5); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Reflection.Module System.Reflection.Assembly::get_ManifestModule()")) { args.bypassCall = true; } else if (args.Instruction.Operand is MethodDef && isDecryptMethod((MethodDef)args.Instruction.Operand)) { var bytes = Compressor.Remover.HandleDecryptMethod(emulation, args, (MethodDef)args.Instruction.Operand); emulation.ValueStack.CallStack.Push(bytes); var bytes2 = (byte[])bytes.Target; Compressor.Remover.ModuleBytes = new byte[bytes2.Length]; Buffer.BlockCopy(bytes2, 0, Compressor.Remover.ModuleBytes, 0, bytes2.Length); ModuleBytes = bytes2; args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Void System.Array::Clear(System.Array,System.Int32,System.Int32)")) { var stack3 = emulation.ValueStack.CallStack.Pop(); var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); // File.WriteAllBytes("arrayemu", stack1); if (stack1 is Array) { Array.Clear(stack1, stack2, stack3); } args.bypassCall = true; } else if (args.Instruction.Operand is MethodDef && isDecompressMethod((MethodDef)args.Instruction.Operand)) { var stack = emulation.ValueStack.CallStack.Pop(); var decrypted = LzmaDecompress(stack); // Protections.Compressor.Remover.ModuleBytes = decrypted; // File.WriteAllBytes("arrayemu",stack); emulation.ValueStack.CallStack.Push(decrypted); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Byte[] System.Reflection.Module::ResolveSignature(System.Int32)")) { var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Push(ModuleDef.ReadBlob((uint)stack2)); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) { var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); Compressor.Remover.ModuleEp = stack2; args.endMethod = true; } else if (args.Instruction.Operand.ToString() .Contains( "System.Runtime.InteropServices.GCHandle System.Runtime.InteropServices.GCHandle::Alloc(System.Object,System.Runtime.InteropServices.GCHandleType") ) { var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Push(GCHandle.Alloc(stack1, GCHandleType.Pinned)); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains( "System.Object System.Runtime.InteropServices.GCHandle::get_Target()") ) { var stack1 = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Push(stack1.Target); args.bypassCall = true; } else if (args.Instruction.Operand is MethodDef && ((MethodDef)args.Instruction.Operand).IsNative) { var stack1 = emulation.ValueStack.CallStack.Pop(); X86Method x86 = new X86Method(args.Instruction.Operand as MethodDef); var abc = x86.Execute(stack1); emulation.ValueStack.CallStack.Push(abc); args.bypassCall = true; } // }