public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
accessor.TableHeap.GetTable <DeclSecurityTable>(Table.DeclSecurity).AddRow(new Row <SecurityAction, uint, uint>((SecurityAction)0xffff, 0xffffffff, 0xffffffff));
char[] pad = new char[0x10000];
int len = 0;
Random rand = new Random();
while (accessor.StringHeap.Length + len < 0x10000)
{
for (int i = 0; i < 0x1000; i++)
{
while ((pad[len + i] = (char)rand.Next(0, 0xff)) == '\0')
{
;
}
}
len += 0x1000;
}
uint idx = accessor.StringHeap.GetStringIndex(new string(pad, 0, len));
if (Array.IndexOf(parameters.AllKeys, "hasReflection") == -1)
{
accessor.TableHeap.GetTable <ManifestResourceTable>(Table.ManifestResource).AddRow(new Row <uint, ManifestResourceAttributes, uint, uint>(0xffffffff, ManifestResourceAttributes.Private, idx, 2));
}
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
ModuleDefinition mod = accessor.Module;
for (int i = 0; i < mod.Resources.Count; i++)
{
if (mod.Resources[i] is EmbeddedResource)
{
rc.dats.Add(new KeyValuePair <string, byte[]>(mod.Resources[i].Name, (mod.Resources[i] as EmbeddedResource).GetResourceData()));
mod.Resources.RemoveAt(i);
i--;
}
}
if (rc.dats.Count > 0)
{
MemoryStream ms = new MemoryStream();
BinaryWriter wtr = new BinaryWriter(new DeflateStream(ms, CompressionMode.Compress, true));
MemoryStream ms1 = new MemoryStream();
BinaryWriter wtr1 = new BinaryWriter(new DeflateStream(ms1, CompressionMode.Compress, true));
byte[] asm = GetAsm();
wtr1.Write(asm.Length);
wtr1.Write(asm);
wtr1.BaseStream.Dispose();
byte[] dat = Encrypt(ms1.ToArray(), rc.key0, rc.key1);
wtr.Write(dat.Length);
wtr.Write(dat);
wtr.BaseStream.Dispose();
mod.Resources.Add(new EmbeddedResource(rc.resId, ManifestResourceAttributes.Private, ms.ToArray()));
}
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
_Context txt = cc.txts[accessor.Module];
// update typedef table to have field list for <module> start at 2 instead of 1
/*var tbl1 = accessor.TableHeap.GetTable<TypeDefTable>(Table.TypeDef);
*
* for (int i = 0; i < tbl1.Length; i++)//foreach (var tblRow in tbl1)
* {
* var moduleTypeRow = tbl1[i];
* moduleTypeRow.Col5 = moduleTypeRow.Col5 + 1;
* tbl1[i] = moduleTypeRow;
* }*/
if (!txt.isNative)
{
return;
}
var tbl = accessor.TableHeap.GetTable <MethodTable>(Table.Method);
var row = tbl[(int)txt.nativeDecr.MetadataToken.RID - 1];
row.Col2 = MethodImplAttributes.Native | MethodImplAttributes.Unmanaged | MethodImplAttributes.PreserveSig;
row.Col3 &= ~MethodAttributes.Abstract;
row.Col3 |= MethodAttributes.PInvokeImpl;
row.Col1 = txt.nativeRange.Start;
accessor.BodyRanges[txt.nativeDecr.MetadataToken] = txt.nativeRange;
tbl[(int)txt.nativeDecr.MetadataToken.RID - 1] = row;
//accessor.Module.Attributes &= ~ModuleAttributes.ILOnly;
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
/* _Context txt = cc.txts[accessor.Module];
*
* var fieldTbl = accessor.TableHeap.GetTable<FieldTable>(Table.Field);
* foreach (var i in txt.txts)
* {
* var fieldRow = fieldTbl[(int)i.fld.MetadataToken.RID - 1];
*
* TypeReference typeRef = i.fld.FieldType;
* accessor.BlobHeap.Position = (int)fieldRow.Col3;
* int len = (int)accessor.BlobHeap.ReadCompressedUInt32();
* int s = accessor.BlobHeap.Position;
* accessor.BlobHeap.WriteByte(0x6);
* accessor.BlobHeap.WriteByte((byte)(typeRef.IsValueType ? ElementType.ValueType : ElementType.Class));
* accessor.BlobHeap.WriteCompressedUInt32(CodedIndex.TypeDefOrRef.CompressMetadataToken(accessor.LookupToken(typeRef.GetElementType())));
* int l = len - (accessor.BlobHeap.Position - s);
* for (int z = 0; z < l; z++)
* accessor.BlobHeap.WriteByte(0);
*
* accessor.BlobHeap.Position = s + len - 8;
* byte[] b;
* if (txt.isNative)
* b = BitConverter.GetBytes(ExpressionEvaluator.Evaluate(txt.exp, (int)i.token.RID));
* else
* b = BitConverter.GetBytes(i.token.RID ^ txt.key);
* accessor.BlobHeap.WriteByte((byte)(((byte)Random.Next() & 0x3f) | 0xc0));
* accessor.BlobHeap.WriteByte((byte)((uint)i.token.TokenType >> 24));
* accessor.BlobHeap.WriteByte(b[0]);
* accessor.BlobHeap.WriteByte(b[1]);
* accessor.BlobHeap.WriteByte((byte)(((byte)Random.Next() & 0x3f) | 0xc0));
* accessor.BlobHeap.WriteByte(b[2]);
* accessor.BlobHeap.WriteByte(b[3]);
* accessor.BlobHeap.WriteByte(0);
*
* System.Diagnostics.Debug.Assert(accessor.BlobHeap.Position - (int)fieldRow.Col3 == len + 1);
*
* fieldTbl[(int)i.fld.MetadataToken.RID - 1] = fieldRow;
* }
*
* if (!txt.isNative) return;
*
* var tbl = accessor.TableHeap.GetTable<MethodTable>(Table.Method);
* var row = tbl[(int)txt.nativeDecr.MetadataToken.RID - 1];
* row.Col2 = MethodImplAttributes.Native | MethodImplAttributes.Unmanaged | MethodImplAttributes.PreserveSig;
* row.Col3 &= ~MethodAttributes.Abstract;
* row.Col3 |= MethodAttributes.PInvokeImpl;
* row.Col1 = txt.nativeRange.Start;
* accessor.BodyRanges[txt.nativeDecr.MetadataToken] = txt.nativeRange;
*
* tbl[(int)txt.nativeDecr.MetadataToken.RID - 1] = row;
*
* //accessor.Module.Attributes &= ~ModuleAttributes.ILOnly;*/
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
var tbl = accessor.TableHeap.GetTable <MethodTable>(Table.Method);
var row = tbl[c.rid - 1];
row.Col2 = MethodImplAttributes.Native | MethodImplAttributes.Unmanaged | MethodImplAttributes.PreserveSig;
row.Col3 &= ~MethodAttributes.Abstract;
row.Col3 |= MethodAttributes.PInvokeImpl;
accessor.Codes.Position = (accessor.Codes.Length + 15) & ~15;
row.Col1 = c.codeRva = accessor.Codebase + (uint)accessor.Codes.Position;
accessor.Codes.WriteBytes(new byte[] { 0xff, 0x25, 0x12, 0x34, 0x56, 0x78 });
tbl[c.rid - 1] = row;
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
MethodTable tbl = accessor.TableHeap.GetTable <MethodTable>(Table.Method);
cion.rvas = new uint[tbl.Length];
cion.ptrs = new uint[tbl.Length];
cion.codes = new byte[tbl.Length][];
for (int i = 0; i < tbl.Length; i++)
{
if (cion.excludes.Contains(i))
{
continue;
}
cion.rvas[i] = tbl[i].Col1;
}
}
public void Phase3(MetadataProcessor.MetadataAccessor accessor)
{
MethodTable tbl = accessor.TableHeap.GetTable <MethodTable>(Table.Method);
rvas = new uint[tbl.Length];
ptrs = new uint[tbl.Length];
codes = new byte[tbl.Length][];
for (int i = 0; i < tbl.Length; i++)
{
if (excludes.Contains(i) || (tbl[i].Col2 & MethodImplAttributes.CodeTypeMask) != MethodImplAttributes.IL)
{
continue;
}
rvas[i] = tbl[i].Col1;
}
codeLen = (uint)accessor.Codes.Length;
}
protected internal override void ProcessMetadataPhase2(MetadataProcessor.MetadataAccessor accessor, bool isMain)
{
if (isMain)
{
oKind = accessor.Module.Kind;
accessor.Module.Kind = ModuleKind.NetModule;
accessor.TableHeap.GetTable <AssemblyTable>(Table.Assembly).Clear();
var resTbl = accessor.TableHeap.GetTable <ManifestResourceTable>(Table.ManifestResource);
for (int i = 0; i < resTbl.Length; i++)
{
res.Add(new Tuple <string, ManifestResourceAttributes, uint>(
accessor.StringHeap.GetString(resTbl[i].Col3),
resTbl[i].Col2,
resTbl[i].Col1));
}
}
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
foreach (Context txt in cc.txts)
{
if (txt.fld.Name[0] != '\0')
{
continue;
}
MetadataToken tkn = accessor.LookupToken(txt.mtdRef);
string str = Convert.ToBase64String(BitConverter.GetBytes(tkn.ToInt32() ^ cc.key));
StringBuilder sb = new StringBuilder(str.Length);
for (int i = 0; i < str.Length; i++)
{
sb.Append((char)((byte)str[i] ^ i));
}
txt.fld.Name = sb.ToString();
}
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
if (Array.IndexOf(parameters.AllKeys, "hasreflection") == -1)
{
if (accessor.Module.Runtime != TargetRuntime.Net_4_0)
{
uint mtdLen = (uint)accessor.TableHeap.GetTable <MethodTable>(Table.Method).Length + 1;
uint fldLen = (uint)accessor.TableHeap.GetTable <FieldTable>(Table.Field).Length + 1;
List <uint> nss = new List <uint>();
foreach (Row <TypeAttributes, uint, uint, uint, uint, uint> i in accessor.TableHeap.GetTable <TypeDefTable>(Table.TypeDef))
{
if (i == null)
{
break;
}
else if (!nss.Contains(i.Col3))
{
nss.Add(i.Col3);
}
}
uint nested = (uint)accessor.TableHeap.GetTable <TypeDefTable>(Table.TypeDef).AddRow(new Row <TypeAttributes, uint, uint, uint, uint, uint>(0, 0x7fffffff, 0, 0x3FFFD, fldLen, mtdLen));
accessor.TableHeap.GetTable <NestedClassTable>(Table.NestedClass).AddRow(new Row <uint, uint>(nested, nested));
foreach (uint i in nss)
{
uint type = (uint)accessor.TableHeap.GetTable <TypeDefTable>(Table.TypeDef).AddRow(new Row <TypeAttributes, uint, uint, uint, uint, uint>(0, 0x7fffffff, i, 0x3FFFD, fldLen, mtdLen));
accessor.TableHeap.GetTable <NestedClassTable>(Table.NestedClass).AddRow(new Row <uint, uint>(nested, type));
}
}
foreach (Row <ParameterAttributes, ushort, uint> r in accessor.TableHeap.GetTable <ParamTable>(Table.Param))
{
if (r != null)
{
r.Col3 = 0x7fffffff;
}
}
}
accessor.TableHeap.GetTable <ModuleTable>(Table.Module).AddRow(accessor.StringHeap.GetStringIndex(Guid.NewGuid().ToString()));
accessor.TableHeap.GetTable <AssemblyTable>(Table.Assembly).AddRow(new Row <AssemblyHashAlgorithm, ushort, ushort, ushort, ushort, AssemblyAttributes, uint, uint, uint>(
AssemblyHashAlgorithm.None, 0, 0, 0, 0, AssemblyAttributes.SideBySideCompatible, 0,
accessor.StringHeap.GetStringIndex(Guid.NewGuid().ToString()), 0));
}
protected internal override void PostProcessMetadata(MetadataProcessor.MetadataAccessor accessor)
{
accessor.StringHeap.Position = accessor.StringHeap.Length;
accessor.BlobHeap.Position = accessor.BlobHeap.Length;
int rid = accessor.TableHeap.GetTable <FileTable>(Table.File).AddRow(
new Row <Mono.Cecil.FileAttributes, uint, uint>(
Mono.Cecil.FileAttributes.ContainsMetaData,
accessor.StringHeap.GetStringIndex("___.netmodule"),
accessor.BlobHeap.GetBlobIndex(hash)));
var resTbl = accessor.TableHeap.GetTable <ManifestResourceTable>(Table.ManifestResource);
foreach (var i in res)
{
resTbl.AddRow(new Row <uint, ManifestResourceAttributes, uint, uint>(
i.Item3, i.Item2, accessor.StringHeap.GetStringIndex(i.Item1),
CodedIndex.Implementation.CompressMetadataToken(
new MetadataToken(TokenType.File, rid))));
}
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
_Context txt = cc.txts[accessor.Module];
if (!txt.isNative)
{
return;
}
var tbl = accessor.TableHeap.GetTable <MethodTable>(Table.Method);
var row = tbl[(int)txt.nativeDecr.MetadataToken.RID - 1];
row.Col2 = MethodImplAttributes.Native | MethodImplAttributes.Unmanaged | MethodImplAttributes.PreserveSig;
row.Col3 &= ~MethodAttributes.Abstract;
row.Col3 |= MethodAttributes.PInvokeImpl;
row.Col1 = txt.nativeRange.Start;
accessor.BodyRanges[txt.nativeDecr.MetadataToken] = txt.nativeRange;
tbl[(int)txt.nativeDecr.MetadataToken.RID - 1] = row;
//accessor.Module.Attributes &= ~ModuleAttributes.ILOnly;
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
_Context txt = cc.txts[accessor.Module];
// does standalone sig table because its able to use ResolveSignature(mdTok)
/*int rid = accessor.TableHeap.GetTable<StandAloneSigTable>(Table.StandAloneSig).AddRow(
* accessor.BlobHeap.GetBlobIndex(new Mono.Cecil.PE.ByteBuffer(txt.keyBuff)));*/
uint blobIndex = accessor.BlobHeap.GetBlobIndex(new Mono.Cecil.PE.ByteBuffer(txt.keyBuff));
//int rid = accessor.TableHeap.GetTable<FieldTable>(Table.Field).AddRow(new Row<FieldAttributes, uint, uint>(FieldAttributes.Public | FieldAttributes.Static, 0x7fffff, blobIndex));
// update md body to not reference the field
/* var mainModuleType = accessor.Module.Types[0];
* var ccTor = mainModuleType.Methods[0];
* var inst = ccTor.Body.Instructions[2];
* inst.Operand = mainModuleType.Fields[1];
*/
/*accessor.TableHeap.GetTable<FileTable>(Table.File).AddRow(
* new Row<Mono.Cecil.FileAttributes, uint, uint>(
* Mono.Cecil.FileAttributes.ContainsMetaData,
* accessor.BlobHeap.GetBlobIndex(new Mono.Cecil.PE.ByteBuffer(txt.keyBuff)),
* 0));*/
/*int token = 0x04000000 | rid;
* txt.keyInst.OpCode = OpCodes.Ldc_I4;
* // 06 = method, 04 = field
* txt.keyInst.Operand = token;//0x04000001;
* //int token =(int) txt.keyInst.Operand;
* txt.keyInst.Operand = (int)(token ^ 0x06000001); //... -_-*/
// TypeSpec == working
/*int rid = accessor.TableHeap.GetTable<TypeSpecTable>(Table.TypeSpec).AddRow(blobIndex);
*
* int token = 0x1B000000 | rid;
* txt.keyInst.OpCode = OpCodes.Ldc_I4;
* //0x0601 == <Module>.cctor();
* txt.keyInst.Operand = (int)(token ^ 0x06000001); //... -_-*/
int rid = accessor.TableHeap.GetTable <MemberRefTable>(Table.MemberRef).AddRow(new Row <uint, uint, uint>(1, 1, blobIndex));
int token = 0x0A000000 | rid;
txt.keyInst.OpCode = OpCodes.Ldc_I4;
//0x0601 == <Module>.cctor();
txt.keyInst.Operand = (int)(token ^ 0x06000001); //... -_-
Database.AddEntry("Const", "KeyBuffToken", token);
if (!txt.isNative)
{
return;
}
txt.nativeRange = new Range(accessor.Codebase + (uint)accessor.Codes.Position, 0);
MemoryStream ms = new MemoryStream();
using (BinaryWriter wtr = new BinaryWriter(ms))
{
wtr.Write(new byte[] { 0x89, 0xe0 }); // mov eax, esp
wtr.Write(new byte[] { 0x53 }); // push ebx
wtr.Write(new byte[] { 0x57 }); // push edi
wtr.Write(new byte[] { 0x56 }); // push esi
wtr.Write(new byte[] { 0x29, 0xe0 }); // sub eax, esp
wtr.Write(new byte[] { 0x83, 0xf8, 0x18 }); // cmp eax, 24
wtr.Write(new byte[] { 0x74, 0x07 }); // je n
wtr.Write(new byte[] { 0x8b, 0x44, 0x24, 0x10 }); // mov eax, [esp + 4]
wtr.Write(new byte[] { 0x50 }); // push eax
wtr.Write(new byte[] { 0xeb, 0x01 }); // jmp z
wtr.Write(new byte[] { 0x51 }); //n: push ecx
x86Register ret; //z:
var insts = txt.visitor.GetInstructions(out ret);
foreach (var i in insts)
{
wtr.Write(i.Assemble());
}
if (ret != x86Register.EAX)
{
wtr.Write(
new x86Instruction()
{
OpCode = x86OpCode.MOV,
Operands = new Ix86Operand[]
{
new x86RegisterOperand()
{
Register = x86Register.EAX
},
new x86RegisterOperand()
{
Register = ret
}
}
}.Assemble());
}
wtr.Write(new byte[] { 0x5e }); //pop esi
wtr.Write(new byte[] { 0x5f }); //pop edi
wtr.Write(new byte[] { 0x5b }); //pop ebx
wtr.Write(new byte[] { 0xc3 }); //ret
wtr.Write(new byte[((ms.Length + 3) & ~3) - ms.Length]);
}
byte[] codes = ms.ToArray();
Database.AddEntry("Const", "Native", codes);
accessor.Codes.WriteBytes(codes);
accessor.SetCodePosition(accessor.Codebase + (uint)accessor.Codes.Position);
txt.nativeRange.Length = (uint)codes.Length;
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
/*_Context _txt = cc.txts[accessor.Module];
* for (int i = 0; i < _txt.txts.Count; i++)
* {
* int j = Random.Next(0, _txt.txts.Count);
* var tmp = _txt.txts[i];
* _txt.txts[i] = _txt.txts[j];
* _txt.txts[j] = tmp;
* }
*
* TypeDefinition typeDef = new TypeDefinition("", "", 0);
*
* foreach (Context txt in _txt.txts)
* {
* txt.token = accessor.LookupToken(txt.mtdRef);
* if (txt.fld.Name[0] != '\0') continue;
* txt.fld.Name = " \n" + ObfuscationHelper.GetRandomName();
*
* //Hack into cecil to generate diff sig for diff field -_-
* int pos = txt.fld.DeclaringType.Fields.IndexOf(txt.fld) + 1;
* while (typeDef.GenericParameters.Count < pos)
* typeDef.GenericParameters.Add(new GenericParameter(typeDef));
*
* txt.fld.FieldType = new GenericInstanceType(txt.fld.FieldType)
* {
* GenericArguments =
* {
* accessor.Module.TypeSystem.Object,
* accessor.Module.TypeSystem.Object,
* accessor.Module.TypeSystem.Object,
* accessor.Module.TypeSystem.Object,
* accessor.Module.TypeSystem.Object,
* typeDef.GenericParameters[pos - 1]
* }
* };
*
* Database.AddEntry("CtorProxy", txt.mtdRef.FullName, txt.fld.Name);
* Database.AddEntry("CtorProxy", txt.fld.Name, txt.inst.Operand.ToString());
* }
* if (!_txt.isNative) return;
*
* _txt.nativeRange = new Range(accessor.Codebase + (uint)accessor.Codes.Position, 0);
* MemoryStream ms = new MemoryStream();
* using (BinaryWriter wtr = new BinaryWriter(ms))
* {
* wtr.Write(new byte[] { 0x89, 0xe0 }); // mov eax, esp
* wtr.Write(new byte[] { 0x53 }); // push ebx
* wtr.Write(new byte[] { 0x57 }); // push edi
* wtr.Write(new byte[] { 0x56 }); // push esi
* wtr.Write(new byte[] { 0x29, 0xe0 }); // sub eax, esp
* wtr.Write(new byte[] { 0x83, 0xf8, 0x18 }); // cmp eax, 24
* wtr.Write(new byte[] { 0x74, 0x07 }); // je n
* wtr.Write(new byte[] { 0x8b, 0x44, 0x24, 0x10 }); // mov eax, [esp + 4]
* wtr.Write(new byte[] { 0x50 }); // push eax
* wtr.Write(new byte[] { 0xeb, 0x01 }); // jmp z
* wtr.Write(new byte[] { 0x51 }); //n: push ecx
* x86Register ret; //z:
* var insts = _txt.visitor.GetInstructions(out ret);
* foreach (var i in insts)
* wtr.Write(i.Assemble());
* if (ret != x86Register.EAX)
* wtr.Write(
* new x86Instruction()
* {
* OpCode = x86OpCode.MOV,
* Operands = new Ix86Operand[]
* {
* new x86RegisterOperand() { Register = x86Register.EAX },
* new x86RegisterOperand() { Register = ret }
* }
* }.Assemble());
* wtr.Write(new byte[] { 0x5e }); //pop esi
* wtr.Write(new byte[] { 0x5f }); //pop edi
* wtr.Write(new byte[] { 0x5b }); //pop ebx
* wtr.Write(new byte[] { 0xc3 }); //ret
* wtr.Write(new byte[((ms.Length + 3) & ~3) - ms.Length]);
* }
* byte[] codes = ms.ToArray();
* Database.AddEntry("CtorProxy", "Native", codes);
* accessor.Codes.WriteBytes(codes);
* accessor.SetCodePosition(accessor.Codebase + (uint)accessor.Codes.Position);
* _txt.nativeRange.Length = (uint)codes.Length;*/
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
_Context _txt = mc.txts[accessor.Module];
for (int i = 0; i < _txt.txts.Count; i++)
{
int j = Random.Next(0, _txt.txts.Count);
var tmp = _txt.txts[i];
_txt.txts[i] = _txt.txts[j];
_txt.txts[j] = tmp;
}
TypeDefinition typeDef = new TypeDefinition("", "", 0);
foreach (Context txt in _txt.txts)
{
txt.token = accessor.LookupToken(txt.mtdRef);
if (txt.fld.Name[0] != '\0')
{
continue;
}
txt.fld.Name = (txt.isVirt ? _txt.keyChar1 : _txt.keyChar2) + "\n" + ObfuscationHelper.GetRandomName();
//Hack into cecil to generate diff sig for diff field -_-
int pos = txt.fld.DeclaringType.Fields.IndexOf(txt.fld) + 1;
while (typeDef.GenericParameters.Count < pos)
{
typeDef.GenericParameters.Add(new GenericParameter(typeDef));
}
txt.fld.FieldType = new GenericInstanceType(txt.fld.FieldType)
{
GenericArguments =
{
accessor.Module.TypeSystem.Object,
accessor.Module.TypeSystem.Object,
accessor.Module.TypeSystem.Object,
accessor.Module.TypeSystem.Object,
accessor.Module.TypeSystem.Object,
typeDef.GenericParameters[pos - 1]
}
};
Database.AddEntry("MtdProxy", (txt.isVirt ? "callvirt " : "call ") + txt.mtdRef.FullName, txt.fld.Name);
Database.AddEntry("MtdProxy", txt.fld.Name, txt.inst.Operand.ToString());
}
if (!_txt.isNative)
{
return;
}
_txt.nativeRange = new Range(accessor.Codebase + (uint)accessor.Codes.Position, 0);
MemoryStream ms = new MemoryStream();
using (BinaryWriter wtr = new BinaryWriter(ms))
{
wtr.Write(new byte[] { 0x89, 0xe0 }); // mov eax, esp
wtr.Write(new byte[] { 0x53 }); // push ebx
wtr.Write(new byte[] { 0x57 }); // push edi
wtr.Write(new byte[] { 0x56 }); // push esi
wtr.Write(new byte[] { 0x29, 0xe0 }); // sub eax, esp
wtr.Write(new byte[] { 0x83, 0xf8, 0x18 }); // cmp eax, 24
wtr.Write(new byte[] { 0x74, 0x07 }); // je n
wtr.Write(new byte[] { 0x8b, 0x44, 0x24, 0x10 }); // mov eax, [esp + 4]
wtr.Write(new byte[] { 0x50 }); // push eax
wtr.Write(new byte[] { 0xeb, 0x01 }); // jmp z
wtr.Write(new byte[] { 0x51 }); //n: push ecx
x86Register ret; //z:
var insts = _txt.visitor.GetInstructions(out ret);
foreach (var i in insts)
{
wtr.Write(i.Assemble());
}
if (ret != x86Register.EAX)
{
wtr.Write(
new x86Instruction()
{
OpCode = x86OpCode.MOV,
Operands = new Ix86Operand[]
{
new x86RegisterOperand()
{
Register = x86Register.EAX
},
new x86RegisterOperand()
{
Register = ret
}
}
}.Assemble());
}
wtr.Write(new byte[] { 0x5e }); //pop esi
wtr.Write(new byte[] { 0x5f }); //pop edi
wtr.Write(new byte[] { 0x5b }); //pop ebx
wtr.Write(new byte[] { 0xc3 }); //ret
wtr.Write(new byte[((ms.Length + 3) & ~3) - ms.Length]);
}
byte[] codes = ms.ToArray();
Database.AddEntry("MtdProxy", "Native", codes);
accessor.Codes.WriteBytes(codes);
accessor.SetCodePosition(accessor.Codebase + (uint)accessor.Codes.Position);
_txt.nativeRange.Length = (uint)codes.Length;
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
_Context txt = rc.txts[accessor.Module];
ModuleDefinition mod = accessor.Module;
for (int i = 0; i < mod.Resources.Count; i++)
{
if (mod.Resources[i] is EmbeddedResource)
{
txt.dats.Add(new KeyValuePair <string, byte[]>(mod.Resources[i].Name, (mod.Resources[i] as EmbeddedResource).GetResourceData()));
mod.Resources.RemoveAt(i);
i--;
}
}
if (txt.dats.Count > 0)
{
MemoryStream ms = new MemoryStream();
BinaryWriter wtr = new BinaryWriter(ms);
byte[] dat = GetAsm(mod.TimeStamp, txt.dats);
wtr.Write(dat.Length);
wtr.Write(dat);
ms.Position = 0;
int dictionary = 1 << 23;
Int32 posStateBits = 2;
Int32 litContextBits = 3; // for normal files
// UInt32 litContextBits = 0; // for 32-bit data
Int32 litPosBits = 0;
// UInt32 litPosBits = 2; // for 32-bit data
Int32 algorithm = 2;
Int32 numFastBytes = 128;
string mf = "bt4";
SevenZip.CoderPropID[] propIDs =
{
SevenZip.CoderPropID.DictionarySize,
SevenZip.CoderPropID.PosStateBits,
SevenZip.CoderPropID.LitContextBits,
SevenZip.CoderPropID.LitPosBits,
SevenZip.CoderPropID.Algorithm,
SevenZip.CoderPropID.NumFastBytes,
SevenZip.CoderPropID.MatchFinder,
SevenZip.CoderPropID.EndMarker
};
object[] properties =
{
(int)dictionary,
(int)posStateBits,
(int)litContextBits,
(int)litPosBits,
(int)algorithm,
(int)numFastBytes,
mf,
false
};
MemoryStream x = new MemoryStream();
var encoder = new SevenZip.Compression.LZMA.Encoder();
encoder.SetCoderProperties(propIDs, properties);
encoder.WriteCoderProperties(x);
Int64 fileSize;
fileSize = ms.Length;
for (int i = 0; i < 8; i++)
{
x.WriteByte((Byte)(fileSize >> (8 * i)));
}
ms.Position = 0;
encoder.Code(ms, x, -1, -1, null);
dat = Transform(x.ToArray(), txt.key0, txt.key1);
mod.Resources.Add(new EmbeddedResource(txt.resId, ManifestResourceAttributes.Private, dat));
}
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
cion.vers[accessor.Module].Phase3(accessor);
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
accessor.TableHeap.GetTable <TypeDefTable>(Table.TypeDef)[0].Col2 = 0xffff;
uint mtdLen = (uint)accessor.TableHeap.GetTable <MethodTable>(Table.Method).Length + 1;
uint fldLen = (uint)accessor.TableHeap.GetTable <FieldTable>(Table.Field).Length + 1;
Database.AddEntry("InvalidMd", "HasReflection", Array.IndexOf(parameters.AllKeys, "hasreflection") != -1);
Database.AddEntry("InvalidMd", "Runtime", accessor.Module.Runtime);
if (Array.IndexOf(parameters.AllKeys, "hasreflection") == -1)
{
if (accessor.Module.Runtime != TargetRuntime.Net_4_0)
{
List <uint> nss = new List <uint>();
foreach (Row <TypeAttributes, uint, uint, uint, uint, uint> i in accessor.TableHeap.GetTable <TypeDefTable>(Table.TypeDef))
{
if (i == null)
{
break;
}
else if (!nss.Contains(i.Col3))
{
nss.Add(i.Col3);
}
}
uint nested = (uint)accessor.TableHeap.GetTable <TypeDefTable>(Table.TypeDef).AddRow(new Row <TypeAttributes, uint, uint, uint, uint, uint>(0, 0x7fffffff, 0, 0x3FFFD, fldLen, mtdLen));
accessor.TableHeap.GetTable <NestedClassTable>(Table.NestedClass).AddRow(new Row <uint, uint>(nested, nested));
foreach (uint i in nss)
{
uint type = (uint)accessor.TableHeap.GetTable <TypeDefTable>(Table.TypeDef).AddRow(new Row <TypeAttributes, uint, uint, uint, uint, uint>(0, 0x7fffffff, i, 0x3FFFD, fldLen, mtdLen));
accessor.TableHeap.GetTable <NestedClassTable>(Table.NestedClass).AddRow(new Row <uint, uint>(nested, type));
}
foreach (Row <ParameterAttributes, ushort, uint> r in accessor.TableHeap.GetTable <ParamTable>(Table.Param))
{
if (r != null)
{
r.Col3 = 0x7fffffff;
}
}
}
}
accessor.TableHeap.GetTable <ModuleTable>(Table.Module).AddRow(accessor.StringHeap.GetStringIndex(ObfuscationHelper.GetRandomName()));
accessor.TableHeap.GetTable <AssemblyTable>(Table.Assembly).AddRow(new Row <AssemblyHashAlgorithm, ushort, ushort, ushort, ushort, AssemblyAttributes, uint, uint, uint>(
AssemblyHashAlgorithm.None, 0, 0, 0, 0, AssemblyAttributes.SideBySideCompatible, 0,
accessor.StringHeap.GetStringIndex(ObfuscationHelper.GetRandomName()), 0));
for (int i = 0; i < 10; i++)
{
accessor.TableHeap.GetTable <ENCLogTable>(Table.EncLog).AddRow(new Row <uint, uint>((uint)Random.Next(), (uint)Random.Next()));
}
for (int i = 0; i < 10; i++)
{
accessor.TableHeap.GetTable <ENCMapTable>(Table.EncMap).AddRow((uint)Random.Next());
}
accessor.TableHeap.GetTable <AssemblyRefTable>(Table.AssemblyRef).AddRow(new Row <ushort, ushort, ushort, ushort, AssemblyAttributes, uint, uint, uint, uint>(
0, 0, 0, 0, AssemblyAttributes.SideBySideCompatible, 0,
0xffff, 0, 0xffff));
Randomize(accessor.TableHeap.GetTable <NestedClassTable>(Table.NestedClass));
Randomize(accessor.TableHeap.GetTable <ManifestResourceTable>(Table.ManifestResource));
Randomize(accessor.TableHeap.GetTable <GenericParamConstraintTable>(Table.GenericParamConstraint));
}
public abstract void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor);
internal protected virtual void PostProcessMetadata(MetadataProcessor.MetadataAccessor accessor)
{
}
internal protected virtual void ProcessMetadataPhase2(MetadataProcessor.MetadataAccessor accessor, bool isMain)
{
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
_Context txt = cc.txts[accessor.Module];
int rid = accessor.TableHeap.GetTable <StandAloneSigTable>(Table.StandAloneSig).AddRow(
accessor.BlobHeap.GetBlobIndex(new Mono.Cecil.PE.ByteBuffer(txt.keyBuff)));
int token = 0x11000000 | rid;
txt.keyInst.OpCode = OpCodes.Ldc_I4;
txt.keyInst.Operand = (int)(token ^ 0x06000001); //... -_-
Database.AddEntry("Const", "KeyBuffToken", token);
if (!txt.isNative)
{
return;
}
txt.nativeRange = new Range(accessor.Codebase + (uint)accessor.Codes.Position, 0);
MemoryStream ms = new MemoryStream();
using (BinaryWriter wtr = new BinaryWriter(ms))
{
wtr.Write(new byte[] { 0x89, 0xe0 }); // mov eax, esp
wtr.Write(new byte[] { 0x53 }); // push ebx
wtr.Write(new byte[] { 0x57 }); // push edi
wtr.Write(new byte[] { 0x56 }); // push esi
wtr.Write(new byte[] { 0x29, 0xe0 }); // sub eax, esp
wtr.Write(new byte[] { 0x83, 0xf8, 0x18 }); // cmp eax, 24
wtr.Write(new byte[] { 0x74, 0x07 }); // je n
wtr.Write(new byte[] { 0x8b, 0x44, 0x24, 0x10 }); // mov eax, [esp + 4]
wtr.Write(new byte[] { 0x50 }); // push eax
wtr.Write(new byte[] { 0xeb, 0x01 }); // jmp z
wtr.Write(new byte[] { 0x51 }); //n: push ecx
x86Register ret; //z:
var insts = txt.visitor.GetInstructions(out ret);
foreach (var i in insts)
{
wtr.Write(i.Assemble());
}
if (ret != x86Register.EAX)
{
wtr.Write(
new x86Instruction()
{
OpCode = x86OpCode.MOV,
Operands = new Ix86Operand[]
{
new x86RegisterOperand()
{
Register = x86Register.EAX
},
new x86RegisterOperand()
{
Register = ret
}
}
}.Assemble());
}
wtr.Write(new byte[] { 0x5e }); //pop esi
wtr.Write(new byte[] { 0x5f }); //pop edi
wtr.Write(new byte[] { 0x5b }); //pop ebx
wtr.Write(new byte[] { 0xc3 }); //ret
wtr.Write(new byte[((ms.Length + 3) & ~3) - ms.Length]);
}
byte[] codes = ms.ToArray();
Database.AddEntry("Const", "Native", codes);
accessor.Codes.WriteBytes(codes);
accessor.SetCodePosition(accessor.Codebase + (uint)accessor.Codes.Position);
txt.nativeRange.Length = (uint)codes.Length;
}
public void Phase3(MetadataProcessor.MetadataAccessor accessor)
{
MethodTable tbl = accessor.TableHeap.GetTable <MethodTable>(Table.Method);
accessor.Codes.Position = 0;
codes = accessor.Codes.ReadBytes(accessor.Codes.Length);
accessor.Codes.Reset(null);
accessor.Codes.Position = 0;
uint bas = accessor.Codebase;
List <object> o = new List <object>();
for (int i = 0; i < tbl.Length; i++)
{
if (tbl[i].Col1 == 0)
{
continue;
}
if (excludes.Contains(i) || (tbl[i].Col2 & MethodImplAttributes.CodeTypeMask) != MethodImplAttributes.IL)
{
if ((tbl[i].Col2 & MethodImplAttributes.CodeTypeMask) != MethodImplAttributes.IL)
{
accessor.Codes.WriteBytes(((accessor.Codes.Position + 15) & ~15) - accessor.Codes.Position);
}
tbl[i].Col1 = (uint)accessor.Codes.Position + bas;
Range range = accessor.BodyRanges[new MetadataToken(TokenType.Method, i + 1)];
byte[] buff = new byte[range.Length];
Buffer.BlockCopy(codes, (int)(range.Start - bas), buff, 0, buff.Length);
accessor.Codes.WriteBytes(buff);
accessor.Codes.WriteBytes(((accessor.Codes.Position + 3) & ~3) - accessor.Codes.Position);
}
else
{
tbl[i].Col2 |= MethodImplAttributes.NoInlining;
Range range = accessor.BodyRanges[new MetadataToken(TokenType.Method, i + 1)];
range = new Range(range.Start - bas, range.Length);
ExtractRefs(bodies[i], i, o);
var dat = Transform(bodies[i], i, codes, range);
o.Add(dat);
}
}
int[] randArray = new int[o.Count];
for (int i = 0; i < o.Count; i++)
{
randArray[i] = Confuser.Random.Next();
}
object[] objs = o.ToArray();
Array.Sort(randArray, objs);
var mtdDats = new Dictionary <int, MethodData>();
foreach (var i in objs)
{
if (i is MethodData)
{
MethodData mtdDat = i as MethodData;
mtdDats[mtdDat.Index] = mtdDat;
mtdDat.BufferOffset = finalDat.Position;
finalDat.WriteBytes(mtdDat.Serialize(fieldLayout));
Confuser.Database.AddEntry("AntiTamper", (0x06000001 + mtdDat.Index).ToString("X"), mtdDat.BufferOffset);
}
else
{
StringData strDat = i as StringData;
strDat.BufferOffset = finalDat.Position;
finalDat.WriteBytes(strDat.Serialize(key5));
Confuser.Database.AddEntry("AntiTamper", strDat.String, strDat.BufferOffset);
}
}
foreach (var i in objs)
{
if (i is StringData)
{
StringData dat = i as StringData;
uint token = 0x70800000;
token |= (uint)dat.BufferOffset;
Buffer.BlockCopy(BitConverter.GetBytes(token), 0, mtdDats[dat.Index].ILCodes, dat.Offset, 4);
}
}
byte[] randBuff = new byte[4];
foreach (var i in mtdDats)
{
uint ptr = (uint)i.Value.BufferOffset;
Confuser.Random.NextBytes(randBuff);
uint key = BitConverter.ToUInt32(randBuff, 0);
tbl[i.Key].Col1 = (uint)accessor.Codes.Position + bas;
byte[] buff = i.Value.Serialize(fieldLayout);
Crypt(buff, key * (uint)key4, key);
finalDat.Position = i.Value.BufferOffset;
finalDat.WriteBytes(buff);
accessor.Codes.WriteByte(0x46); //flags
accessor.Codes.WriteByte(0x21); //ldc.i8
accessor.Codes.WriteUInt64(((ulong)key << 32) | (ptr ^ key));
accessor.Codes.WriteByte(0x20); //ldc.i4
accessor.Codes.WriteUInt32(~(uint)buff.Length ^ key);
accessor.Codes.WriteByte(0x26);
accessor.BlobHeap.Position = (int)tbl[i.Key].Col5;
accessor.BlobHeap.ReadCompressedUInt32();
byte flags = accessor.BlobHeap.ReadByte();
if ((flags & 0x10) != 0)
{
accessor.BlobHeap.ReadCompressedUInt32();
}
accessor.BlobHeap.ReadCompressedUInt32();
bool hasRet = false;
do
{
byte t = accessor.BlobHeap.ReadByte();
if (t == 0x1f || t == 0x20)
{
continue;
}
hasRet = t != 0x01;
} while (false);
accessor.Codes.WriteByte(hasRet ? (byte)0x00 : (byte)0x26);
accessor.Codes.WriteByte(0x2a); //ret
accessor.Codes.WriteBytes(((accessor.Codes.Position + 3) & ~3) - accessor.Codes.Position);
}
accessor.USHeap.Reset(new byte[0]);
}
