public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
_Context txt = cc.txts[accessor.Module];
int rid = accessor.TableHeap.GetTable <StandAloneSigTable>(Table.StandAloneSig).AddRow(
accessor.BlobHeap.GetBlobIndex(new Mono.Cecil.PE.ByteBuffer(txt.keyBuff)));
int token = 0x11000000 | rid;
txt.keyInst.OpCode = OpCodes.Ldc_I4;
txt.keyInst.Operand = (int)(token ^ 0x06000001); //... -_-
Database.AddEntry("Const", "KeyBuffToken", token);
if (!txt.isNative)
{
return;
}
txt.nativeRange = new Range(accessor.Codebase + (uint)accessor.Codes.Position, 0);
MemoryStream ms = new MemoryStream();
using (BinaryWriter wtr = new BinaryWriter(ms))
{
wtr.Write(new byte[] { 0x89, 0xe0 }); // mov eax, esp
wtr.Write(new byte[] { 0x53 }); // push ebx
wtr.Write(new byte[] { 0x57 }); // push edi
wtr.Write(new byte[] { 0x56 }); // push esi
wtr.Write(new byte[] { 0x29, 0xe0 }); // sub eax, esp
wtr.Write(new byte[] { 0x83, 0xf8, 0x18 }); // cmp eax, 24
wtr.Write(new byte[] { 0x74, 0x07 }); // je n
wtr.Write(new byte[] { 0x8b, 0x44, 0x24, 0x10 }); // mov eax, [esp + 4]
wtr.Write(new byte[] { 0x50 }); // push eax
wtr.Write(new byte[] { 0xeb, 0x01 }); // jmp z
wtr.Write(new byte[] { 0x51 }); //n: push ecx
x86Register ret; //z:
var insts = txt.visitor.GetInstructions(out ret);
foreach (var i in insts)
{
wtr.Write(i.Assemble());
}
if (ret != x86Register.EAX)
{
wtr.Write(
new x86Instruction()
{
OpCode = x86OpCode.MOV,
Operands = new Ix86Operand[]
{
new x86RegisterOperand()
{
Register = x86Register.EAX
},
new x86RegisterOperand()
{
Register = ret
}
}
}.Assemble());
}
wtr.Write(new byte[] { 0x5e }); //pop esi
wtr.Write(new byte[] { 0x5f }); //pop edi
wtr.Write(new byte[] { 0x5b }); //pop ebx
wtr.Write(new byte[] { 0xc3 }); //ret
wtr.Write(new byte[((ms.Length + 3) & ~3) - ms.Length]);
}
byte[] codes = ms.ToArray();
Database.AddEntry("Const", "Native", codes);
accessor.Codes.WriteBytes(codes);
accessor.SetCodePosition(accessor.Codebase + (uint)accessor.Codes.Position);
txt.nativeRange.Length = (uint)codes.Length;
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
_Context _txt = mc.txts[accessor.Module];
for (int i = 0; i < _txt.txts.Count; i++)
{
int j = Random.Next(0, _txt.txts.Count);
var tmp = _txt.txts[i];
_txt.txts[i] = _txt.txts[j];
_txt.txts[j] = tmp;
}
TypeDefinition typeDef = new TypeDefinition("", "", 0);
foreach (Context txt in _txt.txts)
{
txt.token = accessor.LookupToken(txt.mtdRef);
if (txt.fld.Name[0] != '\0')
{
continue;
}
txt.fld.Name = (txt.isVirt ? _txt.keyChar1 : _txt.keyChar2) + "\n" + ObfuscationHelper.GetRandomName();
//Hack into cecil to generate diff sig for diff field -_-
int pos = txt.fld.DeclaringType.Fields.IndexOf(txt.fld) + 1;
while (typeDef.GenericParameters.Count < pos)
{
typeDef.GenericParameters.Add(new GenericParameter(typeDef));
}
txt.fld.FieldType = new GenericInstanceType(txt.fld.FieldType)
{
GenericArguments =
{
accessor.Module.TypeSystem.Object,
accessor.Module.TypeSystem.Object,
accessor.Module.TypeSystem.Object,
accessor.Module.TypeSystem.Object,
accessor.Module.TypeSystem.Object,
typeDef.GenericParameters[pos - 1]
}
};
Database.AddEntry("MtdProxy", (txt.isVirt ? "callvirt " : "call ") + txt.mtdRef.FullName, txt.fld.Name);
Database.AddEntry("MtdProxy", txt.fld.Name, txt.inst.Operand.ToString());
}
if (!_txt.isNative)
{
return;
}
_txt.nativeRange = new Range(accessor.Codebase + (uint)accessor.Codes.Position, 0);
MemoryStream ms = new MemoryStream();
using (BinaryWriter wtr = new BinaryWriter(ms))
{
wtr.Write(new byte[] { 0x89, 0xe0 }); // mov eax, esp
wtr.Write(new byte[] { 0x53 }); // push ebx
wtr.Write(new byte[] { 0x57 }); // push edi
wtr.Write(new byte[] { 0x56 }); // push esi
wtr.Write(new byte[] { 0x29, 0xe0 }); // sub eax, esp
wtr.Write(new byte[] { 0x83, 0xf8, 0x18 }); // cmp eax, 24
wtr.Write(new byte[] { 0x74, 0x07 }); // je n
wtr.Write(new byte[] { 0x8b, 0x44, 0x24, 0x10 }); // mov eax, [esp + 4]
wtr.Write(new byte[] { 0x50 }); // push eax
wtr.Write(new byte[] { 0xeb, 0x01 }); // jmp z
wtr.Write(new byte[] { 0x51 }); //n: push ecx
x86Register ret; //z:
var insts = _txt.visitor.GetInstructions(out ret);
foreach (var i in insts)
{
wtr.Write(i.Assemble());
}
if (ret != x86Register.EAX)
{
wtr.Write(
new x86Instruction()
{
OpCode = x86OpCode.MOV,
Operands = new Ix86Operand[]
{
new x86RegisterOperand()
{
Register = x86Register.EAX
},
new x86RegisterOperand()
{
Register = ret
}
}
}.Assemble());
}
wtr.Write(new byte[] { 0x5e }); //pop esi
wtr.Write(new byte[] { 0x5f }); //pop edi
wtr.Write(new byte[] { 0x5b }); //pop ebx
wtr.Write(new byte[] { 0xc3 }); //ret
wtr.Write(new byte[((ms.Length + 3) & ~3) - ms.Length]);
}
byte[] codes = ms.ToArray();
Database.AddEntry("MtdProxy", "Native", codes);
accessor.Codes.WriteBytes(codes);
accessor.SetCodePosition(accessor.Codebase + (uint)accessor.Codes.Position);
_txt.nativeRange.Length = (uint)codes.Length;
}
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
_Context txt = cc.txts[accessor.Module];
// does standalone sig table because its able to use ResolveSignature(mdTok)
/*int rid = accessor.TableHeap.GetTable<StandAloneSigTable>(Table.StandAloneSig).AddRow(
* accessor.BlobHeap.GetBlobIndex(new Mono.Cecil.PE.ByteBuffer(txt.keyBuff)));*/
uint blobIndex = accessor.BlobHeap.GetBlobIndex(new Mono.Cecil.PE.ByteBuffer(txt.keyBuff));
//int rid = accessor.TableHeap.GetTable<FieldTable>(Table.Field).AddRow(new Row<FieldAttributes, uint, uint>(FieldAttributes.Public | FieldAttributes.Static, 0x7fffff, blobIndex));
// update md body to not reference the field
/* var mainModuleType = accessor.Module.Types[0];
* var ccTor = mainModuleType.Methods[0];
* var inst = ccTor.Body.Instructions[2];
* inst.Operand = mainModuleType.Fields[1];
*/
/*accessor.TableHeap.GetTable<FileTable>(Table.File).AddRow(
* new Row<Mono.Cecil.FileAttributes, uint, uint>(
* Mono.Cecil.FileAttributes.ContainsMetaData,
* accessor.BlobHeap.GetBlobIndex(new Mono.Cecil.PE.ByteBuffer(txt.keyBuff)),
* 0));*/
/*int token = 0x04000000 | rid;
* txt.keyInst.OpCode = OpCodes.Ldc_I4;
* // 06 = method, 04 = field
* txt.keyInst.Operand = token;//0x04000001;
* //int token =(int) txt.keyInst.Operand;
* txt.keyInst.Operand = (int)(token ^ 0x06000001); //... -_-*/
// TypeSpec == working
/*int rid = accessor.TableHeap.GetTable<TypeSpecTable>(Table.TypeSpec).AddRow(blobIndex);
*
* int token = 0x1B000000 | rid;
* txt.keyInst.OpCode = OpCodes.Ldc_I4;
* //0x0601 == <Module>.cctor();
* txt.keyInst.Operand = (int)(token ^ 0x06000001); //... -_-*/
int rid = accessor.TableHeap.GetTable <MemberRefTable>(Table.MemberRef).AddRow(new Row <uint, uint, uint>(1, 1, blobIndex));
int token = 0x0A000000 | rid;
txt.keyInst.OpCode = OpCodes.Ldc_I4;
//0x0601 == <Module>.cctor();
txt.keyInst.Operand = (int)(token ^ 0x06000001); //... -_-
Database.AddEntry("Const", "KeyBuffToken", token);
if (!txt.isNative)
{
return;
}
txt.nativeRange = new Range(accessor.Codebase + (uint)accessor.Codes.Position, 0);
MemoryStream ms = new MemoryStream();
using (BinaryWriter wtr = new BinaryWriter(ms))
{
wtr.Write(new byte[] { 0x89, 0xe0 }); // mov eax, esp
wtr.Write(new byte[] { 0x53 }); // push ebx
wtr.Write(new byte[] { 0x57 }); // push edi
wtr.Write(new byte[] { 0x56 }); // push esi
wtr.Write(new byte[] { 0x29, 0xe0 }); // sub eax, esp
wtr.Write(new byte[] { 0x83, 0xf8, 0x18 }); // cmp eax, 24
wtr.Write(new byte[] { 0x74, 0x07 }); // je n
wtr.Write(new byte[] { 0x8b, 0x44, 0x24, 0x10 }); // mov eax, [esp + 4]
wtr.Write(new byte[] { 0x50 }); // push eax
wtr.Write(new byte[] { 0xeb, 0x01 }); // jmp z
wtr.Write(new byte[] { 0x51 }); //n: push ecx
x86Register ret; //z:
var insts = txt.visitor.GetInstructions(out ret);
foreach (var i in insts)
{
wtr.Write(i.Assemble());
}
if (ret != x86Register.EAX)
{
wtr.Write(
new x86Instruction()
{
OpCode = x86OpCode.MOV,
Operands = new Ix86Operand[]
{
new x86RegisterOperand()
{
Register = x86Register.EAX
},
new x86RegisterOperand()
{
Register = ret
}
}
}.Assemble());
}
wtr.Write(new byte[] { 0x5e }); //pop esi
wtr.Write(new byte[] { 0x5f }); //pop edi
wtr.Write(new byte[] { 0x5b }); //pop ebx
wtr.Write(new byte[] { 0xc3 }); //ret
wtr.Write(new byte[((ms.Length + 3) & ~3) - ms.Length]);
}
byte[] codes = ms.ToArray();
Database.AddEntry("Const", "Native", codes);
accessor.Codes.WriteBytes(codes);
accessor.SetCodePosition(accessor.Codebase + (uint)accessor.Codes.Position);
txt.nativeRange.Length = (uint)codes.Length;
}
