static void packer() { try { if (Protections.Packer.IsPacked(module)) { Console.WriteLine("[!] Compressor Detected"); try { Protections.Packer.findLocal(); Console.WriteLine("[!] Compressor Removed Successfully"); Console.WriteLine("[!] Now Cleaning The koi Module"); } catch { Console.WriteLine("[!] Compressor Failed To Remove"); } antitamper(); module.EntryPoint = module.ResolveToken(Protections.StaticPacker.epToken) as MethodDef; } } catch { Console.WriteLine("An error in dynamic packer remover happened"); } }
void Initialize(ModuleDefMD module) { var info = module.MetaData.ImageCor20Header.VTableFixups; if (info.VirtualAddress == 0 || info.Size == 0) { this.vtables = ThreadSafeListCreator.Create<VTable>(); return; } this.rva = info.VirtualAddress; this.vtables = ThreadSafeListCreator.Create<VTable>((int)info.Size / 8); var peImage = module.MetaData.PEImage; using (var reader = peImage.CreateFullStream()) { reader.Position = (long)peImage.ToFileOffset(info.VirtualAddress); long endPos = reader.Position + info.Size; while (reader.Position + 8 <= endPos && reader.CanRead(8)) { RVA tableRva = (RVA)reader.ReadUInt32(); int numSlots = reader.ReadUInt16(); var flags = (VTableFlags)reader.ReadUInt16(); var vtable = new VTable(tableRva, flags, numSlots); vtables.Add(vtable); var pos = reader.Position; reader.Position = (long)peImage.ToFileOffset(tableRva); int slotSize = vtable.Is64Bit ? 8 : 4; while (numSlots-- > 0 && reader.CanRead(slotSize)) { vtable.Methods.Add(module.ResolveToken(reader.ReadUInt32()) as IMethod); if (slotSize == 8) reader.ReadUInt32(); } reader.Position = pos; } } }
public PdbConstant[] GetConstants(ModuleDefMD module, GenericParamContext gpContext) { if (constants == null) { return(emptySymbolConstants); } var res = new PdbConstant[constants.Count]; for (int i = 0; i < res.Length; i++) { var info = constants[i]; TypeSig signature; var saSig = module.ResolveToken(info.SignatureToken) as StandAloneSig; var fieldSig = saSig == null ? null : saSig.Signature as FieldSig; if (fieldSig == null) { Debug.Fail("Constant without a signature"); signature = null; } else { signature = fieldSig.Type; } res[i] = new PdbConstant(info.Name, signature, info.Value); } return(res); }
void Restore2() { Logger.n("Restoring CSVM methods"); Logger.Instance.Indent(); var opcodeDetector = GetVmOpCodeHandlerDetector(); var csvmMethods = new CsvmDataReader(resource.Data).Read(); var converter = new CsvmToCilMethodConverter(deobfuscatorContext, module, opcodeDetector); var methodPrinter = new MethodPrinter(); foreach (var csvmMethod in csvmMethods) { var cilMethod = module.ResolveToken(csvmMethod.Token) as MethodDef; if (cilMethod == null) { throw new ApplicationException(string.Format("Could not find method {0:X8}", csvmMethod.Token)); } converter.Convert(cilMethod, csvmMethod); Logger.v("Restored method {0:X8}", cilMethod.MDToken.ToInt32()); PrintMethod(methodPrinter, cilMethod); } Logger.Instance.DeIndent(); Logger.n("Restored {0} CSVM methods", csvmMethods.Count); }
IMethod ReResolve(IMethod method, GenericParamContext gpContext) { if (method.IsMethodSpec || method.IsMemberRef) { method = module.ResolveToken(method.MDToken.Raw, gpContext) as IMethod ?? method; } return(method); }
void Decrypt(IBinaryReader reader, int delegateTypeToken, ISimpleDeobfuscator simpleDeobfuscator) { var delegateType = module.ResolveToken(delegateTypeToken) as TypeDef; if (delegateType == null) { throw new ApplicationException("Couldn't find delegate type"); } int delToken, encMethToken, encDeclToken; if (!GetTokens(delegateType, out delToken, out encMethToken, out encDeclToken)) { throw new ApplicationException("Could not find encrypted method tokens"); } if (delToken != delegateTypeToken) { throw new ApplicationException("Invalid delegate type token"); } var encType = module.ResolveToken(encDeclToken) as ITypeDefOrRef; if (encType == null) { throw new ApplicationException("Invalid declaring type token"); } var encMethod = module.ResolveToken(encMethToken) as MethodDef; if (encMethod == null) { throw new ApplicationException("Invalid encrypted method token"); } var bodyReader = new MethodBodyReader(module, reader); bodyReader.Read(encMethod); bodyReader.RestoreMethod(encMethod); Logger.v("Restored method {0} ({1:X8}). Instrs:{2}, Locals:{3}, Exceptions:{4}", Utils.RemoveNewlines(encMethod.FullName), encMethod.MDToken.ToInt32(), encMethod.Body.Instructions.Count, encMethod.Body.Variables.Count, encMethod.Body.ExceptionHandlers.Count); delegateTypes.Add(delegateType); simpleDeobfuscator.MethodModified(encMethod); }
static void packer() { if (Protections.Packer.IsPacked(module)) { Console.WriteLine("[!] Compressor Dynamico Detectado"); try { Protections.Packer.findLocal(); Console.WriteLine("[!] Compressor Removido"); } catch { Console.WriteLine("[!] Compressor Erro ao Remover"); } antitamper(); module.EntryPoint = module.ResolveToken(Protections.StaticPacker.epToken) as MethodDef; } }
public void reloaded() { foreach (var pair in tokenToNativeMethod) { int token = (int)pair.Key; var method = module.ResolveToken(token) as MethodDef; if (method == null) throw new ApplicationException(string.Format("Could not find method {0:X8}", token)); methodToNativeMethod[method] = pair.Value; } tokenToNativeMethod = null; }
private static string DecryptSting(MethodSpec decryptionMethod, uint uintVal, object arrayVal) { Base.methodsToRemove.Add(decryptionMethod); MethodDef resolvedDef = decryptionMethod.ResolveMethodDef(); CawkEmulatorV4.Emulation emulationD = new CawkEmulatorV4.Emulation(resolvedDef); emulationD.ValueStack.Fields[ModuleDefMD.ResolveToken(Strings.Initalise.DecryptInitialByteArray.fields.MDToken.ToInt32()) as FieldDef] = Strings.Initalise.DecryptInitialByteArray.byte_0; File.WriteAllBytes("Method.bin", methodBytes); if (FieldValueGrabber.value != null) { emulationD.ValueStack.Fields[ ModuleDefMD.ResolveToken(FieldValueGrabber.value.Item1.MDToken.ToInt32()) as FieldDef] = (int) FieldValueGrabber.value.Item2; } emulationD.ValueStack.Parameters[resolvedDef.Parameters[0]] = uintVal; emulationD.ValueStack.Parameters[resolvedDef.Parameters[1]] = arrayVal; emulationD.OnCallPrepared = (sender, e) => { HandleCall(sender, e); }; emulationD.OnInstructionPrepared += (emulation, args) => { if (args.Instruction.OpCode == OpCodes.Isinst) { dynamic value = emulation.ValueStack.CallStack.Pop(); TypeRef instrType = args.Instruction.Operand as TypeRef; dynamic name = value.GetType().Name; if (instrType.FullName.Contains(name)) { emulation.ValueStack.CallStack.Push(1); } else { emulation.ValueStack.CallStack.Push(null); } args.Cancel = true; } else if (args.Instruction.OpCode == OpCodes.Castclass) { dynamic abc = emulation.ValueStack.CallStack.Pop(); if (abc is int[]) { emulation.ValueStack.CallStack.Push((int[])abc); args.Cancel = true; } if (args.Instruction.Operand.ToString().Contains("Assembly")) { emulation.ValueStack.CallStack.Push(null); args.Cancel = true; } } }; emulationD.Emulate(); return((string)emulationD.ValueStack.CallStack.Pop()); }
static void AddToken(this IList <short> instrs, ModuleDefMD module, uint token) { if (module == null || module.ResolveToken(token) == null) { instrs.AddUnknownInt32(); } else { instrs.AddInt32(unchecked ((int)token)); } }
public override IDeobfuscator ModuleReloaded(ModuleDefMD module) { if (module.Assembly != null) { realAssemblyInfo = null; } if (realAssemblyInfo != null) { realAssemblyInfo.realAssembly.Modules.Insert(0, module); if (realAssemblyInfo.entryPointToken != 0) { module.EntryPoint = module.ResolveToken((int)realAssemblyInfo.entryPointToken) as MethodDef; } module.Kind = realAssemblyInfo.kind; module.Name = new UTF8String(realAssemblyInfo.moduleName); } var newOne = new Deobfuscator(options); DeobfuscatedFile.SetDeobfuscator(newOne); newOne.realAssemblyInfo = realAssemblyInfo; newOne.decryptState = decryptState; newOne.DeobfuscatedFile = DeobfuscatedFile; newOne.ModuleBytes = ModuleBytes; newOne.embeddedAssemblyInfos.AddRange(embeddedAssemblyInfos); newOne.SetModule(module); newOne.RemoveObfuscatorAttribute(); newOne.jitMethodsDecrypter = hasUnpacked ? new JitMethodsDecrypter(module, DeobfuscatedFile) : new JitMethodsDecrypter(module, DeobfuscatedFile, jitMethodsDecrypter); if ((newOne.decryptState & DecryptState.CanDecryptMethods) != 0) { try { newOne.jitMethodsDecrypter.Find(); } catch { } if (newOne.jitMethodsDecrypter.Detected) { return(newOne); } } newOne.memoryMethodsDecrypter = hasUnpacked ? new MemoryMethodsDecrypter(module, DeobfuscatedFile) : new MemoryMethodsDecrypter(module, DeobfuscatedFile, memoryMethodsDecrypter); if ((newOne.decryptState & DecryptState.CanDecryptMethods) != 0) { newOne.memoryMethodsDecrypter.Find(); if (newOne.memoryMethodsDecrypter.Detected) { return(newOne); } } newOne.InitializeTheRest(this); return(newOne); }
/// <summary> /// Constructor /// </summary> /// <param name="reader">A <see cref="ISymbolReader"/> instance</param> /// <param name="module">Owner module</param> public PdbState(ISymbolReader reader, ModuleDefMD module) { if (reader == null) throw new ArgumentNullException("reader"); if (module == null) throw new ArgumentNullException("module"); this.reader = reader; this.userEntryPoint = module.ResolveToken(reader.UserEntryPoint.GetToken()) as MethodDef; foreach (var doc in reader.GetDocuments()) Add_NoLock(new PdbDocument(doc)); }
public static T Lookup <T>(ModuleDefMD module, T def, string errorMessage) where T : class, ICodedToken { if (def == null) { return(null); } var newDef = module.ResolveToken(def.MDToken.Raw) as T; if (newDef == null) { throw new ApplicationException(errorMessage); } return(newDef); }
public void Reloaded() { foreach (var pair in tokenToNativeMethod) { int token = (int)pair.Key; var method = module.ResolveToken(token) as MethodDef; if (method == null) { throw new ApplicationException($"Could not find method {token:X8}"); } methodToNativeMethod[method] = pair.Value; } tokenToNativeMethod = null; }
public void Deobfuscate(Blocks blocks) { if (type == null) { return; } var gpContext = GenericParamContext.Create(blocks.Method); foreach (var block in blocks.MethodBlocks.GetAllBlocks()) { var instrs = block.Instructions; for (int i = 0; i < instrs.Count - 1; i++) { var instr = instrs[i]; if (instr.OpCode.Code != Code.Ldc_I4) { continue; } var call = instrs[i + 1]; if (call.OpCode.Code != Code.Call) { continue; } var method = call.Operand as IMethod; if (method == null) { continue; } if (!new SigComparer().Equals(type, method.DeclaringType)) { continue; } var methodDef = DotNetUtils.GetMethod(module, method); if (methodDef == null) { continue; } if (methodDef != typeMethod && methodDef != fieldMethod) { continue; } uint token = (uint)(int)instrs[i].Operand; instrs[i] = new Instr(OpCodes.Nop.ToInstruction()); instrs[i + 1] = new Instr(new Instruction(OpCodes.Ldtoken, module.ResolveToken(token, gpContext) as ITokenOperand)); } } }
private void PatchCallingAssemblyCheck(ModuleDefMD module, uint mdToken) { MethodDef method = (MethodDef)module.ResolveToken(mdToken); for (int i = 0; i < method.Body.Instructions.Count - 1; i++) { if (method.Body.Instructions[i].OpCode.Code == Code.Call && method.Body.Instructions[i + 1].OpCode.Code == Code.Call && ((MemberRef)method.Body.Instructions[i].Operand).Name == "GetExecutingAssembly") { method.Body.Instructions[i + 1].Operand = method.Body.Instructions[i].Operand; break; } } }
/// <summary> /// Constructor /// </summary> /// <param name="reader">A <see cref="ISymbolReader"/> instance</param> /// <param name="module">Owner module</param> public PdbState(ISymbolReader reader, ModuleDefMD module) { if (reader == null) { throw new ArgumentNullException("reader"); } if (module == null) { throw new ArgumentNullException("module"); } this.reader = reader; this.userEntryPoint = module.ResolveToken(reader.UserEntryPoint.GetToken()) as MethodDef; foreach (var doc in reader.GetDocuments()) { Add_NoLock(new PdbDocument(doc)); } }
public static byte[] tester(MethodDef methodDef, ModuleDefMD updated) { var streamFull = updated.Metadata.PEImage.CreateReader(); var upated = (updated.ResolveToken(methodDef.MDToken.ToInt32()) as MethodDef); var offset = updated.Metadata.PEImage.ToFileOffset(upated.RVA); streamFull.Position = (uint)offset; byte b = streamFull.ReadByte(); ushort flags; byte headerSize; ushort maxStack; uint codeSize = 0; switch (b & 7) { case 2: case 6: flags = 2; maxStack = 8; codeSize = (uint)(b >> 2); headerSize = 1; break; case 3: flags = (ushort)((streamFull.ReadByte() << 8) | b); headerSize = (byte)(flags >> 12); maxStack = streamFull.ReadUInt16(); codeSize = streamFull.ReadUInt32(); break; } if (codeSize != 0) { byte[] il_byte = new byte[codeSize]; streamFull.Position = (uint)offset + upated.Body.HeaderSize; streamFull.ReadBytes(il_byte, 0, il_byte.Length); return(il_byte); } return(null); }
/// <summary> /// Constructor /// </summary> /// <param name="reader">A <see cref="SymbolReader"/> instance</param> /// <param name="module">Owner module</param> public PdbState(SymbolReader reader, ModuleDefMD module) { if (reader == null) { throw new ArgumentNullException("reader"); } if (module == null) { throw new ArgumentNullException("module"); } this.reader = reader; reader.Initialize(module); PdbFileKind = reader.PdbFileKind; this.compiler = CalculateCompiler(module); this.userEntryPoint = module.ResolveToken(reader.UserEntryPoint) as MethodDef; foreach (var doc in reader.Documents) { Add_NoLock(new PdbDocument(doc)); } }
public override void Deobfuscate() { // Console.WriteLine("[!] Setting Up String Decryption Finding Init Method"); GetMethod = firstStep(ModuleDefMD); Base.methodsToRemove.Add(GetMethod); if (GetMethod == null) { // Console.WriteLine("[!!] Method Not Found Fix This"); return; } // Console.WriteLine("[!] Found String Init Method {0}. Emulating", GetMethod.Name); var insemu = new Emulation(GetMethod); insemu.OnInstructionPrepared = (sender, e) => { if (e.Instruction.OpCode == OpCodes.Castclass) { e.Cancel = true; } }; insemu.OnCallPrepared = (sender, e) => { if (e.Instruction.Operand.ToString() .Contains( "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle") ) { var stack2 = sender.ValueStack.CallStack.Pop(); var stack1 = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Pop(); var fielddef = ModuleDefMD.ResolveToken(stack2) as FieldDef; var test = fielddef.InitialValue; var decoded = new uint[test.Length / 4]; Buffer.BlockCopy(test, 0, decoded, 0, test.Length); stack1 = decoded; sender.ValueStack.CallStack.Push(stack1); e.bypassCall = true; } else if (e.Instruction.Operand is MethodDef && e.Instruction.Operand.ToString().Contains("(System.Byte[])")) { e.endMethod = true; } else { e.AllowCall = false; } }; GC.Collect(); Thread.Sleep(1000); GC.Collect(); insemu.Emulate(); if (GetMethod.Body.Instructions[GetMethod.Body.Instructions.Count - 2].OpCode == OpCodes.Stsfld) { fields = (FieldDef)GetMethod.Body.Instructions[GetMethod.Body.Instructions.Count - 2].Operand; } var aaa = GetMethod.Body.Variables.Where(i => i.Type.FullName.Contains("System.Byte[]")).ToArray(); var byteStackLocal = insemu.ValueStack.Locals[aaa[0].Index]; //Console.WriteLine("[!] Emulation Success Got Array"); if (Protections.Base.NativePacker) { byteStackLocal = P1(byteStackLocal, byteStackLocal.Length); } byte_0 = (byte[])byteStackLocal; return; }
T Resolve <T>(int token) { return((T)module.ResolveToken(token)); }
T Resolve <T>(int token) { return((T)module.ResolveToken(token, gpContext)); }
private bool checkBlocks() { bool isError = false; string logInfo = ""; var blocksToFind = new List <List <string> >(); var blocksToReplace = new List <List <string> >(); foreach (var block in Regex.Split(inputFindText, @"^={3,}", RegexOptions.Multiline)) { var instrs = block.Split(new[] { "\r\n", "\r", "\n" }, StringSplitOptions.RemoveEmptyEntries).ToList(); blocksToFind.Add(instrs); } foreach (var block in Regex.Split(inputReplaceText, @"^={3,}", RegexOptions.Multiline)) { var instrs = block.Split(new[] { "\r\n", "\r", "\n" }, StringSplitOptions.RemoveEmptyEntries).ToList(); blocksToReplace.Add(instrs); } if (blocksToFind.Count != blocksToReplace.Count) { MessageBox.Show( string.Format("Size of Blocks Find and Replace not Match\r\nBlocks Find: {0}\r\nBlocks Replace: {1}", blocksToFind.Count, blocksToReplace.Count), "Blocks Error!", MessageBoxButtons.OK, MessageBoxIcon.Error); isError = true; } if (!isError) { for (int i = 0; i < blocksToFind.Count; i++) { if (blocksToFind[i].Count != blocksToReplace[i].Count) { logInfo += string.Format( "Error, Block {0} has different size\r\nFind ({1}):\r\n{2}\r\n\r\nReplace ({3}):\r\n{4}\r\n{5}\r\n", i + 1, blocksToFind[i].Count, string.Join("\r\n", blocksToFind[i].ToArray()), blocksToReplace[i].Count, string.Join("\r\n", blocksToReplace[i].ToArray()), "================================================"); isError = true; } } } try { module = ModuleDefMD.Load(moduleName); } catch { writeStatus(string.Format("Error Loading \"{0}\" Maybe not .NET Executable", Path.GetFileName(moduleName))); isError = true; } if (!isError) { for (int i = 0; i < blocksToFind.Count; i++) { var block = blocksToFind[i]; var instructions = new List <Instruction>(); for (int j = 0; j < block.Count; j++) { var line = block[j]; OpCode opCode = null; Instruction instr = new Instruction(); string[] toInstr = line.Trim().Split(new char[] { ' ', '\t' }, 2); if (toInstr.Length > 0) { opCode = GetOpCodeFromString(toInstr[0]); } if (opCode != null) { instr.OpCode = opCode; if (toInstr.Length == 2) { instr.Operand = toInstr[1].Trim().Trim('"'); } instructions.Add(instr); } else { logInfo += string.Format( "\"{0}\" is not valid OpCode, Block Find {1} Line {2}\r\n{3}", toInstr[0], i + 1, j + 1, line); isError = true; } } BlocksFind.Add(instructions); } } if (!isError) { for (int i = 0; i < blocksToReplace.Count; i++) { var block = blocksToReplace[i]; var instructions = new List <Instruction>(); for (int j = 0; j < block.Count; j++) { var line = block[j]; OpCode opCode = null; Instruction instr = new Instruction(); string[] toInstr = line.Trim().Split(new char[] { ' ', '\t' }, 2); if (toInstr[0].Trim() == "=") { instr.Operand = "="; instructions.Add(instr); continue; } opCode = GetOpCodeFromString(toInstr[0]); if (opCode != null) { instr.OpCode = opCode; if (toInstr.Length == 2) { if (opCode == OpCodes.Call) { string mdtoken = toInstr[1].Trim().ToUpper(); if (mdtoken == "" || !Regex.IsMatch(mdtoken, @"^(0[Xx])?[A-F0-9]{8}$")) { isError = true; } else { uint rid = uint.Parse(mdtoken.ToUpper().Replace("0X", ""), System.Globalization.NumberStyles.HexNumber); var isMethod = module.ResolveToken(rid); if (isMethod == null) { isError = true; } instr.Operand = rid; } if (isError) { logInfo += string.Format( "\"{0}\" is invalid Operand/MDToken for \"Call\", Block Replace {1} Line {2}\r\n{3}\r\n{4}\r\n", mdtoken, i + 1, j + 1, "The value Should be Hex or MDToken like 06000001 or 0x06000001", line); } } else { instr.Operand = toInstr[1].Trim().Trim('"'); } } instructions.Add(instr); } else { logInfo += string.Format( "\"{0}\" is not valid OpCode, Block Replace {1} Line {2}\r\n{3}", toInstr[0], i + 1, j + 1, line); isError = true; } } BlocksReplace.Add(instructions); } } if (isError) { if (logInfo != "") { showFormLog(logInfo); } enableControl(true); isRunning = false; if (module != null) { module.Dispose(); } return(false); } return(true); }
private void ReplaceInstructions() { string currentBlockNum = ""; foreach (var type in module.GetTypes()) { foreach (var method in type.Methods) { bool isNewMethod = true; if (!method.HasBody) { continue; } var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { // start replace for (int B = 0; B < BlocksFind.Count; B++) { bool isMatched = false; int j = i; var blockFind = BlocksFind[B]; // check for (int k = 0; k < blockFind.Count; k++) { if (instrs[j].OpCode == blockFind[k].OpCode) { if (blockFind[k].OpCode == OpCodes.Call) { if (instrs[j].Operand == null) { isMatched = false; } else { if (instrs[j].Operand.ToString().Contains(blockFind[k].Operand.ToString())) { isMatched = true; } else { isMatched = false; } } } else if (blockFind[k].Operand != null) { if (instrs[j].Operand.ToString().Contains(blockFind[k].Operand.ToString())) { isMatched = true; } else { isMatched = false; } } else { isMatched = true; } } else { isMatched = false; break; } j++; } if (isMatched) { if (isNewMethod) { isNewMethod = false; EditedMethodsCount++; logInfo += string.Format( "==========================================\r\nMethod: {0} || MDToken: 0x06{1:X6}\r\n", method.FullName, method.MDToken.Rid); currentBlockNum = ""; } if (currentBlockNum != (B + 1).ToString()) { currentBlockNum = (B + 1).ToString(); logInfo += string.Format("\r\nBlock Find and Replace: {0}\r\n", (B + 1)); } // Do replace j = i; for (int k = 0; k < blockFind.Count; k++) { var newOperand = BlocksReplace[B][k].Operand; if (newOperand.ToString() == "=") { logInfo += string.Format("#{0} --> {1} {2} ==> No Change\r\n", j, instrs[j].OpCode, instrs[j].Operand, BlocksReplace[B][k].OpCode, newOperand); } else { if (BlocksReplace[B][k].OpCode == OpCodes.Call) { newOperand = module.ResolveToken((uint)BlocksReplace[B][k].Operand); } logInfo += string.Format("#{0} --> {1} {2} ==> {3} {4}\r\n", j, instrs[j].OpCode, instrs[j].Operand, BlocksReplace[B][k].OpCode, newOperand); method.Body.Instructions[j].OpCode = BlocksReplace[B][k].OpCode; method.Body.Instructions[j].Operand = newOperand; } j++; } ReplacedBlocks++; // set method.Body.Instructions loop position i = j; } } } } } }
public static void HandleCall(Emulation sender, CallEventArgs e) { object instruction = e.Instruction.Operand; if (instruction.ToString().Contains("System.Void System.Diagnostics.StackTrace::.ctor()")) { sender.ValueStack.CallStack.Push(1); e.bypassCall = true; } else if (instruction.ToString().Contains("System.Diagnostics.StackFrame System.Diagnostics.StackTrace::GetFrame(System.Int32)")) { dynamic call = sender.ValueStack.CallStack.Pop(); dynamic ldc = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(1); e.bypassCall = true; } else if (e.Instruction.Operand.ToString().Contains("System.String System.String::Intern(System.String)")) { dynamic abc = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(string.Intern(abc)); e.bypassCall = true; } else if (instruction.ToString().Contains("System.Reflection.MethodBase System.Diagnostics.StackFrame::GetMethod()")) { dynamic call = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(1); e.bypassCall = true; } else if (instruction.ToString().Contains("System.Reflection.MethodBody System.Reflection.MethodBase::GetMethodBody()")) { dynamic call = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(1); e.bypassCall = true; } else if (instruction.ToString().Contains("System.Byte[] System.Reflection.MethodBody::GetILAsByteArray()")) { sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(methodBytes); e.bypassCall = true; } else if (instruction.ToString().Contains("System.Text.Encoding System.Text.Encoding::get_UTF8()")) { sender.ValueStack.CallStack.Push(Encoding.UTF8); e.bypassCall = true; } else if (e.Instruction.Operand.ToString().Contains("System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) { dynamic abc = sender.ValueStack.CallStack.Pop(); dynamic def = sender.ValueStack.CallStack.Pop(); dynamic ghi = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(Encoding.UTF8.GetString(ghi, (int)def, (int)abc)); e.bypassCall = true; } else if (instruction.ToString().Contains("System.String System.Reflection.MemberInfo::get_Name()")) { sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(methodName); e.bypassCall = true; } else if (e.Instruction.Operand.ToString().Contains("System.Byte[] System.Text.Encoding::GetBytes(System.String)")) { dynamic abc = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(Encoding.UTF8.GetBytes(abc)); e.bypassCall = true; } else if (e.Instruction.Operand.ToString().Contains("System.Type System.Object::GetType()")) { dynamic abc = sender.ValueStack.CallStack.Pop(); // sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(abc.GetType()); e.bypassCall = true; } else if (instruction.ToString().Contains("System.Boolean System.String::op_Equality(System.String,System.String)")) { dynamic one = sender.ValueStack.CallStack.Pop(); dynamic two = sender.ValueStack.CallStack.Pop(); dynamic boole = one == two; sender.ValueStack.CallStack.Push(boole); e.bypassCall = true; } else if (instruction.ToString().Contains("System.Boolean System.String::op_Inequality(System.String,System.String)")) { dynamic one = sender.ValueStack.CallStack.Pop(); dynamic two = sender.ValueStack.CallStack.Pop(); dynamic boole = one != two; sender.ValueStack.CallStack.Push(boole); e.bypassCall = true; } else if (instruction.ToString().Contains("System.Reflection.Assembly System.Reflection.Assembly::GetCallingAssembly()")) { sender.ValueStack.CallStack.Push(1); e.bypassCall = true; } else if (instruction.ToString().Contains("System.String System.Reflection.Assembly::get_FullName()")) { sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(ModuleDefMD.FullName); e.bypassCall = true; } else if (instruction.ToString().Contains("System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()")) { sender.ValueStack.CallStack.Push(1); e.bypassCall = true; } else if (instruction.ToString() .Contains("System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle")) { dynamic stack = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(typeof(string).GetType()); e.bypassCall = true; } else if (instruction.ToString().Contains("System.Object System.Reflection.MethodBase::Invoke")) { sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(1); e.bypassCall = true; } else if (instruction is MethodDef && ((MethodDef)instruction).IsNative) { dynamic value = sender.ValueStack.CallStack.Pop(); MethodDef methodsss = (MethodDef)instruction; dnlib.IO.FileOffset offset = ModuleDefMD.Metadata.PEImage.ToFileOffset(methodsss.RVA); uint abc = (uint)Test(File.ReadAllBytes(Program.Path), (ulong)offset, (uint)value); sender.ValueStack.CallStack.Push((int)abc); e.bypassCall = true; } else if (e.Instruction.Operand.ToString() .Contains( "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle") ) { dynamic stack2 = sender.ValueStack.CallStack.Pop(); dynamic stack1 = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Pop(); FieldDef fielddef = ModuleDefMD.ResolveToken(stack2) as FieldDef; byte[] test = fielddef.InitialValue; uint[] decoded = new uint[test.Length / 4]; Buffer.BlockCopy(test, 0, decoded, 0, test.Length); stack1 = decoded; sender.ValueStack.CallStack.Push(stack1); e.bypassCall = true; } }
TypeSig ReadTypeRef(BinaryReader reader, GenericParamContext gpContext) { var etype = (ElementType)reader.ReadInt32(); switch (etype) { case ElementType.Void: return(module.CorLibTypes.Void); case ElementType.Boolean: return(module.CorLibTypes.Boolean); case ElementType.Char: return(module.CorLibTypes.Char); case ElementType.I1: return(module.CorLibTypes.SByte); case ElementType.U1: return(module.CorLibTypes.Byte); case ElementType.I2: return(module.CorLibTypes.Int16); case ElementType.U2: return(module.CorLibTypes.UInt16); case ElementType.I4: return(module.CorLibTypes.Int32); case ElementType.U4: return(module.CorLibTypes.UInt32); case ElementType.I8: return(module.CorLibTypes.Int64); case ElementType.U8: return(module.CorLibTypes.UInt64); case ElementType.R4: return(module.CorLibTypes.Single); case ElementType.R8: return(module.CorLibTypes.Double); case ElementType.String: return(module.CorLibTypes.String); case ElementType.TypedByRef: return(module.CorLibTypes.TypedReference); case ElementType.I: return(module.CorLibTypes.IntPtr); case ElementType.U: return(module.CorLibTypes.UIntPtr); case ElementType.Object: return(module.CorLibTypes.Object); case ElementType.ValueType: case ElementType.Var: case ElementType.MVar: return((module.ResolveToken(reader.ReadUInt32(), gpContext) as ITypeDefOrRef).ToTypeSig()); case ElementType.GenericInst: etype = (ElementType)reader.ReadInt32(); if (etype == ElementType.ValueType) { return((module.ResolveToken(reader.ReadUInt32(), gpContext) as ITypeDefOrRef).ToTypeSig()); } // ElementType.Class return(module.CorLibTypes.Object); case ElementType.Ptr: case ElementType.Class: case ElementType.Array: case ElementType.FnPtr: case ElementType.SZArray: case ElementType.ByRef: case ElementType.CModReqd: case ElementType.CModOpt: case ElementType.Internal: case ElementType.Sentinel: case ElementType.Pinned: default: return(module.CorLibTypes.Object); } }
public static dnlib.DotNet.Emit.Instruction CreateInstr(Instruction instr, MethodDef meth) { switch (instr.Code) { case OpCode.Add: Stack.Pop(); Stack.Pop(); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Add)); case OpCode.Call: Tuple <short, int, bool> tuple = (Tuple <short, int, bool>)instr.Operand; ModuleDefMD str = ModuleDefMD.Load(GetReference(tuple.Item1)); IMethod meh = (IMethod)str.ResolveToken((uint)tuple.Item2); module.Import(meh); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Call, module.Import(meh))); case OpCode.Cgt: Stack.Pop(); Stack.Pop(); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Cgt)); case OpCode.Clt: Stack.Pop(); Stack.Pop(); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Clt)); // case OpCode.Cmp: // return dnlib.DotNet.Emit.Instruction.Create(OpCodes.C); case OpCode.Div: Stack.Pop(); Stack.Pop(); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Div)); case OpCode.Dup: object value = Stack.Pop(); Stack.Push(value); Stack.Push(value); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Dup)); case OpCode.Jf: Stack.Pop(); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Ldstr, string.Format("BrFalse|{0}", meth.Body.Instructions[(int)instr.Operand]))); case OpCode.Jmp: return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Ldstr, string.Format("Br|{0}", meth.Body.Instructions[(int)instr.Operand]))); case OpCode.Jt: Stack.Pop(); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Ldstr, string.Format("BrTrue|{0}", meth.Body.Instructions[(int)instr.Operand]))); case OpCode.Int32: Stack.Push((int)instr.Operand); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Ldc_I4, (int)instr.Operand)); case OpCode.Ldarg: //A fix Stack.Push(meth.Parameters[(int)((short)instr.Operand)]); return(dnlib.DotNet.Emit.Instruction.Create(ldarg(Convert.ToInt32(instr.Operand)))); case OpCode.Ldfld: Stack.Pop(); int item2 = ((Tuple <short, int>)instr.Operand).Item2; FieldDef fld = module.ResolveField((uint)item2); Stack.Push(fld.InitialValue); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Ldfld, fld)); case OpCode.Ldloc: //A fix Local l = meth.Body.Variables[(short)instr.Operand]; Stack.Push(l); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Ldloc, l)); case OpCode.Mul: return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Mul)); case OpCode.Int64: Stack.Push((int)instr.Operand); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Ldc_I8, (long)instr.Operand)); case OpCode.Newarr: Stack.Pop(); Tuple <short, int> tuple3 = (Tuple <short, int>)instr.Operand; Stack.Push(module.ResolveTypeDef((uint)tuple3.Item2)); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Newarr, module.ResolveTypeDef((uint)tuple3.Item2))); case OpCode.Null: return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Nop)); case OpCode.Pop: Stack.Pop(); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Pop)); case OpCode.Ret: return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Ret)); case OpCode.Stfld: Stack.Pop(); int item22 = ((Tuple <short, int>)instr.Operand).Item2; return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Stfld, module.ResolveField((uint)item22))); case OpCode.Stloc: var loc = Stack.Pop(); Local ll = meth.Body.Variables.Add(new Local(module.Import(loc.GetType()).ToTypeSig())); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Stloc, ll)); case OpCode.String: Stack.Push((string)instr.Operand); return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Ldstr, (string)instr.Operand)); default: return(dnlib.DotNet.Emit.Instruction.Create(OpCodes.Nop)); } }
protected override IField ReadInlineField(Instruction instr) { return(module.ResolveToken(reader.ReadUInt32(), gpContext) as IField); }
public static void delegateReplacer(ModuleDefMD module) { int amoiunt = 0; foreach (TypeDef types in module.GetTypes()) { foreach (MethodDef methods in types.Methods) { if (!methods.HasBody) { continue; } for (int i = 0; i < methods.Body.Instructions.Count; i++) { Instruction inst = methods.Body.Instructions[i]; if (inst.OpCode == OpCodes.Call && inst.Operand is MethodDef) { var mtd = (MethodDef)inst.Operand; if (mtd.Name != "Invoke") { continue; } // Get ldsfld above int x = i; while (x >= 0) { Instruction xInst = methods.Body.Instructions[x]; if (xInst.OpCode == OpCodes.Ldsfld && xInst.Operand is FieldDef) { FieldDef fd = (FieldDef)xInst.Operand; if (fd.FieldSig.Type.IsOptionalModifier) { break; } } x--; } if (x < 0) { continue; } FieldDef fie = (FieldDef)methods.Body.Instructions[x].Operand; foreach (DelegateInfo2 delegateInfo in ListedDelegateInfo2s) { if (delegateInfo.fieldDef == fie) { var abc = module.ResolveToken(delegateInfo.mdtoken); if (abc != null) { methods.Body.Instructions[i].OpCode = delegateInfo.opcode; methods.Body.Instructions[i].Operand = abc; methods.Body.Instructions[x].OpCode = OpCodes.Nop; amoiunt++; } break; } } } } } } }