public static int?GetFieldValue(MethodDef method, ModuleDefMD module, int argValue, out string fieldName) { fieldName = null; Base.methodsToRemove.Add(method); var insemu = new Emulation(method); insemu.ValueStack.Parameters[method.Parameters[0]] = argValue; insemu.Emulate(); fieldName = insemu.ValueStack.Fields.First().Key.Name; insemu.Emulate(); var value = (int)insemu.ValueStack.Fields.First().Value; return(value); }
private void StepOne(ModuleDefMD module) { var ep = module.EntryPoint; var emulator = new Emulation(ep); emulator.OnCallPrepared += (emulation, args) => { var instr = args.Instruction; Utils.HandleCall(args, emulation); }; emulator.OnInstructionPrepared += (emulation, args) => { if (args.Instruction.OpCode == OpCodes.Ldftn) { emulation.ValueStack.CallStack.Push(null); args.Cancel = true; } }; emulator.Emulate(); if (ModuleBytes == null) { Base.CompressorRemoved = false; return; } Protections.Base.ModuleDef = ModuleDefMD.Load(ModuleBytes); Protections.Base.ModuleDef.EntryPoint = Protections.Base.ModuleDef.ResolveToken(ModuleEp) as MethodDef; Base.CompressorRemoved = true; }
public static object DecryptConstant(MethodDef decryptionMethod, object[] param, byte[] bytes) { Emulation emulator = new Emulation(decryptionMethod); emulator.OnCallPrepared += (emulation, args) => { var instr = args.Instruction; Utils.HandleCall(args, emulation); }; emulator.OnInstructionPrepared += (emulation, args) => { if (args.Instruction.OpCode == OpCodes.Ldsfld) { emulator.ValueStack.CallStack.Push(bytes); args.Cancel = true; } }; foreach (Parameter decryptionMethodParameter in decryptionMethod.Parameters) { emulator.ValueStack.Parameters[decryptionMethodParameter] = param[decryptionMethodParameter.Index]; } emulator.Emulate(); return(emulator.ValueStack.CallStack.Pop()); }
public static byte[] InitaliseBytes(MethodDef methods) { byte[] bytes = null; if (methods == null) { return(bytes); } Emulation emulator = new Emulation(methods); emulator.OnCallPrepared += (emulation, args) => { var instr = args.Instruction; Utils.HandleCall(args, emulation); }; emulator.OnInstructionPrepared += (emulation, args) => { if (args.Instruction.OpCode == OpCodes.Stsfld) { bytes = emulation.ValueStack.CallStack.Pop(); args.Break = true; } }; emulator.Emulate(); return(bytes); }
public static void TamperFields(ModuleDefMD module) { // Console.WriteLine("[!] Finding Field And Its Value"); var cctor = module.GlobalType.FindOrCreateStaticConstructor(); if (cctor.Body.Instructions[0].OpCode == OpCodes.Call && cctor.Body.Instructions[0].Operand.ToString().Contains("Koi")) cctor = (MethodDef)cctor.Body.Instructions[0].Operand; foreach (var t1 in cctor.Body.Instructions) if (t1.OpCode == OpCodes.Call || t1.Operand is MethodDef) { var methodDef = (MethodDef)t1.Operand; if (!methodDef.HasBody) continue; if (methodDef.Body.Instructions[0].OpCode != OpCodes.Call) continue; var methodDef2 = methodDef.Body.Instructions[0].Operand as MethodDef; if (methodDef2 == null) continue; if (!methodDef2.HasBody) continue; if (!methodDef2.Body.Instructions.Where((t, z) => t.IsStloc() && methodDef2.Body.Instructions[z + 1].IsLdcI4()) .Any()) continue; if (ContainsP0(methodDef2)) continue; var insEmu = new Emulation(methodDef2); insEmu.Emulate(); allFields = insEmu.ValueStack.Fields; return; } }
internal static void Cleaner() { var cctor = ModuleDefMD.GlobalType.FindOrCreateStaticConstructor(); if (cctor.Body.Instructions[0].OpCode == OpCodes.Call && cctor.Body.Instructions[0].Operand.ToString().Contains("Koi")) { cctor = (MethodDef)cctor.Body.Instructions[0].Operand; } foreach (Instruction t in cctor.Body.Instructions) { if (t.OpCode == OpCodes.Call && t.Operand is MethodDef) { var methodDef = (MethodDef)t.Operand; if (!methodDef.HasBody) { continue; } if (methodDef.Body.Instructions.Count < 9) { continue; } if (methodDef.Body.Instructions[0].IsLdcI4() && methodDef.Body.Instructions.Count == 9 && methodDef.Body.Instructions[3].OpCode == OpCodes.Ldtoken && methodDef.Body.Instructions[7].OpCode == OpCodes.Stsfld) { var field = methodDef.Body.Instructions[3].Operand as FieldDef; var cflowFieldArray = methodDef.Body.Instructions[7].Operand as FieldDef; var arrrr = field.InitialValue; var tester = IChannelReceiverHook.ParseNumbers(arrrr, methodDef.Body.Instructions[5].GetLdcI4Value()); FieldReplaace(ModuleDefMD, cflowFieldArray, tester); Base.methodsToRemove.Add(methodDef); } else if (methodDef.Body.Instructions[1].IsLdcI4() && methodDef.Body.Instructions.Count == 10 && methodDef.Body.Instructions[4].OpCode == OpCodes.Ldtoken && methodDef.Body.Instructions[8].OpCode == OpCodes.Stsfld) { var field = methodDef.Body.Instructions[4].Operand as FieldDef; var cflowFieldArray = methodDef.Body.Instructions[8].Operand as FieldDef; var arrrr = field.InitialValue; var tester = IChannelReceiverHook.ParseNumbers(arrrr, methodDef.Body.Instructions[6].GetLdcI4Value()); FieldReplaace(ModuleDefMD, cflowFieldArray, tester); if (methodDef.Body.Instructions[0].OpCode == OpCodes.Call) { MethodDef methods2 = (MethodDef)methodDef.Body.Instructions[0].Operand; Emulation emu = new Emulation(methods2); emu.Emulate(); FieldsInFirstCall.allFields = emu.ValueStack.Fields; FieldsInFirstCall.FieldReplacer(ModuleDefMD); FieldsInFirstCall.allFields = null; Base.methodsToRemove.Add(methodDef); } } } } }
public static GCHandle HandleDecryptMethod(Emulation mainEmulation, CallEventArgs mainArgs, MethodDef decryptionMethod) { var decEmulation = new Emulation(decryptionMethod); decEmulation.OnCallPrepared += (emulation, args) => { Utils.HandleCall(args, emulation); }; decEmulation.ValueStack.Parameters[decryptionMethod.Parameters[1]] = (uint) mainEmulation.ValueStack.CallStack.Pop(); decEmulation.ValueStack.Parameters[decryptionMethod.Parameters[0]] = mainEmulation.ValueStack.CallStack.Pop(); decEmulation.Emulate(); return((GCHandle)decEmulation.ValueStack.CallStack.Pop()); }
public override void Deobfuscate() { // Console.WriteLine("[!] Setting Up String Decryption Finding Init Method"); GetMethod = firstStep(ModuleDefMD); Base.methodsToRemove.Add(GetMethod); if (GetMethod == null) { // Console.WriteLine("[!!] Method Not Found Fix This"); return; } // Console.WriteLine("[!] Found String Init Method {0}. Emulating", GetMethod.Name); var insemu = new Emulation(GetMethod); insemu.OnInstructionPrepared = (sender, e) => { if (e.Instruction.OpCode == OpCodes.Castclass) { e.Cancel = true; } }; insemu.OnCallPrepared = (sender, e) => { if (e.Instruction.Operand.ToString() .Contains( "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle") ) { var stack2 = sender.ValueStack.CallStack.Pop(); var stack1 = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Pop(); var fielddef = ModuleDefMD.ResolveToken(stack2) as FieldDef; var test = fielddef.InitialValue; var decoded = new uint[test.Length / 4]; Buffer.BlockCopy(test, 0, decoded, 0, test.Length); stack1 = decoded; sender.ValueStack.CallStack.Push(stack1); e.bypassCall = true; } else if (e.Instruction.Operand is MethodDef && e.Instruction.Operand.ToString().Contains("(System.Byte[])")) { e.endMethod = true; } else { e.AllowCall = false; } }; GC.Collect(); Thread.Sleep(1000); GC.Collect(); insemu.Emulate(); if (GetMethod.Body.Instructions[GetMethod.Body.Instructions.Count - 2].OpCode == OpCodes.Stsfld) { fields = (FieldDef)GetMethod.Body.Instructions[GetMethod.Body.Instructions.Count - 2].Operand; } var aaa = GetMethod.Body.Variables.Where(i => i.Type.FullName.Contains("System.Byte[]")).ToArray(); var byteStackLocal = insemu.ValueStack.Locals[aaa[0].Index]; //Console.WriteLine("[!] Emulation Success Got Array"); if (Protections.Base.NativePacker) { byteStackLocal = P1(byteStackLocal, byteStackLocal.Length); } byte_0 = (byte[])byteStackLocal; return; }
public static void ResolveCalls(ModuleDefMD module) { foreach (DelegateInfo2 info2 in ListedDelegateInfo2s) { MethodDef methods = info2.callingMethodDef; FieldDef fields = info2.fieldDef; int byteVal = info2.byteVal; if (methods.MDToken.ToInt32() == 0x0600000A && byteVal == 9) { } if (EncryptedDelegateMethod(methods)) { continue; } var boolean = module.Metadata.TablesStream.TryReadFieldRow(fields.Rid, out RawFieldRow rw); byte[] data = module.Metadata.BlobStream.Read(rw.Signature); Emulation emu = new Emulation(methods); var mdtoken = 0; if (methods.MDToken.ToInt32() == 100663336 && byteVal == 4) { } emu.ValueStack.Parameters[methods.Parameters[0]] = null; emu.ValueStack.Parameters[methods.Parameters[1]] = (byte)byteVal; emu.OnInstructionPrepared = (sender, e) => { if (e.Instruction.OpCode != OpCodes.Callvirt || !e.Instruction.Operand.ToString() .Contains("System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) { return; } mdtoken = sender.ValueStack.CallStack.Pop(); if (0x806EC032 == (uint)mdtoken) { } e.Break = true; }; emu.OnCallPrepared = (sender, e) => { var ebc = e.Instruction; if (ebc.Operand.ToString().Contains("System.Byte[] System.Reflection.Module::ResolveSignature(System.Int32)")) { sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(data); e.bypassCall = true; } else if (ebc.Operand.ToString().Contains("System.Type[] System.Reflection.FieldInfo::GetOptionalCustomModifiers()")) { sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(new Type[500]); e.bypassCall = true; } else if (ebc.Operand.ToString().Contains("System.Int32 System.Reflection.MemberInfo::get_MetadataToken()")) { sender.ValueStack.CallStack.Pop(); CModOptSig sig = (CModOptSig)fields.FieldSig.Type; int modToken = sig.Modifier.MDToken.ToInt32(); sender.ValueStack.CallStack.Push(modToken); e.bypassCall = true; } else if (ebc.Operand.ToString().Contains("System.String System.Reflection.MemberInfo::get_Name()")) { sender.ValueStack.CallStack.Pop(); string sig = fields.Name; sender.ValueStack.CallStack.Push(sig); e.bypassCall = true; } else if (ebc.Operand.ToString().Contains("System.Char System.String::get_Chars(System.Int32)")) { var one = sender.ValueStack.CallStack.Pop(); var two = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(two[one]); e.bypassCall = true; } else if (ebc.Operand.ToString().Contains("System.Object[] System.Reflection.MemberInfo::GetCustomAttributes(System.Boolean)")) { var one = sender.ValueStack.CallStack.Pop(); var two = sender.ValueStack.CallStack.Pop(); sender.ValueStack.CallStack.Push(new object[500]); e.bypassCall = true; } else if (ebc.Operand.ToString().Contains("System.Int32 System.Object::GetHashCode()")) { var one = sender.ValueStack.CallStack.Pop(); // var two = sender.ValueStack.CallStack.Pop(); TypeDef caType = fields.CustomAttributes[0].AttributeType.ResolveTypeDef(); int caCtorNum = (int)fields.CustomAttributes[0].ConstructorArguments[0].Value; MethodDef meth = First(caType.FindConstructors()); int caKey = MathResolver.GetResult(caCtorNum, meth); sender.ValueStack.CallStack.Push(caKey); e.bypassCall = true; } else { e.AllowCall = false; e.bypassCall = false; } }; emu.Emulate(); info2.mdtoken = (uint)mdtoken; var ins = findInstruction(methods); var ab = fields.Name.String[ins] ^ byteVal; var aa = OpCodes.Call.Value; var v = OpCodes.Callvirt.Value; var t = OpCodes.Newobj.Value; OpCode te; if (ab == aa) { te = OpCodes.Call; } else if (ab == v) { te = OpCodes.Callvirt; } else { te = OpCodes.Newobj; } info2.opcode = te; } }