public MSILDisassembler(MethodBody body) { MethodBody = body; Section section = Section.GetSectionByRva(body.Method.netheader.assembly, body.Method.RVA); ilOffset = new OffsetConverter(section).RvaToFileOffset(body.Method.RVA) + (uint)body.HeaderSize; image = section.ParentAssembly.peImage; tokenresolver = new MetaDataTokenResolver(body.Method.netheader); }
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) { fileData = DeobUtils.readModule(module); peImage = new PE.PeImage(fileData); if (!options.DecryptMethods) return false; if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods)) return false; newFileData = fileData; return true; }
public DecrypterBase(PE.PeImage peImage, CodeHeader codeHeader) { this.peImage = peImage; this.codeHeader = codeHeader; endOfMetadata = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size); }
public bool decrypt(PE.PeImage peImage, ref Dictionary<uint, DumpedMethod> dumpedMethods) { this.peImage = peImage; uint offset = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size); if (!readCodeHeader(offset)) return false; var metadataTables = peImage.Cor20Header.createMetadataTables(); var methodDefTable = metadataTables.getMetadataType(PE.MetadataIndex.iMethodDef); if (methodDefTable.totalSize != codeHeader.methodDefElemSize) return false; var methodInfos = getMethodInfos(offset + 0x30 + codeHeader.totalCodeSize); offset = methodDefTable.fileOffset - methodDefTable.totalSize; foreach (var methodInfo in methodInfos) { offset += methodDefTable.totalSize; if (methodInfo.flags == 0 || methodInfo.localVarSigTok == 0) continue; uint rva = peImage.offsetReadUInt32(offset); peImage.writeUint16(rva, (ushort)methodInfo.flags); peImage.writeUint32(rva + 8, methodInfo.localVarSigTok); } dumpedMethods = new Dictionary<uint, DumpedMethod>(); offset = methodDefTable.fileOffset; for (int i = 0; i < methodInfos.Count; i++, offset += methodDefTable.totalSize) { var methodInfo = methodInfos[i]; if (methodInfo.codeOffs == 0) continue; var dm = new DumpedMethod(); dm.token = 0x06000001 + (uint)i; uint rva = peImage.offsetReadUInt32(offset); dm.mdImplFlags = peImage.offsetReadUInt16(offset + (uint)methodDefTable.fields[1].offset); dm.mdFlags = peImage.offsetReadUInt16(offset + (uint)methodDefTable.fields[2].offset); dm.mdName = peImage.offsetRead(offset + (uint)methodDefTable.fields[3].offset, methodDefTable.fields[3].size); dm.mdSignature = peImage.offsetRead(offset + (uint)methodDefTable.fields[4].offset, methodDefTable.fields[4].size); dm.mdParamList = peImage.offsetRead(offset + (uint)methodDefTable.fields[5].offset, methodDefTable.fields[5].size); dm.code = decrypter.decrypt(methodInfo); if ((peImage.readByte(rva) & 3) == 2) { dm.mhFlags = 2; dm.mhMaxStack = 8; dm.mhCodeSize = (uint)dm.code.Length; dm.mhLocalVarSigTok = 0; } else { dm.mhFlags = peImage.readUInt16(rva); dm.mhMaxStack = peImage.readUInt16(rva + 2); dm.mhCodeSize = (uint)dm.code.Length; dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8); } dumpedMethods[dm.token] = dm; } return true; }
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) { if (!options.DecryptMethods) return false; byte[] fileData = DeobUtils.readModule(module); var peImage = new PE.PeImage(fileData); if (!new MethodsDecrypter().decrypt(peImage, ref dumpedMethods)) { Log.v("Methods aren't encrypted or invalid signature"); return false; } newFileData = fileData; return true; }