public MSILDisassembler(MethodBody body)
{
MethodBody = body;
Section section = Section.GetSectionByRva(body.Method.netheader.assembly, body.Method.RVA);
ilOffset = new OffsetConverter(section).RvaToFileOffset(body.Method.RVA) + (uint)body.HeaderSize;
image = section.ParentAssembly.peImage;
tokenresolver = new MetaDataTokenResolver(body.Method.netheader);
}
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods)
{
fileData = DeobUtils.readModule(module);
peImage = new PE.PeImage(fileData);
if (!options.DecryptMethods)
return false;
if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods))
return false;
newFileData = fileData;
return true;
}
public DecrypterBase(PE.PeImage peImage, CodeHeader codeHeader)
{
this.peImage = peImage;
this.codeHeader = codeHeader;
endOfMetadata = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
}
public bool decrypt(PE.PeImage peImage, ref Dictionary<uint, DumpedMethod> dumpedMethods)
{
this.peImage = peImage;
uint offset = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
if (!readCodeHeader(offset))
return false;
var metadataTables = peImage.Cor20Header.createMetadataTables();
var methodDefTable = metadataTables.getMetadataType(PE.MetadataIndex.iMethodDef);
if (methodDefTable.totalSize != codeHeader.methodDefElemSize)
return false;
var methodInfos = getMethodInfos(offset + 0x30 + codeHeader.totalCodeSize);
offset = methodDefTable.fileOffset - methodDefTable.totalSize;
foreach (var methodInfo in methodInfos) {
offset += methodDefTable.totalSize;
if (methodInfo.flags == 0 || methodInfo.localVarSigTok == 0)
continue;
uint rva = peImage.offsetReadUInt32(offset);
peImage.writeUint16(rva, (ushort)methodInfo.flags);
peImage.writeUint32(rva + 8, methodInfo.localVarSigTok);
}
dumpedMethods = new Dictionary<uint, DumpedMethod>();
offset = methodDefTable.fileOffset;
for (int i = 0; i < methodInfos.Count; i++, offset += methodDefTable.totalSize) {
var methodInfo = methodInfos[i];
if (methodInfo.codeOffs == 0)
continue;
var dm = new DumpedMethod();
dm.token = 0x06000001 + (uint)i;
uint rva = peImage.offsetReadUInt32(offset);
dm.mdImplFlags = peImage.offsetReadUInt16(offset + (uint)methodDefTable.fields[1].offset);
dm.mdFlags = peImage.offsetReadUInt16(offset + (uint)methodDefTable.fields[2].offset);
dm.mdName = peImage.offsetRead(offset + (uint)methodDefTable.fields[3].offset, methodDefTable.fields[3].size);
dm.mdSignature = peImage.offsetRead(offset + (uint)methodDefTable.fields[4].offset, methodDefTable.fields[4].size);
dm.mdParamList = peImage.offsetRead(offset + (uint)methodDefTable.fields[5].offset, methodDefTable.fields[5].size);
dm.code = decrypter.decrypt(methodInfo);
if ((peImage.readByte(rva) & 3) == 2) {
dm.mhFlags = 2;
dm.mhMaxStack = 8;
dm.mhCodeSize = (uint)dm.code.Length;
dm.mhLocalVarSigTok = 0;
}
else {
dm.mhFlags = peImage.readUInt16(rva);
dm.mhMaxStack = peImage.readUInt16(rva + 2);
dm.mhCodeSize = (uint)dm.code.Length;
dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8);
}
dumpedMethods[dm.token] = dm;
}
return true;
}
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods)
{
if (!options.DecryptMethods)
return false;
byte[] fileData = DeobUtils.readModule(module);
var peImage = new PE.PeImage(fileData);
if (!new MethodsDecrypter().decrypt(peImage, ref dumpedMethods)) {
Log.v("Methods aren't encrypted or invalid signature");
return false;
}
newFileData = fileData;
return true;
}
