public void AddInitializeArrayCode(Block block, int start, int numToRemove, ITypeDefOrRef elementType, byte[] data) {
int index = start;
block.Replace(index++, numToRemove, Instruction.CreateLdcI4(data.Length / elementType.ToTypeSig().ElementType.GetPrimitiveSize()));
block.Insert(index++, OpCodes.Newarr.ToInstruction(elementType));
block.Insert(index++, OpCodes.Dup.ToInstruction());
block.Insert(index++, OpCodes.Ldtoken.ToInstruction((IField)Create(data)));
block.Insert(index++, OpCodes.Call.ToInstruction((IMethod)InitializeArrayMethod));
}
protected override bool Deobfuscate(Block block)
{
bool modified = false;
instructionEmulator.Initialize(Blocks, AllBlocks[0] == block);
var instrs = block.Instructions;
for (int i = 0; i < instrs.Count; i++) {
var instr = instrs[i];
switch (instr.OpCode.Code) {
case Code.Ldarg:
case Code.Ldarg_0:
case Code.Ldarg_1:
case Code.Ldarg_2:
case Code.Ldarg_3:
case Code.Ldarg_S:
modified |= FixLoadInstruction(block, i, instructionEmulator.GetArg(instr.Instruction.GetParameter(args)));
break;
case Code.Ldloc:
case Code.Ldloc_0:
case Code.Ldloc_1:
case Code.Ldloc_2:
case Code.Ldloc_3:
case Code.Ldloc_S:
modified |= FixLoadInstruction(block, i, instructionEmulator.GetLocal(instr.Instruction.GetLocal(Blocks.Locals)));
break;
case Code.Ldarga:
case Code.Ldarga_S:
instructionEmulator.MakeArgUnknown((Parameter)instr.Operand);
break;
case Code.Ldloca:
case Code.Ldloca_S:
instructionEmulator.MakeLocalUnknown((Local)instr.Operand);
break;
case Code.Add:
case Code.Add_Ovf:
case Code.Add_Ovf_Un:
case Code.And:
case Code.Ceq:
case Code.Cgt:
case Code.Cgt_Un:
case Code.Clt:
case Code.Clt_Un:
case Code.Conv_I:
case Code.Conv_I1:
case Code.Conv_I2:
case Code.Conv_I4:
case Code.Conv_I8:
case Code.Conv_Ovf_I:
case Code.Conv_Ovf_I_Un:
case Code.Conv_Ovf_I1:
case Code.Conv_Ovf_I1_Un:
case Code.Conv_Ovf_I2:
case Code.Conv_Ovf_I2_Un:
case Code.Conv_Ovf_I4:
case Code.Conv_Ovf_I4_Un:
case Code.Conv_Ovf_I8:
case Code.Conv_Ovf_I8_Un:
case Code.Conv_Ovf_U:
case Code.Conv_Ovf_U_Un:
case Code.Conv_Ovf_U1:
case Code.Conv_Ovf_U1_Un:
case Code.Conv_Ovf_U2:
case Code.Conv_Ovf_U2_Un:
case Code.Conv_Ovf_U4:
case Code.Conv_Ovf_U4_Un:
case Code.Conv_Ovf_U8:
case Code.Conv_Ovf_U8_Un:
case Code.Conv_R_Un:
case Code.Conv_R4:
case Code.Conv_R8:
case Code.Conv_U:
case Code.Conv_U1:
case Code.Conv_U2:
case Code.Conv_U4:
case Code.Conv_U8:
case Code.Div:
case Code.Div_Un:
case Code.Dup:
case Code.Mul:
case Code.Mul_Ovf:
case Code.Mul_Ovf_Un:
case Code.Neg:
case Code.Not:
case Code.Or:
case Code.Rem:
case Code.Rem_Un:
case Code.Shl:
case Code.Shr:
case Code.Shr_Un:
case Code.Sub:
case Code.Sub_Ovf:
case Code.Sub_Ovf_Un:
case Code.Xor:
if (DisableNewCode)
break;
if (i + 1 < instrs.Count && instrs[i + 1].OpCode.Code == Code.Pop)
break;
if (!VerifyValidArgs(instr.Instruction))
break;
instructionEmulator.Emulate(instr.Instruction);
var tos = instructionEmulator.Peek();
Instruction newInstr = null;
if (tos.IsInt32()) {
var val = (Int32Value)tos;
if (val.AllBitsValid())
newInstr = Instruction.CreateLdcI4(val.Value);
}
else if (tos.IsInt64()) {
var val = (Int64Value)tos;
if (val.AllBitsValid())
newInstr = OpCodes.Ldc_I8.ToInstruction(val.Value);
}
else if (tos.IsReal8()) {
var val = (Real8Value)tos;
if (val.IsValid)
newInstr = GetLoadRealInstruction(val.Value);
}
if (newInstr != null) {
block.Insert(i + 1, Instruction.Create(OpCodes.Pop));
block.Insert(i + 2, newInstr);
i += 2;
modified = true;
}
continue;
}
try {
instructionEmulator.Emulate(instr.Instruction);
}
catch (NullReferenceException) {
// Here if eg. invalid metadata token in a call instruction (operand is null)
break;
}
}
return modified;
}
bool AddCast(Block block, int castIndex, int index, TypeSig type) {
if (type == null)
return false;
if (castIndex >= block.Instructions.Count || index >= block.Instructions.Count)
return false;
var stloc = block.Instructions[index];
if (!stloc.IsStloc())
return false;
var local = stloc.Instruction.GetLocal(blocks.Locals);
if (local == null)
return false;
var localInfo = localInfos[local];
if (localInfo.CastType == null)
return false;
if (!new SigComparer().Equals(localInfo.CastType, type))
block.Insert(castIndex, new Instruction(OpCodes.Castclass, localInfo.CastType));
return true;
}
void Update(Block block, NewMethodInfo currentMethodInfo) {
var instrs = block.Instructions;
for (int i = 0; i < instrs.Count; i++) {
var instr = instrs[i];
if (instr.OpCode == OpCodes.Newobj) {
var ctor = (IMethod)instr.Operand;
var ctorTypeFullName = ctor.DeclaringType.FullName;
if (ctorTypeFullName == "System.Diagnostics.StackTrace") {
InsertLoadThis(block, i + 1);
InsertCallOurMethod(block, i + 2, "static_RtFixStackTrace");
i += 2;
continue;
}
else if (ctorTypeFullName == "System.Diagnostics.StackFrame") {
InsertLoadThis(block, i + 1);
InsertCallOurMethod(block, i + 2, "static_RtFixStackFrame");
i += 2;
continue;
}
}
if (instr.OpCode == OpCodes.Call || instr.OpCode == OpCodes.Callvirt) {
var calledMethod = (IMethod)instr.Operand;
if (calledMethod.DeclaringType.DefinitionAssembly.IsCorLib()) {
var calledMethodFullName = calledMethod.FullName;
if (calledMethodFullName == "System.Reflection.Assembly System.Reflection.Assembly::GetAssembly(System.Type)") {
block.Replace(i, 1, OpCodes.Nop.ToInstruction());
InsertLoadThis(block, i + 1);
InsertCallOurMethod(block, i + 2, "static_RtGetAssembly_TypeArg");
i += 2;
continue;
}
else if (calledMethodFullName == "System.Reflection.Assembly System.Reflection.Assembly::GetCallingAssembly()" ||
calledMethodFullName == "System.Reflection.Assembly System.Reflection.Assembly::GetEntryAssembly()" ||
calledMethodFullName == "System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()") {
block.Replace(i, 1, OpCodes.Nop.ToInstruction());
InsertLoadThis(block, i + 1);
block.Insert(i + 2, OpCodes.Ldc_I4.ToInstruction(currentMethodInfo.delegateIndex));
InsertCallOurMethod(block, i + 3, "RtGetAssembly");
i += 3;
continue;
}
}
var method = Resolver.GetMethod((IMethod)instr.Operand);
if (method != null) {
CreateMethod(method.methodBase);
var newMethodInfo = realMethodToNewMethod[method.methodBase];
block.Replace(i, 1, OpCodes.Nop.ToInstruction());
int n = i + 1;
// Pop all pushed args to a temp array
var mparams = GetParameters(method.methodDef);
if (mparams.Count > 0) {
block.Insert(n++, OpCodes.Ldc_I4.ToInstruction(mparams.Count));
var objectType = method.methodDef.DeclaringType.Module.CorLibTypes.Object;
block.Insert(n++, OpCodes.Newarr.ToInstruction(objectType));
block.Insert(n++, Create(OpCodes.Stloc, new Operand(Operand.Type.TempObjArray)));
for (int j = mparams.Count - 1; j >= 0; j--) {
var argType = mparams[j];
if (argType.RemovePinnedAndModifiers().IsValueType)
block.Insert(n++, OpCodes.Box.ToInstruction(((TypeDefOrRefSig)argType).TypeDefOrRef));
block.Insert(n++, Create(OpCodes.Stloc, new Operand(Operand.Type.TempObj)));
block.Insert(n++, Create(OpCodes.Ldloc, new Operand(Operand.Type.TempObjArray)));
block.Insert(n++, OpCodes.Ldc_I4.ToInstruction(j));
block.Insert(n++, Create(OpCodes.Ldloc, new Operand(Operand.Type.TempObj)));
block.Insert(n++, OpCodes.Stelem_Ref.ToInstruction());
}
}
// Push delegate instance
InsertLoadThis(block, n++);
block.Insert(n++, OpCodes.Ldc_I4.ToInstruction(newMethodInfo.delegateIndex));
InsertCallOurMethod(block, n++, "RtGetDelegateInstance");
block.Insert(n++, Create(OpCodes.Castclass, new Operand(Operand.Type.ReflectionType, newMethodInfo.delegateType)));
// Push all popped args
if (mparams.Count > 0) {
for (int j = 0; j < mparams.Count; j++) {
block.Insert(n++, Create(OpCodes.Ldloc, new Operand(Operand.Type.TempObjArray)));
block.Insert(n++, OpCodes.Ldc_I4.ToInstruction(j));
block.Insert(n++, OpCodes.Ldelem_Ref.ToInstruction());
var argType = mparams[j];
if (argType.RemovePinnedAndModifiers().IsValueType)
block.Insert(n++, OpCodes.Unbox_Any.ToInstruction(((TypeDefOrRefSig)argType).TypeDefOrRef));
else {
// Don't cast it to its correct type. This will sometimes cause
// an exception in some EF obfuscated assembly since we'll be
// trying to cast a System.Reflection.AssemblyName type to some
// other type.
// block.insert(n++, Instruction.Create(OpCodes.Castclass, argType.ToTypeDefOrRef()));
}
}
}
InsertLoadThis(block, n++);
block.Insert(n++, Create(OpCodes.Call, new Operand(Operand.Type.NewMethod, method.methodBase)));
i = n - 1;
continue;
}
}
}
}
int InsertCallOurMethod(Block block, int i, string methodName) {
block.Insert(i, Create(OpCodes.Call, new Operand(Operand.Type.OurMethod, methodName)));
return 1;
}
// Inserts ldarg THIS, and returns number of instructions inserted at 'i'
int InsertLoadThis(Block block, int i) {
block.Insert(i, Create(OpCodes.Ldarg, new Operand(Operand.Type.ThisArg)));
return 1;
}
protected override bool Deobfuscate(Block block) {
bool modified = false;
var instrs = block.Instructions;
var constantsReader = CreateConstantsReader(instrs);
for (int i = 0; i < instrs.Count; i++) {
int index = 0;
Instruction newInstr = null;
var instr = instrs[i];
if (constantsReader.IsLoadConstantInt32(instr.Instruction)) {
index = i;
int val;
if (!constantsReader.GetInt32(ref index, out val))
continue;
newInstr = Instruction.CreateLdcI4(val);
}
else if (constantsReader.IsLoadConstantInt64(instr.Instruction)) {
index = i;
long val;
if (!constantsReader.GetInt64(ref index, out val))
continue;
newInstr = Instruction.Create(OpCodes.Ldc_I8, val);
}
else if (constantsReader.IsLoadConstantDouble(instr.Instruction)) {
index = i;
double val;
if (!constantsReader.GetDouble(ref index, out val))
continue;
newInstr = Instruction.Create(OpCodes.Ldc_R8, val);
}
if (newInstr != null && index - i > 1) {
block.Insert(index++, Instruction.Create(OpCodes.Pop));
block.Insert(index++, newInstr);
i = index - 1;
constantsReader = CreateConstantsReader(instrs);
modified = true;
continue;
}
// Convert ldc.r4/r8 followed by conv to the appropriate ldc.i4/i8 instr
if (i + 1 < instrs.Count && (instr.OpCode.Code == Code.Ldc_R4 || instr.OpCode.Code == Code.Ldc_R8)) {
var conv = instrs[i + 1];
int vali32 = instr.OpCode.Code == Code.Ldc_R4 ? (int)(float)instr.Operand : (int)(double)instr.Operand;
long vali64 = instr.OpCode.Code == Code.Ldc_R4 ? (long)(float)instr.Operand : (long)(double)instr.Operand;
uint valu32 = instr.OpCode.Code == Code.Ldc_R4 ? (uint)(float)instr.Operand : (uint)(double)instr.Operand;
ulong valu64 = instr.OpCode.Code == Code.Ldc_R4 ? (ulong)(float)instr.Operand : (ulong)(double)instr.Operand;
switch (conv.OpCode.Code) {
case Code.Conv_I1:
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (sbyte)(float)instr.Operand : (sbyte)(double)instr.Operand);
break;
case Code.Conv_U1:
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (byte)(float)instr.Operand : (byte)(double)instr.Operand);
break;
case Code.Conv_I2:
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (short)(float)instr.Operand : (short)(double)instr.Operand);
break;
case Code.Conv_U2:
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (ushort)(float)instr.Operand : (ushort)(double)instr.Operand);
break;
case Code.Conv_I4:
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (int)(float)instr.Operand : (int)(double)instr.Operand);
break;
case Code.Conv_U4:
newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (int)(uint)(float)instr.Operand : (int)(uint)(double)instr.Operand);
break;
case Code.Conv_I8:
newInstr = Instruction.Create(OpCodes.Ldc_I8, instr.OpCode.Code == Code.Ldc_R4 ? (long)(float)instr.Operand : (long)(double)instr.Operand);
break;
case Code.Conv_U8:
newInstr = Instruction.Create(OpCodes.Ldc_I8, instr.OpCode.Code == Code.Ldc_R4 ? (ulong)(float)instr.Operand : (ulong)(double)instr.Operand);
break;
default:
newInstr = null;
break;
}
if (newInstr != null) {
block.Replace(i, 2, newInstr);
constantsReader = CreateConstantsReader(instrs);
modified = true;
continue;
}
}
}
return modified;
}
