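/// <summary>
/// Metadata-phase step of the constant encryption. Stores the per-module key buffer
/// as a StandAloneSig blob, rewrites the key-loading instruction into an
/// <c>ldc.i4</c> carrying the (masked) token of that blob, and, when native mode is
/// enabled, appends the x86 decryption stub to the module's code section.
/// </summary>
/// <param name="parameters">Per-confusion settings; not read by this step.</param>
/// <param name="accessor">Low-level access to the module's metadata heaps and code stream.</param>
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
    _Context txt = cc.txts[accessor.Module];

    // The key bytes live in the blob heap; a StandAloneSig row (table 0x11) makes
    // them addressable through an ordinary metadata token.
    uint blobIndex = accessor.BlobHeap.GetBlobIndex(new Mono.Cecil.PE.ByteBuffer(txt.keyBuff));
    int rid = accessor.TableHeap.GetTable<StandAloneSigTable>(Table.StandAloneSig).AddRow(blobIndex);
    int token = 0x11000000 | rid;

    txt.keyInst.OpCode = OpCodes.Ldc_I4;
    // The token is XOR-masked with a fixed constant so it does not appear verbatim as
    // an IL literal; the consumer is expected to apply the same XOR — TODO confirm
    // the runtime side uses 0x06000001 as well.
    txt.keyInst.Operand = (int)(token ^ 0x06000001);
    Database.AddEntry("Const", "KeyBuffToken", token);

    if (!txt.isNative)
    {
        return;
    }

    // Record where the stub starts before emitting it; the length is filled in once
    // the bytes are known.
    txt.nativeRange = new Range(accessor.Codebase + (uint)accessor.Codes.Position, 0);
    byte[] codes = BuildNativeStub(txt);
    Database.AddEntry("Const", "Native", codes);
    accessor.Codes.WriteBytes(codes);
    accessor.SetCodePosition(accessor.Codebase + (uint)accessor.Codes.Position);
    txt.nativeRange.Length = (uint)codes.Length;
}

/// <summary>
/// Assembles the native stub: a mode-detecting prologue that fetches the single
/// argument, the instructions produced by the context's visitor, and an epilogue
/// that leaves the result in eax. The result is padded to a 4-byte boundary.
/// </summary>
/// <param name="txt">Context whose <c>visitor</c> supplies the body instructions.</param>
/// <returns>The machine code bytes to append to the code section.</returns>
private static byte[] BuildNativeStub(_Context txt)
{
    using (MemoryStream ms = new MemoryStream())
    using (BinaryWriter wtr = new BinaryWriter(ms))
    {
        // Prologue. These encodings are valid in both 32- and 64-bit mode; the stub
        // measures how far three pushes moved the stack pointer (12 bytes on 32-bit,
        // 24 on 64-bit) and picks up the argument accordingly.
        wtr.Write(new byte[] { 0x89, 0xe0 });             // mov eax, esp
        wtr.Write(new byte[] { 0x53 });                   // push ebx
        wtr.Write(new byte[] { 0x57 });                   // push edi
        wtr.Write(new byte[] { 0x56 });                   // push esi
        wtr.Write(new byte[] { 0x29, 0xe0 });             // sub eax, esp
        wtr.Write(new byte[] { 0x83, 0xf8, 0x18 });       // cmp eax, 24
        wtr.Write(new byte[] { 0x74, 0x07 });             // je n      ; 64-bit: skip the 7-byte 32-bit path
        wtr.Write(new byte[] { 0x8b, 0x44, 0x24, 0x10 }); // mov eax, [esp + 0x10] ; 32-bit: first stack arg (3 pushes + return address)
        wtr.Write(new byte[] { 0x50 });                   // push eax
        wtr.Write(new byte[] { 0xeb, 0x01 });             // jmp z
        wtr.Write(new byte[] { 0x51 });                   // n: push ecx ; 64-bit: first arg arrives in rcx (Windows x64 convention)
                                                          // z:

        x86Register ret;
        var insts = txt.visitor.GetInstructions(out ret);
        foreach (var inst in insts)
        {
            wtr.Write(inst.Assemble());
        }

        // The epilogue hands the result back in eax; copy it there if the visitor
        // left it in another register.
        if (ret != x86Register.EAX)
        {
            wtr.Write(new x86Instruction
            {
                OpCode = x86OpCode.MOV,
                Operands = new Ix86Operand[]
                {
                    new x86RegisterOperand { Register = x86Register.EAX },
                    new x86RegisterOperand { Register = ret },
                },
            }.Assemble());
        }

        // Epilogue: restore the callee-saved registers in reverse order and return.
        wtr.Write(new byte[] { 0x5e }); // pop esi
        wtr.Write(new byte[] { 0x5f }); // pop edi
        wtr.Write(new byte[] { 0x5b }); // pop ebx
        wtr.Write(new byte[] { 0xc3 }); // ret

        // Zero-pad so whatever is emitted next starts on a 4-byte boundary.
        wtr.Write(new byte[((ms.Length + 3) & ~3) - ms.Length]);
        wtr.Flush();
        return ms.ToArray();
    }
}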
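/// <summary>
/// Metadata-phase step of the method-proxy confusion. Shuffles the proxy contexts,
/// resolves each proxied method's token, gives every still-unnamed proxy field a
/// random name (with a leading marker character distinguishing call from callvirt)
/// and a unique field signature, and, when native mode is enabled, appends the x86
/// stub to the module's code section.
/// </summary>
/// <param name="parameters">Per-confusion settings; not read by this step.</param>
/// <param name="accessor">Low-level access to the module's metadata and code stream.</param>
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
    _Context _txt = mc.txts[accessor.Module];

    // Fisher–Yates shuffle so the emission order does not mirror the original call
    // order. j is drawn from [i, Count); drawing it from the whole range on every
    // iteration (as before) produces a biased permutation.
    for (int i = 0; i < _txt.txts.Count; i++)
    {
        int j = Random.Next(i, _txt.txts.Count);
        var tmp = _txt.txts[i];
        _txt.txts[i] = _txt.txts[j];
        _txt.txts[j] = tmp;
    }

    // Scratch type never added to the module; its generic parameters are borrowed
    // below to make each proxy field's signature distinct.
    TypeDefinition typeDef = new TypeDefinition("", "", 0);
    foreach (Context txt in _txt.txts)
    {
        txt.token = accessor.LookupToken(txt.mtdRef);

        // Fields whose name does not start with '\0' are treated as already named
        // and skipped — presumably placeholder names from an earlier phase start
        // with '\0'; confirm against the phase that creates them.
        if (txt.fld.Name[0] != '\0')
        {
            continue;
        }

        // The marker character is chosen by isVirt, mirroring the call/callvirt
        // distinction recorded in the Database entries below.
        txt.fld.Name = (txt.isVirt ? _txt.keyChar1 : _txt.keyChar2) + "\n" + ObfuscationHelper.GetRandomName();

        // Cecil would otherwise share one field signature between the proxy fields;
        // wrapping the field type in a generic instance whose last argument is the
        // field's own position-indexed generic parameter forces a distinct blob.
        int pos = txt.fld.DeclaringType.Fields.IndexOf(txt.fld) + 1;
        while (typeDef.GenericParameters.Count < pos)
        {
            typeDef.GenericParameters.Add(new GenericParameter(typeDef));
        }
        var obj = accessor.Module.TypeSystem.Object;
        txt.fld.FieldType = new GenericInstanceType(txt.fld.FieldType)
        {
            GenericArguments = { obj, obj, obj, obj, obj, typeDef.GenericParameters[pos - 1] }
        };

        Database.AddEntry("MtdProxy", (txt.isVirt ? "callvirt " : "call ") + txt.mtdRef.FullName, txt.fld.Name);
        Database.AddEntry("MtdProxy", txt.fld.Name, txt.inst.Operand.ToString());
    }

    if (!_txt.isNative)
    {
        return;
    }

    // Record where the stub starts before emitting it; the length is filled in once
    // the bytes are known.
    _txt.nativeRange = new Range(accessor.Codebase + (uint)accessor.Codes.Position, 0);
    byte[] codes = BuildNativeStub(_txt);
    Database.AddEntry("MtdProxy", "Native", codes);
    accessor.Codes.WriteBytes(codes);
    accessor.SetCodePosition(accessor.Codebase + (uint)accessor.Codes.Position);
    _txt.nativeRange.Length = (uint)codes.Length;
}

/// <summary>
/// Assembles the native stub: a mode-detecting prologue that fetches the single
/// argument, the instructions produced by the context's visitor, and an epilogue
/// that leaves the result in eax. The result is padded to a 4-byte boundary.
/// </summary>
/// <param name="txt">Context whose <c>visitor</c> supplies the body instructions.</param>
/// <returns>The machine code bytes to append to the code section.</returns>
private static byte[] BuildNativeStub(_Context txt)
{
    using (MemoryStream ms = new MemoryStream())
    using (BinaryWriter wtr = new BinaryWriter(ms))
    {
        // Prologue. These encodings are valid in both 32- and 64-bit mode; the stub
        // measures how far three pushes moved the stack pointer (12 bytes on 32-bit,
        // 24 on 64-bit) and picks up the argument accordingly.
        wtr.Write(new byte[] { 0x89, 0xe0 });             // mov eax, esp
        wtr.Write(new byte[] { 0x53 });                   // push ebx
        wtr.Write(new byte[] { 0x57 });                   // push edi
        wtr.Write(new byte[] { 0x56 });                   // push esi
        wtr.Write(new byte[] { 0x29, 0xe0 });             // sub eax, esp
        wtr.Write(new byte[] { 0x83, 0xf8, 0x18 });       // cmp eax, 24
        wtr.Write(new byte[] { 0x74, 0x07 });             // je n      ; 64-bit: skip the 7-byte 32-bit path
        wtr.Write(new byte[] { 0x8b, 0x44, 0x24, 0x10 }); // mov eax, [esp + 0x10] ; 32-bit: first stack arg (3 pushes + return address)
        wtr.Write(new byte[] { 0x50 });                   // push eax
        wtr.Write(new byte[] { 0xeb, 0x01 });             // jmp z
        wtr.Write(new byte[] { 0x51 });                   // n: push ecx ; 64-bit: first arg arrives in rcx (Windows x64 convention)
                                                          // z:

        x86Register ret;
        var insts = txt.visitor.GetInstructions(out ret);
        foreach (var inst in insts)
        {
            wtr.Write(inst.Assemble());
        }

        // The epilogue hands the result back in eax; copy it there if the visitor
        // left it in another register.
        if (ret != x86Register.EAX)
        {
            wtr.Write(new x86Instruction
            {
                OpCode = x86OpCode.MOV,
                Operands = new Ix86Operand[]
                {
                    new x86RegisterOperand { Register = x86Register.EAX },
                    new x86RegisterOperand { Register = ret },
                },
            }.Assemble());
        }

        // Epilogue: restore the callee-saved registers in reverse order and return.
        wtr.Write(new byte[] { 0x5e }); // pop esi
        wtr.Write(new byte[] { 0x5f }); // pop edi
        wtr.Write(new byte[] { 0x5b }); // pop ebx
        wtr.Write(new byte[] { 0xc3 }); // ret

        // Zero-pad so whatever is emitted next starts on a 4-byte boundary.
        wtr.Write(new byte[((ms.Length + 3) & ~3) - ms.Length]);
        wtr.Flush();
        return ms.ToArray();
    }
}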
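/// <summary>
/// Metadata-phase step of the constant encryption. Stores the per-module key buffer
/// in the blob heap, points a placeholder MemberRef row at it, rewrites the
/// key-loading instruction into an <c>ldc.i4</c> carrying the (masked) MemberRef
/// token, and, when native mode is enabled, appends the x86 decryption stub to the
/// module's code section.
/// </summary>
/// <param name="parameters">Per-confusion settings; not read by this step.</param>
/// <param name="accessor">Low-level access to the module's metadata heaps and code stream.</param>
public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
{
    _Context txt = cc.txts[accessor.Module];

    // The key bytes live in the blob heap. Earlier revisions made them addressable
    // via StandAloneSig, Field, File and TypeSpec rows (TypeSpec was noted as working
    // too); the variant kept is a MemberRef row (table 0x0A) whose Class and Name
    // columns hold the placeholder values 1 and 1 and whose Signature column is the
    // key blob.
    uint blobIndex = accessor.BlobHeap.GetBlobIndex(new Mono.Cecil.PE.ByteBuffer(txt.keyBuff));
    int rid = accessor.TableHeap.GetTable<MemberRefTable>(Table.MemberRef)
        .AddRow(new Row<uint, uint, uint>(1, 1, blobIndex));
    int token = 0x0A000000 | rid;

    txt.keyInst.OpCode = OpCodes.Ldc_I4;
    // 0x06000001 is the MethodDef token of <Module>::.cctor; XOR-masking with it keeps
    // the raw MemberRef token out of the IL literal. The consumer is expected to
    // undo the same XOR — TODO confirm against the runtime side.
    txt.keyInst.Operand = (int)(token ^ 0x06000001);
    Database.AddEntry("Const", "KeyBuffToken", token);

    if (!txt.isNative)
    {
        return;
    }

    // Record where the stub starts before emitting it; the length is filled in once
    // the bytes are known.
    txt.nativeRange = new Range(accessor.Codebase + (uint)accessor.Codes.Position, 0);
    byte[] codes = BuildNativeStub(txt);
    Database.AddEntry("Const", "Native", codes);
    accessor.Codes.WriteBytes(codes);
    accessor.SetCodePosition(accessor.Codebase + (uint)accessor.Codes.Position);
    txt.nativeRange.Length = (uint)codes.Length;
}

/// <summary>
/// Assembles the native stub: a mode-detecting prologue that fetches the single
/// argument, the instructions produced by the context's visitor, and an epilogue
/// that leaves the result in eax. The result is padded to a 4-byte boundary.
/// </summary>
/// <param name="txt">Context whose <c>visitor</c> supplies the body instructions.</param>
/// <returns>The machine code bytes to append to the code section.</returns>
private static byte[] BuildNativeStub(_Context txt)
{
    using (MemoryStream ms = new MemoryStream())
    using (BinaryWriter wtr = new BinaryWriter(ms))
    {
        // Prologue. These encodings are valid in both 32- and 64-bit mode; the stub
        // measures how far three pushes moved the stack pointer (12 bytes on 32-bit,
        // 24 on 64-bit) and picks up the argument accordingly.
        wtr.Write(new byte[] { 0x89, 0xe0 });             // mov eax, esp
        wtr.Write(new byte[] { 0x53 });                   // push ebx
        wtr.Write(new byte[] { 0x57 });                   // push edi
        wtr.Write(new byte[] { 0x56 });                   // push esi
        wtr.Write(new byte[] { 0x29, 0xe0 });             // sub eax, esp
        wtr.Write(new byte[] { 0x83, 0xf8, 0x18 });       // cmp eax, 24
        wtr.Write(new byte[] { 0x74, 0x07 });             // je n      ; 64-bit: skip the 7-byte 32-bit path
        wtr.Write(new byte[] { 0x8b, 0x44, 0x24, 0x10 }); // mov eax, [esp + 0x10] ; 32-bit: first stack arg (3 pushes + return address)
        wtr.Write(new byte[] { 0x50 });                   // push eax
        wtr.Write(new byte[] { 0xeb, 0x01 });             // jmp z
        wtr.Write(new byte[] { 0x51 });                   // n: push ecx ; 64-bit: first arg arrives in rcx (Windows x64 convention)
                                                          // z:

        x86Register ret;
        var insts = txt.visitor.GetInstructions(out ret);
        foreach (var inst in insts)
        {
            wtr.Write(inst.Assemble());
        }

        // The epilogue hands the result back in eax; copy it there if the visitor
        // left it in another register.
        if (ret != x86Register.EAX)
        {
            wtr.Write(new x86Instruction
            {
                OpCode = x86OpCode.MOV,
                Operands = new Ix86Operand[]
                {
                    new x86RegisterOperand { Register = x86Register.EAX },
                    new x86RegisterOperand { Register = ret },
                },
            }.Assemble());
        }

        // Epilogue: restore the callee-saved registers in reverse order and return.
        wtr.Write(new byte[] { 0x5e }); // pop esi
        wtr.Write(new byte[] { 0x5f }); // pop edi
        wtr.Write(new byte[] { 0x5b }); // pop ebx
        wtr.Write(new byte[] { 0xc3 }); // ret

        // Zero-pad so whatever is emitted next starts on a 4-byte boundary.
        wtr.Write(new byte[((ms.Length + 3) & ~3) - ms.Length]);
        wtr.Flush();
        return ms.ToArray();
    }
}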