private static void Main(string[] args) { if (args.Length == 0) { Console.WriteLine("No input file specified..."); } else { Configuration.AssemblyFilename = args[0]; ModuleDefMD module = ModuleDefMD.Load(Configuration.AssemblyFilename, (ModuleCreationOptions)null); TypeDef globalType = module.GlobalType; List <MethodDef> methodDefList = new List <MethodDef>(); foreach (MethodDef method in globalType.Methods.Where <MethodDef>((Func <MethodDef, bool>)(m => m.IsNative)).ToList <MethodDef>()) { MethodDef ilFromX86Method = X86MethodToILConverter.CreateILFromX86Method(new X86Method(method)); method.DeclaringType.Methods.Add(ilFromX86Method); methodDefList.Add(method); } foreach (MethodDef methodDef1 in methodDefList) { MethodDef replacedMethod = methodDef1; IEnumerable <Instruction> allReferences = replacedMethod.FindAllReferences(module); MethodDef methodDef2 = module.GlobalType.Methods.FirstOrDefault <MethodDef>((Func <MethodDef, bool>)(m => m.Name == (string)replacedMethod.Name + "_IL")); foreach (Instruction instruction in allReferences) { instruction.Operand = (object)methodDef2; } ++Program.x86Fixed; } foreach (MethodDef methodDef in methodDefList) { globalType.Methods.Remove(methodDef); } module.IsStrongNameSigned = false; module.Assembly.PublicKey = (PublicKey)null; NativeModuleWriterOptions options1 = new NativeModuleWriterOptions(module); options1.MetaDataOptions.Flags |= MetaDataFlags.PreserveAll; options1.MetaDataOptions.Flags |= MetaDataFlags.KeepOldMaxStack; options1.Cor20HeaderOptions.Flags = new ComImageFlags?(ComImageFlags.ILOnly | ComImageFlags._32BitRequired); module.NativeWrite((Stream)Program.mem, options1); Program.module = ModuleDefMD.Load((Stream)Program.mem); ModuleWriterOptions options2 = new ModuleWriterOptions((ModuleDef)Program.module); options1.MetaDataOptions.Flags |= MetaDataFlags.PreserveAll; options1.MetaDataOptions.Flags |= MetaDataFlags.KeepOldMaxStack; Program.module.Write(args[0].Replace(".exe", "-x86_mode_Fixed.exe"), options2); Console.WriteLine("Resolved : " + (object)Program.x86Fixed + " natives ints"); } }
private static void Main(string[] args) { if (args.Length == 0) { Console.WriteLine("No input file specified..."); return; } // Store the obfuscated file name for later use (e.g. when resolving the RVAs) Configuration.AssemblyFilename = args[0]; // Load the assembly via dnlib (Only the module, we need this structure to resolve MD Tokens) var assemblyModuleDnlib = ModuleDefMD.Load(Configuration.AssemblyFilename); // Get the <Module>-Type for later use var cctorType = assemblyModuleDnlib.GlobalType; // Store the replaced methods in this list var nativeMethodsReplaced = new List <MethodDef>(); // Find methods with native code var nativeMethods = cctorType.Methods.Where(m => m.IsNative).ToList(); foreach (var nativeMethod in nativeMethods) { // Get the assembly code and the X86 Opcode Structure (Thanks to ubbelol) X86Method x86NativeMethod = new X86Method(nativeMethod); var ILNativeMethod = X86MethodToILConverter.CreateILFromX86Method(x86NativeMethod); nativeMethod.DeclaringType.Methods.Add(ILNativeMethod); nativeMethodsReplaced.Add(nativeMethod); } // Export all the IL Methods to a DLL MethodExporter.ExportMethodsToDll("TestMethodModule.dll", nativeMethodsReplaced, assemblyModuleDnlib); // Call the DLL IL Methods and the native Methods via x86 function ptr to see if the result is the same X86ILTester.TestNativeWithILMethods(Configuration.AssemblyFilename, Path.Combine(Environment.CurrentDirectory, "TestMethodModule.dll")); // Find all the native method calls and replace them with the IL calls foreach (var replacedMethod in nativeMethodsReplaced) { var callsToNativeMethod = replacedMethod.FindAllReferences(assemblyModuleDnlib); var ilMethod = assemblyModuleDnlib.GlobalType.Methods.FirstOrDefault(m => m.Name == replacedMethod.Name + "_IL"); foreach (var call in callsToNativeMethod) { call.Operand = ilMethod; } Console.WriteLine("[+] Removed " + callsToNativeMethod.ToList().Count + " entries."); } // Remove each native method foreach (var replacedMethod in nativeMethodsReplaced) { cctorType.Methods.Remove(replacedMethod); } // Turn off signing assemblyModuleDnlib.IsStrongNameSigned = false; assemblyModuleDnlib.Assembly.PublicKey = null; // Preserve Tokens and fix the flags for ILOnly var moduleWriterOptions = new ModuleWriterOptions(); moduleWriterOptions.MetaDataOptions.Flags |= MetaDataFlags.PreserveAll; moduleWriterOptions.MetaDataOptions.Flags |= MetaDataFlags.KeepOldMaxStack; moduleWriterOptions.Cor20HeaderOptions.Flags = ComImageFlags.ILOnly | ComImageFlags._32BitRequired; assemblyModuleDnlib.Write("out_mod.exe", moduleWriterOptions); }