private static void DecryptMethods(MethodDef methodDef, MethodBase invokeMethod, object fieldInstance) { var instructions = methodDef.Body.Instructions; if (instructions.Count < 9) { return; } if (instructions[0].OpCode != OpCodes.Ldsfld) { return; } if (((FieldDef)instructions[0].Operand).FullName != "i <Module>::Invoke") { return; } ToRemove.Add(instructions[3].Operand); int index = instructions[1].GetLdcI4Value(); var dynamicMethodBodyReader = new DynamicMethodBodyReader(methodDef.Module, invokeMethod.Invoke(fieldInstance, new object[] { index })); dynamicMethodBodyReader.Read(); methodDef.FreeMethodBody(); methodDef.Body = dynamicMethodBodyReader.GetMethod().Body; }
private static void InvokeDelegates(IList <TypeDef> typeDefs, MethodInfo invokeMethod, object invokeField) { foreach (TypeDef typeDef in typeDefs) { foreach (MethodDef methodDef in typeDef.Methods) { if (!(methodDef.Module.Name != assembly.ManifestModule.ScopeName) && methodDef.HasBody && methodDef.Body.Instructions.Count > 2 && methodDef.Body.Instructions[0].OpCode == OpCodes.Ldsfld && methodDef.Body.Instructions[0].Operand.ToString().Contains("Invoke") && methodDef.Body.Instructions[1].IsLdcI4()) { currentMethod = methodDef; var _MDToken = ((IType)methodDef.Body.Instructions[3].Operand).MDToken.ToInt32(); junkType.Add(typeDef.NestedTypes.FirstOrDefault(net => net.MDToken.ToInt32() == _MDToken)); object method = invokeMethod.Invoke(invokeField, new object[] { (int)methodDef.Body.Instructions[1].Operand }); try { var dynamicMethodBodyReader = new DynamicMethodBodyReader(assemblyWriter.moduleDef, method); dynamicMethodBodyReader.Read(); var method2 = dynamicMethodBodyReader.GetMethod(); assemblyWriter.WriteMethod(method2); } catch (Exception ex) { Console.WriteLine("Error in Read(): " + ex.Message + "\nMethod : " + method.ToString()); } } } } }
public override void Execute(Context Context) // Change "ConvertBack::Runner" for Modded Versions { if (Context.SysModule != null && Context.DnModule != null) { try { Initialize.Initalize("Eddy^CZ_", Context.SysModule); } catch { Context.Log.Custom("Skipping", "Not CawkVM"); return; } foreach (var TypeDef in Context.DnModule.Types.Where(x => x.HasMethods && !x.IsGlobalModuleType)) { foreach (var MethodDef in TypeDef.Methods.Where(x => x.HasBody)) { var IL = MethodDef.Body.Instructions; for (int x = 0; x < IL.Count; x++) { if (IL[x].OpCode == OpCodes.Call && IL[x].Operand.ToString().Contains("ConvertBack::Runner") && IL[x - 4].IsLdcI4() && IL[x - 3].IsLdcI4() && IL[x - 2].IsLdcI4()) { try { var Position = IL[x - 4].GetLdcI4Value(); var Size = IL[x - 3].GetLdcI4Value(); var ID = IL[x - 2].GetLdcI4Value(); object[] Params = new object[MethodDef.Parameters.Count]; int Index = 0; foreach (var Param in MethodDef.Parameters) { Params[Index++] = Param.Type.Next; } var methodBase = Context.SysModule.ResolveMethod(MethodDef.MDToken.ToInt32()); var dynamicMethod = ConvertBack.Runner(Position, Size, ID, Params, methodBase); var dynamicReader = Activator.CreateInstance( typeof(System.Reflection.Emit.DynamicMethod).Module.GetTypes() .FirstOrDefault(t => t.Name == "DynamicResolver"), (System.Reflection.BindingFlags)(-1), null, new object[] { dynamicMethod.GetILGenerator() }, null); var dynamicMethodBodyReader = new DynamicMethodBodyReader(MethodDef.Module, dynamicReader); dynamicMethodBodyReader.Read(); MethodDef.Body = dynamicMethodBodyReader.GetMethod().Body; Context.Log.Debug($"Done Devirtualize Method : {MethodDef.Name}"); } catch (Exception ex) { Context.Log.Error(ex.Message); } } } } } } }
internal void ReadMethod(object method) { try { var methodBodyReader = new DynamicMethodBodyReader(_assemblyWriter.ModuleDef, method); methodBodyReader.Read(); var methodDef = methodBodyReader.GetMethod(); _assemblyWriter.WriteMethod(methodDef); } catch (Exception e) { Console.WriteLine("Error in ReadMethod(): " + e.Message); throw; } }
private static void InvokeDelegates(IList <TypeDef> typeDefs, MethodInfo invokeMethod, object invokeField) { var methodDefs = typeDefs.SelectMany(x => x.Methods).Where(x => x.Module.Name == Assembly.ManifestModule.ScopeName && x.HasBody && x.Body.Instructions.Count > 2 && x.Body.Instructions[0].OpCode == OpCodes.Ldsfld && x.Body.Instructions[0].Operand.ToString().Contains("Invoke") && x.Body.Instructions[1].IsLdcI4()); foreach (var methodDef in methodDefs) { _totalPackedMethods++; CurrentMethod = methodDef; CurrentMethodBase = Assembly.ManifestModule.ResolveMethod(methodDef.MDToken.ToInt32()); var mdToken = ((IType)methodDef.Body.Instructions[3].Operand).MDToken.ToInt32(); JunkType.Add(methodDef.DeclaringType.NestedTypes.FirstOrDefault(net => net.MDToken.ToInt32() == mdToken)); var index = methodDef.Body.Instructions[1].GetLdcI4Value(); if (index == IgnoreIndex) { continue; } var method = invokeMethod.Invoke(invokeField, new object[] { index }); try { var dynamicMethodBodyReader = new DynamicMethodBodyReader(AssemblyWriter.moduleDef, method); dynamicMethodBodyReader.Read(); var unpackedMethod = dynamicMethodBodyReader.GetMethod(); AssemblyWriter.WriteMethod(methodDef, unpackedMethod); _totalUnpackedMethods++; } catch (Exception ex) { Console.WriteLine("Error in Read(): " + ex.Message + "\nMethod : " + method); } finally { CurrentMethod = null; } } }
public static MethodDef ResolveMethodBodyShit(int num, ModuleDefMD Module) { GCHandle obj = Harmony.Handlaaaa; try{ var asd = obj.Target as object[]; var f = asd[num].GetType(); var s = f.GetRuntimeFields(); var gh = s.ToArray()[1].GetValue(asd[num]) as Delegate[]; var del = gh[0]; DynamicMethodBodyReader reader = new DynamicMethodBodyReader(Module, del); reader.Read(); return(reader.GetMethod()); } catch { } return(null); }
internal static void FixProxyCall() { var globalTypes = _moduleDefMd?.Types.Where(t => t.Namespace == string.Empty).ToArray(); var decryptor = (globalTypes ?? throw new InvalidOperationException()).Single(t => t.Name.StartsWith("{", StringComparison.Ordinal) && t.Name.EndsWith("}", StringComparison.Ordinal)).Methods.Single(m => !m.IsInstanceConstructor && m.Parameters.Count == 1); foreach (var typeDef in globalTypes) { var cctor = typeDef.FindStaticConstructor(); if (cctor is null || !cctor.Body.Instructions.Any(i => i.OpCode == OpCodes.Call && i.Operand == decryptor)) { continue; } switch (_module) { case not null: { foreach (var fieldInfo in _module.ResolveType(typeDef.MDToken.ToInt32()) .GetFields(BindingFlags.NonPublic | BindingFlags.Static) !) { var proxyFieldToken = fieldInfo.MetadataToken; var proxyFieldDef = _moduleDefMd?.ResolveField((uint)proxyFieldToken - 0x4000000); var realMethod = ((Delegate)fieldInfo.GetValue(null) !).Method; if (Utils.IsDynamicMethod(realMethod)) { var dynamicMethodBodyReader = new DynamicMethodBodyReader(_moduleDefMd, realMethod); dynamicMethodBodyReader.Read(); var instructionList = dynamicMethodBodyReader.GetMethod().Body.Instructions; ReplaceAllOperand(proxyFieldDef, instructionList[instructionList.Count - 2].OpCode, (MemberRef)instructionList[instructionList.Count - 2].Operand); } else { ReplaceAllOperand(proxyFieldDef, realMethod.IsVirtual ? OpCodes.Callvirt : OpCodes.Call, (MemberRef)_moduleDefMd.Import(realMethod)); } } break; } } } }
private static void DecryptMethods(MethodDef methodDef, MethodBase invokeMethod, object fieldInstance) { if (!methodDef.HasBody) { return; } var instructions = methodDef.Body.Instructions; if (instructions.Count > 2 && instructions[0].OpCode.Code == Code.Ldsfld && instructions[0].Operand.ToString().Contains("Invoke") && instructions[1].IsLdcI4()) { try { var mdToken = ((IType)methodDef.Body.Instructions[3].Operand).MDToken.ToInt32(); JunkTypes.Add(methodDef.DeclaringType.NestedTypes.FirstOrDefault(net => net.MDToken.ToInt32() == mdToken)); Hooks.MethodBase = Assembly.ManifestModule.ResolveMethod(methodDef.MDToken.ToInt32()); var index = instructions[1].GetLdcI4Value(); var method = invokeMethod.Invoke(fieldInstance, new object[] { index }); var reader = new DynamicMethodBodyReader(Module, method); reader.Read(); methodDef.FreeMethodBody(); methodDef.Body = reader.GetMethod().Body; } catch (Exception ex) { Console.WriteLine($"Error: {ex.Message}{Environment.NewLine}Method: {methodDef.FullName}{Environment.NewLine}MDToken: 0x{methodDef.MDToken}{Environment.NewLine}"); } } }
public static void Main(string[] args) { Console.ForegroundColor = ConsoleColor.Cyan; Console.Title = "Archangel UnCloacker"; if (args.Length == 0) { Console.WriteLine("This is a Drag And Drop Program! Exiting."); Console.ReadLine(); return; } var Module = ModuleDefMD.Load(args[0]); var asm = Assembly.LoadFile(args[0]); var Asm = Module.GetAssemblyRefs().First(q => q.FullName.Contains("Archangel.CloakingDevice")); if (Asm == null) { return; } var asm2 = Assembly.LoadFile(Path.Combine(Path.GetDirectoryName(args[0]), "Archangel.CloakingDevice.dll")); Harmony.PatchGetCallingAssembly.MethodToReplace = asm; Harmony.Patch(); var invokemethod = asm2.GetType("Archangel.CloakingDevice.KickStart").GetMethod("Boot"); invokemethod.Invoke(null, null); TypeDef specific = null; var MethodFields = new Dictionary <FieldDef, MethodDef>(); foreach (var type in Module.Types) { if (type.HasFields) { foreach (var field in type.Fields) { try{ var val = asm.ManifestModule.ResolveField(field.MDToken.ToInt32()); var value = val.GetValue(null); if (!(value is MulticastDelegate)) { continue; } var t = (MulticastDelegate)value; var reader = new DynamicMethodBodyReader(Module, t.Method); reader.Read(); var def = reader.GetMethod(); MethodFields.Add(field, def); specific = type; } catch { } } } } Console.WriteLine($"Found {MethodFields.Count} obfuscated fields and deobfuscated them."); int replacedmethods = 0; foreach (var type in Module.GetTypes()) { foreach (var method in type.Methods) { if (method.HasBody && method.Body.HasInstructions) { foreach (var instr in method.Body.Instructions) { if (instr.OpCode == OpCodes.Ldsfld) { try{ var op = (FieldDef)instr.Operand; var d = MethodFields[op]; if (d == null) { continue; } method.FreeMethodBody(); method.Body = d.Body; replacedmethods++; goto GetOut; } catch { } } } } GetOut :; } } Console.WriteLine($"Successfully Replaced {replacedmethods} out of {MethodFields.Count} methods."); if (replacedmethods != MethodFields.Count) { Console.ForegroundColor = ConsoleColor.Red; Console.WriteLine("Not all methods were decrypted, rereferencing dll."); Console.ForegroundColor = ConsoleColor.Cyan; Importer importer = new Importer(Module); IMethod Method; Method = importer.Import(invokemethod); var mainmdtok = asm.EntryPoint.MetadataToken; foreach (var type in Module.Types) { foreach (var method in type.Methods) { if (method.MDToken.ToInt32() == mainmdtok) { method.Body.Instructions.Insert(0, new Instruction(OpCodes.Call, Module.Import(Method))); } } } } else { Module.Types.Remove(specific); //Maybe shouldn't remove, you decide. } Save(Module, args[0]); Console.WriteLine("Successfully Saved!"); Console.ReadLine(); }
public static void CleanDelegates(ModuleDefMD module) { foreach (TypeDef typeDef in module.GetTypes()) { foreach (MethodDef methodDef in typeDef.Methods) { bool flag = !methodDef.HasBody; bool flag2 = !flag; if (flag2) { for (int i = 0; i < methodDef.Body.Instructions.Count; i++) { bool flag3 = methodDef.Body.Instructions[i].OpCode == OpCodes.Call && methodDef.Body.Instructions[i].Operand is MethodDef; bool flag4 = flag3; if (flag4) { MethodDef methodDef2 = methodDef.Body.Instructions[i].Operand as MethodDef; bool isDelegate = methodDef2.DeclaringType.IsDelegate; bool flag5 = isDelegate; if (flag5) { bool flag6 = !methodDef2.FullName.Contains("::Invoke"); bool flag7 = flag6; if (flag7) { MethodDef methodDef3 = methodDef2.DeclaringType.FindConstructors().ToArray <MethodDef>()[1]; bool flag8 = methodDef3.Body.Instructions.Count == 5; bool flag9 = flag8; if (flag9) { MethodDef methodDef4 = methodDef3.Body.Instructions[3].Operand as MethodDef; int ldcI4Value = methodDef3.Body.Instructions[0].GetLdcI4Value(); int ldcI4Value2 = methodDef3.Body.Instructions[1].GetLdcI4Value(); int ldcI4Value3 = methodDef3.Body.Instructions[2].GetLdcI4Value(); Program.asm.ManifestModule.ResolveMethod(methodDef4.MDToken.ToInt32()).Invoke(null, new object[] { ldcI4Value, ldcI4Value2, ldcI4Value3 }); FieldDef fieldDef = methodDef2.DeclaringType.Fields.First <FieldDef>(); Delegate @delegate = (Delegate)Program.asm.ManifestModule.ResolveField(fieldDef.MDToken.ToInt32()).GetValue(null); bool flag10 = @delegate.Method.ReturnTypeCustomAttributes.ToString().Contains("DynamicMethod"); bool flag11 = flag10; if (flag11) { DynamicMethodBodyReader dynamicMethodBodyReader = new DynamicMethodBodyReader(module, @delegate); dynamicMethodBodyReader.Read(); int count = dynamicMethodBodyReader.Instructions.Count; methodDef.Body.Instructions[i].OpCode = dynamicMethodBodyReader.Instructions[count - 2].OpCode; methodDef.Body.Instructions[i].Operand = dynamicMethodBodyReader.Instructions[count - 2].Operand; } else { IMethod operand = module.Import(@delegate.Method); methodDef.Body.Instructions[i].OpCode = OpCodes.Call; methodDef.Body.Instructions[i].Operand = operand; } } else { bool flag12 = methodDef3.Body.Instructions.Count == 6; bool flag13 = flag12; if (flag13) { MethodDef methodDef5 = methodDef3.Body.Instructions[4].Operand as MethodDef; int ldcI4Value4 = methodDef3.Body.Instructions[0].GetLdcI4Value(); int ldcI4Value5 = methodDef3.Body.Instructions[1].GetLdcI4Value(); int ldcI4Value6 = methodDef3.Body.Instructions[2].GetLdcI4Value(); int ldcI4Value7 = methodDef3.Body.Instructions[3].GetLdcI4Value(); Program.asm.ManifestModule.ResolveMethod(methodDef5.MDToken.ToInt32()).Invoke(null, new object[] { ldcI4Value4, ldcI4Value5, ldcI4Value6, ldcI4Value7 }); FieldDef fieldDef2 = methodDef2.DeclaringType.Fields.First <FieldDef>(); Delegate delegate2 = (Delegate)Program.asm.ManifestModule.ResolveField(fieldDef2.MDToken.ToInt32()).GetValue(null); bool flag14 = delegate2.Method.ReturnTypeCustomAttributes.ToString().Contains("DynamicMethod"); bool flag15 = flag14; if (flag15) { DynamicMethodBodyReader dynamicMethodBodyReader2 = new DynamicMethodBodyReader(module, delegate2); dynamicMethodBodyReader2.Read(); int count2 = dynamicMethodBodyReader2.Instructions.Count; methodDef.Body.Instructions[i].OpCode = dynamicMethodBodyReader2.Instructions[count2 - 2].OpCode; methodDef.Body.Instructions[i].Operand = dynamicMethodBodyReader2.Instructions[count2 - 2].Operand; } else { IMethod operand2 = module.Import(delegate2.Method); methodDef.Body.Instructions[i].OpCode = OpCodes.Call; methodDef.Body.Instructions[i].Operand = operand2; } } } } } } } } } } }