protected override bool Deobfuscate(Block block)
{
this.block = block;
if (!block.LastInstr.IsConditionalBranch() && block.LastInstr.OpCode.Code != Code.Switch)
{
return(false);
}
instructionEmulator.Initialize(blocks, allBlocks[0] == block);
var instructions = block.Instructions;
if (instructions.Count == 0)
{
return(false);
}
try {
for (int i = 0; i < instructions.Count - 1; i++)
{
var instr = instructions[i].Instruction;
instructionEmulator.Emulate(instr);
}
}
catch (NullReferenceException) {
// Here if eg. invalid metadata token in a call instruction (operand is null)
return(false);
}
return(branchEmulator.Emulate(block.LastInstr.Instruction));
}
protected override bool Deobfuscate(Block block)
{
bool modified = false;
instructionEmulator.Initialize(blocks, allBlocks[0] == block);
var instrs = block.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
var instr = instrs[i];
switch (instr.OpCode.Code)
{
case Code.Ldarg:
case Code.Ldarg_0:
case Code.Ldarg_1:
case Code.Ldarg_2:
case Code.Ldarg_3:
case Code.Ldarg_S:
modified |= FixLoadInstruction(block, i, instructionEmulator.GetArg(instr.Instruction.GetParameter(args)));
break;
case Code.Ldloc:
case Code.Ldloc_0:
case Code.Ldloc_1:
case Code.Ldloc_2:
case Code.Ldloc_3:
case Code.Ldloc_S:
modified |= FixLoadInstruction(block, i, instructionEmulator.GetLocal(instr.Instruction.GetLocal(blocks.Locals)));
break;
case Code.Ldarga:
case Code.Ldarga_S:
instructionEmulator.MakeArgUnknown((Parameter)instr.Operand);
break;
case Code.Ldloca:
case Code.Ldloca_S:
instructionEmulator.MakeLocalUnknown((Local)instr.Operand);
break;
}
try {
instructionEmulator.Emulate(instr.Instruction);
}
catch (NullReferenceException) {
// Here if eg. invalid metadata token in a call instruction (operand is null)
break;
}
}
return(modified);
}
// Switch deobfuscation when block uses stloc N, ldloc N to load switch constant
// blk1:
// ldc.i4 X
// br swblk
// swblk:
// stloc N
// ldloc N
// switch (......)
bool DeobfuscateStLdloc(IList <Block> switchTargets, Block switchFallThrough, Block block)
{
bool modified = false;
foreach (var source in new List <Block>(block.Sources))
{
if (!isBranchBlock(source))
{
continue;
}
instructionEmulator.Initialize(blocks, allBlocks[0] == source);
instructionEmulator.Emulate(source.Instructions);
var target = GetSwitchTarget(switchTargets, switchFallThrough, instructionEmulator.Pop());
if (target == null)
{
continue;
}
source.ReplaceLastNonBranchWithBranch(0, target);
source.Add(new Instr(OpCodes.Pop.ToInstruction()));
modified = true;
}
return(modified);
}
protected override bool Deobfuscate(Block block)
{
bool modified = false;
instructionEmulator.Initialize(Blocks, AllBlocks[0] == block);
var instrs = block.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
var instr = instrs[i];
switch (instr.OpCode.Code)
{
case Code.Ldarg:
case Code.Ldarg_0:
case Code.Ldarg_1:
case Code.Ldarg_2:
case Code.Ldarg_3:
case Code.Ldarg_S:
modified |= FixLoadInstruction(block, i, instructionEmulator.GetArg(instr.Instruction.GetParameter(args)));
break;
case Code.Ldloc:
case Code.Ldloc_0:
case Code.Ldloc_1:
case Code.Ldloc_2:
case Code.Ldloc_3:
case Code.Ldloc_S:
modified |= FixLoadInstruction(block, i, instructionEmulator.GetLocal(instr.Instruction.GetLocal(Blocks.Locals)));
break;
case Code.Ldarga:
case Code.Ldarga_S:
instructionEmulator.MakeArgUnknown((Parameter)instr.Operand);
break;
case Code.Ldloca:
case Code.Ldloca_S:
instructionEmulator.MakeLocalUnknown((Local)instr.Operand);
break;
case Code.Add:
case Code.Add_Ovf:
case Code.Add_Ovf_Un:
case Code.And:
case Code.Ceq:
case Code.Cgt:
case Code.Cgt_Un:
case Code.Clt:
case Code.Clt_Un:
case Code.Conv_I:
case Code.Conv_I1:
case Code.Conv_I2:
case Code.Conv_I4:
case Code.Conv_I8:
case Code.Conv_Ovf_I:
case Code.Conv_Ovf_I_Un:
case Code.Conv_Ovf_I1:
case Code.Conv_Ovf_I1_Un:
case Code.Conv_Ovf_I2:
case Code.Conv_Ovf_I2_Un:
case Code.Conv_Ovf_I4:
case Code.Conv_Ovf_I4_Un:
case Code.Conv_Ovf_I8:
case Code.Conv_Ovf_I8_Un:
case Code.Conv_Ovf_U:
case Code.Conv_Ovf_U_Un:
case Code.Conv_Ovf_U1:
case Code.Conv_Ovf_U1_Un:
case Code.Conv_Ovf_U2:
case Code.Conv_Ovf_U2_Un:
case Code.Conv_Ovf_U4:
case Code.Conv_Ovf_U4_Un:
case Code.Conv_Ovf_U8:
case Code.Conv_Ovf_U8_Un:
case Code.Conv_R_Un:
case Code.Conv_R4:
case Code.Conv_R8:
case Code.Conv_U:
case Code.Conv_U1:
case Code.Conv_U2:
case Code.Conv_U4:
case Code.Conv_U8:
case Code.Div:
case Code.Div_Un:
case Code.Dup:
case Code.Mul:
case Code.Mul_Ovf:
case Code.Mul_Ovf_Un:
case Code.Neg:
case Code.Not:
case Code.Or:
case Code.Rem:
case Code.Rem_Un:
case Code.Shl:
case Code.Shr:
case Code.Shr_Un:
case Code.Sub:
case Code.Sub_Ovf:
case Code.Sub_Ovf_Un:
case Code.Xor:
if (DisableNewCode)
{
break;
}
if (i + 1 < instrs.Count && instrs[i + 1].OpCode.Code == Code.Pop)
{
break;
}
if (!VerifyValidArgs(instr.Instruction))
{
break;
}
instructionEmulator.Emulate(instr.Instruction);
var tos = instructionEmulator.Peek();
Instruction newInstr = null;
if (tos.IsInt32())
{
var val = (Int32Value)tos;
if (val.AllBitsValid())
{
newInstr = Instruction.CreateLdcI4(val.Value);
}
}
else if (tos.IsInt64())
{
var val = (Int64Value)tos;
if (val.AllBitsValid())
{
newInstr = OpCodes.Ldc_I8.ToInstruction(val.Value);
}
}
else if (tos.IsReal8())
{
var val = (Real8Value)tos;
if (val.IsValid)
{
newInstr = GetLoadRealInstruction(val.Value);
}
}
if (newInstr != null)
{
block.Insert(i + 1, Instruction.Create(OpCodes.Pop));
block.Insert(i + 2, newInstr);
i += 2;
modified = true;
}
continue;
}
try {
instructionEmulator.Emulate(instr.Instruction);
}
catch (NullReferenceException) {
// Here if eg. invalid metadata token in a call instruction (operand is null)
break;
}
}
return(modified);
}
// 5.1+
// the only changes are the indexes of ldloc and stfld
bool EmulateDynocodeNew(InstructionEmulator emu, ref int index) {
var instrs = stringMethod.Body.Instructions;
var instr = instrs[index];
var ctor = instr.Operand as MethodDef;
if (ctor == null || ctor.MethodSig.GetParamCount() != 1 || ctor.MethodSig.Params[0].ElementType != ElementType.I4)
return false;
if (index + 4 >= instrs.Count)
return false;
var ldloc = instrs[index + 2];
var stfld = instrs[index + 3];
if (!ldloc.IsLdloc() || stfld.OpCode.Code != Code.Stfld)
return false;
var enumerableField = stfld.Operand as FieldDef;
if (enumerableField == null)
return false;
var initValue = emu.GetLocal(ldloc.GetLocal(stringMethod.Body.Variables)) as Int32Value;
if (initValue == null || !initValue.AllBitsValid())
return false;
int leaveIndex = FindLeave(instrs, index);
if (leaveIndex < 0)
return false;
var afterLoop = instrs[leaveIndex].Operand as Instruction;
if (afterLoop == null)
return false;
int newIndex = instrs.IndexOf(afterLoop);
var loopLocal = GetDCLoopLocal(index, newIndex);
if (loopLocal == null)
return false;
var initValue2 = emu.GetLocal(loopLocal) as Int32Value;
if (initValue2 == null || !initValue2.AllBitsValid())
return false;
int loopStart = GetIndexOfCall(instrs, index, leaveIndex, "System.Int32", "()");
int loopEnd = GetIndexOfCall(instrs, loopStart, leaveIndex, "System.Boolean", "()");
if (loopStart < 0 || loopEnd < 0)
return false;
loopStart++;
loopEnd--;
dynocode.Initialize(module);
var ctorArg = emu.Pop() as Int32Value;
if (ctorArg == null || !ctorArg.AllBitsValid())
return false;
dynocode.CreateEnumerable(ctor, new object[] { ctorArg.Value });
dynocode.WriteEnumerableField(enumerableField.MDToken.ToUInt32(), initValue.Value);
dynocode.CreateEnumerator();
foreach (var val in dynocode) {
emu.Push(new Int32Value(val));
for (int i = loopStart; i < loopEnd; i++)
emu.Emulate(instrs[i]);
}
index = newIndex - 1;
return true;
}
bool FindInts(int index) {
if (index < 0)
return false;
i2 = 0;
var instrs = stringMethod.Body.Instructions;
var emu = new InstructionEmulator(stringMethod);
foreach (var kv in stringMethodConsts.Locals32)
emu.SetLocal(kv.Key, new Int32Value(kv.Value));
var fields = new Dictionary<FieldDef, int?>();
for (int i = index; i < instrs.Count - 2; i++) {
var instr = instrs[i];
FieldDef field;
switch (instr.OpCode.Code) {
case Code.Ldsfld:
field = instr.Operand as FieldDef;
if (field == null || field.DeclaringType != stringMethod.DeclaringType || field.FieldType.GetElementType() != ElementType.I4)
goto default;
fields[field] = null;
emu.Push(new Int32Value(i1));
break;
case Code.Stsfld:
field = instr.Operand as FieldDef;
if (field == null || field.DeclaringType != stringMethod.DeclaringType || field.FieldType.GetElementType() != ElementType.I4)
goto default;
if (fields.ContainsKey(field) && fields[field] == null)
goto default;
var val = emu.Pop() as Int32Value;
if (val == null || !val.AllBitsValid())
fields[field] = null;
else
fields[field] = val.Value;
break;
case Code.Call:
var method = instr.Operand as MethodDef;
if (!decrypterType.Detected || method != decrypterType.Int64Method)
goto done;
emu.Push(new Int64Value((long)decrypterType.GetMagic()));
break;
case Code.Newobj:
if (!EmulateDynocode(emu, ref i))
goto default;
break;
default:
if (instr.OpCode.FlowControl != FlowControl.Next)
goto done;
emu.Emulate(instr);
break;
}
}
done:
foreach (var val in fields.Values) {
if (val == null)
continue;
magic1 = i2 = val.Value;
return true;
}
return false;
}
public static Value[] GetInitializedArray(int arraySize, MethodDef method, ref int newarrIndex, Code stelemOpCode) {
var resultValueArray = new Value[arraySize];
var emulator = new InstructionEmulator(method);
var theArray = new UnknownValue();
emulator.Push(theArray);
var instructions = method.Body.Instructions;
int i;
for (i = newarrIndex + 1; i < instructions.Count; i++) {
var instr = instructions[i];
if (instr.OpCode.FlowControl != FlowControl.Next)
break;
if (instr.OpCode.Code == Code.Newarr)
break;
switch (instr.OpCode.Code) {
case Code.Newarr:
case Code.Newobj:
goto done;
case Code.Stloc:
case Code.Stloc_S:
case Code.Stloc_0:
case Code.Stloc_1:
case Code.Stloc_2:
case Code.Stloc_3:
case Code.Starg:
case Code.Starg_S:
case Code.Stsfld:
case Code.Stfld:
if (emulator.Peek() == theArray && i != newarrIndex + 1 && i != newarrIndex + 2)
goto done;
break;
}
if (instr.OpCode.Code == stelemOpCode) {
var value = emulator.Pop();
var index = emulator.Pop() as Int32Value;
var array = emulator.Pop();
if (ReferenceEquals(array, theArray) && index != null && index.AllBitsValid()) {
if (0 <= index.Value && index.Value < resultValueArray.Length)
resultValueArray[index.Value] = value;
}
}
else
emulator.Emulate(instr);
}
done:
if (i != newarrIndex + 1)
i--;
newarrIndex = i;
return resultValueArray;
}
