/// <summary> /// Reads a <see cref="TypeSig"/> signature /// </summary> /// <param name="helper">Token resolver</param> /// <param name="corLibTypes">A <see cref="ICorLibTypes"/> instance</param> /// <param name="signature">The signature data</param> /// <param name="gpContext">Generic parameter context</param> /// <param name="extraData">If there's any extra data after the signature, it's saved /// here, else this will be <c>null</c></param> /// <returns>A new <see cref="TypeSig"/> instance or <c>null</c> if /// <paramref name="signature"/> is invalid.</returns> public static TypeSig ReadTypeSig(ISignatureReaderHelper helper, ICorLibTypes corLibTypes, byte[] signature, GenericParamContext gpContext, out byte[] extraData) => ReadTypeSig(helper, corLibTypes, ByteArrayDataReaderFactory.CreateReader(signature), gpContext, out extraData);
/// <summary> /// Reads a <see cref="TypeSig"/> signature /// </summary> /// <param name="module">The module where the signature is located in</param> /// <param name="signature">The signature data</param> /// <param name="gpContext">Generic parameter context</param> /// <returns>A new <see cref="TypeSig"/> instance or <c>null</c> if /// <paramref name="signature"/> is invalid.</returns> public static TypeSig ReadTypeSig(ModuleDefMD module, byte[] signature, GenericParamContext gpContext) => ReadTypeSig(module, module.CorLibTypes, ByteArrayDataReaderFactory.CreateReader(signature), gpContext);
/// <summary> /// Reads a <see cref="TypeSig"/> signature /// </summary> /// <param name="helper">Token resolver</param> /// <param name="corLibTypes">A <see cref="ICorLibTypes"/> instance</param> /// <param name="signature">The signature data</param> /// <returns>A new <see cref="TypeSig"/> instance or <c>null</c> if /// <paramref name="signature"/> is invalid.</returns> public static TypeSig ReadTypeSig(ISignatureReaderHelper helper, ICorLibTypes corLibTypes, byte[] signature) => ReadTypeSig(helper, corLibTypes, ByteArrayDataReaderFactory.CreateReader(signature), new GenericParamContext());
/// <summary> /// Reads a <see cref="CallingConventionSig"/> signature /// </summary> /// <param name="helper">Token resolver</param> /// <param name="corLibTypes">A <see cref="ICorLibTypes"/> instance</param> /// <param name="signature">The signature data</param> /// <param name="gpContext">Generic parameter context</param> /// <returns>A new <see cref="CallingConventionSig"/> instance or <c>null</c> if /// <paramref name="signature"/> is invalid.</returns> public static CallingConventionSig ReadSig(ISignatureReaderHelper helper, ICorLibTypes corLibTypes, byte[] signature, GenericParamContext gpContext) => ReadSig(helper, corLibTypes, ByteArrayDataReaderFactory.CreateReader(signature), gpContext);
/// <summary> /// Reads a <see cref="CallingConventionSig"/> signature /// </summary> /// <param name="module">The module where the signature is located in</param> /// <param name="signature">The signature data</param> /// <returns>A new <see cref="CallingConventionSig"/> instance or <c>null</c> if /// <paramref name="signature"/> is invalid.</returns> public static CallingConventionSig ReadSig(ModuleDefMD module, byte[] signature) => ReadSig(module, module.CorLibTypes, ByteArrayDataReaderFactory.CreateReader(signature), new GenericParamContext());
/// <summary> /// Reads a <c>DeclSecurity</c> blob /// </summary> /// <param name="module">Module that will own the returned list</param> /// <param name="blob"><c>DeclSecurity</c> blob</param> /// <param name="gpContext">Generic parameter context</param>/// /// <returns>A list of <see cref="SecurityAttribute"/>s</returns> public static IList <SecurityAttribute> Read(ModuleDef module, byte[] blob, GenericParamContext gpContext) => Read(module, ByteArrayDataReaderFactory.CreateReader(blob), gpContext);
public void EncryptNativeMethods(ModuleWriterBase moduleWriter)
{
if (validNativeMethods == null || validNativeMethods.Count == 0)
{
return;
}
Logger.v("Encrypting native methods");
var stream = new MemoryStream();
var writer = new BinaryWriter(stream);
writer.Write((uint)0); // patch count
writer.Write((uint)0); // mode
writer.Write(validNativeMethods.Count);
int index = 0;
foreach (var method in validNativeMethods)
{
var code = methodToNativeMethod[method];
var mb = moduleWriter.Metadata.GetMethodBody(method);
if (mb == null)
{
Logger.e("Could not find method body for method {0} ({1:X8})", method, method.MDToken.Raw);
continue;
}
uint codeRva = (uint)mb.RVA;
if (mb.IsTiny)
{
codeRva++;
}
else
{
codeRva += (uint)(4 * (mb.Code[1] >> 4));
}
Logger.v("Native method {0:X8}, code RVA {1:X8}", new MDToken(Table.Method, moduleWriter.Metadata.GetRid(method)).Raw, codeRva);
writer.Write(codeRva);
writer.Write(0x70000000 + index++);
writer.Write(code.Length);
writer.Write(code);
}
if (index != 0)
{
Logger.n("Re-encrypted {0}/{1} native methods", index, totalEncryptedNativeMethods);
}
var resourceChunk = moduleWriter.Metadata.GetChunk(encryptedResource.Resource);
var resourceData = resourceChunk.CreateReader();
var encrypted = stream.ToArray();
XorEncrypt(encrypted);
encrypted = encryptedResource.Encrypt(encrypted);
if (encrypted.Length != resourceData.Length)
{
Logger.e("Encrypted native methods array is not same size as original array");
}
resourceChunk.SetData(ByteArrayDataReaderFactory.CreateReader(encrypted));
}
public bool Decrypt(MyPEImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref DumpedMethods dumpedMethods, Dictionary <uint, byte[]> tokenToNativeCode, bool unpackedNativeFile)
{
if (encryptedResource.Method == null)
{
return(false);
}
encryptedResource.Initialize(simpleDeobfuscator);
if (!encryptedResource.FoundResource)
{
return(false);
}
var methodsData = encryptedResource.Decrypt();
bool hooksJitter = FindDnrCompileMethod(encryptedResource.Method.DeclaringType) != null;
xorKey = GetXorKey();
XorEncrypt(methodsData);
var methodsDataReader = ByteArrayDataReaderFactory.CreateReader(methodsData);
int patchCount = methodsDataReader.ReadInt32();
int mode = methodsDataReader.ReadInt32();
int tmp = methodsDataReader.ReadInt32();
methodsDataReader.Position -= 4;
if ((tmp & 0xFF000000) == 0x06000000)
{
// It's method token + rva. DNR 3.7.0.3 (and earlier?) - 3.9.0.1
methodsDataReader.Position += 8 * (uint)patchCount;
patchCount = methodsDataReader.ReadInt32();
mode = methodsDataReader.ReadInt32();
PatchDwords(peImage, ref methodsDataReader, patchCount);
while (methodsDataReader.Position < methodsData.Length - 1)
{
/*uint token =*/ methodsDataReader.ReadUInt32();
int numDwords = methodsDataReader.ReadInt32();
PatchDwords(peImage, ref methodsDataReader, numDwords / 2);
}
}
else if (!hooksJitter || mode == 1)
{
// DNR 3.9.8.0, 4.0+
PatchDwords(peImage, ref methodsDataReader, patchCount);
bool oldCode = !IsNewer45Decryption(encryptedResource.Method);
bool isUsingOffset = !IsUsingRva(encryptedResource.Method);
while (methodsDataReader.Position < methodsData.Length - 1)
{
uint rva = (uint)methodsDataReader.ReadInt32();
int size;
if (oldCode)
{
methodsDataReader.ReadInt32(); // token, unknown, or index
size = methodsDataReader.ReadInt32();
}
else
{
size = methodsDataReader.ReadInt32() * 4;
}
var newData = methodsDataReader.ReadBytes(size);
if (unpackedNativeFile && isUsingOffset)
{
peImage.DotNetSafeWriteOffset(rva, newData);
}
else
{
peImage.DotNetSafeWrite(rva, newData);
}
}
}
else
{
// DNR 4.0+ (jitter is hooked)
var methodDef = peImage.Metadata.TablesStream.MethodTable;
var rvaToIndex = new Dictionary <uint, int>((int)methodDef.Rows);
uint offset = (uint)methodDef.StartOffset;
for (int i = 0; i < methodDef.Rows; i++)
{
uint rva = peImage.OffsetReadUInt32(offset);
offset += methodDef.RowSize;
if (rva == 0)
{
continue;
}
if ((peImage.ReadByte(rva) & 3) == 2)
{
rva++;
}
else
{
rva += (uint)(4 * (peImage.ReadByte(rva + 1) >> 4));
}
rvaToIndex[rva] = i;
}
PatchDwords(peImage, ref methodsDataReader, patchCount);
/*int count =*/ methodsDataReader.ReadInt32();
dumpedMethods = new DumpedMethods();
while (methodsDataReader.Position < methodsData.Length - 1)
{
uint rva = methodsDataReader.ReadUInt32();
uint index = methodsDataReader.ReadUInt32();
bool isNativeCode = index >= 0x70000000;
int size = methodsDataReader.ReadInt32();
var methodData = methodsDataReader.ReadBytes(size);
if (!rvaToIndex.TryGetValue(rva, out int methodIndex))
{
Logger.w("Could not find method having code RVA {0:X8}", rva);
continue;
}
uint methodToken = 0x06000001 + (uint)methodIndex;
if (isNativeCode)
{
totalEncryptedNativeMethods++;
if (tokenToNativeCode != null)
{
tokenToNativeCode[methodToken] = methodData;
}
// Convert return true / false methods. The others are converted to
// throw 0xDEADCODE.
if (DeobUtils.IsCode(nativeLdci4, methodData))
{
uint val = BitConverter.ToUInt32(methodData, 4);
// ldc.i4 XXXXXXXXh / ret
methodData = new byte[] { 0x20, 0, 0, 0, 0, 0x2A };
methodData[1] = (byte)val;
methodData[2] = (byte)(val >> 8);
methodData[3] = (byte)(val >> 16);
methodData[4] = (byte)(val >> 24);
}
else if (DeobUtils.IsCode(nativeLdci4_0, methodData))
{
// ldc.i4.0 / ret
methodData = new byte[] { 0x16, 0x2A };
}
else
{
tokenToNativeMethod[methodToken] = methodData;
// ldc.i4 0xDEADCODE / conv.u4 / throw
methodData = new byte[] { 0x20, 0xDE, 0xC0, 0xAD, 0xDE, 0x6D, 0x7A };
}
}
var dm = new DumpedMethod();
peImage.ReadMethodTableRowTo(dm, MDToken.ToRID(methodToken));
dm.code = methodData;
var codeReader = peImage.Reader;
codeReader.Position = peImage.RvaToOffset(dm.mdRVA);
var mbHeader = MethodBodyParser.ParseMethodBody(ref codeReader, out var code, out dm.extraSections);
peImage.UpdateMethodHeaderInfo(dm, mbHeader);
dumpedMethods.Add(dm);
}
}
return(true);
}
