Exemplo n.º 1
0
        private static void DecryptMethods(MethodDef methodDef, MethodBase invokeMethod, object fieldInstance)
        {
            var instructions = methodDef.Body.Instructions;

            if (instructions.Count < 9)
            {
                return;
            }
            if (instructions[0].OpCode != OpCodes.Ldsfld)
            {
                return;
            }
            if (((FieldDef)instructions[0].Operand).FullName != "i <Module>::Invoke")
            {
                return;
            }

            ToRemove.Add(instructions[3].Operand);

            int index = instructions[1].GetLdcI4Value();

            var dynamicMethodBodyReader = new DynamicMethodBodyReader(methodDef.Module, invokeMethod.Invoke(fieldInstance, new object[] { index }));

            dynamicMethodBodyReader.Read();

            methodDef.FreeMethodBody();
            methodDef.Body = dynamicMethodBodyReader.GetMethod().Body;
        }
Exemplo n.º 2
0
    private static void InvokeDelegates(IList <TypeDef> typeDefs, MethodInfo invokeMethod, object invokeField)
    {
        foreach (TypeDef typeDef in typeDefs)
        {
            foreach (MethodDef methodDef in typeDef.Methods)
            {
                if (!(methodDef.Module.Name != assembly.ManifestModule.ScopeName) && methodDef.HasBody && methodDef.Body.Instructions.Count > 2 && methodDef.Body.Instructions[0].OpCode == OpCodes.Ldsfld && methodDef.Body.Instructions[0].Operand.ToString().Contains("Invoke") && methodDef.Body.Instructions[1].IsLdcI4())
                {
                    currentMethod = methodDef;

                    var _MDToken = ((IType)methodDef.Body.Instructions[3].Operand).MDToken.ToInt32();
                    junkType.Add(typeDef.NestedTypes.FirstOrDefault(net => net.MDToken.ToInt32() == _MDToken));
                    object method = invokeMethod.Invoke(invokeField, new object[] { (int)methodDef.Body.Instructions[1].Operand });

                    try
                    {
                        var dynamicMethodBodyReader = new DynamicMethodBodyReader(assemblyWriter.moduleDef, method);
                        dynamicMethodBodyReader.Read();
                        var method2 = dynamicMethodBodyReader.GetMethod();
                        assemblyWriter.WriteMethod(method2);
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine("Error in Read(): " + ex.Message + "\nMethod : " + method.ToString());
                    }
                }
            }
        }
    }
Exemplo n.º 3
0
 public override void Execute(Context Context) // Change "ConvertBack::Runner" for Modded Versions
 {
     if (Context.SysModule != null && Context.DnModule != null)
     {
         try { Initialize.Initalize("Eddy^CZ_", Context.SysModule); } catch { Context.Log.Custom("Skipping", "Not CawkVM"); return; }
         foreach (var TypeDef in Context.DnModule.Types.Where(x => x.HasMethods && !x.IsGlobalModuleType))
         {
             foreach (var MethodDef in TypeDef.Methods.Where(x => x.HasBody))
             {
                 var IL = MethodDef.Body.Instructions;
                 for (int x = 0; x < IL.Count; x++)
                 {
                     if (IL[x].OpCode == OpCodes.Call &&
                         IL[x].Operand.ToString().Contains("ConvertBack::Runner") &&
                         IL[x - 4].IsLdcI4() &&
                         IL[x - 3].IsLdcI4() &&
                         IL[x - 2].IsLdcI4())
                     {
                         try
                         {
                             var      Position = IL[x - 4].GetLdcI4Value();
                             var      Size = IL[x - 3].GetLdcI4Value();
                             var      ID = IL[x - 2].GetLdcI4Value();
                             object[] Params = new object[MethodDef.Parameters.Count]; int Index = 0;
                             foreach (var Param in MethodDef.Parameters)
                             {
                                 Params[Index++] = Param.Type.Next;
                             }
                             var methodBase    = Context.SysModule.ResolveMethod(MethodDef.MDToken.ToInt32());
                             var dynamicMethod = ConvertBack.Runner(Position, Size, ID, Params, methodBase);
                             var dynamicReader = Activator.CreateInstance(
                                 typeof(System.Reflection.Emit.DynamicMethod).Module.GetTypes()
                                 .FirstOrDefault(t => t.Name == "DynamicResolver"),
                                 (System.Reflection.BindingFlags)(-1), null, new object[] { dynamicMethod.GetILGenerator() }, null);
                             var dynamicMethodBodyReader = new DynamicMethodBodyReader(MethodDef.Module, dynamicReader);
                             dynamicMethodBodyReader.Read();
                             MethodDef.Body = dynamicMethodBodyReader.GetMethod().Body;
                             Context.Log.Debug($"Done Devirtualize Method : {MethodDef.Name}");
                         }
                         catch (Exception ex)
                         {
                             Context.Log.Error(ex.Message);
                         }
                     }
                 }
             }
         }
     }
 }
Exemplo n.º 4
0
        internal void ReadMethod(object method)
        {
            try
            {
                var methodBodyReader = new DynamicMethodBodyReader(_assemblyWriter.ModuleDef, method);
                methodBodyReader.Read();

                var methodDef = methodBodyReader.GetMethod();

                _assemblyWriter.WriteMethod(methodDef);
            }
            catch (Exception e)
            {
                Console.WriteLine("Error in ReadMethod(): " + e.Message);
                throw;
            }
        }
Exemplo n.º 5
0
        private static void InvokeDelegates(IList <TypeDef> typeDefs, MethodInfo invokeMethod, object invokeField)
        {
            var methodDefs = typeDefs.SelectMany(x => x.Methods).Where(x =>
                                                                       x.Module.Name == Assembly.ManifestModule.ScopeName && x.HasBody &&
                                                                       x.Body.Instructions.Count > 2 &&
                                                                       x.Body.Instructions[0].OpCode == OpCodes.Ldsfld &&
                                                                       x.Body.Instructions[0].Operand.ToString().Contains("Invoke") &&
                                                                       x.Body.Instructions[1].IsLdcI4());

            foreach (var methodDef in methodDefs)
            {
                _totalPackedMethods++;

                CurrentMethod     = methodDef;
                CurrentMethodBase = Assembly.ManifestModule.ResolveMethod(methodDef.MDToken.ToInt32());

                var mdToken = ((IType)methodDef.Body.Instructions[3].Operand).MDToken.ToInt32();
                JunkType.Add(methodDef.DeclaringType.NestedTypes.FirstOrDefault(net => net.MDToken.ToInt32() == mdToken));
                var index = methodDef.Body.Instructions[1].GetLdcI4Value();
                if (index == IgnoreIndex)
                {
                    continue;
                }

                var method = invokeMethod.Invoke(invokeField, new object[] { index });

                try
                {
                    var dynamicMethodBodyReader = new DynamicMethodBodyReader(AssemblyWriter.moduleDef, method);
                    dynamicMethodBodyReader.Read();
                    var unpackedMethod = dynamicMethodBodyReader.GetMethod();
                    AssemblyWriter.WriteMethod(methodDef, unpackedMethod);
                    _totalUnpackedMethods++;
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Error in Read(): " + ex.Message + "\nMethod : " + method);
                }
                finally
                {
                    CurrentMethod = null;
                }
            }
        }
Exemplo n.º 6
0
        public static MethodDef ResolveMethodBodyShit(int num, ModuleDefMD Module)
        {
            GCHandle obj = Harmony.Handlaaaa;

            try{
                var asd = obj.Target as object[];
                var f   = asd[num].GetType();
                var s   = f.GetRuntimeFields();
                var gh  = s.ToArray()[1].GetValue(asd[num]) as Delegate[];
                var del = gh[0];

                DynamicMethodBodyReader reader = new DynamicMethodBodyReader(Module, del);
                reader.Read();
                return(reader.GetMethod());
            }
            catch {
            }
            return(null);
        }
Exemplo n.º 7
0
        internal static void FixProxyCall()
        {
            var globalTypes = _moduleDefMd?.Types.Where(t => t.Namespace == string.Empty).ToArray();
            var decryptor   = (globalTypes ?? throw new InvalidOperationException()).Single(t => t.Name.StartsWith("{", StringComparison.Ordinal) &&
                                                                                            t.Name.EndsWith("}", StringComparison.Ordinal)).Methods.Single(m => !m.IsInstanceConstructor && m.Parameters.Count == 1);

            foreach (var typeDef in globalTypes)
            {
                var cctor = typeDef.FindStaticConstructor();
                if (cctor is null || !cctor.Body.Instructions.Any(i => i.OpCode == OpCodes.Call && i.Operand == decryptor))
                {
                    continue;
                }
                switch (_module)
                {
                case not null: {
                    foreach (var fieldInfo in _module.ResolveType(typeDef.MDToken.ToInt32())
                             .GetFields(BindingFlags.NonPublic | BindingFlags.Static) !)
                    {
                        var proxyFieldToken = fieldInfo.MetadataToken;
                        var proxyFieldDef   = _moduleDefMd?.ResolveField((uint)proxyFieldToken - 0x4000000);
                        var realMethod      = ((Delegate)fieldInfo.GetValue(null) !).Method;

                        if (Utils.IsDynamicMethod(realMethod))
                        {
                            var dynamicMethodBodyReader = new DynamicMethodBodyReader(_moduleDefMd, realMethod);
                            dynamicMethodBodyReader.Read();
                            var instructionList = dynamicMethodBodyReader.GetMethod().Body.Instructions;
                            ReplaceAllOperand(proxyFieldDef, instructionList[instructionList.Count - 2].OpCode,
                                              (MemberRef)instructionList[instructionList.Count - 2].Operand);
                        }
                        else
                        {
                            ReplaceAllOperand(proxyFieldDef, realMethod.IsVirtual ? OpCodes.Callvirt : OpCodes.Call,
                                              (MemberRef)_moduleDefMd.Import(realMethod));
                        }
                    }

                    break;
                }
                }
            }
        }
Exemplo n.º 8
0
        private static void DecryptMethods(MethodDef methodDef, MethodBase invokeMethod, object fieldInstance)
        {
            if (!methodDef.HasBody)
            {
                return;
            }

            var instructions = methodDef.Body.Instructions;

            if (instructions.Count > 2 &&
                instructions[0].OpCode.Code == Code.Ldsfld &&
                instructions[0].Operand.ToString().Contains("Invoke") &&
                instructions[1].IsLdcI4())
            {
                try
                {
                    var mdToken = ((IType)methodDef.Body.Instructions[3].Operand).MDToken.ToInt32();
                    JunkTypes.Add(methodDef.DeclaringType.NestedTypes.FirstOrDefault(net => net.MDToken.ToInt32() == mdToken));

                    Hooks.MethodBase = Assembly.ManifestModule.ResolveMethod(methodDef.MDToken.ToInt32());

                    var index  = instructions[1].GetLdcI4Value();
                    var method = invokeMethod.Invoke(fieldInstance, new object[] { index });

                    var reader = new DynamicMethodBodyReader(Module, method);
                    reader.Read();

                    methodDef.FreeMethodBody();
                    methodDef.Body = reader.GetMethod().Body;
                }
                catch (Exception ex)
                {
                    Console.WriteLine($"Error: {ex.Message}{Environment.NewLine}Method: {methodDef.FullName}{Environment.NewLine}MDToken: 0x{methodDef.MDToken}{Environment.NewLine}");
                }
            }
        }
Exemplo n.º 9
0
        public static void Main(string[] args)
        {
            Console.ForegroundColor = ConsoleColor.Cyan;
            Console.Title           = "Archangel UnCloacker";
            if (args.Length == 0)
            {
                Console.WriteLine("This is a Drag And Drop Program! Exiting.");
                Console.ReadLine();
                return;
            }

            var Module = ModuleDefMD.Load(args[0]);
            var asm    = Assembly.LoadFile(args[0]);


            var Asm = Module.GetAssemblyRefs().First(q => q.FullName.Contains("Archangel.CloakingDevice"));

            if (Asm == null)
            {
                return;
            }

            var asm2 =
                Assembly.LoadFile(Path.Combine(Path.GetDirectoryName(args[0]), "Archangel.CloakingDevice.dll"));

            Harmony.PatchGetCallingAssembly.MethodToReplace = asm;
            Harmony.Patch();

            var invokemethod = asm2.GetType("Archangel.CloakingDevice.KickStart").GetMethod("Boot");

            invokemethod.Invoke(null, null);
            TypeDef specific = null;

            var MethodFields = new Dictionary <FieldDef, MethodDef>();

            foreach (var type in Module.Types)
            {
                if (type.HasFields)
                {
                    foreach (var field in type.Fields)
                    {
                        try{
                            var val   = asm.ManifestModule.ResolveField(field.MDToken.ToInt32());
                            var value = val.GetValue(null);
                            if (!(value is MulticastDelegate))
                            {
                                continue;
                            }

                            var t      = (MulticastDelegate)value;
                            var reader = new DynamicMethodBodyReader(Module, t.Method);
                            reader.Read();
                            var def = reader.GetMethod();
                            MethodFields.Add(field, def);
                            specific = type;
                        }
                        catch {
                        }
                    }
                }
            }
            Console.WriteLine($"Found {MethodFields.Count} obfuscated fields and deobfuscated them.");

            int replacedmethods = 0;

            foreach (var type in Module.GetTypes())
            {
                foreach (var method in type.Methods)
                {
                    if (method.HasBody && method.Body.HasInstructions)
                    {
                        foreach (var instr in method.Body.Instructions)
                        {
                            if (instr.OpCode == OpCodes.Ldsfld)
                            {
                                try{
                                    var op = (FieldDef)instr.Operand;
                                    var d  = MethodFields[op];
                                    if (d == null)
                                    {
                                        continue;
                                    }
                                    method.FreeMethodBody();
                                    method.Body = d.Body;
                                    replacedmethods++;
                                    goto GetOut;
                                }
                                catch {
                                }
                            }
                        }
                    }

                    GetOut :;
                }
            }


            Console.WriteLine($"Successfully Replaced {replacedmethods} out of {MethodFields.Count} methods.");
            if (replacedmethods != MethodFields.Count)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("Not all methods were decrypted, rereferencing dll.");
                Console.ForegroundColor = ConsoleColor.Cyan;
                Importer importer = new Importer(Module);
                IMethod  Method;
                Method = importer.Import(invokemethod);
                var mainmdtok = asm.EntryPoint.MetadataToken;
                foreach (var type in Module.Types)
                {
                    foreach (var method in type.Methods)
                    {
                        if (method.MDToken.ToInt32() == mainmdtok)
                        {
                            method.Body.Instructions.Insert(0, new Instruction(OpCodes.Call, Module.Import(Method)));
                        }
                    }
                }
            }
            else
            {
                Module.Types.Remove(specific);
                //Maybe shouldn't remove, you decide.
            }
            Save(Module, args[0]);
            Console.WriteLine("Successfully Saved!");
            Console.ReadLine();
        }
Exemplo n.º 10
0
 public static void CleanDelegates(ModuleDefMD module)
 {
     foreach (TypeDef typeDef in module.GetTypes())
     {
         foreach (MethodDef methodDef in typeDef.Methods)
         {
             bool flag  = !methodDef.HasBody;
             bool flag2 = !flag;
             if (flag2)
             {
                 for (int i = 0; i < methodDef.Body.Instructions.Count; i++)
                 {
                     bool flag3 = methodDef.Body.Instructions[i].OpCode == OpCodes.Call && methodDef.Body.Instructions[i].Operand is MethodDef;
                     bool flag4 = flag3;
                     if (flag4)
                     {
                         MethodDef methodDef2 = methodDef.Body.Instructions[i].Operand as MethodDef;
                         bool      isDelegate = methodDef2.DeclaringType.IsDelegate;
                         bool      flag5      = isDelegate;
                         if (flag5)
                         {
                             bool flag6 = !methodDef2.FullName.Contains("::Invoke");
                             bool flag7 = flag6;
                             if (flag7)
                             {
                                 MethodDef methodDef3 = methodDef2.DeclaringType.FindConstructors().ToArray <MethodDef>()[1];
                                 bool      flag8      = methodDef3.Body.Instructions.Count == 5;
                                 bool      flag9      = flag8;
                                 if (flag9)
                                 {
                                     MethodDef methodDef4  = methodDef3.Body.Instructions[3].Operand as MethodDef;
                                     int       ldcI4Value  = methodDef3.Body.Instructions[0].GetLdcI4Value();
                                     int       ldcI4Value2 = methodDef3.Body.Instructions[1].GetLdcI4Value();
                                     int       ldcI4Value3 = methodDef3.Body.Instructions[2].GetLdcI4Value();
                                     Program.asm.ManifestModule.ResolveMethod(methodDef4.MDToken.ToInt32()).Invoke(null, new object[]
                                     {
                                         ldcI4Value,
                                         ldcI4Value2,
                                         ldcI4Value3
                                     });
                                     FieldDef fieldDef  = methodDef2.DeclaringType.Fields.First <FieldDef>();
                                     Delegate @delegate = (Delegate)Program.asm.ManifestModule.ResolveField(fieldDef.MDToken.ToInt32()).GetValue(null);
                                     bool     flag10    = @delegate.Method.ReturnTypeCustomAttributes.ToString().Contains("DynamicMethod");
                                     bool     flag11    = flag10;
                                     if (flag11)
                                     {
                                         DynamicMethodBodyReader dynamicMethodBodyReader = new DynamicMethodBodyReader(module, @delegate);
                                         dynamicMethodBodyReader.Read();
                                         int count = dynamicMethodBodyReader.Instructions.Count;
                                         methodDef.Body.Instructions[i].OpCode  = dynamicMethodBodyReader.Instructions[count - 2].OpCode;
                                         methodDef.Body.Instructions[i].Operand = dynamicMethodBodyReader.Instructions[count - 2].Operand;
                                     }
                                     else
                                     {
                                         IMethod operand = module.Import(@delegate.Method);
                                         methodDef.Body.Instructions[i].OpCode  = OpCodes.Call;
                                         methodDef.Body.Instructions[i].Operand = operand;
                                     }
                                 }
                                 else
                                 {
                                     bool flag12 = methodDef3.Body.Instructions.Count == 6;
                                     bool flag13 = flag12;
                                     if (flag13)
                                     {
                                         MethodDef methodDef5  = methodDef3.Body.Instructions[4].Operand as MethodDef;
                                         int       ldcI4Value4 = methodDef3.Body.Instructions[0].GetLdcI4Value();
                                         int       ldcI4Value5 = methodDef3.Body.Instructions[1].GetLdcI4Value();
                                         int       ldcI4Value6 = methodDef3.Body.Instructions[2].GetLdcI4Value();
                                         int       ldcI4Value7 = methodDef3.Body.Instructions[3].GetLdcI4Value();
                                         Program.asm.ManifestModule.ResolveMethod(methodDef5.MDToken.ToInt32()).Invoke(null, new object[]
                                         {
                                             ldcI4Value4,
                                             ldcI4Value5,
                                             ldcI4Value6,
                                             ldcI4Value7
                                         });
                                         FieldDef fieldDef2 = methodDef2.DeclaringType.Fields.First <FieldDef>();
                                         Delegate delegate2 = (Delegate)Program.asm.ManifestModule.ResolveField(fieldDef2.MDToken.ToInt32()).GetValue(null);
                                         bool     flag14    = delegate2.Method.ReturnTypeCustomAttributes.ToString().Contains("DynamicMethod");
                                         bool     flag15    = flag14;
                                         if (flag15)
                                         {
                                             DynamicMethodBodyReader dynamicMethodBodyReader2 = new DynamicMethodBodyReader(module, delegate2);
                                             dynamicMethodBodyReader2.Read();
                                             int count2 = dynamicMethodBodyReader2.Instructions.Count;
                                             methodDef.Body.Instructions[i].OpCode  = dynamicMethodBodyReader2.Instructions[count2 - 2].OpCode;
                                             methodDef.Body.Instructions[i].Operand = dynamicMethodBodyReader2.Instructions[count2 - 2].Operand;
                                         }
                                         else
                                         {
                                             IMethod operand2 = module.Import(delegate2.Method);
                                             methodDef.Body.Instructions[i].OpCode  = OpCodes.Call;
                                             methodDef.Body.Instructions[i].Operand = operand2;
                                         }
                                     }
                                 }
                             }
                         }
                     }
                 }
             }
         }
     }
 }