private int?CalculateKey(SwitchData switchData)
{
var popValue = _instructionEmulator.Peek();
if (popValue == null || !popValue.IsInt32() || !(popValue as Int32Value).AllBitsValid())
{
return(null);
}
_instructionEmulator.Pop();
int num = ((Int32Value)popValue).Value;
if (switchData is NativeSwitchData)
{
var nativeSwitchData = (NativeSwitchData)switchData;
var nativeMethod = new X86Method(nativeSwitchData.NativeMethodDef, _blocks.Method.Module as ModuleDefMD); //TODO: Possible null
return(nativeMethod.Execute(num));
}
if (switchData is NormalSwitchData)
{
var normalSwitchData = (NormalSwitchData)switchData;
return(num ^ normalSwitchData.Key.Value);
}
return(null);
}
public static void Emulate(ValueStack valueStack, Instruction instruction, MethodDef method)
{
if (instruction.Operand is MethodDef && ((MethodDef)instruction.Operand).IsNative)
{
//this is really only for confuserex x86 methods
var abc2 = method.Module.ResolveToken(((MethodDef)instruction.Operand).MDToken.ToInt32());
var x86 = new X86Method(abc2 as MethodDef);
var value = valueStack.CallStack.Pop();
var abc = x86.Execute((int)(uint)value);
valueStack.CallStack.Push(abc);
}
else
{
var instructionOperand = instruction.Operand as IMethodDefOrRef;
var resolved = instructionOperand.ResolveMethodDef();
if (resolved.Module != method.Module)
{
if (resolved.IsStatic)
{
var mod = typeof(string).Module;
var asmCall = mod.ResolveMethod(resolved.MDToken.ToInt32());
int pushes;
int pops;
instruction.CalculateStackUsage(out pushes, out pops);
var paramsObjects = new dynamic[pops];
for (var i = 0; i < pops; i++)
{
paramsObjects[i] = valueStack.CallStack.Pop();
}
paramsObjects = paramsObjects.Reverse().ToArray();
try
{
if (pushes != 0)
{
var av = asmCall.Invoke(null, paramsObjects);
valueStack.CallStack.Push(av);
}
else
{
asmCall.Invoke(null, paramsObjects);
}
}
catch
{
}
}
}
}
}
public void Load(string path, long baseAddr)
{
BaseAddress = baseAddr;
asm = WindowsAssembly.FromFile(path);
entryMethod = this.CreateMethodFromRVA(asm.NtHeaders.OptionalHeader.AddressOfEntrypoint);
methods[entryMethod.Address] = entryMethod;
entryMethod.Initialize();
while (pendingAddresses.Count > 0)
{
var emu = pendingAddresses.GetEnumerator();
emu.MoveNext();
long addr = emu.Current;
var method = this.CreateMethodFromAddress(addr);
methods[addr] = method;
method.Initialize();
pendingAddresses.Remove(addr);
}
}
private uint CalculateMagic(uint index)
{
uint uint_0;
if (NativeMethod != null)
{
_instructionEmulator.Push(new Int32Value((int)index));
_nativeMethod = new X86Method(NativeMethod, Method.Module as ModuleDefMD); //TODO: Possible null
var key = CalculateKey();
uint_0 = (uint)key.Value;
}
else
{
uint_0 = index * Num1 ^ Num2;
}
uint_0 &= 0x3fffffff;
uint_0 <<= 2;
return(uint_0);
}
private static void Main(string[] args)
{
if (args.Length == 0)
{
Console.WriteLine("No input file specified...");
return;
}
// Store the obfuscated file name for later use (e.g. when resolving the RVAs)
Configuration.AssemblyFilename = args[0];
// Load the assembly via dnlib (Only the module, we need this structure to resolve MD Tokens)
var assemblyModuleDnlib = ModuleDefMD.Load(Configuration.AssemblyFilename);
// Get the <Module>-Type for later use
var cctorType = assemblyModuleDnlib.GlobalType;
// Store the replaced methods in this list
var nativeMethodsReplaced = new List <MethodDef>();
// Find methods with native code
var nativeMethods = cctorType.Methods.Where(m => m.IsNative).ToList();
foreach (var nativeMethod in nativeMethods)
{
// Get the assembly code and the X86 Opcode Structure (Thanks to ubbelol)
X86Method x86NativeMethod = new X86Method(nativeMethod);
var ILNativeMethod = X86MethodToILConverter.CreateILFromX86Method(x86NativeMethod);
nativeMethod.DeclaringType.Methods.Add(ILNativeMethod);
nativeMethodsReplaced.Add(nativeMethod);
}
// Export all the IL Methods to a DLL
MethodExporter.ExportMethodsToDll("TestMethodModule.dll", nativeMethodsReplaced, assemblyModuleDnlib);
// Call the DLL IL Methods and the native Methods via x86 function ptr to see if the result is the same
X86ILTester.TestNativeWithILMethods(Configuration.AssemblyFilename, Path.Combine(Environment.CurrentDirectory, "TestMethodModule.dll"));
// Find all the native method calls and replace them with the IL calls
foreach (var replacedMethod in nativeMethodsReplaced)
{
var callsToNativeMethod = replacedMethod.FindAllReferences(assemblyModuleDnlib);
var ilMethod = assemblyModuleDnlib.GlobalType.Methods.FirstOrDefault(m => m.Name == replacedMethod.Name + "_IL");
foreach (var call in callsToNativeMethod)
{
call.Operand = ilMethod;
}
Console.WriteLine("[+] Removed " + callsToNativeMethod.ToList().Count + " entries.");
}
// Remove each native method
foreach (var replacedMethod in nativeMethodsReplaced)
{
cctorType.Methods.Remove(replacedMethod);
}
// Turn off signing
assemblyModuleDnlib.IsStrongNameSigned = false;
assemblyModuleDnlib.Assembly.PublicKey = null;
// Preserve Tokens and fix the flags for ILOnly
var moduleWriterOptions = new ModuleWriterOptions();
moduleWriterOptions.MetaDataOptions.Flags |= MetaDataFlags.PreserveAll;
moduleWriterOptions.MetaDataOptions.Flags |= MetaDataFlags.KeepOldMaxStack;
moduleWriterOptions.Cor20HeaderOptions.Flags = ComImageFlags.ILOnly | ComImageFlags._32BitRequired;
assemblyModuleDnlib.Write("out_mod.exe", moduleWriterOptions);
}
private int EmulateNativeMethod(MethodDef externalMethod, int parameter)
{
var nativeMethod = new X86Method(externalMethod, module); //TODO: Possible null
return(nativeMethod.Execute(parameter));
}
private int x86emulate(MethodDef methods, int[] val)
{
var x86 = new X86Method(methods);
return(x86.Execute(val));
}
public static MethodDef CreateILFromX86Method(X86Method methodToConvert)
{
// Find the Int32 type
var int32Type = methodToConvert.OriginalMethod.ReturnType;
// Create a method with the same name as the native and append "_IL"
var returnMethod = new MethodDefUser(new UTF8String(methodToConvert.OriginalMethod.Name + "_IL"),
MethodSig.CreateStatic(int32Type, int32Type), MethodImplAttributes.IL | MethodImplAttributes.Managed,
MethodAttributes.Public | MethodAttributes.Static | MethodAttributes.HideBySig);
returnMethod.Body = new CilBody();
returnMethod.Body.MaxStack = 12;
// Add 8 registers
for (var i = 0; i < 8; i++)
{
returnMethod.Body.Variables.Add(new Local(int32Type));
}
var returnMethodBody = returnMethod.Body;
// load param to stack, it later gets popped into ecx
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldarg_0));
// Translate each x86 Instruction to IL
foreach (var x86Instruction in methodToConvert.Instructions)
{
switch (x86Instruction.OpCode)
{
case X86OpCode.MOV:
if (x86Instruction.Operands[0] is X86ImmediateOperand)
{
throw new Exception("Can't mov value to immediate value");
}
if (x86Instruction.Operands[1] is X86RegisterOperand)
{
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[1] as X86RegisterOperand).Register,
returnMethodBody));
}
else if (x86Instruction.Operands[1] is X86ImmediateOperand)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4,
(x86Instruction.Operands[1] as X86ImmediateOperand).Immediate));
}
returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register,
returnMethodBody));
break;
case X86OpCode.ADD:
if (x86Instruction.Operands[0] is X86ImmediateOperand)
{
throw new Exception("Can't add value to immediate value");
}
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
if (x86Instruction.Operands[1] is X86RegisterOperand)
{
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[1] as X86RegisterOperand).Register,
returnMethodBody)); // 25 is EAX
}
else if (x86Instruction.Operands[1] is X86ImmediateOperand)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4,
(x86Instruction.Operands[1] as X86ImmediateOperand).Immediate));
}
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Add));
returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
case X86OpCode.DIV:
if (x86Instruction.Operands[0] is X86ImmediateOperand)
{
throw new Exception("Can't div value to immediate value");
}
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
if (x86Instruction.Operands[1] is X86RegisterOperand)
{
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[1] as X86RegisterOperand).Register,
returnMethodBody)); // 25 is EAX
}
else if (x86Instruction.Operands[1] is X86ImmediateOperand)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4,
(x86Instruction.Operands[1] as X86ImmediateOperand).Immediate));
}
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Div_Un));
returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
case X86OpCode.IMUL:
if (x86Instruction.Operands[0] is X86ImmediateOperand)
{
throw new Exception("Can't imul value to immediate value");
}
if (x86Instruction.Operands[1] is X86RegisterOperand)
{
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[1] as X86RegisterOperand).Register,
returnMethodBody)); // 25 is EAX
}
else if (x86Instruction.Operands[1] is X86ImmediateOperand)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4,
(x86Instruction.Operands[1] as X86ImmediateOperand).Immediate));
}
if (x86Instruction.Operands[2] is X86RegisterOperand)
{
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[2] as X86RegisterOperand).Register,
returnMethodBody)); // 25 is EAX
}
else if (x86Instruction.Operands[2] is X86ImmediateOperand)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4,
(x86Instruction.Operands[2] as X86ImmediateOperand).Immediate));
}
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Mul));
returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
case X86OpCode.NEG:
if (x86Instruction.Operands[0] is X86ImmediateOperand)
{
throw new Exception("Can't neg immediate value");
}
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register,
returnMethodBody)); // 25 is EAX
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Neg));
returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
case X86OpCode.NOT:
if (x86Instruction.Operands[0] is X86ImmediateOperand)
{
throw new Exception("Can't not immediate value");
}
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register,
returnMethodBody)); // 25 is EAX
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Not));
returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
case X86OpCode.POP:
returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
case X86OpCode.SUB:
if (x86Instruction.Operands[0] is X86ImmediateOperand)
{
throw new Exception("Can't sub value to immediate value");
}
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
if (x86Instruction.Operands[1] is X86RegisterOperand)
{
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[1] as X86RegisterOperand).Register,
returnMethodBody)); // 25 is EAX
}
else if (x86Instruction.Operands[1] is X86ImmediateOperand)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4,
(x86Instruction.Operands[1] as X86ImmediateOperand).Immediate));
}
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Sub));
returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
case X86OpCode.XOR:
if (x86Instruction.Operands[0] is X86ImmediateOperand)
{
throw new Exception("Can't xor value to immediate value");
}
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
if (x86Instruction.Operands[1] is X86RegisterOperand)
{
returnMethodBody.Instructions.Add(GetLdlocInstructionFromRegister(
(x86Instruction.Operands[1] as X86RegisterOperand).Register,
returnMethodBody)); // 25 is EAX
}
else if (x86Instruction.Operands[1] is X86ImmediateOperand)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4,
((X86ImmediateOperand)x86Instruction.Operands[1]).Immediate));
}
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Xor));
returnMethodBody.Instructions.Add(GetStlocInstructionFromRegister(
(x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
}
}
// Load EAX
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldloc_0));
// Return eax
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ret));
return(returnMethod);
}
public static MethodDef CreateILFromX86Method(X86Method methodToConvert)
{
TypeSig int32Type = methodToConvert.OriginalMethod.ReturnType;
MethodDefUser returnMethod = new MethodDefUser(new UTF8String(methodToConvert.OriginalMethod.Name + "_IL"), MethodSig.CreateStatic(int32Type, int32Type), MethodImplAttributes.IL, MethodAttributes.FamANDAssem | MethodAttributes.Family | MethodAttributes.Static | MethodAttributes.HideBySig);
returnMethod.Body = new CilBody();
returnMethod.Body.MaxStack = 12;
for (int i = 0; i < 8; i++)
{
returnMethod.Body.Variables.Add(new Local(int32Type));
}
CilBody returnMethodBody = returnMethod.Body;
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldarg_0));
foreach (X86Instruction x86Instruction in methodToConvert.Instructions)
{
switch (x86Instruction.OpCode)
{
case X86OpCode.MOV:
{
bool flag = x86Instruction.Operands[0] is X86ImmediateOperand;
if (flag)
{
throw new Exception("Can't mov value to immediate value");
}
bool flag2 = x86Instruction.Operands[1] is X86RegisterOperand;
if (flag2)
{
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody));
}
else
{
bool flag3 = x86Instruction.Operands[1] is X86ImmediateOperand;
if (flag3)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate));
}
}
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
}
case X86OpCode.ADD:
{
bool flag4 = x86Instruction.Operands[0] is X86ImmediateOperand;
if (flag4)
{
throw new Exception("Can't add value to immediate value");
}
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
bool flag5 = x86Instruction.Operands[1] is X86RegisterOperand;
if (flag5)
{
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody));
}
else
{
bool flag6 = x86Instruction.Operands[1] is X86ImmediateOperand;
if (flag6)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate));
}
}
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Add));
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
}
case X86OpCode.SUB:
{
bool flag7 = x86Instruction.Operands[0] is X86ImmediateOperand;
if (flag7)
{
throw new Exception("Can't sub value to immediate value");
}
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
bool flag8 = x86Instruction.Operands[1] is X86RegisterOperand;
if (flag8)
{
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody));
}
else
{
bool flag9 = x86Instruction.Operands[1] is X86ImmediateOperand;
if (flag9)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate));
}
}
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Sub));
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
}
case X86OpCode.IMUL:
{
bool flag10 = x86Instruction.Operands[0] is X86ImmediateOperand;
if (flag10)
{
throw new Exception("Can't imul value to immediate value");
}
bool flag11 = x86Instruction.Operands[1] is X86RegisterOperand;
if (flag11)
{
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody));
}
else
{
bool flag12 = x86Instruction.Operands[1] is X86ImmediateOperand;
if (flag12)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate));
}
}
bool flag13 = x86Instruction.Operands[2] is X86RegisterOperand;
if (flag13)
{
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[2] as X86RegisterOperand).Register, returnMethodBody));
}
else
{
bool flag14 = x86Instruction.Operands[2] is X86ImmediateOperand;
if (flag14)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[2] as X86ImmediateOperand).Immediate));
}
}
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Mul));
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
}
case X86OpCode.DIV:
{
bool flag15 = x86Instruction.Operands[0] is X86ImmediateOperand;
if (flag15)
{
throw new Exception("Can't div value to immediate value");
}
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
bool flag16 = x86Instruction.Operands[1] is X86RegisterOperand;
if (flag16)
{
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody));
}
else
{
bool flag17 = x86Instruction.Operands[1] is X86ImmediateOperand;
if (flag17)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate));
}
}
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Div_Un));
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
}
case X86OpCode.NEG:
{
bool flag18 = x86Instruction.Operands[0] is X86ImmediateOperand;
if (flag18)
{
throw new Exception("Can't neg immediate value");
}
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Neg));
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
}
case X86OpCode.NOT:
{
bool flag19 = x86Instruction.Operands[0] is X86ImmediateOperand;
if (flag19)
{
throw new Exception("Can't not immediate value");
}
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Not));
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
}
case X86OpCode.XOR:
{
bool flag20 = x86Instruction.Operands[0] is X86ImmediateOperand;
if (flag20)
{
throw new Exception("Can't xor value to immediate value");
}
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
bool flag21 = x86Instruction.Operands[1] is X86RegisterOperand;
if (flag21)
{
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetLdlocInstructionFromRegister((x86Instruction.Operands[1] as X86RegisterOperand).Register, returnMethodBody));
}
else
{
bool flag22 = x86Instruction.Operands[1] is X86ImmediateOperand;
if (flag22)
{
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldc_I4, (x86Instruction.Operands[1] as X86ImmediateOperand).Immediate));
}
}
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Xor));
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
}
case X86OpCode.POP:
returnMethodBody.Instructions.Add(X86MethodToILConverter.GetStlocInstructionFromRegister((x86Instruction.Operands[0] as X86RegisterOperand).Register, returnMethodBody));
break;
}
}
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ldloc_0));
returnMethodBody.Instructions.Add(new Instruction(OpCodes.Ret));
return(returnMethod);
}
public static void HandleCall(CallEventArgs args, Emulation emulation)
{
if (args.Instruction.Operand is MethodDef &&
IsProxyMethod((MethodDef)args.Instruction.Operand, out var ins))
{
args.Instruction = ins;
HandleCall(args, emulation);
return;
}
if (args.Instruction.Operand.ToString()
.Contains(
"System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle")
)
{
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Pop();
var fielddef = ModuleDef.ResolveToken(stack2) as FieldDef;
var test = fielddef.InitialValue;
var decoded = new uint[test.Length / 4];
Buffer.BlockCopy(test, 0, decoded, 0, test.Length);
stack1 = decoded;
emulation.ValueStack.CallStack.Push(stack1);
args.bypassCall = true;
}
else if (args.Instruction.Operand is MethodSpec &&
IsUintDecyption(((MethodSpec)args.Instruction.Operand).ResolveMethodDef()))
{
var method = ((MethodSpec)args.Instruction.Operand).ResolveMethodDef();
var initaliseMethod = Constants.Remover.FindInitialiseMethod();
var initBytes = Constants.Remover.InitaliseBytes(initaliseMethod);
var param = new object[args.Pops];
for (var i = 0; i < param.Length; i++)
{
param[i] = emulation.ValueStack.CallStack.Pop();
}
emulation.ValueStack.CallStack.Push(Constants.Remover.DecryptConstant(method, param, initBytes));
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()"))
{
}
else if (args.Instruction.Operand.ToString()
.Contains("System.String System.String::Intern(System.String)"))
{
emulation.ValueStack.CallStack.Push(string.Intern(emulation.ValueStack.CallStack.Pop()));
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)"))
{
var stack4 = emulation.ValueStack.CallStack.Pop();
var stack3 = emulation.ValueStack.CallStack.Pop();
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
var result = stack1.GetString(stack2, stack3, stack4);
emulation.ValueStack.CallStack.Push(result);
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Text.Encoding System.Text.Encoding::get_UTF8()"))
{
emulation.ValueStack.CallStack.Push(Encoding.UTF8);
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Array System.Array::CreateInstance(System.Type,System.Int32)"))
{
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
var result = Array.CreateInstance(stack1, stack2);
emulation.ValueStack.CallStack.Push(result);
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Type System.Type::GetElementType()"))
{
var stack = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Push(stack.GetElementType());
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle)"))
{
var stack = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Push(typeof(uint[]));
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains(
"System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)")
)
{
var stack5 = emulation.ValueStack.CallStack.Pop();
var stack4 = emulation.ValueStack.CallStack.Pop();
var stack3 = emulation.ValueStack.CallStack.Pop();
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
Buffer.BlockCopy(stack1, stack2, stack3, stack4, stack5);
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Reflection.Module System.Reflection.Assembly::get_ManifestModule()"))
{
args.bypassCall = true;
}
else if (args.Instruction.Operand is MethodDef && isDecryptMethod((MethodDef)args.Instruction.Operand))
{
var bytes = Compressor.Remover.HandleDecryptMethod(emulation, args,
(MethodDef)args.Instruction.Operand);
emulation.ValueStack.CallStack.Push(bytes);
var bytes2 = (byte[])bytes.Target;
Compressor.Remover.ModuleBytes = new byte[bytes2.Length];
Buffer.BlockCopy(bytes2, 0, Compressor.Remover.ModuleBytes, 0, bytes2.Length);
ModuleBytes = bytes2;
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Void System.Array::Clear(System.Array,System.Int32,System.Int32)"))
{
var stack3 = emulation.ValueStack.CallStack.Pop();
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
// File.WriteAllBytes("arrayemu", stack1);
if (stack1 is Array)
{
Array.Clear(stack1, stack2, stack3);
}
args.bypassCall = true;
}
else if (args.Instruction.Operand is MethodDef && isDecompressMethod((MethodDef)args.Instruction.Operand))
{
var stack = emulation.ValueStack.CallStack.Pop();
var decrypted = LzmaDecompress(stack);
// Protections.Compressor.Remover.ModuleBytes = decrypted;
// File.WriteAllBytes("arrayemu",stack);
emulation.ValueStack.CallStack.Push(decrypted);
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Byte[] System.Reflection.Module::ResolveSignature(System.Int32)"))
{
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Push(ModuleDef.ReadBlob((uint)stack2));
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)"))
{
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
Compressor.Remover.ModuleEp = stack2;
args.endMethod = true;
}
else if (args.Instruction.Operand.ToString()
.Contains(
"System.Runtime.InteropServices.GCHandle System.Runtime.InteropServices.GCHandle::Alloc(System.Object,System.Runtime.InteropServices.GCHandleType")
)
{
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Push(GCHandle.Alloc(stack1, GCHandleType.Pinned));
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains(
"System.Object System.Runtime.InteropServices.GCHandle::get_Target()")
)
{
var stack1 = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Push(stack1.Target);
args.bypassCall = true;
}
else if (args.Instruction.Operand is MethodDef && ((MethodDef)args.Instruction.Operand).IsNative)
{
var stack1 = emulation.ValueStack.CallStack.Pop();
X86Method x86 = new X86Method(args.Instruction.Operand as MethodDef);
var abc = x86.Execute(stack1);
emulation.ValueStack.CallStack.Push(abc);
args.bypassCall = true;
}
//
}
