private int?CalculateKey(SwitchData switchData)
{
var popValue = _instructionEmulator.Peek();
if (popValue == null || !popValue.IsInt32() || !(popValue as Int32Value).AllBitsValid())
{
return(null);
}
_instructionEmulator.Pop();
int num = ((Int32Value)popValue).Value;
if (switchData is NativeSwitchData)
{
var nativeSwitchData = (NativeSwitchData)switchData;
var nativeMethod = new X86Method(nativeSwitchData.NativeMethodDef, _blocks.Method.Module as ModuleDefMD); //TODO: Possible null
return(nativeMethod.Execute(num));
}
if (switchData is NormalSwitchData)
{
var normalSwitchData = (NormalSwitchData)switchData;
return(num ^ normalSwitchData.Key.Value);
}
return(null);
}
private int?CalculateKey()
{
var popValue = _instructionEmulator.Peek();
if (popValue == null || !popValue.IsInt32() || !(popValue as Int32Value).AllBitsValid())
{
return(null);
}
_instructionEmulator.Pop();
var result = _nativeMethod.Execute(((Int32Value)popValue).Value);
return(result);
}
public static void Emulate(ValueStack valueStack, Instruction instruction, MethodDef method)
{
if (instruction.Operand is MethodDef && ((MethodDef)instruction.Operand).IsNative)
{
//this is really only for confuserex x86 methods
var abc2 = method.Module.ResolveToken(((MethodDef)instruction.Operand).MDToken.ToInt32());
var x86 = new X86Method(abc2 as MethodDef);
var value = valueStack.CallStack.Pop();
var abc = x86.Execute((int)(uint)value);
valueStack.CallStack.Push(abc);
}
else
{
var instructionOperand = instruction.Operand as IMethodDefOrRef;
var resolved = instructionOperand.ResolveMethodDef();
if (resolved.Module != method.Module)
{
if (resolved.IsStatic)
{
var mod = typeof(string).Module;
var asmCall = mod.ResolveMethod(resolved.MDToken.ToInt32());
int pushes;
int pops;
instruction.CalculateStackUsage(out pushes, out pops);
var paramsObjects = new dynamic[pops];
for (var i = 0; i < pops; i++)
{
paramsObjects[i] = valueStack.CallStack.Pop();
}
paramsObjects = paramsObjects.Reverse().ToArray();
try
{
if (pushes != 0)
{
var av = asmCall.Invoke(null, paramsObjects);
valueStack.CallStack.Push(av);
}
else
{
asmCall.Invoke(null, paramsObjects);
}
}
catch
{
}
}
}
}
}
private int EmulateNativeMethod(MethodDef externalMethod, int parameter)
{
var nativeMethod = new X86Method(externalMethod, module); //TODO: Possible null
return(nativeMethod.Execute(parameter));
}
private int x86emulate(MethodDef methods, int[] val)
{
var x86 = new X86Method(methods);
return(x86.Execute(val));
}
public static void HandleCall(CallEventArgs args, Emulation emulation)
{
if (args.Instruction.Operand is MethodDef &&
IsProxyMethod((MethodDef)args.Instruction.Operand, out var ins))
{
args.Instruction = ins;
HandleCall(args, emulation);
return;
}
if (args.Instruction.Operand.ToString()
.Contains(
"System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle")
)
{
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Pop();
var fielddef = ModuleDef.ResolveToken(stack2) as FieldDef;
var test = fielddef.InitialValue;
var decoded = new uint[test.Length / 4];
Buffer.BlockCopy(test, 0, decoded, 0, test.Length);
stack1 = decoded;
emulation.ValueStack.CallStack.Push(stack1);
args.bypassCall = true;
}
else if (args.Instruction.Operand is MethodSpec &&
IsUintDecyption(((MethodSpec)args.Instruction.Operand).ResolveMethodDef()))
{
var method = ((MethodSpec)args.Instruction.Operand).ResolveMethodDef();
var initaliseMethod = Constants.Remover.FindInitialiseMethod();
var initBytes = Constants.Remover.InitaliseBytes(initaliseMethod);
var param = new object[args.Pops];
for (var i = 0; i < param.Length; i++)
{
param[i] = emulation.ValueStack.CallStack.Pop();
}
emulation.ValueStack.CallStack.Push(Constants.Remover.DecryptConstant(method, param, initBytes));
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()"))
{
}
else if (args.Instruction.Operand.ToString()
.Contains("System.String System.String::Intern(System.String)"))
{
emulation.ValueStack.CallStack.Push(string.Intern(emulation.ValueStack.CallStack.Pop()));
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)"))
{
var stack4 = emulation.ValueStack.CallStack.Pop();
var stack3 = emulation.ValueStack.CallStack.Pop();
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
var result = stack1.GetString(stack2, stack3, stack4);
emulation.ValueStack.CallStack.Push(result);
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Text.Encoding System.Text.Encoding::get_UTF8()"))
{
emulation.ValueStack.CallStack.Push(Encoding.UTF8);
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Array System.Array::CreateInstance(System.Type,System.Int32)"))
{
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
var result = Array.CreateInstance(stack1, stack2);
emulation.ValueStack.CallStack.Push(result);
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Type System.Type::GetElementType()"))
{
var stack = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Push(stack.GetElementType());
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle)"))
{
var stack = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Push(typeof(uint[]));
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains(
"System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)")
)
{
var stack5 = emulation.ValueStack.CallStack.Pop();
var stack4 = emulation.ValueStack.CallStack.Pop();
var stack3 = emulation.ValueStack.CallStack.Pop();
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
Buffer.BlockCopy(stack1, stack2, stack3, stack4, stack5);
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Reflection.Module System.Reflection.Assembly::get_ManifestModule()"))
{
args.bypassCall = true;
}
else if (args.Instruction.Operand is MethodDef && isDecryptMethod((MethodDef)args.Instruction.Operand))
{
var bytes = Compressor.Remover.HandleDecryptMethod(emulation, args,
(MethodDef)args.Instruction.Operand);
emulation.ValueStack.CallStack.Push(bytes);
var bytes2 = (byte[])bytes.Target;
Compressor.Remover.ModuleBytes = new byte[bytes2.Length];
Buffer.BlockCopy(bytes2, 0, Compressor.Remover.ModuleBytes, 0, bytes2.Length);
ModuleBytes = bytes2;
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Void System.Array::Clear(System.Array,System.Int32,System.Int32)"))
{
var stack3 = emulation.ValueStack.CallStack.Pop();
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
// File.WriteAllBytes("arrayemu", stack1);
if (stack1 is Array)
{
Array.Clear(stack1, stack2, stack3);
}
args.bypassCall = true;
}
else if (args.Instruction.Operand is MethodDef && isDecompressMethod((MethodDef)args.Instruction.Operand))
{
var stack = emulation.ValueStack.CallStack.Pop();
var decrypted = LzmaDecompress(stack);
// Protections.Compressor.Remover.ModuleBytes = decrypted;
// File.WriteAllBytes("arrayemu",stack);
emulation.ValueStack.CallStack.Push(decrypted);
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Byte[] System.Reflection.Module::ResolveSignature(System.Int32)"))
{
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Push(ModuleDef.ReadBlob((uint)stack2));
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains("System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)"))
{
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
Compressor.Remover.ModuleEp = stack2;
args.endMethod = true;
}
else if (args.Instruction.Operand.ToString()
.Contains(
"System.Runtime.InteropServices.GCHandle System.Runtime.InteropServices.GCHandle::Alloc(System.Object,System.Runtime.InteropServices.GCHandleType")
)
{
var stack2 = emulation.ValueStack.CallStack.Pop();
var stack1 = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Push(GCHandle.Alloc(stack1, GCHandleType.Pinned));
args.bypassCall = true;
}
else if (args.Instruction.Operand.ToString()
.Contains(
"System.Object System.Runtime.InteropServices.GCHandle::get_Target()")
)
{
var stack1 = emulation.ValueStack.CallStack.Pop();
emulation.ValueStack.CallStack.Push(stack1.Target);
args.bypassCall = true;
}
else if (args.Instruction.Operand is MethodDef && ((MethodDef)args.Instruction.Operand).IsNative)
{
var stack1 = emulation.ValueStack.CallStack.Pop();
X86Method x86 = new X86Method(args.Instruction.Operand as MethodDef);
var abc = x86.Execute(stack1);
emulation.ValueStack.CallStack.Push(abc);
args.bypassCall = true;
}
//
}
