private int?CalculateKey(SwitchData switchData) { var popValue = _instructionEmulator.Peek(); if (popValue == null || !popValue.IsInt32() || !(popValue as Int32Value).AllBitsValid()) { return(null); } _instructionEmulator.Pop(); int num = ((Int32Value)popValue).Value; if (switchData is NativeSwitchData) { var nativeSwitchData = (NativeSwitchData)switchData; var nativeMethod = new X86Method(nativeSwitchData.NativeMethodDef, _blocks.Method.Module as ModuleDefMD); //TODO: Possible null return(nativeMethod.Execute(num)); } if (switchData is NormalSwitchData) { var normalSwitchData = (NormalSwitchData)switchData; return(num ^ normalSwitchData.Key.Value); } return(null); }
private int?CalculateKey() { var popValue = _instructionEmulator.Peek(); if (popValue == null || !popValue.IsInt32() || !(popValue as Int32Value).AllBitsValid()) { return(null); } _instructionEmulator.Pop(); var result = _nativeMethod.Execute(((Int32Value)popValue).Value); return(result); }
public static void Emulate(ValueStack valueStack, Instruction instruction, MethodDef method) { if (instruction.Operand is MethodDef && ((MethodDef)instruction.Operand).IsNative) { //this is really only for confuserex x86 methods var abc2 = method.Module.ResolveToken(((MethodDef)instruction.Operand).MDToken.ToInt32()); var x86 = new X86Method(abc2 as MethodDef); var value = valueStack.CallStack.Pop(); var abc = x86.Execute((int)(uint)value); valueStack.CallStack.Push(abc); } else { var instructionOperand = instruction.Operand as IMethodDefOrRef; var resolved = instructionOperand.ResolveMethodDef(); if (resolved.Module != method.Module) { if (resolved.IsStatic) { var mod = typeof(string).Module; var asmCall = mod.ResolveMethod(resolved.MDToken.ToInt32()); int pushes; int pops; instruction.CalculateStackUsage(out pushes, out pops); var paramsObjects = new dynamic[pops]; for (var i = 0; i < pops; i++) { paramsObjects[i] = valueStack.CallStack.Pop(); } paramsObjects = paramsObjects.Reverse().ToArray(); try { if (pushes != 0) { var av = asmCall.Invoke(null, paramsObjects); valueStack.CallStack.Push(av); } else { asmCall.Invoke(null, paramsObjects); } } catch { } } } } }
private int EmulateNativeMethod(MethodDef externalMethod, int parameter) { var nativeMethod = new X86Method(externalMethod, module); //TODO: Possible null return(nativeMethod.Execute(parameter)); }
private int x86emulate(MethodDef methods, int[] val) { var x86 = new X86Method(methods); return(x86.Execute(val)); }
public static void HandleCall(CallEventArgs args, Emulation emulation) { if (args.Instruction.Operand is MethodDef && IsProxyMethod((MethodDef)args.Instruction.Operand, out var ins)) { args.Instruction = ins; HandleCall(args, emulation); return; } if (args.Instruction.Operand.ToString() .Contains( "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle") ) { var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Pop(); var fielddef = ModuleDef.ResolveToken(stack2) as FieldDef; var test = fielddef.InitialValue; var decoded = new uint[test.Length / 4]; Buffer.BlockCopy(test, 0, decoded, 0, test.Length); stack1 = decoded; emulation.ValueStack.CallStack.Push(stack1); args.bypassCall = true; } else if (args.Instruction.Operand is MethodSpec && IsUintDecyption(((MethodSpec)args.Instruction.Operand).ResolveMethodDef())) { var method = ((MethodSpec)args.Instruction.Operand).ResolveMethodDef(); var initaliseMethod = Constants.Remover.FindInitialiseMethod(); var initBytes = Constants.Remover.InitaliseBytes(initaliseMethod); var param = new object[args.Pops]; for (var i = 0; i < param.Length; i++) { param[i] = emulation.ValueStack.CallStack.Pop(); } emulation.ValueStack.CallStack.Push(Constants.Remover.DecryptConstant(method, param, initBytes)); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()")) { } else if (args.Instruction.Operand.ToString() .Contains("System.String System.String::Intern(System.String)")) { emulation.ValueStack.CallStack.Push(string.Intern(emulation.ValueStack.CallStack.Pop())); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) { var stack4 = emulation.ValueStack.CallStack.Pop(); var stack3 = emulation.ValueStack.CallStack.Pop(); var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); var result = stack1.GetString(stack2, stack3, stack4); emulation.ValueStack.CallStack.Push(result); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Text.Encoding System.Text.Encoding::get_UTF8()")) { emulation.ValueStack.CallStack.Push(Encoding.UTF8); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Array System.Array::CreateInstance(System.Type,System.Int32)")) { var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); var result = Array.CreateInstance(stack1, stack2); emulation.ValueStack.CallStack.Push(result); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Type System.Type::GetElementType()")) { var stack = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Push(stack.GetElementType()); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle)")) { var stack = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Push(typeof(uint[])); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains( "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)") ) { var stack5 = emulation.ValueStack.CallStack.Pop(); var stack4 = emulation.ValueStack.CallStack.Pop(); var stack3 = emulation.ValueStack.CallStack.Pop(); var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); Buffer.BlockCopy(stack1, stack2, stack3, stack4, stack5); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Reflection.Module System.Reflection.Assembly::get_ManifestModule()")) { args.bypassCall = true; } else if (args.Instruction.Operand is MethodDef && isDecryptMethod((MethodDef)args.Instruction.Operand)) { var bytes = Compressor.Remover.HandleDecryptMethod(emulation, args, (MethodDef)args.Instruction.Operand); emulation.ValueStack.CallStack.Push(bytes); var bytes2 = (byte[])bytes.Target; Compressor.Remover.ModuleBytes = new byte[bytes2.Length]; Buffer.BlockCopy(bytes2, 0, Compressor.Remover.ModuleBytes, 0, bytes2.Length); ModuleBytes = bytes2; args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Void System.Array::Clear(System.Array,System.Int32,System.Int32)")) { var stack3 = emulation.ValueStack.CallStack.Pop(); var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); // File.WriteAllBytes("arrayemu", stack1); if (stack1 is Array) { Array.Clear(stack1, stack2, stack3); } args.bypassCall = true; } else if (args.Instruction.Operand is MethodDef && isDecompressMethod((MethodDef)args.Instruction.Operand)) { var stack = emulation.ValueStack.CallStack.Pop(); var decrypted = LzmaDecompress(stack); // Protections.Compressor.Remover.ModuleBytes = decrypted; // File.WriteAllBytes("arrayemu",stack); emulation.ValueStack.CallStack.Push(decrypted); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Byte[] System.Reflection.Module::ResolveSignature(System.Int32)")) { var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Push(ModuleDef.ReadBlob((uint)stack2)); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains("System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) { var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); Compressor.Remover.ModuleEp = stack2; args.endMethod = true; } else if (args.Instruction.Operand.ToString() .Contains( "System.Runtime.InteropServices.GCHandle System.Runtime.InteropServices.GCHandle::Alloc(System.Object,System.Runtime.InteropServices.GCHandleType") ) { var stack2 = emulation.ValueStack.CallStack.Pop(); var stack1 = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Push(GCHandle.Alloc(stack1, GCHandleType.Pinned)); args.bypassCall = true; } else if (args.Instruction.Operand.ToString() .Contains( "System.Object System.Runtime.InteropServices.GCHandle::get_Target()") ) { var stack1 = emulation.ValueStack.CallStack.Pop(); emulation.ValueStack.CallStack.Push(stack1.Target); args.bypassCall = true; } else if (args.Instruction.Operand is MethodDef && ((MethodDef)args.Instruction.Operand).IsNative) { var stack1 = emulation.ValueStack.CallStack.Pop(); X86Method x86 = new X86Method(args.Instruction.Operand as MethodDef); var abc = x86.Execute(stack1); emulation.ValueStack.CallStack.Push(abc); args.bypassCall = true; } // }