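/// <summary>
/// Recovers the metadata token hidden in the name of a proxy field. <c>DoAntiProxy</c> uses it
/// for the <c>NewObjectCall</c> proxy kind.
/// </summary>
/// <remarks>
/// Decoding steps, in order: XOR the low byte of every character of the field name with its
/// index, Base64-decode the resulting string, read the first four bytes as an Int32 and XOR
/// that value with <c>Params.XORTokenField</c>.
/// The field name comes from the assembly being analysed, so it is untrusted input: the decoded
/// length is checked before the token is read instead of relying on BitConverter to fail.
/// </remarks>
/// <param name="PT">Proxy type whose <c>arFieldReflection</c> array holds the reflected fields.</param>
/// <param name="iIndex">Index of the field inside <c>PT.arFieldReflection</c>.</param>
/// <param name="Params">Supplies the XOR key <c>XORTokenField</c>.</param>
/// <returns>The decoded token.</returns>
/// <exception cref="FormatException">
/// The un-masked name is not valid Base64, or it decodes to fewer than four bytes.
/// </exception>
private static int GetTokenForFieldDecode(ProxyType PT, int iIndex, AntiProxyParams Params)
{
    string maskedName = PT.arFieldReflection[iIndex].Name;

    // Undo the per-character mask. Only the low byte of each character takes part, exactly as
    // in the original decoder.
    char[] unmasked = new char[maskedName.Length];
    for (int i = 0; i < unmasked.Length; i++)
    {
        unmasked[i] = (char)((byte)maskedName[i] ^ i);
    }

    byte[] payload = Convert.FromBase64String(new string(unmasked));
    if (payload.Length < sizeof(int))
    {
        throw new FormatException(
            "Proxy field name decodes to " + payload.Length + " byte(s); at least 4 are needed to read a token.");
    }

    return BitConverter.ToInt32(payload, 0) ^ Params.XORTokenField;
}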
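/// <summary>
/// Recovers the metadata token and the call kind hidden in the name of a proxy field.
/// <c>DoAntiProxy</c> uses it for the <c>DirectMethodCall</c> proxy kind.
/// </summary>
/// <remarks>
/// Decoding steps, in order: XOR the low byte of every character of the field name with its
/// index and Base64-decode the result. Byte 0 of the payload selects the call kind (13 means
/// <c>Callvirt</c>, any other value means <c>Call</c>); bytes 1..4 are read as an Int32 and
/// XOR-ed with <c>Params.XORTokenMethod</c>.
/// The field name comes from the assembly being analysed, so it is untrusted input: the decoded
/// length is checked before any byte is read.
/// </remarks>
/// <param name="PT">Proxy type whose <c>arFieldReflection</c> array holds the reflected fields.</param>
/// <param name="iIndex">Index of the field inside <c>PT.arFieldReflection</c>.</param>
/// <param name="Params">Supplies the XOR key <c>XORTokenMethod</c>.</param>
/// <param name="CT">Receives the call kind encoded in the first payload byte.</param>
/// <returns>The decoded token.</returns>
/// <exception cref="FormatException">
/// The un-masked name is not valid Base64, or it decodes to fewer than five bytes.
/// </exception>
private static int GetTokenForMethodDecode(ProxyType PT, int iIndex, AntiProxyParams Params, out FunctionCallType CT)
{
    string maskedName = PT.arFieldReflection[iIndex].Name;

    // Undo the per-character mask. Only the low byte of each character takes part, exactly as
    // in the original decoder.
    char[] unmasked = new char[maskedName.Length];
    for (int i = 0; i < unmasked.Length; i++)
    {
        unmasked[i] = (char)((byte)maskedName[i] ^ i);
    }

    byte[] payload = Convert.FromBase64String(new string(unmasked));

    // One marker byte plus a four-byte token.
    if (payload.Length < 1 + sizeof(int))
    {
        throw new FormatException(
            "Proxy field name decodes to " + payload.Length + " byte(s); at least 5 are needed to read a call kind and a token.");
    }

    CT = (payload[0] == 13) ? FunctionCallType.Callvirt : FunctionCallType.Call;
    return BitConverter.ToInt32(payload, 1) ^ Params.XORTokenMethod;
}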
/// <summary>
/// Third phase: loads the input assembly for reflection and runs the proxy removal on every
/// proxy type collected earlier.
/// </summary>
/// <returns>Always <c>true</c>.</returns>
public static bool Phase3()
{
    AntiProxyParams Params = PhaseParam;

    // NOTE(review): Assembly.LoadFile brings the file under analysis into this process. That
    // file is untrusted input for a deobfuscator; loading is not a sandbox, and a mixed-mode
    // image can run native initialisation code at load time. Run this phase only inside an
    // isolated analysis environment.
    Params.asmReflection = Assembly.LoadFile(Globals.DeobContext.InPath);

    InitMethodCallList();

    foreach (var PT in Params.lstProxyTypes)
    {
        // The tokens are read inside the loop on purpose: with an empty list nothing is
        // dereferenced, which matches the original behaviour.
        int fieldResolverToken = Params.ResolveFieldMD.MetadataToken.ToInt32();
        int methodResolverToken = Params.ResolveMethodMD.MetadataToken.ToInt32();

        PT.InitProxyType(fieldResolverToken, methodResolverToken, Params.asmReflection);
        DoAntiProxy(PT, Params);
        // MarkMember(PT.Type) is disabled here.
    }

    return true;
}
/// <summary>
/// Second phase: finds the two resolver methods of the proxy scheme and derives the XOR keys
/// used by the token decoders.
/// </summary>
/// <remarks>
/// A method is chosen by the text of its instructions: the instruction string must contain
/// "Emit", and additionally "Newobj" (field resolver) or "Castclass" (method resolver).
/// Presumably this matches references to System.Reflection.Emit.OpCodes members - confirm
/// against GetInstructionString. When several methods match, the last one scanned wins.
/// </remarks>
/// <returns>Always <c>true</c>.</returns>
public static bool Phase2()
{
    AntiProxyParams state = PhaseParam;

    foreach (var typeDef in AsmDef.MainModule.Types)
    {
        foreach (var method in typeDef.Methods)
        {
            if (method.HasBody)
            {
                foreach (var instruction in method.Body.Instructions)
                {
                    string text = instruction.GetInstructionString();
                    if (text.Contains("Emit"))
                    {
                        if (text.Contains("Newobj"))
                        {
                            state.ResolveFieldMD = method;
                        }

                        if (text.Contains("Castclass"))
                        {
                            state.ResolveMethodMD = method;
                        }
                    }
                }
            }
        }
    }

    // NOTE(review): if no method matched, ResolveFieldMD / ResolveMethodMD keep whatever value
    // they had before the scan (possibly null) and are passed on as-is - confirm that
    // GetInt32TokenOfDecodeFunction copes with that.
    state.XORTokenField = GetInt32TokenOfDecodeFunction(state.ResolveFieldMD);
    state.XORTokenMethod = GetInt32TokenOfDecodeFunction(state.ResolveMethodMD);

    return true;
}
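/// <summary>
/// First phase: resets <c>PhaseParam</c> and collects the candidate proxy types, i.e. every
/// type in <c>AsmDef.MainModule.Types</c> whose static constructor starts with an
/// <c>ldtoken</c> instruction.
/// </summary>
/// <remarks>
/// The module being scanned is untrusted input. A static constructor without a body, or with
/// an empty instruction list, is skipped instead of failing on <c>Instructions[0]</c>; this is
/// the same <c>HasBody</c> guard that Phase2 applies.
/// </remarks>
/// <returns>Always <c>true</c>.</returns>
public static bool Phase1()
{
    PhaseParam = new AntiProxyParams();
    PhaseParam.lstProxyTypes = new List<ProxyType>();

    foreach (var Type in AsmDef.MainModule.Types)
    {
        // First static constructor of the type, if it has one.
        MethodDefinition cctor = Type.Methods.FirstOrDefault(m => m.IsConstructor && m.Name == ".cctor");
        if (cctor == null || !cctor.HasBody || cctor.Body.Instructions.Count == 0)
        {
            continue;
        }

        if (cctor.Body.Instructions[0].OpCode.ToString().Contains("ldtoken"))
        {
            PhaseParam.lstProxyTypes.Add(new ProxyType(Type));
        }
    }

    return true;
}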
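/// <summary>
/// First phase: resets <c>PhaseParam</c> and collects the candidate proxy types, i.e. every
/// type in <c>AsmDef.MainModule.Types</c> whose static constructor starts with an
/// <c>ldtoken</c> instruction.
/// </summary>
/// <remarks>
/// The module being scanned is untrusted input. A static constructor without a body, or with
/// an empty instruction list, is skipped instead of failing on <c>Instructions[0]</c>; this is
/// the same <c>HasBody</c> guard that Phase2 applies.
/// </remarks>
/// <returns>Always <c>true</c>.</returns>
public static bool Phase1()
{
    PhaseParam = new AntiProxyParams();
    PhaseParam.lstProxyTypes = new List<ProxyType>();

    foreach (var Type in AsmDef.MainModule.Types)
    {
        // First static constructor of the type, if it has one.
        MethodDefinition cctor = Type.Methods.FirstOrDefault(m => m.IsConstructor && m.Name == ".cctor");
        if (cctor == null || !cctor.HasBody || cctor.Body.Instructions.Count == 0)
        {
            continue;
        }

        if (cctor.Body.Instructions[0].OpCode.ToString().Contains("ldtoken"))
        {
            PhaseParam.lstProxyTypes.Add(new ProxyType(Type));
        }
    }

    return true;
}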
/// <summary>
/// Replaces the calls that go through one proxy type with direct instructions on the real
/// targets.
/// </summary>
/// <remarks>
/// For every entry of <c>PT.arMethods</c> the matching entry of <c>PT.arProxyTypeDelegate</c>
/// selects the handling:
/// <c>NewObjectCall</c> - every call site becomes <c>newobj</c> on the decoded target;
/// <c>DirectMethodCall</c> - every call site becomes <c>call</c> or <c>callvirt</c> on the
/// decoded target, unless the target's declaring type is itself a known proxy type
/// (second-stage proxy). In that case the call sites are rewritten only when the second
/// proxy's first delegate is <c>NewObjectCall</c>; otherwise they are left untouched.
/// NOTE(review): every token is decoded from metadata of the assembly under analysis and goes
/// straight into Module.ResolveMethod, which throws when the token does not name a method;
/// nothing here catches that.
/// </remarks>
/// <param name="PT">Proxy type to process.</param>
/// <param name="Params">Shared state: reflection assembly, XOR keys and the proxy type list.</param>
/// <returns>Always <c>true</c>.</returns>
private static bool DoAntiProxy(ProxyType PT, AntiProxyParams Params)
{
    FunctionCallType CT = FunctionCallType.Call;

    for (int slot = 0; slot < PT.arMethods.Length; slot++)
    {
        if (PT.arProxyTypeDelegate[slot] == ProxyTypeDelegate.NewObjectCall)
        {
            int ctorToken = GetTokenForFieldDecode(PT, slot, Params);
            MethodReference ctorRef = AsmDef.MainModule.Import(
                Params.asmReflection.GetModules()[0].ResolveMethod(ctorToken));

            foreach (Instruction site in GetInstructionsWithMethodCall(PT.arMethods[slot]).ToArray())
            {
                site.OpCode = OpCodes.Newobj;
                site.Operand = ctorRef;
            }
        }

        if (PT.arProxyTypeDelegate[slot] == ProxyTypeDelegate.DirectMethodCall)
        {
            int targetToken = GetTokenForMethodDecode(PT, slot, Params, out CT);
            MethodReference targetRef = AsmDef.MainModule.Import(
                Params.asmReflection.GetModules()[0].ResolveMethod(targetToken));

            // Second-stage proxy: the decoded target lives in another proxy type.
            // The match is on the simple type name only.
            ProxyType secondStage = Params.lstProxyTypes
                .FirstOrDefault(m => m.Type.Name == targetRef.DeclaringType.Name);

            Instruction[] sites = GetInstructionsWithMethodCall(PT.arMethods[slot]);

            if (secondStage == null)
            {
                foreach (Instruction site in sites)
                {
                    if (CT == FunctionCallType.Call)
                    {
                        site.OpCode = OpCodes.Call;
                        site.Operand = targetRef;
                    }
                    else if (CT == FunctionCallType.Callvirt)
                    {
                        site.OpCode = OpCodes.Callvirt;
                        site.Operand = targetRef;
                    }
                }
            }
            else if (secondStage.arProxyTypeDelegate[0] == ProxyTypeDelegate.NewObjectCall)
            {
                // Only slot 0 of the second-stage proxy is looked at.
                int innerToken = GetTokenForFieldDecode(secondStage, 0, Params);
                MethodReference innerRef = AsmDef.MainModule.Import(
                    Params.asmReflection.GetModules()[0].ResolveMethod(innerToken));

                foreach (Instruction site in sites)
                {
                    site.OpCode = OpCodes.Newobj;
                    site.Operand = innerRef;
                }
            }
        }
    }

    return true;
}
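/// <summary>
/// Recovers the metadata token and the call kind hidden in the name of a proxy field.
/// <c>DoAntiProxy</c> uses it for the <c>DirectMethodCall</c> proxy kind.
/// </summary>
/// <remarks>
/// Decoding steps, in order: XOR the low byte of every character of the field name with its
/// index and Base64-decode the result. Byte 0 of the payload selects the call kind (13 means
/// <c>Callvirt</c>, any other value means <c>Call</c>); bytes 1..4 are read as an Int32 and
/// XOR-ed with <c>Params.XORTokenMethod</c>.
/// The field name comes from the assembly being analysed, so it is untrusted input: the decoded
/// length is checked before any byte is read.
/// </remarks>
/// <param name="PT">Proxy type whose <c>arFieldReflection</c> array holds the reflected fields.</param>
/// <param name="iIndex">Index of the field inside <c>PT.arFieldReflection</c>.</param>
/// <param name="Params">Supplies the XOR key <c>XORTokenMethod</c>.</param>
/// <param name="CT">Receives the call kind encoded in the first payload byte.</param>
/// <returns>The decoded token.</returns>
/// <exception cref="FormatException">
/// The un-masked name is not valid Base64, or it decodes to fewer than five bytes.
/// </exception>
private static int GetTokenForMethodDecode(ProxyType PT, int iIndex, AntiProxyParams Params, out FunctionCallType CT)
{
    string maskedName = PT.arFieldReflection[iIndex].Name;

    // Undo the per-character mask. Only the low byte of each character takes part, exactly as
    // in the original decoder.
    char[] unmasked = new char[maskedName.Length];
    for (int i = 0; i < unmasked.Length; i++)
    {
        unmasked[i] = (char)((byte)maskedName[i] ^ i);
    }

    byte[] payload = Convert.FromBase64String(new string(unmasked));

    // One marker byte plus a four-byte token.
    if (payload.Length < 1 + sizeof(int))
    {
        throw new FormatException(
            "Proxy field name decodes to " + payload.Length + " byte(s); at least 5 are needed to read a call kind and a token.");
    }

    CT = (payload[0] == 13) ? FunctionCallType.Callvirt : FunctionCallType.Call;
    return BitConverter.ToInt32(payload, 1) ^ Params.XORTokenMethod;
}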
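/// <summary>
/// Recovers the metadata token hidden in the name of a proxy field. <c>DoAntiProxy</c> uses it
/// for the <c>NewObjectCall</c> proxy kind.
/// </summary>
/// <remarks>
/// Decoding steps, in order: XOR the low byte of every character of the field name with its
/// index, Base64-decode the resulting string, read the first four bytes as an Int32 and XOR
/// that value with <c>Params.XORTokenField</c>.
/// The field name comes from the assembly being analysed, so it is untrusted input: the decoded
/// length is checked before the token is read instead of relying on BitConverter to fail.
/// </remarks>
/// <param name="PT">Proxy type whose <c>arFieldReflection</c> array holds the reflected fields.</param>
/// <param name="iIndex">Index of the field inside <c>PT.arFieldReflection</c>.</param>
/// <param name="Params">Supplies the XOR key <c>XORTokenField</c>.</param>
/// <returns>The decoded token.</returns>
/// <exception cref="FormatException">
/// The un-masked name is not valid Base64, or it decodes to fewer than four bytes.
/// </exception>
private static int GetTokenForFieldDecode(ProxyType PT, int iIndex, AntiProxyParams Params)
{
    string maskedName = PT.arFieldReflection[iIndex].Name;

    // Undo the per-character mask. Only the low byte of each character takes part, exactly as
    // in the original decoder.
    char[] unmasked = new char[maskedName.Length];
    for (int i = 0; i < unmasked.Length; i++)
    {
        unmasked[i] = (char)((byte)maskedName[i] ^ i);
    }

    byte[] payload = Convert.FromBase64String(new string(unmasked));
    if (payload.Length < sizeof(int))
    {
        throw new FormatException(
            "Proxy field name decodes to " + payload.Length + " byte(s); at least 4 are needed to read a token.");
    }

    return BitConverter.ToInt32(payload, 0) ^ Params.XORTokenField;
}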
/// <summary>
/// Replaces the calls that go through one proxy type with direct instructions on the real
/// targets.
/// </summary>
/// <remarks>
/// For every entry of <c>PT.arMethods</c> the matching entry of <c>PT.arProxyTypeDelegate</c>
/// selects the handling:
/// <c>NewObjectCall</c> - every call site becomes <c>newobj</c> on the decoded target;
/// <c>DirectMethodCall</c> - every call site becomes <c>call</c> or <c>callvirt</c> on the
/// decoded target, unless the target's declaring type is itself a known proxy type
/// (second-stage proxy). In that case the call sites are rewritten only when the second
/// proxy's first delegate is <c>NewObjectCall</c>; otherwise they are left untouched.
/// NOTE(review): every token is decoded from metadata of the assembly under analysis and goes
/// straight into Module.ResolveMethod, which throws when the token does not name a method;
/// nothing here catches that.
/// </remarks>
/// <param name="PT">Proxy type to process.</param>
/// <param name="Params">Shared state: reflection assembly, XOR keys and the proxy type list.</param>
/// <returns>Always <c>true</c>.</returns>
private static bool DoAntiProxy(ProxyType PT, AntiProxyParams Params)
{
    FunctionCallType CT = FunctionCallType.Call;

    for (int slot = 0; slot < PT.arMethods.Length; slot++)
    {
        if (PT.arProxyTypeDelegate[slot] == ProxyTypeDelegate.NewObjectCall)
        {
            int ctorToken = GetTokenForFieldDecode(PT, slot, Params);
            MethodReference ctorRef = AsmDef.MainModule.Import(
                Params.asmReflection.GetModules()[0].ResolveMethod(ctorToken));

            foreach (Instruction site in GetInstructionsWithMethodCall(PT.arMethods[slot]).ToArray())
            {
                site.OpCode = OpCodes.Newobj;
                site.Operand = ctorRef;
            }
        }

        if (PT.arProxyTypeDelegate[slot] == ProxyTypeDelegate.DirectMethodCall)
        {
            int targetToken = GetTokenForMethodDecode(PT, slot, Params, out CT);
            MethodReference targetRef = AsmDef.MainModule.Import(
                Params.asmReflection.GetModules()[0].ResolveMethod(targetToken));

            // Second-stage proxy: the decoded target lives in another proxy type.
            // The match is on the simple type name only.
            ProxyType secondStage = Params.lstProxyTypes
                .FirstOrDefault(m => m.Type.Name == targetRef.DeclaringType.Name);

            Instruction[] sites = GetInstructionsWithMethodCall(PT.arMethods[slot]);

            if (secondStage == null)
            {
                foreach (Instruction site in sites)
                {
                    if (CT == FunctionCallType.Call)
                    {
                        site.OpCode = OpCodes.Call;
                        site.Operand = targetRef;
                    }
                    else if (CT == FunctionCallType.Callvirt)
                    {
                        site.OpCode = OpCodes.Callvirt;
                        site.Operand = targetRef;
                    }
                }
            }
            else if (secondStage.arProxyTypeDelegate[0] == ProxyTypeDelegate.NewObjectCall)
            {
                // Only slot 0 of the second-stage proxy is looked at.
                int innerToken = GetTokenForFieldDecode(secondStage, 0, Params);
                MethodReference innerRef = AsmDef.MainModule.Import(
                    Params.asmReflection.GetModules()[0].ResolveMethod(innerToken));

                foreach (Instruction site in sites)
                {
                    site.OpCode = OpCodes.Newobj;
                    site.Operand = innerRef;
                }
            }
        }
    }

    return true;
}