示例#1
            /// <summary>
            /// Overwrites the signature blob of every proxy field recorded for the current module so that
            /// its last eight bytes carry a masked copy of the target member token. In native mode it then
            /// flags the decoder method's row as a native, unmanaged, PInvokeImpl method located at the
            /// emitted stub.
            /// </summary>
            /// <param name="parameters">Not read by this method.</param>
            /// <param name="accessor">Gives access to the metadata tables, the blob heap and the body ranges that are modified in place.</param>
            public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
            {
                // Per-module state, keyed by the module currently being written.
                _Context txt = cc.txts[accessor.Module];

                var fieldTbl = accessor.TableHeap.GetTable<FieldTable>(Table.Field);
                foreach (var i in txt.txts)
                {
                    // Table rows are indexed from 0, RIDs from 1.
                    var fieldRow = fieldTbl[(int)i.fld.MetadataToken.RID - 1];

                    TypeReference typeRef = i.fld.FieldType;
                    // Col3 is used as an offset into the blob heap; presumably the field's signature column.
                    accessor.BlobHeap.Position = (int)fieldRow.Col3;
                    int len = (int)accessor.BlobHeap.ReadCompressedUInt32();
                    // s = first byte of the blob payload, just after the length prefix.
                    int s = accessor.BlobHeap.Position;
                    // Rewrite the head of the blob in place: 0x6 (the field-signature marker in ECMA-335),
                    // an element type of ValueType or Class, then the coded TypeDefOrRef token of the
                    // field type's element type.
                    accessor.BlobHeap.WriteByte(0x6);
                    accessor.BlobHeap.WriteByte((byte)(typeRef.IsValueType ? ElementType.ValueType : ElementType.Class));
                    accessor.BlobHeap.WriteCompressedUInt32(CodedIndex.TypeDefOrRef.CompressMetadataToken(accessor.LookupToken(typeRef.GetElementType())));
                    // Zero the rest of the blob. The blob is not resized, so len must already be large
                    // enough for the header above plus the 8-byte tail below; nothing here enforces that.
                    int l = len - (accessor.BlobHeap.Position - s);
                    for (int z = 0; z < l; z++)
                        accessor.BlobHeap.WriteByte(0);

                    // The encoded token occupies the final eight bytes of the blob.
                    accessor.BlobHeap.Position = s + len - 8;
                    byte[] b;
                    // Masked RID: the expression evaluated over the RID in native mode, otherwise RID XOR key.
                    // Only b[0]..b[3] are used below.
                    if (txt.isNative)
                        b = BitConverter.GetBytes(ExpressionEvaluator.Evaluate(txt.exp, (int)i.token.RID));
                    else
                        b = BitConverter.GetBytes(i.token.RID ^ txt.key);
                    // Tail layout: [filler] [token type] [b0] [b1] [filler] [b2] [b3] [0].
                    // Each filler byte has its top two bits set and six random low bits.
                    accessor.BlobHeap.WriteByte((byte)(((byte)Random.Next() & 0x3f) | 0xc0));
                    // High byte of the token type, i.e. the metadata table id of the target.
                    accessor.BlobHeap.WriteByte((byte)((uint)i.token.TokenType >> 24));
                    accessor.BlobHeap.WriteByte(b[0]);
                    accessor.BlobHeap.WriteByte(b[1]);
                    accessor.BlobHeap.WriteByte((byte)(((byte)Random.Next() & 0x3f) | 0xc0));
                    accessor.BlobHeap.WriteByte(b[2]);
                    accessor.BlobHeap.WriteByte(b[3]);
                    accessor.BlobHeap.WriteByte(0);

                    // Holds only when the length prefix was one byte and the tail ended exactly at the end
                    // of the blob. Debug.Assert is compiled out of release builds, so a blob of unexpected
                    // size would be overwritten there without any check.
                    System.Diagnostics.Debug.Assert(accessor.BlobHeap.Position - (int)fieldRow.Col3 == len + 1);

                    // fieldRow is not modified above; the row is stored back as read.
                    fieldTbl[(int)i.fld.MetadataToken.RID - 1] = fieldRow;
                }

                // The remaining work applies only to the native decoder variant.
                if (!txt.isNative) return;

                var tbl = accessor.TableHeap.GetTable<MethodTable>(Table.Method);
                var row = tbl[(int)txt.nativeDecr.MetadataToken.RID - 1];
                // Col2 receives implementation flags and Col3 method flags; Col1 is set to the start of
                // the native range, consistent with the RVA column of the Method table.
                row.Col2 = MethodImplAttributes.Native | MethodImplAttributes.Unmanaged | MethodImplAttributes.PreserveSig;
                row.Col3 &= ~MethodAttributes.Abstract;
                row.Col3 |= MethodAttributes.PInvokeImpl;
                row.Col1 = txt.nativeRange.Start;
                // Register the native range as this method's body range.
                accessor.BodyRanges[txt.nativeDecr.MetadataToken] = txt.nativeRange;

                tbl[(int)txt.nativeDecr.MetadataToken.RID - 1] = row;

                // Left disabled by the author: clearing ILOnly on the module.
                //accessor.Module.Attributes &= ~ModuleAttributes.ILOnly;
            }
示例#2
            /// <summary>
            /// Shuffles the module's proxy entries, resolves each entry's target token, renames the proxy
            /// fields that are still unnamed and gives each a distinct generic-instance field type. In
            /// native mode it also assembles a small x86 stub around the visitor's instructions and
            /// appends it to the code stream.
            /// </summary>
            /// <param name="parameters">Not read by this method.</param>
            /// <param name="accessor">Gives access to token lookup, the module's type system and the code stream being written.</param>
            public override void Process(NameValueCollection parameters, MetadataProcessor.MetadataAccessor accessor)
            {
                // Per-module state, keyed by the module currently being written.
                _Context _txt = cc.txts[accessor.Module];
                // Randomise entry order by swapping each slot with a randomly chosen slot.
                // NOTE(review): j is drawn from the whole list on every step rather than from the
                // unshuffled remainder, so this is not a Fisher-Yates shuffle; assumes Random.Next(min, max)
                // excludes max as System.Random does - confirm.
                for (int i = 0; i < _txt.txts.Count; i++)
                {
                    int j = Random.Next(0, _txt.txts.Count);
                    var tmp = _txt.txts[i];
                    _txt.txts[i] = _txt.txts[j];
                    _txt.txts[j] = tmp;
                }

                // Nameless placeholder type that only serves as owner of the generic parameters created below.
                TypeDefinition typeDef = new TypeDefinition("", "", 0);

                foreach (Context txt in _txt.txts)
                {
                    txt.token = accessor.LookupToken(txt.mtdRef);
                    // Only fields whose name still starts with '\0' are renamed and retyped below.
                    // Name[0] throws on an empty name; presumably an earlier phase guarantees the marker.
                    if (txt.fld.Name[0] != '\0') continue;
                    txt.fld.Name = " \n" + ObfuscationHelper.GetRandomName();

                    // Workaround for Cecil: make every field's type differ so that each field gets its
                    // own signature. The distinguishing part is a generic parameter chosen by the
                    // field's 1-based position within its declaring type.
                    int pos = txt.fld.DeclaringType.Fields.IndexOf(txt.fld) + 1;
                    while (typeDef.GenericParameters.Count < pos)
                        typeDef.GenericParameters.Add(new GenericParameter(typeDef));

                    // Five Object arguments followed by the per-field generic parameter.
                    // NOTE(review): the Object arguments look like padding that enlarges the signature
                    // blob for a later phase to overwrite - confirm.
                    txt.fld.FieldType = new GenericInstanceType(txt.fld.FieldType)
                    {
                        GenericArguments =
                        {
                            accessor.Module.TypeSystem.Object,
                            accessor.Module.TypeSystem.Object,
                            accessor.Module.TypeSystem.Object,
                            accessor.Module.TypeSystem.Object,
                            accessor.Module.TypeSystem.Object,
                            typeDef.GenericParameters[pos - 1]
                        }
                    };

                    // Record target -> field name and field name -> original operand in the database.
                    Database.AddEntry("CtorProxy", txt.mtdRef.FullName, txt.fld.Name);
                    Database.AddEntry("CtorProxy", txt.fld.Name, txt.inst.Operand.ToString());
                }
                // The remaining work applies only to the native decoder variant.
                if (!_txt.isNative) return;

                // The stub starts at the current end of the code stream; the length is filled in at the end.
                _txt.nativeRange = new Range(accessor.Codebase + (uint)accessor.Codes.Position, 0);
                MemoryStream ms = new MemoryStream();
                using (BinaryWriter wtr = new BinaryWriter(ms))
                {
                    // Prologue: measure how far three pushes move the stack pointer.
                    // NOTE(review): 24 matches three 8-byte pushes, so the comparison presumably
                    // distinguishes 64-bit from 32-bit execution of the same bytes - confirm.
                    wtr.Write(new byte[] { 0x89, 0xe0 });   //   mov eax, esp
                    wtr.Write(new byte[] { 0x53 });   //   push ebx
                    wtr.Write(new byte[] { 0x57 });   //   push edi
                    wtr.Write(new byte[] { 0x56 });   //   push esi
                    wtr.Write(new byte[] { 0x29, 0xe0 });   //   sub eax, esp
                    wtr.Write(new byte[] { 0x83, 0xf8, 0x18 });   //   cmp eax, 24
                    wtr.Write(new byte[] { 0x74, 0x07 });   //   je n
                    wtr.Write(new byte[] { 0x8b, 0x44, 0x24, 0x10 });   //   mov eax, [esp + 16]  (disp8 is 0x10; the slot that was [esp + 4] before the three 4-byte pushes)
                    wtr.Write(new byte[] { 0x50 });   //   push eax
                    wtr.Write(new byte[] { 0xeb, 0x01 });   //   jmp z
                    wtr.Write(new byte[] { 0x51 });   //n: push ecx
                    x86Register ret;                                    //z:
                    // Body: the instructions produced by the visitor; ret names the register holding the result.
                    var insts = _txt.visitor.GetInstructions(out ret);
                    foreach (var i in insts)
                        wtr.Write(i.Assemble());
                    // Move the result into EAX when the visitor left it in another register.
                    if (ret != x86Register.EAX)
                        wtr.Write(
                            new x86Instruction()
                            {
                                OpCode = x86OpCode.MOV,
                                Operands = new Ix86Operand[]
                                {
                                    new x86RegisterOperand() { Register = x86Register.EAX },
                                    new x86RegisterOperand() { Register = ret }
                                }
                            }.Assemble());
                    // Epilogue: restore the saved registers in reverse order and return.
                    wtr.Write(new byte[] { 0x5e });   //pop esi
                    wtr.Write(new byte[] { 0x5f });   //pop edi
                    wtr.Write(new byte[] { 0x5b });   //pop ebx
                    wtr.Write(new byte[] { 0xc3 });   //ret
                    // Zero padding up to the next multiple of four bytes.
                    wtr.Write(new byte[((ms.Length + 3) & ~3) - ms.Length]);
                }
                // ToArray is still valid after the writer has closed the stream.
                byte[] codes = ms.ToArray();
                // The raw stub bytes are also recorded in the database under "Native".
                Database.AddEntry("CtorProxy", "Native", codes);
                accessor.Codes.WriteBytes(codes);
                accessor.SetCodePosition(accessor.Codebase + (uint)accessor.Codes.Position);
                _txt.nativeRange.Length = (uint)codes.Length;
            }