public void AddInitializeArrayCode(Block block, int start, int numToRemove, ITypeDefOrRef elementType, byte[] data) { int index = start; block.Replace(index++, numToRemove, Instruction.CreateLdcI4(data.Length / elementType.ToTypeSig().ElementType.GetPrimitiveSize())); block.Insert(index++, OpCodes.Newarr.ToInstruction(elementType)); block.Insert(index++, OpCodes.Dup.ToInstruction()); block.Insert(index++, OpCodes.Ldtoken.ToInstruction((IField)Create(data))); block.Insert(index++, OpCodes.Call.ToInstruction((IMethod)InitializeArrayMethod)); }
protected override bool Deobfuscate(Block block) { bool modified = false; instructionEmulator.Initialize(Blocks, AllBlocks[0] == block); var instrs = block.Instructions; for (int i = 0; i < instrs.Count; i++) { var instr = instrs[i]; switch (instr.OpCode.Code) { case Code.Ldarg: case Code.Ldarg_0: case Code.Ldarg_1: case Code.Ldarg_2: case Code.Ldarg_3: case Code.Ldarg_S: modified |= FixLoadInstruction(block, i, instructionEmulator.GetArg(instr.Instruction.GetParameter(args))); break; case Code.Ldloc: case Code.Ldloc_0: case Code.Ldloc_1: case Code.Ldloc_2: case Code.Ldloc_3: case Code.Ldloc_S: modified |= FixLoadInstruction(block, i, instructionEmulator.GetLocal(instr.Instruction.GetLocal(Blocks.Locals))); break; case Code.Ldarga: case Code.Ldarga_S: instructionEmulator.MakeArgUnknown((Parameter)instr.Operand); break; case Code.Ldloca: case Code.Ldloca_S: instructionEmulator.MakeLocalUnknown((Local)instr.Operand); break; case Code.Add: case Code.Add_Ovf: case Code.Add_Ovf_Un: case Code.And: case Code.Ceq: case Code.Cgt: case Code.Cgt_Un: case Code.Clt: case Code.Clt_Un: case Code.Conv_I: case Code.Conv_I1: case Code.Conv_I2: case Code.Conv_I4: case Code.Conv_I8: case Code.Conv_Ovf_I: case Code.Conv_Ovf_I_Un: case Code.Conv_Ovf_I1: case Code.Conv_Ovf_I1_Un: case Code.Conv_Ovf_I2: case Code.Conv_Ovf_I2_Un: case Code.Conv_Ovf_I4: case Code.Conv_Ovf_I4_Un: case Code.Conv_Ovf_I8: case Code.Conv_Ovf_I8_Un: case Code.Conv_Ovf_U: case Code.Conv_Ovf_U_Un: case Code.Conv_Ovf_U1: case Code.Conv_Ovf_U1_Un: case Code.Conv_Ovf_U2: case Code.Conv_Ovf_U2_Un: case Code.Conv_Ovf_U4: case Code.Conv_Ovf_U4_Un: case Code.Conv_Ovf_U8: case Code.Conv_Ovf_U8_Un: case Code.Conv_R_Un: case Code.Conv_R4: case Code.Conv_R8: case Code.Conv_U: case Code.Conv_U1: case Code.Conv_U2: case Code.Conv_U4: case Code.Conv_U8: case Code.Div: case Code.Div_Un: case Code.Dup: case Code.Mul: case Code.Mul_Ovf: case Code.Mul_Ovf_Un: case Code.Neg: case Code.Not: case Code.Or: case Code.Rem: case Code.Rem_Un: case Code.Shl: case Code.Shr: case Code.Shr_Un: case Code.Sub: case Code.Sub_Ovf: case Code.Sub_Ovf_Un: case Code.Xor: if (DisableNewCode) break; if (i + 1 < instrs.Count && instrs[i + 1].OpCode.Code == Code.Pop) break; if (!VerifyValidArgs(instr.Instruction)) break; instructionEmulator.Emulate(instr.Instruction); var tos = instructionEmulator.Peek(); Instruction newInstr = null; if (tos.IsInt32()) { var val = (Int32Value)tos; if (val.AllBitsValid()) newInstr = Instruction.CreateLdcI4(val.Value); } else if (tos.IsInt64()) { var val = (Int64Value)tos; if (val.AllBitsValid()) newInstr = OpCodes.Ldc_I8.ToInstruction(val.Value); } else if (tos.IsReal8()) { var val = (Real8Value)tos; if (val.IsValid) newInstr = GetLoadRealInstruction(val.Value); } if (newInstr != null) { block.Insert(i + 1, Instruction.Create(OpCodes.Pop)); block.Insert(i + 2, newInstr); i += 2; modified = true; } continue; } try { instructionEmulator.Emulate(instr.Instruction); } catch (NullReferenceException) { // Here if eg. invalid metadata token in a call instruction (operand is null) break; } } return modified; }
bool AddCast(Block block, int castIndex, int index, TypeSig type) { if (type == null) return false; if (castIndex >= block.Instructions.Count || index >= block.Instructions.Count) return false; var stloc = block.Instructions[index]; if (!stloc.IsStloc()) return false; var local = stloc.Instruction.GetLocal(blocks.Locals); if (local == null) return false; var localInfo = localInfos[local]; if (localInfo.CastType == null) return false; if (!new SigComparer().Equals(localInfo.CastType, type)) block.Insert(castIndex, new Instruction(OpCodes.Castclass, localInfo.CastType)); return true; }
void Update(Block block, NewMethodInfo currentMethodInfo) { var instrs = block.Instructions; for (int i = 0; i < instrs.Count; i++) { var instr = instrs[i]; if (instr.OpCode == OpCodes.Newobj) { var ctor = (IMethod)instr.Operand; var ctorTypeFullName = ctor.DeclaringType.FullName; if (ctorTypeFullName == "System.Diagnostics.StackTrace") { InsertLoadThis(block, i + 1); InsertCallOurMethod(block, i + 2, "static_RtFixStackTrace"); i += 2; continue; } else if (ctorTypeFullName == "System.Diagnostics.StackFrame") { InsertLoadThis(block, i + 1); InsertCallOurMethod(block, i + 2, "static_RtFixStackFrame"); i += 2; continue; } } if (instr.OpCode == OpCodes.Call || instr.OpCode == OpCodes.Callvirt) { var calledMethod = (IMethod)instr.Operand; if (calledMethod.DeclaringType.DefinitionAssembly.IsCorLib()) { var calledMethodFullName = calledMethod.FullName; if (calledMethodFullName == "System.Reflection.Assembly System.Reflection.Assembly::GetAssembly(System.Type)") { block.Replace(i, 1, OpCodes.Nop.ToInstruction()); InsertLoadThis(block, i + 1); InsertCallOurMethod(block, i + 2, "static_RtGetAssembly_TypeArg"); i += 2; continue; } else if (calledMethodFullName == "System.Reflection.Assembly System.Reflection.Assembly::GetCallingAssembly()" || calledMethodFullName == "System.Reflection.Assembly System.Reflection.Assembly::GetEntryAssembly()" || calledMethodFullName == "System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()") { block.Replace(i, 1, OpCodes.Nop.ToInstruction()); InsertLoadThis(block, i + 1); block.Insert(i + 2, OpCodes.Ldc_I4.ToInstruction(currentMethodInfo.delegateIndex)); InsertCallOurMethod(block, i + 3, "RtGetAssembly"); i += 3; continue; } } var method = Resolver.GetMethod((IMethod)instr.Operand); if (method != null) { CreateMethod(method.methodBase); var newMethodInfo = realMethodToNewMethod[method.methodBase]; block.Replace(i, 1, OpCodes.Nop.ToInstruction()); int n = i + 1; // Pop all pushed args to a temp array var mparams = GetParameters(method.methodDef); if (mparams.Count > 0) { block.Insert(n++, OpCodes.Ldc_I4.ToInstruction(mparams.Count)); var objectType = method.methodDef.DeclaringType.Module.CorLibTypes.Object; block.Insert(n++, OpCodes.Newarr.ToInstruction(objectType)); block.Insert(n++, Create(OpCodes.Stloc, new Operand(Operand.Type.TempObjArray))); for (int j = mparams.Count - 1; j >= 0; j--) { var argType = mparams[j]; if (argType.RemovePinnedAndModifiers().IsValueType) block.Insert(n++, OpCodes.Box.ToInstruction(((TypeDefOrRefSig)argType).TypeDefOrRef)); block.Insert(n++, Create(OpCodes.Stloc, new Operand(Operand.Type.TempObj))); block.Insert(n++, Create(OpCodes.Ldloc, new Operand(Operand.Type.TempObjArray))); block.Insert(n++, OpCodes.Ldc_I4.ToInstruction(j)); block.Insert(n++, Create(OpCodes.Ldloc, new Operand(Operand.Type.TempObj))); block.Insert(n++, OpCodes.Stelem_Ref.ToInstruction()); } } // Push delegate instance InsertLoadThis(block, n++); block.Insert(n++, OpCodes.Ldc_I4.ToInstruction(newMethodInfo.delegateIndex)); InsertCallOurMethod(block, n++, "RtGetDelegateInstance"); block.Insert(n++, Create(OpCodes.Castclass, new Operand(Operand.Type.ReflectionType, newMethodInfo.delegateType))); // Push all popped args if (mparams.Count > 0) { for (int j = 0; j < mparams.Count; j++) { block.Insert(n++, Create(OpCodes.Ldloc, new Operand(Operand.Type.TempObjArray))); block.Insert(n++, OpCodes.Ldc_I4.ToInstruction(j)); block.Insert(n++, OpCodes.Ldelem_Ref.ToInstruction()); var argType = mparams[j]; if (argType.RemovePinnedAndModifiers().IsValueType) block.Insert(n++, OpCodes.Unbox_Any.ToInstruction(((TypeDefOrRefSig)argType).TypeDefOrRef)); else { // Don't cast it to its correct type. This will sometimes cause // an exception in some EF obfuscated assembly since we'll be // trying to cast a System.Reflection.AssemblyName type to some // other type. // block.insert(n++, Instruction.Create(OpCodes.Castclass, argType.ToTypeDefOrRef())); } } } InsertLoadThis(block, n++); block.Insert(n++, Create(OpCodes.Call, new Operand(Operand.Type.NewMethod, method.methodBase))); i = n - 1; continue; } } } }
int InsertCallOurMethod(Block block, int i, string methodName) { block.Insert(i, Create(OpCodes.Call, new Operand(Operand.Type.OurMethod, methodName))); return 1; }
// Inserts ldarg THIS, and returns number of instructions inserted at 'i' int InsertLoadThis(Block block, int i) { block.Insert(i, Create(OpCodes.Ldarg, new Operand(Operand.Type.ThisArg))); return 1; }
protected override bool Deobfuscate(Block block) { bool modified = false; var instrs = block.Instructions; var constantsReader = CreateConstantsReader(instrs); for (int i = 0; i < instrs.Count; i++) { int index = 0; Instruction newInstr = null; var instr = instrs[i]; if (constantsReader.IsLoadConstantInt32(instr.Instruction)) { index = i; int val; if (!constantsReader.GetInt32(ref index, out val)) continue; newInstr = Instruction.CreateLdcI4(val); } else if (constantsReader.IsLoadConstantInt64(instr.Instruction)) { index = i; long val; if (!constantsReader.GetInt64(ref index, out val)) continue; newInstr = Instruction.Create(OpCodes.Ldc_I8, val); } else if (constantsReader.IsLoadConstantDouble(instr.Instruction)) { index = i; double val; if (!constantsReader.GetDouble(ref index, out val)) continue; newInstr = Instruction.Create(OpCodes.Ldc_R8, val); } if (newInstr != null && index - i > 1) { block.Insert(index++, Instruction.Create(OpCodes.Pop)); block.Insert(index++, newInstr); i = index - 1; constantsReader = CreateConstantsReader(instrs); modified = true; continue; } // Convert ldc.r4/r8 followed by conv to the appropriate ldc.i4/i8 instr if (i + 1 < instrs.Count && (instr.OpCode.Code == Code.Ldc_R4 || instr.OpCode.Code == Code.Ldc_R8)) { var conv = instrs[i + 1]; int vali32 = instr.OpCode.Code == Code.Ldc_R4 ? (int)(float)instr.Operand : (int)(double)instr.Operand; long vali64 = instr.OpCode.Code == Code.Ldc_R4 ? (long)(float)instr.Operand : (long)(double)instr.Operand; uint valu32 = instr.OpCode.Code == Code.Ldc_R4 ? (uint)(float)instr.Operand : (uint)(double)instr.Operand; ulong valu64 = instr.OpCode.Code == Code.Ldc_R4 ? (ulong)(float)instr.Operand : (ulong)(double)instr.Operand; switch (conv.OpCode.Code) { case Code.Conv_I1: newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (sbyte)(float)instr.Operand : (sbyte)(double)instr.Operand); break; case Code.Conv_U1: newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (byte)(float)instr.Operand : (byte)(double)instr.Operand); break; case Code.Conv_I2: newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (short)(float)instr.Operand : (short)(double)instr.Operand); break; case Code.Conv_U2: newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (ushort)(float)instr.Operand : (ushort)(double)instr.Operand); break; case Code.Conv_I4: newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (int)(float)instr.Operand : (int)(double)instr.Operand); break; case Code.Conv_U4: newInstr = Instruction.CreateLdcI4(instr.OpCode.Code == Code.Ldc_R4 ? (int)(uint)(float)instr.Operand : (int)(uint)(double)instr.Operand); break; case Code.Conv_I8: newInstr = Instruction.Create(OpCodes.Ldc_I8, instr.OpCode.Code == Code.Ldc_R4 ? (long)(float)instr.Operand : (long)(double)instr.Operand); break; case Code.Conv_U8: newInstr = Instruction.Create(OpCodes.Ldc_I8, instr.OpCode.Code == Code.Ldc_R4 ? (ulong)(float)instr.Operand : (ulong)(double)instr.Operand); break; default: newInstr = null; break; } if (newInstr != null) { block.Replace(i, 2, newInstr); constantsReader = CreateConstantsReader(instrs); modified = true; continue; } } } return modified; }