2011-12-29 15:26:36 +08:00
|
|
|
|
/*
|
2013-01-02 00:03:16 +08:00
|
|
|
|
Copyright (C) 2011-2013 de4dot@gmail.com
|
2011-12-29 15:26:36 +08:00
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
using System;
|
|
|
|
|
using System.Collections.Generic;
|
2012-12-20 09:06:09 +08:00
|
|
|
|
using dnlib.DotNet;
|
|
|
|
|
using dnlib.DotNet.Emit;
|
2011-12-29 15:26:36 +08:00
|
|
|
|
using de4dot.blocks;
|
|
|
|
|
|
|
|
|
|
namespace de4dot.code.deobfuscators.Goliath_NET {
|
2012-05-29 17:13:39 +08:00
|
|
|
|
class ProxyCallFixer : ProxyCallFixer2 {
|
2012-11-18 10:02:12 +08:00
|
|
|
|
public ProxyCallFixer(ModuleDefMD module)
|
2011-12-29 15:26:36 +08:00
|
|
|
|
: base(module) {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
class MyInfo {
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public MethodDef method;
|
2011-12-29 15:26:36 +08:00
|
|
|
|
public DelegateInfo delegateInfo;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public MyInfo(MethodDef method, DelegateInfo delegateInfo) {
|
2011-12-29 15:26:36 +08:00
|
|
|
|
this.method = method;
|
|
|
|
|
this.delegateInfo = delegateInfo;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public new void Find() {
|
2012-11-11 12:31:11 +08:00
|
|
|
|
Logger.v("Finding all proxy delegates");
|
2011-12-29 15:26:36 +08:00
|
|
|
|
var infos = new List<MyInfo>();
|
|
|
|
|
foreach (var type in module.GetTypes()) {
|
|
|
|
|
if (type.BaseType == null || type.BaseType.FullName != "System.MulticastDelegate")
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
infos.Clear();
|
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
DelegateInfo info;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (!CheckProxyMethod(method, out info))
|
2011-12-29 15:26:36 +08:00
|
|
|
|
continue;
|
|
|
|
|
infos.Add(new MyInfo(method, info));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (infos.Count == 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
Logger.v("Found proxy delegate: {0} ({1:X8})", Utils.RemoveNewlines(type), type.MDToken.ToUInt32());
|
2011-12-29 15:26:36 +08:00
|
|
|
|
RemovedDelegateCreatorCalls++;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
Logger.Instance.Indent();
|
2011-12-29 15:26:36 +08:00
|
|
|
|
foreach (var info in infos) {
|
|
|
|
|
var di = info.delegateInfo;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
Add(info.method, di);
|
2012-11-11 12:31:11 +08:00
|
|
|
|
Logger.v("Field: {0}, Opcode: {1}, Method: {2} ({3:X8})",
|
2013-01-19 20:03:57 +08:00
|
|
|
|
Utils.RemoveNewlines(di.field.Name),
|
2012-01-14 18:59:01 +08:00
|
|
|
|
di.callOpcode,
|
2013-01-19 20:03:57 +08:00
|
|
|
|
Utils.RemoveNewlines(di.methodRef),
|
2012-11-02 22:57:11 +08:00
|
|
|
|
di.methodRef.MDToken.ToUInt32());
|
2011-12-29 15:26:36 +08:00
|
|
|
|
}
|
2013-01-19 20:03:57 +08:00
|
|
|
|
Logger.Instance.DeIndent();
|
2011-12-29 15:26:36 +08:00
|
|
|
|
delegateTypesDict[type] = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
bool CheckProxyMethod(MethodDef method, out DelegateInfo info) {
|
2011-12-29 15:26:36 +08:00
|
|
|
|
info = null;
|
|
|
|
|
if (!method.IsStatic || method.Body == null)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
if (instrs.Count < 7)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
int index = 0;
|
|
|
|
|
|
|
|
|
|
if (instrs[index].OpCode.Code != Code.Ldsfld)
|
|
|
|
|
return false;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
var field = instrs[index++].Operand as FieldDef;
|
2011-12-29 15:26:36 +08:00
|
|
|
|
if (field == null || !field.IsStatic)
|
|
|
|
|
return false;
|
2012-11-18 10:02:12 +08:00
|
|
|
|
if (!new SigComparer().Equals(method.DeclaringType, field.DeclaringType))
|
2011-12-29 15:26:36 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
2012-11-18 10:02:12 +08:00
|
|
|
|
if (!instrs[index++].IsBrtrue())
|
2011-12-29 15:26:36 +08:00
|
|
|
|
return false;
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Ldnull)
|
|
|
|
|
return false;
|
|
|
|
|
if (instrs[index].OpCode.Code != Code.Ldftn)
|
|
|
|
|
return false;
|
2012-11-18 10:02:12 +08:00
|
|
|
|
var calledMethod = instrs[index++].Operand as IMethod;
|
2011-12-29 15:26:36 +08:00
|
|
|
|
if (calledMethod == null)
|
|
|
|
|
return false;
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Newobj)
|
|
|
|
|
return false;
|
|
|
|
|
if (instrs[index].OpCode.Code != Code.Stsfld)
|
|
|
|
|
return false;
|
2012-11-18 10:02:12 +08:00
|
|
|
|
if (!new SigComparer().Equals(field, instrs[index++].Operand as IField))
|
2011-12-29 15:26:36 +08:00
|
|
|
|
return false;
|
|
|
|
|
if (instrs[index].OpCode.Code != Code.Ldsfld)
|
|
|
|
|
return false;
|
2012-11-18 10:02:12 +08:00
|
|
|
|
if (!new SigComparer().Equals(field, instrs[index++].Operand as IField))
|
2011-12-29 15:26:36 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
2012-11-18 10:02:12 +08:00
|
|
|
|
var sig = method.MethodSig;
|
|
|
|
|
if (sig == null)
|
|
|
|
|
return false;
|
|
|
|
|
for (int i = 0; i < sig.Params.Count; i++) {
|
2011-12-29 15:26:36 +08:00
|
|
|
|
if (index >= instrs.Count)
|
|
|
|
|
return false;
|
2012-11-18 10:02:12 +08:00
|
|
|
|
if (instrs[index++].GetParameterIndex() != i)
|
2011-12-29 15:26:36 +08:00
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (index + 2 > instrs.Count)
|
|
|
|
|
return false;
|
|
|
|
|
var call = instrs[index++];
|
|
|
|
|
if (call.OpCode.Code != Code.Callvirt)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Ret)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
info = new DelegateInfo(field, calledMethod, OpCodes.Call);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
protected override object CheckCctor(TypeDef type, MethodDef cctor) {
|
2011-12-29 15:26:36 +08:00
|
|
|
|
throw new System.NotImplementedException();
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
protected override void GetCallInfo(object context, FieldDef field, out IMethod calledMethod, out OpCode callOpcode) {
|
2011-12-29 15:26:36 +08:00
|
|
|
|
throw new System.NotImplementedException();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|