From 5511ab833bd3ab24c2efd7e813080e8e8421ef13 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Fri, 6 Apr 2012 15:38:44 +0200
Subject: [PATCH] Update ldelema type, and add unbox.any and ldobj
---
 .../vm/CilOperandInstructionRestorer.cs | 20 +++++++++++++++----
 de4dot.code/deobfuscators/MethodStack.cs | 11 ++++++++++
 2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/de4dot.code/deobfuscators/CliSecure/vm/CilOperandInstructionRestorer.cs b/de4dot.code/deobfuscators/CliSecure/vm/CilOperandInstructionRestorer.cs
index 0963eea4..ee814803 100644
--- a/de4dot.code/deobfuscators/CliSecure/vm/CilOperandInstructionRestorer.cs
+++ b/de4dot.code/deobfuscators/CliSecure/vm/CilOperandInstructionRestorer.cs
@@ -53,13 +53,13 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
 break;
 case Code.Ldobj:
- operandType = MethodStack.getLoadedType(method, instrs, i, 0);
+ operandType = getPtrElementType(MethodStack.getLoadedType(method, instrs, i, 0));
 break;
 case Code.Stobj:
- operandType = MethodStack.getLoadedType(method, instrs, i, 1);
- if (operandType == null)
- operandType = MethodStack.getLoadedType(method, instrs, i, 0);
+ operandType = MethodStack.getLoadedType(method, instrs, i, 0);
+ if (!isValidType(operandType))
+ operandType = getPtrElementType(MethodStack.getLoadedType(method, instrs, i, 1));
 break;
 default:
@@ -76,6 +76,18 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
 return atLeastOneFailed;
 }
+ static TypeReference getPtrElementType(TypeReference type) {
+ if (type == null)
+ return null;
+ var pt = type as PointerType;
+ if (pt != null)
+ return pt.ElementType;
+ var bt = type as ByReferenceType;
+ if (bt != null)
+ return bt.ElementType;
+ return null;
+ }
+
 bool isValidType(TypeReference type) {
 if (type == null)
 return false;
diff --git a/de4dot.code/deobfuscators/MethodStack.cs b/de4dot.code/deobfuscators/MethodStack.cs
index 0b56256d..780cf0b9 100644
--- a/de4dot.code/deobfuscators/MethodStack.cs
+++ b/de4dot.code/deobfuscators/MethodStack.cs
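Review bot: In the `Code.Stobj` case of CilOperandInstructionRestorer.cs the value on top of the stack (index 0) is now preferred over the destination address (index 1), but the stack type of the value only has to be assignable to the `stobj` operand, so it can be wider or more derived than the slot being written. When the address resolves to a pointer or by-reference type, its element type is the closer match for the restored token; consider trying `getPtrElementType(MethodStack.getLoadedType(method, instrs, i, 1))` first and using index 0 only when that result is not valid. The fallback result is also not re-checked with `isValidType` inside the hunk; that check presumably follows the switch, which lies outside the visible lines.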
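Review bot: `getPtrElementType` only recognises a bare `PointerType` or `ByReferenceType`, so an address whose type is wrapped falls through to the final `return null`. A pinned local is one such case, since Mono.Cecil represents it as a `PinnedType` around the by-reference type, and a `modreq`/`modopt` wrapper is another. Whether `MethodStack.getLoadedType` can return such wrapped types is not visible here and should be confirmed; if it can, unwrap before the two `as` tests, e.g. `var pinned = type as PinnedType; if (pinned != null) type = pinned.ElementType;`. A one-line comment saying that null covers both "unknown type" and "not an address type" would also help, because callers cannot tell the two apart.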
@@ -192,6 +192,7 @@ namespace de4dot.code.deobfuscators {
 case Code.Castclass:
 case Code.Isinst:
+ case Code.Unbox_Any:
 fieldType = pushInstr.Operand as TypeReference;
 break;
@@ -225,6 +226,10 @@ namespace de4dot.code.deobfuscators {
 break;
 case Code.Ldelema:
+ fieldType = createByReferenceType(pushInstr.Operand as TypeReference);
+ break;
+
+ case Code.Ldobj:
 fieldType = pushInstr.Operand as TypeReference;
 break;
@@ -235,6 +240,12 @@ namespace de4dot.code.deobfuscators {
 return fieldType;
 }
+ static ByReferenceType createByReferenceType(TypeReference elementType) {
+ if (elementType == null)
+ return null;
+ return new ByReferenceType(elementType);
+ }
+
 static Instruction getPreviousInstruction(IList instructions, ref int instrIndex) {
 while (true) {
 instrIndex--;
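Review bot: `Code.Unbox_Any` is added next to `Castclass`/`Isinst` in MethodStack.cs, but plain `Code.Unbox` does not appear in the visible cases. `unbox T` followed by `ldobj T` is a sequence the new `Ldobj` case in CilOperandInstructionRestorer has to resolve. `unbox` pushes a managed pointer, so with the `createByReferenceType` helper from this patch it could be handled as `case Code.Unbox: fieldType = createByReferenceType(pushInstr.Operand as TypeReference); break;`. The rest of the switch lies outside the hunk, so it may already be covered there.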
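Review bot: Returning a `ByReferenceType` for `Code.Ldelema` changes what every existing caller of `getLoadedType` receives for that opcode, not only the CliSecure restorer updated in this commit. Callers elsewhere that treated the result as the element type, for example to compare it with a field or parameter type, would now see `T&`. Those call sites are outside this diff and need checking. A comment on the case such as `// ldelema pushes a managed pointer (T&), not T` would make the changed contract explicit.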