/* Copyright (C) 2011-2015 de4dot@gmail.com This file is part of de4dot. de4dot is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. de4dot is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with de4dot. If not, see . */ using System; using System.Collections.Generic; using System.IO; using System.Text; using dnlib.DotNet; using dnlib.DotNet.Emit; using de4dot.blocks; namespace de4dot.code.deobfuscators.Confuser { class ProxyCallFixer : ProxyCallFixer2, IVersionProvider, IDisposable { MethodDefAndDeclaringTypeDict methodToInfo = new MethodDefAndDeclaringTypeDict(); FieldDefAndDeclaringTypeDict> fieldToMethods = new FieldDefAndDeclaringTypeDict>(); string ourAsm; ConfuserVersion version = ConfuserVersion.Unknown; byte[] fileData; x86Emulator x86emu; ushort callvirtChar; bool foundNewobjProxy; enum ConfuserVersion { Unknown, v10_r42915, v10_r42919, v10_r48717, v11_r50378, v12_r54564, v13_r55346, v13_r55604, v14_r58564, v14_r58802, v14_r58857, v16_r66631, v16_r70489, v17_r73479, v17_r73740_normal, v17_r73740_native, v17_r74708_normal, v17_r74708_native, v18_r75367_normal, v18_r75367_native, v18_r75369_normal, v18_r75369_native, v19_r76101_normal, v19_r76101_native, v19_r78363_normal, v19_r78363_native, v19_r78963_normal_Newobj, v19_r78963_native_Newobj, } enum ProxyCreatorType { None, CallOrCallvirt, Newobj, } class ProxyCreatorInfo { public readonly MethodDef creatorMethod; public readonly ProxyCreatorType proxyCreatorType; public readonly ConfuserVersion version; public readonly uint magic; public readonly MethodDef nativeMethod; public readonly ushort callvirtChar; public ProxyCreatorInfo(MethodDef creatorMethod, ProxyCreatorType proxyCreatorType, ConfuserVersion version, uint magic, MethodDef nativeMethod, ushort callvirtChar) { this.creatorMethod = creatorMethod; this.proxyCreatorType = proxyCreatorType; this.version = version; this.magic = magic; this.nativeMethod = nativeMethod; this.callvirtChar = callvirtChar; } } class DelegateInitInfo { public readonly byte[] data; public readonly FieldDef field; public readonly MethodDef creatorMethod; public DelegateInitInfo(FieldDef field, MethodDef creatorMethod) { this.field = field; this.creatorMethod = creatorMethod; } public DelegateInitInfo(string data, FieldDef field, MethodDef creatorMethod) { this.data = Convert.FromBase64String(data); this.field = field; this.creatorMethod = creatorMethod; } } protected override bool ProxyCallIsObfuscated { get { return true; } } public IEnumerable Fields { get { var fields = new List(fieldToMethods.GetKeys()); var type = DotNetUtils.GetModuleType(module); if (fields.Count > 0 && type != null) { foreach (var field in type.Fields) { var fieldType = field.FieldType.TryGetTypeDef(); if (fieldType != null && delegateTypesDict.ContainsKey(fieldType)) fields.Add(field); } } return fields; } } public override IEnumerable> OtherMethods { get { var list = new List>(); foreach (var info in methodToInfo.GetValues()) { list.Add(new Tuple { Item1 = info.creatorMethod, Item2 = "Delegate creator method", }); list.Add(new Tuple { Item1 = info.nativeMethod, Item2 = "Calculate RID native method", }); } foreach (var methods in fieldToMethods.GetValues()) { foreach (var method in methods) { list.Add(new Tuple { Item1 = method, Item2 = "Proxy delegate method", }); } } return list; } } public ProxyCallFixer(ModuleDefMD module, byte[] fileData) : base(module) { this.fileData = fileData; if (module.Assembly == null) ourAsm = " -1-1-1-1-1- , Version=1.2.3.4, Culture=neutral, PublicKeyToken=null"; else ourAsm = module.Assembly.FullName; } protected override object CheckCctor(TypeDef type, MethodDef cctor) { // Here if 1.2 r54564 (almost 1.3) or later var fieldToInfo = new FieldDefAndDeclaringTypeDict(); var instrs = cctor.Body.Instructions; for (int i = 0; i < instrs.Count - 1; i++) { var ldtoken = instrs[i]; if (ldtoken.OpCode.Code != Code.Ldtoken) continue; var field = ldtoken.Operand as FieldDef; if (field == null || field.DeclaringType != cctor.DeclaringType) continue; var call = instrs[i + 1]; if (call.OpCode.Code != Code.Call) continue; var calledMethod = call.Operand as MethodDef; if (calledMethod == null) continue; if (!IsDelegateCreatorMethod(calledMethod)) continue; var info = methodToInfo.Find(calledMethod); if (info == null) continue; i++; fieldToInfo.Add(field, new DelegateInitInfo(field, calledMethod)); } return fieldToInfo.Count == 0 ? null : fieldToInfo; } protected override void GetCallInfo(object context, FieldDef field, out IMethod calledMethod, out OpCode callOpcode) { var info = context as DelegateInitInfo; if (info == null) { var fieldToInfo = context as FieldDefAndDeclaringTypeDict; if (fieldToInfo != null) info = fieldToInfo.Find(field); } if (info == null) throw new ApplicationException("Couldn't get the delegate info"); var creatorInfo = methodToInfo.Find(info.creatorMethod); switch (creatorInfo.version) { case ConfuserVersion.v10_r42915: case ConfuserVersion.v10_r42919: GetCallInfo_v10_r42915(info, creatorInfo, out calledMethod, out callOpcode); break; case ConfuserVersion.v10_r48717: case ConfuserVersion.v11_r50378: case ConfuserVersion.v12_r54564: case ConfuserVersion.v13_r55346: case ConfuserVersion.v13_r55604: case ConfuserVersion.v14_r58564: case ConfuserVersion.v14_r58802: GetCallInfo_v10_r48717(info, creatorInfo, out calledMethod, out callOpcode); break; case ConfuserVersion.v14_r58857: case ConfuserVersion.v16_r66631: case ConfuserVersion.v16_r70489: case ConfuserVersion.v17_r73479: GetCallInfo_v14_r58857(info, creatorInfo, out calledMethod, out callOpcode); break; case ConfuserVersion.v17_r73740_normal: case ConfuserVersion.v17_r74708_normal: GetCallInfo_v17_r73740_normal(info, creatorInfo, out calledMethod, out callOpcode); break; case ConfuserVersion.v17_r73740_native: case ConfuserVersion.v17_r74708_native: GetCallInfo_v17_r73740_native(info, creatorInfo, out calledMethod, out callOpcode); break; case ConfuserVersion.v18_r75367_normal: case ConfuserVersion.v18_r75369_normal: case ConfuserVersion.v19_r76101_normal: case ConfuserVersion.v19_r78363_normal: case ConfuserVersion.v19_r78963_normal_Newobj: GetCallInfo_v18_r75367_normal(info, creatorInfo, out calledMethod, out callOpcode); break; case ConfuserVersion.v18_r75367_native: case ConfuserVersion.v18_r75369_native: case ConfuserVersion.v19_r76101_native: case ConfuserVersion.v19_r78363_native: case ConfuserVersion.v19_r78963_native_Newobj: GetCallInfo_v18_r75367_native(info, creatorInfo, out calledMethod, out callOpcode); break; default: throw new ApplicationException("Unknown version"); } if (calledMethod == null) { Logger.w("Could not find real method. Proxy field: {0:X8}", info.field.MDToken.ToInt32()); errors++; } } void GetCallInfo_v10_r42915(DelegateInitInfo info, ProxyCreatorInfo creatorInfo, out IMethod calledMethod, out OpCode callOpcode) { var reader = new BinaryReader(new MemoryStream(info.data)); bool isCallvirt = false; if (creatorInfo.proxyCreatorType == ProxyCreatorType.CallOrCallvirt) isCallvirt = reader.ReadBoolean(); var asmRef = ReadAssemblyNameReference(reader); // If < 1.0 r42919, then high byte is 06, else it's cleared. uint token = (reader.ReadUInt32() & 0x00FFFFFF) | 0x06000000; if (reader.BaseStream.Position != reader.BaseStream.Length) throw new ApplicationException("Extra data"); if (asmRef.FullName == ourAsm) calledMethod = module.ResolveToken(token) as IMethod; else calledMethod = CreateMethodReference(asmRef, token); callOpcode = GetCallOpCode(creatorInfo, isCallvirt); } void GetCallInfo_v10_r48717(DelegateInitInfo info, ProxyCreatorInfo creatorInfo, out IMethod calledMethod, out OpCode callOpcode) { bool isNew = creatorInfo.version == ConfuserVersion.v14_r58802; int offs = creatorInfo.proxyCreatorType == ProxyCreatorType.CallOrCallvirt ? 2 : 1; if (isNew) offs--; int callvirtOffs = isNew ? 0 : 1; // This is an obfuscator bug. Field names are stored in the #Strings heap, // and strings in that heap are UTF8 zero terminated strings, but Confuser // can generate names with zeros in them. This was fixed in 1.4 58857. if (offs + 2 > info.field.Name.String.Length) { calledMethod = null; callOpcode = OpCodes.Call; return; } uint token = BitConverter.ToUInt32(Encoding.Unicode.GetBytes(info.field.Name.String.ToCharArray(), offs, 2), 0) ^ creatorInfo.magic; uint table = token >> 24; if (table != 0 && table != 6 && table != 0x0A && table != 0x2B) throw new ApplicationException("Invalid method token"); // 1.3 r55346 now correctly uses method reference tokens and finally fixed the old // bug of using methoddef tokens to reference external methods. if (isNew || info.field.Name.String[0] == (char)1 || table != 0x06) calledMethod = module.ResolveToken(token) as IMethod; else { var asmRef = module.ResolveAssemblyRef((uint)info.field.Name.String[0] - 2 + 1); calledMethod = CreateMethodReference(asmRef, token); } bool isCallvirt = false; if (creatorInfo.proxyCreatorType == ProxyCreatorType.CallOrCallvirt && info.field.Name.String[callvirtOffs] == '\r') isCallvirt = true; callOpcode = GetCallOpCode(creatorInfo, isCallvirt); } void GetCallInfo_v14_r58857(DelegateInitInfo info, ProxyCreatorInfo creatorInfo, out IMethod calledMethod, out OpCode callOpcode) { int offs = creatorInfo.proxyCreatorType == ProxyCreatorType.CallOrCallvirt ? 1 : 0; var nameInfo = DecryptFieldName(info.field.Name.String); uint token = BitConverter.ToUInt32(nameInfo, offs) ^ creatorInfo.magic; uint table = token >> 24; if (table != 6 && table != 0x0A && table != 0x2B) throw new ApplicationException("Invalid method token"); calledMethod = module.ResolveToken(token) as IMethod; bool isCallvirt = false; if (creatorInfo.proxyCreatorType == ProxyCreatorType.CallOrCallvirt && nameInfo[0] == '\r') isCallvirt = true; callOpcode = GetCallOpCode(creatorInfo, isCallvirt); } static byte[] DecryptFieldName(string name) { var chars = new char[name.Length]; for (int i = 0; i < chars.Length; i++) chars[i] = (char)((byte)name[i] ^ i); return Convert.FromBase64CharArray(chars, 0, chars.Length); } void Extract_v17_r73740(ProxyCreatorInfo creatorInfo, byte[] nameInfo, out uint arg, out uint table, out bool isCallvirt) { switch (creatorInfo.proxyCreatorType) { case ProxyCreatorType.CallOrCallvirt: arg = BitConverter.ToUInt32(nameInfo, 1); table = (uint)(nameInfo[0] & 0x7F) << 24; isCallvirt = (nameInfo[0] & 0x80) != 0; break; case ProxyCreatorType.Newobj: arg = BitConverter.ToUInt32(nameInfo, 0); table = (uint)nameInfo[4] << 24; isCallvirt = false; break; default: throw new ApplicationException("Invalid creator type"); } } void GetCallInfo_v17_r73740_normal(DelegateInitInfo info, ProxyCreatorInfo creatorInfo, out IMethod calledMethod, out OpCode callOpcode) { var nameInfo = DecryptFieldName(info.field.Name.String); uint arg, table; bool isCallvirt; Extract_v17_r73740(creatorInfo, nameInfo, out arg, out table, out isCallvirt); uint token = (arg ^ creatorInfo.magic) | table; calledMethod = module.ResolveToken((int)token) as IMethod; callOpcode = GetCallOpCode(creatorInfo, isCallvirt); } void GetCallInfo_v17_r73740_native(DelegateInitInfo info, ProxyCreatorInfo creatorInfo, out IMethod calledMethod, out OpCode callOpcode) { var nameInfo = DecryptFieldName(info.field.Name.String); uint arg, table; bool isCallvirt; Extract_v17_r73740(creatorInfo, nameInfo, out arg, out table, out isCallvirt); if (x86emu == null) x86emu = new x86Emulator(fileData); uint token = x86emu.Emulate((uint)creatorInfo.nativeMethod.RVA, arg) | table; calledMethod = module.ResolveToken((int)token) as IMethod; callOpcode = GetCallOpCode(creatorInfo, isCallvirt); } void GetCallInfo_v18_r75367_normal(DelegateInitInfo info, ProxyCreatorInfo creatorInfo, out IMethod calledMethod, out OpCode callOpcode) { GetCallInfo_v18_r75367(info, creatorInfo, out calledMethod, out callOpcode, (creatorInfo2, magic) => creatorInfo2.magic ^ magic); } void GetCallInfo_v18_r75367_native(DelegateInitInfo info, ProxyCreatorInfo creatorInfo, out IMethod calledMethod, out OpCode callOpcode) { GetCallInfo_v18_r75367(info, creatorInfo, out calledMethod, out callOpcode, (creatorInfo2, magic) => { if (x86emu == null) x86emu = new x86Emulator(fileData); return x86emu.Emulate((uint)creatorInfo2.nativeMethod.RVA, magic); }); } void GetCallInfo_v18_r75367(DelegateInitInfo info, ProxyCreatorInfo creatorInfo, out IMethod calledMethod, out OpCode callOpcode, Func getRid) { var sig = module.ReadBlob(info.field.MDToken.Raw); int len = sig.Length; uint magic = (uint)((sig[len - 2] << 24) | (sig[len - 3] << 16) | (sig[len - 5] << 8) | sig[len - 6]); uint rid = getRid(creatorInfo, magic); int token = (sig[len - 7] << 24) | (int)rid; uint table = (uint)token >> 24; if (table != 6 && table != 0x0A && table != 0x2B) throw new ApplicationException("Invalid method token"); calledMethod = module.ResolveToken(token) as IMethod; callOpcode = GetCallOpCode(creatorInfo, info.field); } static OpCode GetCallOpCode(ProxyCreatorInfo info, FieldDef field) { switch (info.proxyCreatorType) { case ProxyCreatorType.CallOrCallvirt: if (field.Name.String.Length > 0 && field.Name.String[0] == info.callvirtChar) return OpCodes.Callvirt; return OpCodes.Call; case ProxyCreatorType.Newobj: return OpCodes.Newobj; default: throw new NotSupportedException(); } } // A method token is not a stable value so this method can fail to return the correct method! // There's nothing I can do about that. It's an obfuscator bug. It was fixed in 1.3 r55346. IMethod CreateMethodReference(AssemblyRef asmRef, uint methodToken) { var asm = module.Context.AssemblyResolver.Resolve(asmRef, module); if (asm == null) return null; var method = ((ModuleDefMD)asm.ManifestModule).ResolveToken(methodToken) as MethodDef; if (method == null) return null; return module.Import(method); } AssemblyRef ReadAssemblyNameReference(BinaryReader reader) { var name = ReadString(reader); var version = new Version(reader.ReadInt16(), reader.ReadInt16(), reader.ReadInt16(), reader.ReadInt16()); var culture = ReadString(reader); byte[] pkt = reader.ReadBoolean() ? reader.ReadBytes(8) : null; return module.UpdateRowId(new AssemblyRefUser(name, version, pkt == null ? null : new PublicKeyToken(pkt), culture)); } static string ReadString(BinaryReader reader) { int len = reader.ReadByte(); var bytes = new byte[len]; for (int i = 0; i < len; i++) bytes[i] = (byte)(reader.ReadByte() ^ len); return Encoding.UTF8.GetString(bytes); } static OpCode GetCallOpCode(ProxyCreatorInfo info, bool isCallvirt) { switch (info.proxyCreatorType) { case ProxyCreatorType.Newobj: return OpCodes.Newobj; case ProxyCreatorType.CallOrCallvirt: return isCallvirt ? OpCodes.Callvirt : OpCodes.Call; default: throw new NotImplementedException(); } } public void FindDelegateCreator(ISimpleDeobfuscator simpleDeobfuscator) { var type = DotNetUtils.GetModuleType(module); if (type == null) return; foreach (var method in type.Methods) { if (method.Body == null || !method.IsStatic || !method.IsAssembly) continue; ConfuserVersion theVersion = ConfuserVersion.Unknown; if (DotNetUtils.IsMethod(method, "System.Void", "(System.String,System.RuntimeFieldHandle)")) theVersion = ConfuserVersion.v10_r42915; else if (DotNetUtils.IsMethod(method, "System.Void", "(System.RuntimeFieldHandle)")) theVersion = ConfuserVersion.v10_r48717; else continue; int tmpVer; var proxyType = GetProxyCreatorType(method, simpleDeobfuscator, out tmpVer); if (proxyType == ProxyCreatorType.None) continue; if (proxyType == ProxyCreatorType.Newobj) foundNewobjProxy = true; simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); MethodDef nativeMethod = null; uint magic; if (FindMagic_v14_r58564(method, out magic)) { if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)")) { if (!IsMethodCreator_v14_r58802(method, proxyType)) theVersion = ConfuserVersion.v14_r58564; else theVersion = ConfuserVersion.v14_r58802; } else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()")) theVersion = ConfuserVersion.v17_r73479; else if (proxyType != ProxyCreatorType.CallOrCallvirt || !HasFieldReference(method, "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Castclass")) theVersion = ConfuserVersion.v14_r58857; else if (proxyType == ProxyCreatorType.CallOrCallvirt && DotNetUtils.CallsMethod(method, "System.Void System.Reflection.Emit.DynamicMethod::.ctor(System.String,System.Type,System.Type[],System.Boolean)")) theVersion = ConfuserVersion.v16_r66631; else if (proxyType == ProxyCreatorType.CallOrCallvirt) theVersion = ConfuserVersion.v16_r70489; } else if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") && DotNetUtils.CallsMethod(method, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) { if (proxyType == ProxyCreatorType.CallOrCallvirt && !FindCallvirtChar(method, out callvirtChar)) continue; if ((nativeMethod = FindNativeMethod_v18_r75367(method)) != null) theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_native : ConfuserVersion.v18_r75369_native; else if (FindMagic_v18_r75367(method, out magic)) theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_normal : ConfuserVersion.v18_r75369_normal; else if (FindMagic_v19_r76101(method, out magic)) CommonCheckVersion19(method, true, tmpVer, ref theVersion); else if ((nativeMethod = FindNativeMethod_v19_r76101(method)) != null) CommonCheckVersion19(method, false, tmpVer, ref theVersion); else { if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.CallsMethod(method, "System.Int32 System.String::get_Length()")) theVersion = ConfuserVersion.v11_r50378; int numCalls = ConfuserUtils.CountCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)"); if (numCalls == 2) theVersion = ConfuserVersion.v12_r54564; if (!DotNetUtils.CallsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::Load(System.Reflection.AssemblyName)")) theVersion = ConfuserVersion.v13_r55346; if (DotNetUtils.CallsMethod(method, "System.Void System.Runtime.CompilerServices.RuntimeHelpers::RunClassConstructor(System.RuntimeTypeHandle)")) theVersion = ConfuserVersion.v13_r55604; } } else if (Is_v17_r73740(method)) { if (DotNetUtils.CallsMethod(method, "System.Boolean System.Type::get_IsArray()")) { if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null) theVersion = ConfuserVersion.v17_r74708_native; else if (FindMagic_v17_r73740(method, out magic)) theVersion = ConfuserVersion.v17_r74708_normal; else continue; } else { if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null) theVersion = ConfuserVersion.v17_r73740_native; else if (FindMagic_v17_r73740(method, out magic)) theVersion = ConfuserVersion.v17_r73740_normal; else continue; } } else if (theVersion == ConfuserVersion.v10_r42915) { if (DeobUtils.HasInteger(method, 0x06000000)) theVersion = ConfuserVersion.v10_r42919; } SetDelegateCreatorMethod(method); methodToInfo.Add(method, new ProxyCreatorInfo(method, proxyType, theVersion, magic, nativeMethod, callvirtChar)); version = (ConfuserVersion)Math.Max((int)version, (int)theVersion); } } static bool CommonCheckVersion19(MethodDef method, bool isNormal, int tmpProxyVer, ref ConfuserVersion theVersion) { if (tmpProxyVer == 1) { theVersion = isNormal ? ConfuserVersion.v19_r76101_normal : ConfuserVersion.v19_r76101_native; return true; } else if (tmpProxyVer == 2) { if (!CheckCtorProxyType_v19_r78963(method)) theVersion = isNormal ? ConfuserVersion.v19_r78363_normal : ConfuserVersion.v19_r78363_native; else theVersion = isNormal ? ConfuserVersion.v19_r78963_normal_Newobj : ConfuserVersion.v19_r78963_native_Newobj; return true; } return false; } static bool HasFieldReference(MethodDef method, string fieldFullName) { foreach (var instr in method.Body.Instructions) { var field = instr.Operand as IField; if (field == null) continue; if (field.FullName == fieldFullName) return true; } return false; } static bool IsMethodCreator_v14_r58802(MethodDef method, ProxyCreatorType proxyType) { int index = GetFieldNameIndex(method); if (index < 0) throw new ApplicationException("Could not find field name index"); switch (proxyType) { case ProxyCreatorType.Newobj: if (index == 1) return false; if (index == 0) return true; break; case ProxyCreatorType.CallOrCallvirt: if (index == 2) return false; if (index == 1) return true; break; default: throw new ApplicationException("Invalid proxy creator type"); } throw new ApplicationException("Could not find field name index"); } static int GetFieldNameIndex(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)"); if (i < 0) break; if (i < 2) continue; var ldci4 = instrs[i - 2]; if (!ldci4.IsLdcI4()) continue; return ldci4.GetLdcI4Value(); } return -1; } static bool FindMagic_v19_r76101(MethodDef method, out uint magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 7; i++) { var ldci4_1 = instrs[i]; if (!ldci4_1.IsLdcI4() || ldci4_1.GetLdcI4Value() != 24) continue; if (instrs[i + 1].OpCode.Code != Code.Shl) continue; if (instrs[i + 2].OpCode.Code != Code.Or) continue; if (!instrs[i + 3].IsStloc()) continue; if (!instrs[i + 4].IsLdloc()) continue; if (!instrs[i + 5].IsLdloc()) continue; var ldci4_2 = instrs[i + 6]; if (!ldci4_2.IsLdcI4()) continue; if (instrs[i + 7].OpCode.Code != Code.Xor) continue; magic = (uint)ldci4_2.GetLdcI4Value(); return true; } magic = 0; return false; } static MethodDef FindNativeMethod_v19_r76101(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 6; i++) { var ldci4 = instrs[i]; if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 24) continue; if (instrs[i + 1].OpCode.Code != Code.Shl) continue; if (instrs[i + 2].OpCode.Code != Code.Or) continue; if (!instrs[i + 3].IsStloc()) continue; if (!instrs[i + 4].IsLdloc()) continue; if (!instrs[i + 5].IsLdloc()) continue; var call = instrs[i + 6]; if (call.OpCode.Code != Code.Call) continue; var calledMethod = call.Operand as MethodDef; if (calledMethod == null || calledMethod.Body != null || !calledMethod.IsNative) continue; return calledMethod; } return null; } static bool FindMagic_v18_r75367(MethodDef method, out uint magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); if (i < 0 || i + 3 >= instrs.Count) break; if (!instrs[i + 1].IsLdloc()) continue; var ldci4 = instrs[i + 2]; if (!ldci4.IsLdcI4()) continue; if (instrs[i+3].OpCode.Code != Code.Xor) continue; magic = (uint)ldci4.GetLdcI4Value(); return true; } magic = 0; return false; } static MethodDef FindNativeMethod_v18_r75367(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); if (i < 0 || i + 2 >= instrs.Count) break; if (!instrs[i + 1].IsLdloc()) continue; var call = instrs[i + 2]; if (call.OpCode.Code != Code.Call) continue; var calledMethod = call.Operand as MethodDef; if (calledMethod == null || calledMethod.Body != null || !calledMethod.IsNative) continue; return calledMethod; } return null; } static bool FindMagic_v17_r73740(MethodDef method, out uint magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Int32 System.BitConverter::ToInt32(System.Byte[],System.Int32)"); if (index < 0) break; if (index < 1 || index + 2 >= instrs.Count) continue; if (!instrs[index - 1].IsLdcI4()) continue; var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) continue; if (instrs[index + 2].OpCode.Code != Code.Xor) continue; magic = (uint)ldci4.GetLdcI4Value(); return true; } magic = 0; return false; } static MethodDef FindNativeMethod_v17_r73740(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Int32 System.BitConverter::ToInt32(System.Byte[],System.Int32)"); if (index < 0) break; if (index < 1 || index + 1 >= instrs.Count) continue; if (!instrs[index - 1].IsLdcI4()) continue; var call = instrs[index + 1]; if (call.OpCode.Code != Code.Call) continue; var calledMethod = call.Operand as MethodDef; if (calledMethod == null || calledMethod.Body != null || !calledMethod.IsNative) continue; return calledMethod; } return null; } static bool Is_v17_r73740(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)"); if (index < 0) break; if (index < 3) continue; index -= 3; var ldci4 = instrs[index]; if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 24) continue; if (instrs[index + 1].OpCode.Code != Code.Shl) continue; if (instrs[index + 2].OpCode.Code != Code.Or) continue; return true; } return false; } static bool FindMagic_v14_r58564(MethodDef method, out uint magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Int32 System.BitConverter::ToInt32(System.Byte[],System.Int32)"); if (index < 0) break; int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)"); if (index2 < 0 || index2 - index != 3) continue; var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) continue; if (instrs[index + 2].OpCode.Code != Code.Xor) continue; magic = (uint)ldci4.GetLdcI4Value(); return true; } magic = 0; return false; } static ProxyCreatorType GetProxyCreatorType(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator, out int version) { var type = GetProxyCreatorTypeV1(method); if (type != ProxyCreatorType.None) { version = 1; return type; } simpleDeobfuscator.Deobfuscate(method); type = GetProxyCreatorTypeV2(method); if (type != ProxyCreatorType.None) { version = 2; return type; } version = 0; return ProxyCreatorType.None; } // <= 1.9 r78342 (refs to System.Reflection.Emit.OpCodes) static ProxyCreatorType GetProxyCreatorTypeV1(MethodDef method) { foreach (var instr in method.Body.Instructions) { var field = instr.Operand as IField; if (field == null) continue; switch (field.FullName) { case "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Call": case "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Callvirt": return ProxyCreatorType.CallOrCallvirt; case "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Newobj": return ProxyCreatorType.Newobj; } } return ProxyCreatorType.None; } // >= 1.9 r78363 (no refs to System.Reflection.Emit.OpCodes) static ProxyCreatorType GetProxyCreatorTypeV2(MethodDef method) { if (!DeobUtils.HasInteger(method, 0x2A)) return ProxyCreatorType.None; if (CheckCtorProxyTypeV2(method)) return ProxyCreatorType.Newobj; if (CheckCallProxyTypeV2(method)) return ProxyCreatorType.CallOrCallvirt; return ProxyCreatorType.None; } static bool CheckCtorProxyTypeV2(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 3; i++) { var ldci4 = instrs[i]; if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 2) continue; if (instrs[i + 1].OpCode.Code != Code.Mul) continue; ldci4 = instrs[i + 2]; if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 0x73) continue; if (instrs[i + 3].OpCode.Code != Code.Stelem_I1) continue; return true; } return false; } static bool CheckCallProxyTypeV2(MethodDef method) { return DeobUtils.HasInteger(method, 0x28) && DeobUtils.HasInteger(method, 0x6F); } // r78963 adds a 'castclass' opcode to the generated code. This code assumes // CheckCtorProxyTypeV2() has returned true. static bool CheckCtorProxyType_v19_r78963(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 2; i++) { if (instrs[i].OpCode.Code != Code.Add) continue; var ldci4 = instrs[i + 1]; if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 0x74) continue; if (instrs[i + 2].OpCode.Code != Code.Stelem_I1) continue; return true; } return false; } public new void Find() { if (delegateCreatorMethods.Count == 0) return; var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) return; Logger.v("Finding all proxy delegates"); var delegateInfos = CreateDelegateInitInfos(cctor); fieldToMethods = CreateFieldToMethodsDictionary(cctor.DeclaringType); if (delegateInfos.Count < fieldToMethods.Count) throw new ApplicationException("Missing proxy delegates"); var delegateToFields = new Dictionary>(); foreach (var field in fieldToMethods.GetKeys()) { List list; if (!delegateToFields.TryGetValue(field.FieldType.TryGetTypeDef(), out list)) delegateToFields[field.FieldType.TryGetTypeDef()] = list = new List(); list.Add(field); } foreach (var kv in delegateToFields) { var type = kv.Key; var fields = kv.Value; Logger.v("Found proxy delegate: {0} ({1:X8})", Utils.RemoveNewlines(type), type.MDToken.ToInt32()); RemovedDelegateCreatorCalls++; Logger.Instance.Indent(); foreach (var field in fields) { var proxyMethods = fieldToMethods.Find(field); if (proxyMethods == null) continue; var info = delegateInfos.Find(field); if (info == null) throw new ApplicationException("Missing proxy info"); IMethod calledMethod; OpCode callOpcode; GetCallInfo(info, field, out calledMethod, out callOpcode); if (calledMethod == null) continue; foreach (var proxyMethod in proxyMethods) { Add(proxyMethod, new DelegateInfo(field, calledMethod, callOpcode)); Logger.v("Field: {0}, Opcode: {1}, Method: {2} ({3:X8})", Utils.RemoveNewlines(field.Name), callOpcode, Utils.RemoveNewlines(calledMethod), calledMethod.MDToken.ToUInt32()); } } Logger.Instance.DeIndent(); delegateTypesDict[type] = true; } // 1.2 r54564 (almost 1.3) now moves method proxy init code to the delegate cctors Find2(); } FieldDefAndDeclaringTypeDict CreateDelegateInitInfos(MethodDef method) { switch (version) { case ConfuserVersion.v10_r42915: case ConfuserVersion.v10_r42919: return CreateDelegateInitInfos_v10_r42915(method); default: return CreateDelegateInitInfos_v10_r48717(method); } } FieldDefAndDeclaringTypeDict CreateDelegateInitInfos_v10_r42915(MethodDef method) { var infos = new FieldDefAndDeclaringTypeDict(); var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 2; i++) { var ldstr = instrs[i]; if (ldstr.OpCode.Code != Code.Ldstr) continue; var info = ldstr.Operand as string; if (info == null) continue; var ldtoken = instrs[i + 1]; if (ldtoken.OpCode.Code != Code.Ldtoken) continue; var delegateField = ldtoken.Operand as FieldDef; if (delegateField == null) continue; var delegateType = delegateField.FieldType.TryGetTypeDef(); if (!DotNetUtils.DerivesFromDelegate(delegateType)) continue; var call = instrs[i + 2]; if (call.OpCode.Code != Code.Call) continue; var delegateCreatorMethod = call.Operand as MethodDef; if (delegateCreatorMethod == null || !IsDelegateCreatorMethod(delegateCreatorMethod)) continue; infos.Add(delegateField, new DelegateInitInfo(info, delegateField, delegateCreatorMethod)); i += 2; } return infos; } FieldDefAndDeclaringTypeDict CreateDelegateInitInfos_v10_r48717(MethodDef method) { var infos = new FieldDefAndDeclaringTypeDict(); var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 1; i++) { var ldtoken = instrs[i]; if (ldtoken.OpCode.Code != Code.Ldtoken) continue; var delegateField = ldtoken.Operand as FieldDef; if (delegateField == null) continue; var delegateType = delegateField.FieldType.TryGetTypeDef(); if (!DotNetUtils.DerivesFromDelegate(delegateType)) continue; var call = instrs[i + 1]; if (call.OpCode.Code != Code.Call) continue; var delegateCreatorMethod = call.Operand as MethodDef; if (delegateCreatorMethod == null || !IsDelegateCreatorMethod(delegateCreatorMethod)) continue; infos.Add(delegateField, new DelegateInitInfo(delegateField, delegateCreatorMethod)); i += 1; } return infos; } static FieldDefAndDeclaringTypeDict> CreateFieldToMethodsDictionary(TypeDef type) { var dict = new FieldDefAndDeclaringTypeDict>(); foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null || method.Name == ".cctor") continue; var delegateField = GetDelegateField(method); if (delegateField == null) continue; var methods = dict.Find(delegateField); if (methods == null) dict.Add(delegateField, methods = new List()); methods.Add(method); } return dict; } static FieldDef GetDelegateField(MethodDef method) { if (method == null || method.Body == null) return null; FieldDef field = null; bool foundInvoke = false; foreach (var instr in method.Body.Instructions) { if (instr.OpCode.Code == Code.Ldsfld) { var field2 = instr.Operand as FieldDef; if (field2 == null || field2.DeclaringType != method.DeclaringType) continue; if (field != null) return null; if (!DotNetUtils.DerivesFromDelegate(field2.FieldType.TryGetTypeDef())) continue; field = field2; } else if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) { var calledMethod = instr.Operand as IMethod; foundInvoke |= calledMethod != null && calledMethod.Name == "Invoke"; } } return foundInvoke ? field : null; } static bool FindCallvirtChar(MethodDef method, out ushort callvirtChar) { var instrs = method.Body.Instructions; for (int index = 0; index < instrs.Count; index++) { index = ConfuserUtils.FindCallMethod(instrs, index, Code.Callvirt, "System.Char System.String::get_Chars(System.Int32)"); if (index < 0) break; index++; if (index >= instrs.Count) break; var ldci4 = instrs[index]; if (!ldci4.IsLdcI4()) continue; callvirtChar = (ushort)ldci4.GetLdcI4Value(); return true; } callvirtChar = 0; return false; } public void CleanUp() { if (!Detected) return; var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) return; cctor.Body.Instructions.Clear(); cctor.Body.Instructions.Add(Instruction.Create(OpCodes.Ret)); } public bool GetRevisionRange(out int minRev, out int maxRev) { switch (version) { case ConfuserVersion.Unknown: minRev = maxRev = 0; return false; case ConfuserVersion.v10_r42915: minRev = 42915; maxRev = 42917; return true; case ConfuserVersion.v10_r42919: minRev = 42919; maxRev = 48509; return true; case ConfuserVersion.v10_r48717: minRev = 48717; maxRev = 54431; return true; case ConfuserVersion.v11_r50378: minRev = 50378; maxRev = 54431; return true; case ConfuserVersion.v12_r54564: minRev = 54564; maxRev = 54574; return true; case ConfuserVersion.v13_r55346: minRev = 55346; maxRev = 55346; return true; case ConfuserVersion.v13_r55604: minRev = 55604; maxRev = 58446; return true; case ConfuserVersion.v14_r58564: minRev = 58564; maxRev = 58741; return true; case ConfuserVersion.v14_r58802: minRev = 58802; maxRev = 58852; return true; case ConfuserVersion.v14_r58857: minRev = 58857; maxRev = 73477; return true; case ConfuserVersion.v16_r66631: minRev = 66631; maxRev = 69666; return true; case ConfuserVersion.v16_r70489: minRev = 70489; maxRev = 73477; return true; case ConfuserVersion.v17_r73479: minRev = 73479; maxRev = 73605; return true; case ConfuserVersion.v17_r73740_normal: case ConfuserVersion.v17_r73740_native: minRev = 73740; maxRev = 74637; return true; case ConfuserVersion.v17_r74708_normal: case ConfuserVersion.v17_r74708_native: minRev = 74708; maxRev = 75349; return true; case ConfuserVersion.v18_r75367_normal: case ConfuserVersion.v18_r75367_native: minRev = 75367; maxRev = 75926; return true; case ConfuserVersion.v18_r75369_normal: case ConfuserVersion.v18_r75369_native: minRev = 75369; maxRev = 75926; return true; case ConfuserVersion.v19_r76101_normal: case ConfuserVersion.v19_r76101_native: minRev = 76101; maxRev = 78342; return true; case ConfuserVersion.v19_r78363_normal: case ConfuserVersion.v19_r78363_native: minRev = 78363; // We can only detect the r78963 version if a method ctor proxy is used. // If it's not used, then maxRev must be the same maxRev as in the next case. // If a method ctor proxy is found, then we know that rev <= 78962. if (foundNewobjProxy) maxRev = 78962; else maxRev = int.MaxValue; return true; case ConfuserVersion.v19_r78963_normal_Newobj: case ConfuserVersion.v19_r78963_native_Newobj: minRev = 78963; maxRev = int.MaxValue; return true; default: throw new ApplicationException("Invalid version"); } } public void Dispose() { if (x86emu != null) x86emu.Dispose(); x86emu = null; } } }