/*
Copyright (C) 2011-2012 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see .
*/
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.IO;
using System.Text;
using dot10.IO;
using dot10.DotNet;
using dot10.DotNet.Emit;
using de4dot.blocks;
using CR = System.Runtime.InteropServices;
using DR = dot10.DotNet;
namespace de4dot.code.deobfuscators.Babel_NET {
class ImageReader {
static int METHODS_SIG = 0x0000BEBA;
static int METADATA_SIG = 0x0100BEBA;
static int METHOD_NAMES_SIG = 0x0200BEBA;
static int ASSEMBLY_NAMES_SIG = 0x0201BEBA;
static int TYPEREFS_SIG = 0x0202BEBA;
static int STRINGS_SIG = 0x0203BEBA;
enum TypeId : byte {
TypeRef = 0,
GenericInstance = 1,
Pointer = 2,
Array = 3,
ByRef = 4,
}
ModuleDefMD module;
IBinaryReader reader;
string[] strings;
AssemblyRef[] assemblyNames;
Dictionary methodOffsets;
List typeReferences;
MemberReferenceConverter memberReferenceConverter;
IDeobfuscatorContext deobfuscatorContext;
public ImageReader(IDeobfuscatorContext deobfuscatorContext, ModuleDefMD module, byte[] data) {
this.deobfuscatorContext = deobfuscatorContext;
this.module = module;
this.reader = MemoryImageStream.Create(data);
this.memberReferenceConverter = new MemberReferenceConverter(module);
}
public bool initialize() {
if (reader.ReadInt32() != METHODS_SIG)
return false;
int metadataOffset = getMetadataOffset();
if (metadataOffset < 0)
return false;
long pos = metadataOffset + 4;
reader.Position = pos;
int version = reader.ReadInt16(); // major, minor
if (version == 0x0001) {
initializeV10();
return true;
}
reader.Position = pos;
initializeV55();
return true;
}
void initializeV10() {
reader.ReadInt16();
int methodNamesOffset = (int)reader.ReadInt64();
int typeReferencesOffset = (int)reader.ReadInt64();
int assemblyReferencesOffset = (int)reader.ReadInt64();
int stringsOffset = (int)reader.ReadInt64();
initializeStrings(stringsOffset);
initializeAssemblyNames(assemblyReferencesOffset);
initializeMethodNames(methodNamesOffset);
initializeTypeReferences(typeReferencesOffset);
}
void initializeV55() {
int methodNamesOffset = (int)reader.ReadInt64() ^ METADATA_SIG;
int typeReferencesOffset = (int)reader.ReadInt64() ^ (METADATA_SIG << 1);
int assemblyReferencesOffset = (int)reader.ReadInt64() ^ ((METADATA_SIG << 1) + 1);
int stringsOffset = (int)reader.ReadInt64() ^ (((METADATA_SIG << 1) + 1) << 1);
initializeStrings(stringsOffset);
initializeAssemblyNames(assemblyReferencesOffset);
initializeMethodNames(methodNamesOffset);
initializeTypeReferences(typeReferencesOffset);
}
public void restore(string name, MethodDef method) {
var babelMethod = getMethod(name);
var body = method.Body;
body.MaxStack = babelMethod.MaxStack;
body.InitLocals = babelMethod.InitLocals;
body.LocalList.Clear();
foreach (var local in babelMethod.Locals)
body.LocalList.Add(local);
var toNewOperand = new Dictionary