Files push

Author: void-stack

.gitignore

@@ -332,3 +332,4 @@ ASALocalRun/
 
 # Local History for Visual Studio
 .localhistory/
+VMUP/VMUnprotect/VMUnprotect.csproj.DotSettings

VMUP/VMUP.sln

@@ -0,0 +1,16 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "VMUnprotect", "VMUnprotect\VMUnprotect.csproj", "{42C88429-9A67-4087-91BD-7D76383BC86D}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{42C88429-9A67-4087-91BD-7D76383BC86D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{42C88429-9A67-4087-91BD-7D76383BC86D}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{42C88429-9A67-4087-91BD-7D76383BC86D}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{42C88429-9A67-4087-91BD-7D76383BC86D}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+EndGlobal

VMUP/VMUnprotect/Hooks/HooksManager.cs

@@ -0,0 +1,44 @@
+using HarmonyLib;
+using System;
+using System.Reflection;
+using VMUnprotect.Hooks.Methods;
+using VMUnprotect.Utils;
+
+namespace VMUnprotect.Hooks
+{
+    /// <summary>
+    ///     Manages patches of Harmony
+    /// </summary>
+    public static class HooksManager
+    {
+        // Harmony instance
+        private static Harmony Harmony { get; set; }
+
+        /// <summary>
+        ///     Applies Harmony patches to VMP functions.
+        /// </summary>
+        /// <param name="runtimeStructure">Structure of VMP Runtime</param>
+        internal static void HooksApply(VmRuntimeStructure runtimeStructure)
+        {
+            // Enable Harmony Debug file.
+            Harmony.DEBUG = true;
+
+            Harmony = new Harmony("com.hussaryyn.vmup");
+            Harmony.PatchAll(typeof(Loader).Assembly);
+
+            // Check if functionHandler was found.
+            if (runtimeStructure.FunctionHandler is null)
+                throw new ArgumentException("Could not locate Function Handler.");
+
+            // resolve method.
+            var mdToken = runtimeStructure.FunctionHandler.MDToken.ToInt32();
+            var resolvedVmpHandler = Loader.VmpAssembly.ManifestModule.ResolveMethod(mdToken);
+
+            ConsoleLogger.Debug("Found VMPFunctionHandler, MDToken {0}", mdToken);
+            ConsoleLogger.Debug("Applying Transpiler and replacing Invokes.");
+
+            // Apply transpiler to the function handler.
+            Harmony.Patch(resolvedVmpHandler, transpiler: new HarmonyMethod(typeof(VmProtectDumper).GetMethod(nameof(VmProtectDumper.Transpiler), (BindingFlags) (-1))));
+        }
+    }
+}

VMUP/VMUnprotect/Hooks/Methods/GetCallingAssemblyPatch.cs

@@ -0,0 +1,22 @@
+using HarmonyLib;
+using System.Reflection;
+using VMUnprotect.Utils;
+
+namespace VMUnprotect.Hooks.Methods
+{
+    /// <summary>
+    ///     Harmony Patch for GetCallingAssembly
+    /// </summary>
+    [HarmonyPatch(typeof(Assembly))]
+    [HarmonyPatch("GetCallingAssembly")]
+    public class GetCallingAssemblyPatch
+    {
+        public static void Postfix(ref Assembly __result)
+        {
+            if (__result != typeof(GetCallingAssemblyPatch).Assembly) return;
+
+            ConsoleLogger.Debug("Swapped [{0}] '{1}'", "GetCallingAssembly", __result.FullName);
+            __result = Loader.VmpAssembly;
+        }
+    }
+}

VMUP/VMUnprotect/Hooks/Methods/GetEntryAssemblyPatch.cs

@@ -0,0 +1,22 @@
+using HarmonyLib;
+using System.Reflection;
+using VMUnprotect.Utils;
+
+namespace VMUnprotect.Hooks.Methods
+{
+    /// <summary>
+    ///     Harmony Patch for GetEntryAssembly
+    /// </summary>
+    [HarmonyPatch(typeof(Assembly))]
+    [HarmonyPatch("GetEntryAssembly")]
+    public class GetEntryAssemblyPatch
+    {
+        public static void Postfix(ref Assembly __result)
+        {
+            if (__result != typeof(GetEntryAssemblyPatch).Assembly) return;
+
+            ConsoleLogger.Debug("Swapped [{0}] '{1}'", "GetEntryAssembly", __result.FullName);
+            __result = Loader.VmpAssembly;
+        }
+    }
+}

VMUP/VMUnprotect/Hooks/Methods/VMProtectDumper.cs

@@ -0,0 +1,188 @@
+using HarmonyLib;
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.Linq;
+using System.Reflection;
+using System.Reflection.Emit;
+using VMUnprotect.Utils;
+
+namespace VMUnprotect.Hooks.Methods
+{
+    /// <summary>
+    ///     This class holds target functions.
+    /// </summary>
+    internal class Targets
+    {
+        /// <summary>
+        ///     This function is used by current VMProtect version.
+        /// </summary>
+        /// <param name="obj">
+        ///     The object on which to invoke the method or constructor. If a method is static, this argument is
+        ///     ignored. If a constructor is static, this argument must be <see langword="null" /> or an instance of the class that
+        ///     defines the constructor.
+        /// </param>
+        /// <param name="invokeAttr">
+        ///     A bitmask that is a combination of 0 or more bit flags from
+        ///     <see cref="T:System.Reflection.BindingFlags" />. If <paramref name="binder" /> is <see langword="null" />, this
+        ///     parameter is assigned the value <see cref="F:System.Reflection.BindingFlags.Default" />; thus, whatever you pass in
+        ///     is ignored.
+        /// </param>
+        /// <param name="binder">
+        ///     An object that enables the binding, coercion of argument types, invocation of members, and
+        ///     retrieval of <see langword="MemberInfo" /> objects via reflection. If <paramref name="binder" /> is
+        ///     <see langword="null" />, the default binder is used.
+        /// </param>
+        /// <param name="parameters">
+        ///     An argument list for the invoked method or constructor. This is an array of objects with the same number, order,
+        ///     and type as the parameters of the method or constructor to be invoked. If there are no parameters, this should be
+        ///     <see langword="null" />.
+        ///     If the method or constructor represented by this instance takes a ByRef parameter, there is no special attribute
+        ///     required for that parameter in order to invoke the method or constructor using this function. Any object in this
+        ///     array that is not explicitly initialized with a value will contain the default value for that object type. For
+        ///     reference-type elements, this value is <see langword="null" />. For value-type elements, this value is 0, 0.0, or
+        ///     <see langword="false" />, depending on the specific element type.
+        /// </param>
+        /// <param name="culture">
+        ///     An instance of <see langword="CultureInfo" /> used to govern the coercion of types. If this is
+        ///     <see langword="null" />, the <see langword="CultureInfo" /> for the current thread is used. (This is necessary to
+        ///     convert a <see langword="String" /> that represents 1000 to a <see langword="Double" /> value, for example, since
+        ///     1000 is represented differently by different cultures.)
+        /// </param>
+        /// <returns>
+        ///     An <see langword="Object" /> containing the return value of the invoked method, or <see langword="null" /> in
+        ///     the case of a constructor, or <see langword="null" /> if the method's return type is <see langword="void" />.
+        ///     Before calling the method or constructor, <see langword="Invoke" /> checks to see if the user has access permission
+        ///     and verifies that the parameters are valid.
+        /// </returns>
+        public object HookedInvoke(object obj, BindingFlags bindingFlags, Binder binder, object[] parameters, CultureInfo culture, MethodBase methodBase)
+        {
+            try
+            {
+                // Indicate this method was called by newer version of VMP.
+                ConsoleLogger.Warn("============================================= HookedInvoke =============================================\n");
+
+                // Invoke the method and get return value.
+                var returnValue = methodBase.Invoke(obj, bindingFlags, binder, parameters, culture);
+
+                // Route the arguments and return value to our middleman function where they can be manipulated or logged.
+                MiddleMan.VmpMethodLogger(obj, bindingFlags, binder, ref parameters, culture, methodBase, ref returnValue);
+
+                // Return logged return value.
+                return returnValue;
+            }
+            catch (Exception ex)
+            {
+                // Log the exception.
+                ConsoleLogger.Error(ex.StackTrace);
+                return null;
+            }
+        }
+
+        /// <summary>
+        ///     This function is used by older VMProtect version.
+        /// </summary>
+        /// <param name="obj">
+        ///     The object on which to invoke the method or constructor. If a method is static, this argument is
+        ///     ignored. If a constructor is static, this argument must be <see langword="null" /> or an instance of the class that
+        ///     defines the constructor.
+        /// </param>
+        /// <param name="parameters">
+        ///     An argument list for the invoked method or constructor. This is an array of objects with the same number, order,
+        ///     and type as the parameters of the method or constructor to be invoked. If there are no parameters,
+        ///     <paramref name="parameters" /> should be <see langword="null" />.
+        ///     If the method or constructor represented by this instance takes a <see langword="ref" /> parameter (
+        ///     <see langword="ByRef" /> in Visual Basic), no special attribute is required for that parameter in order to invoke
+        ///     the method or constructor using this function. Any object in this array that is not explicitly initialized with a
+        ///     value will contain the default value for that object type. For reference-type elements, this value is
+        ///     <see langword="null" />. For value-type elements, this value is 0, 0.0, or <see langword="false" />, depending on
+        ///     the specific element type.
+        /// </param>
+        /// <returns>
+        ///     An object containing the return value of the invoked method, or <see langword="null" /> in the case of a
+        ///     constructor.
+        /// </returns>
+        public object HookedInvokeOld(object obj, object[] parameters, MethodBase methodBase)
+        {
+            try
+            {
+                // Indicate this method was called by older version of VMP.
+                ConsoleLogger.Warn("============================================= HookedInvokeOld =============================================\n");
+
+                // Invoke the method and get return value.
+                var returnValue = methodBase.Invoke(obj, parameters);
+
+                // Route the arguments and return value to our middleman function where they can be manipulated or logged.
+                MiddleMan.VmpMethodLogger(obj, null, null, ref parameters, null, methodBase, ref returnValue);
+
+                // Return logged return value.
+                return returnValue;
+            }
+            catch (Exception ex)
+            {
+                // Log the exception.
+                ConsoleLogger.Error(ex.StackTrace);
+                return null;
+            }
+        }
+    }
+
+    /// <summary>
+    ///     This class contains Harmony Patches
+    /// </summary>
+    public static class VmProtectDumper
+    {
+        /// <summary>A transpiler that replaces all occurrences of a given method with another with additional Ldarg_1 instruction</summary>
+        /// <param name="instructions">The enumeration of <see cref="T:HarmonyLib.CodeInstruction" /> to act on</param>
+        /// <param name="from">Method to search for</param>
+        /// <param name="to">Method to replace with</param>
+        /// <returns>Modified enumeration of <see cref="T:HarmonyLib.CodeInstruction" /></returns>
+        private static IEnumerable<CodeInstruction> ReplaceVmpInvoke(this IEnumerable<CodeInstruction> instructions, MethodBase from, MethodBase to)
+        {
+            if ((object) from == null) throw new ArgumentException("Unexpected null argument", nameof(from));
+            if ((object) to == null) throw new ArgumentException("Unexpected null argument", nameof(to));
+
+            var code = new List<CodeInstruction>(instructions);
+
+            for (var x = 0; x < code.Count; x++)
+            {
+                var ins = code[x];
+                if (ins.operand as MethodBase != from) continue;
+
+                // replace callvirt Invoke with our debug invoke.
+                ins.opcode = OpCodes.Callvirt;
+                ins.operand = to;
+
+                // insert additional Ldarg_1 which corresponds to MethodBase of invoked function.
+                // TODO: Improve this, can be easily broken by obfuscation or future VMP updates
+                code.Insert(x, new CodeInstruction(OpCodes.Ldarg_1));
+                ConsoleLogger.Info("Replaced with custom Invoke and injected MethodBase argument at {0}.", x);
+            }
+
+            return code.AsEnumerable();
+        }
+
+        /// <summary>A transpiler that alters instructions that calls specific method</summary>
+        /// <param name="instructions">The enumeration of <see cref="T:HarmonyLib.CodeInstruction" /> to act on</param>
+        /// <returns>Modified enumeration of <see cref="T:HarmonyLib.CodeInstruction" /></returns>
+        public static IEnumerable<CodeInstruction> Transpiler(IEnumerable<CodeInstruction> instructions)
+        {
+            ConsoleLogger.Debug("VMP Function Handler Transpiler");
+
+            var codeInstructions = instructions.ToList();
+
+            // Replace all occurrences of MethodBase.Invoke with our debug version.
+            return codeInstructions.ReplaceVmpInvoke(AccessTools.Method(typeof(MethodBase),
+                        "Invoke",
+                        new[]
+                        {
+                            typeof(object), typeof(BindingFlags), typeof(Binder), typeof(object[]),
+                            typeof(CultureInfo)
+                        }),
+                    AccessTools.Method(typeof(Targets), nameof(Targets.HookedInvoke)))
+                // Older version of VMP
+                .ReplaceVmpInvoke(AccessTools.Method(typeof(MethodBase), "Invoke", new[] {typeof(object), typeof(object[])}),
+                    AccessTools.Method(typeof(Targets), nameof(Targets.HookedInvokeOld)));
+        }
+    }
+}

VMUP/VMUnprotect/Init/Loader.cs

@@ -0,0 +1,87 @@
+using dnlib.DotNet;
+using HarmonyLib;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using VMUnprotect.Hooks;
+using VMUnprotect.Utils;
+
+namespace VMUnprotect
+{
+    public class Loader
+    {
+        public Loader(string path)
+        {
+            VmpAssembly = TryLoadAssembly(path);
+            VmpModuleDefMd = TryLoadModuleDef(path);
+        }
+
+        internal static Assembly VmpAssembly
+        {
+            get;
+            set;
+        }
+        internal static ModuleDefMD VmpModuleDefMd
+        {
+            get;
+            set;
+        }
+
+        public VmRuntimeStructure RuntimeStructure
+        {
+            get;
+            set;
+        }
+
+        public void Start(IEnumerable<string> args)
+        {
+            var fileEntryPoint = VmpAssembly.EntryPoint;
+            var moduleHandle = VmpAssembly.ManifestModule.ModuleHandle;
+            var parameters = fileEntryPoint.GetParameters();
+            var arguments = args.Skip(1).ToArray();
+
+            ConsoleLogger.Debug("Entrypoint method: {0}", fileEntryPoint.FullDescription());
+            ConsoleLogger.Debug("ModuleHandle: {0}", moduleHandle);
+
+            ConsoleLogger.Debug("Analyzing VMP Structure...");
+            VmAnalyzer.Run(this);
+
+            ConsoleLogger.Info("Applying hooks.");
+            HooksManager.HooksApply(RuntimeStructure);
+
+            ConsoleLogger.Info("Invoking Constructor.");
+            RuntimeHelpers.RunModuleConstructor(moduleHandle);
+
+            ConsoleLogger.Info("Invoking assembly.");
+            fileEntryPoint.Invoke(null, parameters.Length == 0 ? null : new object[] {arguments});
+        }
+
+        private static Assembly TryLoadAssembly(string path)
+        {
+            try
+            {
+                return Assembly.LoadFile(path);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine(ex.Message);
+                return null;
+            }
+        }
+
+        private static ModuleDefMD TryLoadModuleDef(string path)
+        {
+            try
+            {
+                return ModuleDefMD.Load(path);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine(ex.Message);
+                return null;
+            }
+        }
+    }
+}