dotscope 0.7.0

A high-performance, cross-platform framework for analyzing and reverse engineering .NET PE executables
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

//! SSA pass that folds NR's anti-tamper metadata-token accessors.
//!
//! NR's anti-tamper stage rewrites every user `ldtoken X` instruction into
//! `ldc.i4 <metadata_token>; call resolver.GetTypeHandle(int32)`. The
//! resolver caches a `ModuleHandle` and dispatches to
//! `ModuleHandle::GetRuntime{Type|Field|Method}HandleFromMetadataToken`.
//!
//! This pass reverses the rewrite: when the int argument is constant, it
//! replaces the `Call` with a single `LoadToken` carrying the recovered
//! token. After this pass the resolver type itself becomes orphan and the
//! generic cleanup pipeline removes it.
//!
//! # Pipeline Position
//!
//! Runs in the **Value** phase, alongside other constant-resolution passes
//! (string decryption, JIEJIE.NET typeof restoration). The pass is purely
//! intra-method and `InstructionsOnly` — it does not change CFG structure.

use std::collections::HashSet;

use crate::{
    analysis::{ConstValue, SsaFunction, SsaOp, SsaVarId, TypeRef},
    compiler::{CompilerContext, EventKind, ModificationScope, SsaPass},
    metadata::token::Token,
    CilObject, Result,
};

/// Folds `accessor(<const>)` calls into `ldtoken X` for the NR
/// anti-tamper metadata-token resolver.
pub struct TokenResolverPass {
    accessor_tokens: HashSet<Token>,
}

impl TokenResolverPass {
    /// Builds the pass from the resolver's accessor method tokens.
    ///
    /// All accessor flavours (`RuntimeTypeHandle` / `RuntimeFieldHandle` /
    /// `RuntimeMethodHandle`) are handled identically: the int argument is
    /// the raw metadata token, and `LoadToken` accepts any token kind.
    #[must_use]
    pub fn new(accessor_tokens: impl IntoIterator<Item = Token>) -> Self {
        Self {
            accessor_tokens: accessor_tokens.into_iter().collect(),
        }
    }
}

impl SsaPass for TokenResolverPass {
    fn name(&self) -> &'static str {
        "netreactor-token-resolver"
    }

    fn description(&self) -> &'static str {
        "Folds NR anti-tamper metadata-token accessor calls back to ldtoken"
    }

    fn modification_scope(&self) -> ModificationScope {
        ModificationScope::InstructionsOnly
    }

    fn run_on_method(
        &self,
        ssa: &mut SsaFunction,
        _method_token: Token,
        ctx: &CompilerContext,
        _assembly: &CilObject,
    ) -> Result<bool> {
        if self.accessor_tokens.is_empty() {
            return Ok(false);
        }

        let constants = ssa.find_constants();

        let mut replacements: Vec<(usize, usize, Token, SsaVarId)> = Vec::new();

        for (block_idx, block) in ssa.blocks().iter().enumerate() {
            for (instr_idx, instr) in block.instructions().iter().enumerate() {
                if let SsaOp::Call { dest, method, args } = instr.op() {
                    if !self.accessor_tokens.contains(&method.token()) {
                        continue;
                    }
                    if args.len() != 1 {
                        continue;
                    }
                    let Some(dest_var) = dest else {
                        continue;
                    };
                    let Some(const_val) = constants.get(&args[0]) else {
                        continue;
                    };
                    let raw_token = match const_val {
                        ConstValue::I32(v) => *v as u32,
                        ConstValue::U32(v) => *v,
                        _ => continue,
                    };
                    if raw_token == 0 {
                        continue;
                    }
                    replacements.push((block_idx, instr_idx, Token::new(raw_token), *dest_var));
                }
            }
        }

        if replacements.is_empty() {
            return Ok(false);
        }

        for (block_idx, instr_idx, token, dest) in &replacements {
            ssa.replace_instruction_op(
                *block_idx,
                *instr_idx,
                SsaOp::LoadToken {
                    dest: *dest,
                    token: TypeRef::new(*token),
                },
            );
            ctx.events.record(EventKind::ValueResolved);
        }

        Ok(true)
    }
}