dotscope 0.7.0

A high-performance, cross-platform framework for analyzing and reverse engineering .NET PE executables
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199

//! JIEJIE.NET array initialization restoration pass.
//!
//! Replaces `Call(GetHandle, index)` operations with `Const(FieldHandle(...))`
//! to restore the original `ldtoken <field>` that JIEJIE.NET replaced with its
//! RuntimeFieldHandleContainer indirection.
//!
//! Also handles `Call(MyInitializeArray, array, handle, xorKey)` by replacing it
//! with `Call(RuntimeHelpers.InitializeArray, array, handle)`, removing the XOR
//! key argument. The actual FieldRVA data decryption is done in the byte transform
//! phase (see [`crate::deobfuscation::techniques::jiejienet::arrays`]).
//!
//! # Pipeline Position
//!
//! This pass runs in the **Value** phase, after Int32ValueContainer resolution
//! (which resolves the index constants) and before CFF unflattening.
//!
//! # Algorithm
//!
//! 1. During technique initialization, parse the container's `.cctor` to extract
//!    the ordered list of `ldtoken` field tokens (index 0, 1, 2, ...)
//! 2. For each method, scan for `Call { method: accessor_token, args: [index_var] }`
//! 3. Resolve `index_var` to a `Const(I32(N))` via the SSA constant map
//! 4. Replace the Call with `Const { dest, value: FieldHandle(field_tokens[N]) }`
//! 5. For `Call { method: init_array_method, args: [array, handle, xorKey] }`,
//!    replace with `Call { method: init_array_target, args: [array, handle] }`
//!
//! # Example
//!
//! ```text
//! // Before:
//! v3 = Const(I32(1))
//! v4 = call GetHandle(v3)          // accessor method token
//! call MyInitializeArray(v2, v4, v5)  // XOR-encrypted init
//!
//! // After:
//! v3 = Const(I32(1))
//! v4 = Const(FieldHandle(0x04000010))  // the actual field token at index 1
//! call RuntimeHelpers.InitializeArray(v2, v4)  // standard BCL call
//! ```

use crate::{
    analysis::{ConstValue, FieldRef, MethodRef, SsaFunction, SsaOp},
    compiler::{CompilerContext, EventKind, ModificationScope, SsaPass},
    metadata::token::Token,
    CilObject, Result,
};

/// SSA pass that replaces JIEJIE.NET field handle container calls with direct field handle constants
/// and restores `MyInitializeArray` calls to standard `RuntimeHelpers.InitializeArray`.
///
/// Created by the `jiejienet.arrays` technique after detection identifies the
/// container class and its `.cctor` is parsed for the field token mapping.
pub struct ArrayInitRestorationPass {
    /// Token of the GetHandle accessor method.
    accessor_token: Token,
    /// Ordered field tokens extracted from the container's .cctor.
    /// Index in the vector corresponds to the integer argument passed to the accessor.
    field_tokens: Vec<Token>,
    /// Token of the `MyInitializeArray` wrapper method, if detected.
    init_array_method: Option<Token>,
    /// Token of `RuntimeHelpers.InitializeArray` MemberRef to replace with.
    init_array_target: Option<Token>,
}

impl ArrayInitRestorationPass {
    /// Creates a new array init restoration pass.
    ///
    /// # Arguments
    ///
    /// * `accessor_token` - Token of the container's GetHandle method
    /// * `field_tokens` - Ordered field tokens from the container's .cctor ldtoken instructions
    /// * `init_array_method` - Optional token of `MyInitializeArray`
    /// * `init_array_target` - Optional token of `RuntimeHelpers.InitializeArray` MemberRef
    #[must_use]
    pub fn new(
        accessor_token: Token,
        field_tokens: Vec<Token>,
        init_array_method: Option<Token>,
        init_array_target: Option<Token>,
    ) -> Self {
        Self {
            accessor_token,
            field_tokens,
            init_array_method,
            init_array_target,
        }
    }
}

impl SsaPass for ArrayInitRestorationPass {
    fn name(&self) -> &'static str {
        "jiejie-array-init-restore"
    }

    fn description(&self) -> &'static str {
        "Replaces JIEJIE.NET field handle container calls with direct field handle constants"
    }

    fn modification_scope(&self) -> ModificationScope {
        ModificationScope::InstructionsOnly
    }

    fn run_on_method(
        &self,
        ssa: &mut SsaFunction,
        _method_token: Token,
        ctx: &CompilerContext,
        _assembly: &CilObject,
    ) -> Result<bool> {
        if self.field_tokens.is_empty() {
            return Ok(false);
        }

        // Build constant map to resolve index arguments
        let constants = ssa.find_constants();

        // Scan for Call ops targeting the accessor method or MyInitializeArray
        let mut replacements: Vec<(usize, usize, SsaOp)> = Vec::new();

        for (block_idx, block) in ssa.blocks().iter().enumerate() {
            for (instr_idx, instr) in block.instructions().iter().enumerate() {
                if let SsaOp::Call { dest, method, args } = instr.op() {
                    let method_token = method.token();

                    // Case 1: GetHandle accessor replacement
                    if method_token == self.accessor_token {
                        // The accessor takes a single int32 argument (the index)
                        if args.len() != 1 {
                            continue;
                        }

                        // Resolve the index argument to a constant
                        let Some(ConstValue::I32(index)) = constants.get(&args[0]) else {
                            continue;
                        };

                        let index = *index as usize;
                        if index >= self.field_tokens.len() {
                            continue;
                        }

                        let field_token = self.field_tokens[index];

                        // Replace Call with Const(FieldHandle(...))
                        if let Some(dest) = dest {
                            replacements.push((
                                block_idx,
                                instr_idx,
                                SsaOp::Const {
                                    dest: *dest,
                                    value: ConstValue::FieldHandle(FieldRef::new(field_token)),
                                },
                            ));
                        }
                        continue;
                    }

                    // Case 2: MyInitializeArray replacement
                    if let (Some(init_method), Some(init_target)) =
                        (self.init_array_method, self.init_array_target)
                    {
                        if method_token == init_method && args.len() == 3 {
                            // Replace Call(MyInitializeArray, array, handle, xorKey)
                            // with Call(RuntimeHelpers.InitializeArray, array, handle)
                            replacements.push((
                                block_idx,
                                instr_idx,
                                SsaOp::Call {
                                    dest: *dest,
                                    method: MethodRef::new(init_target),
                                    args: vec![args[0], args[1]],
                                },
                            ));
                        }
                    }
                }
            }
        }

        if replacements.is_empty() {
            return Ok(false);
        }

        // Apply replacements
        for (block_idx, instr_idx, new_op) in &replacements {
            ssa.replace_instruction_op(*block_idx, *instr_idx, new_op.clone());
        }

        for (_, _, new_op) in &replacements {
            let kind = match new_op {
                SsaOp::Const { .. } => EventKind::ConstantFolded,
                _ => EventKind::ArtifactRemoved,
            };
            ctx.events.record(kind);
        }

        Ok(true)
    }
}