Updated x86 expression emulating

de4dot.code/de4dot.code.csproj

@@ -166,6 +166,7 @@
     <Compile Include="deobfuscators\ConfuserEx\NativeSwitchData.cs" />
     <Compile Include="deobfuscators\ConfuserEx\NormalSwitchData.cs" />
     <Compile Include="deobfuscators\ConfuserEx\Utils.cs" />
+    <Compile Include="deobfuscators\ConfuserEx\x86Emulator.cs" />
     <Compile Include="deobfuscators\ConfuserEx\x86\Bea\Constants.cs" />
     <Compile Include="deobfuscators\ConfuserEx\x86\Bea\Engine.cs" />
     <Compile Include="deobfuscators\ConfuserEx\x86\Bea\Structs.cs" />

de4dot.code/deobfuscators/ConfuserEx/ConstantDecrypter.cs

@@ -7,7 +7,7 @@
 using System.Text;
 using de4dot.blocks;
 using de4dot.blocks.cflow;
-using de4dot.code.deobfuscators.ConfuserEx.x86;
+//using de4dot.code.deobfuscators.ConfuserEx.x86;
 using dnlib.DotNet;
 using dnlib.DotNet.Writer;
 using FieldAttributes = dnlib.DotNet.FieldAttributes;
@@ -20,14 +20,20 @@ namespace de4dot.code.deobfuscators.ConfuserEx
     public class ConstantDecrypterBase
     {
         private readonly InstructionEmulator _instructionEmulator = new InstructionEmulator();
-        private X86Method _nativeMethod;
+        private x86Emulator _nativeEmulator;
+        //private X86Method _nativeMethod;
 
         public MethodDef Method { get; set; }
         public byte[] Decrypted { get; set; }
         public uint Magic1 { get; set; }
         public uint Magic2 { get; set; }
         public bool CanRemove { get; set; } = true;
 
+        public ConstantDecrypterBase(x86Emulator nativeEmulator)
+        {
+            _nativeEmulator = nativeEmulator;
+        }
+
         // native mode
         public MethodDef NativeMethod { get; internal set; }
 
@@ -43,7 +49,8 @@ public class ConstantDecrypterBase
                 return null;
 
             _instructionEmulator.Pop();
-            var result = _nativeMethod.Execute(((Int32Value) popValue).Value);
+           // var result = _nativeMethod.Execute(((Int32Value) popValue).Value);
+            var result = (int?)_nativeEmulator.Emulate(NativeMethod, ((Int32Value)popValue).Value);
             return result;
         }
 
@@ -53,7 +60,7 @@ private uint CalculateMagic(uint index)
             if (NativeMethod != null)
             {
                 _instructionEmulator.Push(new Int32Value((int)index));
-                _nativeMethod = new X86Method(NativeMethod, Method.Module as ModuleDefMD); //TODO: Possible null
+                //_nativeMethod = new X86Method(NativeMethod, Method.Module as ModuleDefMD); //TODO: Possible null
                 var key = CalculateKey();
 
                 uint_0 = (uint)key.Value;
@@ -115,12 +122,14 @@ public class ConstantsDecrypter
         private byte[] _decryptedBytes;
         private FieldDef _decryptedField, _arrayField;
         internal TypeDef ArrayType;
+        private x86Emulator _nativeEmulator;
 
-        public ConstantsDecrypter(ModuleDef module, MethodDef lzmaMethod, ISimpleDeobfuscator deobfsucator)
+        public ConstantsDecrypter(ModuleDef module, MethodDef lzmaMethod, ISimpleDeobfuscator deobfsucator, x86Emulator nativeEmulator)
         {
             _module = module;
             _lzmaMethod = lzmaMethod;
             _deobfuscator = deobfsucator;
+            _nativeEmulator = nativeEmulator;
         }
 
         public bool CanRemoveLzma { get; private set; }
@@ -295,7 +304,7 @@ private IEnumerable<ConstantDecrypterBase> FindStringDecrypters(TypeDef type)
 
                 if (IsNativeStringDecrypter(method, out MethodDef nativeMethod))
                 {
-                    yield return new ConstantDecrypterBase
+                    yield return new ConstantDecrypterBase(_nativeEmulator)
                     {
                         Decrypted = _decryptedBytes,
                         Method = method,
@@ -304,7 +313,7 @@ private IEnumerable<ConstantDecrypterBase> FindStringDecrypters(TypeDef type)
                 }
                 if (IsNormalStringDecrypter(method, out int num1, out int num2))
                 {
-                    yield return new ConstantDecrypterBase
+                    yield return new ConstantDecrypterBase(_nativeEmulator)
                     {
                         Decrypted = _decryptedBytes,
                         Method = method,

de4dot.code/deobfuscators/ConfuserEx/ControlFlowFixer.cs

@@ -3,7 +3,7 @@
 using System.Linq;
 using de4dot.blocks;
 using de4dot.blocks.cflow;
-using de4dot.code.deobfuscators.ConfuserEx.x86;
+//using de4dot.code.deobfuscators.ConfuserEx.x86;
 using dnlib.DotNet;
 using dnlib.DotNet.Emit;
 
@@ -15,10 +15,16 @@ internal class ControlFlowFixer : IBlocksDeobfuscator
         public List<MethodDef> NativeMethods = new List<MethodDef>();
 
         private readonly InstructionEmulator _instructionEmulator = new InstructionEmulator();
+        private x86Emulator _nativeEmulator;
 
         private Blocks _blocks;
         private Local _switchKey;
 
+        public ControlFlowFixer(x86Emulator nativeEmulator)
+        {
+            _nativeEmulator = nativeEmulator;
+        }
+
         private int? CalculateKey(SwitchData switchData)
         {
             var popValue = _instructionEmulator.Peek();
@@ -31,8 +37,9 @@ internal class ControlFlowFixer : IBlocksDeobfuscator
             if (switchData is NativeSwitchData)
             {
                 var nativeSwitchData = (NativeSwitchData)switchData;
-                var nativeMethod = new X86Method(nativeSwitchData.NativeMethodDef, _blocks.Method.Module as ModuleDefMD); //TODO: Possible null
-                return nativeMethod.Execute(num);
+                //var nativeMethod = new X86Method(nativeSwitchData.NativeMethodDef, _blocks.Method.Module as ModuleDefMD); //TODO: Possible null
+                //return nativeMethod.Execute(num);
+                return (int?)_nativeEmulator.Emulate(nativeSwitchData.NativeMethodDef, num);
             }
             if (switchData is NormalSwitchData)
             {

de4dot.code/deobfuscators/ConfuserEx/Deobfuscator.cs

@@ -50,14 +50,15 @@ public override IDeobfuscator CreateDeobfuscator()
 
         private class Deobfuscator : DeobfuscatorBase
         {
-            private readonly ControlFlowFixer _controlFlowFixer = new ControlFlowFixer();
+            private ControlFlowFixer _controlFlowFixer;
 
             private bool _canRemoveLzma = true;
             private ConstantsDecrypter _constantDecrypter;
             private bool _detectedConfuserExAttribute, _deobfuscating;
             private LzmaFinder _lzmaFinder;
             private ProxyCallFixer _proxyCallFixer;
             private ResourceDecrypter _resourceDecrypter;
+            private x86Emulator _nativeEmulator;
             private string _version = "";
 
             public Deobfuscator(Options options)
@@ -103,10 +104,13 @@ protected override int DetectInternal()
 
             protected override void ScanForObfuscator()
             {
+                _nativeEmulator = new x86Emulator(DeobUtils.ReadModule(module));
+
+                _controlFlowFixer = new ControlFlowFixer(_nativeEmulator);
                 _lzmaFinder = new LzmaFinder(module, DeobfuscatedFile);
                 _lzmaFinder.Find();
 
-                _constantDecrypter = new ConstantsDecrypter(module, _lzmaFinder.Method, DeobfuscatedFile);
+                _constantDecrypter = new ConstantsDecrypter(module, _lzmaFinder.Method, DeobfuscatedFile, _nativeEmulator);
                 _resourceDecrypter = new ResourceDecrypter(module, _lzmaFinder.Method, DeobfuscatedFile);
 
                 if (_lzmaFinder.FoundLzma)
@@ -115,7 +119,7 @@ protected override void ScanForObfuscator()
                     _resourceDecrypter.Find();
                 }
 
-                _proxyCallFixer = new ProxyCallFixer(module, DeobfuscatedFile);
+                _proxyCallFixer = new ProxyCallFixer(module, DeobfuscatedFile, _nativeEmulator);
                 _proxyCallFixer.FindDelegateCreatorMethod();
                 _proxyCallFixer.Find();
 

de4dot.code/deobfuscators/ConfuserEx/ProxyCallFixer.cs

@@ -3,7 +3,7 @@
 using System.Linq;
 using de4dot.blocks;
 using de4dot.blocks.cflow;
-using de4dot.code.deobfuscators.ConfuserEx.x86;
+//using de4dot.code.deobfuscators.ConfuserEx.x86;
 using dnlib.DotNet;
 using dnlib.DotNet.Emit;
 
@@ -31,10 +31,12 @@ internal class ProxyCallFixer : ProxyCallFixer4
         public List<TypeDef> AttributeTypes = new List<TypeDef>();
         public List<MethodDef> DelegateCreatorMethods = new List<MethodDef>();
         public List<MethodDef> NativeMethods = new List<MethodDef>();
+        private x86Emulator _nativeEmulator;
 
-        public ProxyCallFixer(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator) : base(module)
+        public ProxyCallFixer(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, x86Emulator nativeEmulator) : base(module)
         {
             _simpleDeobfuscator = simpleDeobfuscator;
+            _nativeEmulator = nativeEmulator;
         }
 
         public ProxyCallFixer(ModuleDefMD module, ProxyCallFixer4 oldOne) : base(module, oldOne)
@@ -167,8 +169,9 @@ private OpCode GetCallOpCode(IMethod calledMethod, int charNum, int byteNum)
 
         private int EmulateNativeMethod(MethodDef externalMethod, int parameter)
         {
-            var nativeMethod = new X86Method(externalMethod, module); //TODO: Possible null
-            return nativeMethod.Execute(parameter);
+            //var nativeMethod = new X86Method(externalMethod, module); //TODO: Possible null
+            //return nativeMethod.Execute(parameter);
+            return (int)_nativeEmulator.Emulate(externalMethod, parameter);
         }
 
         private int EmulateManagedMethod(MethodDef method, int startIndex, int endIndex,