
Background: I am using dnlib to build a deobfuscator for an unknown custom-made obfuscator in C#. The obfuscated code has a large number of mathematical expressions that define constants for things such as a switch statement, if statements, numbers for method calls, etc. This is part of the control flow obfuscation as well.

Problem: Since I have all these expressions that need to be evaluated, I need to find a way to traverse the MSIL instructions of a given method and emulate the results that appear on the stack of the method. For example, let's say I have an expression of `if (5 + 9)`. In MSIL, the expression will be `ldc.i4.5`, `ldc.i4 9`, `add`.

What I need to do is have my own little runtime with its own stack that can be reinitialized for each method I attempt to deobfuscate. This runtime can evaluate each instruction and its effects on the local stack of the method. This way I can evaluate simple expressions like the instructions above. I can then nop those instructions and put the actual value back into the physical code. I know I can pretty easily make a class that acts as the stack does, but I'm not sure how I would go about taking an Instruction instance from dnlib and giving it a way to evaluate that in connection with a stack class.

This is the closest thing to what I'm describing that I could find on the internet: https://github.com/GodLesZ/ConfuserDeobfuscator/blob/master/ConfuserDeobfuscator/ConfuserDeobfuscator/Utils/ILEmulator.cs

Any ideas?

  • I can't help thinking the reason the code is obfuscated is because the creator didn't want anyone to decompile it. What you want to do is probably against any kind of licence you have been granted. – Neil May 19 '22 at 20:55
  • One way is to generate functions at runtime with `System.Reflection.Emit` and evaluate them. Unfortunately, compiling a function will take some time. Making the assembly collectible may help with memory leaks. – JL0PD May 23 '22 at 05:36
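The "little runtime with its own stack" the question describes, as an added example that is not part of the question, the linked ConfuserDeobfuscator code, or dnlib itself. It uses only dnlib's public API (`Instruction.IsLdcI4()`, `Instruction.GetLdcI4Value()`, `OpCodes`, `CilBody.ExceptionHandlers`, `CilBody.OptimizeMacros()`, `ModuleDefMD.Load`); the class name `ConstantFolder` and the file names passed on the command line are placeholders. It goes a little beyond the `5 + 9` case in the question: one pass over the body keeps a stack of *known* int32 values, so nested expressions such as `(5 + 9) * 3` fold to a single `ldc.i4` as well, and the stack is reset at every branch target and handler start so a value is never folded across a control-flow join. Operations that would throw at run time (division by zero, `int.MinValue / -1`, out-of-range shift counts) are left untouched so the rewritten program behaves exactly as before.

```csharp
// ConstantFolder.cs: added example built on dnlib (class and file names are placeholders).
using System;
using System.Collections.Generic;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

public static class ConstantFolder
{
    // A statically known value plus the index of the instruction that produced it, so the
    // producer can be turned into a nop once a folded operation has consumed the value.
    private readonly struct Known
    {
        public readonly int Value;
        public readonly int Producer;
        public Known(int value, int producer) { Value = value; Producer = producer; }
    }

    // Folds constant int32 expressions in one method body; returns how many operations folded.
    public static int FoldMethod(MethodDef method)
    {
        if (method.Body == null) return 0;
        var instrs = method.Body.Instructions;
        var entryPoints = CollectEntryPoints(method.Body);
        var known = new Stack<Known>();   // models the top N slots of the real stack, all known
        int folded = 0;

        for (int i = 0; i < instrs.Count; i++)
        {
            var instr = instrs[i];
            // Control can reach a branch target or handler start with a different stack:
            // forget everything rather than fold across that join.
            if (entryPoints.Contains(instr)) known.Clear();

            if (instr.IsLdcI4())                        // ldc.i4, ldc.i4.s, ldc.i4.0..8, ldc.i4.m1
            {
                known.Push(new Known(instr.GetLdcI4Value(), i));
                continue;
            }

            Code code = instr.OpCode.Code;
            int arity = Arity(code);
            if (arity > 0 && known.Count >= arity)
            {
                var b = arity == 2 ? known.Pop() : default;   // right operand is on top
                var a = known.Pop();
                if (TryFold(code, a.Value, b.Value, out int r))
                {
                    var producers = arity == 2 ? new[] { a.Producer, b.Producer } : new[] { a.Producer };
                    Rewrite(instrs, i, r, producers);
                    known.Push(new Known(r, i));         // the folded op is now itself a producer
                    folded++;
                    continue;
                }
            }
            // Anything else (call, stloc, ldarg, branch, an unfoldable op, ...) changes the
            // stack in ways this emulator does not model, so nothing is known afterwards.
            known.Clear();
        }

        method.Body.OptimizeMacros();                    // e.g. "ldc.i4 3" back to ldc.i4.3
        return folded;
    }

    // 1 for unary, 2 for binary int32 operations this folder understands, 0 otherwise.
    private static int Arity(Code code)
    {
        switch (code)
        {
            case Code.Neg: case Code.Not: return 1;
            case Code.Add: case Code.Sub: case Code.Mul: case Code.Div: case Code.Div_Un:
            case Code.Rem: case Code.Rem_Un: case Code.And: case Code.Or: case Code.Xor:
            case Code.Shl: case Code.Shr: case Code.Shr_Un: return 2;
            default: return 0;
        }
    }

    // Evaluates one operation with IL int32 semantics (wrapping arithmetic). Returns false for
    // inputs the CLR would trap on or whose result ECMA-335 leaves unspecified, so they stay as-is.
    private static bool TryFold(Code code, int a, int b, out int r)
    {
        r = 0;
        bool divTrap = b == 0 || (a == int.MinValue && b == -1);
        bool badShift = (uint)b > 31;
        switch (code)
        {
            case Code.Neg: r = unchecked(-a); return true;
            case Code.Not: r = ~a; return true;
            case Code.Add: r = unchecked(a + b); return true;
            case Code.Sub: r = unchecked(a - b); return true;
            case Code.Mul: r = unchecked(a * b); return true;
            case Code.And: r = a & b; return true;
            case Code.Or:  r = a | b; return true;
            case Code.Xor: r = a ^ b; return true;
            case Code.Shl: if (badShift) return false; r = a << b; return true;
            case Code.Shr: if (badShift) return false; r = a >> b; return true;
            case Code.Shr_Un: if (badShift) return false; r = (int)((uint)a >> b); return true;
            case Code.Div: if (divTrap) return false; r = a / b; return true;
            case Code.Rem: if (divTrap) return false; r = a % b; return true;
            case Code.Div_Un: if (b == 0) return false; r = (int)((uint)a / (uint)b); return true;
            case Code.Rem_Un: if (b == 0) return false; r = (int)((uint)a % (uint)b); return true;
            default: return false;
        }
    }

    // Writes the result into the operation's own Instruction object and nops the producers in
    // place. Nothing is removed from the list, so offsets and every Instruction reference held
    // by branches and exception handlers elsewhere in the body stay valid.
    private static void Rewrite(IList<Instruction> instrs, int opIndex, int value, int[] producers)
    {
        foreach (int p in producers) { instrs[p].OpCode = OpCodes.Nop; instrs[p].Operand = null; }
        instrs[opIndex].OpCode = OpCodes.Ldc_I4;
        instrs[opIndex].Operand = value;
    }

    // Every instruction that control can enter other than by falling through from its predecessor.
    private static HashSet<Instruction> CollectEntryPoints(CilBody body)
    {
        var set = new HashSet<Instruction>();
        foreach (var ins in body.Instructions)
        {
            if (ins.Operand is Instruction target) set.Add(target);          // br, brtrue, beq, leave, ...
            else if (ins.Operand is IList<Instruction> targets)              // switch
                foreach (var t in targets) if (t != null) set.Add(t);
        }
        foreach (var eh in body.ExceptionHandlers)
        {
            if (eh.TryStart != null) set.Add(eh.TryStart);
            if (eh.HandlerStart != null) set.Add(eh.HandlerStart);
            if (eh.FilterStart != null) set.Add(eh.FilterStart);
        }
        return set;
    }

    // Usage: ConstantFolder <input.dll> <output.dll>  (both names are placeholders).
    public static void Main(string[] args)
    {
        var module = ModuleDefMD.Load(args[0]);
        int total = 0;
        foreach (var type in module.GetTypes())
            foreach (var m in type.Methods)
                if (m.HasBody) total += FoldMethod(m);
        module.Write(args[1]);
        Console.WriteLine($"folded {total} constant expressions");
    }
}
```

On the question's own example, `ldc.i4.5`, `ldc.i4 9`, `add` becomes `nop`, `nop`, `ldc.i4.s 14`. The nops are deliberately left behind: deleting instructions from `CilBody.Instructions` requires retargeting every branch and exception-handler boundary that pointed at them, which is a separate pass and a separate source of bugs. Two things this folder does not attempt, so its output stays trustworthy: it never folds through locals or arguments (`stloc`/`ldloc` pairs clear the known stack), and it treats every opcode it does not understand as destroying all knowledge rather than guessing at its stack effect.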

0 Answers