lib: dll delayload/loadwithalteredsearchpath flags were added in v23, add version check for this

tests: add test for v22 script with dll imports. please note bytecode used here came from a malware sample!

Author: Wack0

IFPSLib.Tests/CompiledCode_v22.bin

@@ -59,6 +59,7 @@
   <ItemGroup>
     <None Include="app.config" />
     <None Include="CompiledCode.bin" />
+    <None Include="CompiledCode_v22.bin" />
     <None Include="packages.config" />
   </ItemGroup>
   <ItemGroup>
@@ -81,6 +82,9 @@
   <ItemGroup>
     <None Include="CompiledCode.txt" />
   </ItemGroup>
+  <ItemGroup>
+    <None Include="CompiledCode_v22.txt" />
+  </ItemGroup>
   <Import Project="$(VSToolsPath)\TeamTest\Microsoft.TestTools.targets" Condition="Exists('$(VSToolsPath)\TeamTest\Microsoft.TestTools.targets')" />
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">

IFPSLib.Tests/CompiledCode_v22.txt

@@ -124,4 +124,10 @@
   <data name="CompiledCodeDisasm" type="System.Resources.ResXFileRef, System.Windows.Forms">
     <value>..\CompiledCode.txt;System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089;utf-8</value>
   </data>
+  <data name="CompiledCodeDisasm_v22" type="System.Resources.ResXFileRef, System.Windows.Forms">
+    <value>..\CompiledCode_v22.txt;System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089;utf-8</value>
+  </data>
+  <data name="CompiledCode_v22" type="System.Resources.ResXFileRef, System.Windows.Forms">
+    <value>..\CompiledCode_v22.bin;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </data>
 </root>

IFPSLib.Tests/IFPSLib.Tests.csproj

@@ -11,6 +11,7 @@ namespace IFPSLib.Tests
     public class ScriptTest
     {
         private static readonly string origB64 = Convert.ToBase64String(Resources.CompiledCode);
+        private static readonly string origB64_22 = Convert.ToBase64String(Resources.CompiledCode_v22);
 
         [TestMethod]
         public void TestLoadSave()
@@ -44,5 +45,38 @@ public void TestAsm()
             var savedB64 = Convert.ToBase64String(script.Save());
             Assert.AreEqual(savedB64, origB64);
         }
+
+        [TestMethod]
+        public void TestLoadSaveV22()
+        {
+            // Load the script.
+            var script = Script.Load(Resources.CompiledCode_v22);
+            // Ensure it's not null.
+            Assert.IsNotNull(script);
+            // For an official script (compiled by inno setup), the entrypoint is the first function.
+            Assert.AreEqual(script.EntryPoint, script.Functions[0]);
+            // Save the script.
+            var savedBytes = script.Save();
+            // Convert to base64 for later.
+            var saved = Convert.ToBase64String(savedBytes);
+            // Load the saved script.
+            var scriptSaved = Script.Load(savedBytes);
+            // Save again.
+            var savedTwice = Convert.ToBase64String(scriptSaved.Save());
+            // Ensure both saved scripts equal each other.
+            Assert.AreEqual(saved, savedTwice);
+            // Ensure the saved script equals the original.
+            Assert.AreEqual(saved, origB64_22);
+            // Ensure the disassemblies are equal.
+            Assert.AreEqual(script.Disassemble(), scriptSaved.Disassemble());
+        }
+
+        [TestMethod]
+        public void TestAsmV22()
+        {
+            var script = Assembler.Assemble(Resources.CompiledCodeDisasm_v22);
+            var savedB64 = Convert.ToBase64String(script.Save());
+            Assert.AreEqual(savedB64, origB64);
+        }
     }
 }

IFPSLib.Tests/Properties/Resources.Designer.cs

@@ -27,7 +27,7 @@ public abstract class Base
             protected const string ClassString = "class:";
             protected const string ComString = "intf:.";
 
-            internal static Base Load(BinaryReader br)
+            internal static Base Load(BinaryReader br, Script script)
             {
                 var fdeclLen = br.Read<uint>();
                 using (var fdeclMem = new NativeMemoryArray<byte>(fdeclLen, true))
@@ -39,21 +39,21 @@ internal static Base Load(BinaryReader br)
                         if (fdeclSpan.EqualsAsciiString(0, DllString))
                         {
                             brDecl.BaseStream.Position = DllString.Length;
-                            return DLL.Load(brDecl);
+                            return DLL.Load(brDecl, script);
                         }
                         else if (fdeclSpan.EqualsAsciiString(0, ClassString))
                         {
                             brDecl.BaseStream.Position = ClassString.Length;
-                            return Class.Load(brDecl);
+                            return Class.Load(brDecl, script);
                         }
                         else if (fdeclSpan.EqualsAsciiString(0, ComString))
                         {
                             brDecl.BaseStream.Position = ComString.Length;
-                            return COM.Load(brDecl);
+                            return COM.Load(brDecl, script);
                         }
                         else
                         {
-                            return Internal.Load(brDecl);
+                            return Internal.Load(brDecl, script);
                         }
                     }
                 }
@@ -124,14 +124,17 @@ public sealed class DLL : BaseCC
 
             internal override string Name => string.Format("{0}!{1}", DllName, ProcedureName);
 
-            internal static new DLL Load(BinaryReader br)
+            internal static new DLL Load(BinaryReader br, Script script)
             {
                 var ret = new DLL();
                 ret.DllName = br.ReadAsciiStringTerminated();
                 ret.ProcedureName = br.ReadAsciiStringTerminated();
                 ret.CallingConvention = (NativeCallingConvention)br.ReadByte();
-                ret.DelayLoad = br.ReadByte() != 0;
-                ret.LoadWithAlteredSearchPath = br.ReadByte() != 0;
+                if (script.FileVersion >= Script.VERSION_MIN_DLL_LOAD_FLAGS)
+                {
+                    ret.DelayLoad = br.ReadByte() != 0;
+                    ret.LoadWithAlteredSearchPath = br.ReadByte() != 0;
+                }
 
                 ret.LoadArguments(br);
 
@@ -164,8 +167,11 @@ internal override void SaveCore(BinaryWriter bw, Script.SaveContext ctx)
                 bw.WriteAsciiStringTerminated(DllName);
                 bw.WriteAsciiStringTerminated(ProcedureName);
                 bw.Write(CallingConvention);
-                bw.Write<byte>((byte)(DelayLoad ? 1 : 0));
-                bw.Write<byte>((byte)(LoadWithAlteredSearchPath ? 1 : 0));
+                if (ctx.FileVersion >= Script.VERSION_MIN_DLL_LOAD_FLAGS)
+                {
+                    bw.Write<byte>((byte)(DelayLoad ? 1 : 0));
+                    bw.Write<byte>((byte)(LoadWithAlteredSearchPath ? 1 : 0));
+                }
                 SaveArguments(bw);
             }
         }
@@ -181,7 +187,7 @@ public sealed class Class : BaseCC
 
             private const byte TERMINATOR = (byte)'|';
 
-            internal static new Class Load(BinaryReader br)
+            internal static new Class Load(BinaryReader br, Script script)
             {
                 var ret = new Class();
 
@@ -297,7 +303,7 @@ public sealed class COM : BaseCC
 
             internal override string Name => string.Format("CoInterface->vtbl[{0}]", VTableIndex);
 
-            internal static new COM Load(BinaryReader br)
+            internal static new COM Load(BinaryReader br, Script script)
             {
                 var ret = new COM();
                 ret.VTableIndex = br.Read<uint>();
@@ -325,7 +331,7 @@ internal override void SaveCore(BinaryWriter bw, Script.SaveContext ctx)
 
         public sealed class Internal : Base
         {
-            internal static new Internal Load(BinaryReader br)
+            internal static new Internal Load(BinaryReader br, Script script)
             {
                 var ret = new Internal();
                 ret.LoadArguments(br);
@@ -378,7 +384,7 @@ internal static ExternalFunction Load(BinaryReader br, Script script, bool expor
                 ret.Name = br.ReadAsciiString(namelen);
             if (exported)
             {
-                ret.Declaration = FDecl.Base.Load(br);
+                ret.Declaration = FDecl.Base.Load(br, script);
                 if (ret.Declaration.HasReturnArgument) ret.ReturnArgument = UnknownType.Instance;
                 if (string.IsNullOrEmpty(ret.Name)) ret.Name = ret.Declaration.Name;
             }

IFPSLib.Tests/Properties/Resources.resx

@@ -20,6 +20,7 @@ public sealed class Script
 
         internal const int VERSION_MIN_ATTRIBUTES = 21;
         internal const int VERSION_MAX_SETSTACKTYPE = 22; // Is this correct?
+        internal const int VERSION_MIN_DLL_LOAD_FLAGS = 23;
         internal const int VERSION_MIN_STATICARRAYSTART = 23;
 
         /// <summary>