public static MethodDefinition FindDecryptor(AssemblyDefinition asmDef)
{
foreach (var modDef in asmDef.Modules)
foreach (var typeDef in modDef.Types)
foreach (var mDef in typeDef.Methods)
{
var signature = new ILSignature
{
Start = 1,
StartOpCode = OpCodes.Nop,
Instructions = new List<OpCode>
{
OpCodes.Callvirt,
OpCodes.Stloc_0,
OpCodes.Ldloc_0,
OpCodes.Newarr,
OpCodes.Stloc_1,
OpCodes.Ldc_I4_0,
OpCodes.Stloc_2
}
};
if (mDef.HasBody) {
if (SignatureFinder.IsMatch(mDef, signature))
return mDef;
}
}
return null;
}
private static ISignature IdentifyRpx(AssemblyDefinition asmDef, out bool found)
{
var signature = new ILSignature
{
StartIndex = 0,
StartOpCode = OpCodes.Nop,
Instructions = new List <OpCode>
{
OpCodes.Call,
OpCodes.Callvirt,
OpCodes.Ldstr,
OpCodes.Callvirt,
OpCodes.Stloc_0,
OpCodes.Ldloc_0,
OpCodes.Ldc_I4_3,
OpCodes.Ldc_I4_1,
OpCodes.Call,
OpCodes.Stloc_1,
OpCodes.Ldloc_1,
OpCodes.Ldstr
}
};
if (SignatureFinder.IsMatch(asmDef.EntryPoint, signature))
{
found = true;
return(new RpxSignature());
}
found = false;
return(new UnidentifiedSignature());
}
public static bool IsMatch(MethodDefinition mDef, ILSignature signature)
{
if (!mDef.HasBody)
return false;
if(mDef.Body.Instructions.Count <= (signature.StartIndex > 0 ? signature.StartIndex : -signature.StartIndex) + signature.Instructions.Count)
return false;
Instruction initInstr = null;
if (signature.StartOpCode != OpCodes.Nop)
initInstr = mDef.Body.Instructions.FirstOrDefault(instr => instr.OpCode == signature.StartOpCode);
else
initInstr = mDef.Body.Instructions[signature.StartIndex];
if (initInstr == null)
return false;
var flag = true;
var tmp = initInstr.Previous ?? initInstr;
foreach (var instr in signature.Instructions)
{
tmp = tmp.Next;
if (instr != tmp.OpCode)
flag = false;
}
return flag;
}
public static bool IsMatch(MethodDefinition mDef, ILSignature signature)
{
if (!mDef.HasBody)
{
return(false);
}
if (mDef.Body.Instructions.Count <= (signature.StartIndex > 0 ? signature.StartIndex : -signature.StartIndex) + signature.Instructions.Count)
{
return(false);
}
Instruction initInstr = null;
if (signature.StartOpCode != OpCodes.Nop)
{
initInstr = mDef.Body.Instructions.FirstOrDefault(instr => instr.OpCode == signature.StartOpCode);
}
else
{
initInstr = mDef.Body.Instructions[signature.StartIndex];
}
if (initInstr == null)
{
return(false);
}
var flag = true;
var tmp = initInstr.Previous ?? initInstr;
foreach (var instr in signature.Instructions)
{
tmp = tmp.Next;
if (instr != tmp.OpCode)
{
flag = false;
}
}
return(flag);
}
private static List<MethodDefinition> FindDecryptors(AssemblyDefinition asmDef)
{
var signature = new ILSignature
{
Start = 0,
StartOpCode = OpCodes.Ldsfld,
Instructions = new List<OpCode>
{
OpCodes.Ldsfld,
OpCodes.Dup,
OpCodes.Stloc_S,
OpCodes.Call,
OpCodes.Ldarg_0,
OpCodes.Ldc_I4
}
};
var decryptors = new List<MethodDefinition>();
foreach (var modDef in asmDef.Modules)
foreach (var typeDef in modDef.Types)
foreach (var mDef in typeDef.Methods)
if (SignatureFinder.IsMatch(mDef, signature))
decryptors.Add(mDef);
return decryptors;
}
private static ISignature IdentifyRpx(AssemblyDefinition asmDef, out bool found)
{
var signature = new ILSignature
{
StartIndex = 0,
StartOpCode = OpCodes.Nop,
Instructions = new List<OpCode>
{
OpCodes.Call,
OpCodes.Callvirt,
OpCodes.Ldstr,
OpCodes.Callvirt,
OpCodes.Stloc_0,
OpCodes.Ldloc_0,
OpCodes.Ldc_I4_3,
OpCodes.Ldc_I4_1,
OpCodes.Call,
OpCodes.Stloc_1,
OpCodes.Ldloc_1,
OpCodes.Ldstr
}
};
if(SignatureFinder.IsMatch(asmDef.EntryPoint, signature))
{
found = true;
return new RpxSignature();
}
found = false;
return new UnidentifiedSignature();
}
