List <TypeDef> FindVmHandlerTypes()
{
var requiredFields = new string[] {
null,
"System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>",
"System.UInt16",
};
var cflowDeobfuscator = new CflowDeobfuscator();
foreach (var type in module.Types)
{
var cctor = type.FindStaticConstructor();
if (cctor == null)
{
continue;
}
requiredFields[0] = type.FullName;
var fieldTypes = new FieldTypes(type);
if (!fieldTypes.All(requiredFields))
{
continue;
}
cflowDeobfuscator.Deobfuscate(cctor);
var handlers = FindVmHandlerTypes(cctor);
return(handlers);
}
return(null);
}
bool Find2()
{
foreach (var cctor in DeobUtils.GetInitCctors(module, 3))
{
foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, cctor))
{
var type = calledMethod.DeclaringType;
if (type.IsPublic)
{
continue;
}
var fieldTypes = new FieldTypes(type);
if (!fieldTypes.All(requiredFields1))
{
continue;
}
if (!HasInitializeMethod(type, "_Initialize") && !HasInitializeMethod(type, "_Initialize64"))
{
continue;
}
initializeMethod = calledMethod;
postInitializeMethod = FindMethod(type, "System.Void", "PostInitialize", "()");
loadMethod = FindMethod(type, "System.IntPtr", "Load", "()");
cliSecureRtType = type;
FindStringDecrypters();
return(true);
}
}
return(false);
}
public void Find() {
var requiredFields = new string[] {
"System.Threading.ReaderWriterLock",
"System.Collections.Hashtable",
};
foreach (var type in module.GetTypes()) {
var fieldTypes = new FieldTypes(type);
if (!fieldTypes.All(requiredFields))
continue;
if (type.FindMethod("Finalize") == null)
continue;
var executeMethod = DotNetUtils.GetMethod(type, "System.Object", "(System.String,System.Object[])");
if (executeMethod == null || !executeMethod.IsStatic || executeMethod.Body == null)
continue;
var decrypterType = FindMethodsDecrypterType(type);
if (decrypterType == null)
continue;
resourceDecrypter.DecryptMethod = FindDecryptMethod(decrypterType);
methodsDecrypterCreator = type;
methodsDecrypter = decrypterType;
decryptExecuteMethod = executeMethod;
return;
}
}
public void Find()
{
var requiredFields = new string[] {
"System.Threading.ReaderWriterLock",
"System.Collections.Hashtable",
};
foreach (var type in module.GetTypes())
{
var fieldTypes = new FieldTypes(type);
if (!fieldTypes.All(requiredFields))
{
continue;
}
if (type.FindMethod("Finalize") == null)
{
continue;
}
var executeMethod = DotNetUtils.GetMethod(type, "System.Object", "(System.String,System.Object[])");
if (executeMethod == null || !executeMethod.IsStatic || executeMethod.Body == null)
{
continue;
}
var decrypterType = FindMethodsDecrypterType(type);
if (decrypterType == null)
{
continue;
}
resourceDecrypter.DecryptMethod = FindDecryptMethod(decrypterType);
methodsDecrypterCreator = type;
methodsDecrypter = decrypterType;
decryptExecuteMethod = executeMethod;
return;
}
}
List<TypeDef> FindVmHandlerTypes() {
var requiredFields = new string[] {
null,
"System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>",
"System.UInt16",
};
var cflowDeobfuscator = new CflowDeobfuscator();
foreach (var type in module.Types) {
var cctor = type.FindStaticConstructor();
if (cctor == null)
continue;
requiredFields[0] = type.FullName;
var fieldTypes = new FieldTypes(type);
if (!fieldTypes.All(requiredFields))
continue;
cflowDeobfuscator.Deobfuscate(cctor);
var handlers = FindVmHandlerTypes(cctor);
if (handlers.Count < NUM_HANDLERS)
continue;
return handlers;
}
return null;
}