List <TypeDef> FindVmHandlerTypes() { var requiredFields = new string[] { null, "System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>", "System.UInt16", }; var cflowDeobfuscator = new CflowDeobfuscator(); foreach (var type in module.Types) { var cctor = type.FindStaticConstructor(); if (cctor == null) { continue; } requiredFields[0] = type.FullName; var fieldTypes = new FieldTypes(type); if (!fieldTypes.All(requiredFields)) { continue; } cflowDeobfuscator.Deobfuscate(cctor); var handlers = FindVmHandlerTypes(cctor); return(handlers); } return(null); }
bool Find2() { foreach (var cctor in DeobUtils.GetInitCctors(module, 3)) { foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, cctor)) { var type = calledMethod.DeclaringType; if (type.IsPublic) { continue; } var fieldTypes = new FieldTypes(type); if (!fieldTypes.All(requiredFields1)) { continue; } if (!HasInitializeMethod(type, "_Initialize") && !HasInitializeMethod(type, "_Initialize64")) { continue; } initializeMethod = calledMethod; postInitializeMethod = FindMethod(type, "System.Void", "PostInitialize", "()"); loadMethod = FindMethod(type, "System.IntPtr", "Load", "()"); cliSecureRtType = type; FindStringDecrypters(); return(true); } } return(false); }
public void Find() { var requiredFields = new string[] { "System.Threading.ReaderWriterLock", "System.Collections.Hashtable", }; foreach (var type in module.GetTypes()) { var fieldTypes = new FieldTypes(type); if (!fieldTypes.All(requiredFields)) continue; if (type.FindMethod("Finalize") == null) continue; var executeMethod = DotNetUtils.GetMethod(type, "System.Object", "(System.String,System.Object[])"); if (executeMethod == null || !executeMethod.IsStatic || executeMethod.Body == null) continue; var decrypterType = FindMethodsDecrypterType(type); if (decrypterType == null) continue; resourceDecrypter.DecryptMethod = FindDecryptMethod(decrypterType); methodsDecrypterCreator = type; methodsDecrypter = decrypterType; decryptExecuteMethod = executeMethod; return; } }
public void Find() { var requiredFields = new string[] { "System.Threading.ReaderWriterLock", "System.Collections.Hashtable", }; foreach (var type in module.GetTypes()) { var fieldTypes = new FieldTypes(type); if (!fieldTypes.All(requiredFields)) { continue; } if (type.FindMethod("Finalize") == null) { continue; } var executeMethod = DotNetUtils.GetMethod(type, "System.Object", "(System.String,System.Object[])"); if (executeMethod == null || !executeMethod.IsStatic || executeMethod.Body == null) { continue; } var decrypterType = FindMethodsDecrypterType(type); if (decrypterType == null) { continue; } resourceDecrypter.DecryptMethod = FindDecryptMethod(decrypterType); methodsDecrypterCreator = type; methodsDecrypter = decrypterType; decryptExecuteMethod = executeMethod; return; } }
List<TypeDef> FindVmHandlerTypes() { var requiredFields = new string[] { null, "System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>", "System.UInt16", }; var cflowDeobfuscator = new CflowDeobfuscator(); foreach (var type in module.Types) { var cctor = type.FindStaticConstructor(); if (cctor == null) continue; requiredFields[0] = type.FullName; var fieldTypes = new FieldTypes(type); if (!fieldTypes.All(requiredFields)) continue; cflowDeobfuscator.Deobfuscate(cctor); var handlers = FindVmHandlerTypes(cctor); if (handlers.Count < NUM_HANDLERS) continue; return handlers; } return null; }