public static ISignature IdentifyHurpFuscator(AssemblyDefinition asmDef, out bool found)
{
foreach (var mDef in asmDef.FindMethods(m => m.HasBody))
{
if (mDef.Parameters.Count == 2 &&
mDef.Body.Variables.Count == 9 &&
mDef.ReturnType.ToString().ToLower().Contains("string") &&
mDef.Body.Instructions.GetOpCodeCount(OpCodes.Callvirt) == 7)
{
found = true;
return new Signatures.HurpFuscatorSignature1_0();
}
if(mDef.Parameters.Count == 1 &&
mDef.Body.Variables.Count == 7 &&
mDef.ReturnType.ToString().ToLower().Contains("string") &&
mDef.Body.Instructions.GetOpCodeCount(OpCodes.Callvirt) == 7 &&
mDef.Body.Instructions.GetOpCodeCount(OpCodes.Ldstr) == 2)
{
found = true;
return new Signatures.HurpFuscatorSignature1_1();
}
}
found = false;
return new Signatures.UnidentifiedSignature();
}
private static ISignature IdentifyCodeWall(AssemblyDefinition asmDef, out bool found)
{
found = false;
if (asmDef.FindMethods(
mDef =>
mDef.Body.Instructions.GetOpCodeCount(OpCodes.Xor) == 6 &&
mDef.Body.Instructions.GetOpCodeCount(OpCodes.Ldc_I4) == 3).Count >= 1)
{
found = true;
return new CodeWallSignature();
}
return new UnidentifiedSignature();
}
