/// <summary>
/// Reports whether <paramref name="method"/> contains the five-instruction IL window
/// <c>ldc.i4 4; mul; ldc.i4 4; ldloca / ldloca.s; call</c> in which the call target is
/// the <c>kernel32</c> P/Invoke <c>VirtualProtect</c>.
/// </summary>
/// <param name="method">Method to scan. A null method or a method without a body never matches.</param>
/// <returns><c>true</c> as soon as one matching window is found; otherwise <c>false</c>.</returns>
/// <remarks>
/// Only call operands that are a <c>MethodDef</c> are considered; any other operand is handed
/// to <c>DotNetUtils.IsPinvokeMethod</c> as null.
/// NOTE(review): the two constants look like an element size (n * 4) and the new page
/// protection argument of VirtualProtect. That is inferred from the call shape, confirm.
/// </remarks>
public static bool IsNewer45Decryption(MethodDef method)
{
    if (method == null || method.Body == null)
    {
        return false;
    }

    var code = method.Body.Instructions;

    // A candidate window spans positions pos .. pos + 4, so stop while pos + 4 is still in range.
    for (int pos = 0; pos + 4 < code.Count; pos++)
    {
        var firstConst = code[pos];
        bool firstIsFour = firstConst.IsLdcI4() && firstConst.GetLdcI4Value() == 4;
        if (!firstIsFour || code[pos + 1].OpCode.Code != Code.Mul)
        {
            continue;
        }

        var secondConst = code[pos + 2];
        bool secondIsFour = secondConst.IsLdcI4() && secondConst.GetLdcI4Value() == 4;
        if (!secondIsFour)
        {
            continue;
        }

        // Both the short and the long form of "load local address" are accepted.
        var addrLoad = code[pos + 3].OpCode.Code;
        if (addrLoad != Code.Ldloca_S && addrLoad != Code.Ldloca)
        {
            continue;
        }

        var target = code[pos + 4];
        if (target.OpCode.Code == Code.Call
            && DotNetUtils.IsPinvokeMethod(target.Operand as MethodDef, "kernel32", "VirtualProtect"))
        {
            return true;
        }
    }

    return false;
}
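/// <summary>
/// Tries to match a strong-name verification sequence starting in <paramref name="block"/>
/// and, on success, records the two matched instruction ranges in
/// <paramref name="tamperBlocks"/> (<c>first</c> and <c>second</c>) together with the
/// detected variant (<c>type</c>) and the resolved P/Invoke (<c>pinvokeMethod</c>).
/// </summary>
/// <param name="block">Candidate block; its last instruction must be a brfalse.</param>
/// <param name="tamperBlocks">Receives the match details. See the remarks for partial writes.</param>
/// <param name="allBlocks">Not read by this method.</param>
/// <param name="locals">Locals of the method, used to resolve stloc/ldloc operands.</param>
/// <returns><c>true</c> when the whole pattern matched; otherwise <c>false</c>.</returns>
/// <remarks>
/// <c>tamperBlocks</c> can be left partially written when <c>false</c> is returned:
/// <c>type</c>, <c>pinvokeMethod</c> and <c>first</c> are assigned before the remaining
/// checks run, so its fields are meaningful only after a <c>true</c> result.
/// The instructions being matched come from the assembly under analysis, so every index
/// and fall-through is checked before use. A sequence that matches only partly, or is
/// truncated, yields <c>false</c> instead of an out-of-range or null-reference fault.
/// The ldstr operand is not inspected; any string passed to EndsWith is accepted.
/// </remarks>
bool FindFirstBlocks(Block block, TamperBlocks tamperBlocks, IList<Block> allBlocks, IList<Local> locals)
{
    if (!block.LastInstr.IsBrfalse())
    {
        return false;
    }

    /*
     * ldc.i4.0
     * stloc X
     * call GetExecutingAssembly()
     * stloc Y
     * ldloc Y
     * callvirt Location
     * ldc.i4.1
     * ldloca X
     * call StrongNameSignatureVerificationEx
     * pop / brfalse bad_code
     * ldloc X
     * brfalse bad_code
     * ldloc Y
     * callvirt FullName()
     * ldstr "......"
     * callvirt EndsWith(string)
     * brfalse bad_code / brtrue good_code
     */

    var instrs = block.Instructions;
    int end = instrs.Count - 1;
    Instr instr;
    IMethod method;

    tamperBlocks.type = Type.V1;

    int index = 0;
    int start = FindCallMethod(block, index, true, (calledMethod) => calledMethod.ToString() == "System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()");
    if (start < 0)
    {
        return false;
    }
    index = start + 1;

    // The call must be preceded by "ldc.i4 ; stloc X". With fewer than two earlier
    // instructions the pattern cannot match, and stepping back would index before 0.
    if (start < 2)
    {
        return false;
    }

    instr = instrs[--start];
    if (!instr.IsStloc())
    {
        return false;
    }
    var loc0 = Instr.GetLocalVar(locals, instr);

    instr = instrs[--start];
    if (!instr.IsLdcI4())
    {
        return false;
    }

    index = FindCallMethod(block, index, false, (calledMethod) => calledMethod.ToString() == "System.String System.Reflection.Assembly::get_Location()");
    if (index < 0)
    {
        return false;
    }
    index++;

    index = FindCallMethod(block, index, false, (calledMethod) =>
    {
        // Resolved through the enclosing type's module; kept on tamperBlocks for the caller.
        tamperBlocks.pinvokeMethod = DotNetUtils.GetMethod(module, calledMethod);
        return DotNetUtils.IsPinvokeMethod(tamperBlocks.pinvokeMethod, "mscorwks", "StrongNameSignatureVerificationEx");
    });
    if (index < 0)
    {
        return false;
    }
    index++;

    if (index >= instrs.Count)
    {
        return false;
    }

    if (!instrs[index].IsBrfalse())
    {
        // Variant V1: the call result is discarded and local X is tested in the same block.
        if (instrs[index].OpCode.Code != Code.Pop)
        {
            return false;
        }
        if (index + 2 >= instrs.Count)
        {
            return false;
        }

        instr = instrs[index + 1];
        if (!instr.IsLdloc() || Instr.GetLocalVar(locals, instr) != loc0)
        {
            return false;
        }
        if (!instrs[index + 2].IsBrfalse())
        {
            return false;
        }

        tamperBlocks.type = Type.V1;
        tamperBlocks.first = new BlockInfo
        {
            Block = block,
            Start = start,
            End = end,
        };
    }
    else
    {
        // Variant V2: the call result is branched on directly and the test of local X
        // sits at the start of the fall-through block.
        tamperBlocks.type = Type.V2;
        tamperBlocks.first = new BlockInfo
        {
            Block = block,
            Start = start,
            End = end,
        };

        block = block.FallThrough;
        if (block == null)
        {
            return false;
        }
        instrs = block.Instructions;
        if (instrs.Count < 2)
        {
            return false;
        }

        index = 0;
        instr = instrs[index];
        if (!instr.IsLdloc() || Instr.GetLocalVar(locals, instr) != loc0)
        {
            return false;
        }
        if (!instrs[index + 1].IsBrfalse())
        {
            return false;
        }
    }

    // Second part: ldloc Y ; callvirt get_FullName ; ldstr ; callvirt EndsWith ; brfalse/brtrue
    block = block.FallThrough;
    if (block == null)
    {
        return false;
    }
    instrs = block.Instructions;
    if (instrs.Count < 5)
    {
        return false;
    }

    start = end = 0;

    instr = instrs[end++];
    if (!instr.IsLdloc())
    {
        return false;
    }

    instr = instrs[end++];
    if (instr.OpCode != OpCodes.Callvirt)
    {
        return false;
    }
    method = instr.Operand as IMethod;
    if (method == null || method.ToString() != "System.String System.Reflection.Assembly::get_FullName()")
    {
        return false;
    }

    instr = instrs[end++];
    if (instr.OpCode != OpCodes.Ldstr)
    {
        return false;
    }

    instr = instrs[end++];
    if (instr.OpCode != OpCodes.Callvirt)
    {
        return false;
    }
    method = instr.Operand as IMethod;
    if (method == null || method.ToString() != "System.Boolean System.String::EndsWith(System.String)")
    {
        return false;
    }

    instr = instrs[end++];
    if (!instr.IsBrfalse() && !instr.IsBrtrue())
    {
        return false;
    }

    // end was advanced past the branch; step back so it is the inclusive index of the branch.
    end--;
    tamperBlocks.second = new BlockInfo
    {
        Block = block,
        Start = start,
        End = end,
    };

    return true;
}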