예제 #1
        /// <summary>
        /// Tests whether <paramref name="method"/> has the shape this detector expects of a
        /// resolver initialiser and, on a match, records it in the instance fields.
        /// </summary>
        /// <param name="method">Candidate method from the analysed module; may be null.</param>
        /// <returns>
        /// <c>true</c> when every structural check passes and <c>initMethod</c>,
        /// <c>resolverType</c> and <c>handlerMethod</c> have been assigned; otherwise <c>false</c>
        /// with those fields left untouched.
        /// </returns>
        /// <remarks>
        /// NOTE(review): every test here is a structural heuristic (signature, nested-type count,
        /// presence of a field type). A match identifies a pattern, not a verified origin, so
        /// callers should treat the result as a hint when triaging an unknown assembly.
        /// </remarks>
        bool CheckInitMethod(MethodDef method)
        {
            // Candidate must be a static method with a body and the signature "void ()".
            bool hasInitShape = method != null
                                && method.IsStatic
                                && method.Body != null
                                && DotNetUtils.IsMethod(method, "System.Void", "()");
            if (!hasInitShape)
            {
                return false;
            }

            var declaringType = method.DeclaringType;

            // The declaring type must own exactly one nested type and a field typed
            // System.Reflection.Assembly.
            if (declaringType.NestedTypes.Count != 1
                || DotNetUtils.GetField(declaringType, "System.Reflection.Assembly") == null)
            {
                return false;
            }

            // GetResolveMethod is defined elsewhere; presumably it returns the resolve-event
            // handler that the candidate registers -- confirm against DeobUtils.
            var resolver = DeobUtils.GetResolveMethod(method);
            if (resolver == null)
            {
                return false;
            }

            // State is committed only after all checks succeed.
            initMethod = method;
            resolverType = declaringType;
            handlerMethod = resolver;
            return true;
        }
예제 #2
        /// <summary>
        /// Tests whether <paramref name="method"/> belongs to a type matching this detector's
        /// resolver pattern and, on a match, records it in the instance fields.
        /// </summary>
        /// <param name="method">
        /// Candidate method from the analysed module. It is dereferenced without a null check,
        /// so the caller must pass a non-null value.
        /// </param>
        /// <returns>
        /// <c>true</c> when every check passes and <c>initMethod</c>, <c>resolverType</c> and
        /// <c>handlerMethod</c> have been assigned; otherwise <c>false</c> with those fields
        /// left untouched.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the nested-type range, the P/Invoke name and the two constants are
        /// pattern signals only; a match should be treated as a hint, not as proof of origin.
        /// </remarks>
        bool CheckInitMethod(MethodDef method)
        {
            var declaringType = method.DeclaringType;

            // The declaring type must own between 2 and 6 nested types (inclusive).
            var nestedCount = declaringType.NestedTypes.Count;
            bool nestedCountInRange = nestedCount >= 2 && nestedCount <= 6;
            if (!nestedCountInRange)
            {
                return false;
            }

            // The type must declare a P/Invoke for MoveFileEx in kernel32.
            if (DotNetUtils.GetPInvokeMethod(declaringType, "kernel32", "MoveFileEx") == null)
            {
                return false;
            }

            // GetResolveMethod is defined elsewhere; presumably it returns the resolve-event
            // handler that the candidate registers -- confirm against DeobUtils.
            var resolver = DeobUtils.GetResolveMethod(method);
            if (resolver == null)
            {
                return false;
            }

            // The handler must reference both ',' and '|'. The char literals are passed as
            // given; presumably HasInteger takes an integer and sees 44 and 124 -- confirm.
            bool hasBothConstants = DeobUtils.HasInteger(resolver, ',')
                                    && DeobUtils.HasInteger(resolver, '|');
            if (!hasBothConstants)
            {
                return false;
            }

            // State is committed only after all checks succeed.
            initMethod = method;
            resolverType = declaringType;
            handlerMethod = resolver;
            return true;
        }
예제 #3
        /// <summary>
        /// Scans the methods called by <paramref name="checkMethod"/> for one that matches this
        /// detector's initialiser pattern, collects the numbered embedded resources it refers
        /// to, and records the match in <c>initMethod</c>.
        /// </summary>
        /// <param name="checkMethod">Method whose callees are examined.</param>
        /// <param name="simpleDeobfuscator">Used to decrypt strings in the candidate handler.</param>
        /// <param name="deob">Passed through to <c>DecryptStrings</c>.</param>
        /// <returns>
        /// <c>true</c> for the first callee that passes every check; <c>false</c> when none does.
        /// </returns>
        /// <remarks>
        /// Side effects to be aware of: <c>DecryptStrings</c> runs on a handler before the
        /// resource-prefix check, so it is also applied to handlers that are then rejected.
        /// A match is reported even when no numbered resource was found, in which case
        /// <c>resources</c> receives nothing from this call.
        /// </remarks>
        bool CheckInitMethod(MethodDef checkMethod, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            // The declaring type must have exactly these field types (checked by FieldTypes.Exactly).
            var expectedFieldTypes = new[]
            {
                "System.Collections.Hashtable",
                "System.Boolean",
            };

            foreach (var candidate in DotNetUtils.GetCalledMethods(module, checkMethod))
            {
                // Only static methods with a body and the signature "void ()" qualify.
                if (candidate.Body == null
                    || !candidate.IsStatic
                    || !DotNetUtils.IsMethod(candidate, "System.Void", "()"))
                {
                    continue;
                }

                var declaringType = candidate.DeclaringType;
                if (!new FieldTypes(declaringType).Exactly(expectedFieldTypes))
                {
                    continue;
                }

                // The resolve handler is looked up from the type's instance constructor,
                // not from the candidate itself.
                var constructor = declaringType.FindMethod(".ctor");
                if (constructor == null)
                {
                    continue;
                }

                var resolveHandler = DeobUtils.GetResolveMethod(constructor);
                if (resolveHandler == null)
                {
                    continue;
                }

                // Strings must be decrypted before the resource prefix can be read.
                simpleDeobfuscator.DecryptStrings(resolveHandler, deob);
                var prefix = GetResourcePrefix(resolveHandler);
                if (prefix == null)
                {
                    continue;
                }

                // Resources are named prefix + zero-padded 5-digit index, starting at 0.
                // Collection stops at the first name that is missing or is not an
                // EmbeddedResource.
                int index = 0;
                while (true)
                {
                    var embedded = DotNetUtils.GetResource(module, prefix + index.ToString("D5")) as EmbeddedResource;
                    if (embedded == null)
                    {
                        break;
                    }

                    resources.Add(embedded);
                    index++;
                }

                initMethod = candidate;
                return true;
            }

            return false;
        }
예제 #4
        /// <summary>
        /// Returns the resolve handler associated with <paramref name="method"/> when the method
        /// has the expected initialiser shape and the handler lives in the same declaring type.
        /// </summary>
        /// <param name="method">Candidate method from the analysed module; may be null.</param>
        /// <returns>
        /// The handler returned by <c>DeobUtils.GetResolveMethod</c>, or <c>null</c> when any
        /// check fails. No instance state is modified.
        /// </returns>
        MethodDef CheckInitMethod(MethodDef method)
        {
            // Candidate must be a static method with a body and the signature "void ()".
            bool hasInitShape = method != null
                                && method.IsStatic
                                && method.Body != null
                                && DotNetUtils.IsMethod(method, "System.Void", "()");
            if (!hasInitShape)
            {
                return null;
            }

            // GetResolveMethod is defined elsewhere; presumably it returns the resolve-event
            // handler that the candidate registers -- confirm against DeobUtils.
            var candidateHandler = DeobUtils.GetResolveMethod(method);

            // Reject handlers declared in a different type from the initialiser.
            bool rejected = candidateHandler == null
                            || candidateHandler.DeclaringType != method.DeclaringType;
            return rejected ? null : candidateHandler;
        }