public bool IsDecryptor(MethodDef mDef) { if (!mDef.HasBody) { return(false); } if (mDef.ParamDefs.Count != 3 || !mDef.Body.HasVariables) { return(false); } if (mDef.Body.Variables.Count != 9 && mDef.Body.Variables.Count != 10) { return(false); } if (mDef.FindAllReferences().Count() != 1) { return(false); } if (mDef.FindAllReferences().ToList()[0].Item2 != RoutineVariables["antiTamper"]) { return(false); } return(true); }
private static void Main(string[] args) { if (args.Length == 0) { Console.WriteLine("No input file specified..."); } else { Configuration.AssemblyFilename = args[0]; ModuleDefMD module = ModuleDefMD.Load(Configuration.AssemblyFilename, (ModuleCreationOptions)null); TypeDef globalType = module.GlobalType; List <MethodDef> methodDefList = new List <MethodDef>(); foreach (MethodDef method in globalType.Methods.Where <MethodDef>((Func <MethodDef, bool>)(m => m.IsNative)).ToList <MethodDef>()) { MethodDef ilFromX86Method = X86MethodToILConverter.CreateILFromX86Method(new X86Method(method)); method.DeclaringType.Methods.Add(ilFromX86Method); methodDefList.Add(method); } foreach (MethodDef methodDef1 in methodDefList) { MethodDef replacedMethod = methodDef1; IEnumerable <Instruction> allReferences = replacedMethod.FindAllReferences(module); MethodDef methodDef2 = module.GlobalType.Methods.FirstOrDefault <MethodDef>((Func <MethodDef, bool>)(m => m.Name == (string)replacedMethod.Name + "_IL")); foreach (Instruction instruction in allReferences) { instruction.Operand = (object)methodDef2; } ++Program.x86Fixed; } foreach (MethodDef methodDef in methodDefList) { globalType.Methods.Remove(methodDef); } module.IsStrongNameSigned = false; module.Assembly.PublicKey = (PublicKey)null; NativeModuleWriterOptions options1 = new NativeModuleWriterOptions(module); options1.MetaDataOptions.Flags |= MetaDataFlags.PreserveAll; options1.MetaDataOptions.Flags |= MetaDataFlags.KeepOldMaxStack; options1.Cor20HeaderOptions.Flags = new ComImageFlags?(ComImageFlags.ILOnly | ComImageFlags._32BitRequired); module.NativeWrite((Stream)Program.mem, options1); Program.module = ModuleDefMD.Load((Stream)Program.mem); ModuleWriterOptions options2 = new ModuleWriterOptions((ModuleDef)Program.module); options1.MetaDataOptions.Flags |= MetaDataFlags.PreserveAll; options1.MetaDataOptions.Flags |= MetaDataFlags.KeepOldMaxStack; Program.module.Write(args[0].Replace(".exe", "-x86_mode_Fixed.exe"), options2); Console.WriteLine("Resolved : " + (object)Program.x86Fixed + " natives ints"); } }
public bool IsDecryptor(MethodDef mDef) { if (!mDef.HasBody) { return(false); } if (mDef.ParamDefs.Count != 3 || !mDef.Body.HasVariables) { return(false); } if (mDef.Body.Variables.Count != 9 && mDef.Body.Variables.Count != 10) { return(false); } var refs = mDef.FindAllReferences(); if (refs.Count() != 1) { return(false); } var flag = false; foreach (var instr in (RoutineVariables["cctor"] as MethodDef).Body.Instructions.Where(x => x.IsCall())) { if ((instr.Operand as MethodDef) == refs.ToList()[0].Item2) { flag = true; break; } } return(flag); // if (mDef.FindAllReferences().ToList()[0].Item2 != RoutineVariables["antiTamper"]) // return false; }
private static bool IsStringDecryptor(MethodDef mDef, bool all) { if (!mDef.HasBody) { return(false); } if (mDef.Parameters.Count == 0 || !mDef.Body.HasVariables) { return(false); } if (mDef.Parameters.Count != 2 || !(mDef.Body.Variables.Count != 15 || mDef.Body.Variables.Count != 16)) { return(false); } if (mDef.Body.Variables.FirstOrDefault(x => x.Type.TypeName.EndsWith("MethodBase")) == null) { return(false); } return(all || mDef.FindAllReferences().Any()); }
public bool IsDecryptor(MethodDef mDef) { if (!mDef.HasBody) return false; if (mDef.ParamDefs.Count != 3 || !mDef.Body.HasVariables) return false; if (mDef.Body.Variables.Count != 9 && mDef.Body.Variables.Count != 10) return false; var refs = mDef.FindAllReferences(); if (refs.Count() != 1) return false; var flag = false; foreach (var instr in (RoutineVariables["cctor"] as MethodDef).Body.Instructions.Where(x => x.IsCall())) { if ((instr.Operand as MethodDef) == refs.ToList()[0].Item2) { flag = true; break; } } return flag; // if (mDef.FindAllReferences().ToList()[0].Item2 != RoutineVariables["antiTamper"]) // return false; }