/// <summary>
/// Walks every row of the image's method table and collects the methods whose
/// on-disk body header declares a code size of zero and for which
/// <c>decrypter.Decrypt</c> returns true.
/// </summary>
/// <param name="peImage">Image whose method table and method body headers are read.</param>
/// <param name="fileData">Raw file bytes; wrapped in the stream handed to the decrypter.</param>
/// <param name="methodsData">Wrapped in a stream that this method never reads from.</param>
/// <returns>The methods the decrypter accepted, in method-table order.</returns>
/// <remarks>
/// NOTE(review): mdRVA and the fat-header size nibble are taken straight from the
/// image being processed. No range check is visible in this method, so it relies on
/// RvaToOffset, the OffsetRead* helpers and the stream to reject out-of-range
/// offsets; confirm that they do before running this on untrusted samples.
/// </remarks>
DumpedMethods CreateDumpedMethods(MyPEImage peImage, byte[] fileData, byte[] methodsData)
{
    var result = new DumpedMethods();
    // Created exactly as before; nothing below reads from it.
    var methodsDataReader = MemoryImageStream.Create(methodsData);
    var fileDataReader = MemoryImageStream.Create(fileData);
    var methodTable = peImage.MetaData.TablesStream.MethodTable;

    for (uint rid = 1; rid <= methodTable.Rows; rid++)
    {
        var method = new DumpedMethod();
        peImage.ReadMethodTableRowTo(method, rid);

        // RVA 0 means the row has no body in the file.
        if (method.mdRVA == 0)
        {
            continue;
        }

        uint bodyOffset = peImage.RvaToOffset(method.mdRVA);
        byte headerByte = peImage.OffsetReadByte(bodyOffset);
        bool isTinyHeader = (headerByte & 3) == 2;
        uint codeOffset;

        if (!isTinyHeader)
        {
            // Fat header: the 32-bit code size sits at +4 and must be zero.
            if (peImage.OffsetReadUInt32(bodyOffset + 4) != 0)
            {
                continue; // not zero byte code size
            }

            method.mhFlags = peImage.OffsetReadUInt16(bodyOffset);
            method.mhMaxStack = peImage.OffsetReadUInt16(bodyOffset + 2);
            method.mhLocalVarSigTok = peImage.OffsetReadUInt32(bodyOffset + 8);

            // Top four bits of the flags word give the header length in 4-byte units.
            uint headerDwords = (uint)(method.mhFlags >> 12);
            codeOffset = bodyOffset + headerDwords * 4;
        }
        else
        {
            // Tiny header: the bits above the format tag hold the code size,
            // so only the bare tag value 2 means "zero bytes of code".
            if (headerByte != 2)
            {
                continue; // not zero byte code size
            }

            method.mhFlags = 2;
            method.mhMaxStack = 8;
            method.mhLocalVarSigTok = 0;
            codeOffset = bodyOffset + 1;
        }

        fileDataReader.Position = codeOffset;
        if (decrypter.Decrypt(fileDataReader, method))
        {
            result.Add(method);
        }
    }

    return result;
}
/// <summary>
/// Gathers six bytes from <c>peImage</c> at fixed distances from
/// <paramref name="baseOffset"/> and returns them in that order.
/// </summary>
/// <param name="baseOffset">File offset the six fixed distances are added to.</param>
/// <returns>A new six-element array holding the bytes read.</returns>
/// <remarks>
/// NOTE(review): no bounds check is done here; the furthest read is at
/// baseOffset + 0xA6, so this relies on OffsetReadByte to reject offsets
/// past the end of the image. Confirm against MyPEImage.
/// </remarks>
byte[] GetKeyData(uint baseOffset)
{
    // Distances of the key bytes from baseOffset, in output order.
    uint[] keyByteOffsets = { 5, 0xF, 0x58, 0x6D, 0x98, 0xA6 };

    var key = new byte[keyByteOffsets.Length];
    for (int i = 0; i < key.Length; i++)
    {
        key[i] = peImage.OffsetReadByte(baseOffset + keyByteOffsets[i]);
    }

    return key;
}
/// <summary>
/// Reads one byte from <c>peImage</c> at <c>methodInfosOffset</c> plus
/// <paramref name="offset"/>.
/// </summary>
/// <param name="offset">Distance from <c>methodInfosOffset</c>.</param>
/// <returns>The byte returned by <c>peImage.OffsetReadByte</c>.</returns>
byte ReadByte(uint offset)
{
    // No range check here; any validation is left to OffsetReadByte.
    var absoluteOffset = methodInfosOffset + offset;
    return peImage.OffsetReadByte(absoluteOffset);
}
/// <summary>
/// Returns the byte <c>peImage</c> holds at <c>methodInfosOffset</c> plus
/// <paramref name="offset"/>.
/// </summary>
/// <param name="offset">Distance from <c>methodInfosOffset</c>; not range-checked here.</param>
/// <returns>The byte returned by <c>peImage.OffsetReadByte</c>.</returns>
byte ReadByte(uint offset) => peImage.OffsetReadByte(methodInfosOffset + offset);
/// <summary>
/// Scans the method table of <paramref name="peImage"/> and returns the methods
/// whose stored body header reports zero code bytes and which
/// <c>decrypter.Decrypt</c> accepts.
/// </summary>
/// <param name="peImage">Source of the method table rows and body headers.</param>
/// <param name="fileData">Raw file bytes backing the stream passed to the decrypter.</param>
/// <param name="methodsData">Only wrapped in a stream; never read by this method.</param>
/// <returns>Accepted methods, in ascending row-id order.</returns>
/// <remarks>
/// NOTE(review): the body offset and the fat-header length both come from the image
/// under analysis, and nothing in this method range-checks them. Verify that
/// RvaToOffset, OffsetRead* and the stream fail safely on out-of-range values.
/// </remarks>
DumpedMethods CreateDumpedMethods(MyPEImage peImage, byte[] fileData, byte[] methodsData)
{
    const byte FormatMask = 3;
    const byte TinyFormat = 2;

    var collected = new DumpedMethods();
    // Kept for parity with the original; this stream is not consumed below.
    var methodsDataReader = MemoryImageStream.Create(methodsData);
    var fileDataReader = MemoryImageStream.Create(fileData);
    var table = peImage.MetaData.TablesStream.MethodTable;

    for (uint rid = 1; rid <= table.Rows; rid++)
    {
        var entry = new DumpedMethod();
        peImage.ReadMethodTableRowTo(entry, rid);
        if (entry.mdRVA == 0)
        {
            // No body stored in the file for this row.
            continue;
        }

        uint headerOffset = peImage.RvaToOffset(entry.mdRVA);
        byte first = peImage.OffsetReadByte(headerOffset);
        uint codeOffset;

        if ((first & FormatMask) != TinyFormat)
        {
            // Fat header layout as read below: flags at +0, max stack at +2,
            // code size at +4, local variable signature token at +8.
            if (peImage.OffsetReadUInt32(headerOffset + 4) != 0)
            {
                continue; // not zero byte code size
            }

            entry.mhFlags = peImage.OffsetReadUInt16(headerOffset);
            entry.mhMaxStack = peImage.OffsetReadUInt16(headerOffset + 2);
            entry.mhLocalVarSigTok = peImage.OffsetReadUInt32(headerOffset + 8);
            // Header length is the top nibble of the flags word, counted in dwords.
            codeOffset = headerOffset + (uint)(entry.mhFlags >> 12) * 4;
        }
        else if (first == TinyFormat)
        {
            // One-byte tiny header with a zero size field.
            entry.mhFlags = 2;
            entry.mhMaxStack = 8;
            entry.mhLocalVarSigTok = 0;
            codeOffset = headerOffset + 1;
        }
        else
        {
            continue; // not zero byte code size
        }

        fileDataReader.Position = codeOffset;
        if (!decrypter.Decrypt(fileDataReader, entry))
        {
            continue;
        }

        collected.Add(entry);
    }

    return collected;
}