private void ReadMutatedKeys(MethodDef mDef, out string resName)
{
resName = mDef.Body.Instructions.GetOperandAt <string>(x => x.OpCode.Code == Code.Ldstr, 0);
var key1 = mDef.Body.Instructions.FindInstruction(x => x.OpCode.Code == Code.Conv_U1, 0).Previous(mDef.Body).GetLdcI4Value();
var key2 = mDef.Body.Instructions.FindInstruction(x => x.OpCode.Code == Code.Stelem_I1, 0).Next(mDef.Body).Next(mDef.Body).GetLdcI4Value();
DemutatedKeys.Add("res", new DemutatedKeys
{
DemutatedInts = new[] { key1, key2 }
});
}
private void ReadKeys(CilBody atBody, CilBody decBody)
{
var antiTamperKeys = new DemutatedKeys();
var decryptorKeys = new DemutatedKeys();
var key0L =
(long)atBody.Instructions.FindInstruction(
x => x.IsCall() && x.Operand.ToString().Contains("ReadUInt64()"), 0).Next(atBody).Operand;
var key0I =
atBody.Instructions.FindInstruction(
x => x.IsCall() && x.Operand.ToString().Contains("ReadInt32()"), 2).Next(atBody).GetLdcI4Value();
var key1I =
atBody.Instructions.FindInstruction(
x => x.IsCall() && x.Operand.ToString().Contains("ReadInt32()"), 3).Next(atBody).GetLdcI4Value();
var key2I =
atBody.Instructions.FindInstruction(
x => x.IsCall() && x.Operand.ToString().Contains("ReadUInt32()"), 10).Next(atBody).GetLdcI4Value();
var key3I =
atBody.Instructions.FindInstruction(
x => x.IsCall() && x.Operand.ToString().Contains("ReadUInt32()"), 11).Next(atBody).GetLdcI4Value();
var decKey0I =
decBody.Instructions.FindInstruction(
x => x.OpCode.Code == Code.Ldelem_U1, 0).Next(decBody).GetLdcI4Value();
antiTamperKeys.DemutatedInts = new[]
{
key0I, // IV
key1I // dats
};
antiTamperKeys.DemutatedUInts = new[]
{
key2I.GetUInt(), // pos
key3I.GetUInt() // RVA
};
antiTamperKeys.DemutatedULongs = new[]
{
key0L.GetULong() // checksum
};
decryptorKeys.DemutatedInts = new[]
{
decKey0I,
};
//antiTamperKeys.DemutatedInts = new[]
// {
// atBody.Instructions.GetOperandAt<int>(x =>x.IsLdcI4(), 42), // IV
// atBody.Instructions.GetOperandAt<int>(x => x.IsLdcI4(), 43), // dats
// atBody.Instructions.GetOperandAt<int>(x => x.IsLdcI4(), 56), // pos
// atBody.Instructions.GetOperandAt<int>(x => x.IsLdcI4(), 57), // RVA
// };
//antiTamperKeys.DemutatedLongs = new[]
// {
// atBody.Instructions.GetOperandAt<long>(x =>x.OpCode.Code == Code.Ldc_I8, 0) // Checksum
// };
//decryptorKeys.DemutatedInts = new[]
// {
// decBody.Instructions.GetOperandAt<int>(x => x.IsLdcI4(), 7) // Decryption key
// };
DemutatedKeys.Add("antitamper", antiTamperKeys);
DemutatedKeys.Add("decryptor", decryptorKeys);
}