static uint ResolveEntryPoint(ModuleDefMD module)
{
Logger.Verbose("Resolving entry point of module encrypted...");
var instructions = module.EntryPoint.Body.Instructions;
for (var i = 0; i < instructions.Count; i++)
{
if (instructions[i].OpCode != OpCodes.Callvirt)
{
continue;
}
var operand = instructions[i].Operand.ToString();
if (!operand.Contains("System.Reflection.Module::ResolveSignature(System.Int32)"))
{
continue;
}
for (var ii = i; ii >= 0; ii--)
{
if (!instructions[ii].IsLdcI4())
{
continue;
}
var signatureToken = (uint)instructions[ii].GetLdcI4Value();
var signature = module.ReadBlob(signatureToken);
var entryPoint = (uint)(signature[0] | signature[1] << 8 | signature[2] << 16 | signature[3] << 24);
Logger.Verbose($"Entry point of module decrypted: {entryPoint}");
return(entryPoint);
}
}
Logger.Exception(new Exception("Error resolving entry point."));
return(0);
}
public static bool Run(ModuleDefMD module)
{
MethodDef GetFirstMetohd = module.EntryPoint;
uint[] val2 = arrayFinder();
if (val2 == null)
return false;
uint val3 = findLocal();
if (val3 == 0)
return false;
byte[] val = Decrypt(decryptMethod,val2, val3);
if (val == null)
return false;
int value = epStuff(module.EntryPoint);
if (value == 0)
return false;
byte[] epstuff = module.ReadBlob((uint)value);
if (epstuff == null)
return false;
epToken = ((int)epstuff[0] | (int)epstuff[1] << 8 | (int)epstuff[2] << 16 | (int)epstuff[3] << 24);
Program.module = ModuleDefMD.Load(val);
Program.module.EntryPoint = Program.module.ResolveToken(epToken) as MethodDef;
return true;
}
byte[] GetSigKey() => module.ReadBlob(key0d ^ installMethod.MDToken.ToUInt32());
