monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Check both locations at the same time

Browse Source
This commit is contained in:
de4dot 2013-11-13 18:54:06 +01:00
parent db0001f481
commit 892fa4cd3d
1 changed files with 6 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
de4dot.mdecrypt/DynamicMethodsDecrypter.cs
View File

@ -595,13 +595,7 @@ namespace de4dot.mdecrypt {
[HandleProcessCorruptedStateExceptions, SecurityCritical] // Req'd on .NET 4.0
static unsafe IntPtr FindCMAddress(PEImage peImage, IntPtr baseAddr, IntPtr origValue) {
const int offset1_CLR2 = 0x78;
const int offset1_CLR4 = 0x74;
int offset1 = Environment.Version.Major == 2 ? offset1_CLR2 : offset1_CLR4;
const int offset2_CLR2 = 0x10;
const int offset2_CLR4 = 0x28;
int offset2 = Environment.Version.Major == 2 ? offset2_CLR2 : offset2_CLR4;
int offset = Environment.Version.Major == 2 ? 0x10 : 0x28;
foreach (var section in peImage.ImageSectionHeaders) {
const uint RW = 0x80000000 | 0x40000000;
@ -613,9 +607,10 @@ namespace de4dot.mdecrypt {
try {
byte* p2 = (byte*)*(IntPtr**)p;
if ((ulong)p2 >= 0x10000) {
p2 += offset1;
if (*(IntPtr*)p2 == origValue)
return new IntPtr(p2);
if (*(IntPtr*)(p2 + 0x74) == origValue)
return new IntPtr(p2 + 0x74);
if (*(IntPtr*)(p2 + 0x78) == origValue)
return new IntPtr(p2 + 0x78);
}
}
catch {
@ -623,7 +618,7 @@ namespace de4dot.mdecrypt {
try {
byte* p2 = (byte*)*(IntPtr**)p;
if ((ulong)p2 >= 0x10000) {
p2 += offset2;
p2 += offset;
if (*(IntPtr*)p2 == origValue)
return new IntPtr(p2);
}