Check both locations at the same time
This commit is contained in:
parent
db0001f481
commit
892fa4cd3d
|
@ -595,13 +595,7 @@ namespace de4dot.mdecrypt {
|
||||||
|
|
||||||
[HandleProcessCorruptedStateExceptions, SecurityCritical] // Req'd on .NET 4.0
|
[HandleProcessCorruptedStateExceptions, SecurityCritical] // Req'd on .NET 4.0
|
||||||
static unsafe IntPtr FindCMAddress(PEImage peImage, IntPtr baseAddr, IntPtr origValue) {
|
static unsafe IntPtr FindCMAddress(PEImage peImage, IntPtr baseAddr, IntPtr origValue) {
|
||||||
const int offset1_CLR2 = 0x78;
|
int offset = Environment.Version.Major == 2 ? 0x10 : 0x28;
|
||||||
const int offset1_CLR4 = 0x74;
|
|
||||||
int offset1 = Environment.Version.Major == 2 ? offset1_CLR2 : offset1_CLR4;
|
|
||||||
|
|
||||||
const int offset2_CLR2 = 0x10;
|
|
||||||
const int offset2_CLR4 = 0x28;
|
|
||||||
int offset2 = Environment.Version.Major == 2 ? offset2_CLR2 : offset2_CLR4;
|
|
||||||
|
|
||||||
foreach (var section in peImage.ImageSectionHeaders) {
|
foreach (var section in peImage.ImageSectionHeaders) {
|
||||||
const uint RW = 0x80000000 | 0x40000000;
|
const uint RW = 0x80000000 | 0x40000000;
|
||||||
|
@ -613,9 +607,10 @@ namespace de4dot.mdecrypt {
|
||||||
try {
|
try {
|
||||||
byte* p2 = (byte*)*(IntPtr**)p;
|
byte* p2 = (byte*)*(IntPtr**)p;
|
||||||
if ((ulong)p2 >= 0x10000) {
|
if ((ulong)p2 >= 0x10000) {
|
||||||
p2 += offset1;
|
if (*(IntPtr*)(p2 + 0x74) == origValue)
|
||||||
if (*(IntPtr*)p2 == origValue)
|
return new IntPtr(p2 + 0x74);
|
||||||
return new IntPtr(p2);
|
if (*(IntPtr*)(p2 + 0x78) == origValue)
|
||||||
|
return new IntPtr(p2 + 0x78);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
catch {
|
catch {
|
||||||
|
@ -623,7 +618,7 @@ namespace de4dot.mdecrypt {
|
||||||
try {
|
try {
|
||||||
byte* p2 = (byte*)*(IntPtr**)p;
|
byte* p2 = (byte*)*(IntPtr**)p;
|
||||||
if ((ulong)p2 >= 0x10000) {
|
if ((ulong)p2 >= 0x10000) {
|
||||||
p2 += offset2;
|
p2 += offset;
|
||||||
if (*(IntPtr*)p2 == origValue)
|
if (*(IntPtr*)p2 == origValue)
|
||||||
return new IntPtr(p2);
|
return new IntPtr(p2);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user