Created
June 26, 2019 14:03
-
-
Save hackf5/d0f48571904ebadf600b8a1b88527f4c to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // interprets the bytes in buffer starting at start as an integer. | |
| static int ToInt32(this byte[] buffer, int start); | |
| // interprets the bytes in buffer starting at start as an ASCII string. | |
| static string ToAsciiString(this byte[] buffer, int start0); | |
| // code to find the address of the root domain function. | |
| const int nullPtr = 0; | |
| const int sizeOfPtr = sizeof(uint); | |
| var startIndex = moduleDump.ToInt32(0x3c); | |
| var exportDirectoryIndex = startIndex + 0x78; | |
| var exportDirectory = moduleDump.ToInt32(exportDirectoryIndex); | |
| var numberOfFunctions = moduleDump.ToInt32(exportDirectory + 0x14); | |
| var functionAddressArrayIndex = moduleDump.ToInt32(exportDirectory + 0x1c); | |
| var functionNameArrayIndex = moduleDump.ToInt32(exportDirectory + 0x20); | |
| var rootDomainFunctionAddress = nullPtr; | |
| for (var functionIndex = 0; | |
| functionIndex < (numberOfFunctions * sizeOfPtr); | |
| functionIndex += sizeOfPtr) | |
| { | |
| var functionNameIndex = moduleDump.ToInt32(functionNameArrayIndex + functionIndex); | |
| var functionName = moduleDump.ToAsciiString(functionNameIndex); | |
| if (functionName == "mono_get_root_domain") | |
| { | |
| rootDomainFunctionAddress = monoModule.BaseAddress.ToInt32() | |
| + moduleDump.ToInt32(functionAddressArrayIndex + functionIndex); | |
| break; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment