 

how to find method in assembly file in hex?

I have a test assembly and I want to find a method in the file

[CompilerGenerated]
public bool get_CreateFlash()
{
    return this.cZBH;
}

I use a hex editor and a template to search

2B * 26 16 02 7B * * * * 0A 2B * 06 2A

where * is any byte because I do not see exact bytes in tools like ILSpy.

I have found 1500 matches; naturally, it is a getter. The difference is in 7B * * * *, like this

"2B 02 26 16 02 7B 1D 00 00 04 0A 2B 00 06 2A"
"2B 02 26 16 02 7B 1E 00 00 04 0A 2B 00 06 2A"
...
etc.

How can I find what I need?

ZedZip Avatar asked Jan 17 '23 05:01



1 Answer

If you use ILDasm (part of the .NET Framework SDK), it will show you the corresponding code bytes.

To show them, you need to select View -> Show Bytes before displaying the method. I put together a small example application to test this, and got the following:

Disassembly of a simple property getter in ILDASM with "Show Bytes" enabled

In order to use this data it's important to know that the bytes on the left of the "|" appear in-order in the .dll/.exe, and those on the right are encoded in little-endian. With this in mind, I searched the .exe for the following (note that I have highlighted the bytes that are in little-endian order):

00 02 7b 03 00 00 04 0a 2b 00 06 2a

In my (albeit small) test executable, this sequence of bytes occurred only once.

Note that in the screenshot above, it also indicates the method RVA (Relative Virtual Address). In order to convert this into a file location, you need to determine the layout of the executable file. There are a number of PE tools available, but I used dumpbin which comes with Visual Studio to view the PE headers (dumpbin /headers <your exe name>). The relevant data for this executable:

SECTION HEADER #1
   .text name
    1824 virtual size
    2000 virtual address (00402000 to 00403823)
    1A00 size of raw data
     200 file pointer to raw data (00000200 to 00001BFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

Here, the .text section's virtual address is indicated as 0x2000, and has a virtual size of 0x1824 bytes. Since the method has an RVA of 0x2464, it must reside within this section. The "file pointer to raw data" in the output from dumpbin indicates that the section containing our method begins at 0x200 in the executable file, so we can calculate the offset of the method in the executable file as:

(Method RVA - Section RVA) + File Location
= (0x2464 - 0x2000) + 0x200
= 0x664

Going to location 0x664 in the test executable file, the bytes we were looking for can indeed be seen there (they are not exactly at this location, but a few bytes after it, as there is a small method header before the IL bytes).

Iridium Avatar answered Jan 26 '23 00:01

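As an added example (not code from the question or the answer), the following Python script performs the two steps Iridium describes: it builds the exact byte pattern of a `return this.field;` getter from the field's metadata token, with the ldfld operand written little-endian, so the questioner's 1500 wildcard matches collapse to a single exact one, and it converts a method RVA to a file offset using the dumpbin section values quoted above. The sample image, the field tokens and the wildcard template are constructed for the demonstration, not taken from the original executable.

```python
import re
import struct

# Section table as dumpbin printed it in the answer:
# (name, virtual address, virtual size, file pointer to raw data)
SECTIONS = [(".text", 0x2000, 0x1824, 0x200)]


def rva_to_file_offset(rva, sections=SECTIONS):
    """(Method RVA - Section RVA) + file pointer to raw data, as worked in the answer."""
    for _name, vaddr, vsize, raw_ptr in sections:
        if vaddr <= rva < vaddr + vsize:
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def getter_pattern(field_token):
    """Exact IL of `return this.field;` from the answer's screenshot, with the 4-byte
    ldfld operand little-endian: ldarg.0 (02), ldfld (7B + token), stloc.0 (0A),
    br.s 0 (2B 00), ldloc.0 (06), ret (2A)."""
    return b"\x02\x7b" + struct.pack("<I", field_token) + b"\x0a\x2b\x00\x06\x2a"


def wildcard_regex(template):
    """Hex-editor style template such as '02 7B * * * * 0A 2B * 06 2A'; '*' = any byte."""
    parts = [b"." if tok == "*" else b"\\x%02x" % int(tok, 16) for tok in template.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0A


def find_all(data, needle):
    """File offsets of every match; needle is exact bytes or a compiled regex."""
    if isinstance(needle, bytes):
        needle = re.compile(b"".join(b"\\x%02x" % b for b in needle), re.DOTALL)
    return [m.start() for m in needle.finditer(data)]


def build_sample_image():
    """Constructed stand-in for the test .exe (not a real PE): 0x200 bytes of headers,
    then .text raw data holding three getters, each behind a tiny method header."""
    text = bytearray(0x1A00)
    for sec_off, token in ((0x100, 0x0400001D), (0x300, 0x0400001E), (0x464, 0x04000003)):
        il = b"\x00" + getter_pattern(token)       # nop + body: 12 bytes of IL
        text[sec_off] = (len(il) << 2) | 0x02      # tiny header: (code size << 2) | 2
        text[sec_off + 1:sec_off + 1 + len(il)] = il
    return bytes(0x200) + bytes(text)


def locate_getter(data, method_rva, field_token):
    """Jump to the RVA's file offset, then find the exact getter for the field token
    just past the method header; returns (method file offset, offset of IL match)."""
    start = rva_to_file_offset(method_rva)
    hits = [h for h in find_all(data, getter_pattern(field_token)) if start <= h < start + 8]
    return start, (hits[0] if hits else None)
```

With a real assembly, read the file with `open(path, "rb").read()` and fill `SECTIONS` from your own dumpbin output; the field token comes from ILDasm or ILSpy's metadata view.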