diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
index 1f9cf645..1704aa20 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
@@ -65,7 +65,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 if (!containsString(method, "debugger is activ") &&
 !containsString(method, "debugger is running") &&
 !containsString(method, "run under a debugger") &&
- !containsString(method, "Debugger detected"))
+ !containsString(method, "run under debugger") &&
+ !containsString(method, "Debugger detected") &&
+ !containsString(method, "Debugger was detected"))
 continue;
 antiDebuggerType = type;
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
index 1fa6749b..2240e431 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
@@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 bool checkType(TypeDefinition type) {
 if (type.Methods.Count != 7)
 return false;
- if (type.Fields.Count != 1)
+ if (type.Fields.Count < 1 || type.Fields.Count > 2)
 return false;
 if (!new FieldTypes(type).all(requiredTypes))
 return false;
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs
index 9fb4f2cb..52288048 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs
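Review bot: The anti-debugger detection in AntiDebugger.cs is now a six-term `&&` chain of message fragments, so every new Crypto Obfuscator wording means editing the condition itself. Keeping the fragments in one array and looping over it would make the list easier to review and give each entry room for a comment naming the protector version that emits it. `containsString` is defined outside the hunk; if it compares case-sensitively (the list already mixes "debugger is activ" with "Debugger detected", which suggests it does), a differently cased variant of any message will be missed, so it is worth confirming which comparison is intended. The enclosing loop starts and ends outside the hunk.

```csharp
// class scope: one entry per message fragment seen in protected assemblies
static readonly string[] debuggerMessages = new string[] {
	"debugger is activ",
	"debugger is running",
	"run under a debugger",
	"run under debugger",
	"Debugger detected",
	"Debugger was detected",
};

// … unchanged: enclosing loop over the candidate methods …
bool hasMessage = false;
foreach (var message in debuggerMessages) {
	if (containsString(method, message)) {
		hasMessage = true;
		break;
	}
}
if (!hasMessage)
	continue;
// … unchanged: antiDebuggerType = type; …
```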
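Review bot: In ConstantsDecrypter.cs `checkType` now accepts one or two fields, but nothing visible in the hunk constrains what the second field may be. If `new FieldTypes(type).all(requiredTypes)` only requires that the required types are present (its definition is outside the hunk), any extra field passes and an unrelated seven-method type could be taken for the constants decrypter. The new bound is also a bare number with no record of which Crypto Obfuscator build needed it; a comment such as `// <version, to confirm> adds a second field of type <type>` above the check would document it. The same applies to the widened bounds in ProxyCallFixer.cs (`type.Fields.Count > 10`) and TamperDetection.cs (`type.Methods.Count > 12`), where naming the limits as constants with that comment would keep the heuristics auditable.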
@@ -110,7 +110,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 MethodDefinition getProxyCreateMethod(TypeDefinition type) {
 if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
 return null;
- if (type.Fields.Count < 1 || type.Fields.Count > 8)
+ if (type.Fields.Count < 1 || type.Fields.Count > 10)
 return null;
 MethodDefinition createMethod = null;
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
index 32bada9f..0e84de0d 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
@@ -304,8 +304,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 return method;
 if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte,System.IO.Stream)"))
 return method;
+ if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.SByte,System.IO.Stream)"))
+ return method;
 if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte,System.IO.Stream,System.Int32)"))
 return method;
+ if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.SByte,System.IO.Stream,System.UInt32)"))
+ return method;
 }
 return null;
 }
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs b/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs
index 67dde72a..e2512da4 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs
@@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
 return false;
- if (type.Methods.Count < 3 || type.Methods.Count > 10)
+ if (type.Methods.Count < 3 || type.Methods.Count > 12)
 return false;
 if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
 }
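Review bot: The signatures added in ResourceDecrypter.cs are not symmetric with the existing ones: the three-argument form is accepted as `(System.Byte,System.IO.Stream,System.Int32)` and as `(System.SByte,System.IO.Stream,System.UInt32)`, but not as `SByte` with `Int32` or `Byte` with `UInt32`. If that is exactly what was observed in protected assemblies, a comment above each new check such as `// Crypto Obfuscator <version, to confirm>: first parameter is SByte, third is UInt32` would stop a later reader from treating the gap as an oversight. If it was not deliberate, the unmatched combinations fall through to `return null` and the resource decrypter goes undetected. Whatever code outside this hunk supplies the first argument presumably has to handle a signed byte now as well, which cannot be checked from here; the method starts outside the hunk.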