Update detection of CO types
parent
957a8ab8dd
commit
0a5973e541
|
@ -65,7 +65,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (!containsString(method, "debugger is activ") &&
|
||||
!containsString(method, "debugger is running") &&
|
||||
!containsString(method, "run under a debugger") &&
|
||||
!containsString(method, "Debugger detected"))
|
||||
!containsString(method, "run under debugger") &&
|
||||
!containsString(method, "Debugger detected") &&
|
||||
!containsString(method, "Debugger was detected"))
|
||||
continue;
|
||||
|
||||
antiDebuggerType = type;
|
||||
|
|
|
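Review bot: The anti-debugger type is recognised only through case-sensitive substrings of English message text, and the condition now chains half a dozen `containsString` calls in which near-duplicates such as "run under a debugger" and "run under debugger" are easy to mistype or overlook. Consider keeping the literals in one array, e.g. `static readonly string[] antiDebugMessages = { "debugger is activ", /* … */ };`, and testing them in a loop, with a comment recording which Crypto Obfuscator version emits each message. A protected build with customised or localised messages would presumably still hit the `continue` and be skipped, so a structural fallback check may be worth adding later. The enclosing loop starts and ends outside this hunk.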
@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
bool checkType(TypeDefinition type) {
|
||||
if (type.Methods.Count != 7)
|
||||
return false;
|
||||
if (type.Fields.Count != 1)
|
||||
if (type.Fields.Count < 1 || type.Fields.Count > 2)
|
||||
return false;
|
||||
if (!new FieldTypes(type).all(requiredTypes))
|
||||
return false;
|
||||
|
|
|
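Review bot: The relaxed bound `type.Fields.Count < 1 || type.Fields.Count > 2` in `checkType` is an unexplained magic range, and the same pattern recurs in the later hunks (`type.Fields.Count > 10` in `getProxyCreateMethod`, and `type.Methods.Count > 12` just before the `StrongNameSignatureVerificationEx` lookup). Each widening raises the chance that an unrelated type is taken for an obfuscator helper and then rewritten or removed, unless the checks that follow are strict; whether `new FieldTypes(type).all(requiredTypes)` rejects an extra field of an unexpected type is not visible here. I would add a comment beside each bound, such as `// CO <version placeholder>: helper type gained a second field`, so the limits can be re-derived when the next obfuscator release changes them. `checkType` continues past the end of this hunk.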
@ -110,7 +110,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
MethodDefinition getProxyCreateMethod(TypeDefinition type) {
|
||||
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
|
||||
return null;
|
||||
if (type.Fields.Count < 1 || type.Fields.Count > 8)
|
||||
if (type.Fields.Count < 1 || type.Fields.Count > 10)
|
||||
return null;
|
||||
|
||||
MethodDefinition createMethod = null;
|
||||
|
|
|
@ -304,8 +304,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
return method;
|
||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte,System.IO.Stream)"))
|
||||
return method;
|
||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.SByte,System.IO.Stream)"))
|
||||
return method;
|
||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte,System.IO.Stream,System.Int32)"))
|
||||
return method;
|
||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.SByte,System.IO.Stream,System.UInt32)"))
|
||||
return method;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
|
|
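Review bot: The accepted method signatures are asymmetric: the three-argument forms pair `System.Byte` with `System.Int32` and `System.SByte` with `System.UInt32`, so `(System.Byte,System.IO.Stream,System.UInt32)` and `(System.SByte,System.IO.Stream,System.Int32)` fall through to `return null`. If that mirrors what the observed Crypto Obfuscator builds emit, a short comment saying so would stop a later reader from "fixing" it; if not, the missing pairs should be added. Because the first match is returned, every additional accepted signature also makes it more likely that an unrelated method in the same type is picked, so the list would read better as one table of signatures checked in a loop. The function begins above this hunk.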
@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
|
||||
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||
return false;
|
||||
if (type.Methods.Count < 3 || type.Methods.Count > 10)
|
||||
if (type.Methods.Count < 3 || type.Methods.Count > 12)
|
||||
return false;
|
||||
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
|
||||
}
|
||||
|
|