Detect CV version

2012-02-07 15:05:27 +01:00 · 2012-02-07 15:05:27 +01:00 · 1076218a81
commit 1076218a81
parent 6ab0748bdd
2 changed files with 39 additions and 4 deletions
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@ -17,6 +17,7 @@
    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
 */

+using System;
 using System.Collections.Generic;
 using Mono.Cecil;
 using Mono.MyStuff;
@ -102,6 +103,31 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			methodsDecrypter.find();
 			stringDecrypter = new StringDecrypter(module);
 			stringDecrypter.find();
+			var version = detectVersion();
+			if (!string.IsNullOrEmpty(version))
+				obfuscatorName = obfuscatorName + " " + version;
+		}
+
+		string detectVersion() {
+			switch (methodsDecrypter.Version) {
+			case MethodsDecrypter.TypeVersion.Unknown:
+				return null;
+
+			case MethodsDecrypter.TypeVersion.V3:
+				return "3.x";
+
+			case MethodsDecrypter.TypeVersion.V4_0:
+				return "4.0";
+
+			case MethodsDecrypter.TypeVersion.V4_1:
+				return "4.1";
+
+			case MethodsDecrypter.TypeVersion.V5:
+				return "5.x";
+
+			default:
+				throw new ApplicationException("Unknown version");
+			}
 		}

 		void findKillType() {
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@ -34,13 +34,18 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		List<int> rvas;	// _stub and _executive
 		IDecrypter decrypter;

-		enum TypeVersion {
+		public enum TypeVersion {
 			Unknown,
 			V3,
-			V4,
+			V4_0,
+			V4_1,
 			V5,
 		}

+		public TypeVersion Version {
+			get { return decrypter == null ? TypeVersion.Unknown : decrypter.TypeVersion; }
+		}
+
 		interface IDecrypter {
 			TypeVersion TypeVersion { get; }
 			void initialize(byte[] methodsData);
@ -210,8 +215,12 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			if (!DotNetUtils.isMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
 				return false;

-			if (hasCodeString(initMethod, "E_FullTrust"))
-				decrypter = new Decrypter(TypeVersion.V4);
+			if (hasCodeString(initMethod, "E_FullTrust")) {
+				if (DotNetUtils.getPInvokeMethod(initMethod.DeclaringType, "user32", "CallWindowProcW") != null)
+					decrypter = new Decrypter(TypeVersion.V4_1);
+				else
+					decrypter = new Decrypter(TypeVersion.V4_0);
+			}
 			else if (hasCodeString(initMethod, "Full Trust Required"))
 				decrypter = new Decrypter(TypeVersion.V3);
 			else if (initMethod.DeclaringType.HasNestedTypes && new FieldTypes(initMethod.DeclaringType).all(fieldTypesV5))