Detect CV version
parent
6ab0748bdd
commit
1076218a81
|
@ -17,6 +17,7 @@
|
||||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
using Mono.MyStuff;
|
using Mono.MyStuff;
|
||||||
|
@ -102,6 +103,31 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
methodsDecrypter.find();
|
methodsDecrypter.find();
|
||||||
stringDecrypter = new StringDecrypter(module);
|
stringDecrypter = new StringDecrypter(module);
|
||||||
stringDecrypter.find();
|
stringDecrypter.find();
|
||||||
|
var version = detectVersion();
|
||||||
|
if (!string.IsNullOrEmpty(version))
|
||||||
|
obfuscatorName = obfuscatorName + " " + version;
|
||||||
|
}
|
||||||
|
|
||||||
|
string detectVersion() {
|
||||||
|
switch (methodsDecrypter.Version) {
|
||||||
|
case MethodsDecrypter.TypeVersion.Unknown:
|
||||||
|
return null;
|
||||||
|
|
||||||
|
case MethodsDecrypter.TypeVersion.V3:
|
||||||
|
return "3.x";
|
||||||
|
|
||||||
|
case MethodsDecrypter.TypeVersion.V4_0:
|
||||||
|
return "4.0";
|
||||||
|
|
||||||
|
case MethodsDecrypter.TypeVersion.V4_1:
|
||||||
|
return "4.1";
|
||||||
|
|
||||||
|
case MethodsDecrypter.TypeVersion.V5:
|
||||||
|
return "5.x";
|
||||||
|
|
||||||
|
default:
|
||||||
|
throw new ApplicationException("Unknown version");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void findKillType() {
|
void findKillType() {
|
||||||
|
|
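Review bot: The `default:` branch of `detectVersion()` throws `ApplicationException("Unknown version")` for a value that is only used as a display label. A `TypeVersion` member added later without a matching `case` would then appear to abort detection on a sample the deobfuscator could otherwise process. Since the result is only appended to `obfuscatorName`, I would fall back to `return null;` there, or at least name the offending value: `throw new ApplicationException("Unknown version: " + methodsDecrypter.Version);`. The line `obfuscatorName = obfuscatorName + " " + version;` also appends each time the enclosing method runs; that method starts outside the hunk, so please confirm it runs once per module, otherwise the name accumulates version suffixes.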
|
@ -34,13 +34,18 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
List<int> rvas; // _stub and _executive
|
List<int> rvas; // _stub and _executive
|
||||||
IDecrypter decrypter;
|
IDecrypter decrypter;
|
||||||
|
|
||||||
enum TypeVersion {
|
public enum TypeVersion {
|
||||||
Unknown,
|
Unknown,
|
||||||
V3,
|
V3,
|
||||||
V4,
|
V4_0,
|
||||||
|
V4_1,
|
||||||
V5,
|
V5,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public TypeVersion Version {
|
||||||
|
get { return decrypter == null ? TypeVersion.Unknown : decrypter.TypeVersion; }
|
||||||
|
}
|
||||||
|
|
||||||
interface IDecrypter {
|
interface IDecrypter {
|
||||||
TypeVersion TypeVersion { get; }
|
TypeVersion TypeVersion { get; }
|
||||||
void initialize(byte[] methodsData);
|
void initialize(byte[] methodsData);
|
||||||
|
@ -210,8 +215,12 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
if (!DotNetUtils.isMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
|
if (!DotNetUtils.isMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (hasCodeString(initMethod, "E_FullTrust"))
|
if (hasCodeString(initMethod, "E_FullTrust")) {
|
||||||
decrypter = new Decrypter(TypeVersion.V4);
|
if (DotNetUtils.getPInvokeMethod(initMethod.DeclaringType, "user32", "CallWindowProcW") != null)
|
||||||
|
decrypter = new Decrypter(TypeVersion.V4_1);
|
||||||
|
else
|
||||||
|
decrypter = new Decrypter(TypeVersion.V4_0);
|
||||||
|
}
|
||||||
else if (hasCodeString(initMethod, "Full Trust Required"))
|
else if (hasCodeString(initMethod, "Full Trust Required"))
|
||||||
decrypter = new Decrypter(TypeVersion.V3);
|
decrypter = new Decrypter(TypeVersion.V3);
|
||||||
else if (initMethod.DeclaringType.HasNestedTypes && new FieldTypes(initMethod.DeclaringType).all(fieldTypesV5))
|
else if (initMethod.DeclaringType.HasNestedTypes && new FieldTypes(initMethod.DeclaringType).all(fieldTypesV5))
|
||||||
|
|
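Review bot: The 4.0/4.1 split inside the `E_FullTrust` branch rests on a single signal, whether `initMethod.DeclaringType` declares a `user32` `CallWindowProcW` P/Invoke, and nothing in the code records why. The input is a protected assembly that may have been modified, so the reported version is a best-effort guess; a comment above the inner `if`, such as `// 4.1 is told apart from 4.0 only by a user32!CallWindowProcW P/Invoke on this type (heuristic)`, would make that explicit for anyone relying on the label during triage. It is not visible here whether `Decrypter` changes behaviour on its `TypeVersion` argument; if it does, a wrong guess affects decryption and not just the name, and the comment should say so. The new `Version` property returns `TypeVersion.Unknown` until `decrypter` has been assigned, which deserves a one-line `/// <summary>`. The enclosing method starts and ends outside the hunk.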