Support Confuser 1.7 r73404 resource encrypter
parent
b5ef7a7b12
commit
13420b80eb
|
@ -38,6 +38,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
enum ConfuserVersion {
|
enum ConfuserVersion {
|
||||||
Unknown,
|
Unknown,
|
||||||
v14_r55802,
|
v14_r55802,
|
||||||
|
v17_r73404,
|
||||||
vXX,
|
vXX,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -82,9 +83,14 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
simpleDeobfuscator.deobfuscate(tmpHandler, true);
|
simpleDeobfuscator.deobfuscate(tmpHandler, true);
|
||||||
ConfuserVersion tmpVersion = ConfuserVersion.Unknown;
|
ConfuserVersion tmpVersion = ConfuserVersion.Unknown;
|
||||||
if (DotNetUtils.callsMethod(tmpHandler, "System.Object System.AppDomain::GetData(System.String)")) {
|
if (DotNetUtils.callsMethod(tmpHandler, "System.Object System.AppDomain::GetData(System.String)")) {
|
||||||
tmpVersion = ConfuserVersion.v14_r55802;
|
if (!DotNetUtils.callsMethod(tmpHandler, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)")) {
|
||||||
|
if (!findKey0Key1_v14_r55802(tmpHandler, out key0, out key1))
|
||||||
if (!findKey0Key1_v14_r55802(tmpHandler, out key0, out key1))
|
return false;
|
||||||
|
tmpVersion = ConfuserVersion.v14_r55802;
|
||||||
|
}
|
||||||
|
else if (findKey0_v17_r73404(tmpHandler, out key0) && findKey1_v17_r73404(tmpHandler, out key1))
|
||||||
|
tmpVersion = ConfuserVersion.v17_r73404;
|
||||||
|
else
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
@ -246,6 +252,51 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool findKey0_v17_r73404(MethodDefinition method, out byte key) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 3; i++) {
|
||||||
|
int index = ConfuserUtils.findCallMethod(instrs, i, Code.Callvirt, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)");
|
||||||
|
if (index < 0)
|
||||||
|
break;
|
||||||
|
if (index + 3 >= instrs.Count)
|
||||||
|
break;
|
||||||
|
|
||||||
|
if (!DotNetUtils.isStloc(instrs[index + 1]))
|
||||||
|
continue;
|
||||||
|
var ldci4 = instrs[index + 2];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isStloc(instrs[index + 3]))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
key = (byte)DotNetUtils.getLdcI4Value(ldci4);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
key = 0;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool findKey1_v17_r73404(MethodDefinition method, out byte key) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 3; i++) {
|
||||||
|
var ldci4_1 = instrs[i];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4_1))
|
||||||
|
continue;
|
||||||
|
if (instrs[i + 1].OpCode.Code != Code.Mul)
|
||||||
|
continue;
|
||||||
|
var ldci4_2 = instrs[i + 2];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4_2) || DotNetUtils.getLdcI4Value(ldci4_2) != 0x100)
|
||||||
|
continue;
|
||||||
|
if (instrs[i + 3].OpCode.Code != Code.Rem)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
key = (byte)DotNetUtils.getLdcI4Value(ldci4_1);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
key = 0;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
public EmbeddedResource mergeResources() {
|
public EmbeddedResource mergeResources() {
|
||||||
if (resource == null)
|
if (resource == null)
|
||||||
return null;
|
return null;
|
||||||
|
@ -258,6 +309,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
byte[] decryptResource() {
|
byte[] decryptResource() {
|
||||||
switch (version) {
|
switch (version) {
|
||||||
case ConfuserVersion.v14_r55802: return decrypt_v14_r55802();
|
case ConfuserVersion.v14_r55802: return decrypt_v14_r55802();
|
||||||
|
case ConfuserVersion.v17_r73404: return decrypt_v17_r73404();
|
||||||
case ConfuserVersion.vXX: return decrypt_vXX();
|
case ConfuserVersion.vXX: return decrypt_vXX();
|
||||||
default: throw new ApplicationException("Unknown version");
|
default: throw new ApplicationException("Unknown version");
|
||||||
}
|
}
|
||||||
|
@ -275,6 +327,17 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
return reader.ReadBytes(reader.ReadInt32());
|
return reader.ReadBytes(reader.ReadInt32());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
byte[] decrypt_v17_r73404() {
|
||||||
|
var reader = new BinaryReader(new MemoryStream(DeobUtils.inflate(resource.GetResourceData(), true)));
|
||||||
|
var decrypted = reader.ReadBytes(reader.ReadInt32());
|
||||||
|
byte k = key0;
|
||||||
|
for (int i = 0; i < decrypted.Length; i++) {
|
||||||
|
decrypted[i] ^= k;
|
||||||
|
k *= key1;
|
||||||
|
}
|
||||||
|
return decrypted;
|
||||||
|
}
|
||||||
|
|
||||||
byte[] decrypt_vXX() {
|
byte[] decrypt_vXX() {
|
||||||
var encrypted = resource.GetResourceData();
|
var encrypted = resource.GetResourceData();
|
||||||
byte k = key0;
|
byte k = key0;
|
||||||
|
|
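Review bot: In `decrypt_v17_r73404` the count given to `reader.ReadBytes(reader.ReadInt32())` is read from the inflated resource of the assembly being deobfuscated and is used unchecked, so a malformed or deliberately crafted sample controls it. A negative value throws ArgumentOutOfRangeException, a large positive one can make ReadBytes allocate a buffer of that size before the short stream is noticed, and a count that merely exceeds the remaining data returns a truncated array that is then XOR-decoded as if it were complete. I would read the length first and reject bad values: `int len = reader.ReadInt32();` followed by `if (len < 0 || len > reader.BaseStream.Length - reader.BaseStream.Position) throw new ApplicationException("Invalid resource length");`. The same unchecked call appears in the context line just above this function, which this commit does not touch, and the BinaryReader here could be wrapped in `using`.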