From 17495e986f288bc35ee8331ac146b92511ea47f2 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Tue, 31 Jul 2012 15:03:18 +0200
Subject: [PATCH] Support Confuser 1.4 r58004 methods encrypter
---
.../Confuser/MemoryMethodsDecrypter.cs | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/de4dot.code/deobfuscators/Confuser/MemoryMethodsDecrypter.cs b/de4dot.code/deobfuscators/Confuser/MemoryMethodsDecrypter.cs
index ebf924b1..b6d05f69 100644
--- a/de4dot.code/deobfuscators/Confuser/MemoryMethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/Confuser/MemoryMethodsDecrypter.cs
@@ -32,6 +32,7 @@ namespace de4dot.code.deobfuscators.Confuser { enum ConfuserVersion { Unknown, v14_r57884, + v14_r58004, vXX, }
@@ -58,6 +59,8 @@ namespace de4dot.code.deobfuscators.Confuser { if (!DotNetUtils.hasString(initMethod, "Module error")) version = ConfuserVersion.v14_r57884; + else if (DotNetUtils.callsMethod(initMethod, "System.Void System.IO.FileStream::.ctor(System.String,System.IO.FileMode,System.IO.FileAccess,System.IO.FileShare)")) + version = ConfuserVersion.v14_r58004; else version = ConfuserVersion.vXX;
@@ -70,6 +73,7 @@ namespace de4dot.code.deobfuscators.Confuser { switch (version) { case ConfuserVersion.v14_r57884: + case ConfuserVersion.v14_r58004: break; case ConfuserVersion.vXX:
@@ -181,6 +185,7 @@ namespace de4dot.code.deobfuscators.Confuser { switch (version) { case ConfuserVersion.v14_r57884: return decrypt_v14_r57884(peImage, fileData, ref dumpedMethods); + case ConfuserVersion.v14_r58004: return decrypt_v14_r58004(peImage, fileData, ref dumpedMethods); case ConfuserVersion.vXX: return decrypt_vXX(peImage, fileData, ref dumpedMethods); default: throw new ApplicationException("Unknown version"); }
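Review bot: The new `else if` in the version-detection chain (hunk -58,6 +59,8) has no comment saying why a call to the four-argument FileStream constructor identifies r58004, and the result depends on the branch sitting between the "Module error" test and the vXX fallback. A one-line comment such as `// r58004: init method contains "Module error" and calls FileStream::.ctor; otherwise fall back to vXX` would record that ordering for whoever adds the next version. If the same signature string is compared elsewhere in the file, which is not visible here, a named constant would avoid a silent typo mismatch. The enclosing method starts and ends outside the hunk.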
@@ -226,6 +231,27 @@ namespace de4dot.code.deobfuscators.Confuser { return decrypted; } + bool decrypt_v14_r58004(PeImage peImage, byte[] fileData, ref DumpedMethods dumpedMethods) { + methodsData = decryptMethodsData_v14_r57884(peImage); + + var reader = new BinaryReader(new MemoryStream(methodsData)); + reader.ReadInt16(); // sig + var writer = new BinaryWriter(new MemoryStream(fileData)); + int numInfos = reader.ReadInt32(); + for (int i = 0; i < numInfos; i++) { + uint offs = reader.ReadUInt32(); + if (offs == 0) + continue; + uint rva = reader.ReadUInt32(); + if (peImage.rvaToOffset(rva) != offs) + throw new ApplicationException("Invalid offs & rva"); + writer.BaseStream.Position = peImage.rvaToOffset(rva); + writer.Write(reader.ReadBytes(reader.ReadInt32())); + } + + return true; + } + bool decrypt_vXX(PeImage peImage, byte[] fileData, ref DumpedMethods dumpedMethods) { if (peImage.OptionalHeader.checkSum == 0) return false;
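Review bot: In the loop of decrypt_v14_r58004 the length passed to `reader.ReadBytes(reader.ReadInt32())` comes straight from the decrypted blob and is never checked, although that blob is derived from the file being deobfuscated and should be treated as untrusted. A negative or oversized value surfaces as an ArgumentOutOfRangeException or NotSupportedException from the stream classes rather than the ApplicationException this method uses for the rva/offs mismatch, and a truncated blob is written partially without any error because ReadBytes returns a short array at end of stream. I would read the length into a local, reject it when it is negative or when `offs` plus the length runs past `fileData.Length`, and compare the returned array length with the requested one before writing; `offs` can then be reused for the stream position instead of a second rvaToOffset call. The two bytes skipped by `reader.ReadInt16(); // sig` could also be compared with the expected signature if that value is known.

```csharp
for (int i = 0; i < numInfos; i++) {
	// … unchanged: offs/rva reads and the rvaToOffset consistency check …
	int size = reader.ReadInt32();
	if (size < 0 || offs > fileData.Length || size > fileData.Length - offs)
		throw new ApplicationException("Invalid method data size");
	var data = reader.ReadBytes(size);
	if (data.Length != size)
		throw new ApplicationException("Methods data is truncated");
	writer.BaseStream.Position = offs;
	writer.Write(data);
}
```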