From 1bd7632b2cd99c11fcca644c9f6ab289c4d30825 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Aug 2012 19:52:53 +0200
Subject: [PATCH] Detect Confuser 1.7 r75184 compressor

---
 de4dot.code/deobfuscators/Confuser/Unpacker.cs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/de4dot.code/deobfuscators/Confuser/Unpacker.cs b/de4dot.code/deobfuscators/Confuser/Unpacker.cs
index f3a592d7..a7182d36 100644
--- a/de4dot.code/deobfuscators/Confuser/Unpacker.cs
+++ b/de4dot.code/deobfuscators/Confuser/Unpacker.cs
@@ -82,6 +82,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 			v17_r73404,
 			v17_r73477,
 			v17_r75076,
+			v18_r75184,
 		}
 
 		public bool Detected {
@@ -149,8 +150,12 @@ namespace de4dot.code.deobfuscators.Confuser {
 						version = ConfuserVersion.v14_r58852;
 						break;
 					}
-					if (use7zip)
-						version = ConfuserVersion.v17_r75076;
+					if (use7zip) {
+						if (new LocalTypes(decyptMethod).exists("System.IO.MemoryStream"))
+							version = ConfuserVersion.v17_r75076;
+						else
+							version = ConfuserVersion.v18_r75184;
+					}
 					else if (isDecryptMethod_v17_r73404(decyptMethod))
 						version = ConfuserVersion.v17_r73404;
 					else
@@ -363,7 +368,6 @@ namespace de4dot.code.deobfuscators.Confuser {
 			"System.Byte[]",
 			"System.Int64",
 			"System.IO.BinaryReader",
-			"System.IO.MemoryStream",
 			"System.Security.Cryptography.CryptoStream",
 			"System.Security.Cryptography.RijndaelManaged",
 		};
@@ -432,6 +436,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 			case ConfuserVersion.v17_r73404: return decrypt_v17_r73404(data);
 			case ConfuserVersion.v17_r73477: return decrypt_v17_r73404(data);
 			case ConfuserVersion.v17_r75076: return decrypt_v17_r75076(data);
+			case ConfuserVersion.v18_r75184: return decrypt_v17_r75076(data);
 			default: throw new ApplicationException("Unknown version");
 			}
 		}