Support a (new?) version of CryptoObfuscator. Fixes #33
This commit is contained in:
parent
a405edf0fd
commit
27f382a017
|
@ -125,7 +125,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
}
|
||||
|
||||
MethodDefinition getProxyCreateMethod(TypeDefinition type) {
|
||||
if (type.Fields.Count != 1)
|
||||
if (type.Fields.Count != 1 && type.Fields.Count != 2)
|
||||
return null;
|
||||
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
|
||||
return null;
|
||||
|
|
|
@ -110,13 +110,16 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
var ldci4 = instructions[i - 1];
|
||||
if (!DotNetUtils.isLdcI4(ldci4))
|
||||
continue;
|
||||
int flagValue = DotNetUtils.getLdcI4Value(ldci4);
|
||||
if (!isFlag(flagValue))
|
||||
continue;
|
||||
var ldloc = instructions[i - 2];
|
||||
if (!DotNetUtils.isLdloc(ldloc))
|
||||
continue;
|
||||
var local = DotNetUtils.getLocalVar(method.Body.Variables, ldloc);
|
||||
if (local.VariableType.ToString() != "System.Byte")
|
||||
if (!local.VariableType.IsPrimitive)
|
||||
continue;
|
||||
constants.Add(DotNetUtils.getLdcI4Value(ldci4));
|
||||
constants.Add(flagValue);
|
||||
}
|
||||
|
||||
if (constants.Count == 2) {
|
||||
|
@ -128,6 +131,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
return false;
|
||||
}
|
||||
|
||||
static bool isFlag(int value) {
|
||||
for (uint tmp = (uint)value; tmp != 0; tmp >>= 1) {
|
||||
if ((tmp & 1) != 0)
|
||||
return tmp == 1;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
MethodDefinition getPublicKeyTokenMethod() {
|
||||
foreach (var method in resourceDecrypterType.Methods) {
|
||||
if (isPublicKeyTokenMethod(method))
|
||||
|
|
|
@ -61,7 +61,15 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
continue;
|
||||
if (type.Methods.Count < 3 || type.Methods.Count > 6)
|
||||
continue;
|
||||
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") == null)
|
||||
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
|
||||
}
|
||||
else if (DotNetUtils.getPInvokeMethod(type, "mscoree", "CLRCreateInstance") != null) {
|
||||
if (type.NestedTypes.Count != 3)
|
||||
continue;
|
||||
if (!type.NestedTypes[0].IsInterface || !type.NestedTypes[1].IsInterface || !type.NestedTypes[2].IsInterface)
|
||||
continue;
|
||||
}
|
||||
else
|
||||
continue;
|
||||
|
||||
tamperType = type;
|
||||
|
|
Loading…
Reference in New Issue
Block a user