monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Detect Confuser 1.2 r54564 proxy methods creator

Browse Source
This commit is contained in:
de4dot 2012-08-10 21:12:07 +02:00
parent 35ddd30e08
commit 2a283b922b
1 changed files with 30 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs
View File

@ -42,6 +42,7 @@ namespace de4dot.code.deobfuscators.Confuser {
v10_r42919,
v10_r48717,
v11_r50378,
v12_r54564,
v14_r58564,
v14_r58857,
v17_r73740_normal,
@ -199,6 +200,7 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v10_r48717:
case ConfuserVersion.v11_r50378:
case ConfuserVersion.v12_r54564:
case ConfuserVersion.v14_r58564:
getCallInfo_v10_r48717(info, creatorInfo, out calledMethod, out callOpcode);
break;
@ -512,8 +514,13 @@ namespace de4dot.code.deobfuscators.Confuser {
theVersion = ConfuserVersion.v19_r76101_normal;
else if ((nativeMethod = findNativeMethod_v19_r76101(method)) != null)
theVersion = ConfuserVersion.v19_r76101_native;
else if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.callsMethod(method, "System.Int32 System.String::get_Length()"))
theVersion = ConfuserVersion.v11_r50378;
else {
if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.callsMethod(method, "System.Int32 System.String::get_Length()"))
theVersion = ConfuserVersion.v11_r50378;
int numCalls = countCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)");
if (numCalls == 2)
theVersion = ConfuserVersion.v12_r54564;
}
}
else if (is_v17_r73740(method)) {
if (DotNetUtils.callsMethod(method, "System.Boolean System.Type::get_IsArray()")) {
@ -544,6 +551,22 @@ namespace de4dot.code.deobfuscators.Confuser {
}
}
static int countCalls(MethodDefinition method, string methodFullName) {
int count = 0;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt && instr.OpCode.Code != Code.Newobj)
continue;
var calledMethod = instr.Operand as MethodReference;
if (calledMethod == null)
continue;
if (calledMethod.FullName != methodFullName)
continue;
count++;
}
return count;
}
static bool findMagic_v19_r76101(MethodDefinition method, out uint magic) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 7; i++) {
@ -980,6 +1003,11 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v11_r50378:
minRev = 50378;
maxRev = 54431;
return true;
case ConfuserVersion.v12_r54564:
minRev = 54564;
maxRev = 58446;
return true;