Detect Confuser 1.2 r54564 proxy methods creator
This commit is contained in:
parent
35ddd30e08
commit
2a283b922b
|
@ -42,6 +42,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
v10_r42919,
|
||||
v10_r48717,
|
||||
v11_r50378,
|
||||
v12_r54564,
|
||||
v14_r58564,
|
||||
v14_r58857,
|
||||
v17_r73740_normal,
|
||||
|
@ -199,6 +200,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
|
||||
case ConfuserVersion.v10_r48717:
|
||||
case ConfuserVersion.v11_r50378:
|
||||
case ConfuserVersion.v12_r54564:
|
||||
case ConfuserVersion.v14_r58564:
|
||||
getCallInfo_v10_r48717(info, creatorInfo, out calledMethod, out callOpcode);
|
||||
break;
|
||||
|
@ -512,8 +514,13 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
theVersion = ConfuserVersion.v19_r76101_normal;
|
||||
else if ((nativeMethod = findNativeMethod_v19_r76101(method)) != null)
|
||||
theVersion = ConfuserVersion.v19_r76101_native;
|
||||
else if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.callsMethod(method, "System.Int32 System.String::get_Length()"))
|
||||
theVersion = ConfuserVersion.v11_r50378;
|
||||
else {
|
||||
if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.callsMethod(method, "System.Int32 System.String::get_Length()"))
|
||||
theVersion = ConfuserVersion.v11_r50378;
|
||||
int numCalls = countCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)");
|
||||
if (numCalls == 2)
|
||||
theVersion = ConfuserVersion.v12_r54564;
|
||||
}
|
||||
}
|
||||
else if (is_v17_r73740(method)) {
|
||||
if (DotNetUtils.callsMethod(method, "System.Boolean System.Type::get_IsArray()")) {
|
||||
|
@ -544,6 +551,22 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
}
|
||||
}
|
||||
|
||||
static int countCalls(MethodDefinition method, string methodFullName) {
|
||||
int count = 0;
|
||||
foreach (var instr in method.Body.Instructions) {
|
||||
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt && instr.OpCode.Code != Code.Newobj)
|
||||
continue;
|
||||
var calledMethod = instr.Operand as MethodReference;
|
||||
if (calledMethod == null)
|
||||
continue;
|
||||
if (calledMethod.FullName != methodFullName)
|
||||
continue;
|
||||
|
||||
count++;
|
||||
}
|
||||
return count;
|
||||
}
|
||||
|
||||
static bool findMagic_v19_r76101(MethodDefinition method, out uint magic) {
|
||||
var instrs = method.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 7; i++) {
|
||||
|
@ -980,6 +1003,11 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
|
||||
case ConfuserVersion.v11_r50378:
|
||||
minRev = 50378;
|
||||
maxRev = 54431;
|
||||
return true;
|
||||
|
||||
case ConfuserVersion.v12_r54564:
|
||||
minRev = 54564;
|
||||
maxRev = 58446;
|
||||
return true;
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user