Detect Confuser 1.8 r75257 methods encrypter
This commit is contained in:
de4dot
parent
3b6e56f3e4
commit
2f19f876f7
|
|
@ -42,6 +42,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
v17_r73477,
|
||||
v17_r73479,
|
||||
v17_r74021,
|
||||
v18_r75257,
|
||||
v18_r75402,
|
||||
}
|
||||
|
||||
|
|
@ -90,7 +91,13 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
}
|
||||
break;
|
||||
|
||||
case 39: theVersion = ConfuserVersion.v17_r74021; break;
|
||||
case 39:
|
||||
if (!DotNetUtils.callsMethod(initMethod, "System.Void System.Console::WriteLine(System.Char)"))
|
||||
theVersion = ConfuserVersion.v17_r74021;
|
||||
else
|
||||
theVersion = ConfuserVersion.v18_r75257;
|
||||
break;
|
||||
|
||||
case 27: theVersion = ConfuserVersion.v18_r75402; break;
|
||||
default: return false;
|
||||
}
|
||||
|
|
@ -181,6 +188,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
case ConfuserVersion.v17_r73477: return initializeKeys_v17_r73404();
|
||||
case ConfuserVersion.v17_r73479: return initializeKeys_v17_r73404();
|
||||
case ConfuserVersion.v17_r74021: return initializeKeys_v17_r73404();
|
||||
case ConfuserVersion.v18_r75257: return initializeKeys_v17_r73404();
|
||||
case ConfuserVersion.v18_r75402: return initializeKeys_v18_r75402();
|
||||
default: throw new ApplicationException("Invalid version");
|
||||
}
|
||||
|
|
@ -284,6 +292,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
case ConfuserVersion.v17_r73477: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||
case ConfuserVersion.v17_r73479: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||
case ConfuserVersion.v17_r74021: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||
case ConfuserVersion.v18_r75257: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||
case ConfuserVersion.v18_r75402: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||
default: throw new ApplicationException("Invalid version");
|
||||
}
|
||||
|
|
@ -426,6 +435,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
case ConfuserVersion.v17_r73477: return decrypt_v17_r73477(peImage, fileData, ref dumpedMethods);
|
||||
case ConfuserVersion.v17_r73479: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
|
||||
case ConfuserVersion.v17_r74021: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
|
||||
case ConfuserVersion.v18_r75257: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
|
||||
case ConfuserVersion.v18_r75402: return decrypt_v18_r75402(peImage, fileData, ref dumpedMethods);
|
||||
default: throw new ApplicationException("Unknown version");
|
||||
}
|
||||
|
|
@ -731,6 +741,11 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
|
||||
case ConfuserVersion.v17_r74021:
|
||||
minRev = 74021;
|
||||
maxRev = 75184;
|
||||
return true;
|
||||
|
||||
case ConfuserVersion.v18_r75257:
|
||||
minRev = 75257;
|
||||
maxRev = 75369;
|
||||
return true;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user