From 2f19f876f731168b44196ee9a33179b1bcfabc97 Mon Sep 17 00:00:00 2001 From: de4dot Date: Fri, 10 Aug 2012 03:29:38 +0200 Subject: [PATCH] Detect Confuser 1.8 r75257 methods encrypter --- .../Confuser/JitMethodsDecrypter.cs | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/de4dot.code/deobfuscators/Confuser/JitMethodsDecrypter.cs b/de4dot.code/deobfuscators/Confuser/JitMethodsDecrypter.cs index d810251e..bbb72e8e 100644 --- a/de4dot.code/deobfuscators/Confuser/JitMethodsDecrypter.cs +++ b/de4dot.code/deobfuscators/Confuser/JitMethodsDecrypter.cs @@ -42,6 +42,7 @@ namespace de4dot.code.deobfuscators.Confuser { v17_r73477, v17_r73479, v17_r74021, + v18_r75257, v18_r75402, } @@ -90,7 +91,13 @@ namespace de4dot.code.deobfuscators.Confuser { } break; - case 39: theVersion = ConfuserVersion.v17_r74021; break; + case 39: + if (!DotNetUtils.callsMethod(initMethod, "System.Void System.Console::WriteLine(System.Char)")) + theVersion = ConfuserVersion.v17_r74021; + else + theVersion = ConfuserVersion.v18_r75257; + break; + case 27: theVersion = ConfuserVersion.v18_r75402; break; default: return false; } @@ -181,6 +188,7 @@ namespace de4dot.code.deobfuscators.Confuser { case ConfuserVersion.v17_r73477: return initializeKeys_v17_r73404(); case ConfuserVersion.v17_r73479: return initializeKeys_v17_r73404(); case ConfuserVersion.v17_r74021: return initializeKeys_v17_r73404(); + case ConfuserVersion.v18_r75257: return initializeKeys_v17_r73404(); case ConfuserVersion.v18_r75402: return initializeKeys_v18_r75402(); default: throw new ApplicationException("Invalid version"); } 
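Review bot: In the second hunk, the `case 39:` branch separates v17_r74021 from v18_r75257 only by whether `initMethod` calls `System.Void System.Console::WriteLine(System.Char)`, and nothing in the new code records why that call marks r75257. A comment above the check, for example `// r75257 init method calls Console.WriteLine(char); the switch value (39) is the same as for r74021`, would let a maintainer re-verify the heuristic against a sample. In the three dispatch switches this patch touches, the new value goes to the same handlers as v17_r74021, so as far as the visible hunks show a misdetection would change only the reported revision range, not the decryption path. The test would also read more directly un-negated: `if (DotNetUtils.callsMethod(initMethod, "...")) theVersion = ConfuserVersion.v18_r75257; else theVersion = ConfuserVersion.v17_r74021;`. The enclosing method starts and ends outside the hunk.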
@@ -284,6 +292,7 @@ namespace de4dot.code.deobfuscators.Confuser { case ConfuserVersion.v17_r73477: return initializeMethodDataIndexes_v17_r73477(compileMethod); case ConfuserVersion.v17_r73479: return initializeMethodDataIndexes_v17_r73477(compileMethod); case ConfuserVersion.v17_r74021: return initializeMethodDataIndexes_v17_r73477(compileMethod); + case ConfuserVersion.v18_r75257: return initializeMethodDataIndexes_v17_r73477(compileMethod); case ConfuserVersion.v18_r75402: return initializeMethodDataIndexes_v17_r73477(compileMethod); default: throw new ApplicationException("Invalid version"); } @@ -426,6 +435,7 @@ namespace de4dot.code.deobfuscators.Confuser { case ConfuserVersion.v17_r73477: return decrypt_v17_r73477(peImage, fileData, ref dumpedMethods); case ConfuserVersion.v17_r73479: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods); case ConfuserVersion.v17_r74021: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods); + case ConfuserVersion.v18_r75257: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods); case ConfuserVersion.v18_r75402: return decrypt_v18_r75402(peImage, fileData, ref dumpedMethods); default: throw new ApplicationException("Unknown version"); } @@ -731,6 +741,11 @@ namespace de4dot.code.deobfuscators.Confuser { case ConfuserVersion.v17_r74021: minRev = 74021; + maxRev = 75184; + return true; + + case ConfuserVersion.v18_r75257: + minRev = 75257; maxRev = 75369; return true;
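Review bot: The last hunk (`@@ -731,6 +741,11 @@`) ends v17_r74021 at `maxRev = 75184` and starts v18_r75257 at `minRev = 75257`, so revisions 75185–75256 are attributed to neither entry. If builds in that range still match the r74021 detection, `maxRev = 75256;` looks like the intended bound. If the gap is deliberate, a one-line comment on the v17_r74021 case such as `// 75185-75256: <reason for gap>` would keep the next reader from treating it as an off-by-range slip. The enclosing switch begins and continues outside the hunk, so how other versions treat their upper bounds is not visible here.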