Support some more MaxtoCode runtimes
This commit is contained in:
de4dot
parent
099233960f
commit
3f3bd90688
|
|
@ -113,7 +113,9 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
// 526BC020
|
||||
// 526BDD12
|
||||
// 5296E242
|
||||
// 52B2B2A3
|
||||
// 52B3043C
|
||||
// 53172907
|
||||
// 531729C4
|
||||
new EncryptionInfo {
|
||||
MagicLo = 0x9A683B87,
|
||||
|
|
@ -181,7 +183,9 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
// 526BC020
|
||||
// 526BDD12
|
||||
// 5296E242
|
||||
// 52B2B2A3
|
||||
// 52B3043C
|
||||
// 53172907
|
||||
// 531729C4
|
||||
new EncryptionInfo {
|
||||
MagicLo = 0x1A731B13,
|
||||
|
|
|
|||
|
|
@ -196,6 +196,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v10, Decrypt4_v8, Decrypt2_v2, Decrypt3_v6, Decrypt6, Decrypt8_v9, Decrypt9_v10, Decrypt7, Decrypt5 }, new uint[] { 0x526BC020 }));
|
||||
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v7, Decrypt2_v6, Decrypt4_v9, Decrypt1_v11, Decrypt8_v10, Decrypt11_v1, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x5296E242, 0x52B3043C }));
|
||||
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v10, Decrypt1_v12, Decrypt3_v8, Decrypt2_v7, Decrypt6, Decrypt8_v11, Decrypt9_v11, Decrypt7, Decrypt5 }, new uint[] { 0x531729C4 }));
|
||||
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v13, Decrypt4_v11, Decrypt2_v8, Decrypt3_v9, Decrypt6, Decrypt8_v11, Decrypt9_v12, Decrypt7, Decrypt5 }, new uint[] { 0x52B2B2A3 }));
|
||||
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt2_v9, Decrypt3_v10, Decrypt1_v10, Decrypt4_v12, Decrypt8_v12, Decrypt9_v13, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x53172907 }));
|
||||
break;
|
||||
|
||||
case EncryptionVersion.Unknown:
|
||||
|
|
@ -414,6 +416,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
return Decrypt1(encrypted, 0x12, 0x12, 0x200);
|
||||
}
|
||||
|
||||
byte[] Decrypt1_v13(byte[] encrypted) {
|
||||
return Decrypt1(encrypted, 0x11, 0x11, 0x200);
|
||||
}
|
||||
|
||||
byte[] Decrypt1(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
||||
var decrypted = new byte[encrypted.Length];
|
||||
for (int i = 0, ki = keyStart; i < decrypted.Length; i++) {
|
||||
|
|
@ -452,6 +458,14 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
return Decrypt2(encrypted, 0x00FA + 0x0E);
|
||||
}
|
||||
|
||||
byte[] Decrypt2_v8(byte[] encrypted) {
|
||||
return Decrypt2(encrypted, 0x00FA + 0x0D);
|
||||
}
|
||||
|
||||
byte[] Decrypt2_v9(byte[] encrypted) {
|
||||
return Decrypt2(encrypted, 0x00FA + 0x0C);
|
||||
}
|
||||
|
||||
byte[] Decrypt2(byte[] encrypted, int offset) {
|
||||
if ((encrypted.Length & 7) != 0)
|
||||
throw new ApplicationException("Invalid encryption #2 length");
|
||||
|
|
@ -507,6 +521,14 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
return Decrypt3(encrypted, 0x015E + 0x0F);
|
||||
}
|
||||
|
||||
byte[] Decrypt3_v9(byte[] encrypted) {
|
||||
return Decrypt3(encrypted, 0x015E + 0x12);
|
||||
}
|
||||
|
||||
byte[] Decrypt3_v10(byte[] encrypted) {
|
||||
return Decrypt3(encrypted, 0x015E + 0x0E);
|
||||
}
|
||||
|
||||
static readonly byte[] decrypt3Shifts = new byte[16] { 5, 11, 14, 21, 6, 20, 17, 29, 4, 10, 3, 2, 7, 1, 26, 18 };
|
||||
byte[] Decrypt3(byte[] encrypted, int offset) {
|
||||
if ((encrypted.Length & 7) != 0)
|
||||
|
|
@ -576,6 +598,14 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
return Decrypt4(encrypted, 0x10, 0x10, 0x120);
|
||||
}
|
||||
|
||||
byte[] Decrypt4_v11(byte[] encrypted) {
|
||||
return Decrypt4(encrypted, 0x0F, 0x0E, 0x120);
|
||||
}
|
||||
|
||||
byte[] Decrypt4_v12(byte[] encrypted) {
|
||||
return Decrypt4(encrypted, 0x0C, 0x0C, 0x150);
|
||||
}
|
||||
|
||||
byte[] Decrypt4(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
||||
var decrypted = new byte[encrypted.Length / 3 * 2 + 1];
|
||||
|
||||
|
|
@ -641,6 +671,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
return Decrypt8(encrypted, 0x19, 0x19, 0x500);
|
||||
}
|
||||
|
||||
byte[] Decrypt8_v12(byte[] encrypted) {
|
||||
return Decrypt8(encrypted, 0x14, 0x14, 0x600);
|
||||
}
|
||||
|
||||
byte[] Decrypt8(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
||||
var decrypted = new byte[encrypted.Length];
|
||||
int ki = keyStart;
|
||||
|
|
@ -682,6 +716,14 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
|||
return Decrypt9(encrypted, 0x19, 0x19, 0x500);
|
||||
}
|
||||
|
||||
byte[] Decrypt9_v12(byte[] encrypted) {
|
||||
return Decrypt9(encrypted, 0x19, 0x19, 0x500);
|
||||
}
|
||||
|
||||
byte[] Decrypt9_v13(byte[] encrypted) {
|
||||
return Decrypt9(encrypted, 5, 5, 0x510);
|
||||
}
|
||||
|
||||
byte[] Decrypt9(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
||||
var decrypted = new byte[encrypted.Length];
|
||||
int ki = keyStart;
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user