diff --git a/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs b/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs index 1b89b22e..c5e07d7f 100644 --- a/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs @@ -69,6 +69,7 @@ namespace de4dot.code.deobfuscators.Confuser { class Deobfuscator : DeobfuscatorBase { Options options; string obfuscatorName = DeobfuscatorInfo.THE_NAME; + Version approxVersion; List embeddedAssemblyInfos = new List(); JitMethodsDecrypter jitMethodsDecrypter; @@ -149,6 +150,7 @@ namespace de4dot.code.deobfuscators.Confuser { } protected override void scanForObfuscator() { + removeObfuscatorAttribute(); jitMethodsDecrypter = new JitMethodsDecrypter(module, DeobfuscatedFile); try { jitMethodsDecrypter.find(); @@ -215,6 +217,7 @@ namespace de4dot.code.deobfuscators.Confuser { obfuscatorName = string.Format("{0} {1}", DeobfuscatorInfo.THE_NAME, versionString); } + const bool useAttributeVersion = true; string getVersionString() { var versionProviders = new IVersionProvider[] { jitMethodsDecrypter, @@ -243,6 +246,8 @@ namespace de4dot.code.deobfuscators.Confuser { vd.addRevs(minRev, maxRev); } } + if (useAttributeVersion) + vd.setVersion(approxVersion); return vd.getVersionString(); } @@ -332,6 +337,7 @@ namespace de4dot.code.deobfuscators.Confuser { newOne.ModuleBytes = ModuleBytes; newOne.embeddedAssemblyInfos.AddRange(embeddedAssemblyInfos); newOne.setModule(module); + newOne.removeObfuscatorAttribute(); newOne.jitMethodsDecrypter = hasUnpacked ? new JitMethodsDecrypter(module, DeobfuscatedFile) : new JitMethodsDecrypter(module, DeobfuscatedFile, jitMethodsDecrypter); if ((newOne.decryptState & DecryptState.CanDecryptMethods) != 0) { @@ -359,7 +365,6 @@ namespace de4dot.code.deobfuscators.Confuser { Log.v("Detected {0}", obfuscatorName); - removeObfuscatorAttribute(); initializeConstantsDecrypterV18(); initializeConstantsDecrypterV17(); initializeConstantsDecrypterV15(); 
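Review bot: In `scanForObfuscator()` the added `removeObfuscatorAttribute();` call is now what fills `approxVersion` (through `setConfuserVersion`, added in the -539 hunk), but neither the call site nor the method name says so. A short comment would keep a later cleanup from moving it back, e.g. `// Also records approxVersion from ConfusedByAttribute; must run before getVersionString()`. The same applies to `newOne.removeObfuscatorAttribute();` in the -332 hunk. The call also queues the attribute for removal during scanning instead of after `Log.v("Detected {0}", obfuscatorName);`; whether that matters for a file that is not identified as Confuser depends on code outside the diff.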
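Review bot: The `vd.setVersion(approxVersion);` call added before `return vd.getVersionString();` feeds a string stored in the file being analysed into the same revision range as the evidence from the decrypter-based version providers, and whoever produced the file can set that string to anything. It is applied last, so an attribute naming a major.minor that disagrees with the code-derived revisions may leave the range empty; `VersionDetector.getVersionString()` returns null when `minRev > maxRev`, though how `addRevs` combines ranges is not visible here. Consider documenting the `useAttributeVersion` constant, e.g. `// ConfusedByAttribute text comes from the input file; use it only as a hint to narrow the reported version`, and ignoring the attribute when it conflicts with what the code-based providers found. The enclosing method starts before this hunk.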
@@ -539,11 +544,27 @@ namespace de4dot.code.deobfuscators.Confuser { void removeObfuscatorAttribute() { foreach (var type in module.Types) { - if (type.FullName == "ConfusedByAttribute") + if (type.FullName == "ConfusedByAttribute") { + setConfuserVersion(type); addAttributeToBeRemoved(type, "Obfuscator attribute"); + break; + } } } + void setConfuserVersion(TypeDefinition type) { + var s = DotNetUtils.getCustomArgAsString(getModuleAttribute(type) ?? getAssemblyAttribute(type), 0); + if (s == null) + return; + var val = System.Text.RegularExpressions.Regex.Match(s, @"^Confuser v(\d+)\.(\d+)\.(\d+)\.(\d+)$"); + if (val.Groups.Count < 5) + return; + approxVersion = new Version(int.Parse(val.Groups[1].ToString()), + int.Parse(val.Groups[2].ToString()), + int.Parse(val.Groups[3].ToString()), + int.Parse(val.Groups[4].ToString())); + } + public override void deobfuscateMethodEnd(Blocks blocks) { if (proxyCallFixer != null) proxyCallFixer.deobfuscate(blocks); diff --git a/de4dot.code/deobfuscators/Confuser/VersionDetector.cs b/de4dot.code/deobfuscators/Confuser/VersionDetector.cs index 146bba7e..15e18209 100644 --- a/de4dot.code/deobfuscators/Confuser/VersionDetector.cs +++ b/de4dot.code/deobfuscators/Confuser/VersionDetector.cs @@ -87,6 +87,25 @@ namespace de4dot.code.deobfuscators.Confuser { maxRev = max; } + public void setVersion(Version version) { + if (version == null) + return; + int minRev = int.MaxValue, maxRev = int.MinValue; + foreach (var kv in revToVersion) { + if (kv.Value.Major != version.Major || kv.Value.Minor != version.Minor) + continue; + if (minRev > kv.Key) + minRev = kv.Key; + if (maxRev < kv.Key) + maxRev = kv.Key; + } + if (minRev == int.MaxValue) + return; + if (maxRev == revs[revs.Length - 1]) + maxRev = int.MaxValue; + addRevs(minRev, maxRev); + } + public string getVersionString() { if (minRev > maxRev || minRev < 0) return null;
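Review bot: `setConfuserVersion` can throw on a malformed attribute string. `\d+` accepts any number of digits and, in .NET, non-ASCII decimal digits as well, so `int.Parse` can raise `OverflowException` or `FormatException` on text that already passed the regex. The string comes from the assembly being analysed and this code now runs from `scanForObfuscator()`, so a bad `ConfusedByAttribute` value could stop detection unless a caller outside the diff catches the exception. Bounding the groups avoids that: `@"^Confuser v([0-9]{1,9})\.([0-9]{1,9})\.([0-9]{1,9})\.([0-9]{1,9})$"`. The failed-match test would also read more directly as `if (!val.Success) return;` than as a check on `val.Groups.Count`.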
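Review bot: In the new `VersionDetector.setVersion`, the locals `minRev` and `maxRev` share their names with what appear to be the instance fields used in `addRevs` (`maxRev = max;`) and in `getVersionString()` (`if (minRev > maxRev || minRev < 0)`). That makes it easy to misread the loop as updating the detector's own state. Renaming them, e.g. `int lo = int.MaxValue, hi = int.MinValue;`, would make the intent clear, as would a summary comment saying that only `Major` and `Minor` of the attribute version are matched against `revToVersion`. `revs[revs.Length - 1]` also assumes `revs` is non-empty and kept in sync with `revToVersion`, which this hunk does not show.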