Use version from ConfusedBy attribute on module/asm to narrow down the detected version
This commit is contained in:
parent
9e4fa4511b
commit
6bf54bbae2
|
@ -69,6 +69,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
class Deobfuscator : DeobfuscatorBase {
|
||||
Options options;
|
||||
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
|
||||
Version approxVersion;
|
||||
|
||||
List<EmbeddedAssemblyInfo> embeddedAssemblyInfos = new List<EmbeddedAssemblyInfo>();
|
||||
JitMethodsDecrypter jitMethodsDecrypter;
|
||||
|
@ -149,6 +150,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
}
|
||||
|
||||
protected override void scanForObfuscator() {
|
||||
removeObfuscatorAttribute();
|
||||
jitMethodsDecrypter = new JitMethodsDecrypter(module, DeobfuscatedFile);
|
||||
try {
|
||||
jitMethodsDecrypter.find();
|
||||
|
@ -215,6 +217,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
obfuscatorName = string.Format("{0} {1}", DeobfuscatorInfo.THE_NAME, versionString);
|
||||
}
|
||||
|
||||
const bool useAttributeVersion = true;
|
||||
string getVersionString() {
|
||||
var versionProviders = new IVersionProvider[] {
|
||||
jitMethodsDecrypter,
|
||||
|
@ -243,6 +246,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
vd.addRevs(minRev, maxRev);
|
||||
}
|
||||
}
|
||||
if (useAttributeVersion)
|
||||
vd.setVersion(approxVersion);
|
||||
return vd.getVersionString();
|
||||
}
|
||||
|
||||
|
@ -332,6 +337,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
newOne.ModuleBytes = ModuleBytes;
|
||||
newOne.embeddedAssemblyInfos.AddRange(embeddedAssemblyInfos);
|
||||
newOne.setModule(module);
|
||||
newOne.removeObfuscatorAttribute();
|
||||
newOne.jitMethodsDecrypter = hasUnpacked ? new JitMethodsDecrypter(module, DeobfuscatedFile) :
|
||||
new JitMethodsDecrypter(module, DeobfuscatedFile, jitMethodsDecrypter);
|
||||
if ((newOne.decryptState & DecryptState.CanDecryptMethods) != 0) {
|
||||
|
@ -359,7 +365,6 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
|
||||
Log.v("Detected {0}", obfuscatorName);
|
||||
|
||||
removeObfuscatorAttribute();
|
||||
initializeConstantsDecrypterV18();
|
||||
initializeConstantsDecrypterV17();
|
||||
initializeConstantsDecrypterV15();
|
||||
|
@ -539,11 +544,27 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
|
||||
void removeObfuscatorAttribute() {
|
||||
foreach (var type in module.Types) {
|
||||
if (type.FullName == "ConfusedByAttribute")
|
||||
if (type.FullName == "ConfusedByAttribute") {
|
||||
setConfuserVersion(type);
|
||||
addAttributeToBeRemoved(type, "Obfuscator attribute");
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void setConfuserVersion(TypeDefinition type) {
|
||||
var s = DotNetUtils.getCustomArgAsString(getModuleAttribute(type) ?? getAssemblyAttribute(type), 0);
|
||||
if (s == null)
|
||||
return;
|
||||
var val = System.Text.RegularExpressions.Regex.Match(s, @"^Confuser v(\d+)\.(\d+)\.(\d+)\.(\d+)$");
|
||||
if (val.Groups.Count < 5)
|
||||
return;
|
||||
approxVersion = new Version(int.Parse(val.Groups[1].ToString()),
|
||||
int.Parse(val.Groups[2].ToString()),
|
||||
int.Parse(val.Groups[3].ToString()),
|
||||
int.Parse(val.Groups[4].ToString()));
|
||||
}
|
||||
|
||||
public override void deobfuscateMethodEnd(Blocks blocks) {
|
||||
if (proxyCallFixer != null)
|
||||
proxyCallFixer.deobfuscate(blocks);
|
||||
|
|
|
@ -87,6 +87,25 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
maxRev = max;
|
||||
}
|
||||
|
||||
public void setVersion(Version version) {
|
||||
if (version == null)
|
||||
return;
|
||||
int minRev = int.MaxValue, maxRev = int.MinValue;
|
||||
foreach (var kv in revToVersion) {
|
||||
if (kv.Value.Major != version.Major || kv.Value.Minor != version.Minor)
|
||||
continue;
|
||||
if (minRev > kv.Key)
|
||||
minRev = kv.Key;
|
||||
if (maxRev < kv.Key)
|
||||
maxRev = kv.Key;
|
||||
}
|
||||
if (minRev == int.MaxValue)
|
||||
return;
|
||||
if (maxRev == revs[revs.Length - 1])
|
||||
maxRev = int.MaxValue;
|
||||
addRevs(minRev, maxRev);
|
||||
}
|
||||
|
||||
public string getVersionString() {
|
||||
if (minRev > maxRev || minRev < 0)
|
||||
return null;
|
||||
|
|
Loading…
Reference in New Issue
Block a user