Detect Confuser 1.7 r72989 constants encrypter
This commit is contained in:
parent
80f2a08ff1
commit
7984c94522
|
@ -34,6 +34,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
Unknown,
|
Unknown,
|
||||||
v15_r60785_normal,
|
v15_r60785_normal,
|
||||||
v15_r60785_dynamic,
|
v15_r60785_dynamic,
|
||||||
|
v17_r72989_dynamic,
|
||||||
v17_r73404_normal,
|
v17_r73404_normal,
|
||||||
v17_r73740_dynamic,
|
v17_r73740_dynamic,
|
||||||
v17_r73764_dynamic,
|
v17_r73764_dynamic,
|
||||||
|
@ -86,8 +87,12 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
DeobUtils.hasInteger(method, 0xFFFF))
|
DeobUtils.hasInteger(method, 0xFFFF))
|
||||||
version = ConfuserVersion.v17_r73404_normal;
|
version = ConfuserVersion.v17_r73404_normal;
|
||||||
else if (DotNetUtils.callsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) {
|
else if (DotNetUtils.callsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) {
|
||||||
if (findInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0)
|
if (findInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0) {
|
||||||
|
if (DotNetUtils.callsMethod(method, "System.Void System.Console::WriteLine()"))
|
||||||
version = ConfuserVersion.v15_r60785_dynamic;
|
version = ConfuserVersion.v15_r60785_dynamic;
|
||||||
|
else
|
||||||
|
version = ConfuserVersion.v17_r72989_dynamic;
|
||||||
|
}
|
||||||
else
|
else
|
||||||
version = ConfuserVersion.v17_r73740_dynamic;
|
version = ConfuserVersion.v17_r73740_dynamic;
|
||||||
}
|
}
|
||||||
|
@ -166,6 +171,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
switch (version) {
|
switch (version) {
|
||||||
case ConfuserVersion.v15_r60785_normal: return decryptConstant_v15_r60785_normal(info, encrypted, offs);
|
case ConfuserVersion.v15_r60785_normal: return decryptConstant_v15_r60785_normal(info, encrypted, offs);
|
||||||
case ConfuserVersion.v15_r60785_dynamic: return decryptConstant_v15_r60785_dynamic(info, encrypted, offs);
|
case ConfuserVersion.v15_r60785_dynamic: return decryptConstant_v15_r60785_dynamic(info, encrypted, offs);
|
||||||
|
case ConfuserVersion.v17_r72989_dynamic: return decryptConstant_v15_r60785_dynamic(info, encrypted, offs);
|
||||||
case ConfuserVersion.v17_r73404_normal: return decryptConstant_v17_r73404_normal(info, encrypted, offs);
|
case ConfuserVersion.v17_r73404_normal: return decryptConstant_v17_r73404_normal(info, encrypted, offs);
|
||||||
case ConfuserVersion.v17_r73740_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
|
case ConfuserVersion.v17_r73740_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
|
||||||
case ConfuserVersion.v17_r73764_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
|
case ConfuserVersion.v17_r73764_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
|
||||||
|
@ -241,13 +247,22 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
case ConfuserVersion.v15_r60785_normal:
|
case ConfuserVersion.v15_r60785_normal:
|
||||||
case ConfuserVersion.v15_r60785_dynamic:
|
|
||||||
minRev = 60785;
|
minRev = 60785;
|
||||||
maxRev = 72989;
|
maxRev = 72989;
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
case ConfuserVersion.v17_r73404_normal:
|
case ConfuserVersion.v17_r73404_normal:
|
||||||
minRev = 73404;
|
minRev = 73404;
|
||||||
|
maxRev = 73791;
|
||||||
|
return true;
|
||||||
|
|
||||||
|
case ConfuserVersion.v15_r60785_dynamic:
|
||||||
|
minRev = 60785;
|
||||||
|
maxRev = 72868;
|
||||||
|
return true;
|
||||||
|
|
||||||
|
case ConfuserVersion.v17_r72989_dynamic:
|
||||||
|
minRev = 72989;
|
||||||
maxRev = 73605;
|
maxRev = 73605;
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user