Detect Confuser 1.7 r72989 constants encrypter

de4dot 2012-08-10 16:29:24 +02:00
parent 80f2a08ff1
commit 7984c94522


@ -34,6 +34,7 @@ namespace de4dot.code.deobfuscators.Confuser {
Unknown, Unknown,
v15_r60785_normal, v15_r60785_normal,
v15_r60785_dynamic, v15_r60785_dynamic,
v17_r72989_dynamic,
v17_r73404_normal, v17_r73404_normal,
v17_r73740_dynamic, v17_r73740_dynamic,
v17_r73764_dynamic, v17_r73764_dynamic,
@ -86,8 +87,12 @@ namespace de4dot.code.deobfuscators.Confuser {
DeobUtils.hasInteger(method, 0xFFFF)) DeobUtils.hasInteger(method, 0xFFFF))
version = ConfuserVersion.v17_r73404_normal; version = ConfuserVersion.v17_r73404_normal;
else if (DotNetUtils.callsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) { else if (DotNetUtils.callsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) {
if (findInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0) if (findInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0) {
version = ConfuserVersion.v15_r60785_dynamic; if (DotNetUtils.callsMethod(method, "System.Void System.Console::WriteLine()"))
version = ConfuserVersion.v15_r60785_dynamic;
else
version = ConfuserVersion.v17_r72989_dynamic;
}
else else
version = ConfuserVersion.v17_r73740_dynamic; version = ConfuserVersion.v17_r73740_dynamic;
} }
@ -166,6 +171,7 @@ namespace de4dot.code.deobfuscators.Confuser {
switch (version) { switch (version) {
case ConfuserVersion.v15_r60785_normal: return decryptConstant_v15_r60785_normal(info, encrypted, offs); case ConfuserVersion.v15_r60785_normal: return decryptConstant_v15_r60785_normal(info, encrypted, offs);
case ConfuserVersion.v15_r60785_dynamic: return decryptConstant_v15_r60785_dynamic(info, encrypted, offs); case ConfuserVersion.v15_r60785_dynamic: return decryptConstant_v15_r60785_dynamic(info, encrypted, offs);
case ConfuserVersion.v17_r72989_dynamic: return decryptConstant_v15_r60785_dynamic(info, encrypted, offs);
case ConfuserVersion.v17_r73404_normal: return decryptConstant_v17_r73404_normal(info, encrypted, offs); case ConfuserVersion.v17_r73404_normal: return decryptConstant_v17_r73404_normal(info, encrypted, offs);
case ConfuserVersion.v17_r73740_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0); case ConfuserVersion.v17_r73740_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
case ConfuserVersion.v17_r73764_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0); case ConfuserVersion.v17_r73764_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
@ -241,13 +247,22 @@ namespace de4dot.code.deobfuscators.Confuser {
return false; return false;
case ConfuserVersion.v15_r60785_normal: case ConfuserVersion.v15_r60785_normal:
case ConfuserVersion.v15_r60785_dynamic:
minRev = 60785; minRev = 60785;
maxRev = 72989; maxRev = 72989;
return true; return true;
case ConfuserVersion.v17_r73404_normal: case ConfuserVersion.v17_r73404_normal:
minRev = 73404; minRev = 73404;
maxRev = 73791;
return true;
case ConfuserVersion.v15_r60785_dynamic:
minRev = 60785;
maxRev = 72868;
return true;
case ConfuserVersion.v17_r72989_dynamic:
minRev = 72989;
maxRev = 73605; maxRev = 73605;
return true; return true;