Detect Confuser 1.9 r75725 methods encrypter (JIT)

de4dot 2012-08-10 03:53:19 +02:00
parent 754c5a1400
commit 7aa2a157d0


@ -46,6 +46,7 @@ namespace de4dot.code.deobfuscators.Confuser {
v18_r75288, v18_r75288,
v18_r75291, v18_r75291,
v18_r75402, v18_r75402,
v19_r75725,
} }
struct MethodDataIndexes { struct MethodDataIndexes {
@ -110,8 +111,15 @@ namespace de4dot.code.deobfuscators.Confuser {
theVersion = ConfuserVersion.v18_r75288; theVersion = ConfuserVersion.v18_r75288;
break; break;
case 27: theVersion = ConfuserVersion.v18_r75402; break; case 27:
default: return false; if (DotNetUtils.callsMethod(initMethod, "System.Int32 System.String::get_Length()"))
theVersion = ConfuserVersion.v18_r75402;
else
theVersion = ConfuserVersion.v19_r75725;
break;
default:
return false;
} }
if (theVersion >= ConfuserVersion.v17_r73477) { if (theVersion >= ConfuserVersion.v17_r73477) {
@ -201,6 +209,7 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v18_r75288: return initializeKeys_v17_r73404(); case ConfuserVersion.v18_r75288: return initializeKeys_v17_r73404();
case ConfuserVersion.v18_r75291: return initializeKeys_v17_r73404(); case ConfuserVersion.v18_r75291: return initializeKeys_v17_r73404();
case ConfuserVersion.v18_r75402: return initializeKeys_v18_r75402(); case ConfuserVersion.v18_r75402: return initializeKeys_v18_r75402();
case ConfuserVersion.v19_r75725: return initializeKeys_v18_r75402();
default: throw new ApplicationException("Invalid version"); default: throw new ApplicationException("Invalid version");
} }
} }
@ -307,6 +316,7 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v18_r75288: return initializeMethodDataIndexes_v17_r73477(compileMethod); case ConfuserVersion.v18_r75288: return initializeMethodDataIndexes_v17_r73477(compileMethod);
case ConfuserVersion.v18_r75291: return initializeMethodDataIndexes_v17_r73477(compileMethod); case ConfuserVersion.v18_r75291: return initializeMethodDataIndexes_v17_r73477(compileMethod);
case ConfuserVersion.v18_r75402: return initializeMethodDataIndexes_v17_r73477(compileMethod); case ConfuserVersion.v18_r75402: return initializeMethodDataIndexes_v17_r73477(compileMethod);
case ConfuserVersion.v19_r75725: return initializeMethodDataIndexes_v17_r73477(compileMethod);
default: throw new ApplicationException("Invalid version"); default: throw new ApplicationException("Invalid version");
} }
} }
@ -452,6 +462,7 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v18_r75288: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods); case ConfuserVersion.v18_r75288: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
case ConfuserVersion.v18_r75291: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods); case ConfuserVersion.v18_r75291: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
case ConfuserVersion.v18_r75402: return decrypt_v18_r75402(peImage, fileData, ref dumpedMethods); case ConfuserVersion.v18_r75402: return decrypt_v18_r75402(peImage, fileData, ref dumpedMethods);
case ConfuserVersion.v19_r75725: return decrypt_v18_r75402(peImage, fileData, ref dumpedMethods);
default: throw new ApplicationException("Unknown version"); default: throw new ApplicationException("Unknown version");
} }
} }
@ -776,6 +787,11 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v18_r75402: case ConfuserVersion.v18_r75402:
minRev = 75402; minRev = 75402;
maxRev = 75720;
return true;
case ConfuserVersion.v19_r75725:
minRev = 75725;
maxRev = int.MaxValue; maxRev = int.MaxValue;
return true; return true;
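Review bot: In the `case 27:` branch, v19_r75725 is chosen only because `initMethod` does not call `System.Int32 System.String::get_Length()`, so any other build that reaches this case without that call is also reported as r75725 or later (`maxRev = int.MaxValue` in the last hunk). The visible dispatch hunks route v19_r75725 to the same `initializeKeys_v18_r75402`, `initializeMethodDataIndexes_v17_r73477` and `decrypt_v18_r75402` as v18_r75402, so the split appears to affect only the reported revision range; if that is the intent, say so next to the check, for example `// 27 matches both r75402 and r75725; only r75402's init method calls String::get_Length()`. The meaning of 27 and the rest of the switch lie outside the hunk, so this should be confirmed against the full method. The gap between `maxRev = 75720` and `minRev = 75725` would also benefit from a one-line comment giving the reason.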