Update detection of SA v2 string decrypter
This commit is contained in:
parent
fafa60c4c9
commit
7d4c791575
|
@ -92,11 +92,11 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
"System.Int32",
|
"System.Int32",
|
||||||
};
|
};
|
||||||
StringDecrypterVersion guessVersion(MethodDefinition cctor) {
|
StringDecrypterVersion guessVersion(MethodDefinition cctor) {
|
||||||
if (cctor == null)
|
|
||||||
return StringDecrypterVersion.V1;
|
|
||||||
var fieldTypes = new FieldTypes(stringsEncodingClass);
|
var fieldTypes = new FieldTypes(stringsEncodingClass);
|
||||||
if (fieldTypes.exactly(fields2x))
|
if (fieldTypes.exactly(fields2x))
|
||||||
return StringDecrypterVersion.V2;
|
return StringDecrypterVersion.V2;
|
||||||
|
if (cctor == null)
|
||||||
|
return StringDecrypterVersion.V1;
|
||||||
if (fieldTypes.exactly(fields3x))
|
if (fieldTypes.exactly(fields3x))
|
||||||
return StringDecrypterVersion.V3;
|
return StringDecrypterVersion.V3;
|
||||||
return StringDecrypterVersion.Unknown;
|
return StringDecrypterVersion.Unknown;
|
||||||
|
|
|
@ -185,12 +185,11 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
|
||||||
var fields = new FieldTypes(type);
|
var fields = new FieldTypes(type);
|
||||||
if (fields.exists("System.Collections.Hashtable") ||
|
if (fields.exists("System.Collections.Hashtable") ||
|
||||||
fields.exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>") ||
|
fields.exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>") ||
|
||||||
fields.exactly(fields2x) ||
|
|
||||||
fields.exactly(fields3x)) {
|
fields.exactly(fields3x)) {
|
||||||
if (DotNetUtils.getMethod(type, ".cctor") == null)
|
if (DotNetUtils.getMethod(type, ".cctor") == null)
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
else if (fields.exactly(fields1x)) {
|
else if (fields.exactly(fields1x) || fields.exactly(fields2x)) {
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
return false;
|
return false;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user