Support Confuser 1.7 r73479 methods encrypter
This commit is contained in:
de4dot
parent
00d27a89f6
commit
82dd08b348
|
|
@ -39,6 +39,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
Unknown,
|
||||
v17_r73404,
|
||||
v17_r73477,
|
||||
v17_r73479,
|
||||
vXX,
|
||||
}
|
||||
|
||||
|
|
@ -62,18 +63,27 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
if (type == null)
|
||||
return false;
|
||||
|
||||
compileMethod = findCompileMethod(type);
|
||||
if (compileMethod == null)
|
||||
return false;
|
||||
|
||||
var theVersion = ConfuserVersion.Unknown;
|
||||
switch (type.NestedTypes.Count) {
|
||||
case 35: theVersion = ConfuserVersion.v17_r73404; break;
|
||||
case 38: theVersion = ConfuserVersion.v17_r73477; break;
|
||||
|
||||
case 38:
|
||||
switch (countInt32s(compileMethod, 0xFF)) {
|
||||
case 2: theVersion = ConfuserVersion.v17_r73477; break;
|
||||
case 4: theVersion = ConfuserVersion.v17_r73479; break;
|
||||
default: return false;
|
||||
}
|
||||
break;
|
||||
|
||||
case 27: theVersion = ConfuserVersion.vXX; break;
|
||||
default: return false;
|
||||
}
|
||||
|
||||
compileMethod = findCompileMethod(type);
|
||||
if (compileMethod == null)
|
||||
return false;
|
||||
if (theVersion == ConfuserVersion.vXX || theVersion == ConfuserVersion.v17_r73477) {
|
||||
if (theVersion >= ConfuserVersion.v17_r73477) {
|
||||
hookConstructStr = findHookConstructStr(type);
|
||||
if (hookConstructStr == null)
|
||||
return false;
|
||||
|
|
@ -86,6 +96,17 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
return true;
|
||||
}
|
||||
|
||||
static int countInt32s(MethodDefinition method, int val) {
|
||||
int count = 0;
|
||||
foreach (var instr in method.Body.Instructions) {
|
||||
if (!DotNetUtils.isLdcI4(instr))
|
||||
continue;
|
||||
if (DotNetUtils.getLdcI4Value(instr) == val)
|
||||
count++;
|
||||
}
|
||||
return count;
|
||||
}
|
||||
|
||||
static MethodDefinition findCompileMethod(TypeDefinition type) {
|
||||
foreach (var method in type.Methods) {
|
||||
if (!method.IsStatic || method.Body == null)
|
||||
|
|
@ -145,6 +166,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
switch (version) {
|
||||
case ConfuserVersion.v17_r73404: return initializeKeys_v17_r73404();
|
||||
case ConfuserVersion.v17_r73477: return initializeKeys_v17_r73404();
|
||||
case ConfuserVersion.v17_r73479: return initializeKeys_v17_r73404();
|
||||
case ConfuserVersion.vXX: return initializeKeys_vXX();
|
||||
default: throw new ApplicationException("Invalid version");
|
||||
}
|
||||
|
|
@ -245,6 +267,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
switch (version) {
|
||||
case ConfuserVersion.v17_r73404: return true;
|
||||
case ConfuserVersion.v17_r73477: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||
case ConfuserVersion.v17_r73479: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||
case ConfuserVersion.vXX: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||
default: throw new ApplicationException("Invalid version");
|
||||
}
|
||||
|
|
@ -384,6 +407,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
switch (version) {
|
||||
case ConfuserVersion.v17_r73404: return decrypt_v17_r73404(peImage, fileData, ref dumpedMethods);
|
||||
case ConfuserVersion.v17_r73477: return decrypt_v17_r73477(peImage, fileData, ref dumpedMethods);
|
||||
case ConfuserVersion.v17_r73479: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
|
||||
case ConfuserVersion.vXX: return decrypt_vXX(peImage, fileData, ref dumpedMethods);
|
||||
default: throw new ApplicationException("Unknown version");
|
||||
}
|
||||
|
|
@ -452,6 +476,16 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
return decrypt(peImage, fileData, new DecryptMethodData_v17_r73477());
|
||||
}
|
||||
|
||||
bool decrypt_v17_r73479(PeImage peImage, byte[] fileData, ref DumpedMethods dumpedMethods) {
|
||||
methodsData = decryptMethodsData_v17_r73404(peImage);
|
||||
dumpedMethods = decrypt_v17_r73479(peImage, fileData);
|
||||
return dumpedMethods != null;
|
||||
}
|
||||
|
||||
DumpedMethods decrypt_v17_r73479(PeImage peImage, byte[] fileData) {
|
||||
return decrypt(peImage, fileData, new DecryptMethodData_v17_r73479());
|
||||
}
|
||||
|
||||
bool decrypt_vXX(PeImage peImage, byte[] fileData, ref DumpedMethods dumpedMethods) {
|
||||
if (peImage.OptionalHeader.checkSum == 0)
|
||||
return false;
|
||||
|
|
@ -487,6 +521,23 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
}
|
||||
}
|
||||
|
||||
class DecryptMethodData_v17_r73479 : DecryptMethodData {
|
||||
public override void decrypt(byte[] fileData, int offset, uint k1, int size, out uint[] methodData, out byte[] codeData) {
|
||||
var data = new byte[size];
|
||||
Array.Copy(fileData, offset, data, 0, data.Length);
|
||||
uint k = k1;
|
||||
for (int i = 0; i < data.Length; i++) {
|
||||
data[i] ^= (byte)k;
|
||||
k = (k * data[i] + k1) % 0xFF;
|
||||
}
|
||||
|
||||
methodData = new uint[5];
|
||||
Buffer.BlockCopy(data, 0, methodData, 0, 20);
|
||||
codeData = new byte[size - 20];
|
||||
Array.Copy(data, 20, codeData, 0, codeData.Length);
|
||||
}
|
||||
}
|
||||
|
||||
class DecryptMethodData_vXX : DecryptMethodData {
|
||||
JitMethodsDecrypter jitDecrypter;
|
||||
|
||||
|
|
@ -545,6 +596,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
int maxStack = (int)methodData[methodDataIndexes.maxStack];
|
||||
dm.mhMaxStack = (ushort)maxStack;
|
||||
dm.mhLocalVarSigTok = methodData[methodDataIndexes.localVarSigTok];
|
||||
if (dm.mhLocalVarSigTok != 0 && (dm.mhLocalVarSigTok >> 24) != 0x11)
|
||||
throw new ApplicationException("Invalid local var sig token");
|
||||
int numExceptions = (int)methodData[methodDataIndexes.ehs];
|
||||
uint options = methodData[methodDataIndexes.options];
|
||||
int codeSize = (int)methodData[methodDataIndexes.codeSize];
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user