monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Support more MaxtoCode runtimes

Browse Source
This commit is contained in:
de4dot 2013-11-06 03:20:44 +01:00
parent 730505fd4f
commit 85c565fc20
3 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs
View File

@ -110,6 +110,13 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
MagicHi = 0x624ECDA3,
Version = EncryptionVersion.V8,
},
// 526BC020
// 526BDD12
new EncryptionInfo {
MagicLo = 0x9A683B87,
MagicHi = 0x928ECDA3,
Version = EncryptionVersion.V8,
},
};
public static readonly EncryptionInfo[] McKey8C0h = new EncryptionInfo[] {
@ -168,6 +175,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
// 51413BD8
// 51413D68
// 5166DB4F
// 526BC020
// 526BDD12
new EncryptionInfo {
MagicLo = 0x1A731B13,
MagicHi = 0x1723891F,

18
de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
View File

@ -192,6 +192,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v7, Decrypt9_v7, Decrypt7, Decrypt5 }, new uint[] { 0x51413D68 }));
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v8, Decrypt9_v8, Decrypt7, Decrypt5 }, new uint[] { 0x513D7124, 0x51413BD8 }));
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v2, Decrypt3_v6, Decrypt1_v9, Decrypt6, Decrypt8_v8, Decrypt9_v9, Decrypt7, Decrypt5 }, new uint[] { 0x513D4492 }));
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v6, Decrypt2_v2, Decrypt4_v8, Decrypt1_v10, Decrypt8_v9, Decrypt9_v10, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x526BDD12 }));
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v10, Decrypt4_v8, Decrypt2_v2, Decrypt3_v6, Decrypt6, Decrypt8_v9, Decrypt9_v10, Decrypt7, Decrypt5 }, new uint[] { 0x526BC020 }));
break;
case EncryptionVersion.Unknown:
@ -398,6 +400,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
return Decrypt1(encrypted, 9, 0x13, 0x400);
}
byte[] Decrypt1_v10(byte[] encrypted) {
return Decrypt1(encrypted, 0x11, 0x11, 0x400);
}
byte[] Decrypt1(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
var decrypted = new byte[encrypted.Length];
for (int i = 0, ki = keyStart; i < decrypted.Length; i++) {
@ -532,6 +538,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
return Decrypt4(encrypted, 0x0B, 0x0B, 0x100);
}
byte[] Decrypt4_v8(byte[] encrypted) {
return Decrypt4(encrypted, 9, 9, 0x100);
}
byte[] Decrypt4(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
var decrypted = new byte[encrypted.Length / 3 * 2 + 1];
@ -585,6 +595,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
return Decrypt8(encrypted, 0x11, 0x11, 0x600);
}
byte[] Decrypt8_v9(byte[] encrypted) {
return Decrypt8(encrypted, 0xA, 0xA, 0x600);
}
byte[] Decrypt8(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
var decrypted = new byte[encrypted.Length];
int ki = keyStart;
@ -618,6 +632,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
return Decrypt9(encrypted, 0x10, 0x10, 0x510);
}
byte[] Decrypt9_v10(byte[] encrypted) {
return Decrypt9(encrypted, 5, 5, 0x510);
}
byte[] Decrypt9(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
var decrypted = new byte[encrypted.Length];
int ki = keyStart;

2
de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs
View File

@ -70,6 +70,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
break;
if (CheckMcKeyRva(peImage, 0x18ABA931))
break;
if (CheckMcKeyRva(peImage, 0x18ABA933))
break;
break;
}
}