Support more MaxtoCode runtimes
This commit is contained in:
parent
730505fd4f
commit
85c565fc20
|
@ -110,6 +110,13 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
MagicHi = 0x624ECDA3,
|
MagicHi = 0x624ECDA3,
|
||||||
Version = EncryptionVersion.V8,
|
Version = EncryptionVersion.V8,
|
||||||
},
|
},
|
||||||
|
// 526BC020
|
||||||
|
// 526BDD12
|
||||||
|
new EncryptionInfo {
|
||||||
|
MagicLo = 0x9A683B87,
|
||||||
|
MagicHi = 0x928ECDA3,
|
||||||
|
Version = EncryptionVersion.V8,
|
||||||
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
public static readonly EncryptionInfo[] McKey8C0h = new EncryptionInfo[] {
|
public static readonly EncryptionInfo[] McKey8C0h = new EncryptionInfo[] {
|
||||||
|
@ -168,6 +175,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
// 51413BD8
|
// 51413BD8
|
||||||
// 51413D68
|
// 51413D68
|
||||||
// 5166DB4F
|
// 5166DB4F
|
||||||
|
// 526BC020
|
||||||
|
// 526BDD12
|
||||||
new EncryptionInfo {
|
new EncryptionInfo {
|
||||||
MagicLo = 0x1A731B13,
|
MagicLo = 0x1A731B13,
|
||||||
MagicHi = 0x1723891F,
|
MagicHi = 0x1723891F,
|
||||||
|
|
|
@ -192,6 +192,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v7, Decrypt9_v7, Decrypt7, Decrypt5 }, new uint[] { 0x51413D68 }));
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v7, Decrypt9_v7, Decrypt7, Decrypt5 }, new uint[] { 0x51413D68 }));
|
||||||
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v8, Decrypt9_v8, Decrypt7, Decrypt5 }, new uint[] { 0x513D7124, 0x51413BD8 }));
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v8, Decrypt9_v8, Decrypt7, Decrypt5 }, new uint[] { 0x513D7124, 0x51413BD8 }));
|
||||||
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v2, Decrypt3_v6, Decrypt1_v9, Decrypt6, Decrypt8_v8, Decrypt9_v9, Decrypt7, Decrypt5 }, new uint[] { 0x513D4492 }));
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v2, Decrypt3_v6, Decrypt1_v9, Decrypt6, Decrypt8_v8, Decrypt9_v9, Decrypt7, Decrypt5 }, new uint[] { 0x513D4492 }));
|
||||||
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v6, Decrypt2_v2, Decrypt4_v8, Decrypt1_v10, Decrypt8_v9, Decrypt9_v10, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x526BDD12 }));
|
||||||
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v10, Decrypt4_v8, Decrypt2_v2, Decrypt3_v6, Decrypt6, Decrypt8_v9, Decrypt9_v10, Decrypt7, Decrypt5 }, new uint[] { 0x526BC020 }));
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case EncryptionVersion.Unknown:
|
case EncryptionVersion.Unknown:
|
||||||
|
@ -398,6 +400,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
return Decrypt1(encrypted, 9, 0x13, 0x400);
|
return Decrypt1(encrypted, 9, 0x13, 0x400);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
byte[] Decrypt1_v10(byte[] encrypted) {
|
||||||
|
return Decrypt1(encrypted, 0x11, 0x11, 0x400);
|
||||||
|
}
|
||||||
|
|
||||||
byte[] Decrypt1(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
byte[] Decrypt1(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
||||||
var decrypted = new byte[encrypted.Length];
|
var decrypted = new byte[encrypted.Length];
|
||||||
for (int i = 0, ki = keyStart; i < decrypted.Length; i++) {
|
for (int i = 0, ki = keyStart; i < decrypted.Length; i++) {
|
||||||
|
@ -532,6 +538,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
return Decrypt4(encrypted, 0x0B, 0x0B, 0x100);
|
return Decrypt4(encrypted, 0x0B, 0x0B, 0x100);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
byte[] Decrypt4_v8(byte[] encrypted) {
|
||||||
|
return Decrypt4(encrypted, 9, 9, 0x100);
|
||||||
|
}
|
||||||
|
|
||||||
byte[] Decrypt4(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
byte[] Decrypt4(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
||||||
var decrypted = new byte[encrypted.Length / 3 * 2 + 1];
|
var decrypted = new byte[encrypted.Length / 3 * 2 + 1];
|
||||||
|
|
||||||
|
@ -585,6 +595,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
return Decrypt8(encrypted, 0x11, 0x11, 0x600);
|
return Decrypt8(encrypted, 0x11, 0x11, 0x600);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
byte[] Decrypt8_v9(byte[] encrypted) {
|
||||||
|
return Decrypt8(encrypted, 0xA, 0xA, 0x600);
|
||||||
|
}
|
||||||
|
|
||||||
byte[] Decrypt8(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
byte[] Decrypt8(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
||||||
var decrypted = new byte[encrypted.Length];
|
var decrypted = new byte[encrypted.Length];
|
||||||
int ki = keyStart;
|
int ki = keyStart;
|
||||||
|
@ -618,6 +632,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
return Decrypt9(encrypted, 0x10, 0x10, 0x510);
|
return Decrypt9(encrypted, 0x10, 0x10, 0x510);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
byte[] Decrypt9_v10(byte[] encrypted) {
|
||||||
|
return Decrypt9(encrypted, 5, 5, 0x510);
|
||||||
|
}
|
||||||
|
|
||||||
byte[] Decrypt9(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
byte[] Decrypt9(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
||||||
var decrypted = new byte[encrypted.Length];
|
var decrypted = new byte[encrypted.Length];
|
||||||
int ki = keyStart;
|
int ki = keyStart;
|
||||||
|
|
|
@ -70,6 +70,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
|
||||||
break;
|
break;
|
||||||
if (CheckMcKeyRva(peImage, 0x18ABA931))
|
if (CheckMcKeyRva(peImage, 0x18ABA931))
|
||||||
break;
|
break;
|
||||||
|
if (CheckMcKeyRva(peImage, 0x18ABA933))
|
||||||
|
break;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user