From 860dd5a0f59fc24cdaa53af79d7b4d2603bec2e2 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Aug 2012 17:28:53 +0200
Subject: [PATCH] Detect Confuser 1.7 r74816 constants encrypter

---
 .../Confuser/ConstantsDecrypterV17.cs            | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV17.cs b/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV17.cs
index 2910cd78..4b9c12f9 100644
--- a/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV17.cs
+++ b/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV17.cs
@@ -37,6 +37,9 @@ namespace de4dot.code.deobfuscators.Confuser {
 			v17_r74788_normal,
 			v17_r74788_dynamic,
 			v17_r74788_native,
+			v17_r74816_normal,
+			v17_r74816_dynamic,
+			v17_r74816_native,
 		}
 
 		class DecrypterInfoV17 : DecrypterInfo {
@@ -93,11 +96,14 @@ namespace de4dot.code.deobfuscators.Confuser {
 				switch (version) {
 				case ConfuserVersion.v17_r74708_normal:
 				case ConfuserVersion.v17_r74788_normal:
+				case ConfuserVersion.v17_r74816_normal:
 					return findKey4_normal(method, out key);
 				case ConfuserVersion.v17_r74708_dynamic:
 				case ConfuserVersion.v17_r74708_native:
 				case ConfuserVersion.v17_r74788_dynamic:
 				case ConfuserVersion.v17_r74788_native:
+				case ConfuserVersion.v17_r74816_dynamic:
+				case ConfuserVersion.v17_r74816_native:
 					return findKey4_other(method, out key);
 				default:
 					throw new ApplicationException("Invalid version");
@@ -152,6 +158,9 @@ namespace de4dot.code.deobfuscators.Confuser {
 				case ConfuserVersion.v17_r74788_normal:
 				case ConfuserVersion.v17_r74788_dynamic:
 				case ConfuserVersion.v17_r74788_native:
+				case ConfuserVersion.v17_r74816_normal:
+				case ConfuserVersion.v17_r74816_dynamic:
+				case ConfuserVersion.v17_r74816_native:
 					return findKey5_v17_r74788(method, out key);
 				default:
 					key = 0;
@@ -209,7 +218,9 @@ namespace de4dot.code.deobfuscators.Confuser {
 			var method = getDecryptMethod();
 			if (method == null)
 				return;
-			if (DotNetUtils.callsMethod(method, "System.Reflection.Module System.Reflection.Assembly::GetModule(System.String)"))
+			if (DotNetUtils.callsMethod(method, "System.String System.Reflection.Module::get_ScopeName()"))
+				initVersion(method, ConfuserVersion.v17_r74816_normal, ConfuserVersion.v17_r74816_dynamic, ConfuserVersion.v17_r74816_native);
+			else if (DotNetUtils.callsMethod(method, "System.Reflection.Module System.Reflection.Assembly::GetModule(System.String)"))
 				initVersion(method, ConfuserVersion.v17_r74788_normal, ConfuserVersion.v17_r74788_dynamic, ConfuserVersion.v17_r74788_native);
 			else
 				initVersion(method, ConfuserVersion.v17_r74708_normal, ConfuserVersion.v17_r74708_dynamic, ConfuserVersion.v17_r74708_native);
@@ -266,6 +277,9 @@ namespace de4dot.code.deobfuscators.Confuser {
 			case ConfuserVersion.v17_r74788_normal: return decryptConstant_v17_r74788_normal(info, encrypted, offs, typeCode);
 			case ConfuserVersion.v17_r74788_dynamic: return decryptConstant_v17_r74788_dynamic(info, encrypted, offs, typeCode);
 			case ConfuserVersion.v17_r74788_native: return decryptConstant_v17_r74788_native(info, encrypted, offs, typeCode);
+			case ConfuserVersion.v17_r74816_normal: return decryptConstant_v17_r74788_normal(info, encrypted, offs, typeCode);
+			case ConfuserVersion.v17_r74816_dynamic: return decryptConstant_v17_r74788_dynamic(info, encrypted, offs, typeCode);
+			case ConfuserVersion.v17_r74816_native: return decryptConstant_v17_r74788_native(info, encrypted, offs, typeCode);
 			default:
 				throw new ApplicationException("Invalid version");
 			}