Support latest CryptoObfuscator
parent
9b2ed7acca
commit
954f0af743
|
@ -70,7 +70,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
!ContainsString(method, "run under") &&
|
!ContainsString(method, "run under") &&
|
||||||
!ContainsString(method, "run with") &&
|
!ContainsString(method, "run with") &&
|
||||||
!ContainsString(method, "started under") &&
|
!ContainsString(method, "started under") &&
|
||||||
!ContainsString(method, "{0} detected"))
|
!ContainsString(method, "{0} detected") &&
|
||||||
|
!ContainsString(method, "{0} found"))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
antiDebuggerType = type;
|
antiDebuggerType = type;
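Review bot: The added `"{0} found"` marker at the end of the `ContainsString` chain is far more generic than the neighbouring "run under" / "started under" messages, so it widens what can be accepted as the anti-debugger type. Whether earlier checks in this loop already pin the type down is not visible, because the condition starts outside the hunk; if they do not, an unrelated method that formats a "{0} found" message could end up assigned to `antiDebuggerType`. At minimum, record where the marker comes from so it can be tightened later, e.g. `// "{0} found": message text used by newer CryptoObfuscator builds (<version>)`.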
|
||||||
|
|
|
@ -110,7 +110,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
MethodDef GetProxyCreateMethod(TypeDef type) {
|
MethodDef GetProxyCreateMethod(TypeDef type) {
|
||||||
if (DotNetUtils.FindFieldType(type, "System.ModuleHandle", true) == null)
|
if (DotNetUtils.FindFieldType(type, "System.ModuleHandle", true) == null)
|
||||||
return null;
|
return null;
|
||||||
if (type.Fields.Count < 1 || type.Fields.Count > 18)
|
if (type.Fields.Count < 1 || type.Fields.Count > 20)
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
MethodDef createMethod = null;
|
MethodDef createMethod = null;
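Review bot: The upper bound in `if (type.Fields.Count < 1 || type.Fields.Count > 20)` is a bare number that was simply raised from 18, and the same applies to `type.Methods.Count > 31` (previously 27) in the last hunk of this commit. Nothing records which CryptoObfuscator build needed the larger limit, and each increase lets more unrelated types through this filter, leaving the remaining checks to carry the detection. A named constant with its origin would make the next bump reviewable, for example `const int MaxProxyTypeFields = 20; // 18 until CryptoObfuscator <version>`. GetProxyCreateMethod continues past the end of the hunk.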
|
||||||
|
|
|
@ -180,6 +180,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool CheckFlipBits(MethodDef method) {
|
static bool CheckFlipBits(MethodDef method) {
|
||||||
|
int nots = 0;
|
||||||
var instrs = method.Body.Instructions;
|
var instrs = method.Body.Instructions;
|
||||||
for (int i = 0; i < instrs.Count - 1; i++) {
|
for (int i = 0; i < instrs.Count - 1; i++) {
|
||||||
var ldloc = instrs[i];
|
var ldloc = instrs[i];
|
||||||
|
@ -189,14 +190,11 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
if (local == null || local.Type.GetElementType().GetPrimitiveSize() < 0)
|
if (local == null || local.Type.GetElementType().GetPrimitiveSize() < 0)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var not = instrs[i + 1];
|
if (instrs[i + 1].OpCode.Code == Code.Not)
|
||||||
if (not.OpCode.Code != Code.Not)
|
nots++;
|
||||||
continue;
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return false;
|
return (nots & 1) == 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool UpdateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) {
|
bool UpdateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) {
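Review bot: `return (nots & 1) == 1;` changes CheckFlipBits from "any ldloc/not pair" to "an odd number of pairs", and nothing in the function explains why parity is the right test. The count runs over every matching pair in the method body, so it assumes all counted `not` instructions act on the same value; that assumption should be written down, e.g. `// an even number of 'not's restores the original bits; only an odd count means the data is flipped`. Part of the loop body lies between the two hunks and is not shown. Separately, `method.Body.Instructions` is dereferenced without a null check in the visible lines; if callers can pass a method without a body, add `if (method.Body == null) return false;` at the top.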
|
||||||
|
|
|
@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
|
||||||
if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
|
if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
|
||||||
return false;
|
return false;
|
||||||
if (type.Methods.Count < 3 || type.Methods.Count > 27)
|
if (type.Methods.Count < 3 || type.Methods.Count > 31)
|
||||||
return false;
|
return false;
|
||||||
if (DotNetUtils.GetPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
|
if (DotNetUtils.GetPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
|
||||||
}
|
}
|
||||||
|
|