Support latest CryptoObfuscator

de4dot 2014-05-09 15:59:50 +02:00
parent 9b2ed7acca
commit 954f0af743
4 changed files with 8 additions and 9 deletions


@ -70,7 +70,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
!ContainsString(method, "run under") && !ContainsString(method, "run under") &&
!ContainsString(method, "run with") && !ContainsString(method, "run with") &&
!ContainsString(method, "started under") && !ContainsString(method, "started under") &&
!ContainsString(method, "{0} detected")) !ContainsString(method, "{0} detected") &&
!ContainsString(method, "{0} found"))
continue; continue;
antiDebuggerType = type; antiDebuggerType = type;
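Review bot: The added `"{0} found"` marker is a very generic format string, and because it is one of several alternatives in this condition, a method containing only that string now gets past the check. Whether the remaining tests on the type (outside this hunk) are strict enough to keep an unrelated type from being assigned to `antiDebuggerType` cannot be seen here, and a wrong match presumably leads to that type being handled as obfuscator code. I would at least record where the string comes from, e.g. `// "{0} found": anti-debugger message seen in CryptoObfuscator <version>`, and consider keeping the markers in one `static readonly string[]` so the list can be reviewed in one place. The enclosing loop starts and ends outside the hunk.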


@ -110,7 +110,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
MethodDef GetProxyCreateMethod(TypeDef type) { MethodDef GetProxyCreateMethod(TypeDef type) {
if (DotNetUtils.FindFieldType(type, "System.ModuleHandle", true) == null) if (DotNetUtils.FindFieldType(type, "System.ModuleHandle", true) == null)
return null; return null;
if (type.Fields.Count < 1 || type.Fields.Count > 18) if (type.Fields.Count < 1 || type.Fields.Count > 20)
return null; return null;
MethodDef createMethod = null; MethodDef createMethod = null;
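Review bot: The upper bound on `type.Fields.Count` moves from 18 to 20 as a bare literal, with nothing recording which CryptoObfuscator build needed the wider range; the same applies to the `type.Methods.Count > 31` bound in the last file of this commit. Each bump loosens the detection signature a little, and without a note the next maintainer cannot tell whether a limit was measured on a sample or guessed. A named constant with a comment would do, e.g. `const int MaxProxyTypeFields = 20; // observed in CryptoObfuscator <version>`. `GetProxyCreateMethod` continues past the end of the hunk.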


@ -180,6 +180,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
} }
static bool CheckFlipBits(MethodDef method) { static bool CheckFlipBits(MethodDef method) {
int nots = 0;
var instrs = method.Body.Instructions; var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) { for (int i = 0; i < instrs.Count - 1; i++) {
var ldloc = instrs[i]; var ldloc = instrs[i];
@ -189,14 +190,11 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
if (local == null || local.Type.GetElementType().GetPrimitiveSize() < 0) if (local == null || local.Type.GetElementType().GetPrimitiveSize() < 0)
continue; continue;
var not = instrs[i + 1]; if (instrs[i + 1].OpCode.Code == Code.Not)
if (not.OpCode.Code != Code.Not) nots++;
continue;
return true;
} }
return false; return (nots & 1) == 1;
} }
bool UpdateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) { bool UpdateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) {
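Review bot: `CheckFlipBits` now returns true only when the number of `ldloc`/`not` pairs is odd, but nothing in the method says why parity is the right test. The count runs over the linear instruction list, so two `not`s applied to different locals, or sitting on mutually exclusive branches, cancel each other and give false; if that is intended because newer builds emit paired `not`s, it should be stated. I would add above the return something like `// An even number of nots cancels out; the bits are flipped only when the count is odd`, and note that the count is not tracked per local. The lines between the two hunks, where `local` is resolved, are not shown.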


@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()")) if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
return false; return false;
if (type.Methods.Count < 3 || type.Methods.Count > 27) if (type.Methods.Count < 3 || type.Methods.Count > 31)
return false; return false;
if (DotNetUtils.GetPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) { if (DotNetUtils.GetPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
} }