monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Support the latest CryptoObfuscator build

Browse Source
This commit is contained in:
de4dot 2013-01-15 01:37:21 +01:00
parent 8225f79f3c
commit 9ac79e253e
4 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
View File

@ -67,7 +67,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
!containsString(method, "Debugger detected") && !containsString(method, "Debugger detected") &&
!containsString(method, "Debugger was detected") && !containsString(method, "Debugger was detected") &&
!containsString(method, "{0} was detected") && !containsString(method, "{0} was detected") &&
!containsString(method, "run under")) !containsString(method, "run under") &&
!containsString(method, "run with"))
continue; continue;
antiDebuggerType = type; antiDebuggerType = type;

2
de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs
View File

@ -110,7 +110,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
MethodDef getProxyCreateMethod(TypeDef type) { MethodDef getProxyCreateMethod(TypeDef type) {
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null) if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
return null; return null;
if (type.Fields.Count < 1 || type.Fields.Count > 14) if (type.Fields.Count < 1 || type.Fields.Count > 16)
return null; return null;
MethodDef createMethod = null; MethodDef createMethod = null;

6
de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
View File

@ -79,9 +79,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
bool findDesktopOrCompactFramework() { bool findDesktopOrCompactFramework() {
resourceDecrypterType = null; resourceDecrypterType = null;
foreach (var type in module.Types) { foreach (var type in module.Types) {
if (type.Fields.Count != 5) if (type.Fields.Count < 5)
continue; continue;
if (!new FieldTypes(type).exactly(requiredTypes)) if (!new FieldTypes(type).all(requiredTypes))
continue; continue;
var cctor = type.FindStaticConstructor(); var cctor = type.FindStaticConstructor();
@ -300,6 +300,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
foreach (var method in type.Methods) { foreach (var method in type.Methods) {
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.IO.Stream)")) if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.IO.Stream)"))
yield return method; yield return method;
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int64,System.IO.Stream)"))
yield return method;
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int32,System.IO.Stream)")) else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int32,System.IO.Stream)"))
yield return method; yield return method;
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int16,System.IO.Stream)")) else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int16,System.IO.Stream)"))

2
de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs
View File

@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()")) if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
return false; return false;
if (type.Methods.Count < 3 || type.Methods.Count > 20) if (type.Methods.Count < 3 || type.Methods.Count > 24)
return false; return false;
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) { if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
} }