Support the latest CryptoObfuscator build
This commit is contained in:
parent
8225f79f3c
commit
9ac79e253e
|
@ -67,7 +67,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
!containsString(method, "Debugger detected") &&
|
!containsString(method, "Debugger detected") &&
|
||||||
!containsString(method, "Debugger was detected") &&
|
!containsString(method, "Debugger was detected") &&
|
||||||
!containsString(method, "{0} was detected") &&
|
!containsString(method, "{0} was detected") &&
|
||||||
!containsString(method, "run under"))
|
!containsString(method, "run under") &&
|
||||||
|
!containsString(method, "run with"))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
antiDebuggerType = type;
|
antiDebuggerType = type;
|
||||||
|
|
|
@ -110,7 +110,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
MethodDef getProxyCreateMethod(TypeDef type) {
|
MethodDef getProxyCreateMethod(TypeDef type) {
|
||||||
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
|
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
|
||||||
return null;
|
return null;
|
||||||
if (type.Fields.Count < 1 || type.Fields.Count > 14)
|
if (type.Fields.Count < 1 || type.Fields.Count > 16)
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
MethodDef createMethod = null;
|
MethodDef createMethod = null;
|
||||||
|
|
|
@ -79,9 +79,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
bool findDesktopOrCompactFramework() {
|
bool findDesktopOrCompactFramework() {
|
||||||
resourceDecrypterType = null;
|
resourceDecrypterType = null;
|
||||||
foreach (var type in module.Types) {
|
foreach (var type in module.Types) {
|
||||||
if (type.Fields.Count != 5)
|
if (type.Fields.Count < 5)
|
||||||
continue;
|
continue;
|
||||||
if (!new FieldTypes(type).exactly(requiredTypes))
|
if (!new FieldTypes(type).all(requiredTypes))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var cctor = type.FindStaticConstructor();
|
var cctor = type.FindStaticConstructor();
|
||||||
|
@ -300,6 +300,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
foreach (var method in type.Methods) {
|
foreach (var method in type.Methods) {
|
||||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.IO.Stream)"))
|
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.IO.Stream)"))
|
||||||
yield return method;
|
yield return method;
|
||||||
|
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int64,System.IO.Stream)"))
|
||||||
|
yield return method;
|
||||||
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int32,System.IO.Stream)"))
|
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int32,System.IO.Stream)"))
|
||||||
yield return method;
|
yield return method;
|
||||||
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int16,System.IO.Stream)"))
|
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int16,System.IO.Stream)"))
|
||||||
|
|
|
@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
|
||||||
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||||
return false;
|
return false;
|
||||||
if (type.Methods.Count < 3 || type.Methods.Count > 20)
|
if (type.Methods.Count < 3 || type.Methods.Count > 24)
|
||||||
return false;
|
return false;
|
||||||
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
|
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user