Detect Confuser 1.9 r75725 methods encrypter

de4dot 2012-08-10 02:55:27 +02:00
parent f998afd74e
commit 9d386c528c


@ -41,6 +41,7 @@ namespace de4dot.code.deobfuscators.Confuser {
// Removed in Confuser 1.7 r73404 and restored in Confuser 1.7 r73605 // Removed in Confuser 1.7 r73404 and restored in Confuser 1.7 r73605
v17_r73605, v17_r73605,
v18_r75288, v18_r75288,
v19_r75725,
} }
public MemoryMethodsDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) public MemoryMethodsDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator)
@ -91,8 +92,10 @@ namespace de4dot.code.deobfuscators.Confuser {
} }
else if (DotNetUtils.callsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()")) else if (DotNetUtils.callsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()"))
version = ConfuserVersion.v17_r73605; version = ConfuserVersion.v17_r73605;
else else if (DotNetUtils.hasString(initMethod, "<Unknown>"))
version = ConfuserVersion.v18_r75288; version = ConfuserVersion.v18_r75288;
else
version = ConfuserVersion.v19_r75725;
return true; return true;
} }
@ -136,6 +139,7 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v17_r73605: case ConfuserVersion.v17_r73605:
case ConfuserVersion.v18_r75288: case ConfuserVersion.v18_r75288:
case ConfuserVersion.v19_r75725:
return initializeKeys_v17_r73605(); return initializeKeys_v17_r73605();
default: default:
@ -290,6 +294,7 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v17_r72989: return decrypt_v16_r71742(peImage, fileData); case ConfuserVersion.v17_r72989: return decrypt_v16_r71742(peImage, fileData);
case ConfuserVersion.v17_r73605: return decrypt_v17_r73605(peImage, fileData); case ConfuserVersion.v17_r73605: return decrypt_v17_r73605(peImage, fileData);
case ConfuserVersion.v18_r75288: return decrypt_v17_r73605(peImage, fileData); case ConfuserVersion.v18_r75288: return decrypt_v17_r73605(peImage, fileData);
case ConfuserVersion.v19_r75725: return decrypt_v17_r73605(peImage, fileData);
default: throw new ApplicationException("Unknown version"); default: throw new ApplicationException("Unknown version");
} }
} }
@ -449,6 +454,11 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v18_r75288: case ConfuserVersion.v18_r75288:
minRev = 75288; minRev = 75288;
maxRev = 75720;
return true;
case ConfuserVersion.v19_r75725:
minRev = 75725;
maxRev = int.MaxValue; maxRev = int.MaxValue;
return true; return true;