From a34b3f7855911ff61a76f64b0ba6cfc0495e666b Mon Sep 17 00:00:00 2001 From: de4dot Date: Wed, 22 Aug 2012 18:33:27 +0200 Subject: [PATCH] Support latest CO build --- de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs | 3 ++- de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs | 2 +- .../deobfuscators/CryptoObfuscator/ResourceDecrypter.cs | 5 +++-- .../deobfuscators/CryptoObfuscator/TamperDetection.cs | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs index 1704aa20..7b43c0ee 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs @@ -67,7 +67,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { !containsString(method, "run under a debugger") && !containsString(method, "run under debugger") && !containsString(method, "Debugger detected") && - !containsString(method, "Debugger was detected")) + !containsString(method, "Debugger was detected") && + !containsString(method, "{0} was detected")) continue; antiDebuggerType = type; diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs index 52288048..36110571 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs @@ -110,7 +110,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { MethodDefinition getProxyCreateMethod(TypeDefinition type) { if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null) return null; - if (type.Fields.Count < 1 || type.Fields.Count > 10) + if (type.Fields.Count < 1 || type.Fields.Count > 12) return null; MethodDefinition createMethod = null; diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs index 0e84de0d..406c9804 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs @@ -272,12 +272,13 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { var ldci4 = instrs[i]; if (!DotNetUtils.isLdcI4(ldci4)) continue; - if (DotNetUtils.getLdcI4Value(ldci4) != 2) + int loopCount = DotNetUtils.getLdcI4Value(ldci4); + if (loopCount < 2 || loopCount > 3) continue; var blt = instrs[i + 1]; if (blt.OpCode.Code != Code.Blt && blt.OpCode.Code != Code.Blt_S) continue; - return 1; + return loopCount - 1; } return 0; } diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs b/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs index e2512da4..be7f0e6e 100644 --- a/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs +++ b/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs @@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator { if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()")) return false; - if (type.Methods.Count < 3 || type.Methods.Count > 12) + if (type.Methods.Count < 3 || type.Methods.Count > 14) return false; if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) { }