From c652d493533c2c76d529d685916494802cdfa57e Mon Sep 17 00:00:00 2001
From: de4dot
Date: Tue, 31 Jul 2012 20:05:52 +0200
Subject: [PATCH] Remove Confuser 1.4 r58564 anti dumping type
---
 .../deobfuscators/Confuser/AntiDumping.cs | 28 +++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/de4dot.code/deobfuscators/Confuser/AntiDumping.cs b/de4dot.code/deobfuscators/Confuser/AntiDumping.cs
index fcccf25f..61e0212c 100644
--- a/de4dot.code/deobfuscators/Confuser/AntiDumping.cs
+++ b/de4dot.code/deobfuscators/Confuser/AntiDumping.cs
@@ -61,7 +61,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 continue;
 simpleDeobfuscator.deobfuscate(calledMethod, true);
- if (checkInitMethod(calledMethod)) {
+ if (checkInitMethod_vXX(calledMethod) || checkInitMethod_v14_r58564(calledMethod)) {
 initMethod = calledMethod;
 return true;
 }
@@ -69,7 +69,31 @@ namespace de4dot.code.deobfuscators.Confuser {
 return false;
 }
- bool checkInitMethod(MethodDefinition method) {
+ static bool checkInitMethod_v14_r58564(MethodDefinition method) {
+ if (method == null || method.Body == null || !method.IsStatic)
+ return false;
+ if (!DotNetUtils.isMethod(method, "System.Void", "()"))
+ return false;
+ if (DotNetUtils.getPInvokeMethod(method.DeclaringType, "kernel32", "VirtualProtect") == null)
+ return false;
+ if (!DeobUtils.hasInteger(method, 224))
+ return false;
+ if (!DeobUtils.hasInteger(method, 240))
+ return false;
+ if (!DeobUtils.hasInteger(method, 267))
+ return false;
+ var type = method.DeclaringType;
+ if (type.Methods.Count != 2)
+ return false;
+ if (type.Fields.Count != 0)
+ return false;
+ if (type.Properties.Count != 0)
+ return false;
+
+ return true;
+ }
+
+ static bool checkInitMethod_vXX(MethodDefinition method) {
 if (method == null || method.Body == null || !method.IsStatic)
 return false;
 if (!DotNetUtils.isMethod(method, "System.Void", "()"))
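Review bot: The three constants passed to `DeobUtils.hasInteger` in `checkInitMethod_v14_r58564` (224, 240, 267) carry no explanation, so a maintainer cannot tell which property of the Confuser 1.4 r58564 anti-dump initializer they identify, or adjust them when a later revision shifts. A match marks the declaring type as the anti-dumping type, which the commit subject says is then removed, so a false positive would presumably strip unrelated code. A comment above the method should state what the values are and why the type is expected to have exactly two methods and no fields or properties, for example `// r58564 anti-dump init signature: <meaning of 224/240/267>; type presumably holds only this method plus the VirtualProtect P/Invoke (confirm)`. The opening null/static/`System.Void ()` checks are also repeated verbatim at the top of `checkInitMethod_vXX`, whose body continues outside the hunk. A small shared helper would keep the two signatures from drifting apart.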