monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove Confuser 1.4 r58564 anti dumping type

Browse Source
This commit is contained in:
de4dot 2012-07-31 20:05:52 +02:00
parent 3e49c0bfa5
commit c652d49353
1 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
de4dot.code/deobfuscators/Confuser/AntiDumping.cs
View File

@ -61,7 +61,7 @@ namespace de4dot.code.deobfuscators.Confuser {
continue; continue;
simpleDeobfuscator.deobfuscate(calledMethod, true); simpleDeobfuscator.deobfuscate(calledMethod, true);
if (checkInitMethod(calledMethod)) { if (checkInitMethod_vXX(calledMethod) || checkInitMethod_v14_r58564(calledMethod)) {
initMethod = calledMethod; initMethod = calledMethod;
return true; return true;
} }
@ -69,7 +69,31 @@ namespace de4dot.code.deobfuscators.Confuser {
return false; return false;
} }
bool checkInitMethod(MethodDefinition method) { static bool checkInitMethod_v14_r58564(MethodDefinition method) {
if (method == null || method.Body == null || !method.IsStatic)
return false;
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
return false;
if (DotNetUtils.getPInvokeMethod(method.DeclaringType, "kernel32", "VirtualProtect") == null)
return false;
if (!DeobUtils.hasInteger(method, 224))
return false;
if (!DeobUtils.hasInteger(method, 240))
return false;
if (!DeobUtils.hasInteger(method, 267))
return false;
var type = method.DeclaringType;
if (type.Methods.Count != 2)
return false;
if (type.Fields.Count != 0)
return false;
if (type.Properties.Count != 0)
return false;
return true;
}
static bool checkInitMethod_vXX(MethodDefinition method) {
if (method == null || method.Body == null || !method.IsStatic) if (method == null || method.Body == null || !method.IsStatic)
return false; return false;
if (!DotNetUtils.isMethod(method, "System.Void", "()")) if (!DotNetUtils.isMethod(method, "System.Void", "()"))