Detect Confuser 1.7 r74021 constants encrypter
This commit is contained in:
parent
7984c94522
commit
d7eb818203
|
@ -42,6 +42,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
v17_r73822_normal,
|
v17_r73822_normal,
|
||||||
v17_r73822_dynamic,
|
v17_r73822_dynamic,
|
||||||
v17_r73822_native,
|
v17_r73822_native,
|
||||||
|
v17_r74021_dynamic,
|
||||||
|
v17_r74021_native,
|
||||||
// v1.7 r74637 was the last version using this constants encrypter.
|
// v1.7 r74637 was the last version using this constants encrypter.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -110,6 +112,12 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
DeobUtils.hasInteger(method, 0x10000) &&
|
DeobUtils.hasInteger(method, 0x10000) &&
|
||||||
DeobUtils.hasInteger(method, 0xFFFF))
|
DeobUtils.hasInteger(method, 0xFFFF))
|
||||||
version = ConfuserVersion.v17_r73822_normal;
|
version = ConfuserVersion.v17_r73822_normal;
|
||||||
|
else if (DotNetUtils.callsMethod(method, "System.Int32 System.Object::GetHashCode()")) {
|
||||||
|
if ((nativeMethod = findNativeMethod(method)) == null)
|
||||||
|
version = ConfuserVersion.v17_r74021_dynamic;
|
||||||
|
else
|
||||||
|
version = ConfuserVersion.v17_r74021_native;
|
||||||
|
}
|
||||||
else if ((nativeMethod = findNativeMethod(method)) == null)
|
else if ((nativeMethod = findNativeMethod(method)) == null)
|
||||||
version = ConfuserVersion.v17_r73822_dynamic;
|
version = ConfuserVersion.v17_r73822_dynamic;
|
||||||
else
|
else
|
||||||
|
@ -141,6 +149,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v17_r73822_normal:
|
case ConfuserVersion.v17_r73822_normal:
|
||||||
case ConfuserVersion.v17_r73822_dynamic:
|
case ConfuserVersion.v17_r73822_dynamic:
|
||||||
case ConfuserVersion.v17_r73822_native:
|
case ConfuserVersion.v17_r73822_native:
|
||||||
|
case ConfuserVersion.v17_r74021_dynamic:
|
||||||
|
case ConfuserVersion.v17_r74021_native:
|
||||||
if (!add(ConstantsDecrypterUtils.findDictField(info.decryptMethod, info.decryptMethod.DeclaringType)))
|
if (!add(ConstantsDecrypterUtils.findDictField(info.decryptMethod, info.decryptMethod.DeclaringType)))
|
||||||
return false;
|
return false;
|
||||||
if (!add(ConstantsDecrypterUtils.findMemoryStreamField(info.decryptMethod, info.decryptMethod.DeclaringType)))
|
if (!add(ConstantsDecrypterUtils.findMemoryStreamField(info.decryptMethod, info.decryptMethod.DeclaringType)))
|
||||||
|
@ -179,6 +189,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v17_r73822_normal: return decryptConstant_v17_r73404_normal(info, encrypted, offs);
|
case ConfuserVersion.v17_r73822_normal: return decryptConstant_v17_r73404_normal(info, encrypted, offs);
|
||||||
case ConfuserVersion.v17_r73822_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
|
case ConfuserVersion.v17_r73822_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
|
||||||
case ConfuserVersion.v17_r73822_native: return decryptConstant_v17_r73764_native(info, encrypted, offs, 0);
|
case ConfuserVersion.v17_r73822_native: return decryptConstant_v17_r73764_native(info, encrypted, offs, 0);
|
||||||
|
case ConfuserVersion.v17_r74021_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
|
||||||
|
case ConfuserVersion.v17_r74021_native: return decryptConstant_v17_r73764_native(info, encrypted, offs, 0);
|
||||||
default: throw new ApplicationException("Invalid version");
|
default: throw new ApplicationException("Invalid version");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -256,6 +268,11 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
maxRev = 73791;
|
maxRev = 73791;
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
|
case ConfuserVersion.v17_r73822_normal:
|
||||||
|
minRev = 73822;
|
||||||
|
maxRev = 74637;
|
||||||
|
return true;
|
||||||
|
|
||||||
case ConfuserVersion.v15_r60785_dynamic:
|
case ConfuserVersion.v15_r60785_dynamic:
|
||||||
minRev = 60785;
|
minRev = 60785;
|
||||||
maxRev = 72868;
|
maxRev = 72868;
|
||||||
|
@ -277,10 +294,15 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
maxRev = 73791;
|
maxRev = 73791;
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
case ConfuserVersion.v17_r73822_normal:
|
|
||||||
case ConfuserVersion.v17_r73822_dynamic:
|
case ConfuserVersion.v17_r73822_dynamic:
|
||||||
case ConfuserVersion.v17_r73822_native:
|
case ConfuserVersion.v17_r73822_native:
|
||||||
minRev = 73822;
|
minRev = 73822;
|
||||||
|
maxRev = 73822;
|
||||||
|
return true;
|
||||||
|
|
||||||
|
case ConfuserVersion.v17_r74021_dynamic:
|
||||||
|
case ConfuserVersion.v17_r74021_native:
|
||||||
|
minRev = 74021;
|
||||||
maxRev = 74637;
|
maxRev = 74637;
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user