monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Detect Confuser 1.7 r74021 constants encrypter

Browse Source
This commit is contained in:
de4dot 2012-08-10 16:45:26 +02:00
parent 7984c94522
commit d7eb818203
1 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV15.cs
View File

@ -42,6 +42,8 @@ namespace de4dot.code.deobfuscators.Confuser {
v17_r73822_normal, v17_r73822_normal,
v17_r73822_dynamic, v17_r73822_dynamic,
v17_r73822_native, v17_r73822_native,
v17_r74021_dynamic,
v17_r74021_native,
// v1.7 r74637 was the last version using this constants encrypter. // v1.7 r74637 was the last version using this constants encrypter.
} }
@ -110,6 +112,12 @@ namespace de4dot.code.deobfuscators.Confuser {
DeobUtils.hasInteger(method, 0x10000) && DeobUtils.hasInteger(method, 0x10000) &&
DeobUtils.hasInteger(method, 0xFFFF)) DeobUtils.hasInteger(method, 0xFFFF))
version = ConfuserVersion.v17_r73822_normal; version = ConfuserVersion.v17_r73822_normal;
else if (DotNetUtils.callsMethod(method, "System.Int32 System.Object::GetHashCode()")) {
if ((nativeMethod = findNativeMethod(method)) == null)
version = ConfuserVersion.v17_r74021_dynamic;
else
version = ConfuserVersion.v17_r74021_native;
}
else if ((nativeMethod = findNativeMethod(method)) == null) else if ((nativeMethod = findNativeMethod(method)) == null)
version = ConfuserVersion.v17_r73822_dynamic; version = ConfuserVersion.v17_r73822_dynamic;
else else
@ -141,6 +149,8 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v17_r73822_normal: case ConfuserVersion.v17_r73822_normal:
case ConfuserVersion.v17_r73822_dynamic: case ConfuserVersion.v17_r73822_dynamic:
case ConfuserVersion.v17_r73822_native: case ConfuserVersion.v17_r73822_native:
case ConfuserVersion.v17_r74021_dynamic:
case ConfuserVersion.v17_r74021_native:
if (!add(ConstantsDecrypterUtils.findDictField(info.decryptMethod, info.decryptMethod.DeclaringType))) if (!add(ConstantsDecrypterUtils.findDictField(info.decryptMethod, info.decryptMethod.DeclaringType)))
return false; return false;
if (!add(ConstantsDecrypterUtils.findMemoryStreamField(info.decryptMethod, info.decryptMethod.DeclaringType))) if (!add(ConstantsDecrypterUtils.findMemoryStreamField(info.decryptMethod, info.decryptMethod.DeclaringType)))
@ -179,6 +189,8 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v17_r73822_normal: return decryptConstant_v17_r73404_normal(info, encrypted, offs); case ConfuserVersion.v17_r73822_normal: return decryptConstant_v17_r73404_normal(info, encrypted, offs);
case ConfuserVersion.v17_r73822_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0); case ConfuserVersion.v17_r73822_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
case ConfuserVersion.v17_r73822_native: return decryptConstant_v17_r73764_native(info, encrypted, offs, 0); case ConfuserVersion.v17_r73822_native: return decryptConstant_v17_r73764_native(info, encrypted, offs, 0);
case ConfuserVersion.v17_r74021_dynamic: return decryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
case ConfuserVersion.v17_r74021_native: return decryptConstant_v17_r73764_native(info, encrypted, offs, 0);
default: throw new ApplicationException("Invalid version"); default: throw new ApplicationException("Invalid version");
} }
} }
@ -256,6 +268,11 @@ namespace de4dot.code.deobfuscators.Confuser {
maxRev = 73791; maxRev = 73791;
return true; return true;
case ConfuserVersion.v17_r73822_normal:
minRev = 73822;
maxRev = 74637;
return true;
case ConfuserVersion.v15_r60785_dynamic: case ConfuserVersion.v15_r60785_dynamic:
minRev = 60785; minRev = 60785;
maxRev = 72868; maxRev = 72868;
@ -277,10 +294,15 @@ namespace de4dot.code.deobfuscators.Confuser {
maxRev = 73791; maxRev = 73791;
return true; return true;
case ConfuserVersion.v17_r73822_normal:
case ConfuserVersion.v17_r73822_dynamic: case ConfuserVersion.v17_r73822_dynamic:
case ConfuserVersion.v17_r73822_native: case ConfuserVersion.v17_r73822_native:
minRev = 73822; minRev = 73822;
maxRev = 73822;
return true;
case ConfuserVersion.v17_r74021_dynamic:
case ConfuserVersion.v17_r74021_native:
minRev = 74021;
maxRev = 74637; maxRev = 74637;
return true; return true;