Detect Confuser 1.3 r55604 safe string encrypter
This commit is contained in:
parent
72c22d7566
commit
d92ff23740
|
@ -40,8 +40,9 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
v10_r42915,
|
v10_r42915,
|
||||||
v10_r48832,
|
v10_r48832,
|
||||||
v11_r49299,
|
v11_r49299,
|
||||||
v14_r58802_safe, // "safe" string decrypter
|
v13_r55604_safe,
|
||||||
v14_r58802_dynamic, // "dynamic" string decrypter
|
v14_r58802_safe,
|
||||||
|
v14_r58802_dynamic,
|
||||||
// The string decrypter "confusion" was disabled from 1.5 r60785 and it was
|
// The string decrypter "confusion" was disabled from 1.5 r60785 and it was
|
||||||
// replaced by the constants "confusion".
|
// replaced by the constants "confusion".
|
||||||
}
|
}
|
||||||
|
@ -285,8 +286,12 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
|
|
||||||
version = ConfuserVersion.Unknown;
|
version = ConfuserVersion.Unknown;
|
||||||
if (DotNetUtils.callsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()")) {
|
if (DotNetUtils.callsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()")) {
|
||||||
if (foundOldMagic1)
|
if (foundOldMagic1) {
|
||||||
version = ConfuserVersion.v10_r42915;
|
if (DotNetUtils.callsMethod(method, "System.Object System.AppDomain::GetData(System.String)"))
|
||||||
|
version = ConfuserVersion.v13_r55604_safe;
|
||||||
|
else
|
||||||
|
version = ConfuserVersion.v10_r42915;
|
||||||
|
}
|
||||||
else {
|
else {
|
||||||
if (!findSafeKey1(method, out key1))
|
if (!findSafeKey1(method, out key1))
|
||||||
continue;
|
continue;
|
||||||
|
@ -419,6 +424,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
|
|
||||||
switch (version) {
|
switch (version) {
|
||||||
case ConfuserVersion.v10_r42915:
|
case ConfuserVersion.v10_r42915:
|
||||||
|
case ConfuserVersion.v13_r55604_safe:
|
||||||
decrypter = new Decrypter_v10_r42915(this);
|
decrypter = new Decrypter_v10_r42915(this);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user