Detect Confuser 1.4 r57778 compressor
This commit is contained in:
parent
12f7034894
commit
dfad2421b2
|
@ -76,6 +76,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
Unknown,
|
Unknown,
|
||||||
v10_r42915,
|
v10_r42915,
|
||||||
v10_r48717,
|
v10_r48717,
|
||||||
|
v14_r57778,
|
||||||
v14_r58564,
|
v14_r58564,
|
||||||
v14_r58802,
|
v14_r58802,
|
||||||
v14_r58852,
|
v14_r58852,
|
||||||
|
@ -125,8 +126,10 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
if (decryptLocals.exists("System.IO.MemoryStream")) {
|
if (decryptLocals.exists("System.IO.MemoryStream")) {
|
||||||
if (DotNetUtils.hasString(entryPoint, ".exe"))
|
if (DotNetUtils.hasString(entryPoint, ".exe"))
|
||||||
version = ConfuserVersion.v10_r42915;
|
version = ConfuserVersion.v10_r42915;
|
||||||
else
|
else if (DotNetUtils.callsMethod(entryPoint, "System.Void System.Security.PermissionSet::.ctor(System.Security.Permissions.PermissionState)"))
|
||||||
version = ConfuserVersion.v10_r48717;
|
version = ConfuserVersion.v10_r48717;
|
||||||
|
else
|
||||||
|
version = ConfuserVersion.v14_r57778;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
version = ConfuserVersion.v14_r58564;
|
version = ConfuserVersion.v14_r58564;
|
||||||
|
@ -145,6 +148,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
switch (version) {
|
switch (version) {
|
||||||
case ConfuserVersion.v10_r42915:
|
case ConfuserVersion.v10_r42915:
|
||||||
case ConfuserVersion.v10_r48717:
|
case ConfuserVersion.v10_r48717:
|
||||||
|
case ConfuserVersion.v14_r57778:
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case ConfuserVersion.v14_r58564:
|
case ConfuserVersion.v14_r58564:
|
||||||
|
@ -450,6 +454,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
switch (version) {
|
switch (version) {
|
||||||
case ConfuserVersion.v10_r42915: return decrypt_v10_r42915(data);
|
case ConfuserVersion.v10_r42915: return decrypt_v10_r42915(data);
|
||||||
case ConfuserVersion.v10_r48717: return decrypt_v10_r42915(data);
|
case ConfuserVersion.v10_r48717: return decrypt_v10_r42915(data);
|
||||||
|
case ConfuserVersion.v14_r57778: return decrypt_v10_r42915(data);
|
||||||
case ConfuserVersion.v14_r58564: return decrypt_v14_r58564(data);
|
case ConfuserVersion.v14_r58564: return decrypt_v14_r58564(data);
|
||||||
case ConfuserVersion.v14_r58802: return decrypt_v14_r58564(data);
|
case ConfuserVersion.v14_r58802: return decrypt_v14_r58564(data);
|
||||||
case ConfuserVersion.v14_r58852: return decrypt_v14_r58852(data);
|
case ConfuserVersion.v14_r58852: return decrypt_v14_r58852(data);
|
||||||
|
@ -558,6 +563,11 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
|
|
||||||
case ConfuserVersion.v10_r48717:
|
case ConfuserVersion.v10_r48717:
|
||||||
minRev = 48717;
|
minRev = 48717;
|
||||||
|
maxRev = 57699;
|
||||||
|
return true;
|
||||||
|
|
||||||
|
case ConfuserVersion.v14_r57778:
|
||||||
|
minRev = 57778;
|
||||||
maxRev = 58446;
|
maxRev = 58446;
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user