Support Confuser 1.9 r79630

de4dot 2013-09-22 18:35:58 +02:00
parent 9ddad4bb5a
commit e68b71e8e4
2 changed files with 50 additions and 8 deletions


@ -60,6 +60,9 @@ namespace de4dot.code.deobfuscators.Confuser {
v19_r78363_normal,
v19_r78363_dynamic,
v19_r78363_native,
v19_r79630_normal,
v19_r79630_dynamic,
v19_r79630_native,
}
public class DecrypterInfo {
@ -124,6 +127,9 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v19_r78363_normal:
case ConfuserVersion.v19_r78363_dynamic:
case ConfuserVersion.v19_r78363_native:
case ConfuserVersion.v19_r79630_normal:
case ConfuserVersion.v19_r79630_dynamic:
case ConfuserVersion.v19_r79630_native:
return Hash1(key0l * magic);
default:
throw new ApplicationException("Invalid version");
@ -220,10 +226,18 @@ namespace de4dot.code.deobfuscators.Confuser {
InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native);
else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)"))
InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native);
else if (!DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
else
else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native);
else {
int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
if (index1 < 0 || index2 < 0) {
}
if (index2 - index1 == 3)
InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
else if (index2 - index1 == -4)
InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native);
}
}
else
return;
@ -296,12 +310,26 @@ namespace de4dot.code.deobfuscators.Confuser {
if (index < 0)
break;
int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
if (index2 - index != 3)
int ldci4Index;
switch (index2 - index) {
case 3:
// rev <= r79440
ldci4Index = index + 1;
break;
case -4:
// rev >= r79630
ldci4Index = index2 - 2;
break;
default:
continue;
var ldci4 = instrs[index + 1];
}
var ldci4 = instrs[ldci4Index];
if (!ldci4.IsLdcI4())
continue;
if (!instrs[index + 2].IsLdloc())
if (!instrs[ldci4Index + 1].IsLdloc())
continue;
key = (uint)ldci4.GetLdcI4Value();
@ -423,6 +451,9 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v19_r78363_normal:
case ConfuserVersion.v19_r78363_dynamic:
case ConfuserVersion.v19_r78363_native:
case ConfuserVersion.v19_r79630_normal:
case ConfuserVersion.v19_r79630_dynamic:
case ConfuserVersion.v19_r79630_native:
return FindKeys_v18_r75369(info);
default:
throw new ApplicationException("Invalid version");
@ -597,6 +628,7 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v19_r77172_normal:
case ConfuserVersion.v19_r78056_normal:
case ConfuserVersion.v19_r78363_normal:
case ConfuserVersion.v19_r79630_normal:
return DecryptResource_v18_r75367_normal(encrypted);
case ConfuserVersion.v18_r75367_dynamic:
@ -604,6 +636,7 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v19_r77172_dynamic:
case ConfuserVersion.v19_r78056_dynamic:
case ConfuserVersion.v19_r78363_dynamic:
case ConfuserVersion.v19_r79630_dynamic:
return DecryptResource_v18_r75367_dynamic(encrypted);
case ConfuserVersion.v18_r75367_native:
@ -611,6 +644,7 @@ namespace de4dot.code.deobfuscators.Confuser {
case ConfuserVersion.v19_r77172_native:
case ConfuserVersion.v19_r78056_native:
case ConfuserVersion.v19_r78363_native:
case ConfuserVersion.v19_r79630_native:
return DecryptResource_v18_r75367_native(encrypted);
default:
@ -811,7 +845,7 @@ namespace de4dot.code.deobfuscators.Confuser {
minRev = 78056;
// r78964 removed code that made it impossible to differentiate it from this
// version. All we know is that it can't be r78363-r78963.
maxRev = int.MaxValue;
maxRev = 79440;
return true;
case ConfuserVersion.v19_r78363_normal:
@ -821,6 +855,13 @@ namespace de4dot.code.deobfuscators.Confuser {
maxRev = 78963;
return true;
case ConfuserVersion.v19_r79630_normal:
case ConfuserVersion.v19_r79630_dynamic:
case ConfuserVersion.v19_r79630_native:
minRev = 79630;
maxRev = int.MaxValue;
return true;
default: throw new ApplicationException("Invalid version");
}
}
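Review bot: The new `if (index1 < 0 || index2 < 0) { }` guard in the version-detection `else` block has an empty body, so a failed lookup still reaches the `index2 - index1` comparisons. Assuming FindCallMethod returns a negative value on a miss (as the check implies), a miss on one side can yield 3 or -4 by coincidence and select a version that was never matched; making the following line `else if (index2 - index1 == 3)` would close that. The key-finding hunk has the same gap: `index2` is not tested before `switch (index2 - index)`, and in the `-4` case `ldci4Index = index2 - 2` can be negative when `instrs[ldci4Index]` is read, so `if (ldci4Index < 0) continue;` right after the switch would be safer, given that the instruction stream comes from the assembly under analysis. Both enclosing methods start and end outside the hunks shown, so whether a no-match path leaves the version unset could not be checked from here.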


@ -46,7 +46,8 @@ namespace de4dot.code.deobfuscators.Confuser {
76558, 76580, 76656, 76871, 76923, 76924, 76933, 76934,
76972, 76974, 77124, 77172, 77447, 77501, 78056, 78072,
78086, 78196, 78197, 78342, 78363, 78377, 78612, 78638,
78642, 78730, 78731, 78962, 78963, 78964,
78642, 78730, 78731, 78962, 78963, 78964, 79256, 79257,
79258, 79440, 79630,
};
static Dictionary<int, Version> revToVersion = new Dictionary<int, Version> {