From e68b71e8e434c033a50ab6fa51a8ffee2e94b7e9 Mon Sep 17 00:00:00 2001 From: de4dot Date: Sun, 22 Sep 2013 18:35:58 +0200 Subject: [PATCH] Support Confuser 1.9 r79630 --- .../Confuser/ConstantsDecrypterV18.cs | 55 ++++++++++++++++--- .../deobfuscators/Confuser/VersionDetector.cs | 3 +- 2 files changed, 50 insertions(+), 8 deletions(-) diff --git a/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV18.cs b/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV18.cs index d7f2eb21..f315cf05 100644 --- a/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV18.cs +++ b/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV18.cs @@ -60,6 +60,9 @@ namespace de4dot.code.deobfuscators.Confuser { v19_r78363_normal, v19_r78363_dynamic, v19_r78363_native, + v19_r79630_normal, + v19_r79630_dynamic, + v19_r79630_native, } public class DecrypterInfo { @@ -124,6 +127,9 @@ namespace de4dot.code.deobfuscators.Confuser { case ConfuserVersion.v19_r78363_normal: case ConfuserVersion.v19_r78363_dynamic: case ConfuserVersion.v19_r78363_native: + case ConfuserVersion.v19_r79630_normal: + case ConfuserVersion.v19_r79630_dynamic: + case ConfuserVersion.v19_r79630_native: return Hash1(key0l * magic); default: throw new ApplicationException("Invalid version"); 
@@ -220,10 +226,18 @@ namespace de4dot.code.deobfuscators.Confuser {
 InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native);
 else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)"))
 InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native);
- else if (!DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
- InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
- else
+ else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
 InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native);
+ else {
+ int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
+ int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
+ if (index1 < 0 || index2 < 0) {
+ }
+ if (index2 - index1 == 3)
+ InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
+ else if (index2 - index1 == -4)
+ InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native);
+ }
 }
 else
 return;
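Review bot: The guard `if (index1 < 0 || index2 < 0) { }` in the new `else` block has an empty body, so a negative not-found result from FindCallMethod still flows into `index2 - index1`. The difference can then equal 3 or -4 by coincidence and select a version from a failed lookup, and when neither comparison matches no InitVersion call runs on this path. If the intent was to give up the way the outer `else return;` does, write `if (index1 < 0 || index2 < 0) return;`. The enclosing method starts and ends outside the hunk, so check that an early return is correct there.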
@@ -296,12 +310,26 @@ namespace de4dot.code.deobfuscators.Confuser { if (index < 0) break; int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); - if (index2 - index != 3) + int ldci4Index; + switch (index2 - index) { + case 3: + // rev <= r79440 + ldci4Index = index + 1; + break; + + case -4: + // rev >= r79630 + ldci4Index = index2 - 2; + break; + + default: continue; - var ldci4 = instrs[index + 1]; + } + + var ldci4 = instrs[ldci4Index]; if (!ldci4.IsLdcI4()) continue; - if (!instrs[index + 2].IsLdloc()) + if (!instrs[ldci4Index + 1].IsLdloc()) continue; key = (uint)ldci4.GetLdcI4Value(); @@ -423,6 +451,9 @@ namespace de4dot.code.deobfuscators.Confuser { case ConfuserVersion.v19_r78363_normal: case ConfuserVersion.v19_r78363_dynamic: case ConfuserVersion.v19_r78363_native: + case ConfuserVersion.v19_r79630_normal: + case ConfuserVersion.v19_r79630_dynamic: + case ConfuserVersion.v19_r79630_native: return FindKeys_v18_r75369(info); default: throw new ApplicationException("Invalid version"); @@ -597,6 +628,7 @@ namespace de4dot.code.deobfuscators.Confuser { case ConfuserVersion.v19_r77172_normal: case ConfuserVersion.v19_r78056_normal: case ConfuserVersion.v19_r78363_normal: + case ConfuserVersion.v19_r79630_normal: return DecryptResource_v18_r75367_normal(encrypted); case ConfuserVersion.v18_r75367_dynamic: @@ -604,6 +636,7 @@ namespace de4dot.code.deobfuscators.Confuser { case ConfuserVersion.v19_r77172_dynamic: case ConfuserVersion.v19_r78056_dynamic: case ConfuserVersion.v19_r78363_dynamic: + case ConfuserVersion.v19_r79630_dynamic: return DecryptResource_v18_r75367_dynamic(encrypted); case ConfuserVersion.v18_r75367_native: 
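Review bot: In the `@@ -296` hunk, `case -4` sets `ldci4Index = index2 - 2` with no lower bound, and `index2` is never tested for a negative not-found result the way `index` is just above it. A failed get_MetadataToken lookup with `index == 3`, or a match at instruction 0 or 1, makes `ldci4Index` negative, so `instrs[ldci4Index]` throws instead of skipping the candidate; a malformed or deliberately crafted input assembly can reach that path. Adding `if (index2 < 2) continue;` as the first statement of `case -4` keeps the scan going, assuming the enclosing loop (which starts outside the hunk) is the one the existing `continue` statements target.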
@@ -611,6 +644,7 @@ namespace de4dot.code.deobfuscators.Confuser { case ConfuserVersion.v19_r77172_native: case ConfuserVersion.v19_r78056_native: case ConfuserVersion.v19_r78363_native: + case ConfuserVersion.v19_r79630_native: return DecryptResource_v18_r75367_native(encrypted); default: @@ -811,7 +845,7 @@ namespace de4dot.code.deobfuscators.Confuser { minRev = 78056; // r78964 removed code that made it impossible to differentiate it from this // version. All we know is that it can't be r78363-r78963. - maxRev = int.MaxValue; + maxRev = 79440; return true; case ConfuserVersion.v19_r78363_normal: @@ -821,6 +855,13 @@ namespace de4dot.code.deobfuscators.Confuser { maxRev = 78963; return true; + case ConfuserVersion.v19_r79630_normal: + case ConfuserVersion.v19_r79630_dynamic: + case ConfuserVersion.v19_r79630_native: + minRev = 79630; + maxRev = int.MaxValue; + return true; + default: throw new ApplicationException("Invalid version"); } } diff --git a/de4dot.code/deobfuscators/Confuser/VersionDetector.cs b/de4dot.code/deobfuscators/Confuser/VersionDetector.cs index 60a2b6e9..118cb2c2 100644 --- a/de4dot.code/deobfuscators/Confuser/VersionDetector.cs +++ b/de4dot.code/deobfuscators/Confuser/VersionDetector.cs @@ -46,7 +46,8 @@ namespace de4dot.code.deobfuscators.Confuser { 76558, 76580, 76656, 76871, 76923, 76924, 76933, 76934, 76972, 76974, 77124, 77172, 77447, 77501, 78056, 78072, 78086, 78196, 78197, 78342, 78363, 78377, 78612, 78638, - 78642, 78730, 78731, 78962, 78963, 78964, + 78642, 78730, 78731, 78962, 78963, 78964, 79256, 79257, + 79258, 79440, 79630, }; static Dictionary revToVersion = new Dictionary {
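Review bot: In the `@@ -811` hunk the comment above `maxRev = 79440;` still explains only the r78363-r78963 gap and says nothing about the new upper bound. A line such as `// r79630 and later are detected separately (v19_r79630_*), so this range ends at r79440.` would record why the bound is no longer `int.MaxValue`. The enclosing switch starts outside the hunk.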