Support Confuser 1.9 r79630
This commit is contained in:
parent
9ddad4bb5a
commit
e68b71e8e4
|
@ -60,6 +60,9 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
v19_r78363_normal,
|
v19_r78363_normal,
|
||||||
v19_r78363_dynamic,
|
v19_r78363_dynamic,
|
||||||
v19_r78363_native,
|
v19_r78363_native,
|
||||||
|
v19_r79630_normal,
|
||||||
|
v19_r79630_dynamic,
|
||||||
|
v19_r79630_native,
|
||||||
}
|
}
|
||||||
|
|
||||||
public class DecrypterInfo {
|
public class DecrypterInfo {
|
||||||
|
@ -124,6 +127,9 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v19_r78363_normal:
|
case ConfuserVersion.v19_r78363_normal:
|
||||||
case ConfuserVersion.v19_r78363_dynamic:
|
case ConfuserVersion.v19_r78363_dynamic:
|
||||||
case ConfuserVersion.v19_r78363_native:
|
case ConfuserVersion.v19_r78363_native:
|
||||||
|
case ConfuserVersion.v19_r79630_normal:
|
||||||
|
case ConfuserVersion.v19_r79630_dynamic:
|
||||||
|
case ConfuserVersion.v19_r79630_native:
|
||||||
return Hash1(key0l * magic);
|
return Hash1(key0l * magic);
|
||||||
default:
|
default:
|
||||||
throw new ApplicationException("Invalid version");
|
throw new ApplicationException("Invalid version");
|
||||||
|
@ -220,10 +226,18 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native);
|
InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native);
|
||||||
else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)"))
|
else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)"))
|
||||||
InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native);
|
InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native);
|
||||||
else if (!DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
|
else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
|
||||||
InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
|
|
||||||
else
|
|
||||||
InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native);
|
InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native);
|
||||||
|
else {
|
||||||
|
int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
|
||||||
|
int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
|
||||||
|
if (index1 < 0 || index2 < 0) {
|
||||||
|
}
|
||||||
|
if (index2 - index1 == 3)
|
||||||
|
InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
|
||||||
|
else if (index2 - index1 == -4)
|
||||||
|
InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
return;
|
return;
|
||||||
|
@ -296,12 +310,26 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
if (index < 0)
|
if (index < 0)
|
||||||
break;
|
break;
|
||||||
int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
|
int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
|
||||||
if (index2 - index != 3)
|
int ldci4Index;
|
||||||
|
switch (index2 - index) {
|
||||||
|
case 3:
|
||||||
|
// rev <= r79440
|
||||||
|
ldci4Index = index + 1;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case -4:
|
||||||
|
// rev >= r79630
|
||||||
|
ldci4Index = index2 - 2;
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
continue;
|
continue;
|
||||||
var ldci4 = instrs[index + 1];
|
}
|
||||||
|
|
||||||
|
var ldci4 = instrs[ldci4Index];
|
||||||
if (!ldci4.IsLdcI4())
|
if (!ldci4.IsLdcI4())
|
||||||
continue;
|
continue;
|
||||||
if (!instrs[index + 2].IsLdloc())
|
if (!instrs[ldci4Index + 1].IsLdloc())
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
key = (uint)ldci4.GetLdcI4Value();
|
key = (uint)ldci4.GetLdcI4Value();
|
||||||
|
@ -423,6 +451,9 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v19_r78363_normal:
|
case ConfuserVersion.v19_r78363_normal:
|
||||||
case ConfuserVersion.v19_r78363_dynamic:
|
case ConfuserVersion.v19_r78363_dynamic:
|
||||||
case ConfuserVersion.v19_r78363_native:
|
case ConfuserVersion.v19_r78363_native:
|
||||||
|
case ConfuserVersion.v19_r79630_normal:
|
||||||
|
case ConfuserVersion.v19_r79630_dynamic:
|
||||||
|
case ConfuserVersion.v19_r79630_native:
|
||||||
return FindKeys_v18_r75369(info);
|
return FindKeys_v18_r75369(info);
|
||||||
default:
|
default:
|
||||||
throw new ApplicationException("Invalid version");
|
throw new ApplicationException("Invalid version");
|
||||||
|
@ -597,6 +628,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v19_r77172_normal:
|
case ConfuserVersion.v19_r77172_normal:
|
||||||
case ConfuserVersion.v19_r78056_normal:
|
case ConfuserVersion.v19_r78056_normal:
|
||||||
case ConfuserVersion.v19_r78363_normal:
|
case ConfuserVersion.v19_r78363_normal:
|
||||||
|
case ConfuserVersion.v19_r79630_normal:
|
||||||
return DecryptResource_v18_r75367_normal(encrypted);
|
return DecryptResource_v18_r75367_normal(encrypted);
|
||||||
|
|
||||||
case ConfuserVersion.v18_r75367_dynamic:
|
case ConfuserVersion.v18_r75367_dynamic:
|
||||||
|
@ -604,6 +636,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v19_r77172_dynamic:
|
case ConfuserVersion.v19_r77172_dynamic:
|
||||||
case ConfuserVersion.v19_r78056_dynamic:
|
case ConfuserVersion.v19_r78056_dynamic:
|
||||||
case ConfuserVersion.v19_r78363_dynamic:
|
case ConfuserVersion.v19_r78363_dynamic:
|
||||||
|
case ConfuserVersion.v19_r79630_dynamic:
|
||||||
return DecryptResource_v18_r75367_dynamic(encrypted);
|
return DecryptResource_v18_r75367_dynamic(encrypted);
|
||||||
|
|
||||||
case ConfuserVersion.v18_r75367_native:
|
case ConfuserVersion.v18_r75367_native:
|
||||||
|
@ -611,6 +644,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v19_r77172_native:
|
case ConfuserVersion.v19_r77172_native:
|
||||||
case ConfuserVersion.v19_r78056_native:
|
case ConfuserVersion.v19_r78056_native:
|
||||||
case ConfuserVersion.v19_r78363_native:
|
case ConfuserVersion.v19_r78363_native:
|
||||||
|
case ConfuserVersion.v19_r79630_native:
|
||||||
return DecryptResource_v18_r75367_native(encrypted);
|
return DecryptResource_v18_r75367_native(encrypted);
|
||||||
|
|
||||||
default:
|
default:
|
||||||
|
@ -811,7 +845,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
minRev = 78056;
|
minRev = 78056;
|
||||||
// r78964 removed code that made it impossible to differentiate it from this
|
// r78964 removed code that made it impossible to differentiate it from this
|
||||||
// version. All we know is that it can't be r78363-r78963.
|
// version. All we know is that it can't be r78363-r78963.
|
||||||
maxRev = int.MaxValue;
|
maxRev = 79440;
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
case ConfuserVersion.v19_r78363_normal:
|
case ConfuserVersion.v19_r78363_normal:
|
||||||
|
@ -821,6 +855,13 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
maxRev = 78963;
|
maxRev = 78963;
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
|
case ConfuserVersion.v19_r79630_normal:
|
||||||
|
case ConfuserVersion.v19_r79630_dynamic:
|
||||||
|
case ConfuserVersion.v19_r79630_native:
|
||||||
|
minRev = 79630;
|
||||||
|
maxRev = int.MaxValue;
|
||||||
|
return true;
|
||||||
|
|
||||||
default: throw new ApplicationException("Invalid version");
|
default: throw new ApplicationException("Invalid version");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -46,7 +46,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
76558, 76580, 76656, 76871, 76923, 76924, 76933, 76934,
|
76558, 76580, 76656, 76871, 76923, 76924, 76933, 76934,
|
||||||
76972, 76974, 77124, 77172, 77447, 77501, 78056, 78072,
|
76972, 76974, 77124, 77172, 77447, 77501, 78056, 78072,
|
||||||
78086, 78196, 78197, 78342, 78363, 78377, 78612, 78638,
|
78086, 78196, 78197, 78342, 78363, 78377, 78612, 78638,
|
||||||
78642, 78730, 78731, 78962, 78963, 78964,
|
78642, 78730, 78731, 78962, 78963, 78964, 79256, 79257,
|
||||||
|
79258, 79440, 79630,
|
||||||
};
|
};
|
||||||
|
|
||||||
static Dictionary<int, Version> revToVersion = new Dictionary<int, Version> {
|
static Dictionary<int, Version> revToVersion = new Dictionary<int, Version> {
|
||||||
|
|
Loading…
Reference in New Issue
Block a user