Support Confuser 1.9 r79630

de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV18.cs

@@ -60,6 +60,9 @@ namespace de4dot.code.deobfuscators.Confuser {
 			v19_r78363_normal,
 			v19_r78363_dynamic,
 			v19_r78363_native,
+			v19_r79630_normal,
+			v19_r79630_dynamic,
+			v19_r79630_native,
 		}
 
 		public class DecrypterInfo {
@@ -124,6 +127,9 @@ namespace de4dot.code.deobfuscators.Confuser {
 				case ConfuserVersion.v19_r78363_normal:
 				case ConfuserVersion.v19_r78363_dynamic:
 				case ConfuserVersion.v19_r78363_native:
+				case ConfuserVersion.v19_r79630_normal:
+				case ConfuserVersion.v19_r79630_dynamic:
+				case ConfuserVersion.v19_r79630_native:
 					return Hash1(key0l * magic);
 				default:
 					throw new ApplicationException("Invalid version");
@@ -220,10 +226,18 @@ namespace de4dot.code.deobfuscators.Confuser {
 					InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native);
 				else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)"))
 					InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native);
-				else if (!DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
+				else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
-					InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
-				else
 					InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native);
+				else {
+					int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
+					int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
+					if (index1 < 0 || index2 < 0) {
+					}
+					if (index2 - index1 == 3)
+						InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
+					else if (index2 - index1 == -4)
+						InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native);
+				}
 			}
 			else
 				return;
@@ -296,12 +310,26 @@ namespace de4dot.code.deobfuscators.Confuser {
 				if (index < 0)
 					break;
 				int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
-				if (index2 - index != 3)
+				int ldci4Index;
+				switch (index2 - index) {
+				case 3:
+					// rev <= r79440
+					ldci4Index = index + 1;
+					break;
+
+				case -4:
+					// rev >= r79630
+					ldci4Index = index2 - 2;
+					break;
+
+				default:
 					continue;
-				var ldci4 = instrs[index + 1];
+				}
+
+				var ldci4 = instrs[ldci4Index];
 				if (!ldci4.IsLdcI4())
 					continue;
-				if (!instrs[index + 2].IsLdloc())
+				if (!instrs[ldci4Index + 1].IsLdloc())
 					continue;
 
 				key = (uint)ldci4.GetLdcI4Value();
@@ -423,6 +451,9 @@ namespace de4dot.code.deobfuscators.Confuser {
 			case ConfuserVersion.v19_r78363_normal:
 			case ConfuserVersion.v19_r78363_dynamic:
 			case ConfuserVersion.v19_r78363_native:
+			case ConfuserVersion.v19_r79630_normal:
+			case ConfuserVersion.v19_r79630_dynamic:
+			case ConfuserVersion.v19_r79630_native:
 				return FindKeys_v18_r75369(info);
 			default:
 				throw new ApplicationException("Invalid version");
@@ -597,6 +628,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 			case ConfuserVersion.v19_r77172_normal:
 			case ConfuserVersion.v19_r78056_normal:
 			case ConfuserVersion.v19_r78363_normal:
+			case ConfuserVersion.v19_r79630_normal:
 				return DecryptResource_v18_r75367_normal(encrypted);
 
 			case ConfuserVersion.v18_r75367_dynamic:
@@ -604,6 +636,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 			case ConfuserVersion.v19_r77172_dynamic:
 			case ConfuserVersion.v19_r78056_dynamic:
 			case ConfuserVersion.v19_r78363_dynamic:
+			case ConfuserVersion.v19_r79630_dynamic:
 				return DecryptResource_v18_r75367_dynamic(encrypted);
 
 			case ConfuserVersion.v18_r75367_native:
@@ -611,6 +644,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 			case ConfuserVersion.v19_r77172_native:
 			case ConfuserVersion.v19_r78056_native:
 			case ConfuserVersion.v19_r78363_native:
+			case ConfuserVersion.v19_r79630_native:
 				return DecryptResource_v18_r75367_native(encrypted);
 
 			default:
@@ -811,7 +845,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 				minRev = 78056;
 				// r78964 removed code that made it impossible to differentiate it from this
 				// version. All we know is that it can't be r78363-r78963.
-				maxRev = int.MaxValue;
+				maxRev = 79440;
 				return true;
 
 			case ConfuserVersion.v19_r78363_normal:
@@ -821,6 +855,13 @@ namespace de4dot.code.deobfuscators.Confuser {
 				maxRev = 78963;
 				return true;
 
+			case ConfuserVersion.v19_r79630_normal:
+			case ConfuserVersion.v19_r79630_dynamic:
+			case ConfuserVersion.v19_r79630_native:
+				minRev = 79630;
+				maxRev = int.MaxValue;
+				return true;
+
 			default: throw new ApplicationException("Invalid version");
 			}
 		}

de4dot.code/deobfuscators/Confuser/VersionDetector.cs

@@ -46,7 +46,8 @@ namespace de4dot.code.deobfuscators.Confuser {
 			76558, 76580, 76656, 76871, 76923, 76924, 76933, 76934,
 			76972, 76974, 77124, 77172, 77447, 77501, 78056, 78072,
 			78086, 78196, 78197, 78342, 78363, 78377, 78612, 78638,
-			78642, 78730, 78731, 78962, 78963, 78964,
+			78642, 78730, 78731, 78962, 78963, 78964, 79256, 79257,
+			79258, 79440, 79630,
 		};
 
 		static Dictionary<int, Version> revToVersion = new Dictionary<int, Version> {