Remember detected compressor version
parent
ed919ee528
commit
e9125616b9
|
@ -162,12 +162,12 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
memoryMethodsDecrypter.find();
|
memoryMethodsDecrypter.find();
|
||||||
if (memoryMethodsDecrypter.Detected)
|
if (memoryMethodsDecrypter.Detected)
|
||||||
break;
|
break;
|
||||||
initTheRest();
|
initTheRest(null);
|
||||||
} while (false);
|
} while (false);
|
||||||
initializeObfuscatorName();
|
initializeObfuscatorName();
|
||||||
}
|
}
|
||||||
|
|
||||||
void initTheRest() {
|
void initTheRest(Deobfuscator oldOne) {
|
||||||
resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
|
resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
|
||||||
resourceDecrypter.find();
|
resourceDecrypter.find();
|
||||||
|
|
||||||
|
@ -201,7 +201,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
stringDecrypter = new StringDecrypter(module);
|
stringDecrypter = new StringDecrypter(module);
|
||||||
stringDecrypter.find(DeobfuscatedFile);
|
stringDecrypter.find(DeobfuscatedFile);
|
||||||
initializeStringDecrypter();
|
initializeStringDecrypter();
|
||||||
unpacker = new Unpacker(module);
|
unpacker = new Unpacker(module, oldOne == null ? null : oldOne.unpacker);
|
||||||
unpacker.find(DeobfuscatedFile, this);
|
unpacker.find(DeobfuscatedFile, this);
|
||||||
initializeObfuscatorName();
|
initializeObfuscatorName();
|
||||||
}
|
}
|
||||||
|
@ -344,7 +344,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
if (newOne.memoryMethodsDecrypter.Detected)
|
if (newOne.memoryMethodsDecrypter.Detected)
|
||||||
return newOne;
|
return newOne;
|
||||||
}
|
}
|
||||||
newOne.initTheRest();
|
newOne.initTheRest(this);
|
||||||
return newOne;
|
return newOne;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
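Review bot: `initTheRest(Deobfuscator oldOne)` has no comment saying what `oldOne` is for, and the two call sites (`initTheRest(null)` on first detection, `newOne.initTheRest(this)` on the later path) only make sense after reading the new `Unpacker` constructor. I would add `// oldOne: the previous deobfuscator instance whose unpacker version is inherited, or null on first detection` above the method. Note also that `oldOne.unpacker` may itself be null if the old instance left the `do { } while (false)` block through the `memoryMethodsDecrypter.Detected` break before `initTheRest` ran. As far as the visible lines show, that is safe only because the `Unpacker` constructor checks `other != null`, and the comment should say so. The method bodies begin and end outside these hunks.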
|
@ -93,8 +93,10 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
get { return mainAsmResource != null; }
|
get { return mainAsmResource != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public Unpacker(ModuleDefinition module) {
|
public Unpacker(ModuleDefinition module, Unpacker other) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
|
if (other != null)
|
||||||
|
this.version = other.version;
|
||||||
}
|
}
|
||||||
|
|
||||||
static string[] requiredFields = new string[] {
|
static string[] requiredFields = new string[] {
|
||||||
|
@ -115,6 +117,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
var type = entryPoint.DeclaringType;
|
var type = entryPoint.DeclaringType;
|
||||||
if (!new FieldTypes(type).all(requiredFields))
|
if (!new FieldTypes(type).all(requiredFields))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
bool use7zip = type.NestedTypes.Count == 6;
|
bool use7zip = type.NestedTypes.Count == 6;
|
||||||
MethodDefinition decyptMethod;
|
MethodDefinition decyptMethod;
|
||||||
if (use7zip)
|
if (use7zip)
|
||||||
|
@ -123,30 +126,32 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
decyptMethod = findDecryptMethod_inflate(type);
|
decyptMethod = findDecryptMethod_inflate(type);
|
||||||
if (decyptMethod == null)
|
if (decyptMethod == null)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
ConfuserVersion theVersion = ConfuserVersion.Unknown;
|
||||||
var decryptLocals = new LocalTypes(decyptMethod);
|
var decryptLocals = new LocalTypes(decyptMethod);
|
||||||
if (decryptLocals.exists("System.IO.MemoryStream")) {
|
if (decryptLocals.exists("System.IO.MemoryStream")) {
|
||||||
if (DotNetUtils.callsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
|
if (DotNetUtils.callsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
|
||||||
version = ConfuserVersion.v10_r42915;
|
theVersion = ConfuserVersion.v10_r42915;
|
||||||
else if (DotNetUtils.callsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
|
else if (DotNetUtils.callsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
|
||||||
version = ConfuserVersion.v10_r48717;
|
theVersion = ConfuserVersion.v10_r48717;
|
||||||
else
|
else
|
||||||
version = ConfuserVersion.v14_r57778;
|
theVersion = ConfuserVersion.v14_r57778;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
version = ConfuserVersion.v14_r58564;
|
theVersion = ConfuserVersion.v14_r58564;
|
||||||
|
|
||||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
||||||
if (cctor == null)
|
if (cctor == null)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
if ((asmResolverMethod = findAssemblyResolverMethod(entryPoint.DeclaringType)) != null) {
|
if ((asmResolverMethod = findAssemblyResolverMethod(entryPoint.DeclaringType)) != null) {
|
||||||
version = ConfuserVersion.v14_r58802;
|
theVersion = ConfuserVersion.v14_r58802;
|
||||||
simpleDeobfuscator.deobfuscate(asmResolverMethod);
|
simpleDeobfuscator.deobfuscate(asmResolverMethod);
|
||||||
if (!findKey1(asmResolverMethod, out key1))
|
if (!findKey1(asmResolverMethod, out key1))
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
switch (version) {
|
switch (theVersion) {
|
||||||
case ConfuserVersion.v10_r42915:
|
case ConfuserVersion.v10_r42915:
|
||||||
case ConfuserVersion.v10_r48717:
|
case ConfuserVersion.v10_r48717:
|
||||||
case ConfuserVersion.v14_r57778:
|
case ConfuserVersion.v14_r57778:
|
||||||
|
@ -159,21 +164,21 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
break;
|
break;
|
||||||
if (findKey0_v14_r58852(decyptMethod, out key0)) {
|
if (findKey0_v14_r58852(decyptMethod, out key0)) {
|
||||||
if (!decryptLocals.exists("System.Security.Cryptography.RijndaelManaged")) {
|
if (!decryptLocals.exists("System.Security.Cryptography.RijndaelManaged")) {
|
||||||
version = ConfuserVersion.v14_r58852;
|
theVersion = ConfuserVersion.v14_r58852;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (use7zip) {
|
if (use7zip) {
|
||||||
if (new LocalTypes(decyptMethod).exists("System.IO.MemoryStream"))
|
if (new LocalTypes(decyptMethod).exists("System.IO.MemoryStream"))
|
||||||
version = ConfuserVersion.v17_r75076;
|
theVersion = ConfuserVersion.v17_r75076;
|
||||||
else if (module.Name == "Stub.exe")
|
else if (module.Name == "Stub.exe")
|
||||||
version = ConfuserVersion.v18_r75184;
|
theVersion = ConfuserVersion.v18_r75184;
|
||||||
else
|
else
|
||||||
version = ConfuserVersion.v18_r75367;
|
theVersion = ConfuserVersion.v18_r75367;
|
||||||
}
|
}
|
||||||
else if (isDecryptMethod_v17_r73404(decyptMethod))
|
else if (isDecryptMethod_v17_r73404(decyptMethod))
|
||||||
version = ConfuserVersion.v17_r73404;
|
theVersion = ConfuserVersion.v17_r73404;
|
||||||
else
|
else
|
||||||
version = ConfuserVersion.v15_r60785;
|
theVersion = ConfuserVersion.v15_r60785;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
throw new ApplicationException("Could not find magic");
|
throw new ApplicationException("Could not find magic");
|
||||||
|
@ -187,14 +192,15 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
|
|
||||||
if (findEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
|
if (findEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
|
||||||
if (DotNetUtils.callsMethod(asmResolverMethod, "System.Void", "(System.String)"))
|
if (DotNetUtils.callsMethod(asmResolverMethod, "System.Void", "(System.String)"))
|
||||||
version = ConfuserVersion.v17_r73477;
|
theVersion = ConfuserVersion.v17_r73477;
|
||||||
else
|
else
|
||||||
version = ConfuserVersion.v17_r73566;
|
theVersion = ConfuserVersion.v17_r73566;
|
||||||
}
|
}
|
||||||
|
|
||||||
mainAsmResource = findResource(cctor);
|
mainAsmResource = findResource(cctor);
|
||||||
if (mainAsmResource == null)
|
if (mainAsmResource == null)
|
||||||
throw new ApplicationException("Could not find main assembly resource");
|
throw new ApplicationException("Could not find main assembly resource");
|
||||||
|
version = theVersion;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findEntryPointToken(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition cctor, MethodDefinition entryPoint, out uint token) {
|
bool findEntryPointToken(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition cctor, MethodDefinition entryPoint, out uint token) {
|
||||||
|
|
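Review bot: Every early `return` and both `throw new ApplicationException(...)` paths in `find` now leave `version` at the value copied from `other`, while the other state that `find` sets (for example `mainAsmResource`, which backs `Detected`) is not carried over. An instance can therefore report a known compressor version with `Detected` still false. That appears to be the intent of the commit title, but nothing in the code says so. I would add `// Commit only after a complete detection; otherwise keep the version inherited from 'other'` above `version = theVersion;`, plus a one-line comment in the constructor stating that only the version is inherited. Any code that selects a decrypt or decompress path from `version` without first checking `Detected` should be verified against this; such callers are not visible here. `find` starts outside the hunk.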