Merge branch 'master' into confuser

blocks/cflow/BranchEmulator.cs

@@ -220,7 +220,7 @@ namespace de4dot.blocks.cflow {
 				return emulateBranch(1, Int64Value.compareFalse((Int64Value)val1));
 			else if (val1.isNull())
 				return emulateBranch(1, true);
-			else if (val1.isObject() || val1.isString() || val1.isBoxed())
+			else if (val1.isObject() || val1.isString())
 				return emulateBranch(1, false);
 			else
 				return false;
@@ -235,7 +235,7 @@ namespace de4dot.blocks.cflow {
 				return emulateBranch(1, Int64Value.compareTrue((Int64Value)val1));
 			else if (val1.isNull())
 				return emulateBranch(1, false);
-			else if (val1.isObject() || val1.isString() || val1.isBoxed())
+			else if (val1.isObject() || val1.isString())
 				return emulateBranch(1, true);
 			else
 				return false;

de4dot.code/ObfuscatedFile.cs

@@ -248,7 +248,6 @@ namespace de4dot.code {
 			if (this.deob != null) {
 				deob.init(module);
 				deob.DeobfuscatedFile = this;
-				deob.earlyDetect();
 				deob.detect();
 				return;
 			}
@@ -261,35 +260,14 @@ namespace de4dot.code {
 			if (options.ForcedObfuscatorType != null) {
 				foreach (var deob in deobfuscators) {
 					if (string.Equals(options.ForcedObfuscatorType, deob.Type, StringComparison.OrdinalIgnoreCase)) {
-						deob.earlyDetect();
 						this.deob = deob;
 						deob.detect();
 						return;
 					}
 				}
 			}
-			else {
-				this.deob = earlyDetectObfuscator(deobfuscators);
-				if (this.deob == null)
-					this.deob = detectObfuscator2(deobfuscators);
-				else
-					this.deob.detect();
-			}
-		}
-
-		IDeobfuscator earlyDetectObfuscator(IEnumerable<IDeobfuscator> deobfuscators) {
-			IDeobfuscator detected = null;
-			int detectVal = 0;
-			foreach (var deob in deobfuscators) {
-				int val = deob.earlyDetect();
-				if (val > 0)
-					Log.v("{0,3}: {1}", val, deob.TypeLong);
-				if (val > detectVal) {
-					detectVal = val;
-					detected = deob;
-				}
-			}
-			return detected;
+			else
+				this.deob = detectObfuscator2(deobfuscators);
 		}
 
 		IDeobfuscator detectObfuscator2(IEnumerable<IDeobfuscator> deobfuscators) {

de4dot.code/deobfuscators/DeobfuscatorBase.cs

@@ -127,10 +127,6 @@ namespace de4dot.code.deobfuscators {
 			return optionsBase.ValidNameRegex.isMatch(name);
 		}
 
-		public virtual int earlyDetect() {
-			return 0;
-		}
-
 		public virtual int detect() {
 			scanForObfuscator();
 			return detectInternal();

de4dot.code/deobfuscators/IDeobfuscator.cs

@@ -72,11 +72,6 @@ namespace de4dot.code.deobfuscators {
 
 		void init(ModuleDefinition module);
 
-		// Same as detect() but may be used by deobfuscators to detect obfuscator that decrypt
-		// metadata at runtime. Code in detect() assume they can access everything. 0 should be
-		// returned if not detected.
-		int earlyDetect();
-
 		// Returns 0 if it's not detected, or > 0 if detected (higher value => more likely true).
 		// This method is always called.
 		int detect();

de4dot.code/deobfuscators/Unknown/Deobfuscator.cs

@@ -86,6 +86,8 @@ namespace de4dot.code.deobfuscators.Unknown {
 
 		string scanTypes() {
 			foreach (var type in module.Types) {
+				if (type.FullName == "ConfusedByAttribute")
+					return "Confuser";
 				if (type.FullName == "ZYXDNGuarder")
 					return "DNGuard HVM";
 				if (type.Name.Contains("();\t"))