diff --git a/blocks/cflow/BranchEmulator.cs b/blocks/cflow/BranchEmulator.cs
index d5e3a8c4..ab605146 100644
--- a/blocks/cflow/BranchEmulator.cs
+++ b/blocks/cflow/BranchEmulator.cs
@@ -220,7 +220,7 @@ namespace de4dot.blocks.cflow {
 return emulateBranch(1, Int64Value.compareFalse((Int64Value)val1));
 else if (val1.isNull())
 return emulateBranch(1, true);
- else if (val1.isObject() || val1.isString() || val1.isBoxed())
+ else if (val1.isObject() || val1.isString())
 return emulateBranch(1, false);
 else
 return false;
@@ -235,7 +235,7 @@ namespace de4dot.blocks.cflow {
 return emulateBranch(1, Int64Value.compareTrue((Int64Value)val1));
 else if (val1.isNull())
 return emulateBranch(1, false);
- else if (val1.isObject() || val1.isString() || val1.isBoxed())
+ else if (val1.isObject() || val1.isString())
 return emulateBranch(1, true);
 else
 return false;
diff --git a/de4dot.code/ObfuscatedFile.cs b/de4dot.code/ObfuscatedFile.cs
index 8fe501a8..88b33c45 100644
--- a/de4dot.code/ObfuscatedFile.cs
+++ b/de4dot.code/ObfuscatedFile.cs
@@ -248,7 +248,6 @@ namespace de4dot.code {
 if (this.deob != null) {
 deob.init(module);
 deob.DeobfuscatedFile = this;
- deob.earlyDetect();
 deob.detect();
 return;
 }
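Review bot: Nothing at the two edited conditions (this hunk at 220 and the matching one at 235) records why `val1.isBoxed()` was dropped, so a later cleanup could restore it and the emulator would again decide a branch it cannot prove. Presumably the reason is that a box result is not guaranteed to be non-null (boxing an empty Nullable<T> yields null); if so, say it above each condition, e.g. `// Boxed values stay undecided: box may produce null (empty Nullable<T>), so fall through to "return false"`. A wrongly decided branch makes the deobfuscator drop a live code path from the cleaned output, and an analyst reading that output has no way to notice. Both methods start and end outside these hunks.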
@@ -261,35 +260,14 @@ namespace de4dot.code {
 if (options.ForcedObfuscatorType != null) {
 foreach (var deob in deobfuscators) {
 if (string.Equals(options.ForcedObfuscatorType, deob.Type, StringComparison.OrdinalIgnoreCase)) {
- deob.earlyDetect();
 this.deob = deob;
 deob.detect();
 return;
 }
 }
 }
- else {
- this.deob = earlyDetectObfuscator(deobfuscators);
- if (this.deob == null)
- this.deob = detectObfuscator2(deobfuscators);
- else
- this.deob.detect();
- }
- }
-
- IDeobfuscator earlyDetectObfuscator(IEnumerable deobfuscators) {
- IDeobfuscator detected = null;
- int detectVal = 0;
- foreach (var deob in deobfuscators) {
- int val = deob.earlyDetect();
- if (val > 0)
- Log.v("{0,3}: {1}", val, deob.TypeLong);
- if (val > detectVal) {
- detectVal = val;
- detected = deob;
- }
- }
- return detected;
+ else
+ this.deob = detectObfuscator2(deobfuscators);
 }
 IDeobfuscator detectObfuscator2(IEnumerable deobfuscators) {
diff --git a/de4dot.code/deobfuscators/DeobfuscatorBase.cs b/de4dot.code/deobfuscators/DeobfuscatorBase.cs
index 701ebdbb..63943cb6 100644
--- a/de4dot.code/deobfuscators/DeobfuscatorBase.cs
+++ b/de4dot.code/deobfuscators/DeobfuscatorBase.cs
@@ -127,10 +127,6 @@ namespace de4dot.code.deobfuscators {
 return optionsBase.ValidNameRegex.isMatch(name);
 }
- public virtual int earlyDetect() {
- return 0;
- }
-
 public virtual int detect() {
 scanForObfuscator();
 return detectInternal();
diff --git a/de4dot.code/deobfuscators/IDeobfuscator.cs b/de4dot.code/deobfuscators/IDeobfuscator.cs
index dd852c71..e13fe2ec 100644
--- a/de4dot.code/deobfuscators/IDeobfuscator.cs
+++ b/de4dot.code/deobfuscators/IDeobfuscator.cs
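Review bot: In the `options.ForcedObfuscatorType != null` branch of the hunk at 261, a name that matches no entry in `deobfuscators` lets the `foreach` finish without assigning `this.deob`, and the new `else` only covers the unforced case, so the method returns with no deobfuscator selected. Unless the type name is validated before this point (not visible here), fail explicitly after the loop, e.g. `throw new ApplicationException(string.Format("Unknown obfuscator type '{0}'", options.ForcedObfuscatorType));` or the project's own error type, instead of leaving a null to be dereferenced later. The new `else` also drops the braces that the preceding `if` uses. The method begins outside the hunk.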
@@ -72,11 +72,6 @@ namespace de4dot.code.deobfuscators {
 void init(ModuleDefinition module);
- // Same as detect() but may be used by deobfuscators to detect obfuscator that decrypt
- // metadata at runtime. Code in detect() assume they can access everything. 0 should be
- // returned if not detected.
- int earlyDetect();
-
 // Returns 0 if it's not detected, or > 0 if detected (higher value => more likely true).
 // This method is always called.
 int detect();
diff --git a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
index d192c632..4a3308cd 100644
--- a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
@@ -86,6 +86,8 @@ namespace de4dot.code.deobfuscators.Unknown {
 string scanTypes() {
 foreach (var type in module.Types) {
+ if (type.FullName == "ConfusedByAttribute")
+ return "Confuser";
 if (type.FullName == "ZYXDNGuarder")
 return "DNGuard HVM";
 if (type.Name.Contains("();\t"))
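Review bot: The added check in `scanTypes()` names the obfuscator from a single type name, `ConfusedByAttribute`, which is a watermark and not a property of the protection itself: it can be stripped from a protected file, or be present in a file protected by something else. Since the returned string is what the user is told, mark it as a hint with a comment such as `// Watermark type only: its presence is a hint, its absence proves nothing`. The `FullName` comparison also appears to match the type only when it sits in the global namespace, which is worth stating in the same comment if that is intended. `scanTypes()` continues past the end of the hunk.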