mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity
Detect-It-Easy/db/PE/NetReactor.2.sg
DosX 84c47bc6cc -
2025-03-23 12:41:20 +03:00

105 lines
No EOL
3.6 KiB
JavaScript
Executable file
Raw Blame History

// Detect It Easy: detection rule file
// Author: DosX
// E-Mail: collab@kay-software.ru
// GitHub: https://github.com/DosX-dev
// Telegram: @DosX_dev
// https://www.eziriz.com/dotnet_reactor.htm
init("protector", ".NET Reactor");
function detect() {
var isDetected = false;
var options = "",
version = "";
// === 4.X ===
// by ajax
if (PE.section[".reacto"]) {
if (PE.section[1].FileSize == 0 && PE.section[2].FileSize == 0 && PE.section[3].FileSize == 0) {
version = "2.0-2.1";
}
} else if (PE.compareEP("558becb90f0000006a006a004975f951535657b8........e8")) {
version = "2.X-3.X";
} else if (PE.resource["__"] && PE.compareEP("e8$$$$$$$$8bff558bec83ec10")) {
if (PE.compareEP("e8........e9........6a0c68")) {
version = "4.2";
} else if (PE.compareEP("e8........e9........8bff558bec83ec208b45085657")) {
version = "4.5-4.7";
}
} else if (PE.isNET()) {
if (PE.isSignatureInSectionPresent(0, "558becb90f0000006a006a004975f951535657b8........e8")) {
version = "3.X";
} else if (PE.section.length >= 2) {
if (PE.section[1].Characteristics == 0xc0000040) {
if (PE.isSignatureInSectionPresent(1, "5266686E204D182276B5331112330C6D0A204D18229EA129611C76B505190158")) {
version = "4.8-4.9";
}
}
}
}
// ===========
if (PE.isNET()) {
if (PE.isNetObjectPresent("NecroVM.Runtime")) return null;
// === 6.X ===
if (PE.isSignatureInSectionPresent(0, "6D5F6973526561644F6E6C790B636F6D70617265496E666F0874657874496E666F076E756D496E666F0C6461746554696D65496E666F0863616C656E6461720A6D5F646174614974656D0963756C747572654944066D5F6E616D65116D5F757365557365724F76657272696465")) {
version = "6.X";
}
var signatureToScan = "";
for (var i = 0; i < 5; i++) {
signatureToScan += "'m_'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%00";
}
if (PE.isSignatureInSectionPresent(0, signatureToScan)) {
options += "Control Flow";
version = "6.X";
}
// ===========
// === 6.5 ===
if (PE.isSignatureInSectionPresent(0, "24246D6574686F643078363030303331372D310024246D6574686F643078363030303333322D310024246D6574686F643078363030303333322D320024246D6574686F643078363030303334302D310024246D6574686F643078363030303334302D320024246D6574686F643078363030303335332D310024246D6574686F64")) {
version = "6.5";
}
// ===========
// === ALL VERSIONS ===
if (PE.isSignatureInSectionPresent(0, "2000690073002000740061006D00700065007200650064002E00") && PE.isNetObjectPresent("BinaryReader")) {
options += (options.length != 0 ? " + " : "") + "Anti-Tamper";
}
if (PE.isSignatureInSectionPresent(0, "45007A006900720069007A0027007300200022002E004E00450054002000520065006100630074006F0072002200210020005400680069007300200061") && PE.isNetObjectPresent("DateTime")) {
version += (version.length != 0 ? " " : "") + "Unregistered";
}
// ====================
if (options.length != 0 || version.length != 0) isDetected = true;
if (isDetected) {
if (PE.isNetObjectPresent("SuppressIldasmAttribute")) {
options += (options.length != 0 ? " + " : "") + "Anti-ILDASM";
}
_setResult("protector", ".NET Reactor", version, options);
}
}
}
Reference in a new issue View git blame Copy permalink