From d37fed03908b11e58b11f7da6acd3803f2424ddc Mon Sep 17 00:00:00 2001
From: mp-ssi
Date: Mon, 10 Jul 2017 15:43:28 +0200
Subject: [PATCH] Improved Anti-Tamper detection
---
 .../Deobfuscators/AntiTamperDeobfuscator.cs | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/NoFuserEx/NoFuserEx/Deobfuscator/Deobfuscators/AntiTamperDeobfuscator.cs b/NoFuserEx/NoFuserEx/Deobfuscator/Deobfuscators/AntiTamperDeobfuscator.cs
index 072c163..03c3e9e 100644
--- a/NoFuserEx/NoFuserEx/Deobfuscator/Deobfuscators/AntiTamperDeobfuscator.cs
+++ b/NoFuserEx/NoFuserEx/Deobfuscator/Deobfuscators/AntiTamperDeobfuscator.cs
@@ -60,11 +60,14 @@ public bool Deobfuscate(AssemblyManager assemblyManager) {
 static bool? IsTampered(ModuleDefMD module) {
 var sections = module.MetaData.PEImage.ImageSectionHeaders;
- if (sections.Count == 3) {
- Logger.Verbose("Anti-tamper not detected.");
+ // There should be at least a .text and a .rsrc section
+ if (sections.Count < 3) {
+ Logger.Verbose("Anti-tamper should not be present.");
 return false;
 }
+ // If more than 2 sections, test the names (the name of the section
+ // created by ConfuserEx is random)
 foreach (var section in sections) {
 switch (section.DisplayName) {
 case ".text":
@@ -76,6 +79,14 @@ public bool Deobfuscate(AssemblyManager assemblyManager) {
 return true;
 }
 }
+
+ // If there were only .text, .rsrc and .reloc sections
+ // Then the protection is absent
+ if (sections.Count == 3) {
+ Logger.Verbose("Anti-tamper should not detected.");
+ return false;
+ }
+
 return null;
 }
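Review bot: The early return on `sections.Count < 3` in IsTampered answers "not tampered" before any section name is inspected, so a module with only two sections, one of them carrying a non-standard name, would be classified as unprotected and skipped. The comment above it also speaks of .text and .rsrc (two sections) while the test is `< 3`. Since the name loop is what actually identifies the added section, it would be safer to drop this block and let the post-loop check in the second hunk cover the small cases with `if (sections.Count <= 3) {`. The switch cases between the two hunks are not visible here, so this assumes the default branch is the `return true` shown at the top of the second hunk.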
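Review bot: The new log string `"Anti-tamper should not detected."` is ungrammatical and no longer matches the wording this message had before the change; `Logger.Verbose("Anti-tamper not detected.");` would keep log searches working. The trailing `return null` now appears to be reached only when there are more than three sections and every name is an expected one, which deserves a comment such as `// more than 3 sections, all with expected names: result is undetermined`. The start of IsTampered and most of the switch body lie outside this hunk, so the exact set of expected names cannot be confirmed from here.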