From 0ba3a0c1e28c501620976d167f005a82a5d5dd0a Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 4 Dec 2012 23:58:34 +0100
Subject: [PATCH] Better support of DNR + .NET 1.x assemblies

---
 .../dotNET_Reactor/v4/Deobfuscator.cs         | 19 ++++++++++++++++++-
 .../dotNET_Reactor/v4/MethodsDecrypter.cs     | 15 ++++++++++++---
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
index ec0b2a6c..ea158ce9 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
@@ -382,7 +382,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 				return false;
 
 			var tokenToNativeCode = new Dictionary<uint,byte[]>();
-			if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, tokenToNativeCode))
+			if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, tokenToNativeCode, unpackedNativeFile))
 				return false;
 
 			newFileData = fileData;
@@ -584,9 +584,26 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			else
 				Logger.v("Could not remove decrypter type");
 
+			fixEntryPoint();
+
 			base.deobfuscateEnd();
 		}
 
+		void fixEntryPoint() {
+			if (!module.IsClr1x)
+				return;
+
+			var ep = module.EntryPoint;
+			if (ep == null)
+				return;
+			if (ep.MethodSig.GetParamCount() <= 1)
+				return;
+
+			ep.MethodSig = MethodSig.CreateStatic(ep.MethodSig.RetType, new SZArraySig(module.CorLibTypes.String));
+			ep.ParamList.Clear();
+			ep.Parameters.UpdateParameterTypes();
+		}
+
 		void removeInlinedMethods() {
 			if (!options.InlineMethods || !options.RemoveInlinedMethods)
 				return;
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs
index 83390106..056ed542 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs
@@ -123,7 +123,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 
 		static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 };
 		static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
-		public bool decrypt(MyPEImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref DumpedMethods dumpedMethods, Dictionary<uint, byte[]> tokenToNativeCode) {
+		public bool decrypt(MyPEImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref DumpedMethods dumpedMethods, Dictionary<uint, byte[]> tokenToNativeCode, bool unpackedNativeFile) {
 			if (encryptedResource.Method == null)
 				return false;
 
@@ -158,13 +158,22 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			}
 			else if (!hooksJitter || mode == 1) {
 				// DNR 3.9.8.0, 4.0, 4.1, 4.2, 4.3, 4.4
+
+				// If it's .NET 1.x, then offsets are used, not RVAs.
+				bool useOffsets = unpackedNativeFile && module.IsClr1x;
+
 				patchDwords(peImage, methodsDataReader, patchCount);
 				while (methodsDataReader.Position < methodsData.Length - 1) {
 					uint rva = methodsDataReader.ReadUInt32();
 					uint token = methodsDataReader.ReadUInt32();	// token, unknown, or index
 					int size = methodsDataReader.ReadInt32();
-					if (size > 0)
-						peImage.dotNetSafeWrite(rva, methodsDataReader.ReadBytes(size));
+					if (size > 0) {
+						var newData = methodsDataReader.ReadBytes(size);
+						if (useOffsets)
+							peImage.dotNetSafeWriteOffset(rva, newData);
+						else
+							peImage.dotNetSafeWrite(rva, newData);
+					}
 				}
 			}
 			else {