From 27694eb19c6317e09c577697124e7dfc7845b6e3 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Thu, 27 Mar 2014 11:41:18 +0100
Subject: [PATCH] Support Agile.NET 6.3.0.17
---
 .../deobfuscators/Agile_NET/ResourceDecrypter.cs | 11 +++++++++--
 .../deobfuscators/Agile_NET/vm/v2/CSVM5.bin | Bin 0 -> 9820 bytes
 .../deobfuscators/Agile_NET/vm/v2/CsvmInfo.cs | 2 +-
 .../Agile_NET/vm/v2/CsvmResources.Designer.cs | 12 +++++++++++-
 .../Agile_NET/vm/v2/CsvmResources.resx | 4 ++++
 .../Agile_NET/vm/v2/OpCodeHandlerInfos.cs | 1 +
 .../Agile_NET/vm/v2/VmOpCodeHandlerDetector.cs | 3 ++-
 de4dot.mdecrypt/DynamicMethodsDecrypter.cs | 3 +++
 8 files changed, 31 insertions(+), 5 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM5.bin
diff --git a/de4dot.code/deobfuscators/Agile_NET/ResourceDecrypter.cs b/de4dot.code/deobfuscators/Agile_NET/ResourceDecrypter.cs
index c696f508..e1854f9c 100644
--- a/de4dot.code/deobfuscators/Agile_NET/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/ResourceDecrypter.cs
@@ -62,10 +62,15 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 FindResourceType();
 }
- static readonly string[] requiredFields = new string[] {
+ static readonly string[] requiredFields1 = new string[] {
 "System.Reflection.Assembly",
 "System.String[]",
 };
+ static readonly string[] requiredFields2 = new string[] {
+ "System.Reflection.Assembly",
+ "System.String[]",
+ "System.Collections.Hashtable",
+ };
 void FindResourceType() {
 var cctor = DotNetUtils.GetModuleTypeCctor(module);
 if (cctor == null)
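Review bot: `requiredFields1` and `requiredFields2` differ only by a numeric suffix, so nothing in ResourceDecrypter.cs records which Agile.NET layout each array describes. A one-line comment above each would fix that, e.g. `// resolver type layout before 6.3.0.17` and `// 6.3.0.17: adds a System.Collections.Hashtable field` (the version is inferred from the commit subject, so confirm it). The second hunk tests both arrays with `Exactly`, which keeps the match strict. Saying so in the comment would steer the next version towards a third exact set instead of a looser check.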
@@ -77,7 +82,9 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
 continue;
 var type = calledMethod.DeclaringType;
- if (!new FieldTypes(type).Exactly(requiredFields))
+ var fieldTypes = new FieldTypes(type);
+ if (!fieldTypes.Exactly(requiredFields1) &&
+ !fieldTypes.Exactly(requiredFields2))
 continue;
 var resolveHandler = DotNetUtils.GetMethod(type, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)");
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM5.bin b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM5.bin new file mode 100644 index 0000000000000000000000000000000000000000..1177d7fc1f8d763c2f89db0fc01b9ffa102f72d9 GIT binary patch literal 9820 zcmds+3y@A_7{||%kgyw;Ty~4Hi`I2lh>+D9f{nS#OuO-XnzAu0PQ)tYb3zvnq5YcZYRNCVxJbG4s#U^(VC{ ztYb3zvnq6@#)f;2WYRU!-h*01??F8p8gv}gTf7;}m=Qa}+Ev+$U`OdwWZgk;&QCe7 z#-NRDUT^jJ`d*FaX%9y)wR7RD5BQBV4JVA<;`u2Kny!Y5M^_Nt@1&ZUaBR}uxxGN* zbziM)caHXkZF{$QNxCr|5vzjG{t%rllITgi$2rfS&Xit60(#j$Y1UwgthBjKqgVQ-{3CcM?(71H=QD_>EuIAFKdc zy(uU&5YQYSpPOdof_B2Zo*uC(ojaKx{~`ktkEnfj4;yW|%j(X(DsA2Rg^i;3U$hMI z_Z^uRdC`qkMh#n4%t(->y4A)Wvs^-pbi~8AvzPth z`6fJL>J@v)&40QxI2W+dNzAgM{n}-OE1AEMReNhq{VEn~qLGeZ1F;!@t?bH{Xt6D4EGILRhRAxgGthqSv>tZ{?sOMi`{2rsxXA$~Fhp%uZY z9{4KUiERJwj%Awbtglturqix}q;r134^}($kP-7Dmw%yoDuQ`zMg)X;g=H6hNT^b> z3Q-up>xqtd7{{7E~(-g-2Y<@Vm&FX{g|ierU~;*l_K;=|H`2Qio1- zPEw&#nN=##VvQv?&Mbl3bBbu9kDlZi~wsZLF?BNHmzFg#QZ)PmaeXdK=F+-@9k3rR-v6)hFnOH?X3Mh#$v9EmvjZ-qOQ|Up&7pJUUG5 z3RgE8`Qjf?eMv_v>!lHldBjvoG9u?xgLhR+Q-qw+bahZ5J-?eX61Gm!)Dhhj@A=&w zN+Lw9qEENuI=@Qn?T9Z<=_YPE@}}%auw3F}_;0_je|`C%d9M@WB3a=| zueNk_y`34ig1LO)_3DjR4zXJHsU&K3&)<$%)D;dYoVX$iJmH* z_Di0h=TLAuq79w}NpeOdcSSlBR;X-u zgMX$jZbJv~1^4ws5N z9m~mp18YQAK=`B_UXbDW{mq+jJ$1G&&Yk`+x=FS!NB}u;UawgeIUoUK+2Y~(7CF!$ zPiAp!d2vxzQG<04)r{>yusG4D^%u%;^%@k1LwMhk // This code was generated by a tool. -// Runtime Version:4.0.30319.18052 +// Runtime Version:4.0.30319.18444 // // Changes to this file may cause incorrect behavior and will be lost if // the code is regenerated. @@ -99,5 +99,15 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 { return ((byte[])(obj)); } } + + /// + /// Looks up a localized resource of type System.Byte[]. + /// + internal static byte[] CSVM5 { + get { + object obj = ResourceManager.GetObject("CSVM5", resourceCulture); + return ((byte[])(obj)); + } + } } } 
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.resx b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.resx
index 17159be0..3a91280c 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.resx
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.resx
@@ -130,4 +130,8 @@ CSVM4.bin;System.Byte[], mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + CSVM5.bin;System.Byte[], mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + \ No newline at end of file
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfos.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfos.cs
index f70dc4aa..37fa316d 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfos.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfos.cs
@@ -75,6 +75,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
 ReadOpCodeHandlerInfos(CsvmResources.CSVM2),
 ReadOpCodeHandlerInfos(CsvmResources.CSVM3),
 ReadOpCodeHandlerInfos(CsvmResources.CSVM4),
+ ReadOpCodeHandlerInfos(CsvmResources.CSVM5),
 };
 static IList ReadOpCodeHandlerInfos(byte[] data) {
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCodeHandlerDetector.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCodeHandlerDetector.cs
index ccb40008..220044a3 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCodeHandlerDetector.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCodeHandlerDetector.cs
@@ -254,7 +254,8 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
 if (cctor == null)
 continue;
 requiredFields[0] = type.FullName;
- if (!new FieldTypes(type).Exactly(requiredFields))
+ var fieldTypes = new FieldTypes(type);
+ if (!fieldTypes.All(requiredFields))
 continue;
 cflowDeobfuscator.Deobfuscate(cctor);
diff --git a/de4dot.mdecrypt/DynamicMethodsDecrypter.cs b/de4dot.mdecrypt/DynamicMethodsDecrypter.cs
index 24fa5816..58557ff5 100644
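Review bot: Swapping `Exactly(requiredFields)` for `All(requiredFields)` in the VmOpCodeHandlerDetector.cs hunk appears to loosen detection for every supported version, not only 6.3.0.17. Presumably any type whose fields are a superset of the required ones now passes and gets `cflowDeobfuscator.Deobfuscate(cctor)` run on it. ResourceDecrypter.cs in this same commit stays strict by listing a second exact field set, and doing the same here would limit false matches on unknown or hostile input assemblies. If the extra fields really vary between builds, say so next to the check, e.g. `// 6.3.0.17 adds fields to the handler type; accept a superset`. The enclosing loop starts and ends outside the hunk, so any later filtering is not visible here.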
--- a/de4dot.mdecrypt/DynamicMethodsDecrypter.cs
+++ b/de4dot.mdecrypt/DynamicMethodsDecrypter.cs
@@ -596,6 +596,9 @@ namespace de4dot.mdecrypt {
 new PatchInfo(0x000110A5, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0x36, 0x3A, 0x00, 0x00 }),
 new PatchInfo(0x000110AF, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0x4C, 0x3C, 0x00, 0x00 }),
 new PatchInfo(0x000110AA, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0xF1, 0x3A, 0x00, 0x00 }),
+ new PatchInfo(0x00011019, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0x12, 0x4B, 0x00, 0x00 }),
+ new PatchInfo(0x00011019, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0x02, 0x4B, 0x00, 0x00 }),
+ new PatchInfo(0x00011019, new byte[] { 0x33, 0xC0, 0xC2, 0x04, 0x00 }, new byte[] { 0xE9, 0xA2, 0x4B, 0x00, 0x00 }),
 };
 static unsafe bool PatchCM(IntPtr addr, IntPtr origValue, IntPtr newValue) {
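Review bot: The three added `PatchInfo` entries share the offset `0x00011019` and the same first byte array, differing only in the last array, and nothing in the table says which runtime build each one was taken from. These entries appear to drive in-memory patching of native code, so each should carry a comment naming its build, e.g. `// Agile.NET 6.3.0.17, <runtime DLL build>`. The code that selects an entry is outside the hunk. It is worth confirming that it compares the full byte sequence found at the offset before writing, because selection by offset alone would be ambiguous for these three and could patch the wrong bytes. The array initializer starts before the hunk and `PatchCM` continues after it.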