From b7255bc3b58c7358a9314151247c4488ddf5472a Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 24 Sep 2013 21:44:21 +0200
Subject: [PATCH 01/58] Add assembly string separator detection code

---
 .../CryptoObfuscator/AssemblyResolver.cs      | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs b/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
index 5b107767..998e952f 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
@@ -30,6 +30,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		TypeDef resolverType;
 		MethodDef resolverMethod;
 		List<AssemblyInfo> assemblyInfos = new List<AssemblyInfo>();
+		string asmSeparator;
 
 		public class AssemblyInfo {
 			public string assemblyName;
@@ -86,6 +87,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				return false;
 			if (!CheckInitMethod(initMethod))
 				return false;
+			if ((asmSeparator = FindAssemblySeparator(initMethod)) == null)
+				return false;
 
 			List<AssemblyInfo> newAssemblyInfos = null;
 			foreach (var s in DotNetUtils.GetCodeStrings(initMethod)) {
@@ -134,7 +137,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			var sb = new StringBuilder(s.Length);
 			foreach (var c in s)
 				sb.Append((char)~c);
-			var tmpAssemblyInfos = sb.ToString().Split(new string[] { "##" }, StringSplitOptions.RemoveEmptyEntries);
+			var tmpAssemblyInfos = sb.ToString().Split(new string[] { asmSeparator }, StringSplitOptions.RemoveEmptyEntries);
 			if (tmpAssemblyInfos.Length == 0 || (tmpAssemblyInfos.Length & 1) == 1)
 				return null;
 
@@ -151,5 +154,24 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 
 			return newAssemblyInfos;
 		}
+
+		string FindAssemblySeparator(MethodDef initMethod) {
+			if (!initMethod.HasBody)
+				return null;
+
+			foreach (var instr in initMethod.Body.Instructions) {
+				if (instr.OpCode.Code != Code.Newarr)
+					continue;
+				var op = module.CorLibTypes.GetCorLibTypeSig(instr.Operand as ITypeDefOrRef);
+				if (op == null)
+					continue;
+				if (op.ElementType == ElementType.String)
+					return "##";
+				if (op.ElementType == ElementType.Char)
+					return "`";
+			}
+
+			return null;
+		}
 	}
 }

From 3d05b408c9c5beb9340661a373e30d602ac820f5 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 25 Sep 2013 01:37:53 +0200
Subject: [PATCH 02/58] Decrypt arrays

---
 .../CryptoObfuscator/ConstantsDecrypter.cs    | 84 ++++++++++++++++++-
 .../CryptoObfuscator/Deobfuscator.cs          |  3 +-
 2 files changed, 84 insertions(+), 3 deletions(-)

diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
index 295659f1..18ff0ee0 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
@@ -22,6 +22,7 @@ using System.Collections.Generic;
 using System.Text;
 using dnlib.IO;
 using dnlib.DotNet;
+using dnlib.DotNet.Emit;
 using de4dot.blocks;
 
 namespace de4dot.code.deobfuscators.CryptoObfuscator {
@@ -32,6 +33,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		MethodDef methodI8;
 		MethodDef methodR4;
 		MethodDef methodR8;
+		MethodDef methodArray;
+		InitializedDataCreator initializedDataCreator;
 		EmbeddedResource encryptedResource;
 		byte[] constantsData;
 
@@ -63,8 +66,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			get { return decrypterType != null; }
 		}
 
-		public ConstantsDecrypter(ModuleDefMD module) {
+		public ConstantsDecrypter(ModuleDefMD module, InitializedDataCreator initializedDataCreator) {
 			this.module = module;
+			this.initializedDataCreator = initializedDataCreator;
 		}
 
 		public void Find() {
@@ -98,9 +102,11 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			methodI8 = DotNetUtils.GetMethod(type, "System.Int64", "(System.Int32)");
 			methodR4 = DotNetUtils.GetMethod(type, "System.Single", "(System.Int32)");
 			methodR8 = DotNetUtils.GetMethod(type, "System.Double", "(System.Int32)");
+			methodArray = DotNetUtils.GetMethod(type, "System.Void", "(System.Array,System.Int32)");
 
 			return methodI4 != null && methodI8 != null &&
-				methodR4 != null && methodR8 != null;
+				methodR4 != null && methodR8 != null &&
+				methodArray != null;
 		}
 
 		public void Initialize(ResourceDecrypter resourceDecrypter) {
@@ -127,5 +133,79 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		public double DecryptDouble(int index) {
 			return BitConverter.ToDouble(constantsData, index);
 		}
+
+		struct ArrayInfo {
+			public CorLibTypeSig arrayType;
+			public int start, len;
+			public int arySize, index;
+
+			public ArrayInfo(int start, int len, CorLibTypeSig arrayType, int arySize, int index) {
+				this.start = start;
+				this.len = len;
+				this.arrayType = arrayType;
+				this.arySize = arySize;
+				this.index = index;
+			}
+		}
+
+		public void Deobfuscate(Blocks blocks) {
+			var infos = new List<ArrayInfo>();
+			foreach (var block in blocks.MethodBlocks.GetAllBlocks()) {
+				var instrs = block.Instructions;
+				infos.Clear();
+
+				for (int i = 0; i < instrs.Count - 5; i++) {
+					int index = i;
+
+					var ldci4_arySize = instrs[index++];
+					if (!ldci4_arySize.IsLdcI4())
+						continue;
+
+					var newarr = instrs[index++];
+					if (newarr.OpCode.Code != Code.Newarr)
+						continue;
+					var arrayType = module.CorLibTypes.GetCorLibTypeSig(newarr.Operand as ITypeDefOrRef);
+					if (arrayType == null)
+						continue;
+
+					if (instrs[index++].OpCode.Code != Code.Dup)
+						continue;
+
+					var ldci4_index = instrs[index++];
+					if (!ldci4_index.IsLdcI4())
+						continue;
+
+					var call = instrs[index++];
+					if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
+						continue;
+					if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(call.Operand as IMethod, methodArray))
+						continue;
+
+					if (arrayType.ElementType.GetPrimitiveSize() == -1) {
+						Logger.w("Can't decrypt non-primitive type array in method {0:X8}", blocks.Method.MDToken.ToInt32());
+						continue;
+					}
+
+					infos.Add(new ArrayInfo(i, index - i, arrayType, ldci4_arySize.GetLdcI4Value(),
+								ldci4_index.GetLdcI4Value()));
+				}
+
+				infos.Reverse();
+				foreach (var info in infos) {
+					var elemSize = info.arrayType.ElementType.GetPrimitiveSize();
+					var decrypted = DecryptArray(info);
+					initializedDataCreator.AddInitializeArrayCode(block, info.start, info.len, info.arrayType.ToTypeDefOrRef(), decrypted);
+					Logger.v("Decrypted {0} array: {1} elements", info.arrayType.ToString(), decrypted.Length / elemSize);
+				}
+			}
+		}
+
+		byte[] DecryptArray(ArrayInfo aryInfo) {
+			var ary = new byte[aryInfo.arySize * aryInfo.arrayType.ElementType.GetPrimitiveSize()];
+			int dataIndex = aryInfo.index;
+			int len = DeobUtils.ReadVariableLengthInt32(constantsData, ref dataIndex);
+			Buffer.BlockCopy(constantsData, dataIndex, ary, 0, len);
+			return ary;
+		}
 	}
 }
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
index 1a9b8754..93d98fc0 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
@@ -144,7 +144,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			stringDecrypter.Find();
 			tamperDetection = new TamperDetection(module);
 			tamperDetection.Find();
-			constantsDecrypter = new ConstantsDecrypter(module);
+			constantsDecrypter = new ConstantsDecrypter(module, initializedDataCreator);
 			constantsDecrypter.Find();
 			foundObfuscatorUserString = Utils.StartsWith(module.ReadUserString(0x70000001), "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal);
 		}
@@ -245,6 +245,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				int64ValueInliner.Decrypt(blocks);
 				singleValueInliner.Decrypt(blocks);
 				doubleValueInliner.Decrypt(blocks);
+				constantsDecrypter.Deobfuscate(blocks);
 			}
 			base.DeobfuscateMethodEnd(blocks);
 		}

From 06bef669c52cc86c57bfe6f2bfe091c924780622 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 28 Sep 2013 14:54:00 +0200
Subject: [PATCH 03/58] Inline a few more instructions

---
 blocks/cflow/MethodCallInlinerBase.cs | 30 +++++++++++++++++++--------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/blocks/cflow/MethodCallInlinerBase.cs b/blocks/cflow/MethodCallInlinerBase.cs
index 873c4d62..d8ed9247 100644
--- a/blocks/cflow/MethodCallInlinerBase.cs
+++ b/blocks/cflow/MethodCallInlinerBase.cs
@@ -142,7 +142,9 @@ namespace de4dot.blocks.cflow {
 			if (instr == null || loadIndex != methodArgsCount - popLastArgs)
 				return null;
 
-			if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
+			switch (instr.OpCode.Code) {
+			case Code.Call:
+			case Code.Callvirt:
 				if (foundLdarga)
 					return null;
 				var callInstr = instr;
@@ -160,8 +162,8 @@ namespace de4dot.blocks.cflow {
 					return null;
 
 				return new InstructionPatcher(patchIndex, instrIndex, callInstr);
-			}
-			else if (instr.OpCode.Code == Code.Newobj) {
+
+			case Code.Newobj:
 				if (foundLdarga)
 					return null;
 				var newobjInstr = instr;
@@ -185,20 +187,30 @@ namespace de4dot.blocks.cflow {
 					return null;
 
 				return new InstructionPatcher(patchIndex, instrIndex, newobjInstr);
-			}
-			else if (instr.OpCode.Code == Code.Ldfld || instr.OpCode.Code == Code.Ldflda ||
-					instr.OpCode.Code == Code.Ldftn || instr.OpCode.Code == Code.Ldvirtftn) {
+
+			case Code.Ldfld:
+			case Code.Ldflda:
+			case Code.Ldftn:
+			case Code.Ldvirtftn:
+			case Code.Ldlen:
+			case Code.Initobj:
+			case Code.Isinst:
+			case Code.Castclass:
+			case Code.Newarr:
+			case Code.Ldtoken:
+			case Code.Unbox_Any:
 				var ldInstr = instr;
 				if (methodArgsCount != 1)
 					return null;
 
-				if (!HasAccessTo(instr.Operand))
+				if (instr.OpCode.OperandType != OperandType.InlineNone && !HasAccessTo(instr.Operand))
 					return null;
 
 				return new InstructionPatcher(patchIndex, instrIndex, ldInstr);
-			}
 
-			return null;
+			default:
+				return null;
+			}
 		}
 
 		bool HasAccessTo(object operand) {

From 13ef523d581cc3d0db6737cd863948b7264ec40d Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 28 Sep 2013 14:54:27 +0200
Subject: [PATCH 04/58] Add OnInlinedMethod() method

---
 blocks/cflow/MethodCallInliner.cs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/blocks/cflow/MethodCallInliner.cs b/blocks/cflow/MethodCallInliner.cs
index a44fc610..3504a658 100644
--- a/blocks/cflow/MethodCallInliner.cs
+++ b/blocks/cflow/MethodCallInliner.cs
@@ -71,6 +71,7 @@ namespace de4dot.blocks.cflow {
 			if (instr == null)
 				return false;
 
+			bool inlinedMethod;
 			switch (instr.OpCode.Code) {
 			case Code.Ldarg:
 			case Code.Ldarg_S:
@@ -83,7 +84,8 @@ namespace de4dot.blocks.cflow {
 			case Code.Call:
 			case Code.Callvirt:
 			case Code.Newobj:
-				return InlineOtherMethod(instrIndex, methodToInline, instr, index);
+				inlinedMethod = InlineOtherMethod(instrIndex, methodToInline, instr, index);
+				break;
 
 			case Code.Ldc_I4:
 			case Code.Ldc_I4_0:
@@ -106,11 +108,18 @@ namespace de4dot.blocks.cflow {
 			case Code.Ldtoken:
 			case Code.Ldsfld:
 			case Code.Ldsflda:
-				return InlineLoadMethod(instrIndex, methodToInline, instr, index);
+				inlinedMethod = InlineLoadMethod(instrIndex, methodToInline, instr, index);
+				break;
 
 			default:
-				return false;
+				inlinedMethod = false;
+				break;
 			}
+			OnInlinedMethod(methodToInline, inlinedMethod);
+			return inlinedMethod;
+		}
+
+		protected virtual void OnInlinedMethod(MethodDef methodToInline, bool inlinedMethod) {
 		}
 
 		protected override bool IsCompatibleType(int paramIndex, IType origType, IType newType) {

From 67c9e762765f3773a78950da4851fb2e61f7e5d9 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 28 Sep 2013 14:55:29 +0200
Subject: [PATCH 05/58] Inline methods

---
 de4dot.code/de4dot.code.csproj                |  2 +
 .../CryptoObfuscator/CoMethodCallInliner.cs   | 53 +++++++++++
 .../CryptoObfuscator/Deobfuscator.cs          | 26 ++++++
 .../CryptoObfuscator/InlinedMethodTypes.cs    | 90 +++++++++++++++++++
 4 files changed, 171 insertions(+)
 create mode 100644 de4dot.code/deobfuscators/CryptoObfuscator/CoMethodCallInliner.cs
 create mode 100644 de4dot.code/deobfuscators/CryptoObfuscator/InlinedMethodTypes.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index a2c1d13c..881d9378 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -126,9 +126,11 @@
     <Compile Include="deobfuscators\CRC32.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
+    <Compile Include="deobfuscators\CryptoObfuscator\CoMethodCallInliner.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\ConstantsDecrypter.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
+    <Compile Include="deobfuscators\CryptoObfuscator\InlinedMethodTypes.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\ProxyCallFixer.cs" />
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/CoMethodCallInliner.cs b/de4dot.code/deobfuscators/CryptoObfuscator/CoMethodCallInliner.cs
new file mode 100644
index 00000000..312196f4
--- /dev/null
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/CoMethodCallInliner.cs
@@ -0,0 +1,53 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using dnlib.DotNet;
+using de4dot.blocks.cflow;
+
+namespace de4dot.code.deobfuscators.CryptoObfuscator {
+	class CoMethodCallInliner : MethodCallInliner {
+		readonly InlinedMethodTypes inlinedMethodTypes;
+
+		public CoMethodCallInliner(InlinedMethodTypes inlinedMethodTypes)
+			: base(false) {
+			this.inlinedMethodTypes = inlinedMethodTypes;
+		}
+
+		protected override bool CanInline(MethodDef method) {
+			if (method == null)
+				return false;
+
+			if (method.Attributes != (MethodAttributes.Assembly | MethodAttributes.Static | MethodAttributes.HideBySig))
+				return false;
+			if (method.HasGenericParameters)
+				return false;
+			if (!inlinedMethodTypes.IsValidMethodType(method.DeclaringType))
+				return false;
+
+			return true;
+		}
+
+		protected override void OnInlinedMethod(MethodDef methodToInline, bool inlinedMethod) {
+			if (inlinedMethod)
+				inlinedMethodTypes.Add(methodToInline.DeclaringType);
+			else
+				inlinedMethodTypes.DontRemoveType(methodToInline.DeclaringType);
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
index 93d98fc0..874c4632 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
@@ -22,6 +22,7 @@ using System.Collections.Generic;
 using System.Text.RegularExpressions;
 using dnlib.DotNet;
 using de4dot.blocks;
+using de4dot.blocks.cflow;
 
 namespace de4dot.code.deobfuscators.CryptoObfuscator {
 	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
@@ -30,11 +31,13 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
 		BoolOption removeTamperProtection;
 		BoolOption decryptConstants;
+		BoolOption inlineMethods;
 
 		public DeobfuscatorInfo()
 			: base(DEFAULT_REGEX) {
 			removeTamperProtection = new BoolOption(null, MakeArgName("tamper"), "Remove tamper protection code", true);
 			decryptConstants = new BoolOption(null, MakeArgName("consts"), "Decrypt constants", true);
+			inlineMethods = new BoolOption(null, MakeArgName("inline"), "Inline short methods", true);
 		}
 
 		public override string Name {
@@ -50,6 +53,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				ValidNameRegex = validNameRegex.get(),
 				RemoveTamperProtection = removeTamperProtection.get(),
 				DecryptConstants = decryptConstants.get(),
+				InlineMethods = inlineMethods.get(),
 			});
 		}
 
@@ -57,6 +61,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			return new List<Option>() {
 				removeTamperProtection,
 				decryptConstants,
+				inlineMethods,
 			};
 		}
 	}
@@ -67,6 +72,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		bool foundCryptoObfuscatorAttribute = false;
 		bool foundObfuscatedSymbols = false;
 		bool foundObfuscatorUserString = false;
+		bool startedDeobfuscating = false;
 
 		MethodsDecrypter methodsDecrypter;
 		ProxyCallFixer proxyCallFixer;
@@ -81,10 +87,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		Int64ValueInliner int64ValueInliner;
 		SingleValueInliner singleValueInliner;
 		DoubleValueInliner doubleValueInliner;
+		InlinedMethodTypes inlinedMethodTypes;
 
 		internal class Options : OptionsBase {
 			public bool RemoveTamperProtection { get; set; }
 			public bool DecryptConstants { get; set; }
+			public bool InlineMethods { get; set; }
 		}
 
 		public override string Type {
@@ -99,6 +107,19 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			get { return obfuscatorName; }
 		}
 
+		protected override bool CanInlineMethods {
+			get { return startedDeobfuscating ? options.InlineMethods : true; }
+		}
+
+		public override IEnumerable<IBlocksDeobfuscator> BlocksDeobfuscators {
+			get {
+				var list = new List<IBlocksDeobfuscator>();
+				if (CanInlineMethods)
+					list.Add(new CoMethodCallInliner(inlinedMethodTypes));
+				return list;
+			}
+		}
+
 		public Deobfuscator(Options options)
 			: base(options) {
 			this.options = options;
@@ -136,6 +157,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			if (CheckCryptoObfuscator())
 				foundObfuscatedSymbols = true;
 
+			inlinedMethodTypes = new InlinedMethodTypes();
 			methodsDecrypter = new MethodsDecrypter(module);
 			methodsDecrypter.Find();
 			proxyCallFixer = new ProxyCallFixer(module);
@@ -236,6 +258,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			proxyCallFixer.Find();
 
 			DumpEmbeddedAssemblies();
+
+			startedDeobfuscating = true;
 		}
 
 		public override void DeobfuscateMethodEnd(Blocks blocks) {
@@ -256,6 +280,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
 				AddTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
 			}
+			if (options.InlineMethods)
+				AddTypesToBeRemoved(inlinedMethodTypes.Types, "Inlined methods types");
 			base.DeobfuscateEnd();
 		}
 
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/InlinedMethodTypes.cs b/de4dot.code/deobfuscators/CryptoObfuscator/InlinedMethodTypes.cs
new file mode 100644
index 00000000..fce00acc
--- /dev/null
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/InlinedMethodTypes.cs
@@ -0,0 +1,90 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using dnlib.DotNet;
+
+namespace de4dot.code.deobfuscators.CryptoObfuscator {
+	class InlinedMethodTypes {
+		Dictionary<TypeDef, TypeFlags> types = new Dictionary<TypeDef, TypeFlags>();
+
+		[Flags]
+		enum TypeFlags {
+			DontRemoveType = 1,
+		}
+
+		public IEnumerable<TypeDef> Types {
+			get {
+				foreach (var kv in types) {
+					if ((kv.Value & TypeFlags.DontRemoveType) == 0)
+						yield return kv.Key;
+				}
+			}
+		}
+
+		bool IsValidType(TypeDef type) {
+			if (type == null)
+				return false;
+
+			if (type.BaseType == null || type.BaseType.FullName != "System.Object")
+				return false;
+			if (type.DeclaringType != null)
+				return false;
+			if (type.Attributes != (TypeAttributes.NotPublic | TypeAttributes.AutoLayout |
+				TypeAttributes.Class | TypeAttributes.Sealed | TypeAttributes.AnsiClass))
+				return false;
+			if (type.HasProperties || type.HasEvents)
+				return false;
+			if (type.HasInterfaces)
+				return false;
+			if (type.HasGenericParameters)
+				return false;
+			if (type.HasNestedTypes)
+				return false;
+
+			return true;
+		}
+
+		public bool IsValidMethodType(TypeDef type) {
+			if (!IsValidType(type))
+				return false;
+
+			if (type.HasFields)
+				return false;
+			if (type.Methods.Count != 1)
+				return false;
+
+			return true;
+		}
+
+		public void Add(TypeDef type) {
+			if (type == null || types.ContainsKey(type))
+				return;
+			types[type] = 0;
+		}
+
+		public void DontRemoveType(TypeDef type) {
+			TypeFlags flags;
+			types.TryGetValue(type, out flags);
+			flags |= TypeFlags.DontRemoveType;
+			types[type] = flags;
+		}
+	}
+}

From f9ed45c670002d9c52f1d01b6de571bea319dbd2 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 28 Sep 2013 19:07:03 +0200
Subject: [PATCH 06/58] Restore ldnull instructions

---
 de4dot.code/de4dot.code.csproj                |   1 +
 .../CryptoObfuscator/CoMethodCallInliner.cs   |   2 +-
 .../CryptoObfuscator/Deobfuscator.cs          |  10 +-
 .../CryptoObfuscator/InlinedMethodTypes.cs    |  16 ++-
 .../CryptoObfuscator/LdnullFixer.cs           | 126 ++++++++++++++++++
 5 files changed, 150 insertions(+), 5 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/CryptoObfuscator/LdnullFixer.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 881d9378..278f80bd 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -131,6 +131,7 @@
     <Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\InlinedMethodTypes.cs" />
+    <Compile Include="deobfuscators\CryptoObfuscator\LdnullFixer.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\ProxyCallFixer.cs" />
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/CoMethodCallInliner.cs b/de4dot.code/deobfuscators/CryptoObfuscator/CoMethodCallInliner.cs
index 312196f4..d632ff43 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/CoMethodCallInliner.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/CoMethodCallInliner.cs
@@ -37,7 +37,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				return false;
 			if (method.HasGenericParameters)
 				return false;
-			if (!inlinedMethodTypes.IsValidMethodType(method.DeclaringType))
+			if (!InlinedMethodTypes.IsValidMethodType(method.DeclaringType))
 				return false;
 
 			return true;
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
index 874c4632..851c6ae3 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
@@ -32,12 +32,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		BoolOption removeTamperProtection;
 		BoolOption decryptConstants;
 		BoolOption inlineMethods;
+		BoolOption fixLdnull;
 
 		public DeobfuscatorInfo()
 			: base(DEFAULT_REGEX) {
 			removeTamperProtection = new BoolOption(null, MakeArgName("tamper"), "Remove tamper protection code", true);
 			decryptConstants = new BoolOption(null, MakeArgName("consts"), "Decrypt constants", true);
 			inlineMethods = new BoolOption(null, MakeArgName("inline"), "Inline short methods", true);
+			fixLdnull = new BoolOption(null, MakeArgName("ldnull"), "Restore ldnull instructions", true);
 		}
 
 		public override string Name {
@@ -54,6 +56,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				RemoveTamperProtection = removeTamperProtection.get(),
 				DecryptConstants = decryptConstants.get(),
 				InlineMethods = inlineMethods.get(),
+				FixLdnull = fixLdnull.get(),
 			});
 		}
 
@@ -62,6 +65,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				removeTamperProtection,
 				decryptConstants,
 				inlineMethods,
+				fixLdnull,
 			};
 		}
 	}
@@ -93,6 +97,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			public bool RemoveTamperProtection { get; set; }
 			public bool DecryptConstants { get; set; }
 			public bool InlineMethods { get; set; }
+			public bool FixLdnull { get; set; }
 		}
 
 		public override string Type {
@@ -275,13 +280,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		}
 
 		public override void DeobfuscateEnd() {
+			if (options.FixLdnull)
+				new LdnullFixer(module, inlinedMethodTypes).Restore();
 			RemoveProxyDelegates(proxyCallFixer);
 			if (CanRemoveStringDecrypterType) {
 				AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
 				AddTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
 			}
-			if (options.InlineMethods)
-				AddTypesToBeRemoved(inlinedMethodTypes.Types, "Inlined methods types");
+			AddTypesToBeRemoved(inlinedMethodTypes.Types, "Inlined methods type");
 			base.DeobfuscateEnd();
 		}
 
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/InlinedMethodTypes.cs b/de4dot.code/deobfuscators/CryptoObfuscator/InlinedMethodTypes.cs
index fce00acc..929c80f9 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/InlinedMethodTypes.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/InlinedMethodTypes.cs
@@ -39,7 +39,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			}
 		}
 
-		bool IsValidType(TypeDef type) {
+		static bool IsValidType(TypeDef type) {
 			if (type == null)
 				return false;
 
@@ -62,7 +62,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			return true;
 		}
 
-		public bool IsValidMethodType(TypeDef type) {
+		public static bool IsValidMethodType(TypeDef type) {
 			if (!IsValidType(type))
 				return false;
 
@@ -74,6 +74,18 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			return true;
 		}
 
+		public static bool IsValidFieldType(TypeDef type) {
+			if (!IsValidType(type))
+				return false;
+
+			if (type.HasMethods)
+				return false;
+			if (type.Fields.Count != 1)
+				return false;
+
+			return true;
+		}
+
 		public void Add(TypeDef type) {
 			if (type == null || types.ContainsKey(type))
 				return;
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/LdnullFixer.cs b/de4dot.code/deobfuscators/CryptoObfuscator/LdnullFixer.cs
new file mode 100644
index 00000000..3337153b
--- /dev/null
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/LdnullFixer.cs
@@ -0,0 +1,126 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using de4dot.blocks;
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+
+namespace de4dot.code.deobfuscators.CryptoObfuscator {
+	class LdnullFixer {
+		readonly ModuleDef module;
+		readonly InlinedMethodTypes inlinedMethodTypes;
+
+		public LdnullFixer(ModuleDef module, InlinedMethodTypes inlinedMethodTypes) {
+			this.module = module;
+			this.inlinedMethodTypes = inlinedMethodTypes;
+		}
+
+		public void Restore() {
+			var fields = FindFieldTypes(FindFieldTypes());
+			Restore(fields);
+			foreach (var field in fields.Keys)
+				inlinedMethodTypes.Add(field.DeclaringType);
+		}
+
+		FieldDefAndDeclaringTypeDict<FieldDef> FindFieldTypes() {
+			var dict = new FieldDefAndDeclaringTypeDict<FieldDef>();
+
+			foreach (var type in module.GetTypes()) {
+				foreach (var method in type.Methods) {
+					var body = method.Body;
+					if (body == null)
+						continue;
+					foreach (var instr in body.Instructions) {
+						if (instr.OpCode.Code != Code.Ldsfld)
+							continue;
+						var field = instr.Operand as FieldDef;
+						if (field == null)
+							continue;
+						var declType = field.DeclaringType;
+						if (declType == null)
+							continue;
+						if (!InlinedMethodTypes.IsValidFieldType(declType))
+							continue;
+						dict.Add(field, field);
+					}
+				}
+			}
+
+			return dict;
+		}
+
+		Dictionary<FieldDef, bool> FindFieldTypes(FieldDefAndDeclaringTypeDict<FieldDef> fields) {
+			var validFields = new Dictionary<FieldDef, bool>(fields.Count);
+			foreach (var field in fields.GetKeys())
+				validFields.Add(field, false);
+
+			foreach (var type in module.GetTypes()) {
+				if (validFields.Count == 0)
+					break;
+
+				foreach (var method in type.Methods) {
+					var body = method.Body;
+					if (body == null)
+						continue;
+					foreach (var instr in body.Instructions) {
+						if (instr.OpCode.Code == Code.Ldsfld)
+							continue;
+						var field = instr.Operand as IField;
+						if (field == null)
+							continue;
+
+						var validType = fields.Find(field);
+						if (validType == null)
+							continue;
+
+						validFields.Remove(validType);
+					}
+				}
+			}
+
+			return validFields;
+		}
+
+		int Restore(Dictionary<FieldDef, bool> nullFields) {
+			int numRestored = 0;
+			foreach (var type in module.GetTypes()) {
+				foreach (var method in type.Methods) {
+					var body = method.Body;
+					if (body == null)
+						continue;
+					foreach (var instr in body.Instructions) {
+						if (instr.OpCode.Code != Code.Ldsfld)
+							continue;
+						var field = instr.Operand as FieldDef;
+						if (field == null)
+							continue;
+						if (!nullFields.ContainsKey(field))
+							continue;
+
+						instr.OpCode = OpCodes.Ldnull;
+						instr.Operand = null;
+						numRestored++;
+					}
+				}
+			}
+			return numRestored;
+		}
+	}
+}

From 24b22268e3eaf16ce21c4baf8d127fc71d4bd230 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 28 Sep 2013 19:43:05 +0200
Subject: [PATCH 07/58] Deobfuscate asm resolver method

---
 .../deobfuscators/CryptoObfuscator/AssemblyResolver.cs     | 7 ++++---
 de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs b/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
index 998e952f..cd13f7f5 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
@@ -67,7 +67,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			this.module = module;
 		}
 
-		public void Find() {
+		public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
 			var cctor = DotNetUtils.GetModuleTypeCctor(module);
 			if (cctor == null)
 				return;
@@ -77,14 +77,15 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 					continue;
 				if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
 					continue;
-				if (CheckType(method.DeclaringType, method))
+				if (CheckType(method.DeclaringType, method, simpleDeobfuscator))
 					break;
 			}
 		}
 
-		bool CheckType(TypeDef type, MethodDef initMethod) {
+		bool CheckType(TypeDef type, MethodDef initMethod, ISimpleDeobfuscator simpleDeobfuscator) {
 			if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) == null)
 				return false;
+			simpleDeobfuscator.Deobfuscate(initMethod);
 			if (!CheckInitMethod(initMethod))
 				return false;
 			if ((asmSeparator = FindAssemblySeparator(initMethod)) == null)
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
index 851c6ae3..f38330e9 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
@@ -210,7 +210,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			resourceResolver = new ResourceResolver(module, resourceDecrypter);
 			assemblyResolver = new AssemblyResolver(module);
 			resourceResolver.Find();
-			assemblyResolver.Find();
+			assemblyResolver.Find(DeobfuscatedFile);
 
 			DecryptResources();
 			stringDecrypter.Initialize(resourceDecrypter);
@@ -225,7 +225,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 
 			if (methodsDecrypter.Detected) {
 				if (!assemblyResolver.Detected)
-					assemblyResolver.Find();
+					assemblyResolver.Find(DeobfuscatedFile);
 				if (!tamperDetection.Detected)
 					tamperDetection.Find();
 			}

From 01dbcd063267481bc5786d1483e396b2c419ae19 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 28 Sep 2013 19:43:46 +0200
Subject: [PATCH 08/58] Add ISimpleDeobfuscator::MethodModified() to reset
 deobfuscated state

---
 de4dot.code/ObfuscatedFile.cs                   | 17 ++++++++++++++++-
 .../deobfuscators/ISimpleDeobfuscator.cs        |  1 +
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/ObfuscatedFile.cs b/de4dot.code/ObfuscatedFile.cs
index c4cfa2bf..74ca82c5 100644
--- a/de4dot.code/ObfuscatedFile.cs
+++ b/de4dot.code/ObfuscatedFile.cs
@@ -752,11 +752,22 @@ namespace de4dot.code {
 		}
 		Dictionary<MethodDef, SimpleDeobFlags> simpleDeobfuscatorFlags = new Dictionary<MethodDef, SimpleDeobFlags>();
 		bool Check(MethodDef method, SimpleDeobFlags flag) {
+			if (method == null)
+				return false;
 			SimpleDeobFlags oldFlags;
 			simpleDeobfuscatorFlags.TryGetValue(method, out oldFlags);
 			simpleDeobfuscatorFlags[method] = oldFlags | flag;
 			return (oldFlags & flag) == flag;
 		}
+		bool Clear(MethodDef method, SimpleDeobFlags flag) {
+			if (method == null)
+				return false;
+			SimpleDeobFlags oldFlags;
+			if (!simpleDeobfuscatorFlags.TryGetValue(method, out oldFlags))
+				return false;
+			simpleDeobfuscatorFlags[method] = oldFlags & ~flag;
+			return true;
+		}
 
 		void Deobfuscate(MethodDef method, string msg, Action<Blocks> handler) {
 			if (savedMethodBodies != null)
@@ -784,12 +795,16 @@ namespace de4dot.code {
 			Logger.Instance.DeIndent();
 		}
 
+		void ISimpleDeobfuscator.MethodModified(MethodDef method) {
+			Clear(method, SimpleDeobFlags.HasDeobfuscated);
+		}
+
 		void ISimpleDeobfuscator.Deobfuscate(MethodDef method) {
 			((ISimpleDeobfuscator)this).Deobfuscate(method, false);
 		}
 
 		void ISimpleDeobfuscator.Deobfuscate(MethodDef method, bool force) {
-			if (!force && Check(method, SimpleDeobFlags.HasDeobfuscated))
+			if (method == null || !force && Check(method, SimpleDeobFlags.HasDeobfuscated))
 				return;
 
 			Deobfuscate(method, "Deobfuscating control flow", (blocks) => {
diff --git a/de4dot.code/deobfuscators/ISimpleDeobfuscator.cs b/de4dot.code/deobfuscators/ISimpleDeobfuscator.cs
index 3ec0f4f5..b549aea2 100644
--- a/de4dot.code/deobfuscators/ISimpleDeobfuscator.cs
+++ b/de4dot.code/deobfuscators/ISimpleDeobfuscator.cs
@@ -21,6 +21,7 @@ using dnlib.DotNet;
 
 namespace de4dot.code.deobfuscators {
 	public interface ISimpleDeobfuscator {
+		void MethodModified(MethodDef method);
 		void Deobfuscate(MethodDef method);
 		void Deobfuscate(MethodDef method, bool force);
 		void DecryptStrings(MethodDef method, IDeobfuscator deob);

From e70e2269162bc027b82203b71ebe0bbfbbd5f5bf Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 28 Sep 2013 19:51:25 +0200
Subject: [PATCH 09/58] Clear deobfuscated state for each restored method

---
 de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs | 2 +-
 .../deobfuscators/CryptoObfuscator/MethodsDecrypter.cs     | 7 ++++---
 de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs       | 2 +-
 .../deobfuscators/Spices_Net/SpicesMethodCallInliner.cs    | 7 ++++---
 4 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
index f38330e9..1cb146eb 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
@@ -221,7 +221,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				DeobfuscatedFile.StringDecryptersAdded();
 			}
 
-			methodsDecrypter.Decrypt(resourceDecrypter);
+			methodsDecrypter.Decrypt(resourceDecrypter, DeobfuscatedFile);
 
 			if (methodsDecrypter.Detected) {
 				if (!assemblyResolver.Detected)
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CryptoObfuscator/MethodsDecrypter.cs
index ceb3c994..18f32d0a 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/MethodsDecrypter.cs
@@ -112,7 +112,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			return null;
 		}
 
-		public void Decrypt(ResourceDecrypter resourceDecrypter) {
+		public void Decrypt(ResourceDecrypter resourceDecrypter, ISimpleDeobfuscator simpleDeobfuscator) {
 			if (decryptMethod == null)
 				return;
 
@@ -129,13 +129,13 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				uint codeOffset = reader.ReadUInt32();
 				var origOffset = reader.Position;
 				reader.Position = codeOffset;
-				Decrypt(reader, delegateTypeToken);
+				Decrypt(reader, delegateTypeToken, simpleDeobfuscator);
 				reader.Position = origOffset;
 			}
 			Logger.Instance.DeIndent();
 		}
 
-		void Decrypt(IBinaryReader reader, int delegateTypeToken) {
+		void Decrypt(IBinaryReader reader, int delegateTypeToken, ISimpleDeobfuscator simpleDeobfuscator) {
 			var delegateType = module.ResolveToken(delegateTypeToken) as TypeDef;
 			if (delegateType == null)
 				throw new ApplicationException("Couldn't find delegate type");
@@ -162,6 +162,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 					encMethod.Body.Variables.Count,
 					encMethod.Body.ExceptionHandlers.Count);
 			delegateTypes.Add(delegateType);
+			simpleDeobfuscator.MethodModified(encMethod);
 		}
 
 		bool GetTokens(TypeDef delegateType, out int delegateToken, out int encMethodToken, out int encDeclaringTypeToken) {
diff --git a/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs b/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs
index 775e3c20..c00124d5 100644
--- a/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Spices_Net/Deobfuscator.cs
@@ -154,7 +154,7 @@ namespace de4dot.code.deobfuscators.Spices_Net {
 		public override void DeobfuscateBegin() {
 			base.DeobfuscateBegin();
 
-			methodCallInliner.Initialize();
+			methodCallInliner.Initialize(DeobfuscatedFile);
 
 			if (options.RestoreResourceNames) {
 				resourceNamesRestorer = new ResourceNamesRestorer(module);
diff --git a/de4dot.code/deobfuscators/Spices_Net/SpicesMethodCallInliner.cs b/de4dot.code/deobfuscators/Spices_Net/SpicesMethodCallInliner.cs
index 471ab57b..863f093c 100644
--- a/de4dot.code/deobfuscators/Spices_Net/SpicesMethodCallInliner.cs
+++ b/de4dot.code/deobfuscators/Spices_Net/SpicesMethodCallInliner.cs
@@ -52,12 +52,12 @@ namespace de4dot.code.deobfuscators.Spices_Net {
 			return CheckCanInline(method);
 		}
 
-		public void Initialize() {
+		public void Initialize(ISimpleDeobfuscator simpleDeobfuscator) {
 			InitializeMethodsTypes();
-			RestoreMethodBodies();
+			RestoreMethodBodies(simpleDeobfuscator);
 		}
 
-		void RestoreMethodBodies() {
+		void RestoreMethodBodies(ISimpleDeobfuscator simpleDeobfuscator) {
 			var methodToOrigMethods = new MethodDefAndDeclaringTypeDict<List<MethodDef>>();
 			foreach (var t in module.Types) {
 				var types = new List<TypeDef>(AllTypesHelper.Types(new List<TypeDef> { t }));
@@ -95,6 +95,7 @@ namespace de4dot.code.deobfuscators.Spices_Net {
 							calledMethod.MDToken.ToInt32());
 				DotNetUtils.CopyBodyFromTo(calledMethod, method);
 				classMethods.Add(calledMethod, method);
+				simpleDeobfuscator.MethodModified(method);
 			}
 		}
 

From f01d0f207334630f17e820defaf82074fd849a7f Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 28 Sep 2013 21:28:59 +0200
Subject: [PATCH 10/58] Fix if condition

---
 de4dot.code/ObfuscatedFile.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/de4dot.code/ObfuscatedFile.cs b/de4dot.code/ObfuscatedFile.cs
index 74ca82c5..89dd2a7d 100644
--- a/de4dot.code/ObfuscatedFile.cs
+++ b/de4dot.code/ObfuscatedFile.cs
@@ -804,7 +804,7 @@ namespace de4dot.code {
 		}
 
 		void ISimpleDeobfuscator.Deobfuscate(MethodDef method, bool force) {
-			if (method == null || !force && Check(method, SimpleDeobFlags.HasDeobfuscated))
+			if (method == null || (!force && Check(method, SimpleDeobFlags.HasDeobfuscated)))
 				return;
 
 			Deobfuscate(method, "Deobfuscating control flow", (blocks) => {

From 662c78380a1ba7c562ca67ca212fc7a234ac9b2d Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 2 Oct 2013 18:07:28 +0200
Subject: [PATCH 11/58] Refactor IAssemblyService

---
 AssemblyData/AssemblyData.csproj              |   4 +
 AssemblyData/AssemblyServer.cs                |   9 +-
 AssemblyData/AssemblyService.cs               | 128 +++++-------------
 AssemblyData/IAssemblyService.cs              |  21 +--
 AssemblyData/IMethodDecrypterService.cs       |  30 ++++
 AssemblyData/IStringDecrypterService.cs       |  32 +++++
 AssemblyData/MethodDecrypterService.cs        |  52 +++++++
 AssemblyData/StringDecrypterService.cs        |  93 +++++++++++++
 de4dot.code/AssemblyClient/AssemblyClient.cs  |   8 +-
 .../AssemblyClient/AssemblyClientFactory.cs   |  19 +--
 de4dot.code/AssemblyClient/IAssemblyClient.cs |   2 +
 .../AssemblyClient/IpcAssemblyServerLoader.cs |  10 +-
 .../NewAppDomainAssemblyServerLoader.cs       |   9 +-
 .../NewProcessAssemblyServerLoader.cs         |  11 +-
 .../SameAppDomainAssemblyServerLoader.cs      |   7 +-
 de4dot.code/ObfuscatedFile.cs                 |  11 +-
 de4dot.code/StringInliner.cs                  |   4 +-
 de4dot.code/deobfuscators/MethodsDecrypter.cs |   9 +-
 18 files changed, 308 insertions(+), 151 deletions(-)
 create mode 100644 AssemblyData/IMethodDecrypterService.cs
 create mode 100644 AssemblyData/IStringDecrypterService.cs
 create mode 100644 AssemblyData/MethodDecrypterService.cs
 create mode 100644 AssemblyData/StringDecrypterService.cs

diff --git a/AssemblyData/AssemblyData.csproj b/AssemblyData/AssemblyData.csproj
index 847bed52..f140d1ae 100644
--- a/AssemblyData/AssemblyData.csproj
+++ b/AssemblyData/AssemblyData.csproj
@@ -42,7 +42,10 @@
     <Compile Include="DelegateStringDecrypter.cs" />
     <Compile Include="EmuStringDecrypter.cs" />
     <Compile Include="IAssemblyService.cs" />
+    <Compile Include="IMethodDecrypterService.cs" />
     <Compile Include="IStringDecrypter.cs" />
+    <Compile Include="IStringDecrypterService.cs" />
+    <Compile Include="MethodDecrypterService.cs" />
     <Compile Include="methodsrewriter\AssemblyResolver.cs" />
     <Compile Include="methodsrewriter\CodeGenerator.cs" />
     <Compile Include="methodsrewriter\IMethodsRewriter.cs" />
@@ -58,6 +61,7 @@
     <Compile Include="methodsrewriter\TypeResolver.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="SimpleData.cs" />
+    <Compile Include="StringDecrypterService.cs" />
     <Compile Include="Utils.cs" />
   </ItemGroup>
   <ItemGroup>
diff --git a/AssemblyData/AssemblyServer.cs b/AssemblyData/AssemblyServer.cs
index 44c9ce0b..337fc55c 100644
--- a/AssemblyData/AssemblyServer.cs
+++ b/AssemblyData/AssemblyServer.cs
@@ -27,12 +27,13 @@ using AssemblyData;
 namespace AssemblyServer {
 	public static class Start {
 		public static int Main2(string[] args) {
-			if (args.Length != 2)
+			if (args.Length != 3)
 				Environment.Exit(1);
-			var channelName = args[0];
-			var uri = args[1];
+			var serviceType = (AssemblyServiceType)Int32.Parse(args[0]);
+			var channelName = args[1];
+			var uri = args[2];
 
-			var service = new AssemblyService();
+			var service = (AssemblyService)AssemblyService.Create(serviceType);
 			StartServer(service, channelName, uri);
 			service.WaitExit();
 			return 0;
diff --git a/AssemblyData/AssemblyService.cs b/AssemblyData/AssemblyService.cs
index 7b691efc..d272deeb 100644
--- a/AssemblyData/AssemblyService.cs
+++ b/AssemblyData/AssemblyService.cs
@@ -18,20 +18,40 @@
 */
 
 using System;
-using System.Collections.Generic;
 using System.Reflection;
 using System.Threading;
-using dnlib.DotNet;
-using de4dot.blocks;
-using de4dot.mdecrypt;
 
 namespace AssemblyData {
-	public class AssemblyService : MarshalByRefObject, IAssemblyService {
-		IStringDecrypter stringDecrypter = null;
+	public abstract class AssemblyService : MarshalByRefObject, IAssemblyService {
 		ManualResetEvent exitEvent = new ManualResetEvent(false);
-		Assembly assembly = null;
+		protected Assembly assembly = null;
 		AssemblyResolver assemblyResolver = new AssemblyResolver();
-		bool installCompileMethodCalled = false;
+
+		public static AssemblyService Create(AssemblyServiceType serviceType) {
+			switch (serviceType) {
+			case AssemblyServiceType.StringDecrypter:
+				return new StringDecrypterService();
+
+			case AssemblyServiceType.MethodDecrypter:
+				return new MethodDecrypterService();
+
+			default:
+				throw new ArgumentException("Invalid assembly service type");
+			}
+		}
+
+		public static Type GetType(AssemblyServiceType serviceType) {
+			switch (serviceType) {
+			case AssemblyServiceType.StringDecrypter:
+				return typeof(StringDecrypterService);
+
+			case AssemblyServiceType.MethodDecrypter:
+				return typeof(MethodDecrypterService);
+
+			default:
+				throw new ArgumentException("Invalid assembly service type");
+			}
+		}
 
 		public void DoNothing() {
 		}
@@ -48,17 +68,12 @@ namespace AssemblyData {
 			return null;
 		}
 
-		void CheckStringDecrypter() {
-			if (stringDecrypter == null)
-				throw new ApplicationException("setStringDecrypterType() hasn't been called yet.");
-		}
-
-		void CheckAssembly() {
+		protected void CheckAssembly() {
 			if (assembly == null)
-				throw new ApplicationException("loadAssembly() hasn't been called yet.");
+				throw new ApplicationException("LoadAssembly() hasn't been called yet.");
 		}
 
-		public void LoadAssembly(string filename) {
+		protected void LoadAssemblyInternal(string filename) {
 			if (assembly != null)
 				throw new ApplicationException("Only one assembly can be explicitly loaded");
 			try {
@@ -68,86 +83,5 @@ namespace AssemblyData {
 				throw new ApplicationException(string.Format("Could not load assembly {0}. Maybe it's 32-bit or 64-bit only?", filename));
 			}
 		}
-
-		public void SetStringDecrypterType(StringDecrypterType type) {
-			if (stringDecrypter != null)
-				throw new ApplicationException("StringDecrypterType already set");
-
-			switch (type) {
-			case StringDecrypterType.Delegate:
-				stringDecrypter = new DelegateStringDecrypter();
-				break;
-
-			case StringDecrypterType.Emulate:
-				stringDecrypter = new EmuStringDecrypter();
-				break;
-
-			default:
-				throw new ApplicationException(string.Format("Unknown StringDecrypterType {0}", type));
-			}
-		}
-
-		public int DefineStringDecrypter(int methodToken) {
-			CheckStringDecrypter();
-			var methodInfo = FindMethod(methodToken);
-			if (methodInfo == null)
-				throw new ApplicationException(string.Format("Could not find method {0:X8}", methodToken));
-			if (methodInfo.ReturnType != typeof(string) && methodInfo.ReturnType != typeof(object))
-				throw new ApplicationException(string.Format("Method return type must be string or object: {0}", methodInfo));
-			return stringDecrypter.DefineStringDecrypter(methodInfo);
-		}
-
-		public object[] DecryptStrings(int stringDecrypterMethod, object[] args, int callerToken) {
-			CheckStringDecrypter();
-			var caller = GetCaller(callerToken);
-			foreach (var arg in args)
-				SimpleData.Unpack((object[])arg);
-			return SimpleData.Pack(stringDecrypter.DecryptStrings(stringDecrypterMethod, args, caller));
-		}
-
-		MethodBase GetCaller(int callerToken) {
-			try {
-				return assembly.GetModules()[0].ResolveMethod(callerToken);
-			}
-			catch {
-				return null;
-			}
-		}
-
-		MethodInfo FindMethod(int methodToken) {
-			CheckAssembly();
-
-			foreach (var module in assembly.GetModules()) {
-				var method = module.ResolveMethod(methodToken) as MethodInfo;
-				if (method != null)
-					return method;
-			}
-
-			return null;
-		}
-
-		public void InstallCompileMethod(DecryptMethodsInfo decryptMethodsInfo) {
-			if (installCompileMethodCalled)
-				throw new ApplicationException("installCompileMethod() has already been called");
-			installCompileMethodCalled = true;
-			DynamicMethodsDecrypter.Instance.DecryptMethodsInfo = decryptMethodsInfo;
-			DynamicMethodsDecrypter.Instance.InstallCompileMethod();
-		}
-
-		public void LoadObfuscator(string filename) {
-			LoadAssembly(filename);
-			DynamicMethodsDecrypter.Instance.Module = assembly.ManifestModule;
-			DynamicMethodsDecrypter.Instance.LoadObfuscator();
-		}
-
-		public bool CanDecryptMethods() {
-			CheckAssembly();
-			return DynamicMethodsDecrypter.Instance.CanDecryptMethods();
-		}
-
-		public DumpedMethods DecryptMethods() {
-			CheckAssembly();
-			return DynamicMethodsDecrypter.Instance.DecryptMethods();
-		}
 	}
 }
diff --git a/AssemblyData/IAssemblyService.cs b/AssemblyData/IAssemblyService.cs
index 2867531b..3a0dc700 100644
--- a/AssemblyData/IAssemblyService.cs
+++ b/AssemblyData/IAssemblyService.cs
@@ -17,29 +17,14 @@
     along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-using dnlib.DotNet;
-using de4dot.blocks;
-using de4dot.mdecrypt;
-
 namespace AssemblyData {
-	public enum StringDecrypterType {
-		Delegate,
-		Emulate,
+	public enum AssemblyServiceType {
+		StringDecrypter,
+		MethodDecrypter,
 	}
 
 	public interface IAssemblyService {
 		void DoNothing();
 		void Exit();
-
-		void LoadAssembly(string filename);
-
-		void SetStringDecrypterType(StringDecrypterType type);
-		int DefineStringDecrypter(int methodToken);
-		object[] DecryptStrings(int stringDecrypterMethod, object[] args, int callerToken);
-
-		void InstallCompileMethod(DecryptMethodsInfo decryptMethodsInfo);
-		void LoadObfuscator(string filename);
-		bool CanDecryptMethods();
-		DumpedMethods DecryptMethods();
 	}
 }
diff --git a/AssemblyData/IMethodDecrypterService.cs b/AssemblyData/IMethodDecrypterService.cs
new file mode 100644
index 00000000..5ec2b224
--- /dev/null
+++ b/AssemblyData/IMethodDecrypterService.cs
@@ -0,0 +1,30 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using de4dot.blocks;
+using de4dot.mdecrypt;
+
+namespace AssemblyData {
+	public interface IMethodDecrypterService : IAssemblyService {
+		void InstallCompileMethod(DecryptMethodsInfo decryptMethodsInfo);
+		void LoadObfuscator(string filename);
+		bool CanDecryptMethods();
+		DumpedMethods DecryptMethods();
+	}
+}
diff --git a/AssemblyData/IStringDecrypterService.cs b/AssemblyData/IStringDecrypterService.cs
new file mode 100644
index 00000000..83ad0c6a
--- /dev/null
+++ b/AssemblyData/IStringDecrypterService.cs
@@ -0,0 +1,32 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+namespace AssemblyData {
+	public enum StringDecrypterType {
+		Delegate,
+		Emulate,
+	}
+
+	public interface IStringDecrypterService : IAssemblyService {
+		void LoadAssembly(string filename);
+		void SetStringDecrypterType(StringDecrypterType type);
+		int DefineStringDecrypter(int methodToken);
+		object[] DecryptStrings(int stringDecrypterMethod, object[] args, int callerToken);
+	}
+}
diff --git a/AssemblyData/MethodDecrypterService.cs b/AssemblyData/MethodDecrypterService.cs
new file mode 100644
index 00000000..47c75234
--- /dev/null
+++ b/AssemblyData/MethodDecrypterService.cs
@@ -0,0 +1,52 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using de4dot.blocks;
+using de4dot.mdecrypt;
+
+namespace AssemblyData {
+	class MethodDecrypterService : AssemblyService, IMethodDecrypterService {
+		bool installCompileMethodCalled = false;
+
+		public void InstallCompileMethod(DecryptMethodsInfo decryptMethodsInfo) {
+			if (installCompileMethodCalled)
+				throw new ApplicationException("installCompileMethod() has already been called");
+			installCompileMethodCalled = true;
+			DynamicMethodsDecrypter.Instance.DecryptMethodsInfo = decryptMethodsInfo;
+			DynamicMethodsDecrypter.Instance.InstallCompileMethod();
+		}
+
+		public void LoadObfuscator(string filename) {
+			LoadAssemblyInternal(filename);
+			DynamicMethodsDecrypter.Instance.Module = assembly.ManifestModule;
+			DynamicMethodsDecrypter.Instance.LoadObfuscator();
+		}
+
+		public bool CanDecryptMethods() {
+			CheckAssembly();
+			return DynamicMethodsDecrypter.Instance.CanDecryptMethods();
+		}
+
+		public DumpedMethods DecryptMethods() {
+			CheckAssembly();
+			return DynamicMethodsDecrypter.Instance.DecryptMethods();
+		}
+	}
+}
diff --git a/AssemblyData/StringDecrypterService.cs b/AssemblyData/StringDecrypterService.cs
new file mode 100644
index 00000000..08c0be43
--- /dev/null
+++ b/AssemblyData/StringDecrypterService.cs
@@ -0,0 +1,93 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Reflection;
+
+namespace AssemblyData {
+	class StringDecrypterService : AssemblyService, IStringDecrypterService {
+		IStringDecrypter stringDecrypter = null;
+
+		void CheckStringDecrypter() {
+			if (stringDecrypter == null)
+				throw new ApplicationException("SetStringDecrypterType() hasn't been called yet.");
+		}
+
+		public void LoadAssembly(string filename) {
+			LoadAssemblyInternal(filename);
+		}
+
+		public void SetStringDecrypterType(StringDecrypterType type) {
+			if (stringDecrypter != null)
+				throw new ApplicationException("StringDecrypterType already set");
+
+			switch (type) {
+			case StringDecrypterType.Delegate:
+				stringDecrypter = new DelegateStringDecrypter();
+				break;
+
+			case StringDecrypterType.Emulate:
+				stringDecrypter = new EmuStringDecrypter();
+				break;
+
+			default:
+				throw new ApplicationException(string.Format("Unknown StringDecrypterType {0}", type));
+			}
+		}
+
+		public int DefineStringDecrypter(int methodToken) {
+			CheckStringDecrypter();
+			var methodInfo = FindMethod(methodToken);
+			if (methodInfo == null)
+				throw new ApplicationException(string.Format("Could not find method {0:X8}", methodToken));
+			if (methodInfo.ReturnType != typeof(string) && methodInfo.ReturnType != typeof(object))
+				throw new ApplicationException(string.Format("Method return type must be string or object: {0}", methodInfo));
+			return stringDecrypter.DefineStringDecrypter(methodInfo);
+		}
+
+		public object[] DecryptStrings(int stringDecrypterMethod, object[] args, int callerToken) {
+			CheckStringDecrypter();
+			var caller = GetCaller(callerToken);
+			foreach (var arg in args)
+				SimpleData.Unpack((object[])arg);
+			return SimpleData.Pack(stringDecrypter.DecryptStrings(stringDecrypterMethod, args, caller));
+		}
+
+		MethodBase GetCaller(int callerToken) {
+			try {
+				return assembly.GetModules()[0].ResolveMethod(callerToken);
+			}
+			catch {
+				return null;
+			}
+		}
+
+		MethodInfo FindMethod(int methodToken) {
+			CheckAssembly();
+
+			foreach (var module in assembly.GetModules()) {
+				var method = module.ResolveMethod(methodToken) as MethodInfo;
+				if (method != null)
+					return method;
+			}
+
+			return null;
+		}
+	}
+}
diff --git a/de4dot.code/AssemblyClient/AssemblyClient.cs b/de4dot.code/AssemblyClient/AssemblyClient.cs
index 68bca68e..1693a269 100644
--- a/de4dot.code/AssemblyClient/AssemblyClient.cs
+++ b/de4dot.code/AssemblyClient/AssemblyClient.cs
@@ -35,8 +35,12 @@ namespace de4dot.code.AssemblyClient {
 			get { return service; }
 		}
 
-		public AssemblyClient()
-			: this(new NewProcessAssemblyServerLoader()) {
+		public IStringDecrypterService StringDecrypterService {
+			get { return (IStringDecrypterService)service; }
+		}
+
+		public IMethodDecrypterService MethodDecrypterService {
+			get { return (IMethodDecrypterService)service; }
 		}
 
 		public AssemblyClient(IAssemblyServerLoader loader) {
diff --git a/de4dot.code/AssemblyClient/AssemblyClientFactory.cs b/de4dot.code/AssemblyClient/AssemblyClientFactory.cs
index fdcd9a59..83a1967b 100644
--- a/de4dot.code/AssemblyClient/AssemblyClientFactory.cs
+++ b/de4dot.code/AssemblyClient/AssemblyClientFactory.cs
@@ -18,21 +18,22 @@
 */
 
 using dnlib.DotNet;
+using AssemblyData;
 
 namespace de4dot.code.AssemblyClient {
 	public interface IAssemblyClientFactory {
-		IAssemblyClient Create();
+		IAssemblyClient Create(AssemblyServiceType serviceType);
 	}
 
 	public class SameAppDomainAssemblyClientFactory : IAssemblyClientFactory {
-		public IAssemblyClient Create() {
-			return new AssemblyClient(new SameAppDomainAssemblyServerLoader());
+		public IAssemblyClient Create(AssemblyServiceType serviceType) {
+			return new AssemblyClient(new SameAppDomainAssemblyServerLoader(serviceType));
 		}
 	}
 
 	public class NewAppDomainAssemblyClientFactory : IAssemblyClientFactory {
-		public IAssemblyClient Create() {
-			return new AssemblyClient(new NewAppDomainAssemblyServerLoader());
+		public IAssemblyClient Create(AssemblyServiceType serviceType) {
+			return new AssemblyClient(new NewAppDomainAssemblyServerLoader(serviceType));
 		}
 	}
 
@@ -47,12 +48,12 @@ namespace de4dot.code.AssemblyClient {
 			this.serverVersion = serverVersion;
 		}
 
-		public IAssemblyClient Create(ModuleDef module) {
-			return new AssemblyClient(new NewProcessAssemblyServerLoader(GetServerClrVersion(module)));
+		public IAssemblyClient Create(AssemblyServiceType serviceType, ModuleDef module) {
+			return new AssemblyClient(new NewProcessAssemblyServerLoader(serviceType, GetServerClrVersion(module)));
 		}
 
-		public IAssemblyClient Create() {
-			return new AssemblyClient(new NewProcessAssemblyServerLoader(serverVersion));
+		public IAssemblyClient Create(AssemblyServiceType serviceType) {
+			return new AssemblyClient(new NewProcessAssemblyServerLoader(serviceType, serverVersion));
 		}
 
 		internal static ServerClrVersion GetServerClrVersion(ModuleDef module) {
diff --git a/de4dot.code/AssemblyClient/IAssemblyClient.cs b/de4dot.code/AssemblyClient/IAssemblyClient.cs
index 0449796b..8477806c 100644
--- a/de4dot.code/AssemblyClient/IAssemblyClient.cs
+++ b/de4dot.code/AssemblyClient/IAssemblyClient.cs
@@ -23,6 +23,8 @@ using AssemblyData;
 namespace de4dot.code.AssemblyClient {
 	public interface IAssemblyClient : IDisposable {
 		IAssemblyService Service { get; }
+		IStringDecrypterService StringDecrypterService { get; }
+		IMethodDecrypterService MethodDecrypterService { get; }
 		void Connect();
 		void WaitConnected();
 	}
diff --git a/de4dot.code/AssemblyClient/IpcAssemblyServerLoader.cs b/de4dot.code/AssemblyClient/IpcAssemblyServerLoader.cs
index 423f4eb7..f2af1232 100644
--- a/de4dot.code/AssemblyClient/IpcAssemblyServerLoader.cs
+++ b/de4dot.code/AssemblyClient/IpcAssemblyServerLoader.cs
@@ -35,13 +35,15 @@ namespace de4dot.code.AssemblyClient {
 		readonly string assemblyServerFilename;
 		protected string ipcName;
 		protected string ipcUri;
+		protected AssemblyServiceType serviceType;
 		string url;
 
-		protected IpcAssemblyServerLoader()
-			: this(ServerClrVersion.CLR_ANY_ANYCPU) {
+		protected IpcAssemblyServerLoader(AssemblyServiceType serviceType)
+			: this(serviceType, ServerClrVersion.CLR_ANY_ANYCPU) {
 		}
 
-		protected IpcAssemblyServerLoader(ServerClrVersion serverVersion) {
+		protected IpcAssemblyServerLoader(AssemblyServiceType serviceType, ServerClrVersion serverVersion) {
+			this.serviceType = serviceType;
 			assemblyServerFilename = GetServerName(serverVersion);
 			ipcName = Utils.RandomName(15, 20);
 			ipcUri = Utils.RandomName(15, 20);
@@ -69,7 +71,7 @@ namespace de4dot.code.AssemblyClient {
 		public abstract void LoadServer(string filename);
 
 		public IAssemblyService CreateService() {
-			return (IAssemblyService)Activator.GetObject(typeof(AssemblyService), url);
+			return (IAssemblyService)Activator.GetObject(AssemblyService.GetType(serviceType), url);
 		}
 
 		public abstract void Dispose();
diff --git a/de4dot.code/AssemblyClient/NewAppDomainAssemblyServerLoader.cs b/de4dot.code/AssemblyClient/NewAppDomainAssemblyServerLoader.cs
index 16b274ce..f7521663 100644
--- a/de4dot.code/AssemblyClient/NewAppDomainAssemblyServerLoader.cs
+++ b/de4dot.code/AssemblyClient/NewAppDomainAssemblyServerLoader.cs
@@ -19,6 +19,7 @@
 
 using System;
 using System.Threading;
+using AssemblyData;
 
 namespace de4dot.code.AssemblyClient {
 	// Starts the server in a new app domain.
@@ -26,6 +27,10 @@ namespace de4dot.code.AssemblyClient {
 		AppDomain appDomain;
 		Thread thread;
 
+		public NewAppDomainAssemblyServerLoader(AssemblyServiceType serviceType)
+			: base(serviceType) {
+		}
+
 		public override void LoadServer(string filename) {
 			if (appDomain != null)
 				throw new ApplicationException("Server is already loaded");
@@ -33,7 +38,9 @@ namespace de4dot.code.AssemblyClient {
 			appDomain = AppDomain.CreateDomain(Utils.RandomName(15, 20));
 			thread = new Thread(new ThreadStart(() => {
 				try {
-					appDomain.ExecuteAssembly(filename, null, new string[] { ipcName, ipcUri });
+					appDomain.ExecuteAssembly(filename, null, new string[] {
+						((int)serviceType).ToString(), ipcName, ipcUri
+					});
 				}
 				catch (NullReferenceException) {
 					// Here if appDomain was set to null by Dispose() before this thread started
diff --git a/de4dot.code/AssemblyClient/NewProcessAssemblyServerLoader.cs b/de4dot.code/AssemblyClient/NewProcessAssemblyServerLoader.cs
index 379ed0ce..9aa00537 100644
--- a/de4dot.code/AssemblyClient/NewProcessAssemblyServerLoader.cs
+++ b/de4dot.code/AssemblyClient/NewProcessAssemblyServerLoader.cs
@@ -19,17 +19,19 @@
 
 using System;
 using System.Diagnostics;
+using AssemblyData;
 
 namespace de4dot.code.AssemblyClient {
 	// Starts the server in a new process
 	class NewProcessAssemblyServerLoader : IpcAssemblyServerLoader {
 		Process process;
 
-		public NewProcessAssemblyServerLoader() {
+		public NewProcessAssemblyServerLoader(AssemblyServiceType serviceType)
+			: base(serviceType) {
 		}
 
-		public NewProcessAssemblyServerLoader(ServerClrVersion version)
-			: base(version) {
+		public NewProcessAssemblyServerLoader(AssemblyServiceType serviceType, ServerClrVersion version)
+			: base(serviceType, version) {
 		}
 
 		public override void LoadServer(string filename) {
@@ -37,7 +39,8 @@ namespace de4dot.code.AssemblyClient {
 				throw new ApplicationException("Server is already loaded");
 
 			var psi = new ProcessStartInfo {
-				Arguments = string.Format("{0} {1}", Utils.ShellEscape(ipcName), Utils.ShellEscape(ipcUri)),
+				Arguments = string.Format("{0} {1} {2}", (int)serviceType,
+							Utils.ShellEscape(ipcName), Utils.ShellEscape(ipcUri)),
 				CreateNoWindow = true,
 				ErrorDialog = false,
 				FileName = filename,
diff --git a/de4dot.code/AssemblyClient/SameAppDomainAssemblyServerLoader.cs b/de4dot.code/AssemblyClient/SameAppDomainAssemblyServerLoader.cs
index 978a205c..8cd8096b 100644
--- a/de4dot.code/AssemblyClient/SameAppDomainAssemblyServerLoader.cs
+++ b/de4dot.code/AssemblyClient/SameAppDomainAssemblyServerLoader.cs
@@ -24,11 +24,16 @@ namespace de4dot.code.AssemblyClient {
 	// Starts the server in the current app domain.
 	class SameAppDomainAssemblyServerLoader : IAssemblyServerLoader {
 		IAssemblyService service;
+		AssemblyServiceType serviceType;
+
+		public SameAppDomainAssemblyServerLoader(AssemblyServiceType serviceType) {
+			this.serviceType = serviceType;
+		}
 
 		public void LoadServer() {
 			if (service != null)
 				throw new ApplicationException("Server already loaded");
-			service = new AssemblyService();
+			service = AssemblyService.Create(serviceType);
 		}
 
 		public IAssemblyService CreateService() {
diff --git a/de4dot.code/ObfuscatedFile.cs b/de4dot.code/ObfuscatedFile.cs
index 89dd2a7d..35cc83e0 100644
--- a/de4dot.code/ObfuscatedFile.cs
+++ b/de4dot.code/ObfuscatedFile.cs
@@ -26,6 +26,7 @@ using dnlib.DotNet;
 using dnlib.DotNet.Emit;
 using dnlib.DotNet.Writer;
 using dnlib.PE;
+using AssemblyData;
 using de4dot.code.deobfuscators;
 using de4dot.blocks;
 using de4dot.blocks.cflow;
@@ -375,9 +376,9 @@ namespace de4dot.code {
 				CheckSupportedStringDecrypter(StringFeatures.AllowDynamicDecryption);
 				var newProcFactory = assemblyClientFactory as NewProcessAssemblyClientFactory;
 				if (newProcFactory != null)
-					assemblyClient = newProcFactory.Create(module);
+					assemblyClient = newProcFactory.Create(AssemblyServiceType.StringDecrypter, module);
 				else
-					assemblyClient = assemblyClientFactory.Create();
+					assemblyClient = assemblyClientFactory.Create(AssemblyServiceType.StringDecrypter);
 				assemblyClient.Connect();
 				break;
 
@@ -432,12 +433,12 @@ namespace de4dot.code {
 				return;
 
 			assemblyClient.WaitConnected();
-			assemblyClient.Service.LoadAssembly(options.Filename);
+			assemblyClient.StringDecrypterService.LoadAssembly(options.Filename);
 
 			if (options.StringDecrypterType == DecrypterType.Delegate)
-				assemblyClient.Service.SetStringDecrypterType(AssemblyData.StringDecrypterType.Delegate);
+				assemblyClient.StringDecrypterService.SetStringDecrypterType(AssemblyData.StringDecrypterType.Delegate);
 			else if (options.StringDecrypterType == DecrypterType.Emulate)
-				assemblyClient.Service.SetStringDecrypterType(AssemblyData.StringDecrypterType.Emulate);
+				assemblyClient.StringDecrypterService.SetStringDecrypterType(AssemblyData.StringDecrypterType.Emulate);
 			else
 				throw new ApplicationException(string.Format("Invalid string decrypter type '{0}'", options.StringDecrypterType));
 
diff --git a/de4dot.code/StringInliner.cs b/de4dot.code/StringInliner.cs
index afbd29ee..ac77dc02 100644
--- a/de4dot.code/StringInliner.cs
+++ b/de4dot.code/StringInliner.cs
@@ -89,7 +89,7 @@ namespace de4dot.code {
 			foreach (var methodToken in methodTokens) {
 				if (methodTokenToId.ContainsKey(methodToken))
 					continue;
-				methodTokenToId[methodToken] = assemblyClient.Service.DefineStringDecrypter(methodToken);
+				methodTokenToId[methodToken] = assemblyClient.StringDecrypterService.DefineStringDecrypter(methodToken);
 			}
 		}
 
@@ -117,7 +117,7 @@ namespace de4dot.code {
 					AssemblyData.SimpleData.Pack(list[i].args);
 					args[i] = list[i].args;
 				}
-				var decryptedStrings = assemblyClient.Service.DecryptStrings(methodId, args, Method.MDToken.ToInt32());
+				var decryptedStrings = assemblyClient.StringDecrypterService.DecryptStrings(methodId, args, Method.MDToken.ToInt32());
 				if (decryptedStrings.Length != args.Length)
 					throw new ApplicationException("Invalid decrypted strings array length");
 				AssemblyData.SimpleData.Unpack(decryptedStrings);
diff --git a/de4dot.code/deobfuscators/MethodsDecrypter.cs b/de4dot.code/deobfuscators/MethodsDecrypter.cs
index 81779260..46e52442 100644
--- a/de4dot.code/deobfuscators/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/MethodsDecrypter.cs
@@ -18,6 +18,7 @@
 */
 
 using dnlib.DotNet;
+using AssemblyData;
 using de4dot.code.AssemblyClient;
 using de4dot.blocks;
 using de4dot.mdecrypt;
@@ -29,14 +30,14 @@ namespace de4dot.code.deobfuscators {
 		}
 
 		public static DumpedMethods Decrypt(ServerClrVersion serverVersion, string filename, byte[] moduleCctorBytes) {
-			using (var client = new NewProcessAssemblyClientFactory(serverVersion).Create()) {
+			using (var client = new NewProcessAssemblyClientFactory(serverVersion).Create(AssemblyServiceType.MethodDecrypter)) {
 				client.Connect();
 				client.WaitConnected();
 				var info = new DecryptMethodsInfo();
 				info.moduleCctorBytes = moduleCctorBytes;
-				client.Service.InstallCompileMethod(info);
-				client.Service.LoadObfuscator(filename);
-				return client.Service.DecryptMethods();
+				client.MethodDecrypterService.InstallCompileMethod(info);
+				client.MethodDecrypterService.LoadObfuscator(filename);
+				return client.MethodDecrypterService.DecryptMethods();
 			}
 		}
 	}

From 43e441ca931868e79c8ad9d9506450b42181b5a4 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 2 Oct 2013 20:49:21 +0200
Subject: [PATCH 12/58] Rename blocks -> de4dot.blocks

---
 AssemblyData/AssemblyData.csproj                           | 4 ++--
 {blocks => de4dot.blocks}/BaseBlock.cs                     | 0
 {blocks => de4dot.blocks}/Block.cs                         | 0
 {blocks => de4dot.blocks}/Blocks.cs                        | 0
 {blocks => de4dot.blocks}/BlocksSorter.cs                  | 0
 {blocks => de4dot.blocks}/CodeGenerator.cs                 | 0
 {blocks => de4dot.blocks}/DeadBlocksRemover.cs             | 0
 {blocks => de4dot.blocks}/DotNetUtils.cs                   | 0
 {blocks => de4dot.blocks}/DumpedMethod.cs                  | 0
 {blocks => de4dot.blocks}/DumpedMethods.cs                 | 0
 {blocks => de4dot.blocks}/FilterHandlerBlock.cs            | 0
 {blocks => de4dot.blocks}/ForwardScanOrder.cs              | 0
 {blocks => de4dot.blocks}/GenericArgsSubstitutor.cs        | 0
 {blocks => de4dot.blocks}/HandlerBlock.cs                  | 0
 {blocks => de4dot.blocks}/Instr.cs                         | 0
 {blocks => de4dot.blocks}/InstructionListParser.cs         | 0
 {blocks => de4dot.blocks}/MemberDefDict.cs                 | 0
 {blocks => de4dot.blocks}/MethodBlocks.cs                  | 0
 {blocks => de4dot.blocks}/Properties/AssemblyInfo.cs       | 4 ++--
 {blocks => de4dot.blocks}/ScopeBlock.cs                    | 0
 {blocks => de4dot.blocks}/TryBlock.cs                      | 0
 {blocks => de4dot.blocks}/TryHandlerBlock.cs               | 0
 {blocks => de4dot.blocks}/Utils.cs                         | 0
 {blocks => de4dot.blocks}/cflow/BlockCflowDeobfuscator.cs  | 0
 {blocks => de4dot.blocks}/cflow/BlockDeobfuscator.cs       | 0
 {blocks => de4dot.blocks}/cflow/BlocksCflowDeobfuscator.cs | 0
 {blocks => de4dot.blocks}/cflow/BranchEmulator.cs          | 0
 {blocks => de4dot.blocks}/cflow/CachedCflowDeobfuscator.cs | 0
 {blocks => de4dot.blocks}/cflow/CflowDeobfuscator.cs       | 0
 {blocks => de4dot.blocks}/cflow/CflowUtils.cs              | 0
 {blocks => de4dot.blocks}/cflow/ConstantsFolder.cs         | 0
 {blocks => de4dot.blocks}/cflow/DeadCodeRemover.cs         | 0
 {blocks => de4dot.blocks}/cflow/DeadStoreRemover.cs        | 0
 {blocks => de4dot.blocks}/cflow/DupBlockDeobfuscator.cs    | 0
 {blocks => de4dot.blocks}/cflow/IBlocksDeobfuscator.cs     | 0
 {blocks => de4dot.blocks}/cflow/ICflowDeobfuscator.cs      | 0
 {blocks => de4dot.blocks}/cflow/InstructionEmulator.cs     | 0
 {blocks => de4dot.blocks}/cflow/Int32Value.cs              | 0
 {blocks => de4dot.blocks}/cflow/Int64Value.cs              | 0
 {blocks => de4dot.blocks}/cflow/MethodCallInliner.cs       | 0
 {blocks => de4dot.blocks}/cflow/MethodCallInlinerBase.cs   | 0
 {blocks => de4dot.blocks}/cflow/Real8Value.cs              | 0
 {blocks => de4dot.blocks}/cflow/StLdlocFixer.cs            | 0
 {blocks => de4dot.blocks}/cflow/SwitchCflowDeobfuscator.cs | 0
 {blocks => de4dot.blocks}/cflow/Value.cs                   | 0
 {blocks => de4dot.blocks}/cflow/ValueStack.cs              | 0
 blocks/blocks.csproj => de4dot.blocks/de4dot.blocks.csproj | 2 +-
 de4dot.code/de4dot.code.csproj                             | 4 ++--
 de4dot.cui/de4dot.cui.csproj                               | 4 ++--
 de4dot.mdecrypt/de4dot.mdecrypt.csproj                     | 4 ++--
 de4dot.sln                                                 | 2 +-
 51 files changed, 12 insertions(+), 12 deletions(-)
 rename {blocks => de4dot.blocks}/BaseBlock.cs (100%)
 rename {blocks => de4dot.blocks}/Block.cs (100%)
 rename {blocks => de4dot.blocks}/Blocks.cs (100%)
 rename {blocks => de4dot.blocks}/BlocksSorter.cs (100%)
 rename {blocks => de4dot.blocks}/CodeGenerator.cs (100%)
 rename {blocks => de4dot.blocks}/DeadBlocksRemover.cs (100%)
 rename {blocks => de4dot.blocks}/DotNetUtils.cs (100%)
 rename {blocks => de4dot.blocks}/DumpedMethod.cs (100%)
 rename {blocks => de4dot.blocks}/DumpedMethods.cs (100%)
 rename {blocks => de4dot.blocks}/FilterHandlerBlock.cs (100%)
 rename {blocks => de4dot.blocks}/ForwardScanOrder.cs (100%)
 rename {blocks => de4dot.blocks}/GenericArgsSubstitutor.cs (100%)
 rename {blocks => de4dot.blocks}/HandlerBlock.cs (100%)
 rename {blocks => de4dot.blocks}/Instr.cs (100%)
 rename {blocks => de4dot.blocks}/InstructionListParser.cs (100%)
 rename {blocks => de4dot.blocks}/MemberDefDict.cs (100%)
 rename {blocks => de4dot.blocks}/MethodBlocks.cs (100%)
 rename {blocks => de4dot.blocks}/Properties/AssemblyInfo.cs (93%)
 rename {blocks => de4dot.blocks}/ScopeBlock.cs (100%)
 rename {blocks => de4dot.blocks}/TryBlock.cs (100%)
 rename {blocks => de4dot.blocks}/TryHandlerBlock.cs (100%)
 rename {blocks => de4dot.blocks}/Utils.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/BlockCflowDeobfuscator.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/BlockDeobfuscator.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/BlocksCflowDeobfuscator.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/BranchEmulator.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/CachedCflowDeobfuscator.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/CflowDeobfuscator.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/CflowUtils.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/ConstantsFolder.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/DeadCodeRemover.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/DeadStoreRemover.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/DupBlockDeobfuscator.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/IBlocksDeobfuscator.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/ICflowDeobfuscator.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/InstructionEmulator.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/Int32Value.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/Int64Value.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/MethodCallInliner.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/MethodCallInlinerBase.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/Real8Value.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/StLdlocFixer.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/SwitchCflowDeobfuscator.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/Value.cs (100%)
 rename {blocks => de4dot.blocks}/cflow/ValueStack.cs (100%)
 rename blocks/blocks.csproj => de4dot.blocks/de4dot.blocks.csproj (98%)

diff --git a/AssemblyData/AssemblyData.csproj b/AssemblyData/AssemblyData.csproj
index f140d1ae..552ed0ef 100644
--- a/AssemblyData/AssemblyData.csproj
+++ b/AssemblyData/AssemblyData.csproj
@@ -70,9 +70,9 @@
     <Reference Include="System.XML" />
   </ItemGroup>
   <ItemGroup>
-    <ProjectReference Include="..\blocks\blocks.csproj">
+    <ProjectReference Include="..\de4dot.blocks\de4dot.blocks.csproj">
       <Project>{045B96F2-AF80-4C4C-8D27-E38635AC705E}</Project>
-      <Name>blocks</Name>
+      <Name>de4dot.blocks</Name>
     </ProjectReference>
     <ProjectReference Include="..\de4dot.mdecrypt\de4dot.mdecrypt.csproj">
       <Project>{5C93C5E2-196F-4877-BF65-96FEBFCEFCA1}</Project>
diff --git a/blocks/BaseBlock.cs b/de4dot.blocks/BaseBlock.cs
similarity index 100%
rename from blocks/BaseBlock.cs
rename to de4dot.blocks/BaseBlock.cs
diff --git a/blocks/Block.cs b/de4dot.blocks/Block.cs
similarity index 100%
rename from blocks/Block.cs
rename to de4dot.blocks/Block.cs
diff --git a/blocks/Blocks.cs b/de4dot.blocks/Blocks.cs
similarity index 100%
rename from blocks/Blocks.cs
rename to de4dot.blocks/Blocks.cs
diff --git a/blocks/BlocksSorter.cs b/de4dot.blocks/BlocksSorter.cs
similarity index 100%
rename from blocks/BlocksSorter.cs
rename to de4dot.blocks/BlocksSorter.cs
diff --git a/blocks/CodeGenerator.cs b/de4dot.blocks/CodeGenerator.cs
similarity index 100%
rename from blocks/CodeGenerator.cs
rename to de4dot.blocks/CodeGenerator.cs
diff --git a/blocks/DeadBlocksRemover.cs b/de4dot.blocks/DeadBlocksRemover.cs
similarity index 100%
rename from blocks/DeadBlocksRemover.cs
rename to de4dot.blocks/DeadBlocksRemover.cs
diff --git a/blocks/DotNetUtils.cs b/de4dot.blocks/DotNetUtils.cs
similarity index 100%
rename from blocks/DotNetUtils.cs
rename to de4dot.blocks/DotNetUtils.cs
diff --git a/blocks/DumpedMethod.cs b/de4dot.blocks/DumpedMethod.cs
similarity index 100%
rename from blocks/DumpedMethod.cs
rename to de4dot.blocks/DumpedMethod.cs
diff --git a/blocks/DumpedMethods.cs b/de4dot.blocks/DumpedMethods.cs
similarity index 100%
rename from blocks/DumpedMethods.cs
rename to de4dot.blocks/DumpedMethods.cs
diff --git a/blocks/FilterHandlerBlock.cs b/de4dot.blocks/FilterHandlerBlock.cs
similarity index 100%
rename from blocks/FilterHandlerBlock.cs
rename to de4dot.blocks/FilterHandlerBlock.cs
diff --git a/blocks/ForwardScanOrder.cs b/de4dot.blocks/ForwardScanOrder.cs
similarity index 100%
rename from blocks/ForwardScanOrder.cs
rename to de4dot.blocks/ForwardScanOrder.cs
diff --git a/blocks/GenericArgsSubstitutor.cs b/de4dot.blocks/GenericArgsSubstitutor.cs
similarity index 100%
rename from blocks/GenericArgsSubstitutor.cs
rename to de4dot.blocks/GenericArgsSubstitutor.cs
diff --git a/blocks/HandlerBlock.cs b/de4dot.blocks/HandlerBlock.cs
similarity index 100%
rename from blocks/HandlerBlock.cs
rename to de4dot.blocks/HandlerBlock.cs
diff --git a/blocks/Instr.cs b/de4dot.blocks/Instr.cs
similarity index 100%
rename from blocks/Instr.cs
rename to de4dot.blocks/Instr.cs
diff --git a/blocks/InstructionListParser.cs b/de4dot.blocks/InstructionListParser.cs
similarity index 100%
rename from blocks/InstructionListParser.cs
rename to de4dot.blocks/InstructionListParser.cs
diff --git a/blocks/MemberDefDict.cs b/de4dot.blocks/MemberDefDict.cs
similarity index 100%
rename from blocks/MemberDefDict.cs
rename to de4dot.blocks/MemberDefDict.cs
diff --git a/blocks/MethodBlocks.cs b/de4dot.blocks/MethodBlocks.cs
similarity index 100%
rename from blocks/MethodBlocks.cs
rename to de4dot.blocks/MethodBlocks.cs
diff --git a/blocks/Properties/AssemblyInfo.cs b/de4dot.blocks/Properties/AssemblyInfo.cs
similarity index 93%
rename from blocks/Properties/AssemblyInfo.cs
rename to de4dot.blocks/Properties/AssemblyInfo.cs
index a0dd84e7..59432fe2 100644
--- a/blocks/Properties/AssemblyInfo.cs
+++ b/de4dot.blocks/Properties/AssemblyInfo.cs
@@ -20,11 +20,11 @@
 using System.Reflection;
 using System.Runtime.InteropServices;
 
-[assembly: AssemblyTitle("blocks")]
+[assembly: AssemblyTitle("de4dot.blocks")]
 [assembly: AssemblyDescription("Modifies dnlib MethodDef bodies")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]
-[assembly: AssemblyProduct("blocks")]
+[assembly: AssemblyProduct("de4dot.blocks")]
 [assembly: AssemblyCopyright("Copyright (C) 2011-2013 de4dot@gmail.com")]
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
diff --git a/blocks/ScopeBlock.cs b/de4dot.blocks/ScopeBlock.cs
similarity index 100%
rename from blocks/ScopeBlock.cs
rename to de4dot.blocks/ScopeBlock.cs
diff --git a/blocks/TryBlock.cs b/de4dot.blocks/TryBlock.cs
similarity index 100%
rename from blocks/TryBlock.cs
rename to de4dot.blocks/TryBlock.cs
diff --git a/blocks/TryHandlerBlock.cs b/de4dot.blocks/TryHandlerBlock.cs
similarity index 100%
rename from blocks/TryHandlerBlock.cs
rename to de4dot.blocks/TryHandlerBlock.cs
diff --git a/blocks/Utils.cs b/de4dot.blocks/Utils.cs
similarity index 100%
rename from blocks/Utils.cs
rename to de4dot.blocks/Utils.cs
diff --git a/blocks/cflow/BlockCflowDeobfuscator.cs b/de4dot.blocks/cflow/BlockCflowDeobfuscator.cs
similarity index 100%
rename from blocks/cflow/BlockCflowDeobfuscator.cs
rename to de4dot.blocks/cflow/BlockCflowDeobfuscator.cs
diff --git a/blocks/cflow/BlockDeobfuscator.cs b/de4dot.blocks/cflow/BlockDeobfuscator.cs
similarity index 100%
rename from blocks/cflow/BlockDeobfuscator.cs
rename to de4dot.blocks/cflow/BlockDeobfuscator.cs
diff --git a/blocks/cflow/BlocksCflowDeobfuscator.cs b/de4dot.blocks/cflow/BlocksCflowDeobfuscator.cs
similarity index 100%
rename from blocks/cflow/BlocksCflowDeobfuscator.cs
rename to de4dot.blocks/cflow/BlocksCflowDeobfuscator.cs
diff --git a/blocks/cflow/BranchEmulator.cs b/de4dot.blocks/cflow/BranchEmulator.cs
similarity index 100%
rename from blocks/cflow/BranchEmulator.cs
rename to de4dot.blocks/cflow/BranchEmulator.cs
diff --git a/blocks/cflow/CachedCflowDeobfuscator.cs b/de4dot.blocks/cflow/CachedCflowDeobfuscator.cs
similarity index 100%
rename from blocks/cflow/CachedCflowDeobfuscator.cs
rename to de4dot.blocks/cflow/CachedCflowDeobfuscator.cs
diff --git a/blocks/cflow/CflowDeobfuscator.cs b/de4dot.blocks/cflow/CflowDeobfuscator.cs
similarity index 100%
rename from blocks/cflow/CflowDeobfuscator.cs
rename to de4dot.blocks/cflow/CflowDeobfuscator.cs
diff --git a/blocks/cflow/CflowUtils.cs b/de4dot.blocks/cflow/CflowUtils.cs
similarity index 100%
rename from blocks/cflow/CflowUtils.cs
rename to de4dot.blocks/cflow/CflowUtils.cs
diff --git a/blocks/cflow/ConstantsFolder.cs b/de4dot.blocks/cflow/ConstantsFolder.cs
similarity index 100%
rename from blocks/cflow/ConstantsFolder.cs
rename to de4dot.blocks/cflow/ConstantsFolder.cs
diff --git a/blocks/cflow/DeadCodeRemover.cs b/de4dot.blocks/cflow/DeadCodeRemover.cs
similarity index 100%
rename from blocks/cflow/DeadCodeRemover.cs
rename to de4dot.blocks/cflow/DeadCodeRemover.cs
diff --git a/blocks/cflow/DeadStoreRemover.cs b/de4dot.blocks/cflow/DeadStoreRemover.cs
similarity index 100%
rename from blocks/cflow/DeadStoreRemover.cs
rename to de4dot.blocks/cflow/DeadStoreRemover.cs
diff --git a/blocks/cflow/DupBlockDeobfuscator.cs b/de4dot.blocks/cflow/DupBlockDeobfuscator.cs
similarity index 100%
rename from blocks/cflow/DupBlockDeobfuscator.cs
rename to de4dot.blocks/cflow/DupBlockDeobfuscator.cs
diff --git a/blocks/cflow/IBlocksDeobfuscator.cs b/de4dot.blocks/cflow/IBlocksDeobfuscator.cs
similarity index 100%
rename from blocks/cflow/IBlocksDeobfuscator.cs
rename to de4dot.blocks/cflow/IBlocksDeobfuscator.cs
diff --git a/blocks/cflow/ICflowDeobfuscator.cs b/de4dot.blocks/cflow/ICflowDeobfuscator.cs
similarity index 100%
rename from blocks/cflow/ICflowDeobfuscator.cs
rename to de4dot.blocks/cflow/ICflowDeobfuscator.cs
diff --git a/blocks/cflow/InstructionEmulator.cs b/de4dot.blocks/cflow/InstructionEmulator.cs
similarity index 100%
rename from blocks/cflow/InstructionEmulator.cs
rename to de4dot.blocks/cflow/InstructionEmulator.cs
diff --git a/blocks/cflow/Int32Value.cs b/de4dot.blocks/cflow/Int32Value.cs
similarity index 100%
rename from blocks/cflow/Int32Value.cs
rename to de4dot.blocks/cflow/Int32Value.cs
diff --git a/blocks/cflow/Int64Value.cs b/de4dot.blocks/cflow/Int64Value.cs
similarity index 100%
rename from blocks/cflow/Int64Value.cs
rename to de4dot.blocks/cflow/Int64Value.cs
diff --git a/blocks/cflow/MethodCallInliner.cs b/de4dot.blocks/cflow/MethodCallInliner.cs
similarity index 100%
rename from blocks/cflow/MethodCallInliner.cs
rename to de4dot.blocks/cflow/MethodCallInliner.cs
diff --git a/blocks/cflow/MethodCallInlinerBase.cs b/de4dot.blocks/cflow/MethodCallInlinerBase.cs
similarity index 100%
rename from blocks/cflow/MethodCallInlinerBase.cs
rename to de4dot.blocks/cflow/MethodCallInlinerBase.cs
diff --git a/blocks/cflow/Real8Value.cs b/de4dot.blocks/cflow/Real8Value.cs
similarity index 100%
rename from blocks/cflow/Real8Value.cs
rename to de4dot.blocks/cflow/Real8Value.cs
diff --git a/blocks/cflow/StLdlocFixer.cs b/de4dot.blocks/cflow/StLdlocFixer.cs
similarity index 100%
rename from blocks/cflow/StLdlocFixer.cs
rename to de4dot.blocks/cflow/StLdlocFixer.cs
diff --git a/blocks/cflow/SwitchCflowDeobfuscator.cs b/de4dot.blocks/cflow/SwitchCflowDeobfuscator.cs
similarity index 100%
rename from blocks/cflow/SwitchCflowDeobfuscator.cs
rename to de4dot.blocks/cflow/SwitchCflowDeobfuscator.cs
diff --git a/blocks/cflow/Value.cs b/de4dot.blocks/cflow/Value.cs
similarity index 100%
rename from blocks/cflow/Value.cs
rename to de4dot.blocks/cflow/Value.cs
diff --git a/blocks/cflow/ValueStack.cs b/de4dot.blocks/cflow/ValueStack.cs
similarity index 100%
rename from blocks/cflow/ValueStack.cs
rename to de4dot.blocks/cflow/ValueStack.cs
diff --git a/blocks/blocks.csproj b/de4dot.blocks/de4dot.blocks.csproj
similarity index 98%
rename from blocks/blocks.csproj
rename to de4dot.blocks/de4dot.blocks.csproj
index a0bae6cc..ce78064d 100644
--- a/blocks/blocks.csproj
+++ b/de4dot.blocks/de4dot.blocks.csproj
@@ -9,7 +9,7 @@
     <OutputType>Library</OutputType>
     <AppDesignerFolder>Properties</AppDesignerFolder>
     <RootNamespace>de4dot.blocks</RootNamespace>
-    <AssemblyName>blocks</AssemblyName>
+    <AssemblyName>de4dot.blocks</AssemblyName>
     <TargetFrameworkVersion>v2.0</TargetFrameworkVersion>
     <FileAlignment>512</FileAlignment>
     <SignAssembly>true</SignAssembly>
diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 278f80bd..55c6a658 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -335,9 +335,9 @@
       <Project>{FBD84077-9D35-41FE-89DF-8D79EFE0B595}</Project>
       <Name>AssemblyData</Name>
     </ProjectReference>
-    <ProjectReference Include="..\blocks\blocks.csproj">
+    <ProjectReference Include="..\de4dot.blocks\de4dot.blocks.csproj">
       <Project>{045B96F2-AF80-4C4C-8D27-E38635AC705E}</Project>
-      <Name>blocks</Name>
+      <Name>de4dot.blocks</Name>
     </ProjectReference>
     <ProjectReference Include="..\de4dot.mdecrypt\de4dot.mdecrypt.csproj">
       <Project>{5C93C5E2-196F-4877-BF65-96FEBFCEFCA1}</Project>
diff --git a/de4dot.cui/de4dot.cui.csproj b/de4dot.cui/de4dot.cui.csproj
index c45e105c..04c6257e 100644
--- a/de4dot.cui/de4dot.cui.csproj
+++ b/de4dot.cui/de4dot.cui.csproj
@@ -43,9 +43,9 @@
     <Compile Include="Properties\AssemblyInfo.cs" />
   </ItemGroup>
   <ItemGroup>
-    <ProjectReference Include="..\blocks\blocks.csproj">
+    <ProjectReference Include="..\de4dot.blocks\de4dot.blocks.csproj">
       <Project>{045B96F2-AF80-4C4C-8D27-E38635AC705E}</Project>
-      <Name>blocks</Name>
+      <Name>de4dot.blocks</Name>
     </ProjectReference>
     <ProjectReference Include="..\de4dot.code\de4dot.code.csproj">
       <Project>{4D10B9EB-3BF1-4D61-A389-CB019E8C9622}</Project>
diff --git a/de4dot.mdecrypt/de4dot.mdecrypt.csproj b/de4dot.mdecrypt/de4dot.mdecrypt.csproj
index 0b174366..a3d3718c 100644
--- a/de4dot.mdecrypt/de4dot.mdecrypt.csproj
+++ b/de4dot.mdecrypt/de4dot.mdecrypt.csproj
@@ -42,9 +42,9 @@
     <Compile Include="Properties\AssemblyInfo.cs" />
   </ItemGroup>
   <ItemGroup>
-    <ProjectReference Include="..\blocks\blocks.csproj">
+    <ProjectReference Include="..\de4dot.blocks\de4dot.blocks.csproj">
       <Project>{045B96F2-AF80-4C4C-8D27-E38635AC705E}</Project>
-      <Name>blocks</Name>
+      <Name>de4dot.blocks</Name>
     </ProjectReference>
     <ProjectReference Include="..\dnlib\src\dnlib.csproj">
       <Project>{FDFC1237-143F-4919-8318-4926901F4639}</Project>
diff --git a/de4dot.sln b/de4dot.sln
index 20f8952c..d73491bd 100644
--- a/de4dot.sln
+++ b/de4dot.sln
@@ -17,7 +17,7 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AssemblyServer", "AssemblyS
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AssemblyServer-x64", "AssemblyServer-x64\AssemblyServer-x64.csproj", "{F458A89A-AEAB-4965-AA4D-393C9F7411D0}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "blocks", "blocks\blocks.csproj", "{045B96F2-AF80-4C4C-8D27-E38635AC705E}"
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "de4dot.blocks", "de4dot.blocks\de4dot.blocks.csproj", "{045B96F2-AF80-4C4C-8D27-E38635AC705E}"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "de4dot.cui", "de4dot.cui\de4dot.cui.csproj", "{879E4A7E-C320-42D2-8275-4F1E44CE64AA}"
 EndProject

From 478595708b0e2cc879919dfcdf6a6e794948daf8 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 12 Oct 2013 01:00:50 +0200
Subject: [PATCH 13/58] Add MethodCallInliner::GetFirstInstruction()

---
 de4dot.blocks/cflow/MethodCallInliner.cs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/de4dot.blocks/cflow/MethodCallInliner.cs b/de4dot.blocks/cflow/MethodCallInliner.cs
index 3504a658..4265e706 100644
--- a/de4dot.blocks/cflow/MethodCallInliner.cs
+++ b/de4dot.blocks/cflow/MethodCallInliner.cs
@@ -55,6 +55,10 @@ namespace de4dot.blocks.cflow {
 			return inlineInstanceMethods;
 		}
 
+		protected virtual Instruction GetFirstInstruction(IList<Instruction> instrs, ref int index) {
+			return DotNetUtils.GetInstruction(instrs, ref index);
+		}
+
 		bool InlineMethod(Instruction callInstr, int instrIndex) {
 			var methodToInline = callInstr.Operand as MethodDef;
 			if (methodToInline == null)
@@ -67,7 +71,7 @@ namespace de4dot.blocks.cflow {
 				return false;
 
 			int index = 0;
-			var instr = DotNetUtils.GetInstruction(body.Instructions, ref index);
+			var instr = GetFirstInstruction(body.Instructions, ref index);
 			if (instr == null)
 				return false;
 

From b6b0fe540382e4bcecc234e7e9bd3dd116ad7d54 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 12 Oct 2013 01:04:49 +0200
Subject: [PATCH 14/58] Use int and not Int32

---
 AssemblyData/AssemblyServer.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/AssemblyData/AssemblyServer.cs b/AssemblyData/AssemblyServer.cs
index 337fc55c..a9110bd1 100644
--- a/AssemblyData/AssemblyServer.cs
+++ b/AssemblyData/AssemblyServer.cs
@@ -29,7 +29,7 @@ namespace AssemblyServer {
 		public static int Main2(string[] args) {
 			if (args.Length != 3)
 				Environment.Exit(1);
-			var serviceType = (AssemblyServiceType)Int32.Parse(args[0]);
+			var serviceType = (AssemblyServiceType)int.Parse(args[0]);
 			var channelName = args[1];
 			var uri = args[2];
 

From 8dc72490338b0f3ec58c155a4309b7621b1be552 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 12 Oct 2013 12:12:16 +0200
Subject: [PATCH 15/58] Add updated dnlib

---
 dnlib | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dnlib b/dnlib
index 29c5bfd1..236585fb 160000
--- a/dnlib
+++ b/dnlib
@@ -1 +1 @@
-Subproject commit 29c5bfd1e57ea8041034cce69e8b741613126a52
+Subproject commit 236585fbdf5693f3e4ee92a858bbf70e9657a386

From 689635cf6918120ebf6a34d66b53e38ab8fbb5e8 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 13 Oct 2013 08:49:34 +0200
Subject: [PATCH 16/58] Support .NET Reactor 4.5 (an updated version) and 4.6

---
 de4dot.code/de4dot.code.csproj                |  1 +
 .../dotNET_Reactor/v4/Deobfuscator.cs         | 63 ++++++++++++++--
 .../dotNET_Reactor/v4/DnrMethodCallInliner.cs | 59 +++++++++++++++
 .../dotNET_Reactor/v4/MethodsDecrypter.cs     | 75 +++++++++++++++----
 4 files changed, 177 insertions(+), 21 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/dotNET_Reactor/v4/DnrMethodCallInliner.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 55c6a658..7a89a627 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -157,6 +157,7 @@
     <Compile Include="deobfuscators\DeobUtils.cs" />
     <Compile Include="deobfuscators\Dotfuscator\Deobfuscator.cs" />
     <Compile Include="deobfuscators\Dotfuscator\StringDecrypter.cs" />
+    <Compile Include="deobfuscators\dotNET_Reactor\v4\DnrMethodCallInliner.cs" />
     <Compile Include="deobfuscators\Eazfuscator_NET\Dynocode.cs" />
     <Compile Include="deobfuscators\MyPEImage.cs" />
     <Compile Include="deobfuscators\dotNET_Reactor\v3\AntiStrongName.cs" />
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
index 85526e2a..360c0e9d 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
@@ -26,6 +26,7 @@ using dnlib.DotNet;
 using dnlib.DotNet.Emit;
 using dnlib.DotNet.Writer;
 using de4dot.blocks;
+using de4dot.blocks.cflow;
 
 namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
@@ -142,6 +143,15 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			get { return startedDeobfuscating ? options.InlineMethods : true; }
 		}
 
+		public override IEnumerable<IBlocksDeobfuscator> BlocksDeobfuscators {
+			get {
+				var list = new List<IBlocksDeobfuscator>();
+				if (CanInlineMethods)
+					list.Add(new DnrMethodCallInliner());
+				return list;
+			}
+		}
+
 		public Deobfuscator(Options options)
 			: base(options) {
 			this.options = options;
@@ -333,8 +343,12 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			}
 
 			var compileMethod = MethodsDecrypter.FindDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
-			if (compileMethod == null)
-				return DeobfuscatorInfo.THE_NAME + " < 4.0";
+			if (compileMethod == null) {
+				DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
+				if (!MethodsDecrypter.IsNewer45Decryption(methodsDecrypter.Method))
+					return DeobfuscatorInfo.THE_NAME + " < 4.0";
+				return DeobfuscatorInfo.THE_NAME + " 4.5+";
+			}
 			DeobfuscatedFile.Deobfuscate(compileMethod);
 			bool compileMethodHasConstant_0x70000000 = DeobUtils.HasInteger(compileMethod, 0x70000000);	// 4.0-4.1
 			DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
@@ -346,11 +360,27 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 				return DeobfuscatorInfo.THE_NAME + " 4.0";
 			}
 			if (!hasCorEnableProfilingString) {
-				// 4.x or 4.5
+				// 4.x or 4.5 - 4.6
 				bool callsReverse = DotNetUtils.CallsMethod(methodsDecrypter.Method, "System.Void System.Array::Reverse(System.Array)");
 				if (!callsReverse)
-					return DeobfuscatorInfo.THE_NAME + " 4.x";
-				return DeobfuscatorInfo.THE_NAME + " 4.5";
+					return DeobfuscatorInfo.THE_NAME + " 4.0 - 4.4";
+
+				int numIntPtrSizeCompares = CountCompareSystemIntPtrSize(methodsDecrypter.Method);
+				if (module.IsClr40) {
+					switch (numIntPtrSizeCompares) {
+					case 9: return DeobfuscatorInfo.THE_NAME + " 4.5";
+					case 10:return DeobfuscatorInfo.THE_NAME + " 4.6";
+					}
+				}
+				else {
+					switch (numIntPtrSizeCompares) {
+					case 8: return DeobfuscatorInfo.THE_NAME + " 4.5";
+					case 9: return DeobfuscatorInfo.THE_NAME + " 4.6";
+					}
+				}
+
+				// Should never be reached unless it's a new version
+				return DeobfuscatorInfo.THE_NAME + " 4.5+";
 			}
 
 			// 4.2-4.4
@@ -364,6 +394,29 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			return DeobfuscatorInfo.THE_NAME + " 4.3";
 		}
 
+		static int CountCompareSystemIntPtrSize(MethodDef method) {
+			if (method == null || method.Body == null)
+				return 0;
+			int count = 0;
+			var instrs = method.Body.Instructions;
+			for (int i = 1; i < instrs.Count - 1; i++) {
+				var ldci4 = instrs[i];
+				if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 4)
+					continue;
+				if (!instrs[i + 1].IsConditionalBranch())
+					continue;
+				var call = instrs[i - 1];
+				if (call.OpCode.Code != Code.Call)
+					continue;
+				var calledMethod = call.Operand as MemberRef;
+				if (calledMethod == null || calledMethod.FullName != "System.Int32 System.IntPtr::get_Size()")
+					continue;
+
+				count++;
+			}
+			return count;
+		}
+
 		static bool FindString(MethodDef method, string s) {
 			foreach (var cs in DotNetUtils.GetCodeStrings(method)) {
 				if (cs == s)
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/DnrMethodCallInliner.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/DnrMethodCallInliner.cs
new file mode 100644
index 00000000..2a3324b6
--- /dev/null
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/DnrMethodCallInliner.cs
@@ -0,0 +1,59 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using dnlib.DotNet.Emit;
+using de4dot.blocks;
+using de4dot.blocks.cflow;
+
+namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
+	class DnrMethodCallInliner : MethodCallInliner {
+		public DnrMethodCallInliner()
+			: base(false) {
+		}
+
+		protected override Instruction GetFirstInstruction(IList<Instruction> instrs, ref int index) {
+			var instr = GetFirstInstruction(instrs, index);
+			if (instr != null)
+				index = instrs.IndexOf(instr);
+			return DotNetUtils.GetInstruction(instrs, ref index);
+		}
+
+		Instruction GetFirstInstruction(IList<Instruction> instrs, int index) {
+			try {
+				var instr = instrs[index];
+				if (!instr.IsBr())
+					return null;
+				instr = instr.Operand as Instruction;
+				if (instr == null)
+					return null;
+				if (!instr.IsLdcI4() || instr.GetLdcI4Value() != 0)
+					return null;
+				instr = instrs[instrs.IndexOf(instr) + 1];
+				if (!instr.IsBrtrue())
+					return null;
+				return instrs[instrs.IndexOf(instr) + 1];
+			}
+			catch {
+				return null;
+			}
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs
index 8d538834..cc9a7dc3 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs
@@ -121,8 +121,8 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			}
 		}
 
-		static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 };
-		static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
+		readonly static short[] nativeLdci4 = new short[] { 0x55, 0x8B, 0xEC, 0xB8, -1, -1, -1, -1, 0x5D, 0xC3 };
+		readonly static short[] nativeLdci4_0 = new short[] { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
 		public bool Decrypt(MyPEImage peImage, ISimpleDeobfuscator simpleDeobfuscator, ref DumpedMethods dumpedMethods, Dictionary<uint, byte[]> tokenToNativeCode, bool unpackedNativeFile) {
 			if (encryptedResource.Method == null)
 				return false;
@@ -157,27 +157,29 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 				}
 			}
 			else if (!hooksJitter || mode == 1) {
-				// DNR 3.9.8.0, 4.0, 4.1, 4.2, 4.3, 4.4
-
-				// If it's .NET 1.x, then offsets are used, not RVAs.
-				bool useOffsets = unpackedNativeFile && module.IsClr1x;
+				// DNR 3.9.8.0, 4.0+
 
 				PatchDwords(peImage, methodsDataReader, patchCount);
+				bool oldCode = !IsNewer45Decryption(encryptedResource.Method);
 				while (methodsDataReader.Position < methodsData.Length - 1) {
 					uint rva = methodsDataReader.ReadUInt32();
-					uint token = methodsDataReader.ReadUInt32();	// token, unknown, or index
-					int size = methodsDataReader.ReadInt32();
-					if (size > 0) {
-						var newData = methodsDataReader.ReadBytes(size);
-						if (useOffsets)
-							peImage.DotNetSafeWriteOffset(rva, newData);
-						else
-							peImage.DotNetSafeWrite(rva, newData);
+					int size;
+					if (oldCode) {
+						methodsDataReader.ReadUInt32();	// token, unknown, or index
+						size = methodsDataReader.ReadInt32();
 					}
+					else
+						size = methodsDataReader.ReadInt32() * 4;
+
+					var newData = methodsDataReader.ReadBytes(size);
+					if (unpackedNativeFile)
+						peImage.DotNetSafeWriteOffset(rva, newData);
+					else
+						peImage.DotNetSafeWrite(rva, newData);
 				}
 			}
 			else {
-				// DNR 4.0 - 4.5 (jitter is hooked)
+				// DNR 4.0+ (jitter is hooked)
 
 				var methodDef = peImage.DotNetFile.MetaData.TablesStream.MethodTable;
 				var rvaToIndex = new Dictionary<uint, int>((int)methodDef.Rows);
@@ -258,6 +260,33 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			return true;
 		}
 
+		public static bool IsNewer45Decryption(MethodDef method) {
+			if (method == null || method.Body == null)
+				return false;
+
+			var instrs = method.Body.Instructions;
+			for (int i = 0; i < instrs.Count - 4; i++) {
+				var ldci4 = instrs[i];
+				if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 4)
+					continue;
+				if (instrs[i + 1].OpCode.Code != Code.Mul)
+					continue;
+				ldci4 = instrs[i + 2];
+				if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 4)
+					continue;
+				if (instrs[i + 3].OpCode.Code != Code.Ldloca_S && instrs[i + 3].OpCode.Code != Code.Ldloca)
+					continue;
+				var call = instrs[i + 4];
+				if (call.OpCode.Code != Code.Call)
+					continue;
+				if (!DotNetUtils.IsPinvokeMethod(call.Operand as MethodDef, "kernel32", "VirtualProtect"))
+					continue;
+
+				return true;
+			}
+			return false;
+		}
+
 		static void PatchDwords(MyPEImage peImage, IBinaryReader reader, int count) {
 			for (int i = 0; i < count; i++) {
 				uint rva = reader.ReadUInt32();
@@ -363,6 +392,12 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			Array.Copy(encrypted, resourceData, resourceData.Length);
 		}
 
+		enum CompileMethodType {
+			Unknown,
+			V1,	// <= DNR 4.5.0.0 (2012-11-06 <= endDate < 2013-01-31)
+			V2,	// >= DNR 4.5.0.0 (2012-11-06 < startDate <= 2013-01-31)
+		}
+
 		public static MethodDef FindDnrCompileMethod(TypeDef type) {
 			foreach (var method in type.Methods) {
 				if (!method.IsStatic || method.Body == null)
@@ -370,11 +405,19 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 				var sig = method.MethodSig;
 				if (sig == null || sig.Params.Count != 6)
 					continue;
-				if (!DotNetUtils.IsMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
+				if (GetCompileMethodType(method) == CompileMethodType.Unknown)
 					continue;
 				return method;
 			}
 			return null;
 		}
+
+		static CompileMethodType GetCompileMethodType(MethodDef method) {
+			if (DotNetUtils.IsMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
+				return CompileMethodType.V1;
+			if (DotNetUtils.IsMethod(method, "System.UInt32", "(System.IntPtr,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr,System.UInt32&)"))
+				return CompileMethodType.V2;
+			return CompileMethodType.Unknown;
+		}
 	}
 }

From ad5fb7067372890cb2f433c1db3582229ee2902a Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 13 Oct 2013 10:23:31 +0200
Subject: [PATCH 17/58] Support latest Rummage

---
 de4dot.code/deobfuscators/Rummage/Deobfuscator.cs    | 2 +-
 de4dot.code/deobfuscators/Rummage/RummageVersion.cs  | 2 +-
 de4dot.code/deobfuscators/Rummage/StringDecrypter.cs | 1 -
 3 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/de4dot.code/deobfuscators/Rummage/Deobfuscator.cs b/de4dot.code/deobfuscators/Rummage/Deobfuscator.cs
index 5b517de5..fb50b00f 100644
--- a/de4dot.code/deobfuscators/Rummage/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Rummage/Deobfuscator.cs
@@ -88,7 +88,7 @@ namespace de4dot.code.deobfuscators.Rummage {
 			string version;
 			switch (stringDecrypter.Version) {
 			case RummageVersion.V1_1_445: version = "v1.1 - v2.0"; break;
-			case RummageVersion.V2_1_729: version = "v2.1 - v2.2"; break;
+			case RummageVersion.V2_1_729: version = "v2.1+"; break;
 			default: version = null; break;
 			}
 			if (version != null)
diff --git a/de4dot.code/deobfuscators/Rummage/RummageVersion.cs b/de4dot.code/deobfuscators/Rummage/RummageVersion.cs
index 00e795e6..cddbd5b7 100644
--- a/de4dot.code/deobfuscators/Rummage/RummageVersion.cs
+++ b/de4dot.code/deobfuscators/Rummage/RummageVersion.cs
@@ -21,6 +21,6 @@ namespace de4dot.code.deobfuscators.Rummage {
 	enum RummageVersion {
 		Unknown,
 		V1_1_445,	// 1.1.445.2781 - 2.0.640.3707
-		V2_1_729,	// 2.1.729.3909 - 2.2.750.3964
+		V2_1_729,	// 2.1.729.3909 - 3.1.1016.4804
 	}
 }
diff --git a/de4dot.code/deobfuscators/Rummage/StringDecrypter.cs b/de4dot.code/deobfuscators/Rummage/StringDecrypter.cs
index cddd02c5..a166be6f 100644
--- a/de4dot.code/deobfuscators/Rummage/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/Rummage/StringDecrypter.cs
@@ -204,7 +204,6 @@ namespace de4dot.code.deobfuscators.Rummage {
 				"System.Int64",
 			};
 			static readonly string[] requiredLocals = new string[] {
-				"System.Boolean",
 				"System.Byte[]",
 				"System.Int32",
 				"System.IO.FileStream",

From 3cf63a5f7e551c8b8424ad50b9ff7236e6412116 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 15 Oct 2013 10:12:41 +0200
Subject: [PATCH 18/58] Emulate some more instructions

---
 de4dot.blocks/cflow/InstructionEmulator.cs | 282 +++++++++++++++++++--
 de4dot.blocks/cflow/Int32Value.cs          | 204 +++++++++++++--
 de4dot.blocks/cflow/Int64Value.cs          | 205 ++++++++++++++-
 de4dot.blocks/cflow/Real8Value.cs          |  64 +++++
 4 files changed, 703 insertions(+), 52 deletions(-)

diff --git a/de4dot.blocks/cflow/InstructionEmulator.cs b/de4dot.blocks/cflow/InstructionEmulator.cs
index 3345cf64..1e9468c2 100644
--- a/de4dot.blocks/cflow/InstructionEmulator.cs
+++ b/de4dot.blocks/cflow/InstructionEmulator.cs
@@ -297,8 +297,8 @@ namespace de4dot.blocks.cflow {
 			case Code.Ldc_I8:	valueStack.Push(new Int64Value((long)instr.Operand)); break;
 			case Code.Ldc_R4:	valueStack.Push(new Real8Value((float)instr.Operand)); break;
 			case Code.Ldc_R8:	valueStack.Push(new Real8Value((double)instr.Operand)); break;
-			case Code.Ldc_I4_0:	valueStack.Push(Int32Value.zero); break;
-			case Code.Ldc_I4_1:	valueStack.Push(Int32Value.one); break;
+			case Code.Ldc_I4_0:	valueStack.Push(Int32Value.Zero); break;
+			case Code.Ldc_I4_1:	valueStack.Push(Int32Value.One); break;
 			case Code.Ldc_I4_2:	valueStack.Push(new Int32Value(2)); break;
 			case Code.Ldc_I4_3:	valueStack.Push(new Int32Value(3)); break;
 			case Code.Ldc_I4_4:	valueStack.Push(new Int32Value(4)); break;
@@ -347,29 +347,29 @@ namespace de4dot.blocks.cflow {
 			case Code.Castclass: Emulate_Castclass(instr); break;
 			case Code.Isinst:	Emulate_Isinst(instr); break;
 
-			case Code.Add_Ovf:	EmulateIntOps2(); break;
-			case Code.Add_Ovf_Un: EmulateIntOps2(); break;
-			case Code.Sub_Ovf:	EmulateIntOps2(); break;
-			case Code.Sub_Ovf_Un: EmulateIntOps2(); break;
-			case Code.Mul_Ovf:	EmulateIntOps2(); break;
-			case Code.Mul_Ovf_Un: EmulateIntOps2(); break;
+			case Code.Add_Ovf:	Emulate_Add_Ovf(instr); break;
+			case Code.Add_Ovf_Un: Emulate_Add_Ovf_Un(instr); break;
+			case Code.Sub_Ovf:	Emulate_Sub_Ovf(instr); break;
+			case Code.Sub_Ovf_Un: Emulate_Sub_Ovf_Un(instr); break;
+			case Code.Mul_Ovf:	Emulate_Mul_Ovf(instr); break;
+			case Code.Mul_Ovf_Un: Emulate_Mul_Ovf_Un(instr); break;
 
-			case Code.Conv_Ovf_I1:
-			case Code.Conv_Ovf_I1_Un: valueStack.Pop(); valueStack.Push(Int32Value.CreateUnknown()); break;
-			case Code.Conv_Ovf_I2:
-			case Code.Conv_Ovf_I2_Un: valueStack.Pop(); valueStack.Push(Int32Value.CreateUnknown()); break;
-			case Code.Conv_Ovf_I4:
-			case Code.Conv_Ovf_I4_Un: valueStack.Pop(); valueStack.Push(Int32Value.CreateUnknown()); break;
-			case Code.Conv_Ovf_I8:
-			case Code.Conv_Ovf_I8_Un: valueStack.Pop(); valueStack.Push(Int64Value.CreateUnknown()); break;
-			case Code.Conv_Ovf_U1:
-			case Code.Conv_Ovf_U1_Un: valueStack.Pop(); valueStack.Push(Int32Value.CreateUnknownUInt8()); break;
-			case Code.Conv_Ovf_U2:
-			case Code.Conv_Ovf_U2_Un: valueStack.Pop(); valueStack.Push(Int32Value.CreateUnknownUInt16()); break;
-			case Code.Conv_Ovf_U4:
-			case Code.Conv_Ovf_U4_Un: valueStack.Pop(); valueStack.Push(Int32Value.CreateUnknown()); break;
-			case Code.Conv_Ovf_U8:
-			case Code.Conv_Ovf_U8_Un: valueStack.Pop(); valueStack.Push(Int64Value.CreateUnknown()); break;
+			case Code.Conv_Ovf_I1:		Emulate_Conv_Ovf_I1(instr); break;
+			case Code.Conv_Ovf_I1_Un:	Emulate_Conv_Ovf_I1_Un(instr); break;
+			case Code.Conv_Ovf_I2:		Emulate_Conv_Ovf_I2(instr); break;
+			case Code.Conv_Ovf_I2_Un:	Emulate_Conv_Ovf_I2_Un(instr); break;
+			case Code.Conv_Ovf_I4:		Emulate_Conv_Ovf_I4(instr); break;
+			case Code.Conv_Ovf_I4_Un:	Emulate_Conv_Ovf_I4_Un(instr); break;
+			case Code.Conv_Ovf_I8:		Emulate_Conv_Ovf_I8(instr); break;
+			case Code.Conv_Ovf_I8_Un:	Emulate_Conv_Ovf_I8_Un(instr); break;
+			case Code.Conv_Ovf_U1:		Emulate_Conv_Ovf_U1(instr); break;
+			case Code.Conv_Ovf_U1_Un:	Emulate_Conv_Ovf_U1_Un(instr); break;
+			case Code.Conv_Ovf_U2:		Emulate_Conv_Ovf_U2(instr); break;
+			case Code.Conv_Ovf_U2_Un:	Emulate_Conv_Ovf_U2_Un(instr); break;
+			case Code.Conv_Ovf_U4:		Emulate_Conv_Ovf_U4(instr); break;
+			case Code.Conv_Ovf_U4_Un:	Emulate_Conv_Ovf_U4_Un(instr); break;
+			case Code.Conv_Ovf_U8:		Emulate_Conv_Ovf_U8(instr); break;
+			case Code.Conv_Ovf_U8_Un:	Emulate_Conv_Ovf_U8_Un(instr); break;
 
 			case Code.Ldelem_I1: valueStack.Pop(2); valueStack.Push(Int32Value.CreateUnknown()); break;
 			case Code.Ldelem_I2: valueStack.Pop(2); valueStack.Push(Int32Value.CreateUnknown()); break;
@@ -595,6 +595,166 @@ namespace de4dot.blocks.cflow {
 			}
 		}
 
+		void Emulate_Conv_Ovf_I1(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_I1((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_I1((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_I1((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknown()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_I1_Un(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_I1_Un((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_I1_Un((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_I1_Un((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknown()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_I2(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_I2((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_I2((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_I2((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknown()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_I2_Un(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_I2_Un((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_I2_Un((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_I2_Un((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknown()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_I4(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_I4((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_I4((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_I4((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknown()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_I4_Un(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_I4_Un((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_I4_Un((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_I4_Un((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknown()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_I8(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_I8((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_I8((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_I8((Real8Value)val1)); break;
+			default:				valueStack.Push(Int64Value.CreateUnknown()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_I8_Un(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_I8_Un((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_I8_Un((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_I8_Un((Real8Value)val1)); break;
+			default:				valueStack.Push(Int64Value.CreateUnknown()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_U1(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_U1((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_U1((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_U1((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknownUInt8()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_U1_Un(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_U1_Un((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_U1_Un((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_U1_Un((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknownUInt8()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_U2(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_U2((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_U2((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_U2((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknownUInt16()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_U2_Un(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_U2_Un((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_U2_Un((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_U2_Un((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknownUInt16()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_U4(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_U4((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_U4((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_U4((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknown()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_U4_Un(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_U4_Un((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_U4_Un((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_U4_Un((Real8Value)val1)); break;
+			default:				valueStack.Push(Int32Value.CreateUnknown()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_U8(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_U8((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_U8((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_U8((Real8Value)val1)); break;
+			default:				valueStack.Push(Int64Value.CreateUnknown()); break;
+			}
+		}
+
+		void Emulate_Conv_Ovf_U8_Un(Instruction instr) {
+			var val1 = valueStack.Pop();
+			switch (val1.valueType) {
+			case ValueType.Int32:	valueStack.Push(Int32Value.Conv_Ovf_U8_Un((Int32Value)val1)); break;
+			case ValueType.Int64:	valueStack.Push(Int64Value.Conv_Ovf_U8_Un((Int64Value)val1)); break;
+			case ValueType.Real8:	valueStack.Push(Real8Value.Conv_Ovf_U8_Un((Real8Value)val1)); break;
+			default:				valueStack.Push(Int64Value.CreateUnknown()); break;
+			}
+		}
+
 		void Emulate_Add(Instruction instr) {
 			var val2 = valueStack.Pop();
 			var val1 = valueStack.Pop();
@@ -702,6 +862,78 @@ namespace de4dot.blocks.cflow {
 				valueStack.PushUnknown();
 		}
 
+		void Emulate_Add_Ovf(Instruction instr) {
+			var val2 = valueStack.Pop();
+			var val1 = valueStack.Pop();
+
+			if (val1.IsInt32() && val2.IsInt32())
+				valueStack.Push(Int32Value.Add_Ovf((Int32Value)val1, (Int32Value)val2));
+			else if (val1.IsInt64() && val2.IsInt64())
+				valueStack.Push(Int64Value.Add_Ovf((Int64Value)val1, (Int64Value)val2));
+			else
+				valueStack.PushUnknown();
+		}
+
+		void Emulate_Add_Ovf_Un(Instruction instr) {
+			var val2 = valueStack.Pop();
+			var val1 = valueStack.Pop();
+
+			if (val1.IsInt32() && val2.IsInt32())
+				valueStack.Push(Int32Value.Add_Ovf_Un((Int32Value)val1, (Int32Value)val2));
+			else if (val1.IsInt64() && val2.IsInt64())
+				valueStack.Push(Int64Value.Add_Ovf_Un((Int64Value)val1, (Int64Value)val2));
+			else
+				valueStack.PushUnknown();
+		}
+
+		void Emulate_Sub_Ovf(Instruction instr) {
+			var val2 = valueStack.Pop();
+			var val1 = valueStack.Pop();
+
+			if (val1.IsInt32() && val2.IsInt32())
+				valueStack.Push(Int32Value.Sub_Ovf((Int32Value)val1, (Int32Value)val2));
+			else if (val1.IsInt64() && val2.IsInt64())
+				valueStack.Push(Int64Value.Sub_Ovf((Int64Value)val1, (Int64Value)val2));
+			else
+				valueStack.PushUnknown();
+		}
+
+		void Emulate_Sub_Ovf_Un(Instruction instr) {
+			var val2 = valueStack.Pop();
+			var val1 = valueStack.Pop();
+
+			if (val1.IsInt32() && val2.IsInt32())
+				valueStack.Push(Int32Value.Sub_Ovf_Un((Int32Value)val1, (Int32Value)val2));
+			else if (val1.IsInt64() && val2.IsInt64())
+				valueStack.Push(Int64Value.Sub_Ovf_Un((Int64Value)val1, (Int64Value)val2));
+			else
+				valueStack.PushUnknown();
+		}
+
+		void Emulate_Mul_Ovf(Instruction instr) {
+			var val2 = valueStack.Pop();
+			var val1 = valueStack.Pop();
+
+			if (val1.IsInt32() && val2.IsInt32())
+				valueStack.Push(Int32Value.Mul_Ovf((Int32Value)val1, (Int32Value)val2));
+			else if (val1.IsInt64() && val2.IsInt64())
+				valueStack.Push(Int64Value.Mul_Ovf((Int64Value)val1, (Int64Value)val2));
+			else
+				valueStack.PushUnknown();
+		}
+
+		void Emulate_Mul_Ovf_Un(Instruction instr) {
+			var val2 = valueStack.Pop();
+			var val1 = valueStack.Pop();
+
+			if (val1.IsInt32() && val2.IsInt32())
+				valueStack.Push(Int32Value.Mul_Ovf_Un((Int32Value)val1, (Int32Value)val2));
+			else if (val1.IsInt64() && val2.IsInt64())
+				valueStack.Push(Int64Value.Mul_Ovf_Un((Int64Value)val1, (Int64Value)val2));
+			else
+				valueStack.PushUnknown();
+		}
+
 		void Emulate_And(Instruction instr) {
 			var val2 = valueStack.Pop();
 			var val1 = valueStack.Pop();
@@ -794,7 +1026,7 @@ namespace de4dot.blocks.cflow {
 			else if (val1.IsInt64() && val2.IsInt64())
 				valueStack.Push(Int64Value.Ceq((Int64Value)val1, (Int64Value)val2));
 			else if (val1.IsNull() && val2.IsNull())
-				valueStack.Push(Int32Value.one);
+				valueStack.Push(Int32Value.One);
 			else
 				valueStack.Push(Int32Value.CreateUnknownBool());
 		}
diff --git a/de4dot.blocks/cflow/Int32Value.cs b/de4dot.blocks/cflow/Int32Value.cs
index f885bf6a..94008b9d 100644
--- a/de4dot.blocks/cflow/Int32Value.cs
+++ b/de4dot.blocks/cflow/Int32Value.cs
@@ -21,10 +21,10 @@ using System;
 
 namespace de4dot.blocks.cflow {
 	public class Int32Value : Value {
-		public static readonly Int32Value zero = new Int32Value(0);
-		public static readonly Int32Value one = new Int32Value(1);
+		public static readonly Int32Value Zero = new Int32Value(0);
+		public static readonly Int32Value One = new Int32Value(1);
 
-		const uint NO_UNKNOWN_BITS = uint.MaxValue;
+		internal const uint NO_UNKNOWN_BITS = uint.MaxValue;
 		public readonly int value;
 		public readonly uint validMask;
 
@@ -56,6 +56,10 @@ namespace de4dot.blocks.cflow {
 			return (validMask & (1U << n)) != 0;
 		}
 
+		bool AreBitsValid(uint bitsToTest) {
+			return (validMask & bitsToTest) == bitsToTest;
+		}
+
 		public static Int32Value CreateUnknownBool() {
 			return new Int32Value(0, NO_UNKNOWN_BITS << 1);
 		}
@@ -214,6 +218,107 @@ namespace de4dot.blocks.cflow {
 			return new Int32Value((int)a.value);
 		}
 
+		bool CheckSign(uint mask) {
+			return ((uint)value & mask) == 0 || ((uint)value & mask) == mask;
+		}
+
+		public static Int32Value Conv_Ovf_I1(Int32Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 7) ||
+				!a.CheckSign(NO_UNKNOWN_BITS << 7))
+				return CreateUnknown();
+			return Conv_I1(a);
+		}
+
+		public static Int32Value Conv_Ovf_I1_Un(Int32Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 7) ||
+				(uint)a.value > sbyte.MaxValue)
+				return CreateUnknown();
+			return Conv_I1(a);
+		}
+
+		public static Int32Value Conv_Ovf_I2(Int32Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 15) ||
+				!a.CheckSign(NO_UNKNOWN_BITS << 15))
+				return CreateUnknown();
+			return Conv_I2(a);
+		}
+
+		public static Int32Value Conv_Ovf_I2_Un(Int32Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 15) ||
+				(uint)a.value > short.MaxValue)
+				return CreateUnknown();
+			return Conv_I2(a);
+		}
+
+		public static Int32Value Conv_Ovf_I4(Int32Value a) {
+			return a;
+		}
+
+		public static Int32Value Conv_Ovf_I4_Un(Int32Value a) {
+			if (!IsBitValid(a.validMask, 31) || a.value < 0)
+				return CreateUnknown();
+			return a;
+		}
+
+		public static Int64Value Conv_Ovf_I8(Int32Value a) {
+			ulong validMask = a.validMask;
+			if (IsBitValid(a.validMask, 31))
+				validMask |= Int64Value.NO_UNKNOWN_BITS << 32;
+			return new Int64Value(a.value, validMask);
+		}
+
+		public static Int64Value Conv_Ovf_I8_Un(Int32Value a) {
+			return new Int64Value((long)(uint)a.value, a.validMask | (Int64Value.NO_UNKNOWN_BITS << 32));
+		}
+
+		public static Int32Value Conv_Ovf_U1(Int32Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 7) ||
+				a.value < 0 || a.value > byte.MaxValue)
+				return CreateUnknownUInt8();
+			return Conv_U1(a);
+		}
+
+		public static Int32Value Conv_Ovf_U1_Un(Int32Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 8) ||
+				(uint)a.value > byte.MaxValue)
+				return CreateUnknownUInt8();
+			return Conv_U1(a);
+		}
+
+		public static Int32Value Conv_Ovf_U2(Int32Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 15) ||
+				a.value < 0 || a.value > ushort.MaxValue)
+				return CreateUnknownUInt16();
+			return Conv_U2(a);
+		}
+
+		public static Int32Value Conv_Ovf_U2_Un(Int32Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 16) ||
+				(uint)a.value > ushort.MaxValue)
+				return CreateUnknownUInt16();
+			return Conv_U2(a);
+		}
+
+		public static Int32Value Conv_Ovf_U4(Int32Value a) {
+			if (!IsBitValid(a.validMask, 31) || a.value < 0)
+				return CreateUnknown();
+			return a;
+		}
+
+		public static Int32Value Conv_Ovf_U4_Un(Int32Value a) {
+			return a;
+		}
+
+		public static Int64Value Conv_Ovf_U8(Int32Value a) {
+			if (!IsBitValid(a.validMask, 31) || a.value < 0)
+				return Int64Value.CreateUnknown();
+			return new Int64Value(a.value, (ulong)a.validMask | (Int64Value.NO_UNKNOWN_BITS << 32));
+		}
+
+		public static Int64Value Conv_Ovf_U8_Un(Int32Value a) {
+			return new Int64Value((long)(uint)a.value, a.validMask | (Int64Value.NO_UNKNOWN_BITS << 32));
+		}
+
 		public static Int32Value Add(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
 				return new Int32Value(a.value + b.value);
@@ -226,7 +331,7 @@ namespace de4dot.blocks.cflow {
 			if (a.AllBitsValid() && b.AllBitsValid())
 				return new Int32Value(a.value - b.value);
 			if (ReferenceEquals(a, b))
-				return zero;
+				return Zero;
 			return CreateUnknown();
 		}
 
@@ -234,7 +339,7 @@ namespace de4dot.blocks.cflow {
 			if (a.AllBitsValid() && b.AllBitsValid())
 				return new Int32Value(a.value * b.value);
 			if (a.IsZero() || b.IsZero())
-				return zero;
+				return Zero;
 			if (a.HasValue(1))
 				return b;
 			if (b.HasValue(1))
@@ -252,7 +357,7 @@ namespace de4dot.blocks.cflow {
 				}
 			}
 			if (ReferenceEquals(a, b) && a.IsNonZero())
-				return one;
+				return One;
 			if (b.HasValue(1))
 				return a;
 			return CreateUnknown();
@@ -268,7 +373,7 @@ namespace de4dot.blocks.cflow {
 				}
 			}
 			if (ReferenceEquals(a, b) && a.IsNonZero())
-				return one;
+				return One;
 			if (b.HasValue(1))
 				return a;
 			return CreateUnknown();
@@ -284,7 +389,7 @@ namespace de4dot.blocks.cflow {
 				}
 			}
 			if ((ReferenceEquals(a, b) && a.IsNonZero()) || b.HasValue(1))
-				return zero;
+				return Zero;
 			return CreateUnknown();
 		}
 
@@ -298,7 +403,7 @@ namespace de4dot.blocks.cflow {
 				}
 			}
 			if ((ReferenceEquals(a, b) && a.IsNonZero()) || b.HasValue(1))
-				return zero;
+				return Zero;
 			return CreateUnknown();
 		}
 
@@ -308,24 +413,93 @@ namespace de4dot.blocks.cflow {
 			return CreateUnknown();
 		}
 
+		public static Int32Value Add_Ovf(Int32Value a, Int32Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				try {
+					return new Int32Value(checked(a.value + b.value));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
+		public static Int32Value Add_Ovf_Un(Int32Value a, Int32Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				uint aa = (uint)a.value, bb = (uint)b.value;
+				try {
+					return new Int32Value((int)checked(aa + bb));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
+		public static Int32Value Sub_Ovf(Int32Value a, Int32Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				try {
+					return new Int32Value(checked(a.value - b.value));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
+		public static Int32Value Sub_Ovf_Un(Int32Value a, Int32Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				uint aa = (uint)a.value, bb = (uint)b.value;
+				try {
+					return new Int32Value((int)checked(aa - bb));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
+		public static Int32Value Mul_Ovf(Int32Value a, Int32Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				try {
+					return new Int32Value(checked(a.value * b.value));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
+		public static Int32Value Mul_Ovf_Un(Int32Value a, Int32Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				uint aa = (uint)a.value, bb = (uint)b.value;
+				try {
+					return new Int32Value((int)checked(aa * bb));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
 		public static Int32Value And(Int32Value a, Int32Value b) {
 			int av = a.value, bv = b.value;
 			uint am = a.validMask, bm = b.validMask;
-			return new Int32Value(av & bv, (uint)((am & bm) | ((av & am) ^ am) | ((bv & bm) ^ bm)));
+			return new Int32Value(av & bv, (am & bm) | (((uint)av & am) ^ am) | (((uint)bv & bm) ^ bm));
 		}
 
 		public static Int32Value Or(Int32Value a, Int32Value b) {
 			int av = a.value, bv = b.value;
 			uint am = a.validMask, bm = b.validMask;
-			return new Int32Value(av | bv, (uint)((am & bm) | (av & am) | (bv & bm)));
+			return new Int32Value(av | bv, (am & bm) | ((uint)av & am) | ((uint)bv & bm));
 		}
 
 		public static Int32Value Xor(Int32Value a, Int32Value b) {
 			if (ReferenceEquals(a, b))
-				return zero;
+				return Zero;
 			int av = a.value, bv = b.value;
 			uint am = a.validMask, bm = b.validMask;
-			return new Int32Value(av ^ bv, (uint)(am & bm));
+			return new Int32Value(av ^ bv, am & bm);
 		}
 
 		public static Int32Value Not(Int32Value a) {
@@ -372,8 +546,8 @@ namespace de4dot.blocks.cflow {
 
 		static Int32Value create(Bool3 b) {
 			switch (b) {
-			case Bool3.False:	return zero;
-			case Bool3.True:	return one;
+			case Bool3.False:	return Zero;
+			case Bool3.True:	return One;
 			default:			return CreateUnknownBool();
 			}
 		}
diff --git a/de4dot.blocks/cflow/Int64Value.cs b/de4dot.blocks/cflow/Int64Value.cs
index 9ec2ff41..d9f129ae 100644
--- a/de4dot.blocks/cflow/Int64Value.cs
+++ b/de4dot.blocks/cflow/Int64Value.cs
@@ -21,10 +21,10 @@ using System;
 
 namespace de4dot.blocks.cflow {
 	public class Int64Value : Value {
-		public static readonly Int64Value zero = new Int64Value(0);
-		public static readonly Int64Value one = new Int64Value(1);
+		public static readonly Int64Value Zero = new Int64Value(0);
+		public static readonly Int64Value One = new Int64Value(1);
 
-		const ulong NO_UNKNOWN_BITS = ulong.MaxValue;
+		internal const ulong NO_UNKNOWN_BITS = ulong.MaxValue;
 		public readonly long value;
 		public readonly ulong validMask;
 
@@ -56,6 +56,10 @@ namespace de4dot.blocks.cflow {
 			return (validMask & (1UL << n)) != 0;
 		}
 
+		bool AreBitsValid(ulong bitsToTest) {
+			return (validMask & bitsToTest) == bitsToTest;
+		}
+
 		public static Int64Value CreateUnknown() {
 			return new Int64Value(0, 0UL);
 		}
@@ -108,6 +112,114 @@ namespace de4dot.blocks.cflow {
 			return new Int64Value((long)a.value);
 		}
 
+		bool CheckSign(ulong mask) {
+			return ((ulong)value & mask) == 0 || ((ulong)value & mask) == mask;
+		}
+
+		public static Int32Value Conv_Ovf_I1(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 7) ||
+				!a.CheckSign(NO_UNKNOWN_BITS << 7))
+				return Int32Value.CreateUnknown();
+			return Int32Value.Conv_I1(a);
+		}
+
+		public static Int32Value Conv_Ovf_I1_Un(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 7) ||
+				(ulong)a.value > (ulong)sbyte.MaxValue)
+				return Int32Value.CreateUnknown();
+			return Int32Value.Conv_I1(a);
+		}
+
+		public static Int32Value Conv_Ovf_I2(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 15) ||
+				!a.CheckSign(NO_UNKNOWN_BITS << 15))
+				return Int32Value.CreateUnknown();
+			return Int32Value.Conv_I2(a);
+		}
+
+		public static Int32Value Conv_Ovf_I2_Un(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 15) ||
+				(ulong)a.value > (ulong)short.MaxValue)
+				return Int32Value.CreateUnknown();
+			return Int32Value.Conv_I2(a);
+		}
+
+		public static Int32Value Conv_Ovf_I4(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 31) ||
+				!a.CheckSign(NO_UNKNOWN_BITS << 31))
+				return Int32Value.CreateUnknown();
+			return Int32Value.Conv_I4(a);
+		}
+
+		public static Int32Value Conv_Ovf_I4_Un(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 31) ||
+				(ulong)a.value > (ulong)int.MaxValue)
+				return Int32Value.CreateUnknown();
+			return Int32Value.Conv_I4(a);
+		}
+
+		public static Int64Value Conv_Ovf_I8(Int64Value a) {
+			return a;
+		}
+
+		public static Int64Value Conv_Ovf_I8_Un(Int64Value a) {
+			if (!IsBitValid(a.validMask, 63) || a.value < 0)
+				return CreateUnknown();
+			return a;
+		}
+
+		public static Int32Value Conv_Ovf_U1(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 7) ||
+				a.value < 0 || a.value > byte.MaxValue)
+				return Int32Value.CreateUnknownUInt8();
+			return Int32Value.Conv_U1(a);
+		}
+
+		public static Int32Value Conv_Ovf_U1_Un(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 8) ||
+				(ulong)a.value > byte.MaxValue)
+				return Int32Value.CreateUnknownUInt8();
+			return Int32Value.Conv_U1(a);
+		}
+
+		public static Int32Value Conv_Ovf_U2(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 15) ||
+				a.value < 0 || a.value > ushort.MaxValue)
+				return Int32Value.CreateUnknownUInt16();
+			return Int32Value.Conv_U2(a);
+		}
+
+		public static Int32Value Conv_Ovf_U2_Un(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 16) ||
+				(ulong)a.value > ushort.MaxValue)
+				return Int32Value.CreateUnknownUInt16();
+			return Int32Value.Conv_U2(a);
+		}
+
+		public static Int32Value Conv_Ovf_U4(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 31) ||
+				a.value < 0 || a.value > uint.MaxValue)
+				return Int32Value.CreateUnknown();
+			return Int32Value.Conv_U4(a);
+		}
+
+		public static Int32Value Conv_Ovf_U4_Un(Int64Value a) {
+			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 32) ||
+				(ulong)a.value > uint.MaxValue)
+				return Int32Value.CreateUnknown();
+			return Int32Value.Conv_U4(a);
+		}
+
+		public static Int64Value Conv_Ovf_U8(Int64Value a) {
+			if (!IsBitValid(a.validMask, 63) || a.value < 0)
+				return CreateUnknown();
+			return a;
+		}
+
+		public static Int64Value Conv_Ovf_U8_Un(Int64Value a) {
+			return a;
+		}
+
 		public static Int64Value Add(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
 				return new Int64Value(a.value + b.value);
@@ -120,7 +232,7 @@ namespace de4dot.blocks.cflow {
 			if (a.AllBitsValid() && b.AllBitsValid())
 				return new Int64Value(a.value - b.value);
 			if (ReferenceEquals(a, b))
-				return zero;
+				return Zero;
 			return CreateUnknown();
 		}
 
@@ -128,7 +240,7 @@ namespace de4dot.blocks.cflow {
 			if (a.AllBitsValid() && b.AllBitsValid())
 				return new Int64Value(a.value * b.value);
 			if (a.IsZero() || b.IsZero())
-				return zero;
+				return Zero;
 			if (a.HasValue(1))
 				return b;
 			if (b.HasValue(1))
@@ -146,7 +258,7 @@ namespace de4dot.blocks.cflow {
 				}
 			}
 			if (ReferenceEquals(a, b) && a.IsNonZero())
-				return one;
+				return One;
 			if (b.HasValue(1))
 				return a;
 			return CreateUnknown();
@@ -162,7 +274,7 @@ namespace de4dot.blocks.cflow {
 				}
 			}
 			if (ReferenceEquals(a, b) && a.IsNonZero())
-				return one;
+				return One;
 			if (b.HasValue(1))
 				return a;
 			return CreateUnknown();
@@ -178,7 +290,7 @@ namespace de4dot.blocks.cflow {
 				}
 			}
 			if ((ReferenceEquals(a, b) && a.IsNonZero()) || b.HasValue(1))
-				return zero;
+				return Zero;
 			return CreateUnknown();
 		}
 
@@ -192,7 +304,7 @@ namespace de4dot.blocks.cflow {
 				}
 			}
 			if ((ReferenceEquals(a, b) && a.IsNonZero()) || b.HasValue(1))
-				return zero;
+				return Zero;
 			return CreateUnknown();
 		}
 
@@ -202,6 +314,75 @@ namespace de4dot.blocks.cflow {
 			return CreateUnknown();
 		}
 
+		public static Int64Value Add_Ovf(Int64Value a, Int64Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				try {
+					return new Int64Value(checked(a.value + b.value));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
+		public static Int64Value Add_Ovf_Un(Int64Value a, Int64Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				ulong aa = (ulong)a.value, bb = (ulong)b.value;
+				try {
+					return new Int64Value((long)checked(aa + bb));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
+		public static Int64Value Sub_Ovf(Int64Value a, Int64Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				try {
+					return new Int64Value(checked(a.value - b.value));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
+		public static Int64Value Sub_Ovf_Un(Int64Value a, Int64Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				ulong aa = (ulong)a.value, bb = (ulong)b.value;
+				try {
+					return new Int64Value((long)checked(aa - bb));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
+		public static Int64Value Mul_Ovf(Int64Value a, Int64Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				try {
+					return new Int64Value(checked(a.value * b.value));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
+		public static Int64Value Mul_Ovf_Un(Int64Value a, Int64Value b) {
+			if (a.AllBitsValid() && b.AllBitsValid()) {
+				ulong aa = (ulong)a.value, bb = (ulong)b.value;
+				try {
+					return new Int64Value((long)checked(aa * bb));
+				}
+				catch (OverflowException) {
+				}
+			}
+			return CreateUnknown();
+		}
+
 		public static Int64Value And(Int64Value a, Int64Value b) {
 			long av = a.value, bv = b.value;
 			ulong am = a.validMask, bm = b.validMask;
@@ -216,7 +397,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int64Value Xor(Int64Value a, Int64Value b) {
 			if (ReferenceEquals(a, b))
-				return zero;
+				return Zero;
 			long av = a.value, bv = b.value;
 			ulong am = a.validMask, bm = b.validMask;
 			return new Int64Value(av ^ bv, am & bm);
@@ -266,8 +447,8 @@ namespace de4dot.blocks.cflow {
 
 		static Int32Value Create(Bool3 b) {
 			switch (b) {
-			case Bool3.False:	return Int32Value.zero;
-			case Bool3.True:	return Int32Value.one;
+			case Bool3.False:	return Int32Value.Zero;
+			case Bool3.True:	return Int32Value.One;
 			default:			return Int32Value.CreateUnknownBool();
 			}
 		}
diff --git a/de4dot.blocks/cflow/Real8Value.cs b/de4dot.blocks/cflow/Real8Value.cs
index 868f2339..430ef9c6 100644
--- a/de4dot.blocks/cflow/Real8Value.cs
+++ b/de4dot.blocks/cflow/Real8Value.cs
@@ -49,5 +49,69 @@ namespace de4dot.blocks.cflow {
 		public static Real8Value Neg(Real8Value a) {
 			return new Real8Value(-a.value);
 		}
+
+		public static Int32Value Conv_Ovf_I1(Real8Value a) {
+			return Int32Value.CreateUnknown();
+		}
+
+		public static Int32Value Conv_Ovf_I1_Un(Real8Value a) {
+			return Int32Value.CreateUnknown();
+		}
+
+		public static Int32Value Conv_Ovf_I2(Real8Value a) {
+			return Int32Value.CreateUnknown();
+		}
+
+		public static Int32Value Conv_Ovf_I2_Un(Real8Value a) {
+			return Int32Value.CreateUnknown();
+		}
+
+		public static Int32Value Conv_Ovf_I4(Real8Value a) {
+			return Int32Value.CreateUnknown();
+		}
+
+		public static Int32Value Conv_Ovf_I4_Un(Real8Value a) {
+			return Int32Value.CreateUnknown();
+		}
+
+		public static Int64Value Conv_Ovf_I8(Real8Value a) {
+			return Int64Value.CreateUnknown();
+		}
+
+		public static Int64Value Conv_Ovf_I8_Un(Real8Value a) {
+			return Int64Value.CreateUnknown();
+		}
+
+		public static Int32Value Conv_Ovf_U1(Real8Value a) {
+			return Int32Value.CreateUnknownUInt8();
+		}
+
+		public static Int32Value Conv_Ovf_U1_Un(Real8Value a) {
+			return Int32Value.CreateUnknownUInt8();
+		}
+
+		public static Int32Value Conv_Ovf_U2(Real8Value a) {
+			return Int32Value.CreateUnknownUInt16();
+		}
+
+		public static Int32Value Conv_Ovf_U2_Un(Real8Value a) {
+			return Int32Value.CreateUnknownUInt16();
+		}
+
+		public static Int32Value Conv_Ovf_U4(Real8Value a) {
+			return Int32Value.CreateUnknown();
+		}
+
+		public static Int32Value Conv_Ovf_U4_Un(Real8Value a) {
+			return Int32Value.CreateUnknown();
+		}
+
+		public static Int64Value Conv_Ovf_U8(Real8Value a) {
+			return Int64Value.CreateUnknown();
+		}
+
+		public static Int64Value Conv_Ovf_U8_Un(Real8Value a) {
+			return Int64Value.CreateUnknown();
+		}
 	}
 }

From 1dee5e80173c73ad7815d67ea1b70ce85fc46050 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 15 Oct 2013 10:12:53 +0200
Subject: [PATCH 19/58] Support latest Dotfuscator

---
 .../Dotfuscator/StringDecrypter.cs            | 22 +++++++++++++------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/de4dot.code/deobfuscators/Dotfuscator/StringDecrypter.cs b/de4dot.code/deobfuscators/Dotfuscator/StringDecrypter.cs
index 71466c7b..5576b00f 100644
--- a/de4dot.code/deobfuscators/Dotfuscator/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/Dotfuscator/StringDecrypter.cs
@@ -73,15 +73,23 @@ namespace de4dot.code.deobfuscators.Dotfuscator {
 					continue;
 
 				simpleDeobfuscator.Deobfuscate(method);
-				var instructions = method.Body.Instructions;
-				for (int i = 0; i <= instructions.Count - 3; i++) {
-					var ldci4 = method.Body.Instructions[i];
+				var instrs = method.Body.Instructions;
+				for (int i = 0; i < instrs.Count - 3; i++) {
+					var ldarg = instrs[i];
+					if (!ldarg.IsLdarg() || ldarg.GetParameterIndex() != 0)
+						continue;
+					var callvirt = instrs[i + 1];
+					if (callvirt.OpCode.Code != Code.Callvirt)
+						continue;
+					var calledMethod = callvirt.Operand as MemberRef;
+					if (calledMethod == null || calledMethod.FullName != "System.Char[] System.String::ToCharArray()")
+						continue;
+					var stloc = instrs[i + 2];
+					if (!stloc.IsStloc())
+						continue;
+					var ldci4 = instrs[i + 3];
 					if (!ldci4.IsLdcI4())
 						continue;
-					if (instructions[i + 1].OpCode.Code != Code.Ldarg_1)
-						continue;
-					if (instructions[i + 2].OpCode.Code != Code.Add)
-						continue;
 
 					var info = new StringDecrypterInfo(method, ldci4.GetLdcI4Value());
 					stringDecrypterMethods.Add(info.method, info);

From 156bc4c7ee3e6564df24c66a9b6857319a7f17e9 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 16 Oct 2013 10:13:09 +0200
Subject: [PATCH 20/58] Rename public value -> Value, validMask -> ValidMask

---
 de4dot.blocks/cflow/CflowUtils.cs             |   2 +-
 de4dot.blocks/cflow/ConstantsFolder.cs        |   4 +-
 de4dot.blocks/cflow/InstructionEmulator.cs    |   2 +-
 de4dot.blocks/cflow/Int32Value.cs             | 196 +++++++++---------
 de4dot.blocks/cflow/Int64Value.cs             | 168 +++++++--------
 de4dot.blocks/cflow/Real8Value.cs             |  16 +-
 de4dot.code/deobfuscators/ArrayFinder.cs      |  10 +-
 .../Babel_NET/BabelMethodCallInliner.cs       |   6 +-
 .../Babel_NET/StringDecrypter.cs              |  18 +-
 .../DeepSea/DsMethodCallInliner.cs            |   4 +-
 .../Eazfuscator_NET/StringDecrypter.cs        |   6 +-
 11 files changed, 216 insertions(+), 216 deletions(-)

diff --git a/de4dot.blocks/cflow/CflowUtils.cs b/de4dot.blocks/cflow/CflowUtils.cs
index 1f644bf1..401f75d1 100644
--- a/de4dot.blocks/cflow/CflowUtils.cs
+++ b/de4dot.blocks/cflow/CflowUtils.cs
@@ -25,7 +25,7 @@ namespace de4dot.blocks.cflow {
 			if (!intValue.AllBitsValid())
 				return null;
 
-			int index = intValue.value;
+			int index = intValue.Value;
 			if (targets == null || index < 0 || index >= targets.Count)
 				return fallThrough;
 			else
diff --git a/de4dot.blocks/cflow/ConstantsFolder.cs b/de4dot.blocks/cflow/ConstantsFolder.cs
index 43c291de..917b5c28 100644
--- a/de4dot.blocks/cflow/ConstantsFolder.cs
+++ b/de4dot.blocks/cflow/ConstantsFolder.cs
@@ -89,14 +89,14 @@ namespace de4dot.blocks.cflow {
 				var intValue = (Int32Value)value;
 				if (!intValue.AllBitsValid())
 					return false;
-				block.Instructions[index] = new Instr(Instruction.CreateLdcI4(intValue.value));
+				block.Instructions[index] = new Instr(Instruction.CreateLdcI4(intValue.Value));
 				return true;
 			}
 			else if (value.IsInt64()) {
 				var intValue = (Int64Value)value;
 				if (!intValue.AllBitsValid())
 					return false;
-				block.Instructions[index] = new Instr(OpCodes.Ldc_I8.ToInstruction(intValue.value));
+				block.Instructions[index] = new Instr(OpCodes.Ldc_I8.ToInstruction(intValue.Value));
 				return true;
 			}
 			return false;
diff --git a/de4dot.blocks/cflow/InstructionEmulator.cs b/de4dot.blocks/cflow/InstructionEmulator.cs
index 1e9468c2..56f6a47f 100644
--- a/de4dot.blocks/cflow/InstructionEmulator.cs
+++ b/de4dot.blocks/cflow/InstructionEmulator.cs
@@ -141,7 +141,7 @@ namespace de4dot.blocks.cflow {
 
 			case ElementType.R4:
 				if (value.IsReal8())
-					return new Real8Value((float)((Real8Value)value).value);
+					return new Real8Value((float)((Real8Value)value).Value);
 				return new UnknownValue();
 
 			case ElementType.R8:
diff --git a/de4dot.blocks/cflow/Int32Value.cs b/de4dot.blocks/cflow/Int32Value.cs
index 94008b9d..41844f33 100644
--- a/de4dot.blocks/cflow/Int32Value.cs
+++ b/de4dot.blocks/cflow/Int32Value.cs
@@ -25,23 +25,23 @@ namespace de4dot.blocks.cflow {
 		public static readonly Int32Value One = new Int32Value(1);
 
 		internal const uint NO_UNKNOWN_BITS = uint.MaxValue;
-		public readonly int value;
-		public readonly uint validMask;
+		public readonly int Value;
+		public readonly uint ValidMask;
 
 		public Int32Value(int value)
 			: base(ValueType.Int32) {
-			this.value = value;
-			this.validMask = NO_UNKNOWN_BITS;
+			this.Value = value;
+			this.ValidMask = NO_UNKNOWN_BITS;
 		}
 
 		public Int32Value(int value, uint validMask)
 			: base(ValueType.Int32) {
-			this.value = value;
-			this.validMask = validMask;
+			this.Value = value;
+			this.ValidMask = validMask;
 		}
 
 		public bool HasUnknownBits() {
-			return validMask != NO_UNKNOWN_BITS;
+			return ValidMask != NO_UNKNOWN_BITS;
 		}
 
 		public bool AllBitsValid() {
@@ -49,7 +49,7 @@ namespace de4dot.blocks.cflow {
 		}
 
 		bool IsBitValid(int n) {
-			return IsBitValid(validMask, n);
+			return IsBitValid(ValidMask, n);
 		}
 
 		static bool IsBitValid(uint validMask, int n) {
@@ -57,7 +57,7 @@ namespace de4dot.blocks.cflow {
 		}
 
 		bool AreBitsValid(uint bitsToTest) {
-			return (validMask & bitsToTest) == bitsToTest;
+			return (ValidMask & bitsToTest) == bitsToTest;
 		}
 
 		public static Int32Value CreateUnknownBool() {
@@ -81,11 +81,11 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public bool IsNonZero() {
-			return (value & validMask) != 0;
+			return (Value & ValidMask) != 0;
 		}
 
 		public bool HasValue(int value) {
-			return AllBitsValid() && this.value == value;
+			return AllBitsValid() && this.Value == value;
 		}
 
 		public bool HasValue(uint value) {
@@ -117,11 +117,11 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_U1(Int32Value a) {
-			return Conv_U1(a.value, a.validMask);
+			return Conv_U1(a.Value, a.ValidMask);
 		}
 
 		public static Int32Value Conv_U1(Int64Value a) {
-			return Conv_U1((int)a.value, (uint)a.validMask);
+			return Conv_U1((int)a.Value, (uint)a.ValidMask);
 		}
 
 		public static Int32Value Conv_U1(int value, uint validMask) {
@@ -131,15 +131,15 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_U1(Real8Value a) {
-			return new Int32Value((int)(byte)a.value);
+			return new Int32Value((int)(byte)a.Value);
 		}
 
 		public static Int32Value Conv_I1(Int32Value a) {
-			return Conv_I1(a.value, a.validMask);
+			return Conv_I1(a.Value, a.ValidMask);
 		}
 
 		public static Int32Value Conv_I1(Int64Value a) {
-			return Conv_I1((int)a.value, (uint)a.validMask);
+			return Conv_I1((int)a.Value, (uint)a.ValidMask);
 		}
 
 		public static Int32Value Conv_I1(int value, uint validMask) {
@@ -152,15 +152,15 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_I1(Real8Value a) {
-			return new Int32Value((int)(sbyte)a.value);
+			return new Int32Value((int)(sbyte)a.Value);
 		}
 
 		public static Int32Value Conv_U2(Int32Value a) {
-			return Conv_U2(a.value, a.validMask);
+			return Conv_U2(a.Value, a.ValidMask);
 		}
 
 		public static Int32Value Conv_U2(Int64Value a) {
-			return Conv_U2((int)a.value, (uint)a.validMask);
+			return Conv_U2((int)a.Value, (uint)a.ValidMask);
 		}
 
 		public static Int32Value Conv_U2(int value, uint validMask) {
@@ -170,15 +170,15 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_U2(Real8Value a) {
-			return new Int32Value((int)(ushort)a.value);
+			return new Int32Value((int)(ushort)a.Value);
 		}
 
 		public static Int32Value Conv_I2(Int32Value a) {
-			return Conv_I2(a.value, a.validMask);
+			return Conv_I2(a.Value, a.ValidMask);
 		}
 
 		public static Int32Value Conv_I2(Int64Value a) {
-			return Conv_I2((int)a.value, (uint)a.validMask);
+			return Conv_I2((int)a.Value, (uint)a.ValidMask);
 		}
 
 		public static Int32Value Conv_I2(int value, uint validMask) {
@@ -191,7 +191,7 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_I2(Real8Value a) {
-			return new Int32Value((int)(short)a.value);
+			return new Int32Value((int)(short)a.Value);
 		}
 
 		public static Int32Value Conv_U4(Int32Value a) {
@@ -199,11 +199,11 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_U4(Int64Value a) {
-			return new Int32Value((int)(uint)a.value, (uint)a.validMask);
+			return new Int32Value((int)(uint)a.Value, (uint)a.ValidMask);
 		}
 
 		public static Int32Value Conv_U4(Real8Value a) {
-			return new Int32Value((int)(uint)a.value);
+			return new Int32Value((int)(uint)a.Value);
 		}
 
 		public static Int32Value Conv_I4(Int32Value a) {
@@ -211,15 +211,15 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_I4(Int64Value a) {
-			return new Int32Value((int)a.value, (uint)a.validMask);
+			return new Int32Value((int)a.Value, (uint)a.ValidMask);
 		}
 
 		public static Int32Value Conv_I4(Real8Value a) {
-			return new Int32Value((int)a.value);
+			return new Int32Value((int)a.Value);
 		}
 
 		bool CheckSign(uint mask) {
-			return ((uint)value & mask) == 0 || ((uint)value & mask) == mask;
+			return ((uint)Value & mask) == 0 || ((uint)Value & mask) == mask;
 		}
 
 		public static Int32Value Conv_Ovf_I1(Int32Value a) {
@@ -231,7 +231,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int32Value Conv_Ovf_I1_Un(Int32Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 7) ||
-				(uint)a.value > sbyte.MaxValue)
+				(uint)a.Value > sbyte.MaxValue)
 				return CreateUnknown();
 			return Conv_I1(a);
 		}
@@ -245,7 +245,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int32Value Conv_Ovf_I2_Un(Int32Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 15) ||
-				(uint)a.value > short.MaxValue)
+				(uint)a.Value > short.MaxValue)
 				return CreateUnknown();
 			return Conv_I2(a);
 		}
@@ -255,52 +255,52 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_Ovf_I4_Un(Int32Value a) {
-			if (!IsBitValid(a.validMask, 31) || a.value < 0)
+			if (!IsBitValid(a.ValidMask, 31) || a.Value < 0)
 				return CreateUnknown();
 			return a;
 		}
 
 		public static Int64Value Conv_Ovf_I8(Int32Value a) {
-			ulong validMask = a.validMask;
-			if (IsBitValid(a.validMask, 31))
+			ulong validMask = a.ValidMask;
+			if (IsBitValid(a.ValidMask, 31))
 				validMask |= Int64Value.NO_UNKNOWN_BITS << 32;
-			return new Int64Value(a.value, validMask);
+			return new Int64Value(a.Value, validMask);
 		}
 
 		public static Int64Value Conv_Ovf_I8_Un(Int32Value a) {
-			return new Int64Value((long)(uint)a.value, a.validMask | (Int64Value.NO_UNKNOWN_BITS << 32));
+			return new Int64Value((long)(uint)a.Value, a.ValidMask | (Int64Value.NO_UNKNOWN_BITS << 32));
 		}
 
 		public static Int32Value Conv_Ovf_U1(Int32Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 7) ||
-				a.value < 0 || a.value > byte.MaxValue)
+				a.Value < 0 || a.Value > byte.MaxValue)
 				return CreateUnknownUInt8();
 			return Conv_U1(a);
 		}
 
 		public static Int32Value Conv_Ovf_U1_Un(Int32Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 8) ||
-				(uint)a.value > byte.MaxValue)
+				(uint)a.Value > byte.MaxValue)
 				return CreateUnknownUInt8();
 			return Conv_U1(a);
 		}
 
 		public static Int32Value Conv_Ovf_U2(Int32Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 15) ||
-				a.value < 0 || a.value > ushort.MaxValue)
+				a.Value < 0 || a.Value > ushort.MaxValue)
 				return CreateUnknownUInt16();
 			return Conv_U2(a);
 		}
 
 		public static Int32Value Conv_Ovf_U2_Un(Int32Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 16) ||
-				(uint)a.value > ushort.MaxValue)
+				(uint)a.Value > ushort.MaxValue)
 				return CreateUnknownUInt16();
 			return Conv_U2(a);
 		}
 
 		public static Int32Value Conv_Ovf_U4(Int32Value a) {
-			if (!IsBitValid(a.validMask, 31) || a.value < 0)
+			if (!IsBitValid(a.ValidMask, 31) || a.Value < 0)
 				return CreateUnknown();
 			return a;
 		}
@@ -310,26 +310,26 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int64Value Conv_Ovf_U8(Int32Value a) {
-			if (!IsBitValid(a.validMask, 31) || a.value < 0)
+			if (!IsBitValid(a.ValidMask, 31) || a.Value < 0)
 				return Int64Value.CreateUnknown();
-			return new Int64Value(a.value, (ulong)a.validMask | (Int64Value.NO_UNKNOWN_BITS << 32));
+			return new Int64Value(a.Value, (ulong)a.ValidMask | (Int64Value.NO_UNKNOWN_BITS << 32));
 		}
 
 		public static Int64Value Conv_Ovf_U8_Un(Int32Value a) {
-			return new Int64Value((long)(uint)a.value, a.validMask | (Int64Value.NO_UNKNOWN_BITS << 32));
+			return new Int64Value((long)(uint)a.Value, a.ValidMask | (Int64Value.NO_UNKNOWN_BITS << 32));
 		}
 
 		public static Int32Value Add(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return new Int32Value(a.value + b.value);
+				return new Int32Value(a.Value + b.Value);
 			if (ReferenceEquals(a, b))
-				return new Int32Value(a.value << 1, (a.validMask << 1) | 1);
+				return new Int32Value(a.Value << 1, (a.ValidMask << 1) | 1);
 			return CreateUnknown();
 		}
 
 		public static Int32Value Sub(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return new Int32Value(a.value - b.value);
+				return new Int32Value(a.Value - b.Value);
 			if (ReferenceEquals(a, b))
 				return Zero;
 			return CreateUnknown();
@@ -337,7 +337,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int32Value Mul(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return new Int32Value(a.value * b.value);
+				return new Int32Value(a.Value * b.Value);
 			if (a.IsZero() || b.IsZero())
 				return Zero;
 			if (a.HasValue(1))
@@ -350,7 +350,7 @@ namespace de4dot.blocks.cflow {
 		public static Int32Value Div(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int32Value(a.value / b.value);
+					return new Int32Value(a.Value / b.Value);
 				}
 				catch (ArithmeticException) {
 					return CreateUnknown();
@@ -366,7 +366,7 @@ namespace de4dot.blocks.cflow {
 		public static Int32Value Div_Un(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int32Value((int)((uint)a.value / (uint)b.value));
+					return new Int32Value((int)((uint)a.Value / (uint)b.Value));
 				}
 				catch (ArithmeticException) {
 					return CreateUnknown();
@@ -382,7 +382,7 @@ namespace de4dot.blocks.cflow {
 		public static Int32Value Rem(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int32Value(a.value % b.value);
+					return new Int32Value(a.Value % b.Value);
 				}
 				catch (ArithmeticException) {
 					return CreateUnknown();
@@ -396,7 +396,7 @@ namespace de4dot.blocks.cflow {
 		public static Int32Value Rem_Un(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int32Value((int)((uint)a.value % (uint)b.value));
+					return new Int32Value((int)((uint)a.Value % (uint)b.Value));
 				}
 				catch (ArithmeticException) {
 					return CreateUnknown();
@@ -409,14 +409,14 @@ namespace de4dot.blocks.cflow {
 
 		public static Int32Value Neg(Int32Value a) {
 			if (a.AllBitsValid())
-				return new Int32Value(-a.value);
+				return new Int32Value(-a.Value);
 			return CreateUnknown();
 		}
 
 		public static Int32Value Add_Ovf(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int32Value(checked(a.value + b.value));
+					return new Int32Value(checked(a.Value + b.Value));
 				}
 				catch (OverflowException) {
 				}
@@ -426,7 +426,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int32Value Add_Ovf_Un(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
-				uint aa = (uint)a.value, bb = (uint)b.value;
+				uint aa = (uint)a.Value, bb = (uint)b.Value;
 				try {
 					return new Int32Value((int)checked(aa + bb));
 				}
@@ -439,7 +439,7 @@ namespace de4dot.blocks.cflow {
 		public static Int32Value Sub_Ovf(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int32Value(checked(a.value - b.value));
+					return new Int32Value(checked(a.Value - b.Value));
 				}
 				catch (OverflowException) {
 				}
@@ -449,7 +449,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int32Value Sub_Ovf_Un(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
-				uint aa = (uint)a.value, bb = (uint)b.value;
+				uint aa = (uint)a.Value, bb = (uint)b.Value;
 				try {
 					return new Int32Value((int)checked(aa - bb));
 				}
@@ -462,7 +462,7 @@ namespace de4dot.blocks.cflow {
 		public static Int32Value Mul_Ovf(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int32Value(checked(a.value * b.value));
+					return new Int32Value(checked(a.Value * b.Value));
 				}
 				catch (OverflowException) {
 				}
@@ -472,7 +472,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int32Value Mul_Ovf_Un(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
-				uint aa = (uint)a.value, bb = (uint)b.value;
+				uint aa = (uint)a.Value, bb = (uint)b.Value;
 				try {
 					return new Int32Value((int)checked(aa * bb));
 				}
@@ -483,65 +483,65 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value And(Int32Value a, Int32Value b) {
-			int av = a.value, bv = b.value;
-			uint am = a.validMask, bm = b.validMask;
+			int av = a.Value, bv = b.Value;
+			uint am = a.ValidMask, bm = b.ValidMask;
 			return new Int32Value(av & bv, (am & bm) | (((uint)av & am) ^ am) | (((uint)bv & bm) ^ bm));
 		}
 
 		public static Int32Value Or(Int32Value a, Int32Value b) {
-			int av = a.value, bv = b.value;
-			uint am = a.validMask, bm = b.validMask;
+			int av = a.Value, bv = b.Value;
+			uint am = a.ValidMask, bm = b.ValidMask;
 			return new Int32Value(av | bv, (am & bm) | ((uint)av & am) | ((uint)bv & bm));
 		}
 
 		public static Int32Value Xor(Int32Value a, Int32Value b) {
 			if (ReferenceEquals(a, b))
 				return Zero;
-			int av = a.value, bv = b.value;
-			uint am = a.validMask, bm = b.validMask;
+			int av = a.Value, bv = b.Value;
+			uint am = a.ValidMask, bm = b.ValidMask;
 			return new Int32Value(av ^ bv, am & bm);
 		}
 
 		public static Int32Value Not(Int32Value a) {
-			return new Int32Value(~a.value, a.validMask);
+			return new Int32Value(~a.Value, a.ValidMask);
 		}
 
 		public static Int32Value Shl(Int32Value a, Int32Value b) {
 			if (b.HasUnknownBits())
 				return CreateUnknown();
-			if (b.value == 0)
+			if (b.Value == 0)
 				return a;
-			if (b.value < 0 || b.value >= sizeof(int) * 8)
+			if (b.Value < 0 || b.Value >= sizeof(int) * 8)
 				return CreateUnknown();
-			int shift = b.value;
-			uint validMask = (a.validMask << shift) | (uint.MaxValue >> (sizeof(int) * 8 - shift));
-			return new Int32Value(a.value << shift, validMask);
+			int shift = b.Value;
+			uint validMask = (a.ValidMask << shift) | (uint.MaxValue >> (sizeof(int) * 8 - shift));
+			return new Int32Value(a.Value << shift, validMask);
 		}
 
 		public static Int32Value Shr(Int32Value a, Int32Value b) {
 			if (b.HasUnknownBits())
 				return CreateUnknown();
-			if (b.value == 0)
+			if (b.Value == 0)
 				return a;
-			if (b.value < 0 || b.value >= sizeof(int) * 8)
+			if (b.Value < 0 || b.Value >= sizeof(int) * 8)
 				return CreateUnknown();
-			int shift = b.value;
-			uint validMask = a.validMask >> shift;
+			int shift = b.Value;
+			uint validMask = a.ValidMask >> shift;
 			if (a.IsBitValid(sizeof(int) * 8 - 1))
 				validMask |= (uint.MaxValue << (sizeof(int) * 8 - shift));
-			return new Int32Value(a.value >> shift, validMask);
+			return new Int32Value(a.Value >> shift, validMask);
 		}
 
 		public static Int32Value Shr_Un(Int32Value a, Int32Value b) {
 			if (b.HasUnknownBits())
 				return CreateUnknown();
-			if (b.value == 0)
+			if (b.Value == 0)
 				return a;
-			if (b.value < 0 || b.value >= sizeof(int) * 8)
+			if (b.Value < 0 || b.Value >= sizeof(int) * 8)
 				return CreateUnknown();
-			int shift = b.value;
-			uint validMask = (a.validMask >> shift) | (uint.MaxValue << (sizeof(int) * 8 - shift));
-			return new Int32Value((int)((uint)a.value >> shift), validMask);
+			int shift = b.Value;
+			uint validMask = (a.ValidMask >> shift) | (uint.MaxValue << (sizeof(int) * 8 - shift));
+			return new Int32Value((int)((uint)a.Value >> shift), validMask);
 		}
 
 		static Int32Value create(Bool3 b) {
@@ -574,27 +574,27 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareEq(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value == b.value ? Bool3.True : Bool3.False;
+				return a.Value == b.Value ? Bool3.True : Bool3.False;
 			if (ReferenceEquals(a, b))
 				return Bool3.True;
-			if ((a.value & a.validMask & b.validMask) != (b.value & a.validMask & b.validMask))
+			if ((a.Value & a.ValidMask & b.ValidMask) != (b.Value & a.ValidMask & b.ValidMask))
 				return Bool3.False;
 			return Bool3.Unknown;
 		}
 
 		public static Bool3 CompareNeq(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value != b.value ? Bool3.True : Bool3.False;
+				return a.Value != b.Value ? Bool3.True : Bool3.False;
 			if (ReferenceEquals(a, b))
 				return Bool3.False;
-			if ((a.value & a.validMask & b.validMask) != (b.value & a.validMask & b.validMask))
+			if ((a.Value & a.ValidMask & b.ValidMask) != (b.Value & a.ValidMask & b.ValidMask))
 				return Bool3.True;
 			return Bool3.Unknown;
 		}
 
 		public static Bool3 CompareGt(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value > b.value ? Bool3.True : Bool3.False;
+				return a.Value > b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(int.MinValue))
 				return Bool3.False;	// min > x => false
 			if (b.HasValue(int.MaxValue))
@@ -604,7 +604,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareGt_Un(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return (uint)a.value > (uint)b.value ? Bool3.True : Bool3.False;
+				return (uint)a.Value > (uint)b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(uint.MinValue))
 				return Bool3.False;	// min > x => false
 			if (b.HasValue(uint.MaxValue))
@@ -614,7 +614,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareGe(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value >= b.value ? Bool3.True : Bool3.False;
+				return a.Value >= b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(int.MaxValue))
 				return Bool3.True;	// max >= x => true
 			if (b.HasValue(int.MinValue))
@@ -624,7 +624,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareGe_Un(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return (uint)a.value >= (uint)b.value ? Bool3.True : Bool3.False;
+				return (uint)a.Value >= (uint)b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(uint.MaxValue))
 				return Bool3.True;	// max >= x => true
 			if (b.HasValue(uint.MinValue))
@@ -634,7 +634,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareLe(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value <= b.value ? Bool3.True : Bool3.False;
+				return a.Value <= b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(int.MinValue))
 				return Bool3.True;	// min <= x => true
 			if (b.HasValue(int.MaxValue))
@@ -644,7 +644,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareLe_Un(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return (uint)a.value <= (uint)b.value ? Bool3.True : Bool3.False;
+				return (uint)a.Value <= (uint)b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(uint.MinValue))
 				return Bool3.True;	// min <= x => true
 			if (b.HasValue(uint.MaxValue))
@@ -654,7 +654,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareLt(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value < b.value ? Bool3.True : Bool3.False;
+				return a.Value < b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(int.MaxValue))
 				return Bool3.False;	// max < x => false
 			if (b.HasValue(int.MinValue))
@@ -664,7 +664,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareLt_Un(Int32Value a, Int32Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return (uint)a.value < (uint)b.value ? Bool3.True : Bool3.False;
+				return (uint)a.Value < (uint)b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(uint.MaxValue))
 				return Bool3.False;	// max < x => false
 			if (b.HasValue(uint.MinValue))
@@ -674,24 +674,24 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareTrue(Int32Value a) {
 			if (a.AllBitsValid())
-				return a.value != 0 ? Bool3.True : Bool3.False;
-			if ((a.value & a.validMask) != 0)
+				return a.Value != 0 ? Bool3.True : Bool3.False;
+			if ((a.Value & a.ValidMask) != 0)
 				return Bool3.True;
 			return Bool3.Unknown;
 		}
 
 		public static Bool3 CompareFalse(Int32Value a) {
 			if (a.AllBitsValid())
-				return a.value == 0 ? Bool3.True : Bool3.False;
-			if ((a.value & a.validMask) != 0)
+				return a.Value == 0 ? Bool3.True : Bool3.False;
+			if ((a.Value & a.ValidMask) != 0)
 				return Bool3.False;
 			return Bool3.Unknown;
 		}
 
 		public override string ToString() {
 			if (AllBitsValid())
-				return value.ToString();
-			return string.Format("0x{0:X8}({1:X8})", value, validMask);
+				return Value.ToString();
+			return string.Format("0x{0:X8}({1:X8})", Value, ValidMask);
 		}
 	}
 }
diff --git a/de4dot.blocks/cflow/Int64Value.cs b/de4dot.blocks/cflow/Int64Value.cs
index d9f129ae..0bf4a558 100644
--- a/de4dot.blocks/cflow/Int64Value.cs
+++ b/de4dot.blocks/cflow/Int64Value.cs
@@ -25,23 +25,23 @@ namespace de4dot.blocks.cflow {
 		public static readonly Int64Value One = new Int64Value(1);
 
 		internal const ulong NO_UNKNOWN_BITS = ulong.MaxValue;
-		public readonly long value;
-		public readonly ulong validMask;
+		public readonly long Value;
+		public readonly ulong ValidMask;
 
 		public Int64Value(long value)
 			: base(ValueType.Int64) {
-			this.value = value;
-			this.validMask = NO_UNKNOWN_BITS;
+			this.Value = value;
+			this.ValidMask = NO_UNKNOWN_BITS;
 		}
 
 		public Int64Value(long value, ulong validMask)
 			: base(ValueType.Int64) {
-			this.value = value;
-			this.validMask = validMask;
+			this.Value = value;
+			this.ValidMask = validMask;
 		}
 
 		bool HasUnknownBits() {
-			return validMask != NO_UNKNOWN_BITS;
+			return ValidMask != NO_UNKNOWN_BITS;
 		}
 
 		public bool AllBitsValid() {
@@ -49,7 +49,7 @@ namespace de4dot.blocks.cflow {
 		}
 
 		bool IsBitValid(int n) {
-			return IsBitValid(validMask, n);
+			return IsBitValid(ValidMask, n);
 		}
 
 		static bool IsBitValid(ulong validMask, int n) {
@@ -57,7 +57,7 @@ namespace de4dot.blocks.cflow {
 		}
 
 		bool AreBitsValid(ulong bitsToTest) {
-			return (validMask & bitsToTest) == bitsToTest;
+			return (ValidMask & bitsToTest) == bitsToTest;
 		}
 
 		public static Int64Value CreateUnknown() {
@@ -69,11 +69,11 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public bool IsNonZero() {
-			return ((ulong)value & validMask) != 0;
+			return ((ulong)Value & ValidMask) != 0;
 		}
 
 		public bool HasValue(long value) {
-			return AllBitsValid() && this.value == value;
+			return AllBitsValid() && this.Value == value;
 		}
 
 		public bool HasValue(ulong value) {
@@ -81,8 +81,8 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int64Value Conv_U8(Int32Value a) {
-			long value = (long)(ulong)(uint)a.value;
-			ulong validMask = a.validMask | (NO_UNKNOWN_BITS << 32);
+			long value = (long)(ulong)(uint)a.Value;
+			ulong validMask = a.ValidMask | (NO_UNKNOWN_BITS << 32);
 			return new Int64Value(value, validMask);
 		}
 
@@ -91,12 +91,12 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int64Value Conv_U8(Real8Value a) {
-			return new Int64Value((long)(ulong)a.value);
+			return new Int64Value((long)(ulong)a.Value);
 		}
 
 		public static Int64Value Conv_I8(Int32Value a) {
-			long value = a.value;
-			ulong validMask = a.validMask;
+			long value = a.Value;
+			ulong validMask = a.ValidMask;
 			if (IsBitValid(validMask, 31))
 				validMask |= NO_UNKNOWN_BITS << 32;
 			else
@@ -109,11 +109,11 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int64Value Conv_I8(Real8Value a) {
-			return new Int64Value((long)a.value);
+			return new Int64Value((long)a.Value);
 		}
 
 		bool CheckSign(ulong mask) {
-			return ((ulong)value & mask) == 0 || ((ulong)value & mask) == mask;
+			return ((ulong)Value & mask) == 0 || ((ulong)Value & mask) == mask;
 		}
 
 		public static Int32Value Conv_Ovf_I1(Int64Value a) {
@@ -125,7 +125,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int32Value Conv_Ovf_I1_Un(Int64Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 7) ||
-				(ulong)a.value > (ulong)sbyte.MaxValue)
+				(ulong)a.Value > (ulong)sbyte.MaxValue)
 				return Int32Value.CreateUnknown();
 			return Int32Value.Conv_I1(a);
 		}
@@ -139,7 +139,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int32Value Conv_Ovf_I2_Un(Int64Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 15) ||
-				(ulong)a.value > (ulong)short.MaxValue)
+				(ulong)a.Value > (ulong)short.MaxValue)
 				return Int32Value.CreateUnknown();
 			return Int32Value.Conv_I2(a);
 		}
@@ -153,7 +153,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int32Value Conv_Ovf_I4_Un(Int64Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 31) ||
-				(ulong)a.value > (ulong)int.MaxValue)
+				(ulong)a.Value > (ulong)int.MaxValue)
 				return Int32Value.CreateUnknown();
 			return Int32Value.Conv_I4(a);
 		}
@@ -163,55 +163,55 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int64Value Conv_Ovf_I8_Un(Int64Value a) {
-			if (!IsBitValid(a.validMask, 63) || a.value < 0)
+			if (!IsBitValid(a.ValidMask, 63) || a.Value < 0)
 				return CreateUnknown();
 			return a;
 		}
 
 		public static Int32Value Conv_Ovf_U1(Int64Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 7) ||
-				a.value < 0 || a.value > byte.MaxValue)
+				a.Value < 0 || a.Value > byte.MaxValue)
 				return Int32Value.CreateUnknownUInt8();
 			return Int32Value.Conv_U1(a);
 		}
 
 		public static Int32Value Conv_Ovf_U1_Un(Int64Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 8) ||
-				(ulong)a.value > byte.MaxValue)
+				(ulong)a.Value > byte.MaxValue)
 				return Int32Value.CreateUnknownUInt8();
 			return Int32Value.Conv_U1(a);
 		}
 
 		public static Int32Value Conv_Ovf_U2(Int64Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 15) ||
-				a.value < 0 || a.value > ushort.MaxValue)
+				a.Value < 0 || a.Value > ushort.MaxValue)
 				return Int32Value.CreateUnknownUInt16();
 			return Int32Value.Conv_U2(a);
 		}
 
 		public static Int32Value Conv_Ovf_U2_Un(Int64Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 16) ||
-				(ulong)a.value > ushort.MaxValue)
+				(ulong)a.Value > ushort.MaxValue)
 				return Int32Value.CreateUnknownUInt16();
 			return Int32Value.Conv_U2(a);
 		}
 
 		public static Int32Value Conv_Ovf_U4(Int64Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 31) ||
-				a.value < 0 || a.value > uint.MaxValue)
+				a.Value < 0 || a.Value > uint.MaxValue)
 				return Int32Value.CreateUnknown();
 			return Int32Value.Conv_U4(a);
 		}
 
 		public static Int32Value Conv_Ovf_U4_Un(Int64Value a) {
 			if (!a.AreBitsValid(NO_UNKNOWN_BITS << 32) ||
-				(ulong)a.value > uint.MaxValue)
+				(ulong)a.Value > uint.MaxValue)
 				return Int32Value.CreateUnknown();
 			return Int32Value.Conv_U4(a);
 		}
 
 		public static Int64Value Conv_Ovf_U8(Int64Value a) {
-			if (!IsBitValid(a.validMask, 63) || a.value < 0)
+			if (!IsBitValid(a.ValidMask, 63) || a.Value < 0)
 				return CreateUnknown();
 			return a;
 		}
@@ -222,15 +222,15 @@ namespace de4dot.blocks.cflow {
 
 		public static Int64Value Add(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return new Int64Value(a.value + b.value);
+				return new Int64Value(a.Value + b.Value);
 			if (ReferenceEquals(a, b))
-				return new Int64Value(a.value << 1, (a.validMask << 1) | 1);
+				return new Int64Value(a.Value << 1, (a.ValidMask << 1) | 1);
 			return CreateUnknown();
 		}
 
 		public static Int64Value Sub(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return new Int64Value(a.value - b.value);
+				return new Int64Value(a.Value - b.Value);
 			if (ReferenceEquals(a, b))
 				return Zero;
 			return CreateUnknown();
@@ -238,7 +238,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int64Value Mul(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return new Int64Value(a.value * b.value);
+				return new Int64Value(a.Value * b.Value);
 			if (a.IsZero() || b.IsZero())
 				return Zero;
 			if (a.HasValue(1))
@@ -251,7 +251,7 @@ namespace de4dot.blocks.cflow {
 		public static Int64Value Div(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int64Value(a.value / b.value);
+					return new Int64Value(a.Value / b.Value);
 				}
 				catch (ArithmeticException) {
 					return CreateUnknown();
@@ -267,7 +267,7 @@ namespace de4dot.blocks.cflow {
 		public static Int64Value Div_Un(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int64Value((long)((ulong)a.value / (ulong)b.value));
+					return new Int64Value((long)((ulong)a.Value / (ulong)b.Value));
 				}
 				catch (ArithmeticException) {
 					return CreateUnknown();
@@ -283,7 +283,7 @@ namespace de4dot.blocks.cflow {
 		public static Int64Value Rem(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int64Value(a.value % b.value);
+					return new Int64Value(a.Value % b.Value);
 				}
 				catch (ArithmeticException) {
 					return CreateUnknown();
@@ -297,7 +297,7 @@ namespace de4dot.blocks.cflow {
 		public static Int64Value Rem_Un(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int64Value((long)((ulong)a.value % (ulong)b.value));
+					return new Int64Value((long)((ulong)a.Value % (ulong)b.Value));
 				}
 				catch (ArithmeticException) {
 					return CreateUnknown();
@@ -310,14 +310,14 @@ namespace de4dot.blocks.cflow {
 
 		public static Int64Value Neg(Int64Value a) {
 			if (a.AllBitsValid())
-				return new Int64Value(-a.value);
+				return new Int64Value(-a.Value);
 			return CreateUnknown();
 		}
 
 		public static Int64Value Add_Ovf(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int64Value(checked(a.value + b.value));
+					return new Int64Value(checked(a.Value + b.Value));
 				}
 				catch (OverflowException) {
 				}
@@ -327,7 +327,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int64Value Add_Ovf_Un(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
-				ulong aa = (ulong)a.value, bb = (ulong)b.value;
+				ulong aa = (ulong)a.Value, bb = (ulong)b.Value;
 				try {
 					return new Int64Value((long)checked(aa + bb));
 				}
@@ -340,7 +340,7 @@ namespace de4dot.blocks.cflow {
 		public static Int64Value Sub_Ovf(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int64Value(checked(a.value - b.value));
+					return new Int64Value(checked(a.Value - b.Value));
 				}
 				catch (OverflowException) {
 				}
@@ -350,7 +350,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int64Value Sub_Ovf_Un(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
-				ulong aa = (ulong)a.value, bb = (ulong)b.value;
+				ulong aa = (ulong)a.Value, bb = (ulong)b.Value;
 				try {
 					return new Int64Value((long)checked(aa - bb));
 				}
@@ -363,7 +363,7 @@ namespace de4dot.blocks.cflow {
 		public static Int64Value Mul_Ovf(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
 				try {
-					return new Int64Value(checked(a.value * b.value));
+					return new Int64Value(checked(a.Value * b.Value));
 				}
 				catch (OverflowException) {
 				}
@@ -373,7 +373,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Int64Value Mul_Ovf_Un(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid()) {
-				ulong aa = (ulong)a.value, bb = (ulong)b.value;
+				ulong aa = (ulong)a.Value, bb = (ulong)b.Value;
 				try {
 					return new Int64Value((long)checked(aa * bb));
 				}
@@ -384,65 +384,65 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int64Value And(Int64Value a, Int64Value b) {
-			long av = a.value, bv = b.value;
-			ulong am = a.validMask, bm = b.validMask;
+			long av = a.Value, bv = b.Value;
+			ulong am = a.ValidMask, bm = b.ValidMask;
 			return new Int64Value(av & bv, (am & bm) | (((ulong)av & am) ^ am) | (((ulong)bv & bm) ^ bm));
 		}
 
 		public static Int64Value Or(Int64Value a, Int64Value b) {
-			long av = a.value, bv = b.value;
-			ulong am = a.validMask, bm = b.validMask;
+			long av = a.Value, bv = b.Value;
+			ulong am = a.ValidMask, bm = b.ValidMask;
 			return new Int64Value(av | bv, (am & bm) | ((ulong)av & am) | ((ulong)bv & bm));
 		}
 
 		public static Int64Value Xor(Int64Value a, Int64Value b) {
 			if (ReferenceEquals(a, b))
 				return Zero;
-			long av = a.value, bv = b.value;
-			ulong am = a.validMask, bm = b.validMask;
+			long av = a.Value, bv = b.Value;
+			ulong am = a.ValidMask, bm = b.ValidMask;
 			return new Int64Value(av ^ bv, am & bm);
 		}
 
 		public static Int64Value Not(Int64Value a) {
-			return new Int64Value(~a.value, a.validMask);
+			return new Int64Value(~a.Value, a.ValidMask);
 		}
 
 		public static Int64Value Shl(Int64Value a, Int32Value b) {
 			if (b.HasUnknownBits())
 				return CreateUnknown();
-			if (b.value == 0)
+			if (b.Value == 0)
 				return a;
-			if (b.value < 0 || b.value >= sizeof(long) * 8)
+			if (b.Value < 0 || b.Value >= sizeof(long) * 8)
 				return CreateUnknown();
-			int shift = b.value;
-			ulong validMask = (a.validMask << shift) | (ulong.MaxValue >> (sizeof(long) * 8 - shift));
-			return new Int64Value(a.value << shift, validMask);
+			int shift = b.Value;
+			ulong validMask = (a.ValidMask << shift) | (ulong.MaxValue >> (sizeof(long) * 8 - shift));
+			return new Int64Value(a.Value << shift, validMask);
 		}
 
 		public static Int64Value Shr(Int64Value a, Int32Value b) {
 			if (b.HasUnknownBits())
 				return CreateUnknown();
-			if (b.value == 0)
+			if (b.Value == 0)
 				return a;
-			if (b.value < 0 || b.value >= sizeof(long) * 8)
+			if (b.Value < 0 || b.Value >= sizeof(long) * 8)
 				return CreateUnknown();
-			int shift = b.value;
-			ulong validMask = a.validMask >> shift;
+			int shift = b.Value;
+			ulong validMask = a.ValidMask >> shift;
 			if (a.IsBitValid(sizeof(long) * 8 - 1))
 				validMask |= (ulong.MaxValue << (sizeof(long) * 8 - shift));
-			return new Int64Value(a.value >> shift, validMask);
+			return new Int64Value(a.Value >> shift, validMask);
 		}
 
 		public static Int64Value Shr_Un(Int64Value a, Int32Value b) {
 			if (b.HasUnknownBits())
 				return CreateUnknown();
-			if (b.value == 0)
+			if (b.Value == 0)
 				return a;
-			if (b.value < 0 || b.value >= sizeof(long) * 8)
+			if (b.Value < 0 || b.Value >= sizeof(long) * 8)
 				return CreateUnknown();
-			int shift = b.value;
-			ulong validMask = (a.validMask >> shift) | (ulong.MaxValue << (sizeof(long) * 8 - shift));
-			return new Int64Value((long)((ulong)a.value >> shift), validMask);
+			int shift = b.Value;
+			ulong validMask = (a.ValidMask >> shift) | (ulong.MaxValue << (sizeof(long) * 8 - shift));
+			return new Int64Value((long)((ulong)a.Value >> shift), validMask);
 		}
 
 		static Int32Value Create(Bool3 b) {
@@ -475,27 +475,27 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareEq(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value == b.value ? Bool3.True : Bool3.False;
+				return a.Value == b.Value ? Bool3.True : Bool3.False;
 			if (ReferenceEquals(a, b))
 				return Bool3.True;
-			if (((ulong)a.value & a.validMask & b.validMask) != ((ulong)b.value & a.validMask & b.validMask))
+			if (((ulong)a.Value & a.ValidMask & b.ValidMask) != ((ulong)b.Value & a.ValidMask & b.ValidMask))
 				return Bool3.False;
 			return Bool3.Unknown;
 		}
 
 		public static Bool3 CompareNeq(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value != b.value ? Bool3.True : Bool3.False;
+				return a.Value != b.Value ? Bool3.True : Bool3.False;
 			if (ReferenceEquals(a, b))
 				return Bool3.False;
-			if (((ulong)a.value & a.validMask & b.validMask) != ((ulong)b.value & a.validMask & b.validMask))
+			if (((ulong)a.Value & a.ValidMask & b.ValidMask) != ((ulong)b.Value & a.ValidMask & b.ValidMask))
 				return Bool3.True;
 			return Bool3.Unknown;
 		}
 
 		public static Bool3 CompareGt(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value > b.value ? Bool3.True : Bool3.False;
+				return a.Value > b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(long.MinValue))
 				return Bool3.False;	// min > x => false
 			if (b.HasValue(long.MaxValue))
@@ -505,7 +505,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareGt_Un(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return (ulong)a.value > (ulong)b.value ? Bool3.True : Bool3.False;
+				return (ulong)a.Value > (ulong)b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(ulong.MinValue))
 				return Bool3.False;	// min > x => false
 			if (b.HasValue(ulong.MaxValue))
@@ -515,7 +515,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareGe(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value >= b.value ? Bool3.True : Bool3.False;
+				return a.Value >= b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(long.MaxValue))
 				return Bool3.True;	// max >= x => true
 			if (b.HasValue(long.MinValue))
@@ -525,7 +525,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareGe_Un(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return (ulong)a.value >= (ulong)b.value ? Bool3.True : Bool3.False;
+				return (ulong)a.Value >= (ulong)b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(ulong.MaxValue))
 				return Bool3.True;	// max >= x => true
 			if (b.HasValue(ulong.MinValue))
@@ -535,7 +535,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareLe(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value <= b.value ? Bool3.True : Bool3.False;
+				return a.Value <= b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(long.MinValue))
 				return Bool3.True;	// min <= x => true
 			if (b.HasValue(long.MaxValue))
@@ -545,7 +545,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareLe_Un(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return (ulong)a.value <= (ulong)b.value ? Bool3.True : Bool3.False;
+				return (ulong)a.Value <= (ulong)b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(ulong.MinValue))
 				return Bool3.True;	// min <= x => true
 			if (b.HasValue(ulong.MaxValue))
@@ -555,7 +555,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareLt(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return a.value < b.value ? Bool3.True : Bool3.False;
+				return a.Value < b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(long.MaxValue))
 				return Bool3.False;	// max < x => false
 			if (b.HasValue(long.MinValue))
@@ -565,7 +565,7 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareLt_Un(Int64Value a, Int64Value b) {
 			if (a.AllBitsValid() && b.AllBitsValid())
-				return (ulong)a.value < (ulong)b.value ? Bool3.True : Bool3.False;
+				return (ulong)a.Value < (ulong)b.Value ? Bool3.True : Bool3.False;
 			if (a.HasValue(ulong.MaxValue))
 				return Bool3.False;	// max < x => false
 			if (b.HasValue(ulong.MinValue))
@@ -575,24 +575,24 @@ namespace de4dot.blocks.cflow {
 
 		public static Bool3 CompareTrue(Int64Value a) {
 			if (a.AllBitsValid())
-				return a.value != 0 ? Bool3.True : Bool3.False;
-			if (((ulong)a.value & a.validMask) != 0)
+				return a.Value != 0 ? Bool3.True : Bool3.False;
+			if (((ulong)a.Value & a.ValidMask) != 0)
 				return Bool3.True;
 			return Bool3.Unknown;
 		}
 
 		public static Bool3 CompareFalse(Int64Value a) {
 			if (a.AllBitsValid())
-				return a.value == 0 ? Bool3.True : Bool3.False;
-			if (((ulong)a.value & a.validMask) != 0)
+				return a.Value == 0 ? Bool3.True : Bool3.False;
+			if (((ulong)a.Value & a.ValidMask) != 0)
 				return Bool3.False;
 			return Bool3.Unknown;
 		}
 
 		public override string ToString() {
 			if (AllBitsValid())
-				return value.ToString();
-			return string.Format("0x{0:X8}L({1:X8})", value, validMask);
+				return Value.ToString();
+			return string.Format("0x{0:X8}L({1:X8})", Value, ValidMask);
 		}
 	}
 }
diff --git a/de4dot.blocks/cflow/Real8Value.cs b/de4dot.blocks/cflow/Real8Value.cs
index 430ef9c6..511fcbaf 100644
--- a/de4dot.blocks/cflow/Real8Value.cs
+++ b/de4dot.blocks/cflow/Real8Value.cs
@@ -19,35 +19,35 @@
 
 namespace de4dot.blocks.cflow {
 	public class Real8Value : Value {
-		public readonly double value;
+		public readonly double Value;
 
 		public Real8Value(double value)
 			: base(ValueType.Real8) {
-			this.value = value;
+			this.Value = value;
 		}
 
 		public static Real8Value Add(Real8Value a, Real8Value b) {
-			return new Real8Value(a.value + b.value);
+			return new Real8Value(a.Value + b.Value);
 		}
 
 		public static Real8Value Sub(Real8Value a, Real8Value b) {
-			return new Real8Value(a.value - b.value);
+			return new Real8Value(a.Value - b.Value);
 		}
 
 		public static Real8Value Mul(Real8Value a, Real8Value b) {
-			return new Real8Value(a.value * b.value);
+			return new Real8Value(a.Value * b.Value);
 		}
 
 		public static Real8Value Div(Real8Value a, Real8Value b) {
-			return new Real8Value(a.value / b.value);
+			return new Real8Value(a.Value / b.Value);
 		}
 
 		public static Real8Value Rem(Real8Value a, Real8Value b) {
-			return new Real8Value(a.value % b.value);
+			return new Real8Value(a.Value % b.Value);
 		}
 
 		public static Real8Value Neg(Real8Value a) {
-			return new Real8Value(-a.value);
+			return new Real8Value(-a.Value);
 		}
 
 		public static Int32Value Conv_Ovf_I1(Real8Value a) {
diff --git a/de4dot.code/deobfuscators/ArrayFinder.cs b/de4dot.code/deobfuscators/ArrayFinder.cs
index 821405eb..af7ccc1b 100644
--- a/de4dot.code/deobfuscators/ArrayFinder.cs
+++ b/de4dot.code/deobfuscators/ArrayFinder.cs
@@ -86,7 +86,7 @@ namespace de4dot.code.deobfuscators {
 				var intValue = resultValueArray[i] as Int32Value;
 				if (intValue == null || !intValue.AllBitsValid())
 					return null;
-				resultArray[i] = (byte)intValue.value;
+				resultArray[i] = (byte)intValue.Value;
 			}
 			return resultArray;
 		}
@@ -99,7 +99,7 @@ namespace de4dot.code.deobfuscators {
 				var intValue = resultValueArray[i] as Int32Value;
 				if (intValue == null || !intValue.AllBitsValid())
 					return null;
-				resultArray[i] = (short)intValue.value;
+				resultArray[i] = (short)intValue.Value;
 			}
 			return resultArray;
 		}
@@ -112,7 +112,7 @@ namespace de4dot.code.deobfuscators {
 				var intValue = resultValueArray[i] as Int32Value;
 				if (intValue == null || !intValue.AllBitsValid())
 					return null;
-				resultArray[i] = (int)intValue.value;
+				resultArray[i] = (int)intValue.Value;
 			}
 			return resultArray;
 		}
@@ -168,8 +168,8 @@ namespace de4dot.code.deobfuscators {
 					var index = emulator.Pop() as Int32Value;
 					var array = emulator.Pop();
 					if (ReferenceEquals(array, theArray) && index != null && index.AllBitsValid()) {
-						if (0 <= index.value && index.value < resultValueArray.Length)
-							resultValueArray[index.value] = value;
+						if (0 <= index.Value && index.Value < resultValueArray.Length)
+							resultValueArray[index.Value] = value;
 					}
 				}
 				else
diff --git a/de4dot.code/deobfuscators/Babel_NET/BabelMethodCallInliner.cs b/de4dot.code/deobfuscators/Babel_NET/BabelMethodCallInliner.cs
index eb514e26..88623545 100644
--- a/de4dot.code/deobfuscators/Babel_NET/BabelMethodCallInliner.cs
+++ b/de4dot.code/deobfuscators/Babel_NET/BabelMethodCallInliner.cs
@@ -64,8 +64,8 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 				return false;
 			var instr = instructions[emulateIndex];
 			var targets = (Instruction[])instr.Operand;
-			if (switchIndex.value >= 0 && switchIndex.value < targets.Length)
-				emulateIndex = instructions.IndexOf(targets[switchIndex.value]);
+			if (switchIndex.Value >= 0 && switchIndex.Value < targets.Length)
+				emulateIndex = instructions.IndexOf(targets[switchIndex.Value]);
 			else
 				emulateIndex++;
 			return true;
@@ -221,7 +221,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 					var retValue2 = (Int32Value)retValue;
 					if (!retValue2.AllBitsValid())
 						return false;
-					newValue = retValue2.value;
+					newValue = retValue2.Value;
 					return true;
 
 				default:
diff --git a/de4dot.code/deobfuscators/Babel_NET/StringDecrypter.cs b/de4dot.code/deobfuscators/Babel_NET/StringDecrypter.cs
index bda53b08..77b4f663 100644
--- a/de4dot.code/deobfuscators/Babel_NET/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/Babel_NET/StringDecrypter.cs
@@ -126,7 +126,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 				emulator.Push(new Int32Value(offset));
 				foreach (var instr in OffsetCalcInstructions)
 					emulator.Emulate(instr);
-				return ((Int32Value)emulator.Pop()).value;
+				return ((Int32Value)emulator.Pop()).Value;
 			}
 
 			public string Decrypt(object[] args) {
@@ -348,7 +348,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 
 					case Code.Newarr:
 						var arrayType = (ITypeDefOrRef)instr.Operand;
-						int arrayCount = ((Int32Value)emulator.Pop()).value;
+						int arrayCount = ((Int32Value)emulator.Pop()).Value;
 						if (arrayType.FullName == "System.Char")
 							emulator.Push(new UserValue(new char[arrayCount]));
 						else
@@ -362,7 +362,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 						break;
 
 					case Code.Ldelem_U1:
-						arrayIndex = ((Int32Value)emulator.Pop()).value;
+						arrayIndex = ((Int32Value)emulator.Pop()).Value;
 						array = (Value)emulator.Pop();
 						if (array is UserValue)
 							emulator.Push(new Int32Value(((byte[])((UserValue)array).obj)[arrayIndex]));
@@ -372,22 +372,22 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 
 					case Code.Stelem_I1:
 						value = emulator.Pop();
-						arrayIndex = ((Int32Value)emulator.Pop()).value;
+						arrayIndex = ((Int32Value)emulator.Pop()).Value;
 						array = (Value)emulator.Pop();
 						if (array is UserValue)
-							((byte[])((UserValue)array).obj)[arrayIndex] = (byte)((Int32Value)value).value;
+							((byte[])((UserValue)array).obj)[arrayIndex] = (byte)((Int32Value)value).Value;
 						break;
 
 					case Code.Stelem_I2:
 						value = emulator.Pop();
-						arrayIndex = ((Int32Value)emulator.Pop()).value;
+						arrayIndex = ((Int32Value)emulator.Pop()).Value;
 						array = (Value)emulator.Pop();
 						if (array is UserValue)
-							((char[])((UserValue)array).obj)[arrayIndex] = (char)((Int32Value)value).value;
+							((char[])((UserValue)array).obj)[arrayIndex] = (char)((Int32Value)value).Value;
 						break;
 
 					case Code.Ldelem_Ref:
-						arrayIndex = ((Int32Value)emulator.Pop()).value;
+						arrayIndex = ((Int32Value)emulator.Pop()).Value;
 						array = (Value)emulator.Pop();
 						var userValue = array as UserValue;
 						if (userValue != null && userValue.obj is string[])
@@ -451,7 +451,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 
 			object CreateDNLibOperand(OpCode opcode, Value op) {
 				if (op is Int32Value)
-					return ((Int32Value)op).value;
+					return ((Int32Value)op).Value;
 				if (op is StringValue)
 					return ((StringValue)op).value;
 				return null;
diff --git a/de4dot.code/deobfuscators/DeepSea/DsMethodCallInliner.cs b/de4dot.code/deobfuscators/DeepSea/DsMethodCallInliner.cs
index 0a23829a..7da4cc1d 100644
--- a/de4dot.code/deobfuscators/DeepSea/DsMethodCallInliner.cs
+++ b/de4dot.code/deobfuscators/DeepSea/DsMethodCallInliner.cs
@@ -191,8 +191,8 @@ namespace de4dot.code.deobfuscators.DeepSea {
 					if (value == null || !value.AllBitsValid())
 						return false;
 					var targets = (Instruction[])instr.Operand;
-					if (value.value >= 0 && value.value < targets.Length)
-						index = instrs.IndexOf(targets[value.value]);
+					if (value.Value >= 0 && value.Value < targets.Length)
+						index = instrs.IndexOf(targets[value.Value]);
 					else
 						index++;
 					break;
diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
index dd40699d..b8a3e082 100644
--- a/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
@@ -626,7 +626,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 					if (val == null || !val.AllBitsValid())
 						fields[field] = null;
 					else
-						fields[field] = val.value;
+						fields[field] = val.Value;
 					break;
 
 				case Code.Call:
@@ -695,8 +695,8 @@ done: ;
 			var dcGen = dynocode.GetDynocodeGenerator(ctor.DeclaringType);
 			if (dcGen == null)
 				return false;
-			int loopLocalValue = initValue2.value;
-			foreach (var val in dcGen.GetValues(initValue.value))
+			int loopLocalValue = initValue2.Value;
+			foreach (var val in dcGen.GetValues(initValue.Value))
 				loopLocalValue ^= val;
 
 			emu.SetLocal(loopLocal, new Int32Value(loopLocalValue));

From 52111f7e393a94391ccf7da3c70c1500a4f74336 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 16 Oct 2013 10:13:19 +0200
Subject: [PATCH 21/58] Real8Value can now also be "invalid", like
 Int{32|64}Value

---
 de4dot.blocks/cflow/InstructionEmulator.cs | 14 +++++-
 de4dot.blocks/cflow/Int32Value.cs          | 12 +++++
 de4dot.blocks/cflow/Int64Value.cs          |  4 ++
 de4dot.blocks/cflow/Real8Value.cs          | 54 ++++++++++++++++++++++
 4 files changed, 83 insertions(+), 1 deletion(-)

diff --git a/de4dot.blocks/cflow/InstructionEmulator.cs b/de4dot.blocks/cflow/InstructionEmulator.cs
index 56f6a47f..0eab99ee 100644
--- a/de4dot.blocks/cflow/InstructionEmulator.cs
+++ b/de4dot.blocks/cflow/InstructionEmulator.cs
@@ -141,7 +141,7 @@ namespace de4dot.blocks.cflow {
 
 			case ElementType.R4:
 				if (value.IsReal8())
-					return new Real8Value((float)((Real8Value)value).Value);
+					return ((Real8Value)value).ToSingle();
 				return new UnknownValue();
 
 			case ElementType.R8:
@@ -870,6 +870,8 @@ namespace de4dot.blocks.cflow {
 				valueStack.Push(Int32Value.Add_Ovf((Int32Value)val1, (Int32Value)val2));
 			else if (val1.IsInt64() && val2.IsInt64())
 				valueStack.Push(Int64Value.Add_Ovf((Int64Value)val1, (Int64Value)val2));
+			else if (val1.IsReal8() && val2.IsReal8())
+				valueStack.Push(Real8Value.Add_Ovf((Real8Value)val1, (Real8Value)val2));
 			else
 				valueStack.PushUnknown();
 		}
@@ -882,6 +884,8 @@ namespace de4dot.blocks.cflow {
 				valueStack.Push(Int32Value.Add_Ovf_Un((Int32Value)val1, (Int32Value)val2));
 			else if (val1.IsInt64() && val2.IsInt64())
 				valueStack.Push(Int64Value.Add_Ovf_Un((Int64Value)val1, (Int64Value)val2));
+			else if (val1.IsReal8() && val2.IsReal8())
+				valueStack.Push(Real8Value.Add_Ovf_Un((Real8Value)val1, (Real8Value)val2));
 			else
 				valueStack.PushUnknown();
 		}
@@ -894,6 +898,8 @@ namespace de4dot.blocks.cflow {
 				valueStack.Push(Int32Value.Sub_Ovf((Int32Value)val1, (Int32Value)val2));
 			else if (val1.IsInt64() && val2.IsInt64())
 				valueStack.Push(Int64Value.Sub_Ovf((Int64Value)val1, (Int64Value)val2));
+			else if (val1.IsReal8() && val2.IsReal8())
+				valueStack.Push(Real8Value.Sub_Ovf((Real8Value)val1, (Real8Value)val2));
 			else
 				valueStack.PushUnknown();
 		}
@@ -906,6 +912,8 @@ namespace de4dot.blocks.cflow {
 				valueStack.Push(Int32Value.Sub_Ovf_Un((Int32Value)val1, (Int32Value)val2));
 			else if (val1.IsInt64() && val2.IsInt64())
 				valueStack.Push(Int64Value.Sub_Ovf_Un((Int64Value)val1, (Int64Value)val2));
+			else if (val1.IsReal8() && val2.IsReal8())
+				valueStack.Push(Real8Value.Sub_Ovf_Un((Real8Value)val1, (Real8Value)val2));
 			else
 				valueStack.PushUnknown();
 		}
@@ -918,6 +926,8 @@ namespace de4dot.blocks.cflow {
 				valueStack.Push(Int32Value.Mul_Ovf((Int32Value)val1, (Int32Value)val2));
 			else if (val1.IsInt64() && val2.IsInt64())
 				valueStack.Push(Int64Value.Mul_Ovf((Int64Value)val1, (Int64Value)val2));
+			else if (val1.IsReal8() && val2.IsReal8())
+				valueStack.Push(Real8Value.Mul_Ovf((Real8Value)val1, (Real8Value)val2));
 			else
 				valueStack.PushUnknown();
 		}
@@ -930,6 +940,8 @@ namespace de4dot.blocks.cflow {
 				valueStack.Push(Int32Value.Mul_Ovf_Un((Int32Value)val1, (Int32Value)val2));
 			else if (val1.IsInt64() && val2.IsInt64())
 				valueStack.Push(Int64Value.Mul_Ovf_Un((Int64Value)val1, (Int64Value)val2));
+			else if (val1.IsReal8() && val2.IsReal8())
+				valueStack.Push(Real8Value.Mul_Ovf_Un((Real8Value)val1, (Real8Value)val2));
 			else
 				valueStack.PushUnknown();
 		}
diff --git a/de4dot.blocks/cflow/Int32Value.cs b/de4dot.blocks/cflow/Int32Value.cs
index 41844f33..85c9b544 100644
--- a/de4dot.blocks/cflow/Int32Value.cs
+++ b/de4dot.blocks/cflow/Int32Value.cs
@@ -131,6 +131,8 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_U1(Real8Value a) {
+			if (!a.IsValid)
+				return CreateUnknownUInt8();
 			return new Int32Value((int)(byte)a.Value);
 		}
 
@@ -152,6 +154,8 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_I1(Real8Value a) {
+			if (!a.IsValid)
+				return CreateUnknown();
 			return new Int32Value((int)(sbyte)a.Value);
 		}
 
@@ -170,6 +174,8 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_U2(Real8Value a) {
+			if (!a.IsValid)
+				return CreateUnknownUInt16();
 			return new Int32Value((int)(ushort)a.Value);
 		}
 
@@ -191,6 +197,8 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_I2(Real8Value a) {
+			if (!a.IsValid)
+				return CreateUnknown();
 			return new Int32Value((int)(short)a.Value);
 		}
 
@@ -203,6 +211,8 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_U4(Real8Value a) {
+			if (!a.IsValid)
+				return CreateUnknown();
 			return new Int32Value((int)(uint)a.Value);
 		}
 
@@ -215,6 +225,8 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Conv_I4(Real8Value a) {
+			if (!a.IsValid)
+				return CreateUnknown();
 			return new Int32Value((int)a.Value);
 		}
 
diff --git a/de4dot.blocks/cflow/Int64Value.cs b/de4dot.blocks/cflow/Int64Value.cs
index 0bf4a558..48a236e3 100644
--- a/de4dot.blocks/cflow/Int64Value.cs
+++ b/de4dot.blocks/cflow/Int64Value.cs
@@ -91,6 +91,8 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int64Value Conv_U8(Real8Value a) {
+			if (!a.IsValid)
+				return CreateUnknown();
 			return new Int64Value((long)(ulong)a.Value);
 		}
 
@@ -109,6 +111,8 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int64Value Conv_I8(Real8Value a) {
+			if (!a.IsValid)
+				return CreateUnknown();
 			return new Int64Value((long)a.Value);
 		}
 
diff --git a/de4dot.blocks/cflow/Real8Value.cs b/de4dot.blocks/cflow/Real8Value.cs
index 511fcbaf..d6c7bbd8 100644
--- a/de4dot.blocks/cflow/Real8Value.cs
+++ b/de4dot.blocks/cflow/Real8Value.cs
@@ -20,36 +20,90 @@
 namespace de4dot.blocks.cflow {
 	public class Real8Value : Value {
 		public readonly double Value;
+		public readonly bool IsValid;
 
 		public Real8Value(double value)
 			: base(ValueType.Real8) {
 			this.Value = value;
+			this.IsValid = true;
+		}
+
+		public Real8Value(double value, bool isValid)
+			: base(ValueType.Real8) {
+			this.Value = value;
+			this.IsValid = isValid;
+		}
+
+		public static Real8Value CreateUnknown() {
+			return new Real8Value(0, false);
+		}
+
+		public Real8Value ToSingle() {
+			if (!IsValid)
+				return CreateUnknown();
+			return new Real8Value((float)Value);
 		}
 
 		public static Real8Value Add(Real8Value a, Real8Value b) {
+			if (!a.IsValid || !b.IsValid)
+				return CreateUnknown();
 			return new Real8Value(a.Value + b.Value);
 		}
 
 		public static Real8Value Sub(Real8Value a, Real8Value b) {
+			if (!a.IsValid || !b.IsValid)
+				return CreateUnknown();
 			return new Real8Value(a.Value - b.Value);
 		}
 
 		public static Real8Value Mul(Real8Value a, Real8Value b) {
+			if (!a.IsValid || !b.IsValid)
+				return CreateUnknown();
 			return new Real8Value(a.Value * b.Value);
 		}
 
 		public static Real8Value Div(Real8Value a, Real8Value b) {
+			if (!a.IsValid || !b.IsValid)
+				return CreateUnknown();
 			return new Real8Value(a.Value / b.Value);
 		}
 
 		public static Real8Value Rem(Real8Value a, Real8Value b) {
+			if (!a.IsValid || !b.IsValid)
+				return CreateUnknown();
 			return new Real8Value(a.Value % b.Value);
 		}
 
 		public static Real8Value Neg(Real8Value a) {
+			if (!a.IsValid)
+				return CreateUnknown();
 			return new Real8Value(-a.Value);
 		}
 
+		public static Real8Value Add_Ovf(Real8Value a, Real8Value b) {
+			return CreateUnknown();
+		}
+
+		public static Real8Value Add_Ovf_Un(Real8Value a, Real8Value b) {
+			return CreateUnknown();
+		}
+
+		public static Real8Value Sub_Ovf(Real8Value a, Real8Value b) {
+			return CreateUnknown();
+		}
+
+		public static Real8Value Sub_Ovf_Un(Real8Value a, Real8Value b) {
+			return CreateUnknown();
+		}
+
+		public static Real8Value Mul_Ovf(Real8Value a, Real8Value b) {
+			return CreateUnknown();
+		}
+
+		public static Real8Value Mul_Ovf_Un(Real8Value a, Real8Value b) {
+			return CreateUnknown();
+		}
+
 		public static Int32Value Conv_Ovf_I1(Real8Value a) {
 			return Int32Value.CreateUnknown();
 		}

From ae408ab6eb36652ff735184d63968a0a189a47a4 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Thu, 17 Oct 2013 19:19:21 +0200
Subject: [PATCH 22/58] Rename create() -> Create()

---
 de4dot.blocks/cflow/Int32Value.cs | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/de4dot.blocks/cflow/Int32Value.cs b/de4dot.blocks/cflow/Int32Value.cs
index 85c9b544..32fe2cae 100644
--- a/de4dot.blocks/cflow/Int32Value.cs
+++ b/de4dot.blocks/cflow/Int32Value.cs
@@ -556,7 +556,7 @@ namespace de4dot.blocks.cflow {
 			return new Int32Value((int)((uint)a.Value >> shift), validMask);
 		}
 
-		static Int32Value create(Bool3 b) {
+		static Int32Value Create(Bool3 b) {
 			switch (b) {
 			case Bool3.False:	return Zero;
 			case Bool3.True:	return One;
@@ -565,23 +565,23 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public static Int32Value Ceq(Int32Value a, Int32Value b) {
-			return create(CompareEq(a, b));
+			return Create(CompareEq(a, b));
 		}
 
 		public static Int32Value Cgt(Int32Value a, Int32Value b) {
-			return create(CompareGt(a, b));
+			return Create(CompareGt(a, b));
 		}
 
 		public static Int32Value Cgt_Un(Int32Value a, Int32Value b) {
-			return create(CompareGt_Un(a, b));
+			return Create(CompareGt_Un(a, b));
 		}
 
 		public static Int32Value Clt(Int32Value a, Int32Value b) {
-			return create(CompareLt(a, b));
+			return Create(CompareLt(a, b));
 		}
 
 		public static Int32Value Clt_Un(Int32Value a, Int32Value b) {
-			return create(CompareLt_Un(a, b));
+			return Create(CompareLt_Un(a, b));
 		}
 
 		public static Bool3 CompareEq(Int32Value a, Int32Value b) {

From 78196ffeee66e3dd94fe1ce2642ab395fc2cd137 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Thu, 17 Oct 2013 19:26:06 +0200
Subject: [PATCH 23/58] Add (uint) casts to prevent long temp values

---
 de4dot.blocks/cflow/Int32Value.cs | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/de4dot.blocks/cflow/Int32Value.cs b/de4dot.blocks/cflow/Int32Value.cs
index 32fe2cae..bb838288 100644
--- a/de4dot.blocks/cflow/Int32Value.cs
+++ b/de4dot.blocks/cflow/Int32Value.cs
@@ -81,7 +81,7 @@ namespace de4dot.blocks.cflow {
 		}
 
 		public bool IsNonZero() {
-			return (Value & ValidMask) != 0;
+			return ((uint)Value & ValidMask) != 0;
 		}
 
 		public bool HasValue(int value) {
@@ -589,7 +589,7 @@ namespace de4dot.blocks.cflow {
 				return a.Value == b.Value ? Bool3.True : Bool3.False;
 			if (ReferenceEquals(a, b))
 				return Bool3.True;
-			if ((a.Value & a.ValidMask & b.ValidMask) != (b.Value & a.ValidMask & b.ValidMask))
+			if (((uint)a.Value & a.ValidMask & b.ValidMask) != ((uint)b.Value & a.ValidMask & b.ValidMask))
 				return Bool3.False;
 			return Bool3.Unknown;
 		}
@@ -599,7 +599,7 @@ namespace de4dot.blocks.cflow {
 				return a.Value != b.Value ? Bool3.True : Bool3.False;
 			if (ReferenceEquals(a, b))
 				return Bool3.False;
-			if ((a.Value & a.ValidMask & b.ValidMask) != (b.Value & a.ValidMask & b.ValidMask))
+			if (((uint)a.Value & a.ValidMask & b.ValidMask) != ((uint)b.Value & a.ValidMask & b.ValidMask))
 				return Bool3.True;
 			return Bool3.Unknown;
 		}
@@ -687,7 +687,7 @@ namespace de4dot.blocks.cflow {
 		public static Bool3 CompareTrue(Int32Value a) {
 			if (a.AllBitsValid())
 				return a.Value != 0 ? Bool3.True : Bool3.False;
-			if ((a.Value & a.ValidMask) != 0)
+			if (((uint)a.Value & a.ValidMask) != 0)
 				return Bool3.True;
 			return Bool3.Unknown;
 		}
@@ -695,7 +695,7 @@ namespace de4dot.blocks.cflow {
 		public static Bool3 CompareFalse(Int32Value a) {
 			if (a.AllBitsValid())
 				return a.Value == 0 ? Bool3.True : Bool3.False;
-			if ((a.Value & a.ValidMask) != 0)
+			if (((uint)a.Value & a.ValidMask) != 0)
 				return Bool3.False;
 			return Bool3.Unknown;
 		}

From f05fd30dc5e8031d1015bfa62701c0628e6367de Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Thu, 17 Oct 2013 20:20:27 +0200
Subject: [PATCH 24/58] Add Real8Value.ToString()

---
 de4dot.blocks/cflow/Real8Value.cs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/de4dot.blocks/cflow/Real8Value.cs b/de4dot.blocks/cflow/Real8Value.cs
index d6c7bbd8..5087046d 100644
--- a/de4dot.blocks/cflow/Real8Value.cs
+++ b/de4dot.blocks/cflow/Real8Value.cs
@@ -167,5 +167,11 @@ namespace de4dot.blocks.cflow {
 		public static Int64Value Conv_Ovf_U8_Un(Real8Value a) {
 			return Int64Value.CreateUnknown();
 		}
+
+		public override string ToString() {
+			if (!IsValid)
+				return "<INVALID_REAL8>";
+			return Value.ToString();
+		}
 	}
 }

From 6f925abab7b3f3e67f9cfbbf0db8c3b72aaa10d2 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 20 Oct 2013 10:25:51 +0200
Subject: [PATCH 25/58] Make FindSection() public

---
 de4dot.code/deobfuscators/MyPEImage.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/MyPEImage.cs b/de4dot.code/deobfuscators/MyPEImage.cs
index f933887e..a3661cea 100644
--- a/de4dot.code/deobfuscators/MyPEImage.cs
+++ b/de4dot.code/deobfuscators/MyPEImage.cs
@@ -73,7 +73,7 @@ namespace de4dot.code.deobfuscators {
 			this.peStream = peImage.CreateFullStream();
 		}
 
-		ImageSectionHeader FindSection(RVA rva) {
+		public ImageSectionHeader FindSection(RVA rva) {
 			foreach (var section in peImage.ImageSectionHeaders) {
 				if (section.VirtualAddress <= rva && rva < section.VirtualAddress + Math.Max(section.VirtualSize, section.SizeOfRawData))
 					return section;

From 7c6005cde5966e16f55f0bef97617ea0395d5a7e Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 20 Oct 2013 18:09:38 +0200
Subject: [PATCH 26/58] Support more MaxtoCode runtimes

---
 .../deobfuscators/MaxtoCode/Deobfuscator.cs   |   2 +-
 .../MaxtoCode/EncryptionInfos.cs              |  30 +++
 .../deobfuscators/MaxtoCode/MainType.cs       |  13 +-
 .../MaxtoCode/MethodsDecrypter.cs             | 210 +++++++++++++++---
 .../deobfuscators/MaxtoCode/PeHeader.cs       |  17 +-
 5 files changed, 232 insertions(+), 40 deletions(-)

diff --git a/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs b/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs
index 47bff0f6..63e5ffbe 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs
@@ -106,7 +106,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 
 			var fileData = DeobUtils.ReadModule(module);
 			decrypterInfo = new DecrypterInfo(mainType, fileData);
-			var methodsDecrypter = new MethodsDecrypter(decrypterInfo);
+			var methodsDecrypter = new MethodsDecrypter(module, decrypterInfo);
 
 			if (!methodsDecrypter.Decrypt(ref dumpedMethods))
 				return false;
diff --git a/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs b/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs
index 1a24dbad..4baf7b93 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs
@@ -95,6 +95,21 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				MagicHi = 0x828ECDA3,
 				Version = EncryptionVersion.V7,
 			},
+			// 513D4492
+			// 51413BD8
+			// 51413D68
+			// 5166DB4F
+			new EncryptionInfo {
+				MagicLo = 0x1A683B87,
+				MagicHi = 0x128ECDA3,
+				Version = EncryptionVersion.V8,
+			},
+			// 51927495
+			new EncryptionInfo {
+				MagicLo = 0x7A643B87,
+				MagicHi = 0x624ECDA3,
+				Version = EncryptionVersion.V8,
+			},
 		};
 
 		public static readonly EncryptionInfo[] McKey8C0h = new EncryptionInfo[] {
@@ -149,6 +164,21 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				MagicHi = 0x8723891F,
 				Version = EncryptionVersion.V7,
 			},
+			// 513D4492
+			// 51413BD8
+			// 51413D68
+			// 5166DB4F
+			new EncryptionInfo {
+				MagicLo = 0x1A731B13,
+				MagicHi = 0x1723891F,
+				Version = EncryptionVersion.V8,
+			},
+			// 51927495
+			new EncryptionInfo {
+				MagicLo = 0x7A731B13,
+				MagicHi = 0x1723891F,
+				Version = EncryptionVersion.V8,
+			},
 		};
 	}
 }
diff --git a/de4dot.code/deobfuscators/MaxtoCode/MainType.cs b/de4dot.code/deobfuscators/MaxtoCode/MainType.cs
index 76d0913c..93d0f420 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/MainType.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/MainType.cs
@@ -27,6 +27,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 		ModuleDefMD module;
 		TypeDef mcType;
 		bool isOld;
+		ModuleRef runtimeModule1, runtimeModule2;
 
 		public bool IsOld {
 			get { return isOld; }
@@ -49,6 +50,15 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 			}
 		}
 
+		public IEnumerable<ModuleRef> RuntimeModuleRefs {
+			get {
+				if (runtimeModule1 != null)
+					yield return runtimeModule1;
+				if (runtimeModule2 != null)
+					yield return runtimeModule2;
+			}
+		}
+
 		public bool Detected {
 			get { return mcType != null; }
 		}
@@ -80,9 +90,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
 					continue;
 
-				ModuleRef module1, module2;
 				bool isOldTmp;
-				if (!CheckType(method.DeclaringType, out module1, out module2, out isOldTmp))
+				if (!CheckType(method.DeclaringType, out runtimeModule1, out runtimeModule2, out isOldTmp))
 					continue;
 
 				mcType = method.DeclaringType;
diff --git a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
index b3151eeb..179aca66 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
@@ -21,15 +21,19 @@ using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Text;
+using dnlib.DotNet;
 using dnlib.IO;
+using dnlib.PE;
 using de4dot.blocks;
 
 namespace de4dot.code.deobfuscators.MaxtoCode {
 	// Decrypts methods, resources and strings (#US heap)
 	class MethodsDecrypter {
+		ModuleDef module;
 		DecrypterInfo decrypterInfo;
 
 		class MethodInfos {
+			ModuleDef module;
 			MainType mainType;
 			MyPEImage peImage;
 			PeHeader peHeader;
@@ -43,16 +47,6 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 			const int ENCRYPTED_DATA_INFO_SIZE = 0x13;
 
 			delegate byte[] DecryptFunc(byte[] encrypted);
-			readonly DecryptFunc[] decryptHandlersV1a;
-			readonly DecryptFunc[] decryptHandlersV1b;
-			readonly DecryptFunc[] decryptHandlersV2;
-			readonly DecryptFunc[] decryptHandlersV3;
-			readonly DecryptFunc[] decryptHandlersV4;
-			readonly DecryptFunc[] decryptHandlersV5a;
-			readonly DecryptFunc[] decryptHandlersV5b;
-			readonly DecryptFunc[] decryptHandlersV5c;
-			readonly DecryptFunc[] decryptHandlersV6;
-			readonly DecryptFunc[] decryptHandlersV7;
 
 			public class DecryptedMethodInfo {
 				public uint bodyRva;
@@ -64,23 +58,13 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				}
 			}
 
-			public MethodInfos(MainType mainType, MyPEImage peImage, PeHeader peHeader, McKey mcKey) {
+			public MethodInfos(ModuleDef module, MainType mainType, MyPEImage peImage, PeHeader peHeader, McKey mcKey) {
+				this.module = module;
 				this.mainType = mainType;
 				this.peImage = peImage;
 				this.peHeader = peHeader;
 				this.mcKey = mcKey;
 
-				decryptHandlersV1a = new DecryptFunc[] { Decrypt1_v1, Decrypt4_v1, Decrypt2_v1, Decrypt3_v1, Decrypt5, Decrypt6, Decrypt7 };
-				decryptHandlersV1b = new DecryptFunc[] { Decrypt4_v1, Decrypt1_v1, Decrypt2_v1, Decrypt3_v1, Decrypt5, Decrypt6, Decrypt7 };
-				decryptHandlersV2 = new DecryptFunc[] { Decrypt3_v1, Decrypt2_v1, Decrypt1_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 };
-				decryptHandlersV3 = new DecryptFunc[] { Decrypt1_v1, Decrypt2_v1, Decrypt3_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 };
-				decryptHandlersV4 = new DecryptFunc[] { Decrypt2_v1, Decrypt1_v1, Decrypt3_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 };
-				decryptHandlersV5a = new DecryptFunc[] { Decrypt4_v1, Decrypt2_v1, Decrypt3_v1, Decrypt1_v1, Decrypt5, Decrypt6, Decrypt7 };
-				decryptHandlersV5b = new DecryptFunc[] { Decrypt4_v2, Decrypt2_v2, Decrypt3_v2, Decrypt1_v2, Decrypt6, Decrypt7, Decrypt5 };
-				decryptHandlersV5c = new DecryptFunc[] { Decrypt4_v3, Decrypt2_v3, Decrypt3_v3, Decrypt1_v3, Decrypt6, Decrypt7, Decrypt5 };
-				decryptHandlersV6 = new DecryptFunc[] { Decrypt4_v4, Decrypt2_v4, Decrypt3_v4, Decrypt1_v4, Decrypt6, Decrypt7, Decrypt5 };
-				decryptHandlersV7 = new DecryptFunc[] { Decrypt4_v5, Decrypt2_v5, Decrypt3_v5, Decrypt1_v5, Decrypt6, Decrypt8_v5, Decrypt9_v5, Decrypt7, Decrypt5 };
-
 				structSize = GetStructSize(mcKey);
 
 				uint methodInfosRva = peHeader.GetRva(0x0FF8, mcKey.ReadUInt32(0x005A));
@@ -152,13 +136,20 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 
 			interface IDecrypter {
 				byte[] Decrypt(int type, byte[] encrypted);
+				bool HasTimeStamp(uint timeStamp);
 			}
 
 			class Decrypter : IDecrypter {
 				DecryptFunc[] decrypterHandlers;
+				uint[] timeStamps;
 
-				public Decrypter(DecryptFunc[] decrypterHandlers) {
+				public Decrypter(DecryptFunc[] decrypterHandlers)
+					: this(decrypterHandlers, null) {
+				}
+
+				public Decrypter(DecryptFunc[] decrypterHandlers, uint[] timeStamps) {
 					this.decrypterHandlers = decrypterHandlers;
+					this.timeStamps = timeStamps ?? new uint[0];
 				}
 
 				public byte[] Decrypt(int type, byte[] encrypted) {
@@ -166,27 +157,42 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 						return decrypterHandlers[type - 1](encrypted);
 					throw new ApplicationException(string.Format("Invalid encryption type: {0:X2}", type));
 				}
+
+				public bool HasTimeStamp(uint timeStamp) {
+					foreach (var ts in timeStamps) {
+						if (timeStamp == ts)
+							return true;
+					}
+					return false;
+				}
 			}
 
 			void InitializeDecrypter() {
 				switch (GetVersion()) {
 				case EncryptionVersion.V1:
-					decrypters.Add(new Decrypter(decryptHandlersV1a));
-					decrypters.Add(new Decrypter(decryptHandlersV1b));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v1, Decrypt4_v1, Decrypt2_v1, Decrypt3_v1, Decrypt5, Decrypt6, Decrypt7 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v1, Decrypt1_v1, Decrypt2_v1, Decrypt3_v1, Decrypt5, Decrypt6, Decrypt7 }));
 					break;
 
-				case EncryptionVersion.V2: decrypters.Add(new Decrypter(decryptHandlersV2)); break;
-				case EncryptionVersion.V3: decrypters.Add(new Decrypter(decryptHandlersV3)); break;
-				case EncryptionVersion.V4: decrypters.Add(new Decrypter(decryptHandlersV4)); break;
+				case EncryptionVersion.V2: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v1, Decrypt2_v1, Decrypt1_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 })); break;
+				case EncryptionVersion.V3: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v1, Decrypt2_v1, Decrypt3_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 })); break;
+				case EncryptionVersion.V4: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt2_v1, Decrypt1_v1, Decrypt3_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 })); break;
 
 				case EncryptionVersion.V5:
-					decrypters.Add(new Decrypter(decryptHandlersV5a));
-					decrypters.Add(new Decrypter(decryptHandlersV5b));
-					decrypters.Add(new Decrypter(decryptHandlersV5c));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v1, Decrypt2_v1, Decrypt3_v1, Decrypt1_v1, Decrypt5, Decrypt6, Decrypt7 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v2, Decrypt2_v2, Decrypt3_v2, Decrypt1_v2, Decrypt6, Decrypt7, Decrypt5 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v3, Decrypt2_v3, Decrypt3_v3, Decrypt1_v3, Decrypt6, Decrypt7, Decrypt5 }));
 					break;
 
-				case EncryptionVersion.V6: decrypters.Add(new Decrypter(decryptHandlersV6)); break;
-				case EncryptionVersion.V7: decrypters.Add(new Decrypter(decryptHandlersV7)); break;
+				case EncryptionVersion.V6: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v4, Decrypt2_v4, Decrypt3_v4, Decrypt1_v4, Decrypt6, Decrypt7, Decrypt5 })); break;
+				case EncryptionVersion.V7: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v5, Decrypt3_v5, Decrypt1_v5, Decrypt6, Decrypt8_v5, Decrypt9_v5, Decrypt7, Decrypt5 })); break;
+
+				case EncryptionVersion.V8:
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v6, Decrypt2_v2, Decrypt3_v6, Decrypt1_v6, Decrypt6, Decrypt8_v6, Decrypt9_v6, Decrypt7, Decrypt10, Decrypt5 }, new uint[] { 0x5166DB4F, 0x51927495 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v7, Decrypt9_v7, Decrypt7, Decrypt5 }, new uint[] { 0x51413D68 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v8, Decrypt9_v8, Decrypt7, Decrypt5 }, new uint[] { 0x513D7124, 0x51413BD8 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v2, Decrypt3_v6, Decrypt1_v9, Decrypt6, Decrypt8_v8, Decrypt9_v9, Decrypt7, Decrypt5 }, new uint[] { 0x513D4492 }));
+					break;
 
 				case EncryptionVersion.Unknown:
 				default:
@@ -200,7 +206,55 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 					throw new ApplicationException("Could not decrypt methods");
 			}
 
+			uint GetRuntimeTimeStamp() {
+				string path = module.Location;
+				if (string.IsNullOrEmpty(path))
+					return 0;
+
+				try {
+					var rtNames = new List<string>();
+					foreach (var rtModRef in mainType.RuntimeModuleRefs) {
+						string dllName = rtModRef.Name;
+						if (!dllName.ToUpperInvariant().EndsWith(".DLL"))
+							dllName += ".dll";
+						rtNames.Add(dllName);
+					}
+					if (rtNames.Count == 0)
+						return 0;
+
+					for (var di = new DirectoryInfo(Path.GetDirectoryName(path)); di != null; di = di.Parent) {
+						foreach (var dllName in rtNames) {
+							try {
+								using (var peImage = new PEImage(Path.Combine(di.FullName, dllName))) {
+									if (peImage.ImageNTHeaders.FileHeader.Machine == Machine.I386)
+										return peImage.ImageNTHeaders.FileHeader.TimeDateStamp;
+								}
+							}
+							catch {
+							}
+						}
+					}
+				}
+				catch {
+				}
+
+				return 0;
+			}
+
 			bool InitializeInfos2() {
+				if (decrypters.Count > 1) {
+					uint rtTimeStamp = GetRuntimeTimeStamp();
+					var decrypter = GetCorrectDecrypter(rtTimeStamp);
+					if (decrypter != null) {
+						try {
+							if (InitializeInfos2(decrypter))
+								return true;
+						}
+						catch {
+						}
+					}
+				}
+
 				foreach (var decrypter in decrypters) {
 					try {
 						if (InitializeInfos2(decrypter))
@@ -212,6 +266,14 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				return false;
 			}
 
+			IDecrypter GetCorrectDecrypter(uint timeStamp) {
+				foreach (var decrypter in decrypters) {
+					if (decrypter.HasTimeStamp(timeStamp))
+						return decrypter;
+				}
+				return null;
+			}
+
 			bool InitializeInfos2(IDecrypter decrypter) {
 				int numMethods = ReadInt32(0) ^ ReadInt32(4);
 				if (numMethods < 0)
@@ -313,6 +375,18 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				return Decrypt1(encrypted, 9, 9, 0x500);
 			}
 
+			byte[] Decrypt1_v6(byte[] encrypted) {
+				return Decrypt1(encrypted, 0x27, 0x27, 0x100);
+			}
+
+			byte[] Decrypt1_v7(byte[] encrypted) {
+				return Decrypt1(encrypted, 0x1D, 0x1D, 0x400);
+			}
+
+			byte[] Decrypt1_v9(byte[] encrypted) {
+				return Decrypt1(encrypted, 9, 0x13, 0x400);
+			}
+
 			byte[] Decrypt1(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 				var decrypted = new byte[encrypted.Length];
 				for (int i = 0, ki = keyStart; i < decrypted.Length; i++) {
@@ -386,6 +460,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				return Decrypt3(encrypted, 0x015E + 7);
 			}
 
+			byte[] Decrypt3_v6(byte[] encrypted) {
+				return Decrypt3(encrypted, 0x015E + 0x7F);
+			}
+
 			static readonly byte[] decrypt3Shifts = new byte[16] { 5, 11, 14, 21, 6, 20, 17, 29, 4, 10, 3, 2, 7, 1, 26, 18 };
 			byte[] Decrypt3(byte[] encrypted, int offset) {
 				if ((encrypted.Length & 7) != 0)
@@ -435,6 +513,14 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				return Decrypt4(encrypted, 0x15, 0x15, 0x100);
 			}
 
+			byte[] Decrypt4_v6(byte[] encrypted) {
+				return Decrypt4(encrypted, 0x63, 0x63, 0x150);
+			}
+
+			byte[] Decrypt4_v7(byte[] encrypted) {
+				return Decrypt4(encrypted, 0x0B, 0x0B, 0x100);
+			}
+
 			byte[] Decrypt4(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 				var decrypted = new byte[encrypted.Length / 3 * 2 + 1];
 
@@ -476,6 +562,18 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				return Decrypt8(encrypted, 7, 7, 0x600);
 			}
 
+			byte[] Decrypt8_v6(byte[] encrypted) {
+				return Decrypt8(encrypted, 0x1B, 0x1B, 0x100);
+			}
+
+			byte[] Decrypt8_v7(byte[] encrypted) {
+				return Decrypt8(encrypted, 0x0D, 0x0D, 0x600);
+			}
+
+			byte[] Decrypt8_v8(byte[] encrypted) {
+				return Decrypt8(encrypted, 0x11, 0x11, 0x600);
+			}
+
 			byte[] Decrypt8(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 				var decrypted = new byte[encrypted.Length];
 				int ki = keyStart;
@@ -493,6 +591,22 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				return Decrypt9(encrypted, 0x11, 0x11, 0x610);
 			}
 
+			byte[] Decrypt9_v6(byte[] encrypted) {
+				return Decrypt9(encrypted, 0x2E, 0x2E, 0x310);
+			}
+
+			byte[] Decrypt9_v7(byte[] encrypted) {
+				return Decrypt9(encrypted, 0x28, 0x28, 0x510);
+			}
+
+			byte[] Decrypt9_v8(byte[] encrypted) {
+				return Decrypt9(encrypted, 0x2C, 0x2C, 0x510);
+			}
+
+			byte[] Decrypt9_v9(byte[] encrypted) {
+				return Decrypt9(encrypted, 0x10, 0x10, 0x510);
+			}
+
 			byte[] Decrypt9(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 				var decrypted = new byte[encrypted.Length];
 				int ki = keyStart;
@@ -527,6 +641,31 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				return decrypted;
 			}
 
+			byte[] Decrypt10(byte[] encrypted) {
+				byte[] enc = (byte[])encrypted.Clone();
+				byte[] dest = new byte[enc.Length];
+				int halfSize = enc.Length / 2;
+
+				byte b = enc[0];
+				b ^= 0xA1;
+				dest[0] = b;
+
+				b = enc[enc.Length - 1];
+				b ^= 0x1A;
+				dest[enc.Length - 1] = b;
+
+				enc[0] = dest[0];
+				enc[enc.Length - 1] = b;
+
+				for (int i = 1; i < halfSize; i++)
+					dest[i] = (byte)(enc[i] ^ dest[i - 1]);
+
+				for (int i = enc.Length - 2; i >= halfSize; i--)
+					dest[i] = (byte)(enc[i] ^ dest[i + 1]);
+
+				return dest;
+			}
+
 			byte[] blowfishKey;
 			byte[] GetBlowfishKey() {
 				if (blowfishKey != null)
@@ -546,7 +685,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 			}
 		}
 
-		public MethodsDecrypter(DecrypterInfo decrypterInfo) {
+		public MethodsDecrypter(ModuleDef module, DecrypterInfo decrypterInfo) {
+			this.module = module;
 			this.decrypterInfo = decrypterInfo;
 		}
 
@@ -565,7 +705,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 			var dumpedMethods = new DumpedMethods();
 
 			var peImage = decrypterInfo.peImage;
-			var methodInfos = new MethodInfos(decrypterInfo.mainType, peImage, decrypterInfo.peHeader, decrypterInfo.mcKey);
+			var methodInfos = new MethodInfos(module, decrypterInfo.mainType, peImage, decrypterInfo.peHeader, decrypterInfo.mcKey);
 			methodInfos.InitializeInfos();
 
 			var methodDef = peImage.DotNetFile.MetaData.TablesStream.MethodTable;
diff --git a/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs b/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs
index b5109c75..2922361f 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs
@@ -30,6 +30,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 		V5,
 		V6,
 		V7,
+		V8,
 	}
 
 	class PeHeader {
@@ -44,6 +45,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 		public PeHeader(MainType mainType, MyPEImage peImage) {
 			uint headerOffset;
 			version = GetHeaderOffsetAndVersion(peImage, out headerOffset);
+			headerData = peImage.OffsetReadBytes(headerOffset, 0x1000);
 
 			switch (version) {
 			case EncryptionVersion.V1:
@@ -62,9 +64,20 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 			case EncryptionVersion.V7:
 				xorKey = 0x8ABA931;
 				break;
-			}
 
-			headerData = peImage.OffsetReadBytes(headerOffset, 0x1000);
+			case EncryptionVersion.V8:
+				if (CheckMcKeyRva(peImage, 0x99BA9A13))
+					break;
+				if (CheckMcKeyRva(peImage, 0x18ABA931))
+					break;
+				break;
+			}
+		}
+
+		bool CheckMcKeyRva(MyPEImage peImage, uint newXorKey) {
+			xorKey = newXorKey;
+			uint rva = GetMcKeyRva();
+			return (rva & 0xFFF) == 0 && peImage.FindSection((RVA)rva) != null;
 		}
 
 		public uint GetMcKeyRva() {

From 8808c049f1aced1699ec1326b96d91d76358beab Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Mon, 21 Oct 2013 07:19:39 +0200
Subject: [PATCH 27/58] Clear old data if we re-try decryption

---
 de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
index 179aca66..ea296afc 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
@@ -284,6 +284,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				var encryptedDataInfos = new byte[numEncryptedDataInfos][];
 
 				uint offset = 8;
+				infos.Clear();
 				for (int i = 0; i < numMethods; i++, offset += structSize) {
 					uint methodBodyRva = ReadEncryptedUInt32(offset);
 					uint totalSize = ReadEncryptedUInt32(offset + 4);

From 730505fd4f573ef12fa018f567fe3884afea1645 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Mon, 21 Oct 2013 07:29:20 +0200
Subject: [PATCH 28/58] Write a message if decryption probably failed

---
 .../deobfuscators/MaxtoCode/MethodsDecrypter.cs  | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
index ea296afc..27cfb8b8 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
@@ -255,15 +255,25 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 					}
 				}
 
+				Dictionary<uint, DecryptedMethodInfo> savedInfos = null;
 				foreach (var decrypter in decrypters) {
 					try {
-						if (InitializeInfos2(decrypter))
-							return true;
+						if (InitializeInfos2(decrypter)) {
+							if (savedInfos != null) {
+								Logger.w("Decryption probably failed. Make sure the correct MaxtoCode runtime file is present.");
+								break;
+							}
+							savedInfos = infos;
+							infos = new Dictionary<uint, DecryptedMethodInfo>();
+						}
 					}
 					catch {
 					}
 				}
-				return false;
+				if (savedInfos == null)
+					return false;
+				infos = savedInfos;
+				return true;
 			}
 
 			IDecrypter GetCorrectDecrypter(uint timeStamp) {

From 293de3c36104bf3a315c48d0c74fae6f101c1ed8 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Mon, 21 Oct 2013 17:19:08 +0200
Subject: [PATCH 29/58] Add updated dnlib

---
 dnlib | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dnlib b/dnlib
index 236585fb..819ef389 160000
--- a/dnlib
+++ b/dnlib
@@ -1 +1 @@
-Subproject commit 236585fbdf5693f3e4ee92a858bbf70e9657a386
+Subproject commit 819ef3890267f7bec108346def38a87ddfcbd9a1

From b004db1aedb8288d491cb035414ba547eaf94792 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 25 Oct 2013 21:44:50 +0200
Subject: [PATCH 30/58] Add StackTracePatcher class

---
 de4dot.blocks/StackTracePatcher.cs | 95 ++++++++++++++++++++++++++++++
 de4dot.blocks/de4dot.blocks.csproj |  1 +
 2 files changed, 96 insertions(+)
 create mode 100644 de4dot.blocks/StackTracePatcher.cs

diff --git a/de4dot.blocks/StackTracePatcher.cs b/de4dot.blocks/StackTracePatcher.cs
new file mode 100644
index 00000000..e97432f0
--- /dev/null
+++ b/de4dot.blocks/StackTracePatcher.cs
@@ -0,0 +1,95 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Reflection;
+using System.Diagnostics;
+
+namespace de4dot.blocks {
+	public class StackTracePatcher {
+		static readonly FieldInfo methodField;
+		static readonly FieldInfo framesField;
+		static readonly FieldInfo iMethodsToSkip;
+
+		static StackTracePatcher() {
+			methodField = GetStackFrameMethodField();
+			framesField = GetStackTraceStackFramesField();
+			iMethodsToSkip = GetMethodsToSkip();
+		}
+
+		static FieldInfo GetStackFrameMethodField() {
+			var flags = BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance;
+			return GetFieldThrow(typeof(StackFrame), typeof(MethodBase), flags, "Could not find StackFrame's method (MethodBase) field");
+		}
+
+		static FieldInfo GetStackTraceStackFramesField() {
+			var flags = BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance;
+			return GetFieldThrow(typeof(StackTrace), typeof(StackFrame[]), flags, "Could not find StackTrace's frames (StackFrame[]) field");
+		}
+
+		static FieldInfo GetMethodsToSkip() {
+			var flags = BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance;
+			return GetFieldThrow(typeof(StackTrace), "m_iMethodsToSkip", flags, "Could not find StackTrace's iMethodsToSkip field");
+		}
+
+		static FieldInfo GetFieldThrow(Type type, Type fieldType, BindingFlags flags, string msg) {
+			var info = GetField(type, fieldType, flags);
+			if (info != null)
+				return info;
+			throw new ApplicationException(msg);
+		}
+
+		static FieldInfo GetField(Type type, Type fieldType, BindingFlags flags) {
+			foreach (var field in type.GetFields(flags)) {
+				if (field.FieldType == fieldType)
+					return field;
+			}
+			return null;
+		}
+
+		static FieldInfo GetFieldThrow(Type type, string fieldName, BindingFlags flags, string msg) {
+			var info = GetField(type, fieldName, flags);
+			if (info != null)
+				return info;
+			throw new ApplicationException(msg);
+		}
+
+		static FieldInfo GetField(Type type, string fieldName, BindingFlags flags) {
+			foreach (var field in type.GetFields(flags)) {
+				if (field.Name == fieldName)
+					return field;
+			}
+			return null;
+		}
+
+		public static StackTrace WriteStackFrame(StackTrace stackTrace, int frameNo, MethodBase newMethod) {
+			var framesField = GetStackTraceStackFramesField();
+			var frames = (StackFrame[])framesField.GetValue(stackTrace);
+			int numFramesToSkip = (int)iMethodsToSkip.GetValue(stackTrace);
+			WriteMethodBase(frames[numFramesToSkip + frameNo], newMethod);
+			return stackTrace;
+		}
+
+		static void WriteMethodBase(StackFrame frame, MethodBase method) {
+			methodField.SetValue(frame, method);
+			if (frame.GetMethod() != method)
+				throw new ApplicationException(string.Format("Could not set new method: {0}", method));
+		}
+	}
+}
diff --git a/de4dot.blocks/de4dot.blocks.csproj b/de4dot.blocks/de4dot.blocks.csproj
index ce78064d..677d22f4 100644
--- a/de4dot.blocks/de4dot.blocks.csproj
+++ b/de4dot.blocks/de4dot.blocks.csproj
@@ -76,6 +76,7 @@
     <Compile Include="MethodBlocks.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="ScopeBlock.cs" />
+    <Compile Include="StackTracePatcher.cs" />
     <Compile Include="TryBlock.cs" />
     <Compile Include="TryHandlerBlock.cs" />
     <Compile Include="Utils.cs" />

From 1d6a71221a9e41ce11a7f6ee62a0d58a06d757b6 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 25 Oct 2013 21:45:07 +0200
Subject: [PATCH 31/58] Fix name of method

---
 AssemblyData/methodsrewriter/MethodsRewriter.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/AssemblyData/methodsrewriter/MethodsRewriter.cs b/AssemblyData/methodsrewriter/MethodsRewriter.cs
index 117128ff..c37a9ae7 100644
--- a/AssemblyData/methodsrewriter/MethodsRewriter.cs
+++ b/AssemblyData/methodsrewriter/MethodsRewriter.cs
@@ -338,7 +338,7 @@ namespace AssemblyData.methodsrewriter {
 			return list;
 		}
 
-		static FieldInfo GgetStackTraceStackFramesField() {
+		static FieldInfo GetStackTraceStackFramesField() {
 			var flags = BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance;
 			return ResolverUtils.GetFieldThrow(typeof(StackTrace), typeof(StackFrame[]), flags, "Could not find StackTrace's frames (StackFrame[]) field");
 		}
@@ -367,7 +367,7 @@ namespace AssemblyData.methodsrewriter {
 		}
 
 		StackTrace RtFixStackTrace(StackTrace stackTrace) {
-			var framesField = GgetStackTraceStackFramesField();
+			var framesField = GetStackTraceStackFramesField();
 			var frames = (StackFrame[])framesField.GetValue(stackTrace);
 
 			var newFrames = new List<StackFrame>(frames.Length);

From 9ede6f669eaa3189f51196dcd900ec9dfd1c0bf9 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 25 Oct 2013 21:45:34 +0200
Subject: [PATCH 32/58] Add a generic service

---
 AssemblyData/AssemblyData.csproj              |  3 +
 AssemblyData/AssemblyService.cs               |  8 ++-
 AssemblyData/GenericService.cs                | 69 +++++++++++++++++++
 AssemblyData/IAssemblyService.cs              |  1 +
 AssemblyData/IGenericService.cs               | 31 +++++++++
 AssemblyData/IUserGenericService.cs           | 28 ++++++++
 de4dot.code/AssemblyClient/AssemblyClient.cs  |  4 ++
 de4dot.code/AssemblyClient/IAssemblyClient.cs |  1 +
 8 files changed, 144 insertions(+), 1 deletion(-)
 create mode 100644 AssemblyData/GenericService.cs
 create mode 100644 AssemblyData/IGenericService.cs
 create mode 100644 AssemblyData/IUserGenericService.cs

diff --git a/AssemblyData/AssemblyData.csproj b/AssemblyData/AssemblyData.csproj
index 552ed0ef..f34df5c0 100644
--- a/AssemblyData/AssemblyData.csproj
+++ b/AssemblyData/AssemblyData.csproj
@@ -41,10 +41,13 @@
     <Compile Include="AssemblyService.cs" />
     <Compile Include="DelegateStringDecrypter.cs" />
     <Compile Include="EmuStringDecrypter.cs" />
+    <Compile Include="GenericService.cs" />
     <Compile Include="IAssemblyService.cs" />
+    <Compile Include="IGenericService.cs" />
     <Compile Include="IMethodDecrypterService.cs" />
     <Compile Include="IStringDecrypter.cs" />
     <Compile Include="IStringDecrypterService.cs" />
+    <Compile Include="IUserGenericService.cs" />
     <Compile Include="MethodDecrypterService.cs" />
     <Compile Include="methodsrewriter\AssemblyResolver.cs" />
     <Compile Include="methodsrewriter\CodeGenerator.cs" />
diff --git a/AssemblyData/AssemblyService.cs b/AssemblyData/AssemblyService.cs
index d272deeb..74798b51 100644
--- a/AssemblyData/AssemblyService.cs
+++ b/AssemblyData/AssemblyService.cs
@@ -35,6 +35,9 @@ namespace AssemblyData {
 			case AssemblyServiceType.MethodDecrypter:
 				return new MethodDecrypterService();
 
+			case AssemblyServiceType.Generic:
+				return new GenericService();
+
 			default:
 				throw new ArgumentException("Invalid assembly service type");
 			}
@@ -48,6 +51,9 @@ namespace AssemblyData {
 			case AssemblyServiceType.MethodDecrypter:
 				return typeof(MethodDecrypterService);
 
+			case AssemblyServiceType.Generic:
+				return typeof(GenericService);
+
 			default:
 				throw new ArgumentException("Invalid assembly service type");
 			}
@@ -56,7 +62,7 @@ namespace AssemblyData {
 		public void DoNothing() {
 		}
 
-		public void Exit() {
+		public virtual void Exit() {
 			exitEvent.Set();
 		}
 
diff --git a/AssemblyData/GenericService.cs b/AssemblyData/GenericService.cs
new file mode 100644
index 00000000..16e8ad2e
--- /dev/null
+++ b/AssemblyData/GenericService.cs
@@ -0,0 +1,69 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Reflection;
+
+namespace AssemblyData {
+	class GenericService : AssemblyService, IGenericService {
+		Assembly userServiceAssembly;
+		IUserGenericService userGenericService;
+
+		public override void Exit() {
+			if (userGenericService != null)
+				userGenericService.Dispose();
+			userGenericService = null;
+			base.Exit();
+		}
+
+		public void LoadUserService(string asmPath, Type createServiceType, object createMethodArgs) {
+			userServiceAssembly = Assembly.LoadFile(asmPath);
+			var createServiceMethod = GetCreateUserServiceMethod(createServiceType);
+			userGenericService = createServiceMethod.Invoke(null, null) as IUserGenericService;
+			if (userGenericService == null)
+				throw new ApplicationException("create-service-method failed to create user service");
+		}
+
+		MethodInfo GetCreateUserServiceMethod(Type createServiceType) {
+			if (createServiceType == null)
+				throw new ApplicationException(string.Format("Create-service-type is null"));
+			foreach (var method in createServiceType.GetMethods(BindingFlags.DeclaredOnly | BindingFlags.Static | BindingFlags.Public | BindingFlags.NonPublic)) {
+				if (method.GetCustomAttributes(typeof(CreateUserGenericServiceAttribute), false).Length > 0)
+					return method;
+			}
+			throw new ApplicationException(string.Format("Failed to find create-service-method. Type token: Type: {0}", createServiceType));
+		}
+
+		void CheckUserService() {
+			if (userGenericService == null)
+				throw new ApplicationException("LoadUserService() hasn't been called yet.");
+		}
+
+		public void LoadAssembly(string filename) {
+			CheckUserService();
+			LoadAssemblyInternal(filename);
+			userGenericService.AssemblyLoaded(assembly);
+		}
+
+		public object SendMessage(int msg, object[] args) {
+			CheckUserService();
+			return userGenericService.HandleMessage(msg, args);
+		}
+	}
+}
diff --git a/AssemblyData/IAssemblyService.cs b/AssemblyData/IAssemblyService.cs
index 3a0dc700..b0e1da67 100644
--- a/AssemblyData/IAssemblyService.cs
+++ b/AssemblyData/IAssemblyService.cs
@@ -21,6 +21,7 @@ namespace AssemblyData {
 	public enum AssemblyServiceType {
 		StringDecrypter,
 		MethodDecrypter,
+		Generic,
 	}
 
 	public interface IAssemblyService {
diff --git a/AssemblyData/IGenericService.cs b/AssemblyData/IGenericService.cs
new file mode 100644
index 00000000..017f9c28
--- /dev/null
+++ b/AssemblyData/IGenericService.cs
@@ -0,0 +1,31 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+
+namespace AssemblyData {
+	public class CreateUserGenericServiceAttribute : Attribute {
+	}
+
+	public interface IGenericService : IAssemblyService {
+		void LoadUserService(string asmPath, Type createServiceType, object createMethodArgs);
+		void LoadAssembly(string filename);
+		object SendMessage(int msg, object[] args);
+	}
+}
diff --git a/AssemblyData/IUserGenericService.cs b/AssemblyData/IUserGenericService.cs
new file mode 100644
index 00000000..635ae7f6
--- /dev/null
+++ b/AssemblyData/IUserGenericService.cs
@@ -0,0 +1,28 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Reflection;
+
+namespace AssemblyData {
+	public interface IUserGenericService : IDisposable {
+		void AssemblyLoaded(Assembly assembly);
+		object HandleMessage(int msg, object[] args);
+	}
+}
diff --git a/de4dot.code/AssemblyClient/AssemblyClient.cs b/de4dot.code/AssemblyClient/AssemblyClient.cs
index 1693a269..b6a01103 100644
--- a/de4dot.code/AssemblyClient/AssemblyClient.cs
+++ b/de4dot.code/AssemblyClient/AssemblyClient.cs
@@ -43,6 +43,10 @@ namespace de4dot.code.AssemblyClient {
 			get { return (IMethodDecrypterService)service; }
 		}
 
+		public IGenericService GenericService {
+			get { return (IGenericService)service; }
+		}
+
 		public AssemblyClient(IAssemblyServerLoader loader) {
 			this.loader = loader;
 		}
diff --git a/de4dot.code/AssemblyClient/IAssemblyClient.cs b/de4dot.code/AssemblyClient/IAssemblyClient.cs
index 8477806c..1b7a2547 100644
--- a/de4dot.code/AssemblyClient/IAssemblyClient.cs
+++ b/de4dot.code/AssemblyClient/IAssemblyClient.cs
@@ -25,6 +25,7 @@ namespace de4dot.code.AssemblyClient {
 		IAssemblyService Service { get; }
 		IStringDecrypterService StringDecrypterService { get; }
 		IMethodDecrypterService MethodDecrypterService { get; }
+		IGenericService GenericService { get; }
 		void Connect();
 		void WaitConnected();
 	}

From 45c8d3ed89291610df288e0c3495d1084efcc79f Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 25 Oct 2013 21:46:05 +0200
Subject: [PATCH 33/58] Add HandleProcessCorruptedStateExceptionsAttribute

---
 ...rocessCorruptedStateExceptionsAttribute.cs | 24 +++++++++++++++++++
 de4dot.code/de4dot.code.csproj                |  1 +
 2 files changed, 25 insertions(+)
 create mode 100644 de4dot.code/HandleProcessCorruptedStateExceptionsAttribute.cs

diff --git a/de4dot.code/HandleProcessCorruptedStateExceptionsAttribute.cs b/de4dot.code/HandleProcessCorruptedStateExceptionsAttribute.cs
new file mode 100644
index 00000000..35fa3230
--- /dev/null
+++ b/de4dot.code/HandleProcessCorruptedStateExceptionsAttribute.cs
@@ -0,0 +1,24 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+namespace System.Runtime.ExceptionServices {
+	[AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = false)]
+	class HandleProcessCorruptedStateExceptionsAttribute : Attribute {
+	}
+}
diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 55c6a658..3d11949b 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -271,6 +271,7 @@
     <Compile Include="deobfuscators\Xenocode\Deobfuscator.cs" />
     <Compile Include="deobfuscators\Xenocode\StringDecrypter.cs" />
     <Compile Include="DumpedMethodsRestorer.cs" />
+    <Compile Include="HandleProcessCorruptedStateExceptionsAttribute.cs" />
     <Compile Include="IDeobfuscatorContext.cs" />
     <Compile Include="IObfuscatedFile.cs" />
     <Compile Include="Logger.cs" />

From c956e0fc2e351bcc6ed9ccb23fe5ba70dedac1cc Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 25 Oct 2013 21:46:24 +0200
Subject: [PATCH 34/58] Allow "non-safe" code

---
 de4dot.code/de4dot.code.csproj | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 3d11949b..7c946ab2 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -24,6 +24,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <PlatformTarget>AnyCPU</PlatformTarget>
@@ -34,6 +35,7 @@
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
   <PropertyGroup>
     <StartupObject />

From d53e321b9912c901a827364fd7c50e6afefa5dd1 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 25 Oct 2013 22:08:52 +0200
Subject: [PATCH 35/58] Rename field and method

---
 de4dot.blocks/StackTracePatcher.cs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/de4dot.blocks/StackTracePatcher.cs b/de4dot.blocks/StackTracePatcher.cs
index e97432f0..a5acce88 100644
--- a/de4dot.blocks/StackTracePatcher.cs
+++ b/de4dot.blocks/StackTracePatcher.cs
@@ -25,12 +25,12 @@ namespace de4dot.blocks {
 	public class StackTracePatcher {
 		static readonly FieldInfo methodField;
 		static readonly FieldInfo framesField;
-		static readonly FieldInfo iMethodsToSkip;
+		static readonly FieldInfo methodsToSkipField;
 
 		static StackTracePatcher() {
 			methodField = GetStackFrameMethodField();
 			framesField = GetStackTraceStackFramesField();
-			iMethodsToSkip = GetMethodsToSkip();
+			methodsToSkipField = GetMethodsToSkipField();
 		}
 
 		static FieldInfo GetStackFrameMethodField() {
@@ -43,7 +43,7 @@ namespace de4dot.blocks {
 			return GetFieldThrow(typeof(StackTrace), typeof(StackFrame[]), flags, "Could not find StackTrace's frames (StackFrame[]) field");
 		}
 
-		static FieldInfo GetMethodsToSkip() {
+		static FieldInfo GetMethodsToSkipField() {
 			var flags = BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance;
 			return GetFieldThrow(typeof(StackTrace), "m_iMethodsToSkip", flags, "Could not find StackTrace's iMethodsToSkip field");
 		}
@@ -81,7 +81,7 @@ namespace de4dot.blocks {
 		public static StackTrace WriteStackFrame(StackTrace stackTrace, int frameNo, MethodBase newMethod) {
 			var framesField = GetStackTraceStackFramesField();
 			var frames = (StackFrame[])framesField.GetValue(stackTrace);
-			int numFramesToSkip = (int)iMethodsToSkip.GetValue(stackTrace);
+			int numFramesToSkip = (int)methodsToSkipField.GetValue(stackTrace);
 			WriteMethodBase(frames[numFramesToSkip + frameNo], newMethod);
 			return stackTrace;
 		}

From 22ffec3e1c495132c125a18eefccca61ed99fc4e Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 26 Oct 2013 00:26:23 +0200
Subject: [PATCH 36/58] Remove call since value is cached

---
 de4dot.blocks/StackTracePatcher.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/de4dot.blocks/StackTracePatcher.cs b/de4dot.blocks/StackTracePatcher.cs
index a5acce88..1d4334f7 100644
--- a/de4dot.blocks/StackTracePatcher.cs
+++ b/de4dot.blocks/StackTracePatcher.cs
@@ -79,7 +79,6 @@ namespace de4dot.blocks {
 		}
 
 		public static StackTrace WriteStackFrame(StackTrace stackTrace, int frameNo, MethodBase newMethod) {
-			var framesField = GetStackTraceStackFramesField();
 			var frames = (StackFrame[])framesField.GetValue(stackTrace);
 			int numFramesToSkip = (int)methodsToSkipField.GetValue(stackTrace);
 			WriteMethodBase(frames[numFramesToSkip + frameNo], newMethod);

From 83e3cc0f573ff26422d293f9cf8cd0ae96ea207e Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 26 Oct 2013 00:29:38 +0200
Subject: [PATCH 37/58] Remove unused assembly field

---
 AssemblyData/GenericService.cs  | 4 +---
 AssemblyData/IGenericService.cs | 2 +-
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/AssemblyData/GenericService.cs b/AssemblyData/GenericService.cs
index 16e8ad2e..a214f024 100644
--- a/AssemblyData/GenericService.cs
+++ b/AssemblyData/GenericService.cs
@@ -22,7 +22,6 @@ using System.Reflection;
 
 namespace AssemblyData {
 	class GenericService : AssemblyService, IGenericService {
-		Assembly userServiceAssembly;
 		IUserGenericService userGenericService;
 
 		public override void Exit() {
@@ -32,8 +31,7 @@ namespace AssemblyData {
 			base.Exit();
 		}
 
-		public void LoadUserService(string asmPath, Type createServiceType, object createMethodArgs) {
-			userServiceAssembly = Assembly.LoadFile(asmPath);
+		public void LoadUserService(Type createServiceType, object createMethodArgs) {
 			var createServiceMethod = GetCreateUserServiceMethod(createServiceType);
 			userGenericService = createServiceMethod.Invoke(null, null) as IUserGenericService;
 			if (userGenericService == null)
diff --git a/AssemblyData/IGenericService.cs b/AssemblyData/IGenericService.cs
index 017f9c28..db4d7a91 100644
--- a/AssemblyData/IGenericService.cs
+++ b/AssemblyData/IGenericService.cs
@@ -24,7 +24,7 @@ namespace AssemblyData {
 	}
 
 	public interface IGenericService : IAssemblyService {
-		void LoadUserService(string asmPath, Type createServiceType, object createMethodArgs);
+		void LoadUserService(Type createServiceType, object createMethodArgs);
 		void LoadAssembly(string filename);
 		object SendMessage(int msg, object[] args);
 	}

From 2cc12006aa8680427ffe88f77e07caea842516b4 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 26 Oct 2013 17:25:58 +0200
Subject: [PATCH 38/58] Support ILProtector 1.0.7.1 - 2.0.11.0

---
 de4dot.code/de4dot.code.csproj                |   7 +-
 .../ILProtector/DecryptedMethodInfo.cs        |  42 ++
 .../deobfuscators/ILProtector/Deobfuscator.cs |  43 +-
 .../ILProtector/DynamicMethodsDecrypter.cs    | 490 ++++++++++++++++++
 .../DynamicMethodsDecrypterService.cs         |  72 +++
 .../ILProtector/DynamicMethodsRestorer.cs     |  69 +++
 .../deobfuscators/ILProtector/MainType.cs     |  32 +-
 .../ILProtector/MethodsDecrypterBase.cs       | 125 +++++
 ...Decrypter.cs => StaticMethodsDecrypter.cs} | 132 +----
 9 files changed, 870 insertions(+), 142 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/ILProtector/DecryptedMethodInfo.cs
 create mode 100644 de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs
 create mode 100644 de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypterService.cs
 create mode 100644 de4dot.code/deobfuscators/ILProtector/DynamicMethodsRestorer.cs
 create mode 100644 de4dot.code/deobfuscators/ILProtector/MethodsDecrypterBase.cs
 rename de4dot.code/deobfuscators/ILProtector/{MethodsDecrypter.cs => StaticMethodsDecrypter.cs} (71%)

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 7c946ab2..f97e575e 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -160,6 +160,11 @@
     <Compile Include="deobfuscators\Dotfuscator\Deobfuscator.cs" />
     <Compile Include="deobfuscators\Dotfuscator\StringDecrypter.cs" />
     <Compile Include="deobfuscators\Eazfuscator_NET\Dynocode.cs" />
+    <Compile Include="deobfuscators\ILProtector\DecryptedMethodInfo.cs" />
+    <Compile Include="deobfuscators\ILProtector\DynamicMethodsDecrypter.cs" />
+    <Compile Include="deobfuscators\ILProtector\DynamicMethodsDecrypterService.cs" />
+    <Compile Include="deobfuscators\ILProtector\DynamicMethodsRestorer.cs" />
+    <Compile Include="deobfuscators\ILProtector\MethodsDecrypterBase.cs" />
     <Compile Include="deobfuscators\MyPEImage.cs" />
     <Compile Include="deobfuscators\dotNET_Reactor\v3\AntiStrongName.cs" />
     <Compile Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeDecrypter.cs" />
@@ -211,7 +216,7 @@
     <Compile Include="deobfuscators\ILProtector\Deobfuscator.cs" />
     <Compile Include="deobfuscators\ILProtector\MainType.cs" />
     <Compile Include="deobfuscators\ILProtector\MethodReader.cs" />
-    <Compile Include="deobfuscators\ILProtector\MethodsDecrypter.cs" />
+    <Compile Include="deobfuscators\ILProtector\StaticMethodsDecrypter.cs" />
     <Compile Include="deobfuscators\InitializedDataCreator.cs" />
     <Compile Include="deobfuscators\InlinedMethodsFinder.cs" />
     <Compile Include="deobfuscators\ISimpleDeobfuscator.cs" />
diff --git a/de4dot.code/deobfuscators/ILProtector/DecryptedMethodInfo.cs b/de4dot.code/deobfuscators/ILProtector/DecryptedMethodInfo.cs
new file mode 100644
index 00000000..23080df2
--- /dev/null
+++ b/de4dot.code/deobfuscators/ILProtector/DecryptedMethodInfo.cs
@@ -0,0 +1,42 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+
+namespace de4dot.code.deobfuscators.ILProtector {
+	[Serializable]
+	class DecryptedMethodInfo {
+		public int id;
+		public byte[] data;
+
+		public DecryptedMethodInfo(int id, int size) {
+			this.id = id;
+			this.data = new byte[size];
+		}
+
+		public DecryptedMethodInfo(int id, byte[] data) {
+			this.id = id;
+			this.data = data;
+		}
+
+		public override string ToString() {
+			return string.Format("ID: {0}, Size: 0x{1:X}", id, data.Length);
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs b/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs
index a0c4fea2..0594e3da 100644
--- a/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/ILProtector/Deobfuscator.cs
@@ -56,7 +56,8 @@ namespace de4dot.code.deobfuscators.ILProtector {
 		string obfuscatorName = DeobfuscatorInfo.THE_NAME;
 
 		MainType mainType;
-		MethodsDecrypter methodsDecrypter;
+		StaticMethodsDecrypter staticMethodsDecrypter;
+		DynamicMethodsRestorer dynamicMethodsRestorer;
 
 		internal class Options : OptionsBase {
 		}
@@ -85,33 +86,45 @@ namespace de4dot.code.deobfuscators.ILProtector {
 		protected override void ScanForObfuscator() {
 			mainType = new MainType(module);
 			mainType.Find();
-			methodsDecrypter = new MethodsDecrypter(module, mainType);
-			if (mainType.Detected)
-				methodsDecrypter.Find();
 
-			if (mainType.Detected && methodsDecrypter.Detected && methodsDecrypter.Version != null)
-				obfuscatorName += " " + methodsDecrypter.Version;
+			staticMethodsDecrypter = new StaticMethodsDecrypter(module, mainType);
+			if (mainType.Detected)
+				staticMethodsDecrypter.Find();
+
+			if (mainType.Detected && !staticMethodsDecrypter.Detected)
+				dynamicMethodsRestorer = new DynamicMethodsRestorer(module, mainType);
+
+			if (mainType.Detected && staticMethodsDecrypter.Detected && staticMethodsDecrypter.Version != null)
+				obfuscatorName += " " + staticMethodsDecrypter.Version;
 		}
 
 		public override void DeobfuscateBegin() {
 			base.DeobfuscateBegin();
 
 			if (mainType.Detected) {
-				if (methodsDecrypter.Detected) {
-					methodsDecrypter.Decrypt();
-					AddTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Obfuscator method delegate type");
-					AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods resource");
-					AddTypeToBeRemoved(mainType.InvokerDelegate, "Invoker delegate type");
-					AddFieldToBeRemoved(mainType.InvokerInstanceField, "Invoker delegate instance field");
-					foreach (var pm in mainType.ProtectMethods)
-						AddMethodToBeRemoved(pm, "Obfuscator 'Protect' init method");
-					mainType.CleanUp();
+				if (staticMethodsDecrypter.Detected) {
+					staticMethodsDecrypter.Decrypt();
+					RemoveObfuscatorJunk(staticMethodsDecrypter);
+				}
+				else if (dynamicMethodsRestorer != null) {
+					dynamicMethodsRestorer.Decrypt();
+					RemoveObfuscatorJunk(dynamicMethodsRestorer);
 				}
 				else
 					Logger.w("New ILProtector version. Can't decrypt methods (yet)");
 			}
 		}
 
+		void RemoveObfuscatorJunk(MethodsDecrypterBase methodsDecrypter) {
+			AddTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Obfuscator method delegate type");
+			AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods resource");
+			AddTypeToBeRemoved(mainType.InvokerDelegate, "Invoker delegate type");
+			AddFieldToBeRemoved(mainType.InvokerInstanceField, "Invoker delegate instance field");
+			foreach (var pm in mainType.ProtectMethods)
+				AddMethodToBeRemoved(pm, "Obfuscator 'Protect' init method");
+			mainType.CleanUp();
+		}
+
 		public override IEnumerable<int> GetStringDecrypterMethods() {
 			return new List<int>();
 		}
diff --git a/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs
new file mode 100644
index 00000000..dcae0f9f
--- /dev/null
+++ b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs
@@ -0,0 +1,490 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.ExceptionServices;
+using System.Runtime.InteropServices;
+using System.Security;
+using dnlib.DotNet;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.ILProtector {
+	sealed class DynamicMethodsDecrypter : IDisposable {
+		ModuleDefMD module;
+		Module reflectionModule;
+		Module reflectionProtectModule;
+		TypeDef protectMainType;
+		Type reflectionProtectMainType;
+		FieldInfo invokerFieldInfo;
+		ModuleDefMD moduleProtect;
+		IDecrypter decrypter;
+
+		interface IDecrypter {
+			byte[] Decrypt(int methodId, uint rid);
+		}
+
+		abstract class DecrypterBase : IDecrypter {
+			protected readonly DynamicMethodsDecrypter dmd;
+			protected readonly int appDomainId;
+			protected readonly int asmHashCode;
+
+			class PatchData {
+				public int RVA { get; set; }
+				public byte[] Data { get; set; }
+
+				public PatchData() {
+				}
+
+				public PatchData(int rva, byte[] data) {
+					this.RVA = rva;
+					this.Data = data;
+				}
+			}
+
+			class PatchInfo {
+				public int RvaDecryptMethod { get; set; }
+				public List<PatchData> PatchData { get; set; }
+
+				public PatchInfo() {
+				}
+
+				public PatchInfo(int rvaDecryptMethod, PatchData patchData) {
+					this.RvaDecryptMethod = rvaDecryptMethod;
+					this.PatchData = new List<PatchData> { patchData };
+				}
+			}
+
+			static readonly byte[] nops2 = new byte[] { 0x90, 0x90 };
+			static readonly byte[] nops6 = new byte[] { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
+			static readonly Dictionary<Version, PatchInfo> patchInfos32 = new Dictionary<Version, PatchInfo> {
+				{ new Version(2, 0, 8, 0),	new PatchInfo(0x00020B20, new PatchData(0x00005733, nops2)) },
+				{ new Version(2, 0, 8, 5),	new PatchInfo(0x000221A0, new PatchData(0x00005742, nops2)) },
+				{ new Version(2, 0, 9, 0),	new PatchInfo(0x00023360, new PatchData(0x000056F2, nops6)) },
+				{ new Version(2, 0, 10, 0), new PatchInfo(0x00023B30, new PatchData(0x00005B12, nops6)) },
+				{ new Version(2, 0, 11, 0), new PatchInfo(0x000207C0, new PatchData(0x00018432, nops6)) },
+			};
+			static readonly Dictionary<Version, PatchInfo> patchInfos64 = new Dictionary<Version, PatchInfo> {
+				{ new Version(2, 0, 8, 0),	new PatchInfo(0x00026090, new PatchData(0x00005E0C, nops6)) },
+				{ new Version(2, 0, 8, 5),	new PatchInfo(0x000273D0, new PatchData(0x000060CA, nops6)) },
+				{ new Version(2, 0, 9, 0),	new PatchInfo(0x00028B00, new PatchData(0x00005F70, nops6)) },
+				{ new Version(2, 0, 10, 0), new PatchInfo(0x00029630, new PatchData(0x00006510, nops6)) },
+				{ new Version(2, 0, 11, 0), new PatchInfo(0x000257C0, new PatchData(0x0001C9A0, nops6)) },
+			};
+
+			[DllImport("kernel32")]
+			static extern bool VirtualProtect(IntPtr addr, int size, uint newProtect, out uint oldProtect);
+			const uint PAGE_EXECUTE_READWRITE = 0x40;
+
+			public DecrypterBase(DynamicMethodsDecrypter dmd) {
+				this.dmd = dmd;
+				this.appDomainId = AppDomain.CurrentDomain.Id;
+				this.asmHashCode = dmd.reflectionModule.Assembly.GetHashCode();
+			}
+
+			protected IntPtr GetDelegateAddress(FieldDef delegateField) {
+				FieldInfo delegateFieldInfo = dmd.reflectionProtectModule.ResolveField(0x04000000 + (int)delegateField.Rid);
+				object mainTypeInst = ((Delegate)dmd.invokerFieldInfo.GetValue(null)).Target;
+				return GetNativeAddressOfDelegate((Delegate)delegateFieldInfo.GetValue(mainTypeInst));
+			}
+
+			static IntPtr GetNativeAddressOfDelegate(Delegate del) {
+				var field = typeof(Delegate).GetField("_methodPtrAux", BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic);
+				if (field == null)
+					return IntPtr.Zero;
+
+				return (IntPtr)field.GetValue(del);
+			}
+
+			protected void PatchRuntime(IntPtr decryptAddr) {
+				if (!PatchRuntimeInternal(decryptAddr))
+					throw new ApplicationException("Probably a new version. Could not patch runtime.");
+			}
+
+			bool PatchRuntimeInternal(IntPtr decryptAddr) {
+				var patchInfos = IntPtr.Size == 4 ? patchInfos32 : patchInfos64;
+				var protectVersion = dmd.reflectionProtectModule.Assembly.GetName().Version;
+				PatchInfo info;
+				if (!patchInfos.TryGetValue(protectVersion, out info))
+					return false;
+				return PatchRuntime(decryptAddr, info);
+			}
+
+			[HandleProcessCorruptedStateExceptions, SecurityCritical]	// Req'd on .NET 4.0
+			static bool PatchRuntime(IntPtr decryptAddr, PatchInfo info) {
+				try {
+					IntPtr baseAddr = new IntPtr(decryptAddr.ToInt64() - info.RvaDecryptMethod);
+					if ((baseAddr.ToInt64() & 0xFFFF) != 0)
+						return false;
+
+					if (Marshal.ReadInt16(baseAddr) != 0x5A4D)
+						return false;
+
+					foreach (var patchData in info.PatchData) {
+						var patchAddr = new IntPtr(baseAddr.ToInt64() + patchData.RVA);
+						uint oldProtect;
+						if (!VirtualProtect(patchAddr, patchData.Data.Length, PAGE_EXECUTE_READWRITE, out oldProtect))
+							return false;
+						Marshal.Copy(patchData.Data, 0, patchAddr, patchData.Data.Length);
+						VirtualProtect(patchAddr, patchData.Data.Length, oldProtect, out oldProtect);
+					}
+
+					return true;
+				}
+				catch {
+				}
+
+				return false;
+			}
+
+			public abstract byte[] Decrypt(int methodId, uint rid);
+		}
+
+		// 1.0.7.1 - 1.0.8.0
+		class DecrypterV1_0_7_1 : DecrypterBase {
+			DecryptMethod decryptMethod;
+
+			unsafe delegate bool DecryptMethod(int appDomainId, int asmHashCode, int methodId, out byte* pMethodCode, out int methodSize);
+
+			public DecrypterV1_0_7_1(DynamicMethodsDecrypter dmd, FieldDef delegateField)
+				: base(dmd) {
+				IntPtr addr = GetDelegateAddress(delegateField);
+				decryptMethod = (DecryptMethod)Marshal.GetDelegateForFunctionPointer(addr, typeof(DecryptMethod));
+			}
+
+			public unsafe override byte[] Decrypt(int methodId, uint rid) {
+				byte* pMethodCode;
+				int methodSize;
+				if (!decryptMethod(appDomainId, asmHashCode, methodId, out pMethodCode, out methodSize))
+					return null;
+				byte[] methodData = new byte[methodSize];
+				Marshal.Copy(new IntPtr(pMethodCode), methodData, 0, methodData.Length);
+				return methodData;
+			}
+		}
+
+		// 2.0.0.0 - 2.0.7.6
+		class DecrypterV2_0_0_0 : DecrypterBase {
+			DecryptMethod decryptMethod;
+
+			unsafe delegate bool DecryptMethod(int clrMajorVersion, int appDomainId, int asmHashCode, int methodId, out byte* pMethodCode, out int methodSize);
+
+			public DecrypterV2_0_0_0(DynamicMethodsDecrypter dmd, FieldDef delegateField)
+				: base(dmd) {
+				IntPtr addr = GetDelegateAddress(delegateField);
+				decryptMethod = (DecryptMethod)Marshal.GetDelegateForFunctionPointer(addr, typeof(DecryptMethod));
+			}
+
+			public unsafe override byte[] Decrypt(int methodId, uint rid) {
+				byte* pMethodCode;
+				int methodSize;
+				if (!decryptMethod(Environment.Version.Major, appDomainId, asmHashCode, methodId, out pMethodCode, out methodSize))
+					return null;
+				byte[] methodData = new byte[methodSize];
+				Marshal.Copy(new IntPtr(pMethodCode), methodData, 0, methodData.Length);
+				return methodData;
+			}
+		}
+
+		// 2.0.8.0
+		class DecrypterV2_0_8_0 : DecrypterBase {
+			DecryptMethod decryptMethod;
+			byte[] decryptedData;
+
+			delegate bool DecryptMethod(int clrMajorVersion, int appDomainId, int asmHashCode, int methodId, [MarshalAs(UnmanagedType.FunctionPtr)] DecryptCallback decryptCallback, [MarshalAs(UnmanagedType.Interface)] out Delegate createdDelegate);
+			unsafe delegate bool DecryptCallback(byte* pMethodCode, int methodSize, [MarshalAs(UnmanagedType.Interface)] ref Delegate createdDelegate);
+
+			public DecrypterV2_0_8_0(DynamicMethodsDecrypter dmd, FieldDef delegateField)
+				: base(dmd) {
+				IntPtr addr = GetDelegateAddress(delegateField);
+				decryptMethod = (DecryptMethod)Marshal.GetDelegateForFunctionPointer(addr, typeof(DecryptMethod));
+				PatchRuntime(addr);
+			}
+
+			public unsafe override byte[] Decrypt(int methodId, uint rid) {
+				Delegate createdDelegate;
+				if (!decryptMethod(Environment.Version.Major, appDomainId, asmHashCode, methodId, MyDecryptCallback, out createdDelegate))
+					return null;
+				return decryptedData;
+			}
+
+			unsafe bool MyDecryptCallback(byte* pMethodCode, int methodSize, ref Delegate createdDelegate) {
+				decryptedData = new byte[methodSize];
+				Marshal.Copy(new IntPtr(pMethodCode), decryptedData, 0, decryptedData.Length);
+				return true;
+			}
+		}
+
+		// 2.0.8.5
+		class DecrypterV2_0_8_5 : DecrypterBase {
+			DecryptMethod decryptMethod;
+			byte[] decryptedData;
+			bool decryptReturnValue;
+
+			delegate bool DecryptMethod(int clrMajorVersion, int appDomainId, int asmHashCode, int methodId, [MarshalAs(UnmanagedType.Interface)] StackTrace stackTrace, [MarshalAs(UnmanagedType.FunctionPtr)] DecryptCallback decryptCallback, [MarshalAs(UnmanagedType.Interface)] out Delegate createdDelegate);
+			unsafe delegate bool DecryptCallback(byte* pMethodCode, int methodSize, [MarshalAs(UnmanagedType.Interface)] ref Delegate createdDelegate);
+
+			public DecrypterV2_0_8_5(DynamicMethodsDecrypter dmd, FieldDef delegateField)
+				: base(dmd) {
+				IntPtr addr = GetDelegateAddress(delegateField);
+				decryptMethod = (DecryptMethod)Marshal.GetDelegateForFunctionPointer(addr, typeof(DecryptMethod));
+				PatchRuntime(addr);
+			}
+
+			public unsafe override byte[] Decrypt(int methodId, uint rid) {
+				Delegate createdDelegate;
+				decryptReturnValue = false;
+				if (!decryptMethod(Environment.Version.Major, appDomainId, asmHashCode, methodId, new StackTrace(), MyDecryptCallback, out createdDelegate) &&
+					!decryptReturnValue)
+					return null;
+				return decryptedData;
+			}
+
+			unsafe bool MyDecryptCallback(byte* pMethodCode, int methodSize, ref Delegate createdDelegate) {
+				createdDelegate = new DecryptCallback(MyDecryptCallback);
+				decryptedData = new byte[methodSize];
+				Marshal.Copy(new IntPtr(pMethodCode), decryptedData, 0, decryptedData.Length);
+				return decryptReturnValue = true;
+			}
+		}
+
+		// 2.0.9.0 - 2.0.11.0
+		class DecrypterV2_0_9_0 : DecrypterBase {
+			DecryptMethod decryptMethod;
+			byte[] decryptedData;
+
+			delegate bool DecryptMethod(int clrMajorVersion, int appDomainId, int asmHashCode, int methodId, [MarshalAs(UnmanagedType.Interface)] StackTrace stackTrace, [MarshalAs(UnmanagedType.FunctionPtr)] DecryptCallback decryptCallback);
+			unsafe delegate bool DecryptCallback(byte* pMethodCode, int methodSize, int methodId);
+
+			public DecrypterV2_0_9_0(DynamicMethodsDecrypter dmd, FieldDef delegateField)
+				: base(dmd) {
+				IntPtr addr = GetDelegateAddress(delegateField);
+				decryptMethod = (DecryptMethod)Marshal.GetDelegateForFunctionPointer(addr, typeof(DecryptMethod));
+				PatchRuntime(addr);
+			}
+
+			public unsafe override byte[] Decrypt(int methodId, uint rid) {
+				var encMethod = this.dmd.reflectionModule.ResolveMethod(0x06000000 + (int)rid);
+				var stackTrace = StackTracePatcher.WriteStackFrame(new StackTrace(), 1, encMethod);
+				if (!decryptMethod(Environment.Version.Major, appDomainId, asmHashCode, methodId, stackTrace, MyDecryptCallback))
+					return null;
+				return decryptedData;
+			}
+
+			unsafe bool MyDecryptCallback(byte* pMethodCode, int methodSize, int methodId) {
+				decryptedData = new byte[methodSize];
+				Marshal.Copy(new IntPtr(pMethodCode), decryptedData, 0, decryptedData.Length);
+				return true;
+			}
+		}
+
+		public DynamicMethodsDecrypter(ModuleDefMD module, Module reflectionModule) {
+			this.module = module;
+			this.reflectionModule = reflectionModule;
+		}
+
+		public void Initialize() {
+			RuntimeHelpers.RunModuleConstructor(reflectionModule.ModuleHandle);
+			var reflectionProtectAssembly = GetProtectAssembly();
+			if (reflectionProtectAssembly == null)
+				throw new ApplicationException("Could not find 'Protect' assembly");
+			reflectionProtectModule = reflectionProtectAssembly.ManifestModule;
+			moduleProtect = ModuleDefMD.Load(reflectionProtectModule);
+			protectMainType = FindMainType(moduleProtect);
+			if (protectMainType == null)
+				throw new ApplicationException("Could not find Protect.MainType");
+			var invokerField = FindInvokerField(module);
+
+			reflectionProtectMainType = reflectionProtectModule.ResolveType(0x02000000 + (int)protectMainType.Rid);
+			invokerFieldInfo = reflectionModule.ResolveField(0x04000000 + (int)invokerField.Rid);
+
+			decrypter = CreateDecrypter();
+			if (decrypter == null)
+				throw new ApplicationException("Probably a new version. Could not create a decrypter.");
+		}
+
+		public DecryptedMethodInfo Decrypt(int methodId, uint rid) {
+			byte[] methodData = decrypter.Decrypt(methodId, rid);
+			if (methodData == null)
+				throw new ApplicationException(string.Format("Probably a new version. Could not decrypt method. ID:{0}, RID:{1:X4}", methodId, rid));
+			return new DecryptedMethodInfo(methodId, methodData);
+		}
+
+		public void Dispose() {
+			if (moduleProtect != null)
+				moduleProtect.Dispose();
+			moduleProtect = null;
+		}
+
+		IDecrypter CreateDecrypter() {
+			return CreateDecrypterV1_0_7_1() ??
+				CreateDecrypterV2_0_0_0() ??
+				CreateDecrypterV2_0_8_0() ??
+				CreateDecrypterV2_0_8_5() ??
+				CreateDecrypterV2_0_9_0();
+		}
+
+		IDecrypter CreateDecrypterV1_0_7_1() {
+			var delegateField = FindDelegateFieldV1_0_7_1(protectMainType);
+			if (delegateField == null)
+				return null;
+
+			return new DecrypterV1_0_7_1(this, delegateField);
+		}
+
+		IDecrypter CreateDecrypterV2_0_0_0() {
+			var delegateField = FindDelegateFieldV2_0_0_0(protectMainType);
+			if (delegateField == null)
+				return null;
+
+			return new DecrypterV2_0_0_0(this, delegateField);
+		}
+
+		IDecrypter CreateDecrypterV2_0_8_0() {
+			var delegateField = FindDelegateFieldV2_0_8_0(protectMainType, FindDecryptCallbackV2_0_8_0(protectMainType));
+			if (delegateField == null)
+				return null;
+
+			return new DecrypterV2_0_8_0(this, delegateField);
+		}
+
+		IDecrypter CreateDecrypterV2_0_8_5() {
+			var delegateField = FindDelegateFieldV2_0_8_5(protectMainType, FindDecryptCallbackV2_0_8_0(protectMainType));
+			if (delegateField == null)
+				return null;
+
+			return new DecrypterV2_0_8_5(this, delegateField);
+		}
+
+		IDecrypter CreateDecrypterV2_0_9_0() {
+			var delegateField = FindDelegateFieldV2_0_9_0(protectMainType, FindDecryptCallbackV2_0_9_0(protectMainType));
+			if (delegateField == null)
+				return null;
+
+			return new DecrypterV2_0_9_0(this, delegateField);
+		}
+
+		static readonly byte[] ilpPublicKeyToken = new byte[8] { 0x20, 0x12, 0xD3, 0xC0, 0x55, 0x1F, 0xE0, 0x3D };
+		static Assembly GetProtectAssembly() {
+			foreach (var asm in AppDomain.CurrentDomain.GetAssemblies()) {
+				if (!string.IsNullOrEmpty(asm.Location))
+					continue;
+				var asmName = asm.GetName();
+				if (asmName.Name != "Protect")
+					continue;
+				if (!Compare(asmName.GetPublicKeyToken(), ilpPublicKeyToken))
+					continue;
+
+				return asm;
+			}
+			return null;
+		}
+
+		static bool Compare(byte[] a, byte[] b) {
+			if (a == null && b == null)
+				return true;
+			if (a == null || b == null)
+				return false;
+			if (a.Length != b.Length)
+				return false;
+			for (int i = 0; i < a.Length; i++) {
+				if (a[i] != b[i])
+					return false;
+			}
+			return true;
+		}
+
+		static TypeDef FindMainType(ModuleDef module) {
+			foreach (var type in module.Types) {
+				if (type.FindMethod("Finalize") != null)
+					return type;
+			}
+			return null;
+		}
+
+		static FieldDef FindInvokerField(ModuleDef module) {
+			return FindDelegateField(module.GlobalType, "System.Delegate", "(System.Int32)");
+		}
+
+		static FieldDef FindDelegateFieldV1_0_7_1(TypeDef mainType) {
+			return FindDelegateField(mainType, "System.Boolean", "(System.Int32,System.Int32,System.Int32,System.Byte*&,System.Int32&)");
+		}
+
+		static FieldDef FindDelegateFieldV2_0_0_0(TypeDef mainType) {
+			return FindDelegateField(mainType, "System.Boolean", "(System.Int32,System.Int32,System.Int32,System.Int32,System.Byte*&,System.Int32&)");
+		}
+
+		static FieldDef FindDecryptCallbackV2_0_8_0(TypeDef mainType) {
+			return FindDelegateField(mainType, "System.Boolean", "(System.Byte*,System.Int32,System.Delegate&)");
+		}
+
+		static FieldDef FindDecryptCallbackV2_0_9_0(TypeDef mainType) {
+			return FindDelegateField(mainType, "System.Boolean", "(System.Byte*,System.Int32,System.Int32)");
+		}
+
+		static FieldDef FindDelegateFieldV2_0_8_0(TypeDef mainType, FieldDef decryptCallbackField) {
+			if (decryptCallbackField == null)
+				return null;
+			var type = decryptCallbackField.FieldSig.GetFieldType().ToTypeDefOrRef() as TypeDef;
+			if (type == null)
+				return null;
+			return FindDelegateField(mainType, "System.Boolean", string.Format("(System.Int32,System.Int32,System.Int32,System.Int32,{0},System.Delegate&)", type.FullName));
+		}
+
+		static FieldDef FindDelegateFieldV2_0_8_5(TypeDef mainType, FieldDef decryptCallbackField) {
+			if (decryptCallbackField == null)
+				return null;
+			var type = decryptCallbackField.FieldSig.GetFieldType().ToTypeDefOrRef() as TypeDef;
+			if (type == null)
+				return null;
+			return FindDelegateField(mainType, "System.Boolean", string.Format("(System.Int32,System.Int32,System.Int32,System.Int32,System.Diagnostics.StackTrace,{0},System.Delegate&)", type.FullName));
+		}
+
+		static FieldDef FindDelegateFieldV2_0_9_0(TypeDef mainType, FieldDef decryptCallbackField) {
+			if (decryptCallbackField == null)
+				return null;
+			var type = decryptCallbackField.FieldSig.GetFieldType().ToTypeDefOrRef() as TypeDef;
+			if (type == null)
+				return null;
+			return FindDelegateField(mainType, "System.Boolean", string.Format("(System.Int32,System.Int32,System.Int32,System.Int32,System.Diagnostics.StackTrace,{0})", type.FullName));
+		}
+
+		static FieldDef FindDelegateField(TypeDef mainType, string returnType, string parameters) {
+			foreach (var field in mainType.Fields) {
+				var fieldSig = field.FieldSig;
+				if (fieldSig == null)
+					continue;
+				var fieldType = fieldSig.Type.ToTypeDefOrRef() as TypeDef;
+				if (fieldType == null)
+					continue;
+				if (fieldType.BaseType != null && fieldType.BaseType.FullName != "System.MulticastDelegate")
+					continue;
+				var invokeMethod = fieldType.FindMethod("Invoke");
+				if (!DotNetUtils.IsMethod(invokeMethod, returnType, parameters))
+					continue;
+
+				return field;
+			}
+			return null;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypterService.cs b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypterService.cs
new file mode 100644
index 00000000..ead8f085
--- /dev/null
+++ b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypterService.cs
@@ -0,0 +1,72 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Reflection;
+using System.Collections.Generic;
+using dnlib.DotNet;
+using AssemblyData;
+
+namespace de4dot.code.deobfuscators.ILProtector {
+	sealed class DynamicMethodsDecrypterService : IUserGenericService {
+		public const int MSG_DECRYPT_METHODS = 0;
+
+		Module reflObfModule;
+		ModuleDefMD obfModule;
+
+		[CreateUserGenericService]
+		public static IUserGenericService Create() {
+			return new DynamicMethodsDecrypterService();
+		}
+
+		public void Dispose() {
+			if (obfModule != null)
+				obfModule.Dispose();
+			obfModule = null;
+		}
+
+		public void AssemblyLoaded(Assembly assembly) {
+			this.reflObfModule = assembly.ManifestModule;
+			this.obfModule = ModuleDefMD.Load(reflObfModule);
+		}
+
+		public object HandleMessage(int msg, object[] args) {
+			switch (msg) {
+			case MSG_DECRYPT_METHODS:
+				return DecryptMethods(args[0] as IList<int>);
+
+			default:
+				throw new ApplicationException(string.Format("Invalid msg: {0:X8}", msg));
+			}
+		}
+
+		IList<DecryptedMethodInfo> DecryptMethods(IList<int> methodIds) {
+			using (var decrypter = new DynamicMethodsDecrypter(obfModule, reflObfModule)) {
+				decrypter.Initialize();
+
+				var infos = new List<DecryptedMethodInfo>();
+
+				for (int i = 0; i < methodIds.Count; i += 2)
+					infos.Add(decrypter.Decrypt(methodIds[i], (uint)methodIds[i + 1]));
+
+				return infos;
+			}
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/ILProtector/DynamicMethodsRestorer.cs b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsRestorer.cs
new file mode 100644
index 00000000..ecbff882
--- /dev/null
+++ b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsRestorer.cs
@@ -0,0 +1,69 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using dnlib.DotNet;
+using AssemblyData;
+using de4dot.code.AssemblyClient;
+
+namespace de4dot.code.deobfuscators.ILProtector {
+	// Calls class to dynamically decrypt methods, then restores them.
+	class DynamicMethodsRestorer : MethodsDecrypterBase {
+		public DynamicMethodsRestorer(ModuleDefMD module, MainType mainType)
+			: base(module, mainType) {
+		}
+
+		protected override void DecryptInternal() {
+			IList<DecryptedMethodInfo> decryptedData;
+			var serverVersion = NewProcessAssemblyClientFactory.GetServerClrVersion(module);
+			using (var client = new NewProcessAssemblyClientFactory(serverVersion).Create(AssemblyServiceType.Generic)) {
+				client.Connect();
+				client.WaitConnected();
+
+				client.GenericService.LoadUserService(typeof(DynamicMethodsDecrypterService), null);
+				client.GenericService.LoadAssembly(module.Location);
+				decryptedData = client.GenericService.SendMessage(DynamicMethodsDecrypterService.MSG_DECRYPT_METHODS, new object[] { GetMethodIds() }) as IList<DecryptedMethodInfo>;
+			}
+
+			if (decryptedData == null)
+				throw new ApplicationException("Unknown return value from dynamic methods decrypter service");
+
+			foreach (var info in decryptedData)
+				methodInfos[info.id] = info;
+		}
+
+		IList<int> GetMethodIds() {
+			var ids = new List<int>();
+
+			foreach (var type in module.GetTypes()) {
+				foreach (var method in type.Methods) {
+					int? id = GetMethodId(method);
+					if (id == null)
+						continue;
+
+					ids.Add(id.Value);
+					ids.Add((int)method.Rid);
+				}
+			}
+
+			return ids;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/ILProtector/MainType.cs b/de4dot.code/deobfuscators/ILProtector/MainType.cs
index f853b289..92b8a399 100644
--- a/de4dot.code/deobfuscators/ILProtector/MainType.cs
+++ b/de4dot.code/deobfuscators/ILProtector/MainType.cs
@@ -53,15 +53,20 @@ namespace de4dot.code.deobfuscators.ILProtector {
 			CheckMethod(DotNetUtils.GetModuleTypeCctor(module));
 		}
 
-		static string[] ilpLocals = new string[] {
+		static string[] ilpLocalsV1x = new string[] {
 			"System.Boolean",
 			"System.IntPtr",
 			"System.Object[]",
 		};
+		static string[] ilpLocalsV2x = new string[] {
+			"System.IntPtr",
+		};
 		bool CheckMethod(MethodDef cctor) {
 			if (cctor == null || cctor.Body == null)
 				return false;
-			if (!new LocalTypes(cctor).Exactly(ilpLocals))
+			var localTypes = new LocalTypes(cctor);
+			if (!localTypes.Exactly(ilpLocalsV1x) &&
+				!localTypes.Exactly(ilpLocalsV2x))
 				return false;
 
 			var type = cctor.DeclaringType;
@@ -70,20 +75,31 @@ namespace de4dot.code.deobfuscators.ILProtector {
 				methods = GetPinvokeMethods(type, "P0");
 			if (methods.Count != 2)
 				return false;
-			if (type.Fields.Count != 1)
+			if (type.Fields.Count < 1 || type.Fields.Count > 2)
 				return false;
 
-			var theField = type.Fields[0];
-			var theDelegate = theField.FieldType.TryGetTypeDef();
-			if (theDelegate == null || !DotNetUtils.DerivesFromDelegate(theDelegate))
+			if (!GetDelegate(type, out invokerInstanceField, out invokerDelegate))
 				return false;
 
 			protectMethods = methods;
-			invokerDelegate = theDelegate;
-			invokerInstanceField = theField;
 			return true;
 		}
 
+		bool GetDelegate(TypeDef type, out FieldDef field, out TypeDef del) {
+			foreach (var fld in type.Fields) {
+				var theDelegate = fld.FieldType.TryGetTypeDef();
+				if (theDelegate != null && DotNetUtils.DerivesFromDelegate(theDelegate)) {
+					field = fld;
+					del = theDelegate;
+					return true;
+				}
+			}
+
+			field = null;
+			del = null;
+			return false;
+		}
+
 		static List<MethodDef> GetPinvokeMethods(TypeDef type, string name) {
 			var list = new List<MethodDef>();
 			foreach (var method in type.Methods) {
diff --git a/de4dot.code/deobfuscators/ILProtector/MethodsDecrypterBase.cs b/de4dot.code/deobfuscators/ILProtector/MethodsDecrypterBase.cs
new file mode 100644
index 00000000..2ac46930
--- /dev/null
+++ b/de4dot.code/deobfuscators/ILProtector/MethodsDecrypterBase.cs
@@ -0,0 +1,125 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+
+namespace de4dot.code.deobfuscators.ILProtector {
+	abstract class MethodsDecrypterBase {
+		protected ModuleDefMD module;
+		protected MainType mainType;
+		protected EmbeddedResource methodsResource;
+		protected Dictionary<int, DecryptedMethodInfo> methodInfos = new Dictionary<int, DecryptedMethodInfo>();
+		List<TypeDef> delegateTypes = new List<TypeDef>();
+
+		public EmbeddedResource Resource {
+			get { return methodsResource; }
+		}
+
+		public IEnumerable<TypeDef> DelegateTypes {
+			get { return delegateTypes; }
+		}
+
+		public MethodsDecrypterBase(ModuleDefMD module, MainType mainType) {
+			this.module = module;
+			this.mainType = mainType;
+		}
+
+		public void Decrypt() {
+			DecryptInternal();
+			RestoreMethods();
+		}
+
+		protected abstract void DecryptInternal();
+
+		void RestoreMethods() {
+			if (methodInfos.Count == 0)
+				return;
+
+			Logger.v("Restoring {0} methods", methodInfos.Count);
+			Logger.Instance.Indent();
+			foreach (var type in module.GetTypes()) {
+				foreach (var method in type.Methods) {
+					if (method.Body == null)
+						continue;
+
+					if (RestoreMethod(method)) {
+						Logger.v("Restored method {0} ({1:X8}). Instrs:{2}, Locals:{3}, Exceptions:{4}",
+							Utils.RemoveNewlines(method.FullName),
+							method.MDToken.ToInt32(),
+							method.Body.Instructions.Count,
+							method.Body.Variables.Count,
+							method.Body.ExceptionHandlers.Count);
+					}
+				}
+			}
+			Logger.Instance.DeIndent();
+			if (methodInfos.Count != 0)
+				Logger.w("{0} methods weren't restored", methodInfos.Count);
+		}
+
+		bool RestoreMethod(MethodDef method) {
+			int? methodId = GetMethodId(method);
+			if (methodId == null)
+				return false;
+
+			var parameters = method.Parameters;
+			var methodInfo = methodInfos[methodId.Value];
+			methodInfos.Remove(methodId.Value);
+			var methodReader = new MethodReader(module, methodInfo.data, parameters);
+			methodReader.Read();
+
+			RestoreMethod(method, methodReader);
+			delegateTypes.Add(methodReader.DelegateType);
+
+			return true;
+		}
+
+		static void RestoreMethod(MethodDef method, MethodReader methodReader) {
+			// body.MaxStackSize = <let dnlib calculate this>
+			method.Body.InitLocals = methodReader.InitLocals;
+			methodReader.RestoreMethod(method);
+		}
+
+		protected int? GetMethodId(MethodDef method) {
+			if (method == null || method.Body == null)
+				return null;
+
+			var instrs = method.Body.Instructions;
+			for (int i = 0; i < instrs.Count - 1; i++) {
+				var ldsfld = instrs[i];
+				if (ldsfld.OpCode.Code != Code.Ldsfld)
+					continue;
+
+				var ldci4 = instrs[i + 1];
+				if (!ldci4.IsLdcI4())
+					continue;
+
+				var field = ldsfld.Operand as FieldDef;
+				if (field == null || field != mainType.InvokerInstanceField)
+					continue;
+
+				return ldci4.GetLdcI4Value();
+			}
+
+			return null;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/ILProtector/MethodsDecrypter.cs b/de4dot.code/deobfuscators/ILProtector/StaticMethodsDecrypter.cs
similarity index 71%
rename from de4dot.code/deobfuscators/ILProtector/MethodsDecrypter.cs
rename to de4dot.code/deobfuscators/ILProtector/StaticMethodsDecrypter.cs
index 47be38aa..c614017b 100644
--- a/de4dot.code/deobfuscators/ILProtector/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/ILProtector/StaticMethodsDecrypter.cs
@@ -22,16 +22,9 @@ using System.Collections.Generic;
 using System.IO;
 using dnlib.IO;
 using dnlib.DotNet;
-using dnlib.DotNet.Emit;
-using de4dot.blocks;
 
 namespace de4dot.code.deobfuscators.ILProtector {
-	class MethodsDecrypter {
-		ModuleDefMD module;
-		MainType mainType;
-		EmbeddedResource methodsResource;
-		Dictionary<int, MethodInfo2> methodInfos = new Dictionary<int, MethodInfo2>();
-		List<TypeDef> delegateTypes = new List<TypeDef>();
+	class StaticMethodsDecrypter : MethodsDecrypterBase {
 		IDecrypter decrypter;
 
 		interface IDecrypter {
@@ -153,13 +146,13 @@ namespace de4dot.code.deobfuscators.ILProtector {
 			}
 		}
 
-		// 1.0.6
+		// 1.0.6 - 1.0.7.0
 		class DecrypterV106 : DecrypterBase {
 			byte[] decryptionKey6;
 			byte[] decryptionKey7;
 
 			DecrypterV106(byte[] key0, byte[] key6, byte[] key7, int startOffset) {
-				this.ilpVersion = "1.0.6";
+				this.ilpVersion = "1.0.6 - 1.0.7.0";
 				this.startOffset = startOffset;
 				this.decryptionKey = key0;
 				this.decryptionKey6 = key6;
@@ -185,7 +178,7 @@ namespace de4dot.code.deobfuscators.ILProtector {
 
 					var key0 = DeobUtils.Sha1Sum(sha1Data);			// 1.0.6.0
 					var key6 = GetKey(reader, key0, keyXorOffs6);	// 1.0.6.6
-					var key7 = GetKey(reader, key0, keyXorOffs7);	// 1.0.6.7
+					var key7 = GetKey(reader, key0, keyXorOffs7);	// 1.0.6.7 - 1.0.7.0
 					return new DecrypterV106(key0, key6, key7, encryptedOffs);
 				}
 				catch (IOException) {
@@ -232,29 +225,6 @@ namespace de4dot.code.deobfuscators.ILProtector {
 			}
 		}
 
-		class MethodInfo2 {
-			public int id;
-			public int offset;
-			public byte[] data;
-			public MethodInfo2(int id, int offset, int size) {
-				this.id = id;
-				this.offset = offset;
-				this.data = new byte[size];
-			}
-
-			public override string ToString() {
-				return string.Format("{0} {1:X8} 0x{2:X}", id, offset, data.Length);
-			}
-		}
-
-		public EmbeddedResource Resource {
-			get { return methodsResource; }
-		}
-
-		public IEnumerable<TypeDef> DelegateTypes {
-			get { return delegateTypes; }
-		}
-
 		public string Version {
 			get { return decrypter == null ? null : decrypter.Version; }
 		}
@@ -263,9 +233,8 @@ namespace de4dot.code.deobfuscators.ILProtector {
 			get { return methodsResource != null; }
 		}
 
-		public MethodsDecrypter(ModuleDefMD module, MainType mainType) {
-			this.module = module;
-			this.mainType = mainType;
+		public StaticMethodsDecrypter(ModuleDefMD module, MainType mainType)
+			: base(module, mainType) {
 		}
 
 		public void Find() {
@@ -300,108 +269,35 @@ namespace de4dot.code.deobfuscators.ILProtector {
 			return decrypter != null;
 		}
 
-		public void Decrypt() {
+		protected override void DecryptInternal() {
 			if (methodsResource == null || decrypter == null)
 				return;
 
 			foreach (var info in ReadMethodInfos(decrypter.GetMethodsData(methodsResource)))
 				methodInfos[info.id] = info;
-
-			RestoreMethods();
 		}
 
-		static MethodInfo2[] ReadMethodInfos(byte[] data) {
+		static DecryptedMethodInfo[] ReadMethodInfos(byte[] data) {
+			var toOffset = new Dictionary<DecryptedMethodInfo, int>();
 			var reader = MemoryImageStream.Create(data);
 			int numMethods = (int)reader.Read7BitEncodedUInt32();
 			int totalCodeSize = (int)reader.Read7BitEncodedUInt32();
-			var methodInfos = new MethodInfo2[numMethods];
+			var methodInfos = new DecryptedMethodInfo[numMethods];
 			int offset = 0;
 			for (int i = 0; i < numMethods; i++) {
 				int id = (int)reader.Read7BitEncodedUInt32();
 				int size = (int)reader.Read7BitEncodedUInt32();
-				methodInfos[i] = new MethodInfo2(id, offset, size);
+				var info = new DecryptedMethodInfo(id, size);
+				methodInfos[i] = info;
+				toOffset[info] = offset;
 				offset += size;
 			}
 			long dataOffset = reader.Position;
 			foreach (var info in methodInfos) {
-				reader.Position = dataOffset + info.offset;
+				reader.Position = dataOffset + toOffset[info];
 				reader.Read(info.data, 0, info.data.Length);
 			}
 			return methodInfos;
 		}
-
-		void RestoreMethods() {
-			if (methodInfos.Count == 0)
-				return;
-
-			Logger.v("Restoring {0} methods", methodInfos.Count);
-			Logger.Instance.Indent();
-			foreach (var type in module.GetTypes()) {
-				foreach (var method in type.Methods) {
-					if (method.Body == null)
-						continue;
-
-					if (RestoreMethod(method)) {
-						Logger.v("Restored method {0} ({1:X8}). Instrs:{2}, Locals:{3}, Exceptions:{4}",
-							Utils.RemoveNewlines(method.FullName),
-							method.MDToken.ToInt32(),
-							method.Body.Instructions.Count,
-							method.Body.Variables.Count,
-							method.Body.ExceptionHandlers.Count);
-					}
-				}
-			}
-			Logger.Instance.DeIndent();
-			if (methodInfos.Count != 0)
-				Logger.w("{0} methods weren't restored", methodInfos.Count);
-		}
-
-		const int INVALID_METHOD_ID = -1;
-		bool RestoreMethod(MethodDef method) {
-			int methodId = GetMethodId(method);
-			if (methodId == INVALID_METHOD_ID)
-				return false;
-
-			var parameters = method.Parameters;
-			var methodInfo = methodInfos[methodId];
-			methodInfos.Remove(methodId);
-			var methodReader = new MethodReader(module, methodInfo.data, parameters);
-			methodReader.Read();
-
-			RestoreMethod(method, methodReader);
-			delegateTypes.Add(methodReader.DelegateType);
-
-			return true;
-		}
-
-		static void RestoreMethod(MethodDef method, MethodReader methodReader) {
-			// body.MaxStackSize = <let dnlib calculate this>
-			method.Body.InitLocals = methodReader.InitLocals;
-			methodReader.RestoreMethod(method);
-		}
-
-		int GetMethodId(MethodDef method) {
-			if (method == null || method.Body == null)
-				return INVALID_METHOD_ID;
-
-			var instrs = method.Body.Instructions;
-			for (int i = 0; i < instrs.Count - 1; i++) {
-				var ldsfld = instrs[i];
-				if (ldsfld.OpCode.Code != Code.Ldsfld)
-					continue;
-
-				var ldci4 = instrs[i + 1];
-				if (!ldci4.IsLdcI4())
-					continue;
-
-				var field = ldsfld.Operand as FieldDef;
-				if (field == null || field != mainType.InvokerInstanceField)
-					continue;
-
-				return ldci4.GetLdcI4Value();
-			}
-
-			return INVALID_METHOD_ID;
-		}
 	}
 }

From 511a061f64bf4441557c07d8494aee876703ea7d Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 27 Oct 2013 19:40:51 +0100
Subject: [PATCH 39/58] Support latest Eazfuscator.NET

---
 de4dot.code/de4dot.code.csproj                |   3 +-
 .../Eazfuscator_NET/Deobfuscator.cs           |  10 +
 .../DynamicDynocodeIterator.cs                | 109 +++++++
 .../deobfuscators/Eazfuscator_NET/Dynocode.cs | 289 ------------------
 .../Eazfuscator_NET/DynocodeService.cs        | 100 ++++++
 .../ResourceMethodsRestorer.cs                |   5 +-
 .../Eazfuscator_NET/StringDecrypter.cs        |  63 +++-
 .../Eazfuscator_NET/VersionDetector.cs        |   2 +-
 .../deobfuscators/MethodCallRestorerBase.cs   |   9 +
 9 files changed, 287 insertions(+), 303 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/Eazfuscator_NET/DynamicDynocodeIterator.cs
 delete mode 100644 de4dot.code/deobfuscators/Eazfuscator_NET/Dynocode.cs
 create mode 100644 de4dot.code/deobfuscators/Eazfuscator_NET/DynocodeService.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 7c946ab2..be5b26b7 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -159,7 +159,8 @@
     <Compile Include="deobfuscators\DeobUtils.cs" />
     <Compile Include="deobfuscators\Dotfuscator\Deobfuscator.cs" />
     <Compile Include="deobfuscators\Dotfuscator\StringDecrypter.cs" />
-    <Compile Include="deobfuscators\Eazfuscator_NET\Dynocode.cs" />
+    <Compile Include="deobfuscators\Eazfuscator_NET\DynamicDynocodeIterator.cs" />
+    <Compile Include="deobfuscators\Eazfuscator_NET\DynocodeService.cs" />
     <Compile Include="deobfuscators\MyPEImage.cs" />
     <Compile Include="deobfuscators\dotNET_Reactor\v3\AntiStrongName.cs" />
     <Compile Include="deobfuscators\dotNET_Reactor\v3\ApplicationModeDecrypter.cs" />
diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs
index 284d2dbe..74a3db9b 100644
--- a/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Eazfuscator_NET/Deobfuscator.cs
@@ -159,6 +159,8 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 				AddTypesToBeRemoved(stringDecrypter.DynocodeTypes, "Dynocode type");
 				AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
 			}
+			stringDecrypter.CloseServer();
+
 			AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
 			AddTypeToBeRemoved(assemblyResolver.OtherType, "Assembly resolver other type");
 			AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
@@ -214,6 +216,14 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 			DotNetUtils.RestoreBody(cctor, allInstructions, allExceptionHandlers);
 		}
 
+		protected override void Dispose(bool disposing) {
+			if (disposing) {
+				if (stringDecrypter != null)
+					stringDecrypter.Dispose();
+			}
+			base.Dispose(disposing);
+		}
+
 		public override IEnumerable<int> GetStringDecrypterMethods() {
 			var list = new List<int>();
 			if (stringDecrypter.Method != null)
diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/DynamicDynocodeIterator.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/DynamicDynocodeIterator.cs
new file mode 100644
index 00000000..1d60eed1
--- /dev/null
+++ b/de4dot.code/deobfuscators/Eazfuscator_NET/DynamicDynocodeIterator.cs
@@ -0,0 +1,109 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using AssemblyData;
+using de4dot.code.AssemblyClient;
+using dnlib.DotNet;
+
+namespace de4dot.code.deobfuscators.Eazfuscator_NET {
+	class DynamicDynocodeIterator : IDisposable, IEnumerable<int> {
+		IAssemblyClient assemblyClient;
+		List<TypeDef> dynocodeTypes = new List<TypeDef>();
+
+		public List<TypeDef> Types {
+			get { return dynocodeTypes; }
+		}
+
+		class MyEnumerator : IEnumerator<int> {
+			DynamicDynocodeIterator ddi;
+
+			public MyEnumerator(DynamicDynocodeIterator ddi) {
+				this.ddi = ddi;
+			}
+
+			public int Current {
+				get {
+					return (int)ddi.assemblyClient.GenericService.SendMessage(DynocodeService.MSG_CALL_GET_CURRENT, null);
+				}
+			}
+
+			public void Dispose() {
+			}
+
+			object System.Collections.IEnumerator.Current {
+				get { return Current; }
+			}
+
+			public bool MoveNext() {
+				return (bool)ddi.assemblyClient.GenericService.SendMessage(DynocodeService.MSG_CALL_MOVE_NEXT, null);
+			}
+
+			public void Reset() {
+				throw new NotImplementedException();
+			}
+		}
+
+		public void Dispose() {
+			if (assemblyClient != null)
+				assemblyClient.Dispose();
+			assemblyClient = null;
+		}
+
+		public void Initialize(ModuleDef module) {
+			if (assemblyClient != null)
+				return;
+
+			var serverVersion = NewProcessAssemblyClientFactory.GetServerClrVersion(module);
+			assemblyClient = new NewProcessAssemblyClientFactory(serverVersion).Create(AssemblyServiceType.Generic);
+			assemblyClient.Connect();
+			assemblyClient.WaitConnected();
+
+			assemblyClient.GenericService.LoadUserService(typeof(DynocodeService), null);
+			assemblyClient.GenericService.LoadAssembly(module.Location);
+		}
+
+		public void CreateEnumerable(MethodDef ctor, object[] args) {
+			var type = ctor.DeclaringType;
+			while (type.DeclaringType != null)
+				type = type.DeclaringType;
+			dynocodeTypes.Add(type);
+			assemblyClient.GenericService.SendMessage(DynocodeService.MSG_CREATE_ENUMERABLE,
+					new object[] { ctor.MDToken.ToUInt32(), args });
+		}
+
+		public void WriteEnumerableField(uint fieldToken, object value) {
+			assemblyClient.GenericService.SendMessage(DynocodeService.MSG_WRITE_ENUMERABLE_FIELD,
+					new object[] { fieldToken, value });
+		}
+
+		public void CreateEnumerator() {
+			assemblyClient.GenericService.SendMessage(DynocodeService.MSG_CREATE_ENUMERATOR, null);
+		}
+
+		public IEnumerator<int> GetEnumerator() {
+			return new MyEnumerator(this);
+		}
+
+		System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() {
+			return new MyEnumerator(this);
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/Dynocode.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/Dynocode.cs
deleted file mode 100644
index fcd689ba..00000000
--- a/de4dot.code/deobfuscators/Eazfuscator_NET/Dynocode.cs
+++ /dev/null
@@ -1,289 +0,0 @@
-/*
-    Copyright (C) 2011-2013 de4dot@gmail.com
-
-    This file is part of de4dot.
-
-    de4dot is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    de4dot is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-using System.Collections.Generic;
-using dnlib.DotNet;
-using dnlib.DotNet.Emit;
-using de4dot.blocks;
-
-namespace de4dot.code.deobfuscators.Eazfuscator_NET {
-	interface IDynocodeGenerator {
-		IEnumerable<int> GetValues(int input);
-	}
-
-	// Something added in EF 3.5 which they call Dynocode. The string decrypter can now
-	// call some iterator classes that will return some integers that it will use to
-	// XOR some key.
-	class Dynocode {
-		ISimpleDeobfuscator simpleDeobfuscator;
-		Dictionary<TypeDef, IDynocodeGenerator> typeToDCGen = new Dictionary<TypeDef, IDynocodeGenerator>();
-
-		class DCGen1 : IDynocodeGenerator {
-			public int magic1;
-			public int magic2;
-			public int magic3;
-			public int magic4;
-			public int magic5;
-			public int magic6;
-			public int magic7;
-
-			public IEnumerable<int> GetValues(int input) {
-				yield return magic1;
-				yield return magic2;
-				yield return input ^ magic3;
-				yield return magic4;
-				yield return magic5;
-				yield return magic6;
-				yield return input ^ magic7;
-			}
-		}
-
-		class DCGen2 : IDynocodeGenerator {
-			public int magic1;
-
-			public IEnumerable<int> GetValues(int input) {
-				int x = 0;
-				int y = 1;
-				while (true) {
-					yield return y;
-					if (--input == 0)
-						break;
-					int tmp = y;
-					y = (x + y + input) ^ magic1;
-					x = tmp;
-				}
-			}
-		}
-
-		class DCGen3 : IDynocodeGenerator {
-			public int magic1;
-			public int magic2;
-			public DCGen2 dc2;
-
-			public IEnumerable<int> GetValues(int input) {
-				int i = 7;
-				foreach (var val in dc2.GetValues(input)) {
-					int x = val ^ input;
-					if ((x % 4) == 0)
-						x ^= magic1;
-					if ((x % 16) == 0)
-						x ^= magic2;
-					yield return x;
-					if (--i == 0)
-						break;
-				}
-			}
-		}
-
-		public IEnumerable<TypeDef> Types {
-			get {
-				foreach (var type in typeToDCGen.Keys)
-					yield return type.DeclaringType;
-			}
-		}
-
-		public Dynocode(ISimpleDeobfuscator simpleDeobfuscator) {
-			this.simpleDeobfuscator = simpleDeobfuscator;
-		}
-
-		public IDynocodeGenerator GetDynocodeGenerator(TypeDef type) {
-			if (type == null)
-				return null;
-			var dt = type.DeclaringType;
-			if (dt == null)
-				return null;
-			IDynocodeGenerator dcGen;
-			if (typeToDCGen.TryGetValue(type, out dcGen))
-				return dcGen;
-
-			if (dt.NestedTypes.Count == 1)
-				dcGen = GetDCGen1(type);
-			else if (dt.NestedTypes.Count == 2)
-				dcGen = GetDCGen3(type);
-
-			typeToDCGen[type] = dcGen;
-
-			return dcGen;
-		}
-
-		DCGen1 GetDCGen1(TypeDef type) {
-			var method = GetMoveNext(type);
-			if (method == null)
-				return null;
-			simpleDeobfuscator.Deobfuscate(method);
-			var swLabels = GetSwitchLabels(method);
-			if (swLabels == null || swLabels.Count < 7)
-				return null;
-
-			var dcGen = new DCGen1();
-			if (!GetMagicDC1(method, swLabels[0], out dcGen.magic1))
-				return null;
-			if (!GetMagicDC1(method, swLabels[1], out dcGen.magic2))
-				return null;
-			if (!GetMagicXorDC1(method, swLabels[2], out dcGen.magic3))
-				return null;
-			if (!GetMagicDC1(method, swLabels[3], out dcGen.magic4))
-				return null;
-			if (!GetMagicDC1(method, swLabels[4], out dcGen.magic5))
-				return null;
-			if (!GetMagicDC1(method, swLabels[5], out dcGen.magic6))
-				return null;
-			if (!GetMagicXorDC1(method, swLabels[6], out dcGen.magic7))
-				return null;
-
-			return dcGen;
-		}
-
-		static IList<Instruction> GetSwitchLabels(MethodDef method) {
-			foreach (var instr in method.Body.Instructions) {
-				if (instr.OpCode.Code != Code.Switch)
-					continue;
-				return instr.Operand as IList<Instruction>;
-			}
-			return null;
-		}
-
-		static bool GetMagicDC1(MethodDef method, Instruction target, out int magic) {
-			magic = 0;
-			var instrs = method.Body.Instructions;
-			int index = instrs.IndexOf(target);
-			if (index < 0)
-				return false;
-
-			for (int i = index; i < instrs.Count - 3; i++) {
-				var instr = instrs[i];
-				if (instr.OpCode.FlowControl != FlowControl.Next)
-					return false;
-				if (instr.OpCode.Code != Code.Stfld)
-					continue;
-				if (instrs[i + 1].OpCode.Code != Code.Ldarg_0)
-					continue;
-				var ldci4 = instrs[i + 2];
-				if (!ldci4.IsLdcI4())
-					continue;
-				if (instrs[i + 3].OpCode.Code != Code.Stfld)
-					continue;
-
-				magic = ldci4.GetLdcI4Value();
-				return true;
-			}
-
-			return false;
-		}
-
-		static bool GetMagicXorDC1(MethodDef method, Instruction target, out int magic) {
-			magic = 0;
-			var instrs = method.Body.Instructions;
-			int index = instrs.IndexOf(target);
-			if (index < 0)
-				return false;
-
-			for (int i = index; i < instrs.Count - 2; i++) {
-				var instr = instrs[i];
-				if (instr.OpCode.FlowControl != FlowControl.Next)
-					return false;
-				if (!instr.IsLdcI4())
-					continue;
-				if (instrs[i + 1].OpCode.Code != Code.Xor)
-					continue;
-				if (instrs[i + 2].OpCode.Code != Code.Stfld)
-					continue;
-
-				magic = instr.GetLdcI4Value();
-				return true;
-			}
-
-			return false;
-		}
-
-		DCGen3 GetDCGen3(TypeDef type) {
-			var method = GetMoveNext(type);
-			if (method == null)
-				return null;
-			simpleDeobfuscator.Deobfuscate(method);
-
-			var dcGen = new DCGen3();
-			int index = 0;
-			if (!GetMagicDC3(method, ref index, out dcGen.magic1))
-				return null;
-			if (!GetMagicDC3(method, ref index, out dcGen.magic2))
-				return null;
-
-			var dt = type.DeclaringType;
-			dcGen.dc2 = GetDCGen2(dt.NestedTypes[0] == type ? dt.NestedTypes[1] : dt.NestedTypes[0]);
-
-			return dcGen;
-		}
-
-		static bool GetMagicDC3(MethodDef method, ref int index, out int magic) {
-			var instrs = method.Body.Instructions;
-			for (int i = index; i < instrs.Count - 2; i++) {
-				var ldci4 = instrs[i];
-				if (!ldci4.IsLdcI4())
-					continue;
-				if (instrs[i + 1].OpCode.Code != Code.Xor)
-					continue;
-				if (instrs[i + 2].OpCode.Code != Code.Stfld)
-					continue;
-
-				index = i + 3;
-				magic = ldci4.GetLdcI4Value();
-				return true;
-			}
-
-			magic = 0;
-			return false;
-		}
-
-		DCGen2 GetDCGen2(TypeDef type) {
-			var method = GetMoveNext(type);
-			if (method == null)
-				return null;
-			simpleDeobfuscator.Deobfuscate(method);
-
-			var dcGen = new DCGen2();
-			int index = 0;
-			if (!GetMagicDC3(method, ref index, out dcGen.magic1))
-				return null;
-
-			return dcGen;
-		}
-
-		static MethodDef GetMoveNext(TypeDef type) {
-			foreach (var m in type.Methods) {
-				if (!m.IsVirtual)
-					continue;
-				foreach (var mo in m.Overrides) {
-					if (mo.MethodDeclaration.FullName == "System.Boolean System.Collections.IEnumerator::MoveNext()")
-						return m;
-				}
-			}
-			foreach (var m in type.Methods) {
-				if (!m.IsVirtual)
-					continue;
-				if (m.Name != "MoveNext")
-					continue;
-				if (!DotNetUtils.IsMethod(m, "System.Boolean", "()"))
-					continue;
-				return m;
-			}
-			return null;
-		}
-	}
-}
diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/DynocodeService.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/DynocodeService.cs
new file mode 100644
index 00000000..4c98d3d5
--- /dev/null
+++ b/de4dot.code/deobfuscators/Eazfuscator_NET/DynocodeService.cs
@@ -0,0 +1,100 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.Reflection;
+using AssemblyData;
+
+namespace de4dot.code.deobfuscators.Eazfuscator_NET {
+	class DynocodeService : IUserGenericService {
+		public const int MSG_CREATE_ENUMERABLE = 0;
+		public const int MSG_WRITE_ENUMERABLE_FIELD = 1;
+		public const int MSG_CREATE_ENUMERATOR = 2;
+		public const int MSG_CALL_GET_CURRENT = 3;
+		public const int MSG_CALL_MOVE_NEXT = 4;
+
+		Module reflObfModule;
+		IEnumerable<int> ienumerable = null;
+		IEnumerator<int> ienumerator = null;
+
+		[CreateUserGenericService]
+		public static IUserGenericService Create() {
+			return new DynocodeService();
+		}
+
+		public void AssemblyLoaded(Assembly assembly) {
+			this.reflObfModule = assembly.ManifestModule;
+		}
+
+		public object HandleMessage(int msg, object[] args) {
+			switch (msg) {
+			case MSG_CREATE_ENUMERABLE:
+				CreateEnumerable((uint)args[0], args[1] as object[]);
+				return true;
+
+			case MSG_WRITE_ENUMERABLE_FIELD:
+				WriteEnumerableField((uint)args[0], args[1] as object);
+				return true;
+
+			case MSG_CREATE_ENUMERATOR:
+				CreateEnumerator();
+				return true;
+
+			case MSG_CALL_GET_CURRENT:
+				return CallGetCurrent();
+
+			case MSG_CALL_MOVE_NEXT:
+				return CallMoveNext();
+
+			default:
+				throw new ApplicationException(string.Format("Invalid msg: {0:X8}", msg));
+			}
+		}
+
+		void CreateEnumerable(uint ctorToken, object[] args) {
+			var ctor = reflObfModule.ResolveMethod((int)ctorToken) as ConstructorInfo;
+			if (ctor == null)
+				throw new ApplicationException(string.Format("Invalid ctor with token: {0:X8}", ctorToken));
+			ienumerable = (IEnumerable<int>)ctor.Invoke(args);
+		}
+
+		void WriteEnumerableField(uint fieldToken, object value) {
+			var field = reflObfModule.ResolveField((int)fieldToken);
+			if (field == null)
+				throw new ApplicationException(string.Format("Invalid field: {0:X8}", fieldToken));
+			field.SetValue(ienumerable, value);
+		}
+
+		void CreateEnumerator() {
+			ienumerator = ienumerable.GetEnumerator();
+		}
+
+		int CallGetCurrent() {
+			return ienumerator.Current;
+		}
+
+		bool CallMoveNext() {
+			return ienumerator.MoveNext();
+		}
+
+		public void Dispose() {
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/ResourceMethodsRestorer.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/ResourceMethodsRestorer.cs
index ec9a2216..96db8fe4 100644
--- a/de4dot.code/deobfuscators/Eazfuscator_NET/ResourceMethodsRestorer.cs
+++ b/de4dot.code/deobfuscators/Eazfuscator_NET/ResourceMethodsRestorer.cs
@@ -50,9 +50,11 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 
 				var getStream2 = GetTheOnlyMethod(type, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
 				var getNames = GetTheOnlyMethod(type, "System.String[]", "(System.Reflection.Assembly)");
+				var getRefAsms = GetTheOnlyMethod(type, "System.Reflection.AssemblyName[]", "(System.Reflection.Assembly)");
 				var bitmapCtor = GetTheOnlyMethod(type, "System.Drawing.Bitmap", "(System.Type,System.String)");
 				var iconCtor = GetTheOnlyMethod(type, "System.Drawing.Icon", "(System.Type,System.String)");
-				if (getStream2 == null && getNames == null && bitmapCtor == null && iconCtor == null)
+				if (getStream2 == null && getNames == null && getRefAsms == null &&
+					bitmapCtor == null && iconCtor == null)
 					continue;
 
 				var resource = FindGetManifestResourceStreamTypeResource(type, simpleDeobfuscator, deob);
@@ -62,6 +64,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 				getManifestResourceStreamType = type;
 				CreateGetManifestResourceStream2(getStream2);
 				CreateGetManifestResourceNames(getNames);
+				CreateGetReferencedAssemblies(getRefAsms);
 				CreateBitmapCtor(bitmapCtor);
 				CreateIconCtor(iconCtor);
 				getManifestResourceStreamTypeResource = resource;
diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
index dd40699d..26b0d1cc 100644
--- a/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
@@ -27,7 +27,7 @@ using de4dot.blocks;
 using de4dot.blocks.cflow;
 
 namespace de4dot.code.deobfuscators.Eazfuscator_NET {
-	class StringDecrypter {
+	class StringDecrypter : IDisposable {
 		ModuleDefMD module;
 		TypeDef stringType;
 		MethodDef stringMethod;
@@ -47,7 +47,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 		EfConstantsReader stringMethodConsts;
 		bool isV32OrLater;
 		int? validStringDecrypterValue;
-		Dynocode dynocode;
+		DynamicDynocodeIterator dynocode;
 
 		class StreamHelperType {
 			public TypeDef type;
@@ -228,7 +228,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 		}
 
 		bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) {
-			dynocode = new Dynocode(simpleDeobfuscator);
+			dynocode = new DynamicDynocodeIterator();
 			simpleDeobfuscator.Deobfuscate(stringMethod);
 			stringMethodConsts = new EfConstantsReader(stringMethod);
 
@@ -671,7 +671,11 @@ done: ;
 			if (index + 4 >= instrs.Count)
 				return false;
 			var ldloc = instrs[index + 3];
-			if (!ldloc.IsLdloc() || instrs[index + 4].OpCode.Code != Code.Stfld)
+			var stfld = instrs[index + 4];
+			if (!ldloc.IsLdloc() || stfld.OpCode.Code != Code.Stfld)
+				return false;
+			var enumerableField = stfld.Operand as FieldDef;
+			if (enumerableField == null)
 				return false;
 
 			var initValue = emu.GetLocal(ldloc.GetLocal(stringMethod.Body.Variables)) as Int32Value;
@@ -692,19 +696,46 @@ done: ;
 			if (initValue2 == null || !initValue2.AllBitsValid())
 				return false;
 
-			var dcGen = dynocode.GetDynocodeGenerator(ctor.DeclaringType);
-			if (dcGen == null)
+			int loopStart = GetIndexOfCall(instrs, index, leaveIndex, "System.Int32 System.Collections.Generic.IEnumerator`1<System.Int32>::get_Current()");
+			int loopEnd = GetIndexOfCall(instrs, loopStart, leaveIndex, "System.Boolean System.Collections.IEnumerator::MoveNext()");
+			if (loopStart < 0 || loopEnd < 0)
 				return false;
-			int loopLocalValue = initValue2.value;
-			foreach (var val in dcGen.GetValues(initValue.value))
-				loopLocalValue ^= val;
+			loopStart++;
+			loopEnd--;
+
+			dynocode.Initialize(module);
+			var ctorArg = emu.Pop() as Int32Value;
+			if (ctorArg == null || !ctorArg.AllBitsValid())
+				return false;
+			dynocode.CreateEnumerable(ctor, new object[] { ctorArg.value });
+			dynocode.WriteEnumerableField(enumerableField.MDToken.ToUInt32(), initValue.value);
+			dynocode.CreateEnumerator();
+			foreach (var val in dynocode) {
+				emu.Push(new Int32Value(val));
+				for (int i = loopStart; i < loopEnd; i++)
+					emu.Emulate(instrs[i]);
+			}
 
-			emu.SetLocal(loopLocal, new Int32Value(loopLocalValue));
-			emu.Emulate(instr);
 			index = newIndex - 1;
 			return true;
 		}
 
+		static int GetIndexOfCall(IList<Instruction> instrs, int startIndex, int endIndex, string fullMethodName) {
+			if (startIndex < 0 || endIndex < 0)
+				return -1;
+			for (int i = startIndex; i < endIndex; i++) {
+				var instr = instrs[i];
+				if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
+					continue;
+				var method = instr.Operand as IMethod;
+				if (method == null || method.FullName != fullMethodName)
+					continue;
+
+				return i;
+			}
+			return -1;
+		}
+
 		Local GetDCLoopLocal(int start, int end) {
 			var instrs = stringMethod.Body.Instructions;
 			for (int i = start; i < end - 1; i++) {
@@ -980,5 +1011,15 @@ done: ;
 
 			return false;
 		}
+
+		public void Dispose() {
+			CloseServer();
+		}
+
+		public void CloseServer() {
+			if (dynocode != null)
+				dynocode.Dispose();
+			dynocode = null;
+		}
 	}
 }
diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/VersionDetector.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/VersionDetector.cs
index f88d7f10..e38a6f98 100644
--- a/de4dot.code/deobfuscators/Eazfuscator_NET/VersionDetector.cs
+++ b/de4dot.code/deobfuscators/Eazfuscator_NET/VersionDetector.cs
@@ -722,7 +722,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 					decryptStringMethod.Body.ExceptionHandlers.Count >= 2 &&
 					new LocalTypes(decryptStringMethod).All(locals35) &&
 					CheckTypeFields2(fields35)) {
-					return "3.5 - 3.6";
+					return "3.5 - 4.0";
 				}
 			}
 
diff --git a/de4dot.code/deobfuscators/MethodCallRestorerBase.cs b/de4dot.code/deobfuscators/MethodCallRestorerBase.cs
index 220067af..189549df 100644
--- a/de4dot.code/deobfuscators/MethodCallRestorerBase.cs
+++ b/de4dot.code/deobfuscators/MethodCallRestorerBase.cs
@@ -71,6 +71,15 @@ namespace de4dot.code.deobfuscators {
 			Add(oldMethod, newMethod, OpCodes.Callvirt);
 		}
 
+		public void CreateGetReferencedAssemblies(MethodDef oldMethod) {
+			if (oldMethod == null)
+				return;
+			var assemblyType = builder.Type("System.Reflection", "Assembly", builder.CorLib);
+			var asmNameArray = builder.Array(builder.Type("System.Reflection", "AssemblyName", builder.CorLib));
+			var newMethod = builder.InstanceMethod("GetReferencedAssemblies", assemblyType.TypeDefOrRef, asmNameArray);
+			Add(oldMethod, newMethod, OpCodes.Callvirt);
+		}
+
 		public void CreateBitmapCtor(MethodDef oldMethod) {
 			if (oldMethod == null)
 				return;

From f9dde3317c256f028c16672107e2c52e900d2830 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 29 Oct 2013 18:11:31 +0100
Subject: [PATCH 40/58] Rename namespace vm -> vm.v1

---
 de4dot.code/de4dot.code.csproj                | 22 +++++++++----------
 .../deobfuscators/Agile_NET/Deobfuscator.cs   |  6 ++---
 .../{ => v1}/CilOperandInstructionRestorer.cs |  2 +-
 .../Agile_NET/vm/{ => v1}/Csvm.cs             |  2 +-
 .../Agile_NET/vm/{ => v1}/CsvmDataReader.cs   |  2 +-
 .../Agile_NET/vm/{ => v1}/CsvmMethodData.cs   |  2 +-
 .../vm/{ => v1}/CsvmToCilMethodConverter.cs   |  2 +-
 .../Agile_NET/vm/{ => v1}/FieldsInfo.cs       |  2 +-
 .../Agile_NET/vm/{ => v1}/OpCodeHandler.cs    |  2 +-
 .../Agile_NET/vm/{ => v1}/OpCodeHandlers.cs   |  2 +-
 .../vm/{ => v1}/UnknownHandlerInfo.cs         |  2 +-
 .../vm/{ => v1}/VmOpCodeHandlerDetector.cs    |  2 +-
 .../Agile_NET/vm/{ => v1}/VmOperands.cs       |  2 +-
 13 files changed, 25 insertions(+), 25 deletions(-)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{ => v1}/CilOperandInstructionRestorer.cs (98%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{ => v1}/Csvm.cs (98%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{ => v1}/CsvmDataReader.cs (96%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{ => v1}/CsvmMethodData.cs (95%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{ => v1}/CsvmToCilMethodConverter.cs (99%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{ => v1}/FieldsInfo.cs (97%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{ => v1}/OpCodeHandler.cs (99%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{ => v1}/OpCodeHandlers.cs (99%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{ => v1}/UnknownHandlerInfo.cs (98%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{ => v1}/VmOpCodeHandlerDetector.cs (99%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{ => v1}/VmOperands.cs (97%)

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 7c946ab2..c5a3f7a4 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -66,17 +66,17 @@
     <Compile Include="deobfuscators\Agile_NET\ResourceDecrypter.cs" />
     <Compile Include="deobfuscators\Agile_NET\StackFrameHelper.cs" />
     <Compile Include="deobfuscators\Agile_NET\StringDecrypter.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\CilOperandInstructionRestorer.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\Csvm.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\CsvmDataReader.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\CsvmMethodData.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\CsvmToCilMethodConverter.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\FieldsInfo.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\OpCodeHandler.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\OpCodeHandlers.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\UnknownHandlerInfo.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\VmOpCodeHandlerDetector.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\VmOperands.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v1\CilOperandInstructionRestorer.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v1\Csvm.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v1\CsvmDataReader.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v1\CsvmMethodData.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v1\CsvmToCilMethodConverter.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v1\FieldsInfo.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v1\OpCodeHandler.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v1\OpCodeHandlers.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v1\UnknownHandlerInfo.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v1\VmOpCodeHandlerDetector.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v1\VmOperands.cs" />
     <Compile Include="deobfuscators\ArrayFinder.cs" />
     <Compile Include="deobfuscators\Babel_NET\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\Babel_NET\BabelInflater.cs" />
diff --git a/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs
index 4caf59ad..0533d003 100644
--- a/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs
@@ -85,7 +85,7 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 		ResourceDecrypter resourceDecrypter;
 
 		StackFrameHelper stackFrameHelper;
-		vm.Csvm csvm;
+		vm.v1.Csvm csvm;
 
 		internal class Options : OptionsBase {
 			public bool DecryptMethods { get; set; }
@@ -185,7 +185,7 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 			resourceDecrypter.Find();
 			proxyCallFixer = new ProxyCallFixer(module);
 			proxyCallFixer.FindDelegateCreator();
-			csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
+			csvm = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
 			csvm.Find();
 		}
 
@@ -227,7 +227,7 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 			newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter);
 			newOne.resourceDecrypter = new ResourceDecrypter(module, resourceDecrypter);
 			newOne.proxyCallFixer = new ProxyCallFixer(module, proxyCallFixer);
-			newOne.csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module, csvm);
+			newOne.csvm = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, module, csvm);
 			return newOne;
 		}
 
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/CilOperandInstructionRestorer.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/CilOperandInstructionRestorer.cs
similarity index 98%
rename from de4dot.code/deobfuscators/Agile_NET/vm/CilOperandInstructionRestorer.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/v1/CilOperandInstructionRestorer.cs
index 313243c0..69b93d5c 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/CilOperandInstructionRestorer.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/CilOperandInstructionRestorer.cs
@@ -21,7 +21,7 @@ using dnlib.DotNet;
 using dnlib.DotNet.Emit;
 using de4dot.blocks;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm {
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	// Tries to restore the operands of the following CIL instructions:
 	//	ldelema
 	//	ldobj
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/Csvm.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/Csvm.cs
similarity index 98%
rename from de4dot.code/deobfuscators/Agile_NET/vm/Csvm.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/v1/Csvm.cs
index e3030940..055edbec 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/Csvm.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/Csvm.cs
@@ -23,7 +23,7 @@ using System.IO;
 using dnlib.DotNet;
 using de4dot.blocks;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm {
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	class Csvm {
 		IDeobfuscatorContext deobfuscatorContext;
 		ModuleDefMD module;
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/CsvmDataReader.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmDataReader.cs
similarity index 96%
rename from de4dot.code/deobfuscators/Agile_NET/vm/CsvmDataReader.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmDataReader.cs
index 60e810f5..6a2753d8 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/CsvmDataReader.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmDataReader.cs
@@ -24,7 +24,7 @@ using dnlib.IO;
 using dnlib.DotNet;
 using de4dot.blocks;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm {
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	class CsvmDataReader {
 		IBinaryReader reader;
 
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/CsvmMethodData.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmMethodData.cs
similarity index 95%
rename from de4dot.code/deobfuscators/Agile_NET/vm/CsvmMethodData.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmMethodData.cs
index 0e67d178..99928842 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/CsvmMethodData.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmMethodData.cs
@@ -19,7 +19,7 @@
 
 using System;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm {
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	class CsvmMethodData {
 		public Guid Guid { get; set; }
 		public int Token { get; set; }
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/CsvmToCilMethodConverter.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmToCilMethodConverter.cs
similarity index 99%
rename from de4dot.code/deobfuscators/Agile_NET/vm/CsvmToCilMethodConverter.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmToCilMethodConverter.cs
index b468ef9e..e93d1d02 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/CsvmToCilMethodConverter.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmToCilMethodConverter.cs
@@ -24,7 +24,7 @@ using dnlib.DotNet;
 using dnlib.DotNet.Emit;
 using de4dot.blocks;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm {
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	class CsvmToCilMethodConverter {
 		IDeobfuscatorContext deobfuscatorContext;
 		ModuleDefMD module;
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/FieldsInfo.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/FieldsInfo.cs
similarity index 97%
rename from de4dot.code/deobfuscators/Agile_NET/vm/FieldsInfo.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/v1/FieldsInfo.cs
index a6945092..875d349d 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/FieldsInfo.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/FieldsInfo.cs
@@ -21,7 +21,7 @@ using System;
 using System.Collections.Generic;
 using dnlib.DotNet;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm {
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	class FieldsInfo {
 		public static readonly object EnumType = new object();
 		Dictionary<string, int> fieldTypes = new Dictionary<string, int>(StringComparer.Ordinal);
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/OpCodeHandler.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandler.cs
similarity index 99%
rename from de4dot.code/deobfuscators/Agile_NET/vm/OpCodeHandler.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandler.cs
index 1a911df6..625d5638 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/OpCodeHandler.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandler.cs
@@ -24,7 +24,7 @@ using de4dot.blocks;
 using dnlib.DotNet;
 using dnlib.DotNet.Emit;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm {
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	partial class OpCodeHandler {
 		public string Name { get; set; }
 		public OpCodeHandlerSigInfo OpCodeHandlerSigInfo { get; set; }
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/OpCodeHandlers.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandlers.cs
similarity index 99%
rename from de4dot.code/deobfuscators/Agile_NET/vm/OpCodeHandlers.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandlers.cs
index 6b9dd252..3dc9fc80 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/OpCodeHandlers.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandlers.cs
@@ -17,7 +17,7 @@
     along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm {
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	static partial class OpCodeHandlers {
 		public static readonly OpCodeHandler[][] opcodeHandlers = new OpCodeHandler[][] {
 			new OpCodeHandler[] {
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/UnknownHandlerInfo.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/UnknownHandlerInfo.cs
similarity index 98%
rename from de4dot.code/deobfuscators/Agile_NET/vm/UnknownHandlerInfo.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/v1/UnknownHandlerInfo.cs
index 05557708..b2a08276 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/UnknownHandlerInfo.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/UnknownHandlerInfo.cs
@@ -23,7 +23,7 @@ using dnlib.DotNet;
 using dnlib.DotNet.Emit;
 using de4dot.blocks;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm {
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	class UnknownHandlerInfo {
 		TypeDef type;
 		CsvmInfo csvmInfo;
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/VmOpCodeHandlerDetector.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOpCodeHandlerDetector.cs
similarity index 99%
rename from de4dot.code/deobfuscators/Agile_NET/vm/VmOpCodeHandlerDetector.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOpCodeHandlerDetector.cs
index 5be219cc..7ec49e86 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/VmOpCodeHandlerDetector.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOpCodeHandlerDetector.cs
@@ -24,7 +24,7 @@ using dnlib.DotNet.Emit;
 using de4dot.blocks;
 using de4dot.blocks.cflow;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm {
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	class OpCodeHandlerSigInfo {
 		public object[] RequiredFieldTypes { get; set; }
 		public string[] ExecuteMethodLocals { get; set; }
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/VmOperands.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOperands.cs
similarity index 97%
rename from de4dot.code/deobfuscators/Agile_NET/vm/VmOperands.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOperands.cs
index bfb143a8..108bfff2 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/VmOperands.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOperands.cs
@@ -17,7 +17,7 @@
     along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm {
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	interface IVmOperand {
 	}
 

From eb284bf4bf2d9f0a1f9aa26f616c32324a52c3e0 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 5 Nov 2013 13:52:58 +0100
Subject: [PATCH 41/58] Support .NET Reactor 4.7

---
 .../dotNET_Reactor/v4/AssemblyResolver.cs           |  1 -
 .../deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs | 13 ++++++++++---
 .../dotNET_Reactor/v4/EncryptedResource.cs          |  3 ++-
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/AssemblyResolver.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/AssemblyResolver.cs
index 08f3ba8b..8a4ce825 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/AssemblyResolver.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/AssemblyResolver.cs
@@ -87,7 +87,6 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			var resolverLocals = new string[] {
 				"System.Byte[]",
 				"System.Reflection.Assembly",
-				"System.Security.Cryptography.MD5",
 				"System.String",
 				"System.IO.BinaryReader",
 				"System.IO.Stream",
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
index 360c0e9d..b0f2fd22 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
@@ -32,7 +32,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
 		public const string THE_NAME = ".NET Reactor";
 		public const string THE_TYPE = "dr4";
-		const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
+		const string DEFAULT_REGEX = @"!^[A-Za-z0-9]{2,3}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
 		BoolOption decryptMethods;
 		BoolOption decryptBools;
 		BoolOption restoreTypes;
@@ -366,16 +366,23 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 					return DeobfuscatorInfo.THE_NAME + " 4.0 - 4.4";
 
 				int numIntPtrSizeCompares = CountCompareSystemIntPtrSize(methodsDecrypter.Method);
+				bool hasSymmetricAlgorithm = new LocalTypes(methodsDecrypter.Method).Exists("System.Security.Cryptography.SymmetricAlgorithm");
 				if (module.IsClr40) {
 					switch (numIntPtrSizeCompares) {
 					case 9: return DeobfuscatorInfo.THE_NAME + " 4.5";
-					case 10:return DeobfuscatorInfo.THE_NAME + " 4.6";
+					case 10:
+						if (!hasSymmetricAlgorithm)
+							return DeobfuscatorInfo.THE_NAME + " 4.6";
+						return DeobfuscatorInfo.THE_NAME + " 4.7";
 					}
 				}
 				else {
 					switch (numIntPtrSizeCompares) {
 					case 8: return DeobfuscatorInfo.THE_NAME + " 4.5";
-					case 9: return DeobfuscatorInfo.THE_NAME + " 4.6";
+					case 9:
+						if (!hasSymmetricAlgorithm)
+							return DeobfuscatorInfo.THE_NAME + " 4.6";
+						return DeobfuscatorInfo.THE_NAME + " 4.7";
 					}
 				}
 
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs
index c9f59963..9660c66e 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/EncryptedResource.cs
@@ -91,7 +91,8 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 			if (!localTypes.All(requiredTypes))
 				return false;
 			if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") &&
-				!localTypes.Exists("System.Security.Cryptography.AesManaged"))
+				!localTypes.Exists("System.Security.Cryptography.AesManaged") &&
+				!localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm"))
 				return false;
 
 			if (checkResource && FindMethodsDecrypterResource(method) == null)

From 85c565fc20565d7cc80eca4ea7b460f5a1ac35ec Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 6 Nov 2013 03:20:44 +0100
Subject: [PATCH 42/58] Support more MaxtoCode runtimes

---
 .../deobfuscators/MaxtoCode/EncryptionInfos.cs |  9 +++++++++
 .../MaxtoCode/MethodsDecrypter.cs              | 18 ++++++++++++++++++
 .../deobfuscators/MaxtoCode/PeHeader.cs        |  2 ++
 3 files changed, 29 insertions(+)

diff --git a/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs b/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs
index 4baf7b93..f5efc42e 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs
@@ -110,6 +110,13 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				MagicHi = 0x624ECDA3,
 				Version = EncryptionVersion.V8,
 			},
+			// 526BC020
+			// 526BDD12
+			new EncryptionInfo {
+				MagicLo = 0x9A683B87,
+				MagicHi = 0x928ECDA3,
+				Version = EncryptionVersion.V8,
+			},
 		};
 
 		public static readonly EncryptionInfo[] McKey8C0h = new EncryptionInfo[] {
@@ -168,6 +175,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 			// 51413BD8
 			// 51413D68
 			// 5166DB4F
+			// 526BC020
+			// 526BDD12
 			new EncryptionInfo {
 				MagicLo = 0x1A731B13,
 				MagicHi = 0x1723891F,
diff --git a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
index 27cfb8b8..b312d2a5 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
@@ -192,6 +192,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v7, Decrypt9_v7, Decrypt7, Decrypt5 }, new uint[] { 0x51413D68 }));
 					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v8, Decrypt9_v8, Decrypt7, Decrypt5 }, new uint[] { 0x513D7124, 0x51413BD8 }));
 					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v2, Decrypt3_v6, Decrypt1_v9, Decrypt6, Decrypt8_v8, Decrypt9_v9, Decrypt7, Decrypt5 }, new uint[] { 0x513D4492 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v6, Decrypt2_v2, Decrypt4_v8, Decrypt1_v10, Decrypt8_v9, Decrypt9_v10, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x526BDD12 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v10, Decrypt4_v8, Decrypt2_v2, Decrypt3_v6, Decrypt6, Decrypt8_v9, Decrypt9_v10, Decrypt7, Decrypt5 }, new uint[] { 0x526BC020 }));
 					break;
 
 				case EncryptionVersion.Unknown:
@@ -398,6 +400,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				return Decrypt1(encrypted, 9, 0x13, 0x400);
 			}
 
+			byte[] Decrypt1_v10(byte[] encrypted) {
+				return Decrypt1(encrypted, 0x11, 0x11, 0x400);
+			}
+
 			byte[] Decrypt1(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 				var decrypted = new byte[encrypted.Length];
 				for (int i = 0, ki = keyStart; i < decrypted.Length; i++) {
@@ -532,6 +538,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				return Decrypt4(encrypted, 0x0B, 0x0B, 0x100);
 			}
 
+			byte[] Decrypt4_v8(byte[] encrypted) {
+				return Decrypt4(encrypted, 9, 9, 0x100);
+			}
+
 			byte[] Decrypt4(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 				var decrypted = new byte[encrypted.Length / 3 * 2 + 1];
 
@@ -585,6 +595,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				return Decrypt8(encrypted, 0x11, 0x11, 0x600);
 			}
 
+			byte[] Decrypt8_v9(byte[] encrypted) {
+				return Decrypt8(encrypted, 0xA, 0xA, 0x600);
+			}
+
 			byte[] Decrypt8(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 				var decrypted = new byte[encrypted.Length];
 				int ki = keyStart;
@@ -618,6 +632,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 				return Decrypt9(encrypted, 0x10, 0x10, 0x510);
 			}
 
+			byte[] Decrypt9_v10(byte[] encrypted) {
+				return Decrypt9(encrypted, 5, 5, 0x510);
+			}
+
 			byte[] Decrypt9(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 				var decrypted = new byte[encrypted.Length];
 				int ki = keyStart;
diff --git a/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs b/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs
index 2922361f..5eeeb246 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs
@@ -70,6 +70,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 					break;
 				if (CheckMcKeyRva(peImage, 0x18ABA931))
 					break;
+				if (CheckMcKeyRva(peImage, 0x18ABA933))
+					break;
 				break;
 			}
 		}

From d410d808154670ece0ecadb631210e9de85c14b7 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 6 Nov 2013 08:12:40 +0100
Subject: [PATCH 43/58] Update CO resource class detector code

---
 .../CryptoObfuscator/ResourceDecrypter.cs      | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
index 3bc60166..d78cbac3 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
@@ -48,17 +48,11 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 
 		void Find(ISimpleDeobfuscator simpleDeobfuscator) {
 			switch (frameworkType) {
-			case FrameworkType.Desktop:
-				if (!module.IsClr1x)
-					FindDesktopOrCompactFramework();
-				else
-					FindDesktopOrCompactFrameworkV1();
-				break;
-
 			case FrameworkType.Silverlight:
 				FindSilverlight();
 				break;
 
+			case FrameworkType.Desktop:
 			case FrameworkType.CompactFramework:
 				if (!module.IsClr1x) {
 					if (FindDesktopOrCompactFramework())
@@ -243,11 +237,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 						return true;
 					}
 				}
-				else {
-					if (constants.Count == 1) {
-						desEncryptedFlag = (byte)constants[0];
-						return true;
-					}
+				if (constants.Count == 1) {
+					desEncryptedFlag = (byte)constants[0];
+					return true;
 				}
 				break;
 
@@ -302,6 +294,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 					yield return method;
 				else if (DotNetUtils.IsMethod(method, "System.Byte[]", "(System.Int64,System.IO.Stream)"))
 					yield return method;
+				else if (DotNetUtils.IsMethod(method, "System.Byte[]", "(System.Int64,System.IO.Stream,System.UInt32)"))
+					yield return method;
 				else if (DotNetUtils.IsMethod(method, "System.Byte[]", "(System.Int32,System.IO.Stream)"))
 					yield return method;
 				else if (DotNetUtils.IsMethod(method, "System.Byte[]", "(System.Int16,System.IO.Stream)"))

From 6dfe2fd1b60e815a04cde59911275e91d4231309 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 6 Nov 2013 08:13:43 +0100
Subject: [PATCH 44/58] Add updated dnlib submodule

---
 dnlib | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dnlib b/dnlib
index 819ef389..d317a317 160000
--- a/dnlib
+++ b/dnlib
@@ -1 +1 @@
-Subproject commit 819ef3890267f7bec108346def38a87ddfcbd9a1
+Subproject commit d317a317ce5b80868d7b94149ffc22fa9fd54810

From d4ff713b95a48664c7c224768983605c9183eb68 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Thu, 7 Nov 2013 03:25:52 +0100
Subject: [PATCH 45/58] Update DNR name regex

---
 de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
index b0f2fd22..3a24139d 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
@@ -178,7 +178,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 
 		static Regex isRandomName = new Regex(@"^[A-Z]{30,40}$");
 		static Regex isRandomNameMembers = new Regex(@"^[a-zA-Z0-9]{9,11}$");	// methods, fields, props, events
-		static Regex isRandomNameTypes = new Regex(@"^[a-zA-Z0-9]{18,19}(?:`\d+)?$");	// types, namespaces
+		static Regex isRandomNameTypes = new Regex(@"^[a-zA-Z0-9]{18,20}(?:`\d+)?$");	// types, namespaces
 
 		bool CheckValidName(string name, Regex regex) {
 			if (isRandomName.IsMatch(name))

From b65e9a59dfbe793363a599494b4ea501c7e179dc Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 8 Nov 2013 11:05:17 +0100
Subject: [PATCH 46/58] Support latest Agile.NET

---
 de4dot.code/de4dot.code.csproj                |  35 +-
 .../Agile_NET/CliSecureRtType.cs              |  28 +-
 .../deobfuscators/Agile_NET/Deobfuscator.cs   |  23 +-
 .../{v1 => }/CilOperandInstructionRestorer.cs |  70 +-
 .../Agile_NET/vm/{v1 => }/CsvmDataReader.cs   |   2 +-
 .../Agile_NET/vm/{v1 => }/CsvmMethodData.cs   |   2 +-
 .../vm/CsvmToCilMethodConverterBase.cs        | 417 ++++++++++
 .../vm/{v1/VmOperands.cs => VmOperand.cs}     |  56 +-
 .../deobfuscators/Agile_NET/vm/v1/Csvm.cs     |   2 +-
 .../vm/v1/CsvmToCilMethodConverter.cs         | 397 +--------
 .../Agile_NET/vm/v1/OpCodeHandler.cs          | 139 ++--
 .../Agile_NET/vm/v1/OpCodeHandlers.cs         |   2 +-
 .../vm/v1/VmOpCodeHandlerDetector.cs          |   2 +-
 .../Agile_NET/vm/v2/CSVM1_v2.bin              | Bin 0 -> 9520 bytes
 .../Agile_NET/vm/v2/CSVM2_v2.bin              | Bin 0 -> 9520 bytes
 .../Agile_NET/vm/v2/CSVM3_v2.bin              | Bin 0 -> 9580 bytes
 .../vm/v2/CompositeHandlerDetector.cs         | 335 ++++++++
 .../Agile_NET/vm/v2/CompositeOpCodeHandler.cs |  67 ++
 .../deobfuscators/Agile_NET/vm/v2/Csvm.cs     | 164 ++++
 .../deobfuscators/Agile_NET/vm/v2/CsvmInfo.cs | 779 ++++++++++++++++++
 .../Agile_NET/vm/v2/CsvmResources.Designer.cs |  93 +++
 .../Agile_NET/vm/v2/CsvmResources.resx        | 130 +++
 .../vm/v2/CsvmToCilMethodConverter.cs         |  64 ++
 .../Agile_NET/vm/v2/HandlerTypeCode.cs        | 102 +++
 .../Agile_NET/vm/v2/MethodFinder.cs           | 109 +++
 .../Agile_NET/vm/v2/MethodSigInfoCreator.cs   | 737 +++++++++++++++++
 .../Agile_NET/vm/v2/OpCodeHandler.cs          |  38 +
 .../Agile_NET/vm/v2/OpCodeHandlerInfo.cs      | 123 +++
 .../vm/v2/OpCodeHandlerInfoReader.cs          | 528 ++++++++++++
 .../Agile_NET/vm/v2/OpCodeHandlerInfos.cs     |  98 +++
 .../deobfuscators/Agile_NET/vm/v2/VmOpCode.cs |  44 +
 .../vm/v2/VmOpCodeHandlerDetector.cs          | 297 +++++++
 de4dot.code/deobfuscators/NullStream.cs       |  87 ++
 de4dot.mdecrypt/DynamicMethodsDecrypter.cs    |  94 ++-
 34 files changed, 4497 insertions(+), 567 deletions(-)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{v1 => }/CilOperandInstructionRestorer.cs (59%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{v1 => }/CsvmDataReader.cs (96%)
 rename de4dot.code/deobfuscators/Agile_NET/vm/{v1 => }/CsvmMethodData.cs (95%)
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/CsvmToCilMethodConverterBase.cs
 rename de4dot.code/deobfuscators/Agile_NET/vm/{v1/VmOperands.cs => VmOperand.cs} (51%)
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM1_v2.bin
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM2_v2.bin
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM3_v2.bin
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/CompositeHandlerDetector.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/CompositeOpCodeHandler.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/Csvm.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmInfo.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.Designer.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.resx
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmToCilMethodConverter.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/HandlerTypeCode.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/MethodFinder.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/MethodSigInfoCreator.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandler.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfo.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfoReader.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfos.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCode.cs
 create mode 100644 de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCodeHandlerDetector.cs
 create mode 100644 de4dot.code/deobfuscators/NullStream.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index c5a3f7a4..086e236c 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -66,17 +66,37 @@
     <Compile Include="deobfuscators\Agile_NET\ResourceDecrypter.cs" />
     <Compile Include="deobfuscators\Agile_NET\StackFrameHelper.cs" />
     <Compile Include="deobfuscators\Agile_NET\StringDecrypter.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\v1\CilOperandInstructionRestorer.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\CilOperandInstructionRestorer.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\CsvmDataReader.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\CsvmMethodData.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\CsvmToCilMethodConverterBase.cs" />
     <Compile Include="deobfuscators\Agile_NET\vm\v1\Csvm.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\v1\CsvmDataReader.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\v1\CsvmMethodData.cs" />
     <Compile Include="deobfuscators\Agile_NET\vm\v1\CsvmToCilMethodConverter.cs" />
     <Compile Include="deobfuscators\Agile_NET\vm\v1\FieldsInfo.cs" />
     <Compile Include="deobfuscators\Agile_NET\vm\v1\OpCodeHandler.cs" />
     <Compile Include="deobfuscators\Agile_NET\vm\v1\OpCodeHandlers.cs" />
     <Compile Include="deobfuscators\Agile_NET\vm\v1\UnknownHandlerInfo.cs" />
     <Compile Include="deobfuscators\Agile_NET\vm\v1\VmOpCodeHandlerDetector.cs" />
-    <Compile Include="deobfuscators\Agile_NET\vm\v1\VmOperands.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\CompositeHandlerDetector.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\CompositeOpCodeHandler.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\Csvm.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\CsvmInfo.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\CsvmResources.Designer.cs">
+      <AutoGen>True</AutoGen>
+      <DesignTime>True</DesignTime>
+      <DependentUpon>CsvmResources.resx</DependentUpon>
+    </Compile>
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\CsvmToCilMethodConverter.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\HandlerTypeCode.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\MethodFinder.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\MethodSigInfoCreator.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\OpCodeHandler.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\OpCodeHandlerInfo.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\OpCodeHandlerInfoReader.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\OpCodeHandlerInfos.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\VmOpCode.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\v2\VmOpCodeHandlerDetector.cs" />
+    <Compile Include="deobfuscators\Agile_NET\vm\VmOperand.cs" />
     <Compile Include="deobfuscators\ArrayFinder.cs" />
     <Compile Include="deobfuscators\Babel_NET\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\Babel_NET\BabelInflater.cs" />
@@ -233,6 +253,7 @@
     <Compile Include="deobfuscators\MethodStack.cs" />
     <Compile Include="deobfuscators\MPRESS\Deobfuscator.cs" />
     <Compile Include="deobfuscators\MPRESS\Lzmat.cs" />
+    <Compile Include="deobfuscators\NullStream.cs" />
     <Compile Include="deobfuscators\Operations.cs" />
     <Compile Include="deobfuscators\ProxyCallFixerBase.cs" />
     <Compile Include="deobfuscators\QuickLZ.cs" />
@@ -351,6 +372,12 @@
       <Name>dnlib</Name>
     </ProjectReference>
   </ItemGroup>
+  <ItemGroup>
+    <EmbeddedResource Include="deobfuscators\Agile_NET\vm\v2\CsvmResources.resx">
+      <Generator>ResXFileCodeGenerator</Generator>
+      <LastGenOutput>CsvmResources.Designer.cs</LastGenOutput>
+    </EmbeddedResource>
+  </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <PropertyGroup>
     <PostBuildEvent>mkdir "..\$(OutDir)..\LICENSES"
diff --git a/de4dot.code/deobfuscators/Agile_NET/CliSecureRtType.cs b/de4dot.code/deobfuscators/Agile_NET/CliSecureRtType.cs
index 6f6f233e..3eb06f57 100644
--- a/de4dot.code/deobfuscators/Agile_NET/CliSecureRtType.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/CliSecureRtType.cs
@@ -88,19 +88,6 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 		static readonly string[] requiredFields1 = new string[] {
 			"System.Boolean",
 		};
-		static readonly string[] requiredFields2 = new string[] {
-			"System.Boolean",
-			"System.Reflection.Assembly",
-		};
-		static readonly string[] requiredFields3 = new string[] {
-			"System.Boolean",
-			"System.Byte[]",
-		};
-		static readonly string[] requiredFields4 = new string[] {
-			"System.Boolean",
-			"System.Reflection.Assembly",
-			"System.Byte[]",
-		};
 		bool Find2() {
 			foreach (var cctor in DeobUtils.GetInitCctors(module, 3)) {
 				foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, cctor)) {
@@ -108,8 +95,7 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 					if (type.IsPublic)
 						continue;
 					var fieldTypes = new FieldTypes(type);
-					if (!fieldTypes.Exactly(requiredFields1) && !fieldTypes.Exactly(requiredFields2) &&
-						!fieldTypes.Exactly(requiredFields3) && !fieldTypes.Exactly(requiredFields4))
+					if (!fieldTypes.All(requiredFields1))
 						continue;
 					if (!HasInitializeMethod(type, "_Initialize") && !HasInitializeMethod(type, "_Initialize64"))
 						continue;
@@ -126,11 +112,19 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 			return false;
 		}
 
+		static string[] requiredFields6 = new string[] {
+			"System.Byte[]",
+		};
+		static string[] requiredFields7 = new string[] {
+			"System.Byte[]",
+			"System.Collections.Hashtable",
+		};
 		bool Find3() {
 			foreach (var type in module.Types) {
-				if (type.Fields.Count != 1)
+				if (type.Fields.Count < 1 || type.Fields.Count > 2)
 					continue;
-				if (type.Fields[0].FieldSig.GetFieldType().GetFullName() != "System.Byte[]")
+				var fieldTypes = new FieldTypes(type);
+				if (!fieldTypes.Exactly(requiredFields6) && !fieldTypes.Exactly(requiredFields7))
 					continue;
 				if (type.Methods.Count != 2)
 					continue;
diff --git a/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs
index 0533d003..b0ac7bde 100644
--- a/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs
@@ -85,7 +85,8 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 		ResourceDecrypter resourceDecrypter;
 
 		StackFrameHelper stackFrameHelper;
-		vm.v1.Csvm csvm;
+		vm.v1.Csvm csvmV1;
+		vm.v2.Csvm csvmV2;
 
 		internal class Options : OptionsBase {
 			public bool DecryptMethods { get; set; }
@@ -166,7 +167,8 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 					ToInt32(stringDecrypter.Detected) +
 					ToInt32(proxyCallFixer.Detected) +
 					ToInt32(resourceDecrypter.Detected) +
-					ToInt32(csvm.Detected);
+					ToInt32(csvmV1.Detected) +
+					ToInt32(csvmV2.Detected);
 			if (sum > 0)
 				val += 100 + 10 * (sum - 1);
 			if (cliSecureAttributes.Count != 0)
@@ -185,8 +187,10 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 			resourceDecrypter.Find();
 			proxyCallFixer = new ProxyCallFixer(module);
 			proxyCallFixer.FindDelegateCreator();
-			csvm = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
-			csvm.Find();
+			csvmV1 = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
+			csvmV1.Find();
+			csvmV2 = new vm.v2.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
+			csvmV2.Find();
 		}
 
 		void FindCliSecureAttribute() {
@@ -227,7 +231,8 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 			newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter);
 			newOne.resourceDecrypter = new ResourceDecrypter(module, resourceDecrypter);
 			newOne.proxyCallFixer = new ProxyCallFixer(module, proxyCallFixer);
-			newOne.csvm = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, module, csvm);
+			newOne.csvmV1 = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, module, csvmV1);
+			newOne.csvmV2 = new vm.v2.Csvm(DeobfuscatedFile.DeobfuscatorContext, module, csvmV2);
 			return newOne;
 		}
 
@@ -270,9 +275,11 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 				FindPossibleNamesToRemove(cliSecureRtType.LoadMethod);
 			}
 
-			if (options.RestoreVmCode) {
-				if (csvm.Restore())
-					AddResourceToBeRemoved(csvm.Resource, "CSVM data resource");
+			if (options.RestoreVmCode && (csvmV1.Detected || csvmV2.Detected)) {
+				if (csvmV1.Detected && csvmV1.Restore())
+					AddResourceToBeRemoved(csvmV1.Resource, "CSVM data resource");
+				else if (csvmV2.Detected && csvmV2.Restore())
+					AddResourceToBeRemoved(csvmV2.Resource, "CSVM data resource");
 				else {
 					Logger.e("Couldn't restore VM methods. Use --dont-rename or it will not run");
 					PreserveTokensAndTypes();
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v1/CilOperandInstructionRestorer.cs b/de4dot.code/deobfuscators/Agile_NET/vm/CilOperandInstructionRestorer.cs
similarity index 59%
rename from de4dot.code/deobfuscators/Agile_NET/vm/v1/CilOperandInstructionRestorer.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/CilOperandInstructionRestorer.cs
index 69b93d5c..4df28e4c 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v1/CilOperandInstructionRestorer.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/CilOperandInstructionRestorer.cs
@@ -21,11 +21,9 @@ using dnlib.DotNet;
 using dnlib.DotNet.Emit;
 using de4dot.blocks;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
+namespace de4dot.code.deobfuscators.Agile_NET.vm {
 	// Tries to restore the operands of the following CIL instructions:
-	//	ldelema
-	//	ldobj
-	//	stobj
+	//	ldelema, ldelem.*, stelem.*, ldobj, stobj
 	class CilOperandInstructionRestorer {
 		MethodDef method;
 
@@ -42,10 +40,66 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 				if (instr.Operand != null)
 					continue;
 
-				TypeSig operandType = null;
+				TypeSig operandType = null, operandTypeTmp;
+				OpCode newOpCode = null;
+				SZArraySig arrayType;
 				switch (instr.OpCode.Code) {
+				case Code.Ldelem:
+					arrayType = MethodStack.GetLoadedType(method, instrs, i, 1) as SZArraySig;
+					if (arrayType == null)
+						break;
+					operandTypeTmp = arrayType.Next;
+					if (operandTypeTmp == null)
+						newOpCode = OpCodes.Ldelem_Ref;
+					else {
+						switch (operandTypeTmp.ElementType) {
+						case ElementType.I:  newOpCode = OpCodes.Ldelem_I; break;
+						case ElementType.I1: newOpCode = OpCodes.Ldelem_I1; break;
+						case ElementType.I2: newOpCode = OpCodes.Ldelem_I2; break;
+						case ElementType.I4: newOpCode = OpCodes.Ldelem_I4; break;
+						case ElementType.I8: newOpCode = OpCodes.Ldelem_I8; break;
+						case ElementType.U:  newOpCode = OpCodes.Ldelem_I; break;
+						case ElementType.U1: newOpCode = OpCodes.Ldelem_U1; break;
+						case ElementType.U2: newOpCode = OpCodes.Ldelem_U2; break;
+						case ElementType.U4: newOpCode = OpCodes.Ldelem_U4; break;
+						case ElementType.U8: newOpCode = OpCodes.Ldelem_I8; break;
+						case ElementType.R4: newOpCode = OpCodes.Ldelem_R4; break;
+						case ElementType.R8: newOpCode = OpCodes.Ldelem_R8; break;
+						default:             newOpCode = OpCodes.Ldelem_Ref; break;
+						//TODO: Ldelem
+						}
+					}
+					break;
+
+				case Code.Stelem:
+					arrayType = MethodStack.GetLoadedType(method, instrs, i, 2) as SZArraySig;
+					if (arrayType == null)
+						break;
+					operandTypeTmp = arrayType.Next;
+					if (operandTypeTmp == null)
+						newOpCode = OpCodes.Stelem_Ref;
+					else {
+						switch (operandTypeTmp.ElementType) {
+						case ElementType.U:
+						case ElementType.I:  newOpCode = OpCodes.Stelem_I; break;
+						case ElementType.U1:
+						case ElementType.I1: newOpCode = OpCodes.Stelem_I1; break;
+						case ElementType.U2:
+						case ElementType.I2: newOpCode = OpCodes.Stelem_I2; break;
+						case ElementType.U4:
+						case ElementType.I4: newOpCode = OpCodes.Stelem_I4; break;
+						case ElementType.U8:
+						case ElementType.I8: newOpCode = OpCodes.Stelem_I8; break;
+						case ElementType.R4: newOpCode = OpCodes.Stelem_R4; break;
+						case ElementType.R8: newOpCode = OpCodes.Stelem_R8; break;
+						default: newOpCode = OpCodes.Stelem_Ref; break;
+						//TODO: Stelem
+						}
+					}
+					break;
+
 				case Code.Ldelema:
-					var arrayType = MethodStack.GetLoadedType(method, instrs, i, 1) as SZArraySig;
+					arrayType = MethodStack.GetLoadedType(method, instrs, i, 1) as SZArraySig;
 					if (arrayType == null)
 						break;
 					operandType = arrayType.Next;
@@ -64,12 +118,14 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 				default:
 					continue;
 				}
-				if (!IsValidType(operandType)) {
+				if (newOpCode == null && !IsValidType(operandType)) {
 					atLeastOneFailed = true;
 					continue;
 				}
 
 				instr.Operand = operandType.ToTypeDefOrRef();
+				if (newOpCode != null)
+					instr.OpCode = newOpCode;
 			}
 
 			return !atLeastOneFailed;
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmDataReader.cs b/de4dot.code/deobfuscators/Agile_NET/vm/CsvmDataReader.cs
similarity index 96%
rename from de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmDataReader.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/CsvmDataReader.cs
index 6a2753d8..60e810f5 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmDataReader.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/CsvmDataReader.cs
@@ -24,7 +24,7 @@ using dnlib.IO;
 using dnlib.DotNet;
 using de4dot.blocks;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
+namespace de4dot.code.deobfuscators.Agile_NET.vm {
 	class CsvmDataReader {
 		IBinaryReader reader;
 
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmMethodData.cs b/de4dot.code/deobfuscators/Agile_NET/vm/CsvmMethodData.cs
similarity index 95%
rename from de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmMethodData.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/CsvmMethodData.cs
index 99928842..0e67d178 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmMethodData.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/CsvmMethodData.cs
@@ -19,7 +19,7 @@
 
 using System;
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
+namespace de4dot.code.deobfuscators.Agile_NET.vm {
 	class CsvmMethodData {
 		public Guid Guid { get; set; }
 		public int Token { get; set; }
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/CsvmToCilMethodConverterBase.cs b/de4dot.code/deobfuscators/Agile_NET/vm/CsvmToCilMethodConverterBase.cs
new file mode 100644
index 00000000..00757dab
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/CsvmToCilMethodConverterBase.cs
@@ -0,0 +1,417 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm {
+	abstract class CsvmToCilMethodConverterBase {
+		readonly IDeobfuscatorContext deobfuscatorContext;
+		readonly protected ModuleDefMD module;
+		readonly CilOperandInstructionRestorer operandRestorer = new CilOperandInstructionRestorer();
+		readonly Dictionary<Instruction, int> cilToVmIndex = new Dictionary<Instruction, int>();
+		readonly Dictionary<int, Instruction> vmIndexToCil = new Dictionary<int, Instruction>();
+
+		public CsvmToCilMethodConverterBase(IDeobfuscatorContext deobfuscatorContext, ModuleDefMD module) {
+			this.deobfuscatorContext = deobfuscatorContext;
+			this.module = module;
+		}
+
+		protected void SetCilToVmIndex(Instruction instr, int vmIndex) {
+			cilToVmIndex[instr] = vmIndex;
+		}
+
+		protected void SetVmIndexToCil(Instruction instr, int vmIndex) {
+			vmIndexToCil[vmIndex] = instr;
+		}
+
+		public void Convert(MethodDef cilMethod, CsvmMethodData csvmMethod) {
+			cilToVmIndex.Clear();
+			vmIndexToCil.Clear();
+
+			var newInstructions = ReadInstructions(cilMethod, csvmMethod);
+			var newLocals = ReadLocals(cilMethod, csvmMethod);
+			var newExceptions = ReadExceptions(cilMethod, csvmMethod);
+
+			FixInstructionOperands(newInstructions);
+			FixLocals(newInstructions, cilMethod.Body.Variables);
+			FixArgs(newInstructions, cilMethod);
+
+			DotNetUtils.RestoreBody(cilMethod, newInstructions, newExceptions);
+
+			if (!operandRestorer.Restore(cilMethod))
+				Logger.w("Failed to restore one or more instruction operands in CSVM method {0:X8}", cilMethod.MDToken.ToInt32());
+			RestoreConstrainedPrefix(cilMethod);
+		}
+
+		void FixLocals(IList<Instruction> instrs, IList<Local> locals) {
+			foreach (var instr in instrs) {
+				var op = instr.Operand as LocalOperand;
+				if (op == null)
+					continue;
+
+				UpdateLocalInstruction(instr, locals[op.Local], op.Local);
+			}
+		}
+
+		static void UpdateLocalInstruction(Instruction instr, Local local, int index) {
+			object operand = null;
+			OpCode opcode;
+
+			switch (instr.OpCode.Code) {
+			case Code.Ldloc_S:
+			case Code.Ldloc:
+				if (index == 0)
+					opcode = OpCodes.Ldloc_0;
+				else if (index == 1)
+					opcode = OpCodes.Ldloc_1;
+				else if (index == 2)
+					opcode = OpCodes.Ldloc_2;
+				else if (index == 3)
+					opcode = OpCodes.Ldloc_3;
+				else if (byte.MinValue <= index && index <= byte.MaxValue) {
+					opcode = OpCodes.Ldloc_S;
+					operand = local;
+				}
+				else {
+					opcode = OpCodes.Ldloc;
+					operand = local;
+				}
+				break;
+
+			case Code.Stloc:
+			case Code.Stloc_S:
+				if (index == 0)
+					opcode = OpCodes.Stloc_0;
+				else if (index == 1)
+					opcode = OpCodes.Stloc_1;
+				else if (index == 2)
+					opcode = OpCodes.Stloc_2;
+				else if (index == 3)
+					opcode = OpCodes.Stloc_3;
+				else if (byte.MinValue <= index && index <= byte.MaxValue) {
+					opcode = OpCodes.Stloc_S;
+					operand = local;
+				}
+				else {
+					opcode = OpCodes.Stloc;
+					operand = local;
+				}
+				break;
+
+			case Code.Ldloca:
+			case Code.Ldloca_S:
+				if (byte.MinValue <= index && index <= byte.MaxValue) {
+					opcode = OpCodes.Ldloca_S;
+					operand = local;
+				}
+				else {
+					opcode = OpCodes.Ldloca;
+					operand = local;
+				}
+				break;
+
+			default:
+				throw new ApplicationException("Invalid opcode");
+			}
+
+			instr.OpCode = opcode;
+			instr.Operand = operand;
+		}
+
+		void FixArgs(IList<Instruction> instrs, MethodDef method) {
+			foreach (var instr in instrs) {
+				var op = instr.Operand as ArgOperand;
+				if (op == null)
+					continue;
+
+				UpdateArgInstruction(instr, method.Parameters[op.Arg], op.Arg);
+			}
+		}
+
+		static void UpdateArgInstruction(Instruction instr, Parameter arg, int index) {
+			switch (instr.OpCode.Code) {
+			case Code.Ldarg:
+			case Code.Ldarg_S:
+				if (index == 0) {
+					instr.OpCode = OpCodes.Ldarg_0;
+					instr.Operand = null;
+				}
+				else if (index == 1) {
+					instr.OpCode = OpCodes.Ldarg_1;
+					instr.Operand = null;
+				}
+				else if (index == 2) {
+					instr.OpCode = OpCodes.Ldarg_2;
+					instr.Operand = null;
+				}
+				else if (index == 3) {
+					instr.OpCode = OpCodes.Ldarg_3;
+					instr.Operand = null;
+				}
+				else if (byte.MinValue <= index && index <= byte.MaxValue) {
+					instr.OpCode = OpCodes.Ldarg_S;
+					instr.Operand = arg;
+				}
+				else {
+					instr.OpCode = OpCodes.Ldarg;
+					instr.Operand = arg;
+				}
+				break;
+
+			case Code.Starg:
+			case Code.Starg_S:
+				if (byte.MinValue <= index && index <= byte.MaxValue) {
+					instr.OpCode = OpCodes.Starg_S;
+					instr.Operand = arg;
+				}
+				else {
+					instr.OpCode = OpCodes.Starg;
+					instr.Operand = arg;
+				}
+				break;
+
+			case Code.Ldarga:
+			case Code.Ldarga_S:
+				if (byte.MinValue <= index && index <= byte.MaxValue) {
+					instr.OpCode = OpCodes.Ldarga_S;
+					instr.Operand = arg;
+				}
+				else {
+					instr.OpCode = OpCodes.Ldarga;
+					instr.Operand = arg;
+				}
+				break;
+
+			default:
+				throw new ApplicationException("Invalid opcode");
+			}
+		}
+
+		protected abstract List<Instruction> ReadInstructions(MethodDef cilMethod, CsvmMethodData csvmMethod);
+
+		protected static int GetInstructionSize(Instruction instr) {
+			var opcode = instr.OpCode;
+			if (opcode == null)
+				return 5;	// Load store/field
+			var op = instr.Operand as SwitchTargetDisplOperand;
+			if (op == null)
+				return instr.GetSize();
+			return instr.OpCode.Size + (op.TargetDisplacements.Length + 1) * 4;
+		}
+
+		List<Local> ReadLocals(MethodDef cilMethod, CsvmMethodData csvmMethod) {
+			var locals = new List<Local>();
+			var reader = new BinaryReader(new MemoryStream(csvmMethod.Locals));
+
+			if (csvmMethod.Locals.Length == 0)
+				return locals;
+
+			// v6.0.0.5 sometimes duplicates the last two locals so only check for a negative value.
+			int numLocals = reader.ReadInt32();
+			if (numLocals < 0)
+				throw new ApplicationException("Invalid number of locals");
+
+			for (int i = 0; i < numLocals; i++)
+				locals.Add(new Local(ReadTypeRef(reader)));
+
+			return locals;
+		}
+
+		TypeSig ReadTypeRef(BinaryReader reader) {
+			var etype = (ElementType)reader.ReadInt32();
+			switch (etype) {
+			case ElementType.Void: return module.CorLibTypes.Void;
+			case ElementType.Boolean: return module.CorLibTypes.Boolean;
+			case ElementType.Char: return module.CorLibTypes.Char;
+			case ElementType.I1: return module.CorLibTypes.SByte;
+			case ElementType.U1: return module.CorLibTypes.Byte;
+			case ElementType.I2: return module.CorLibTypes.Int16;
+			case ElementType.U2: return module.CorLibTypes.UInt16;
+			case ElementType.I4: return module.CorLibTypes.Int32;
+			case ElementType.U4: return module.CorLibTypes.UInt32;
+			case ElementType.I8: return module.CorLibTypes.Int64;
+			case ElementType.U8: return module.CorLibTypes.UInt64;
+			case ElementType.R4: return module.CorLibTypes.Single;
+			case ElementType.R8: return module.CorLibTypes.Double;
+			case ElementType.String: return module.CorLibTypes.String;
+			case ElementType.TypedByRef: return module.CorLibTypes.TypedReference;
+			case ElementType.I: return module.CorLibTypes.IntPtr;
+			case ElementType.U: return module.CorLibTypes.UIntPtr;
+			case ElementType.Object: return module.CorLibTypes.Object;
+
+			case ElementType.ValueType:
+			case ElementType.Var:
+			case ElementType.MVar:
+				return (module.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef).ToTypeSig();
+
+			case ElementType.GenericInst:
+				etype = (ElementType)reader.ReadInt32();
+				if (etype == ElementType.ValueType)
+					return (module.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef).ToTypeSig();
+				// ElementType.Class
+				return module.CorLibTypes.Object;
+
+			case ElementType.Ptr:
+			case ElementType.Class:
+			case ElementType.Array:
+			case ElementType.FnPtr:
+			case ElementType.SZArray:
+			case ElementType.ByRef:
+			case ElementType.CModReqd:
+			case ElementType.CModOpt:
+			case ElementType.Internal:
+			case ElementType.Sentinel:
+			case ElementType.Pinned:
+			default:
+				return module.CorLibTypes.Object;
+			}
+		}
+
+		List<ExceptionHandler> ReadExceptions(MethodDef cilMethod, CsvmMethodData csvmMethod) {
+			var reader = new BinaryReader(new MemoryStream(csvmMethod.Exceptions));
+			var ehs = new List<ExceptionHandler>();
+
+			if (reader.BaseStream.Length == 0)
+				return ehs;
+
+			int numExceptions = reader.ReadInt32();
+			if (numExceptions < 0)
+				throw new ApplicationException("Invalid number of exception handlers");
+
+			for (int i = 0; i < numExceptions; i++) {
+				var eh = new ExceptionHandler((ExceptionHandlerType)reader.ReadInt32());
+				eh.TryStart = GetInstruction(reader.ReadInt32());
+				eh.TryEnd = GetInstructionEnd(reader.ReadInt32());
+				eh.HandlerStart = GetInstruction(reader.ReadInt32());
+				eh.HandlerEnd = GetInstructionEnd(reader.ReadInt32());
+				if (eh.HandlerType == ExceptionHandlerType.Catch)
+					eh.CatchType = module.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef;
+				else if (eh.HandlerType == ExceptionHandlerType.Filter)
+					eh.FilterStart = GetInstruction(reader.ReadInt32());
+
+				ehs.Add(eh);
+			}
+
+			return ehs;
+		}
+
+		Instruction GetInstruction(int vmIndex) {
+			return vmIndexToCil[vmIndex];
+		}
+
+		Instruction GetInstructionEnd(int vmIndex) {
+			vmIndex++;
+			Instruction instr;
+			vmIndexToCil.TryGetValue(vmIndex, out instr);
+			return instr;
+		}
+
+		Instruction GetInstruction(Instruction source, int displ) {
+			int vmIndex = cilToVmIndex[source];
+			return vmIndexToCil[vmIndex + displ];
+		}
+
+		void FixInstructionOperands(IList<Instruction> instrs) {
+			foreach (var instr in instrs) {
+				var op = instr.Operand as IVmOperand;
+				if (op != null)
+					instr.Operand = FixOperand(instrs, instr, op);
+			}
+		}
+
+		object FixOperand(IList<Instruction> instrs, Instruction instr, IVmOperand vmOperand) {
+			if (vmOperand is TargetDisplOperand)
+				return GetInstruction(instr, ((TargetDisplOperand)vmOperand).Displacement);
+
+			if (vmOperand is SwitchTargetDisplOperand) {
+				var targetDispls = ((SwitchTargetDisplOperand)vmOperand).TargetDisplacements;
+				Instruction[] targets = new Instruction[targetDispls.Length];
+				for (int i = 0; i < targets.Length; i++)
+					targets[i] = GetInstruction(instr, targetDispls[i]);
+				return targets;
+			}
+
+			if (vmOperand is ArgOperand || vmOperand is LocalOperand)
+				return vmOperand;
+
+			if (vmOperand is FieldInstructionOperand) {
+				var fieldInfo = (FieldInstructionOperand)vmOperand;
+				return FixLoadStoreFieldInstruction(instr, fieldInfo.Field, fieldInfo.StaticOpCode, fieldInfo.InstanceOpCode);
+			}
+
+			throw new ApplicationException(string.Format("Unknown operand type: {0}", vmOperand.GetType()));
+		}
+
+		IField FixLoadStoreFieldInstruction(Instruction instr, IField fieldRef, OpCode staticInstr, OpCode instanceInstr) {
+			var field = deobfuscatorContext.ResolveField(fieldRef);
+			bool isStatic;
+			if (field == null) {
+				Logger.w("Could not resolve field {0:X8}. Assuming it's not static.", fieldRef == null ? 0 : fieldRef.MDToken.Raw);
+				isStatic = false;
+			}
+			else
+				isStatic = field.IsStatic;
+			instr.OpCode = isStatic ? staticInstr : instanceInstr;
+			return fieldRef;
+		}
+
+		static void RestoreConstrainedPrefix(MethodDef method) {
+			if (method == null || method.Body == null)
+				return;
+
+			var instrs = method.Body.Instructions;
+			for (int i = 0; i < instrs.Count; i++) {
+				var instr = instrs[i];
+				if (instr.OpCode.Code != Code.Callvirt)
+					continue;
+
+				var calledMethod = instr.Operand as IMethod;
+				if (calledMethod == null)
+					continue;
+				var sig = calledMethod.MethodSig;
+				if (sig == null || !sig.HasThis)
+					continue;
+				var thisType = MethodStack.GetLoadedType(method, instrs, i, sig.Params.Count) as ByRefSig;
+				if (thisType == null)
+					continue;
+				if (HasPrefix(instrs, i, Code.Constrained))
+					continue;
+				instrs.Insert(i, OpCodes.Constrained.ToInstruction(thisType.Next.ToTypeDefOrRef()));
+				i++;
+			}
+		}
+
+		static bool HasPrefix(IList<Instruction> instrs, int index, Code prefix) {
+			index--;
+			for (; index >= 0; index--) {
+				var instr = instrs[index];
+				if (instr.OpCode.OpCodeType != OpCodeType.Prefix)
+					break;
+				if (instr.OpCode.Code == prefix)
+					return true;
+			}
+			return false;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOperands.cs b/de4dot.code/deobfuscators/Agile_NET/vm/VmOperand.cs
similarity index 51%
rename from de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOperands.cs
rename to de4dot.code/deobfuscators/Agile_NET/vm/VmOperand.cs
index 108bfff2..03cde6c4 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOperands.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/VmOperand.cs
@@ -17,66 +17,50 @@
     along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm {
 	interface IVmOperand {
 	}
 
-	class TokenOperand : IVmOperand {
-		public int token;	// any type of token
-		public TokenOperand(int token) {
-			this.token = token;
-		}
-	}
-
 	class TargetDisplOperand : IVmOperand {
-		public int displacement;	// number of instructions from current instr
+		public readonly int Displacement;	// number of VM instructions from current VM instr
 		public TargetDisplOperand(int displacement) {
-			this.displacement = displacement;
+			this.Displacement = displacement;
 		}
 	}
 
 	class SwitchTargetDisplOperand : IVmOperand {
-		public int[] targetDisplacements;	// number of instructions from current instr
+		public readonly int[] TargetDisplacements;	// number of VM instructions from current VM instr
 		public SwitchTargetDisplOperand(int[] targetDisplacements) {
-			this.targetDisplacements = targetDisplacements;
+			this.TargetDisplacements = targetDisplacements;
 		}
 	}
 
 	class ArgOperand : IVmOperand {
-		public ushort arg;
+		public readonly ushort Arg;
 		public ArgOperand(ushort arg) {
-			this.arg = arg;
+			this.Arg = arg;
 		}
 	}
 
 	class LocalOperand : IVmOperand {
-		public ushort local;
+		public readonly ushort Local;
 		public LocalOperand(ushort local) {
-			this.local = local;
+			this.Local = local;
 		}
 	}
 
-	// OpCode must be changed to ldfld / ldsfld
-	class LoadFieldOperand : IVmOperand {
-		public int token;
-		public LoadFieldOperand(int token) {
-			this.token = token;
-		}
-	}
+	class FieldInstructionOperand : IVmOperand {
+		public readonly OpCode StaticOpCode;
+		public readonly OpCode InstanceOpCode;
+		public readonly IField Field;
 
-	// OpCode must be changed to ldflda / ldsflda
-	class LoadFieldAddressOperand : IVmOperand {
-		public int token;
-		public LoadFieldAddressOperand(int token) {
-			this.token = token;
-		}
-	}
-
-	// OpCode must be changed to stfld / stsfld
-	class StoreFieldOperand : IVmOperand {
-		public int token;
-		public StoreFieldOperand(int token) {
-			this.token = token;
+		public FieldInstructionOperand(OpCode staticOpCode, OpCode instanceOpCode, IField field) {
+			this.StaticOpCode = staticOpCode;
+			this.InstanceOpCode = instanceOpCode;
+			this.Field = field;
 		}
 	}
 }
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v1/Csvm.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/Csvm.cs
index 055edbec..91339051 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v1/Csvm.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/Csvm.cs
@@ -140,7 +140,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			var vmModulePath = Path.Combine(Path.GetDirectoryName(module.Location), vmFilename);
 			Logger.v("CSVM filename: {0}", vmFilename);
 
-			var dataKey = "cs cached VmOpCodeHandlerDetector";
+			var dataKey = "cs cached VmOpCodeHandlerDetector v1";
 			var dict = (Dictionary<string, VmOpCodeHandlerDetector>)deobfuscatorContext.GetData(dataKey);
 			if (dict == null)
 				deobfuscatorContext.SetData(dataKey, dict = new Dictionary<string, VmOpCodeHandlerDetector>(StringComparer.OrdinalIgnoreCase));
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmToCilMethodConverter.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmToCilMethodConverter.cs
index e93d1d02..93516c18 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmToCilMethodConverter.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/CsvmToCilMethodConverter.cs
@@ -25,411 +25,28 @@ using dnlib.DotNet.Emit;
 using de4dot.blocks;
 
 namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
-	class CsvmToCilMethodConverter {
-		IDeobfuscatorContext deobfuscatorContext;
-		ModuleDefMD module;
+	class CsvmToCilMethodConverter : CsvmToCilMethodConverterBase {
 		VmOpCodeHandlerDetector opCodeDetector;
-		CilOperandInstructionRestorer operandRestorer = new CilOperandInstructionRestorer();
 
-		public CsvmToCilMethodConverter(IDeobfuscatorContext deobfuscatorContext, ModuleDefMD module, VmOpCodeHandlerDetector opCodeDetector) {
-			this.deobfuscatorContext = deobfuscatorContext;
-			this.module = module;
+		public CsvmToCilMethodConverter(IDeobfuscatorContext deobfuscatorContext, ModuleDefMD module, VmOpCodeHandlerDetector opCodeDetector)
+			: base(deobfuscatorContext, module) {
 			this.opCodeDetector = opCodeDetector;
 		}
 
-		public void Convert(MethodDef cilMethod, CsvmMethodData csvmMethod) {
-			var newInstructions = ReadInstructions(cilMethod, csvmMethod);
-			var newLocals = ReadLocals(cilMethod, csvmMethod);
-			var newExceptions = ReadExceptions(cilMethod, csvmMethod, newInstructions);
-
-			FixInstructionOperands(newInstructions);
-			FixLocals(newInstructions, cilMethod.Body.Variables);
-			FixArgs(newInstructions, cilMethod);
-
-			DotNetUtils.RestoreBody(cilMethod, newInstructions, newExceptions);
-
-			if (!operandRestorer.Restore(cilMethod))
-				Logger.w("Failed to restore one or more instruction operands in CSVM method {0:X8}", cilMethod.MDToken.ToInt32());
-			RestoreConstrainedPrefix(cilMethod);
-		}
-
-		void FixLocals(IList<Instruction> instrs, IList<Local> locals) {
-			foreach (var instr in instrs) {
-				var op = instr.Operand as LocalOperand;
-				if (op == null)
-					continue;
-
-				UpdateLocalInstruction(instr, locals[op.local], op.local);
-			}
-		}
-
-		static void UpdateLocalInstruction(Instruction instr, Local local, int index) {
-			object operand = null;
-			OpCode opcode;
-
-			switch (instr.OpCode.Code) {
-			case Code.Ldloc_S:
-			case Code.Ldloc:
-				if (index == 0)
-					opcode = OpCodes.Ldloc_0;
-				else if (index == 1)
-					opcode = OpCodes.Ldloc_1;
-				else if (index == 2)
-					opcode = OpCodes.Ldloc_2;
-				else if (index == 3)
-					opcode = OpCodes.Ldloc_3;
-				else if (byte.MinValue <= index && index <= byte.MaxValue) {
-					opcode = OpCodes.Ldloc_S;
-					operand = local;
-				}
-				else {
-					opcode = OpCodes.Ldloc;
-					operand = local;
-				}
-				break;
-
-			case Code.Stloc:
-			case Code.Stloc_S:
-				if (index == 0)
-					opcode = OpCodes.Stloc_0;
-				else if (index == 1)
-					opcode = OpCodes.Stloc_1;
-				else if (index == 2)
-					opcode = OpCodes.Stloc_2;
-				else if (index == 3)
-					opcode = OpCodes.Stloc_3;
-				else if (byte.MinValue <= index && index <= byte.MaxValue) {
-					opcode = OpCodes.Stloc_S;
-					operand = local;
-				}
-				else {
-					opcode = OpCodes.Stloc;
-					operand = local;
-				}
-				break;
-
-			case Code.Ldloca:
-			case Code.Ldloca_S:
-				if (byte.MinValue <= index && index <= byte.MaxValue) {
-					opcode = OpCodes.Ldloca_S;
-					operand = local;
-				}
-				else {
-					opcode = OpCodes.Ldloca;
-					operand = local;
-				}
-				break;
-
-			default:
-				throw new ApplicationException("Invalid opcode");
-			}
-
-			instr.OpCode = opcode;
-			instr.Operand = operand;
-		}
-
-		void FixArgs(IList<Instruction> instrs, MethodDef method) {
-			foreach (var instr in instrs) {
-				var op = instr.Operand as ArgOperand;
-				if (op == null)
-					continue;
-
-				UpdateArgInstruction(instr, method.Parameters[op.arg], op.arg);
-			}
-		}
-
-		static void UpdateArgInstruction(Instruction instr, Parameter arg, int index) {
-			switch (instr.OpCode.Code) {
-			case Code.Ldarg:
-			case Code.Ldarg_S:
-				if (index == 0) {
-					instr.OpCode = OpCodes.Ldarg_0;
-					instr.Operand = null;
-				}
-				else if (index == 1) {
-					instr.OpCode = OpCodes.Ldarg_1;
-					instr.Operand = null;
-				}
-				else if (index == 2) {
-					instr.OpCode = OpCodes.Ldarg_2;
-					instr.Operand = null;
-				}
-				else if (index == 3) {
-					instr.OpCode = OpCodes.Ldarg_3;
-					instr.Operand = null;
-				}
-				else if (byte.MinValue <= index && index <= byte.MaxValue) {
-					instr.OpCode = OpCodes.Ldarg_S;
-					instr.Operand = arg;
-				}
-				else {
-					instr.OpCode = OpCodes.Ldarg;
-					instr.Operand = arg;
-				}
-				break;
-
-			case Code.Starg:
-			case Code.Starg_S:
-				if (byte.MinValue <= index && index <= byte.MaxValue) {
-					instr.OpCode = OpCodes.Starg_S;
-					instr.Operand = arg;
-				}
-				else {
-					instr.OpCode = OpCodes.Starg;
-					instr.Operand = arg;
-				}
-				break;
-
-			case Code.Ldarga:
-			case Code.Ldarga_S:
-				if (byte.MinValue <= index && index <= byte.MaxValue) {
-					instr.OpCode = OpCodes.Ldarga_S;
-					instr.Operand = arg;
-				}
-				else {
-					instr.OpCode = OpCodes.Ldarga;
-					instr.Operand = arg;
-				}
-				break;
-
-			default:
-				throw new ApplicationException("Invalid opcode");
-			}
-		}
-
-		List<Instruction> ReadInstructions(MethodDef cilMethod, CsvmMethodData csvmMethod) {
+		protected override List<Instruction> ReadInstructions(MethodDef cilMethod, CsvmMethodData csvmMethod) {
 			var reader = new BinaryReader(new MemoryStream(csvmMethod.Instructions));
 			var instrs = new List<Instruction>();
 			uint offset = 0;
 			while (reader.BaseStream.Position < reader.BaseStream.Length) {
 				int vmOpCode = reader.ReadUInt16();
-				var instr = opCodeDetector.Handlers[vmOpCode].Read(reader);
+				var instr = opCodeDetector.Handlers[vmOpCode].Read(reader, module);
 				instr.Offset = offset;
 				offset += (uint)GetInstructionSize(instr);
+				SetCilToVmIndex(instr, instrs.Count);
+				SetVmIndexToCil(instr, instrs.Count);
 				instrs.Add(instr);
 			}
 			return instrs;
 		}
-
-		static int GetInstructionSize(Instruction instr) {
-			var opcode = instr.OpCode;
-			if (opcode == null)
-				return 5;	// Load store/field
-			var op = instr.Operand as SwitchTargetDisplOperand;
-			if (op == null)
-				return instr.GetSize();
-			return instr.OpCode.Size + (op.targetDisplacements.Length + 1) * 4;
-		}
-
-		List<Local> ReadLocals(MethodDef cilMethod, CsvmMethodData csvmMethod) {
-			var locals = new List<Local>();
-			var reader = new BinaryReader(new MemoryStream(csvmMethod.Locals));
-
-			if (csvmMethod.Locals.Length == 0)
-				return locals;
-
-			// v6.0.0.5 sometimes duplicates the last two locals so only check for a negative value.
-			int numLocals = reader.ReadInt32();
-			if (numLocals < 0)
-				throw new ApplicationException("Invalid number of locals");
-
-			for (int i = 0; i < numLocals; i++)
-				locals.Add(new Local(ReadTypeRef(reader)));
-
-			return locals;
-		}
-
-		TypeSig ReadTypeRef(BinaryReader reader) {
-			var etype = (ElementType)reader.ReadInt32();
-			switch (etype) {
-			case ElementType.Void: return module.CorLibTypes.Void;
-			case ElementType.Boolean: return module.CorLibTypes.Boolean;
-			case ElementType.Char: return module.CorLibTypes.Char;
-			case ElementType.I1: return module.CorLibTypes.SByte;
-			case ElementType.U1: return module.CorLibTypes.Byte;
-			case ElementType.I2: return module.CorLibTypes.Int16;
-			case ElementType.U2: return module.CorLibTypes.UInt16;
-			case ElementType.I4: return module.CorLibTypes.Int32;
-			case ElementType.U4: return module.CorLibTypes.UInt32;
-			case ElementType.I8: return module.CorLibTypes.Int64;
-			case ElementType.U8: return module.CorLibTypes.UInt64;
-			case ElementType.R4: return module.CorLibTypes.Single;
-			case ElementType.R8: return module.CorLibTypes.Double;
-			case ElementType.String: return module.CorLibTypes.String;
-			case ElementType.TypedByRef: return module.CorLibTypes.TypedReference;
-			case ElementType.I: return module.CorLibTypes.IntPtr;
-			case ElementType.U: return module.CorLibTypes.UIntPtr;
-			case ElementType.Object: return module.CorLibTypes.Object;
-
-			case ElementType.ValueType:
-			case ElementType.Var:
-			case ElementType.MVar:
-				return (module.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef).ToTypeSig();
-
-			case ElementType.GenericInst:
-				etype = (ElementType)reader.ReadInt32();
-				if (etype == ElementType.ValueType)
-					return (module.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef).ToTypeSig();
-				// ElementType.Class
-				return module.CorLibTypes.Object;
-
-			case ElementType.Ptr:
-			case ElementType.Class:
-			case ElementType.Array:
-			case ElementType.FnPtr:
-			case ElementType.SZArray:
-			case ElementType.ByRef:
-			case ElementType.CModReqd:
-			case ElementType.CModOpt:
-			case ElementType.Internal:
-			case ElementType.Sentinel:
-			case ElementType.Pinned:
-			default:
-				return module.CorLibTypes.Object;
-			}
-		}
-
-		List<ExceptionHandler> ReadExceptions(MethodDef cilMethod, CsvmMethodData csvmMethod, List<Instruction> cilInstructions) {
-			var reader = new BinaryReader(new MemoryStream(csvmMethod.Exceptions));
-			var ehs = new List<ExceptionHandler>();
-
-			if (reader.BaseStream.Length == 0)
-				return ehs;
-
-			int numExceptions = reader.ReadInt32();
-			if (numExceptions < 0)
-				throw new ApplicationException("Invalid number of exception handlers");
-
-			for (int i = 0; i < numExceptions; i++) {
-				var eh = new ExceptionHandler((ExceptionHandlerType)reader.ReadInt32());
-				eh.TryStart = GetInstruction(cilInstructions, reader.ReadInt32());
-				eh.TryEnd = GetInstructionEnd(cilInstructions, reader.ReadInt32());
-				eh.HandlerStart = GetInstruction(cilInstructions, reader.ReadInt32());
-				eh.HandlerEnd = GetInstructionEnd(cilInstructions, reader.ReadInt32());
-				if (eh.HandlerType == ExceptionHandlerType.Catch)
-					eh.CatchType = module.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef;
-				else if (eh.HandlerType == ExceptionHandlerType.Filter)
-					eh.FilterStart = GetInstruction(cilInstructions, reader.ReadInt32());
-
-				ehs.Add(eh);
-			}
-
-			return ehs;
-		}
-
-		static Instruction GetInstruction(IList<Instruction> instrs, int index) {
-			return instrs[index];
-		}
-
-		static Instruction GetInstructionEnd(IList<Instruction> instrs, int index) {
-			index++;
-			if (index == instrs.Count)
-				return null;
-			return instrs[index];
-		}
-
-		static Instruction GetInstruction(IList<Instruction> instrs, Instruction source, int displ) {
-			int sourceIndex = instrs.IndexOf(source);
-			if (sourceIndex < 0)
-				throw new ApplicationException("Could not find source instruction");
-			return instrs[sourceIndex + displ];
-		}
-
-		void FixInstructionOperands(IList<Instruction> instrs) {
-			foreach (var instr in instrs) {
-				var op = instr.Operand as IVmOperand;
-				if (op != null)
-					instr.Operand = FixOperand(instrs, instr, op);
-			}
-		}
-
-		object FixOperand(IList<Instruction> instrs, Instruction instr, IVmOperand vmOperand) {
-			if (vmOperand is TokenOperand)
-				return GetMemberRef(((TokenOperand)vmOperand).token);
-
-			if (vmOperand is TargetDisplOperand)
-				return GetInstruction(instrs, instr, ((TargetDisplOperand)vmOperand).displacement);
-
-			if (vmOperand is SwitchTargetDisplOperand) {
-				var targetDispls = ((SwitchTargetDisplOperand)vmOperand).targetDisplacements;
-				Instruction[] targets = new Instruction[targetDispls.Length];
-				for (int i = 0; i < targets.Length; i++)
-					targets[i] = GetInstruction(instrs, instr, targetDispls[i]);
-				return targets;
-			}
-
-			if (vmOperand is ArgOperand || vmOperand is LocalOperand)
-				return vmOperand;
-
-			if (vmOperand is LoadFieldOperand)
-				return FixLoadStoreFieldInstruction(instr, ((LoadFieldOperand)vmOperand).token, OpCodes.Ldsfld, OpCodes.Ldfld);
-
-			if (vmOperand is LoadFieldAddressOperand)
-				return FixLoadStoreFieldInstruction(instr, ((LoadFieldAddressOperand)vmOperand).token, OpCodes.Ldsflda, OpCodes.Ldflda);
-
-			if (vmOperand is StoreFieldOperand)
-				return FixLoadStoreFieldInstruction(instr, ((StoreFieldOperand)vmOperand).token, OpCodes.Stsfld, OpCodes.Stfld);
-
-			throw new ApplicationException(string.Format("Unknown operand type: {0}", vmOperand.GetType()));
-		}
-
-		IField FixLoadStoreFieldInstruction(Instruction instr, int token, OpCode staticInstr, OpCode instanceInstr) {
-			var fieldRef = module.ResolveToken(token) as IField;
-			var field = deobfuscatorContext.ResolveField(fieldRef);
-			bool isStatic;
-			if (field == null) {
-				Logger.w("Could not resolve field {0:X8}. Assuming it's not static.", token);
-				isStatic = false;
-			}
-			else
-				isStatic = field.IsStatic;
-			instr.OpCode = isStatic ? staticInstr : instanceInstr;
-			return fieldRef;
-		}
-
-		ITokenOperand GetMemberRef(int token) {
-			var memberRef = module.ResolveToken(token) as ITokenOperand;
-			if (memberRef == null)
-				throw new ApplicationException(string.Format("Could not find member ref: {0:X8}", token));
-			return memberRef;
-		}
-
-		static void RestoreConstrainedPrefix(MethodDef method) {
-			if (method == null || method.Body == null)
-				return;
-
-			var instrs = method.Body.Instructions;
-			for (int i = 0; i < instrs.Count; i++) {
-				var instr = instrs[i];
-				if (instr.OpCode.Code != Code.Callvirt)
-					continue;
-
-				var calledMethod = instr.Operand as IMethod;
-				if (calledMethod == null)
-					continue;
-				var sig = calledMethod.MethodSig;
-				if (sig == null || !sig.HasThis)
-					continue;
-				var thisType = MethodStack.GetLoadedType(method, instrs, i, sig.Params.Count) as ByRefSig;
-				if (thisType == null)
-					continue;
-				if (HasPrefix(instrs, i, Code.Constrained))
-					continue;
-				instrs.Insert(i, OpCodes.Constrained.ToInstruction(thisType.Next.ToTypeDefOrRef()));
-				i++;
-			}
-		}
-
-		static bool HasPrefix(IList<Instruction> instrs, int index, Code prefix) {
-			index--;
-			for (; index >= 0; index--) {
-				var instr = instrs[index];
-				if (instr.OpCode.OpCodeType != OpCodeType.Prefix)
-					break;
-				if (instr.OpCode.Code == prefix)
-					return true;
-			}
-			return false;
-		}
 	}
 }
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandler.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandler.cs
index 625d5638..9c572780 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandler.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandler.cs
@@ -29,7 +29,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 		public string Name { get; set; }
 		public OpCodeHandlerSigInfo OpCodeHandlerSigInfo { get; set; }
 		public Predicate<UnknownHandlerInfo> Check { get; set; }
-		public Func<BinaryReader, Instruction> Read { get; set; }
+		public Func<BinaryReader, IInstructionOperandResolver, Instruction> Read { get; set; }
 
 		public bool Detect(UnknownHandlerInfo info) {
 			var sigInfo = OpCodeHandlerSigInfo;
@@ -68,7 +68,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	}
 
 	static partial class OpCodeHandlers {
-		static Instruction arithmetic_read(BinaryReader reader) {
+		static Instruction arithmetic_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			switch (reader.ReadByte()) {
 			case 0: return OpCodes.Add.ToInstruction();
 			case 1: return OpCodes.Add_Ovf.ToInstruction();
@@ -91,25 +91,22 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			return DotNetUtils.CallsMethod(info.ExecuteMethod, "System.Type System.Reflection.Module::ResolveType(System.Int32)");
 		}
 
-		static Instruction newarr_read(BinaryReader reader) {
-			return new Instruction {
-				OpCode = OpCodes.Newarr,
-				Operand = new TokenOperand(reader.ReadInt32()),
-			};
+		static Instruction newarr_read(BinaryReader reader, IInstructionOperandResolver resolver) {
+			return new Instruction(OpCodes.Newarr, resolver.ResolveToken(reader.ReadUInt32()));
 		}
 
-		static Instruction box_read(BinaryReader reader) {
+		static Instruction box_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			var instr = new Instruction();
 			switch (reader.ReadByte()) {
 			case 0: instr.OpCode = OpCodes.Box; break;
 			case 1: instr.OpCode = OpCodes.Unbox_Any; break;
 			default: throw new ApplicationException("Invalid opcode");
 			}
-			instr.Operand = new TokenOperand(reader.ReadInt32());
+			instr.Operand = resolver.ResolveToken(reader.ReadUInt32());
 			return instr;
 		}
 
-		static Instruction call_read(BinaryReader reader) {
+		static Instruction call_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			var instr = new Instruction();
 			switch (reader.ReadByte()) {
 			case 0: instr.OpCode = OpCodes.Newobj; break;
@@ -117,22 +114,22 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			case 2: instr.OpCode = OpCodes.Callvirt; break;
 			default: throw new ApplicationException("Invalid opcode");
 			}
-			instr.Operand = new TokenOperand(reader.ReadInt32());
+			instr.Operand = resolver.ResolveToken(reader.ReadUInt32());
 			return instr;
 		}
 
-		static Instruction cast_read(BinaryReader reader) {
+		static Instruction cast_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			var instr = new Instruction();
 			switch (reader.ReadByte()) {
 			case 0: instr.OpCode = OpCodes.Castclass; break;
 			case 1: instr.OpCode = OpCodes.Isinst; break;
 			default: throw new ApplicationException("Invalid opcode");
 			}
-			instr.Operand = new TokenOperand(reader.ReadInt32());
+			instr.Operand = resolver.ResolveToken(reader.ReadUInt32());
 			return instr;
 		}
 
-		static Instruction compare_read(BinaryReader reader) {
+		static Instruction compare_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			int type = reader.ReadByte();
 			Instruction instr = new Instruction();
 			switch (type) {
@@ -205,7 +202,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			new InstructionInfo1 { Type = 11, Second = true, Third = true, OpCode = OpCodes.Conv_Ovf_U_Un },
 			new InstructionInfo1 { Type = 12, Second = true, Third = true, OpCode = OpCodes.Conv_R_Un },
 		};
-		static Instruction convert_read(BinaryReader reader) {
+		static Instruction convert_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			byte type = reader.ReadByte();
 			bool second = reader.ReadBoolean();
 			bool third = reader.ReadBoolean();
@@ -215,7 +212,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 				if (type != info.Type || info.Second != second || info.Third != third)
 					continue;
 
-				instr = new Instruction { OpCode = info.OpCode };
+				instr = new Instruction(info.OpCode);
 				break;
 			}
 			if (instr == null)
@@ -224,7 +221,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			return instr;
 		}
 
-		static Instruction dup_read(BinaryReader reader) {
+		static Instruction dup_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			switch (reader.ReadByte()) {
 			case 0: return OpCodes.Dup.ToInstruction();
 			case 1: return OpCodes.Pop.ToInstruction();
@@ -262,7 +259,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			new InstructionInfo2 { First = true, Second = true, Value = 28, OpCode = OpCodes.Ldelem_Ref },
 			new InstructionInfo2 { First = true, Second = false, Value = 0, OpCode = OpCodes.Ldelem },
 		};
-		static Instruction ldelem_read(BinaryReader reader) {
+		static Instruction ldelem_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			Instruction instr = null;
 			bool first = reader.ReadBoolean();
 			bool second = reader.ReadBoolean();
@@ -274,9 +271,9 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 					continue;
 
 				if (second)
-					instr = new Instruction { OpCode = info.OpCode };
+					instr = new Instruction(info.OpCode);
 				else
-					instr = new Instruction { OpCode = info.OpCode, Operand = new TokenOperand(value) };
+					instr = new Instruction(info.OpCode, resolver.ResolveToken((uint)value));
 				break;
 			}
 			if (instr == null)
@@ -289,29 +286,26 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			return DotNetUtils.CallsMethod(info.ExecuteMethod, "System.Reflection.MethodInfo System.Type::GetMethod(System.String,System.Reflection.BindingFlags)");
 		}
 
-		static Instruction endfinally_read(BinaryReader reader) {
+		static Instruction endfinally_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			return OpCodes.Endfinally.ToInstruction();
 		}
 
-		static Instruction ldfld_read(BinaryReader reader) {
-			var instr = new Instruction();
-			switch (reader.ReadByte()) {
-			case 0: instr.Operand = new LoadFieldOperand(reader.ReadInt32()); break;
-			case 1: instr.Operand = new LoadFieldAddressOperand(reader.ReadInt32()); break;
-			case 2: instr.Operand = new StoreFieldOperand(reader.ReadInt32()); break;
+		static Instruction ldfld_read(BinaryReader reader, IInstructionOperandResolver resolver) {
+			byte b = reader.ReadByte();
+			var field = resolver.ResolveToken(reader.ReadUInt32()) as IField;
+			switch (b) {
+			case 0: return new Instruction(null, new FieldInstructionOperand(OpCodes.Ldsfld, OpCodes.Ldfld, field));
+			case 1: return new Instruction(null, new FieldInstructionOperand(OpCodes.Ldsflda, OpCodes.Ldflda, field));
+			case 2: return new Instruction(null, new FieldInstructionOperand(OpCodes.Stsfld, OpCodes.Stfld, field));
 			default: throw new ApplicationException("Invalid opcode");
 			}
-			return instr;
 		}
 
-		static Instruction initobj_read(BinaryReader reader) {
-			return new Instruction {
-				OpCode = OpCodes.Initobj,
-				Operand = new TokenOperand(reader.ReadInt32()),
-			};
+		static Instruction initobj_read(BinaryReader reader, IInstructionOperandResolver resolver) {
+			return new Instruction(OpCodes.Initobj, resolver.ResolveToken(reader.ReadUInt32()));
 		}
 
-		static Instruction ldloc_read(BinaryReader reader) {
+		static Instruction ldloc_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			bool isLdarg = reader.ReadBoolean();
 			ushort index = reader.ReadUInt16();
 
@@ -328,7 +322,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			return instr;
 		}
 
-		static Instruction ldloca_read(BinaryReader reader) {
+		static Instruction ldloca_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			Instruction instr = new Instruction();
 			if (reader.ReadBoolean()) {
 				instr.OpCode = OpCodes.Ldarga;
@@ -342,25 +336,19 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			return instr;
 		}
 
-		static Instruction ldelema_read(BinaryReader reader) {
-			return new Instruction {
-				OpCode = OpCodes.Ldelema,
-				Operand = null,
-			};
+		static Instruction ldelema_read(BinaryReader reader, IInstructionOperandResolver resolver) {
+			return new Instruction(OpCodes.Ldelema, null);
 		}
 
-		static Instruction ldlen_read(BinaryReader reader) {
+		static Instruction ldlen_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			return OpCodes.Ldlen.ToInstruction();
 		}
 
-		static Instruction ldobj_read(BinaryReader reader) {
-			return new Instruction {
-				OpCode = OpCodes.Ldobj,
-				Operand = null,
-			};
+		static Instruction ldobj_read(BinaryReader reader, IInstructionOperandResolver resolver) {
+			return new Instruction(OpCodes.Ldobj, null);
 		}
 
-		static Instruction ldstr_read(BinaryReader reader) {
+		static Instruction ldstr_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			return OpCodes.Ldstr.ToInstruction(reader.ReadString());
 		}
 
@@ -368,11 +356,8 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			return DotNetUtils.CallsMethod(info.ExecuteMethod, "System.Reflection.MemberInfo System.Reflection.Module::ResolveMember(System.Int32)");
 		}
 
-		static Instruction ldtoken_read(BinaryReader reader) {
-			return new Instruction {
-				OpCode = OpCodes.Ldtoken,
-				Operand = new TokenOperand(reader.ReadInt32()),
-			};
+		static Instruction ldtoken_read(BinaryReader reader, IInstructionOperandResolver resolver) {
+			return new Instruction(OpCodes.Ldtoken, resolver.ResolveToken(reader.ReadUInt32()));
 		}
 
 		static bool leave_check(UnknownHandlerInfo info) {
@@ -381,15 +366,12 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 				!DotNetUtils.CallsMethod(info.ExecuteMethod, "System.Reflection.MemberInfo System.Reflection.Module::ResolveMember(System.Int32)");
 		}
 
-		static Instruction leave_read(BinaryReader reader) {
+		static Instruction leave_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			int displacement = reader.ReadInt32();
-			return new Instruction {
-				OpCode = OpCodes.Leave,
-				Operand = new TargetDisplOperand(displacement),
-			};
+			return new Instruction(OpCodes.Leave, new TargetDisplOperand(displacement));
 		}
 
-		static Instruction ldc_read(BinaryReader reader) {
+		static Instruction ldc_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			switch ((ElementType)reader.ReadByte()) {
 			case ElementType.I4: return Instruction.CreateLdcI4(reader.ReadInt32());
 			case ElementType.I8: return OpCodes.Ldc_I8.ToInstruction(reader.ReadInt64());
@@ -400,29 +382,24 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			}
 		}
 
-		static Instruction ldftn_read(BinaryReader reader) {
+		static Instruction ldftn_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			byte code = reader.ReadByte();
-			int token = reader.ReadInt32();
+			uint token = reader.ReadUInt32();
 
-			Instruction instr;
 			switch (code) {
 			case 0:
-				instr = new Instruction { OpCode = OpCodes.Ldftn, Operand = new TokenOperand(token) };
-				break;
+				return new Instruction(OpCodes.Ldftn, resolver.ResolveToken(token));
 
 			case 1:
 				reader.ReadInt32();	// token of newobj .ctor
-				instr = new Instruction { OpCode = OpCodes.Ldvirtftn, Operand = new TokenOperand(token) };
-				break;
+				return new Instruction(OpCodes.Ldvirtftn, resolver.ResolveToken(token));
 
 			default:
 				throw new ApplicationException("Invalid opcode");
 			}
-
-			return instr;
 		}
 
-		static Instruction logical_read(BinaryReader reader) {
+		static Instruction logical_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			switch (reader.ReadByte()) {
 			case 0: return OpCodes.And.ToInstruction();
 			case 1: return OpCodes.Or.ToInstruction();
@@ -448,7 +425,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			return false;
 		}
 
-		static Instruction nop_read(BinaryReader reader) {
+		static Instruction nop_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			return OpCodes.Nop.ToInstruction();
 		}
 
@@ -456,7 +433,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			return DotNetUtils.CallsMethod(info.ExecuteMethod, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)");
 		}
 
-		static Instruction ret_read(BinaryReader reader) {
+		static Instruction ret_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			reader.ReadInt32();	// token of current method
 			return OpCodes.Ret.ToInstruction();
 		}
@@ -465,11 +442,11 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			return info.ExecuteMethod.Body.Variables.Count == 0;
 		}
 
-		static Instruction rethrow_read(BinaryReader reader) {
+		static Instruction rethrow_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			return OpCodes.Rethrow.ToInstruction();
 		}
 
-		static Instruction stloc_read(BinaryReader reader) {
+		static Instruction stloc_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			bool isStarg = reader.ReadBoolean();
 			ushort index = reader.ReadUInt16();
 
@@ -487,33 +464,27 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			return instr;
 		}
 
-		static Instruction stobj_read(BinaryReader reader) {
-			return new Instruction {
-				OpCode = OpCodes.Stobj,
-				Operand = null,
-			};
+		static Instruction stobj_read(BinaryReader reader, IInstructionOperandResolver resolver) {
+			return new Instruction(OpCodes.Stobj, null);
 		}
 
-		static Instruction switch_read(BinaryReader reader) {
+		static Instruction switch_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			int numTargets = reader.ReadInt32();
 			int[] targetDispls = new int[numTargets];
 			for (int i = 0; i < targetDispls.Length; i++)
 				targetDispls[i] = reader.ReadInt32();
-			return new Instruction {
-				OpCode = OpCodes.Switch,
-				Operand = new SwitchTargetDisplOperand(targetDispls),
-			};
+			return new Instruction(OpCodes.Switch, new SwitchTargetDisplOperand(targetDispls));
 		}
 
 		static bool throw_check(UnknownHandlerInfo info) {
 			return !DotNetUtils.CallsMethod(info.ExecuteMethod, "System.Reflection.MethodInfo System.Type::GetMethod(System.String,System.Reflection.BindingFlags)");
 		}
 
-		static Instruction throw_read(BinaryReader reader) {
+		static Instruction throw_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			return OpCodes.Throw.ToInstruction();
 		}
 
-		static Instruction neg_read(BinaryReader reader) {
+		static Instruction neg_read(BinaryReader reader, IInstructionOperandResolver resolver) {
 			switch (reader.ReadByte()) {
 			case 0: return OpCodes.Neg.ToInstruction();
 			case 1: return OpCodes.Not.ToInstruction();
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandlers.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandlers.cs
index 3dc9fc80..aa8419a3 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandlers.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/OpCodeHandlers.cs
@@ -19,7 +19,7 @@
 
 namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 	static partial class OpCodeHandlers {
-		public static readonly OpCodeHandler[][] opcodeHandlers = new OpCodeHandler[][] {
+		public static readonly OpCodeHandler[][] Handlers = new OpCodeHandler[][] {
 			new OpCodeHandler[] {
 				new OpCodeHandler {
 					Name = "arithmetic",
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOpCodeHandlerDetector.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOpCodeHandlerDetector.cs
index 7ec49e86..b06ca9c8 100644
--- a/de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOpCodeHandlerDetector.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v1/VmOpCodeHandlerDetector.cs
@@ -214,7 +214,7 @@ namespace de4dot.code.deobfuscators.Agile_NET.vm.v1 {
 			opCodeHandlers = new List<OpCodeHandler>();
 			var detected = new List<OpCodeHandler>();
 
-			foreach (var handlersList in OpCodeHandlers.opcodeHandlers) {
+			foreach (var handlersList in OpCodeHandlers.Handlers) {
 				opCodeHandlers.Clear();
 
 				foreach (var handlerType in handlerTypes) {
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM1_v2.bin b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM1_v2.bin
new file mode 100644
index 0000000000000000000000000000000000000000..156f0777f02c11e2312c196ba61d21e2391f1a7a
GIT binary patch
literal 9520
zcmdU!2{cvR`^S%n%n8xpqFa({o<im!nXW{)QgRKY3`wYHdMlJn8ACEe*YJiyghJG7
zE{b|n8YmGjQqq8a=ds%Vbyn;4U%&NR%UZ9q*5llDK4(As+28$~y`OWiU>HWl4GtFE
z7UJgV-Om$~^Y+&9#K8pu*DBZ$L)`9Ikj(QvfqGkPpFdo)%=;nmdAK32o1c9#lY5lm
zq-I$hJ73)ZI4glGEsK;_pns^_#uglCQ<-E696I5`4f?03J+@H@;C1uQQy3oKUArCm
zhBNSjS~|yZ$5gKE`Si^NqJe49FZc)MQu$-*(mH8dW$92Cn(w+=B0Eu8)a&P#b4gF$
z_~TGS=_vSve&_#e%gitPPsYqIVx@(5d)!u0xeoEGtT5a1@+kP_z-__Lwk9@>EzdFY
zNzO&tyV`ga${;4rpDa3K?dpz^FC5($4tDcO^H&p@PL|B`_Rxj>SKEvnbPAIn;7w*?
zMLL-+5$mN^Osa;z8n|N~O}75G>m=y;Zu<|bUJFI}mru8sN4CtSPB1q}Ckxf{m4<xD
zwlC`6pA9|D{^8%Q6EDL*{)n`M=VE(@?8c(k*|Vt=<SEi=uH{qxd(Wg#1NW5f)AXDB
z9_$&MO`YIbMmo*4eA-%UR=~RHYfyC|eabk=<I-&E1nU~oX|Cl{XqCXW`x6bFY0ZKx
znv2s`&!$eG5z=X{<<n}dCdIna`h>tIC%Ox5^{Qu6CvJjHb1k0?xQ_M|=|(!8ceXC~
zA#2X;&$Cq*@DOyGYx!jFBV&1p!cD4s<<I|t>yGVg<`eH6)~VRWNxp2%<GPu3`04y-
ztGZ@WCq7&!s70ZsRy8*|=KF{)erPPj)lyet8GZ@l#|?3(4)!3sj-|TS=U*&}ZhVjq
z9NIyy!#UOVi`!fB`C?jx&7O=8o1`IbXbWfH%<As{rk>AC9hB@E4hl?vu6-&-b+0}6
zBi8fG>TXoCGpoB1V^((y;J#;jJSM$0V&8JE8qx>JRW_L5!r2_pB78jXEP(zVI@50w
zUq5*qPJ3WMqP8DF^Ml4KCwVzD+*_kK_XIUZEyq$9I2f9vc^!P5RL&MV9RZ%E@c4%H
zFt;!d;G5YTAU3)()OlD`uZi3z@A{R;paFcsyBL~>J61x@VOpC%^LZMxObseu!qJRR
zdTdscvXHrpp6?L_#~mFm&>xCbV)59-lJ=L;8w5CPPPDxE2tJ{9L+@L0?Nv{=Ifyf|
zgyb}q3tfByZP7l=ELOyr#R_{9th+GIvgn%ce?7~m)d#d^9M8~U0l$ca<t<P?;Wnge
ze<5}rL(6mKbz2bUNdM_gW-GVV9Bp9hr`!|VId3V%OdQi((%**Venh{7vzW!aloe~-
zO1b~7`U~M2qdYTW&?sE8RjJ`w6(n8zU^b*b`YsTs;8ak(dtl=^R@U|+j#gRVU?~4B
zs74a64ot`14tF*pyLl(U+@Ty#y{qCnAf*#o`1PQF+^T^{9L*eX5AyH)c|DsVW4<<*
zi}tfi`|3jA24UP#?#;FDAvW1cChX;>clkF6Y~r_k&j799`9$ACa#{{l3>ljCJh3Pb
zm-aZQ1zMozli4$fn1b`4?7RZepD5F0#;FmRP`nwo7`M5q(_`sRZn>^Tlvu6?&c=z-
z-r3YigrL)0s}EBwV+A~-*&RwmqI8A_I8|m-CsBe<bM3kNG5>SGbkux3?Swd=;WAJ2
z+0<zXL8rNvPpbyBlZ51x#G?-0Nb%X1pfsC0EhXqwzhKbSF0CP7G>cN<oGNk=`h~R*
z&QL=L1nTuCi54#lAS-n@ouqCChV~d{YbIjMY7=4|ysayO#b0pn+EQAnOs^m{in!i7
z)>vIVW_{vjGCQekKlc}Bhz0gVR8MV{911QQJ+pVHO?|-QYKRrIMeBH4x7n(w%dFb%
zZj^X(uTUY8$&opaCv|V^A2bnmU%m7xjo2rPBW=SLWjB)Cz8^bC_iNK}ml(WMz&)UY
z?Vo&`k|<FZ7<{5SRa<QX@k`ip+z@9BWxj3nQH<G=v^DnKg;Qg|#R%N>M7^$NbDhxF
zHp!<7rb#=1lW;@(y<bGcWQal1--)(~J<}wkm2e$=gPx!pXaIXNoZ$e5_UZ|%y^8z&
zZ3`~^BQaude!PUp<TIA-bN4lyY%4#ov(I%Slz%hh`5rc<?#1((uTh24$CmG*1J}_Z
zj{iV$#qVsk5{vN-HOiD?-)AQ>^M3^JkMe_=AJFTHPm_@qmx*;*PItAN-2P~|AB_e0
zOTGZ5dyHqa7emtT@5boAB*xq}RpqCvq>|vM?=9!mSCNev-fZTO!2hDL|E^9#wa))i
zCqbNWK)=WjvwBGK=RGi<qgySWUHTDMzgcdj9c^*NBz_57LEz6Ol%`MZy4oeO)Hg#Z
z(hHV!j7;F6ZjL*}WQs+e^hBCq*vL2FD+zpFMd4k&E&G;}UMq}y?lYbVaTS4|9AmiC
zX<^UD-$Xa?7EiQ7dnw%DMu?9m)8R>qW)S(IN-}#@zq1<52aFHR;~6Q{f*jd6PI1<H
zy)KgZ3L?vU*V2|%tq`9PTKCU{JM|OZ3|oyG@~v|Cd+eeFfy--d-r!Sg3rqghciLZJ
zt>Hg38oYMh>MF<$h#~rJuQL7-lAckrsKxVIR^7sL;9D9uxCi2{w+=0*QN0H#)&XM&
z550jU9$SMOnipI13|)_%*Yq1X)`|P=UO!W>5d8<Xy%+EjR^A)wIz-BpedPoU#hn>P
z+M!i``Sn@eHE-N9lC_D9*?J&@w?%Q$?`|G3T_I;ASymvAO?sZj5k?{KjuEA8w+?jH
zS*8e|x^OZt8MrKNsPDaP=?0VY#7V=PFV>RP`S1Ly+3%jK_+*>W(eI;$3@J@LDlgk(
z@GFNKitG5-&e8Dq=`v|=tz@nQuJr;gj~iMa8>4c%<+^rvek&4UYqEPN@N2&xDPjFA
z9SV}3)+;PTy3*3YFIsoYYcmGSCn^&6%g36ej8LvaTNn?Ti@*1I>tEq+@yUxwP7AFx
zctdQPpwy~5!e$u#y<+)*XW^|5XbaCUT4!8iYHXg<=O1@DT%F8!wp5DP_IFw^n<E9>
zC(=UBPX0lHP;b$W)~nWvI^Q~Qgel?%@5qo_B}v`ZQVk5jz~I#<Q-V1jBP~!&FR%mh
zuZC*hb+5^lZ5p-S02~bQBPuN+QK@%3&mJdnpXHER0*t7K)`qf0y=r|2RwxLuR-U_F
z0db*qi`hE`FgS=~XST<p`Czuk!aSpQlRyS%<kVq@YEgZ%-ejqv2>3<sCFLG68`FJ{
zaCqfDJ{0ihOGU(>e>jwIgKMBuU1@OGXhMv8P4q4)-Rb@`{1T>&8{)=!ZI8{T3P%Su
zTO$etouItHR0#ZLe%Y4Y{701Yiu<I#2-EF>s}lHTgR;!jrqJQ66sk&~r?ozCHQZ2M
z`3HaBov#pk##y5?Ye{E)H<~9nLwu^H*RW`>igo?u$}uNb(RPRnJ!kZ)i2duQ)Bd<B
zP`fa7q3{@yRanJ;96zKKBBQzS)yqV)?RYax9XB+ty4pf(*&SU%UgHhNBnNq5JIB`k
z<nS8~4cyTEnxDeVPd|t?|9D2jq1x4Q7`P^Z``L3D8%qe4Txz+YA}J&Q<pZWg;Oiws
zt~eHnI6gf$6lAg-V*p=A;H_JI`^Gaml-VNUYn%cSjsVvtaF@h&YFzYZ(LG)lmxUC_
z!RG`FHg=SAX2O-~-=wN!_)E6^k@YUO6zPa`UVK|6=BB4BPe{d?9&*dZnQwh4r$OiJ
zUg2DaGl$Dgm6f!+kMAl*T0%eY8~Nd}ktIDkGPUw0iPU72OD_km`|}>~!-%w`1pWP)
zq~Bvvm!c{>Gfq7M=j4)jw#7%S^%(X?I*)=sq#~wI;2{`B!@hJl?7E1(HQw&n0^ESW
z6%BF(!>%QIRJS#6m@e@F2{A(gSCG4|s8>6vt-ZH0_nLQLJa8id-#j!<byjCpGi~Z<
z8ToN)X0JBJIm)Swoo^HTN+z#wq1UzdF6^Nr9pMb)`~UV*Q}=s&3j1E&*(4EtR@|uR
zE`B>^f*bO!*KXKzFMqy0Ws#D$It}~3?{3I<>_hG)B(2*bdCe(oH;(5QfbNK0Iqhwc
z%)_JJDOsa>LsKyYe6J_?zW@C+jqm%&9`~@3CX$KB%={AD|8AX)lU43m6fIx2OR6Qe
zy4)K+J7cD}L0cHFhIfWbs+N>xqB#G4YLx6P{1UbSH^i~#TcT4#)={pJnm2j>(P;o~
zM&KF=X5r=a4Ge>KtFpbicFwFH<~T>1Bny5Kn-ZZ+u4#x3x_`FS;#a*x?wC?#Zid`0
z^4R_Pb8}H18WZ#bhXroPm&Qu2?BSv2Az4bzc%28&!(V;<P6Mas)u;8G@?_QrC)BWx
z@_2(^OWaV-yZA+Z6}TPzXlu@~zpTF23IFQ1+~_>phE2iuCahZQavS{~K#VA+vy8-J
r^4YSl#~#TItul;Sgc$SzhZSx}%aRXIuiGij6N@v_{}y248wdP9UpA5V

literal 0
HcmV?d00001

diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM2_v2.bin b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM2_v2.bin
new file mode 100644
index 0000000000000000000000000000000000000000..81bd5ae61b634bf895c08f7254eacd511e1bd157
GIT binary patch
literal 9520
zcmds+2{cvR`^S$=nG>SvqFa)SYYv%*WKKjWxu#S|DiytrhRBpLBtvu!Zzx14M7^e~
zDAk+NK#6#fk_PfSkJVo5tk&(n{_D4vwO+ro*5llDK4(As+28$~y`OWiU>IhF8yqaS
zEx^s&x1TpI@9oXw$%FF+uU4@khPd6aV43H;0(Bj1pFdc$)b|1KdAK32Q<!@pn`e~n
zqH0kZ&#tBqoRz>8mqyD|X&)N4vV{cNRHv8#hfcV0gZ?S1k8P*{e4hRV)Zy`+_1lnd
zI0G-Lr*R&4PUqfMNZVW_7MKD3f`4Fc)zecK*GbzdNr$`HA6QpUWGAXidJlT$UDTB~
z`ZyF-J_`PzU-qAEnfc}T$(Z>?ti1S6kLM~Y?!yAgD@+|;{sDeDahw0Mt+7or<2hzF
z$+a-oqn(dh0Wop?WU*OmS9gwl;p{$tsGCn(pq9wAb7Y=(gfHm7(r)OaU7UI!Z!!}r
z(#dr3@?NW|NtMV~1Gmj$$=3gNorJvKZJW02HCK>-`E*-lG-Eb(g1JFDnX8<uHsDXS
zebM+nEIf$g!@pf8KDvM6QE3V9MUGCn%_XmMXHzH0Q>4>e%csWo-YK63?ke81*K6&&
zziV(db%JLZ=``2!X-lbT5$mR}!L`M-DWepxi?gW{tZPW8xt34iHG*63O*B2qXcc17
zSd_7PHgy7xkWO<gpH^$OC^VEeCIvn@(Oqn-TRWRN@ep*HYx$(l{YOuUPPEH8SL;eY
zvc}B*JX>`EFF~idmQRj;G8Ts^JfwzK{sJGkZ`;mhKJm?Aol0$7<SWL!u9;d#1{FSA
z)is+s@#8u{EebWYikacD0}pB9hsQ$QEp#N7;+HT1+z@x^<OsIwT%vQ0{X$7>^ZiWV
z&<=7P&gr&aJl~SfmD)$y?8^GENgCpYwr~c{tnU8*)brWtgOXjt!GW32wNA&W>~;iy
z#Co1t-HmE?W_34W%<67I-1lsc$GEp{`M10)2DCwPjSVKWU^d6I5FZab3!uO2{GL9U
zO!Mn3`u8{RUv_Um^Ml4KCwVD5(pSAS|AbYZYMzA-a4<AS^E&ytthg9<+Jd|-k%>*~
zVQyg_z&EowKx}knxa+W(ZVS0j-u)}DeiQhFcQG^%w=IQTBQ!UE=Jz&YnHp5Oh@%;w
zwD_DBC1Eo+-2+Fd&f7cPpg$C=#G<i@#T_qWHwbdtoM6282tJ{9L+@J&9W_t4I*HSB
zgyqzi314^uZP7l=ELOyr#R_{9th+GIirBjEe?2R-Zw%<jI-aG?0)7#TD44Hw!gEN+
z@qGL|x~BKc>$VWi{}=VQVYwI8FX6h}d|uj$HJ;@>|5p8las5%A8Pe@3+_E+4kvUZ)
z9mfzhh#BS&eHTcex)jy!9N2i4m9?XUvrQH_7|MThD?^D_`+vmWigYz3d-|q8Ta@GJ
zca+@+q_m@pzaH{WSTzuhqnU%~-}Uo)HU&Dn7Pp($vx|EhLg5Ax+)(b#weKM|xr)Xd
zl|df<O@f;QEZ);WD|kN9_mDis{;DAZlb$E$m66h3hcrP8^n5aV1`(sW{>i~782gFx
zgG@g?A`^}`!xrH-S9N+U{mC=m-H;N`-Ne;AQQkY7I*Af=nrro8nnk>zS1gB9nP`mm
z@Bo+cZ0aON&}ptcchl^j1AfG?>uMz>_zhQho6V+9iwQc-wR~DNpp_ylpCTS}=z5yp
z-Xz7@)M*Jpr^fk%?sgeXg<?6BD%W(;3(zmDeQ<^vLNHLbKSiu`X#iQVyXBPCW?*QK
zVYX%>#;i6W*1=o5qFDTe2Cpu$FPG^RvWg+Dx6XBzSB_bqxRJ_1s@TW##T8<KeG%1D
zTO@}<Dn`%j9%@$`@VXLe32o6jp3!Z(D&`WaR);4gk=!d>Ok{FouHz})8~X>1MfR*-
z^3<N#CyTTF1_vcilHA_u?WBA4nYc>~UMk=o(82ak{!J;AnDcagG3}Zywt@I1Y#DBd
z(}%L(Hv1{WIizffe|P@$81Ur;?tY?CN29et_-ni5Q>sbIcHku3(0+d~Drz!RKjrUa
z+vJ`fB*T?(9ejhHpc`ladq14v0ETLT3CrCI`}}Q-&i^AZqJM6@jL6bgh?mNSoox74
z!_N3PaQ`s0h4Flkm{RlMea+vjOzC4Q^wNgw=n%($pturuv|28YI}mP|Eyc0dPITt~
z2;d*(2Qxq5|FU0;p(VGmbwyrxt*6|+ShydJ1^7$;0L8oXXZA0Kq~G6((|bvbxqYhU
zppK$)lCz$#oKIg>E@F7InL`5qi^l%DItkS}|4p3)al!%pB0tRPA<3Wjz<B=HV*c#n
zbVB21xs`VIi>fB^OV|nme>S1`<Fv<>F3}|ivJ|6zU`fZw1Rn0`ykogcspylQXk!c;
z`38I?fzPWdzN71~cNyt5b=-Te(M*V|2>jF-eGkn(;`#WS*e1Txi8g32g&W)m@$qIm
zJxS9DCO=S4<*4a*RfYM0@u7J<Bc)Q5C!4?}&f2KkMKW7KWCiaS?K!p7#H{d!e<t==
zeZrezt8qiVm5+RnUzj9#Y0Zu6{0i+6slWQp_$#6<a$3E~$Kz&KQGP%i(RW9U(R65L
zR@p*^_tl(+1!uvxG;VMY#NB8eUTJUTJ4mq(7&~<M4J`548r;yl*qUYOc<s2V*UY(2
z{NT>@GxZA5e_;E2K_3yN-O=ttq-@z&F2GRS*$JfWnw6Jchw-g><C&GJMP$s@0~x$6
zii>t<^N7g`IYY^cB6)1mI|xS@g}^&U6t~{o|ER$tP2}|XQw6EOWpP7&?{3f3pPVO7
z8s>VjmaHal`&Z3=_gp2W+Ki5VA1$U!Y3N$<u{{RAa=4+mj(>eL8u>m`CgZK8%;mtf
zKEUO1L+fL6OkTHK*Um@ZN`%>3>>ddI+V4k7L_bR>Rnpsfg}G=~Mke@0>uzOz)_~bW
zRq{Uhc;mDY$~9;U<3V%r_g-JU%RCIff~eGt@M`@x#I{L_Z7L&d2C?6(mJN6p-|U38
z@C>7M#yzgi<~fc1xZ9E1RQ|AXDPr5-X~ArcsJKt0g`A!I{UqVulI?9*tQEAsb>aw9
zzzyD!A-Bp>x~-*}=t6-Zt52nca6U#_pqO4@`{iE^)xYarlP}vcYP|tC7~)5j8KE)h
zcOHcuC-H=FN-YLP)I)Pa#ll|IzWpnx!mQP2uT?=@Xx(D=P5}%K;@Fw(v1mS+?XfV=
z=-nic&J{g%#Hm(HkE}acZXgPN(R)dym(0e@14lW1@*f`#`17R#V$eSvinzfw(5az3
zBw{ovZckmThm_8b{tWyQri2^fMg{GU&8CV+2Q}KFiiBLCyug$R{6=Ag!%l&tN(H5T
zQeQ-9j=)t2e6xN<c6v+ra88<)a-g@h9&lCMP+s|meBW6}jX&e6{wQbhqsDGDPjH6#
zR7|d7u|8Gn`pMN}F79F-5EpvRXf;v$*8j*jc}1{(LHYubF(Rw7O#C>0STR&aW8<rr
z$)?-zW|$goXj~2T#n!UhyM%qln~q5i^1^nGt^LX2HyrA?q5CyHMVJNMk2m{xM%}5_
z-C`KH27w=R<Tf&r5H7pOxUMWIEC}TTrb*!IB}6Yfmxww)Jv$U^ybPlQUq|3=TMqP%
zXLTyEMJ3j`1SA~=u0`N($?H_PY0qMNd@d{vEs}%J2^ehbDCbN?s@1+p)yN2xZ9SRu
zF25Y<h;&|bOF8a_w>xiW)tMeLW8=)XK9tj-b8fFlzSEf_6{jo8I`)ivlp-ymANY;@
z@Y=|d9v+=q`I1CxG0dk`0@wL@5BQ-+TTp`k{!G&AF>gpy5t$jME`f7#OFVP%Q*Aqj
zoy_E=`a>#WdITPdVfNUUPA88G*juA*&J5uC1g@Z;Clqlt*{im_b;FM`KadbJAaJVO
zH3i-JK`pJ_)%jO_0~3K868Pq!aVu9fR#lUhPR7Xe>6yLS2<IrLvUa>pI#@P&&4Jd?
z(Yv6BhIE88jPL*2OHKCN-BsN8>h>my*f4R!mOJ?Em@#h1w{C|)&)q_HN6JD)Ej4>=
z$*;cSAMh+DY2FeoXia0ge!Q><bVvPO4)Qfm<>gg-Bw43&T|*%ae6J_?zV|)Ip8xyE
zu00VWEhJ;nnfWEQ|J^#9Agk25Fjl_8LyD1KTj>j*oiP*Kpe>A7-8aiET~o>;SzKVB
zRgCOS{1UbSH^i~ln_^Q#)-mqU8aMd<(QX26O5o~ArjeD6O?3Ttt8#t1cFe3FW;jQh
zqzZjmJ|#+-T+<XEd@roc{8vpvZ<|=j+z7o@;<fYh=hl(}G$!Z=4s+a)FZGq&xx+)P
zL$Z{*@dhv62fzCIodzz?YlC!M3S`!YB-OEw^7?{b3*1o7yB&=FDtIg8;g-B(e_4KQ
z5c$<_rQtcY4VyylPFOPR@|zFdhZs>zVf5r<^0~6F#~#WJtulyNh#2$%hb3-E%d!to
Uuh}WiTb^L3_btHqKmzdp07N>HDF6Tf

literal 0
HcmV?d00001

diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM3_v2.bin b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CSVM3_v2.bin
new file mode 100644
index 0000000000000000000000000000000000000000..a86daab3f42c88aeacb7e76b96e4f02550db89d4
GIT binary patch
literal 9580
zcmds+2{2ae`^S%Lk$s64k1dkNzJ=^db`nua)>0uUDtb$0iELRzvP6&N4TT7WsMlVU
z>P=~(M7&5zh5XKCx@XRqr~mxtH)H1YyJs%vne#dKbzk@Q-mY`dU>IhJ8x$JcIB@gw
z8Dxpie}DT_%J6c|>(z9KA#QszMDpdnKy7=Qmyb5A@p%M%8E%Mc73E#ZSusv=Q8q72
zpjXiaPD|kOYhq+%oj*11pbHJOu1Pfl4vjG52JMrTpIXZXuzL6x%8pL%ZP<x?!xeaO
zgEQkPrwrzuMb6ub`2#bdUGNXgt!8fa@+Juz1&IhZyCa(#h%Bh4wBOGo|FX7>!RL|a
zigEA<?b83MOU*CCFGkHTVihI#`aHxenUAq6ikR5H{sa6n;<o%(T|?`Z_LrFH3=>!0
zo=#TTN{ET+7mLf@xW0Sr8)NUqqrI#W>~%z@nJf9SD}rP2TBp9FW=YyZyvls6NGFq3
z0{xcNGfGi!hVGiiiCX>Jb>jB=uyf9$-%L*C_4A!oG3|?~6O0Yg$xP`&jUHQ?&8w!5
z;Ss?MpZ@JSu~Ph#PDluOt#okAYbkx3x0pJ?JViP!wfWTa(JS@K(0%y_b~<eX5BCi(
zrcSVykxol(K5Z{EDW=`}J*2M0dDbA+^YUWq1p6A&X{pVph+57a52l)*WVUhBsIAOg
zznD6KMo6cnHlNn3x5_nEG$jW<3+gSg(XLxeomLQZT59u2m-&yrQmq)53$9jGzM^XL
z=ksFa1uO)emfC!B@Rc+_MqWW`eB;mliTSS0V$LVlC9G4KwTn#Ugy#(ttEk|j7h*k&
zsS_Kn6Xc?hQ!AP3pFHx|S@76In7g@_&>H*}#*Q1}F5L_vw%x0>ZqQ#Ujca+B1sv+Z
zT!(9h%{Pztq8G~SqOJF3f7&VmaYJ3W0;iUD|9|rNoQz@Np3#uNtd|;R<CXS1fInhB
zPc838IXkty8!>8mHz)3UvHN4#UoY?@|C*ljuxPC{#?7&q{o%s<18V{FcU|5$Aem)$
zlScQUG22!5Ml?RCztX~2a-w`x%L;-l^Of_>wSa@6F<REm#$?IVZmY@3(i)Z2ycxz8
z#sPd&8w13~*G0IF@@uz>4#>EFXVGm2pYSe*#^J67k87m*wy$hn1~jw73YT#-@6$OU
zw^f11)J^-y30bFI-EPnxidAUk#MG*;*Kx+2jMhQzuReoM$lcKUR$^D}^Bs<Ylw2NZ
z)wMjAo<Uu74pWO2F>0~G*#!G8^s_Rqe)_K$MRrXAUD>CyHEF;vVv&W*6@olQv>Yxb
zETgD<&A)DQ<NSY7e`}ft(St&+0%pt7MK*X;toXO;&x7la=9xalj?64on-P^;P114*
zrGuDZ{LpuSL|K>Oy1heN&ePI%l`?in0S80#-^@~9=*{7u33sAg^+i2=QlT!I;~Do9
z-G{_AV@kds^-mNViowx*A^Layx|vRnLa)K>rt#wP!NxFnfEPD3_m<lC5bHd7Lx!s0
zJ^sy{TiMM&Qa~$MpXhr?e*59-5j~^6XJ%DV5}rrZK?}4#sjWf8WL^JcVC9VaLjEaA
zIXfm9fmg#;;<i+EdMfe7qrhFCoWR`7)G}4kznD7l5p-H=`C+<w0;gvjgJU^gtmfzt
zlj36P#81#^sja&?`mX^$W9hXuk`sMLE4@q?Q>Rq~otD~s5*yM;<&jAhj6HfY-S=R!
z{9@{~nxIqD@?m$|%;qBgTynK*2Hz!U7xq55LJq+hs6Cj<U$!PdRKB<MjO8|9=!~JZ
zXCg)|HzDT1J9?sN{JDp(uePg@?B}+OCGNLQ^%mDoS_R!oV<1%?TJg;lVu5oJ<x|^*
zM?x#d&+Q-SR2lNT7G?o;(LSEpYa$kVg;t}>gPbJV&r?EV(xObKQhT=y4jb|wSikzY
z9kERsCp%+%1rL(+!MR<e2Mt-cOAKBr;2F@t=1;b*spQy;6gGa%+U+)h_$_QLZirJx
za^AQ2%EjBKZcq4d@$3X}0RndqYSL0`YvlRfDg0d4D0LTb5^m_c_lu663DZseJH;lY
z?<Yxr9oz@speN`C8o=2PS17<xE-+=WU+$2<P4UHlgvN9)OqLT_hKOL9RQTz}AGP%D
zpNAeEgSyb4>Bw0XZ<e=gEsEp;x*|_axQ~h;{sYC8w7bnhApS^%evUZ9L0i80|095Z
zG(V{M0smKhTlFoN4XrBkd+R);55>Xrs4u`@vjxcCr@XLxH6roxUcAn0V$7YhwSHRi
zipfqoKGNO;)p>~F)#i&3{ulNAcX<-Zb^e<?3F3qT?IJ(a@*&}0&p?0v*lzaX@?2um
zHtBV?b}OrA@LQM&fxnoN|9N)LwI06JN3!K(ykSenL<u~?!)dpGWEtPHz8FIc8~Xu#
z9f2>aF1e>|e{e17t?Z=NL4)}a#R&Y&1m%FUUF6HjcX7?EWm6qcUmQ1h5aMIWaeS7p
z79#pcF^!>i&{Y}61Nw)?@tn9)alTX{lOS!Ab`Qx^gvbg%w0Gv#$tGn-H2yPn!14=T
z4O@>J@~wD$I)N*h^U8)>H`(MmBhwc8&ipH~BWg~y*?Z6Jp5lUlc%tvFT7$W;tn6~G
zcCYKXjU4B}w*+qR48+}J6;Wkp=`&2W3Ya*0>>X_J*aqCtxY(FxYkBUzuG7M}NziZa
z=J|Yu=s&RYBd0g7!u}Zd5mJuS8y8?G?wmx@F7>J_Z^KzPyz|IT(;zZx`++207scg#
zZ`+uWh_t?NWw8u4;}wh}j7;F&WAZz0AAZtkp3Zyr;+euU;8M7uw)b~t>CP+@B#kn?
z+9;~Res`f}zgt&HY1ZT8)8i!+aW!pAR=TI)R~k1I*QxJM#-l!FNoKyckh~hW(Hpo7
zZfJjOiOuho?%Dg~M=1|otL-Dsh3$SOM-I|-%L;p0iJ0;AWM+Y1wC`3mWDl86Ri_-1
zNia+wBj13!&>u7we;@SGxw@j=w=g;_GonWK9kFh*e23B)onG8@_1Yn?lH1)-7uGP^
zXWZlKtzSCRpK?21m&O)eAx^COJ1wY<ku2^LX(4SZ^DvpGzjRl}H7hyIAKf^@<Zy#`
zWSCp!sl8U>%@ppy(Di51Lm8hUEl^Cau){KMMjAf!ZYYpy9k((D4u<#%#rCk+jC)VQ
zPmxxHGm5VQM$|*yxRR@1dEl^!EDvqX`5V;`7uvU|y;A^#LhL)WGZu{pwKEpR8NHhX
zQkY_9k2}`!>xgR4ROs=6U-Vv5<te!(>&OX4?}Det0{(n0hZwXEMIJY}2Rb!Yghq}h
z#~-MV+as>^b1)OXg(={MxItm(Q`6a!@nN-&=wfacNG~u&0>4#MX}_2KghFB2fcQ6F
zX9wU)1inqTGAE-oVl+41QZdlWN(Z<yZb)bU(CNKJvI*y0RiEUpdeYR3#tE(vpOVpa
zEY7=n)1YY0go`_W7sQ2hrjf|V^z>s~eay7F;XG5Y@WL@Nbqi9tO)29jJJ3cMxcBV@
zv95D%^r6i^Gf!XRY~aY?;GH0{YKx@LlgH%4B-OUOd7Wai6K@hz!3}BB*id36wX286
zd$ReY@GuLc0@%i19DYMl#SJ~L_9fCZ_+f(S=X0u#b?)Y)z|{!c&w<&%K!~UOa{En1
zVIEFMJur0w-z>y;)v1)v>G}DQ5W}??1^6Zc@7R81U^2T~fi60!-X$RU1aJ)kcT3r%
z%<TLkuFw0@ny_MN_!NObQh;<c;jK~mAzmxVUcTdW?uUX3GzMtxue_ref6L3AC9L{f
zpJ@A*`R{~CYZ#-ve%=DdbH^*sR+e`inA}qa{f4yy1%4wxEY?z_$0ugjy(W=b^$VP<
zfNTAF2K-QB%*i2te<kVknKh;>@y_>Co4}cvg<jbEDtDa3PG_;m`olEFbO<~Q!|bqc
z-Hv-MVebugI<*7WC2%?2eD28WDV}wmZN@*#eL+G@kHBT6Z^&sk3~OlYuPM0h6PN^C
zpTM_`Oj^3C&?+0XcDIksot;1D4R8*9h4`~~zfblnpSfZ0+}PF6(dUeGge&m>>l`*Z
zaDQLPz?-{Uh2p{m^;_@Zk7I_oA>Z0vdVTkc=pD#h@)|03*y@G86CSNtMN+@RSJ;+L
zck@(HG3buky&CLemd3)O@<g~^>86@oI{4m9@cm#q*p6*_Y~O*%u~w2H-~9Lz>;G<#
zPLxvU=8BW4+#}vzP*>#xpR6$>+@LP>SJfxmEkj-0JVlWGkY%jYZTuEyj2q%u+im{Y
z5vy4D7`0oh|7bP?Hz9D<WRs|>re=!n2eCZwp560%k15WPCTZN?1ZMfjGaH%{LLP*7
zm@U*K?5>fe<gKtfrJj4ger+o)M16vGpqSx?e5tNu&Kn(R8<8T{Pd0k8JX+}McN)07
ztP9q5DU{qCnp{si&f)`p&2d9>-pw!OJLjFy$J_Hy{$=sKk$0irD*X#|##=-0Pg%6v
z7PR<1gcwmw;gpn<GI>&OCmu_Wi0Q?0AqH(gvA_*!S^nwy4O{tT0*U%MKLQMoBm(~r
D(I=s5

literal 0
HcmV?d00001

diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CompositeHandlerDetector.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CompositeHandlerDetector.cs
new file mode 100644
index 00000000..9ae1debc
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CompositeHandlerDetector.cs
@@ -0,0 +1,335 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class CompositeHandlerDetector {
+		readonly List<OpCodeHandler> handlers;
+
+		public CompositeHandlerDetector(IList<OpCodeHandler> handlers) {
+			this.handlers = new List<OpCodeHandler>(handlers.Count);
+			OpCodeHandler nop = null;
+			foreach (var handler in handlers) {
+				if (nop == null && handler.OpCodeHandlerInfo.TypeCode == HandlerTypeCode.Nop)
+					nop = handler;
+				else
+					this.handlers.Add(handler);
+			}
+			if (nop != null)
+				this.handlers.Add(nop);
+		}
+
+		struct MatchState {
+			public HandlerState OtherState;
+			public HandlerState CompositeState;
+
+			public MatchState(HandlerState OtherState, HandlerState CompositeState) {
+				this.OtherState = OtherState;
+				this.CompositeState = CompositeState;
+			}
+		}
+
+		struct HandlerState {
+			public readonly HandlerMethod HandlerMethod;
+			public readonly IList<Block> Blocks;
+			public readonly int BlockIndex;
+			public int InstructionIndex;
+
+			public HandlerState(HandlerMethod handlerMethod, int blockIndex, int instructionIndex) {
+				this.HandlerMethod = handlerMethod;
+				this.Blocks = handlerMethod.Blocks.MethodBlocks.GetAllBlocks();
+				this.BlockIndex = blockIndex;
+				this.InstructionIndex = instructionIndex;
+			}
+
+			public HandlerState(HandlerMethod handlerMethod, IList<Block> blocks, int blockIndex, int instructionIndex) {
+				this.HandlerMethod = handlerMethod;
+				this.Blocks = blocks;
+				this.BlockIndex = blockIndex;
+				this.InstructionIndex = instructionIndex;
+			}
+
+			public HandlerState Clone() {
+				return new HandlerState(HandlerMethod, Blocks, BlockIndex, InstructionIndex);
+			}
+		}
+
+		struct FindHandlerState {
+			public HandlerState CompositeState;
+			public readonly Dictionary<int, bool> VisitedCompositeBlocks;
+			public bool Done;
+
+			public FindHandlerState(HandlerState compositeState) {
+				this.CompositeState = compositeState;
+				this.VisitedCompositeBlocks = new Dictionary<int, bool>();
+				this.Done = false;
+			}
+
+			public FindHandlerState(HandlerState compositeState, Dictionary<int, bool> visitedCompositeBlocks, bool done) {
+				this.CompositeState = compositeState;
+				this.VisitedCompositeBlocks = new Dictionary<int, bool>(visitedCompositeBlocks);
+				this.Done = done;
+			}
+
+			public FindHandlerState Clone() {
+				return new FindHandlerState(CompositeState.Clone(), VisitedCompositeBlocks, Done);
+			}
+		}
+
+		public bool FindHandlers(CompositeOpCodeHandler composite) {
+			composite.OpCodeHandlerInfos.Clear();
+			var compositeExecState = new FindHandlerState(new HandlerState(composite.ExecMethod, 0, 0));
+			while (!compositeExecState.Done) {
+				var handler = FindHandlerMethod(ref compositeExecState);
+				if (handler == null)
+					return false;
+
+				composite.OpCodeHandlerInfos.Add(handler.OpCodeHandlerInfo);
+			}
+			return composite.OpCodeHandlerInfos.Count != 0;
+		}
+
+		OpCodeHandler FindHandlerMethod(ref FindHandlerState findExecState) {
+			foreach (var handler in handlers) {
+				FindHandlerState findExecStateNew = findExecState.Clone();
+				if (!Matches(handler.ExecMethod, ref findExecStateNew))
+					continue;
+
+				findExecState = findExecStateNew;
+				return handler;
+			}
+			return null;
+		}
+
+		Stack<MatchState> stack = new Stack<MatchState>();
+		bool Matches(HandlerMethod handler, ref FindHandlerState findState) {
+			HandlerState? nextState = null;
+			stack.Clear();
+			stack.Push(new MatchState(new HandlerState(handler, 0, 0), findState.CompositeState));
+			while (stack.Count > 0) {
+				var matchState = stack.Pop();
+
+				if (matchState.CompositeState.InstructionIndex == 0) {
+					if (findState.VisitedCompositeBlocks.ContainsKey(matchState.CompositeState.BlockIndex))
+						continue;
+					findState.VisitedCompositeBlocks[matchState.CompositeState.BlockIndex] = true;
+				}
+				else {
+					if (!findState.VisitedCompositeBlocks.ContainsKey(matchState.CompositeState.BlockIndex))
+						throw new ApplicationException("Block hasn't been visited");
+				}
+
+				if (!Compare(ref matchState.OtherState, ref matchState.CompositeState))
+					return false;
+
+				var hblock = matchState.OtherState.Blocks[matchState.OtherState.BlockIndex];
+				var hinstrs = hblock.Instructions;
+				int hi = matchState.OtherState.InstructionIndex;
+				var cblock = matchState.CompositeState.Blocks[matchState.CompositeState.BlockIndex];
+				var cinstrs = cblock.Instructions;
+				int ci = matchState.CompositeState.InstructionIndex;
+				if (hi < hinstrs.Count)
+					return false;
+
+				if (ci < cinstrs.Count) {
+					if (hblock.CountTargets() != 0)
+						return false;
+					if (hblock.LastInstr.OpCode.Code == Code.Ret) {
+						if (nextState != null)
+							return false;
+						nextState = matchState.CompositeState;
+					}
+				}
+				else {
+					if (cblock.CountTargets() != hblock.CountTargets())
+						return false;
+					if (cblock.FallThrough != null || hblock.FallThrough != null) {
+						if (cblock.FallThrough == null || hblock.FallThrough == null)
+							return false;
+
+						var hs = CreateHandlerState(handler, matchState.OtherState.Blocks, hblock.FallThrough);
+						var cs = CreateHandlerState(findState.CompositeState.HandlerMethod, findState.CompositeState.Blocks, cblock.FallThrough);
+						stack.Push(new MatchState(hs, cs));
+					}
+					if (cblock.Targets != null || hblock.Targets != null) {
+						if (cblock.Targets == null || hblock.Targets == null ||
+							cblock.Targets.Count != hblock.Targets.Count)
+							return false;
+
+						for (int i = 0; i < cblock.Targets.Count; i++) {
+							var hs = CreateHandlerState(handler, matchState.OtherState.Blocks, hblock.Targets[i]);
+							var cs = CreateHandlerState(findState.CompositeState.HandlerMethod, findState.CompositeState.Blocks, cblock.Targets[i]);
+							stack.Push(new MatchState(hs, cs));
+						}
+					}
+				}
+			}
+
+			if (nextState == null) {
+				findState.Done = true;
+				return true;
+			}
+			else {
+				if (findState.CompositeState.BlockIndex == nextState.Value.BlockIndex &&
+					findState.CompositeState.InstructionIndex == nextState.Value.InstructionIndex)
+					return false;
+				findState.CompositeState = nextState.Value;
+				return true;
+			}
+		}
+
+		static HandlerState CreateHandlerState(HandlerMethod handler, IList<Block> blocks, Block target) {
+			return new HandlerState(handler, blocks.IndexOf(target), 0);
+		}
+
+		static bool Compare(ref HandlerState handler, ref HandlerState composite) {
+			var hinstrs = handler.Blocks[handler.BlockIndex].Instructions;
+			int hi = handler.InstructionIndex;
+			var cinstrs = composite.Blocks[composite.BlockIndex].Instructions;
+			int ci = composite.InstructionIndex;
+
+			while (true) {
+				if (hi >= hinstrs.Count && ci >= cinstrs.Count)
+					break;
+				if (hi >= hinstrs.Count || ci >= cinstrs.Count)
+					return false;
+
+				var hinstr = hinstrs[hi++];
+				var cinstr = cinstrs[ci++];
+				if (hinstr.OpCode.Code == Code.Nop ||
+					cinstr.OpCode.Code == Code.Nop) {
+					if (hinstr.OpCode.Code != Code.Nop)
+						hi--;
+					if (cinstr.OpCode.Code != Code.Nop)
+						ci--;
+					continue;
+				}
+
+				if (hi == hinstrs.Count && hinstr.OpCode.Code == Code.Ret) {
+					if (cinstr.OpCode.Code != Code.Br && cinstr.OpCode.Code != Code.Ret)
+						ci--;
+					break;
+				}
+
+				if (hinstr.OpCode.Code != cinstr.OpCode.Code)
+					return false;
+
+				if (hinstr.OpCode.Code == Code.Ldfld &&
+					hi + 1 < hinstrs.Count && ci + 1 < cinstrs.Count) {
+					var hfield = hinstr.Operand as FieldDef;
+					var cfield = cinstr.Operand as FieldDef;
+					if (hfield != null && cfield != null &&
+						!hfield.IsStatic && !cfield.IsStatic &&
+						hfield.DeclaringType == handler.HandlerMethod.Method.DeclaringType &&
+						cfield.DeclaringType == composite.HandlerMethod.Method.DeclaringType &&
+						SignatureEqualityComparer.Instance.Equals(hfield.Signature, cfield.Signature)) {
+						cinstr = cinstrs[ci++];
+						hinstr = hinstrs[hi++];
+						if (cinstr.OpCode.Code != Code.Ldc_I4 ||
+							hinstr.OpCode.Code != Code.Ldc_I4)
+							return false;
+						continue;
+					}
+				}
+
+				if (!CompareOperand(hinstr.OpCode.OperandType, cinstr.Operand, hinstr.Operand))
+					return false;
+			}
+
+			handler.InstructionIndex = hi;
+			composite.InstructionIndex = ci;
+			return true;
+		}
+
+		static bool CompareOperand(OperandType opType, object a, object b) {
+			switch (opType) {
+			case OperandType.ShortInlineI:
+				return (a is byte && b is byte && (byte)a == (byte)b) ||
+					(a is sbyte && b is sbyte && (sbyte)a == (sbyte)b);
+
+			case OperandType.InlineI:
+				return a is int && b is int && (int)a == (int)b;
+
+			case OperandType.InlineI8:
+				return a is long && b is long && (long)a == (long)b;
+
+			case OperandType.ShortInlineR:
+				return a is float && b is float && (float)a == (float)b;
+
+			case OperandType.InlineR:
+				return a is double && b is double && (double)a == (double)b;
+
+			case OperandType.InlineField:
+				return FieldEqualityComparer.CompareDeclaringTypes.Equals(a as IField, b as IField);
+
+			case OperandType.InlineMethod:
+				return MethodEqualityComparer.CompareDeclaringTypes.Equals(a as IMethod, b as IMethod);
+
+			case OperandType.InlineSig:
+				return SignatureEqualityComparer.Instance.Equals(a as MethodSig, b as MethodSig);
+
+			case OperandType.InlineString:
+				return string.Equals(a as string, b as string);
+
+			case OperandType.InlineSwitch:
+				var al = a as IList<Instruction>;
+				var bl = b as IList<Instruction>;
+				return al != null && bl != null && al.Count == bl.Count;
+
+			case OperandType.InlineTok:
+				var fa = a as IField;
+				var fb = b as IField;
+				if (fa != null && fb != null)
+					return FieldEqualityComparer.CompareDeclaringTypes.Equals(fa, fb);
+				var ma = a as IMethod;
+				var mb = b as IMethod;
+				if (ma != null && mb != null)
+					return MethodEqualityComparer.CompareDeclaringTypes.Equals(ma, mb);
+				return TypeEqualityComparer.Instance.Equals(a as ITypeDefOrRef, b as ITypeDefOrRef);
+
+			case OperandType.InlineType:
+				return TypeEqualityComparer.Instance.Equals(a as ITypeDefOrRef, b as ITypeDefOrRef);
+
+			case OperandType.InlineVar:
+			case OperandType.ShortInlineVar:
+				var la = a as Local;
+				var lb = b as Local;
+				if (la != null && lb != null)
+					return true;
+				var pa = a as Parameter;
+				var pb = b as Parameter;
+				return pa != null && pb != null && pa.Index == pb.Index;
+
+			case OperandType.InlineBrTarget:
+			case OperandType.ShortInlineBrTarget:
+			case OperandType.InlineNone:
+			case OperandType.InlinePhi:
+				return true;
+
+			default:
+				return false;
+			}
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CompositeOpCodeHandler.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CompositeOpCodeHandler.cs
new file mode 100644
index 00000000..2508d020
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CompositeOpCodeHandler.cs
@@ -0,0 +1,67 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using System.Text;
+using dnlib.DotNet;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class HandlerMethod {
+		public MethodDef Method { get; private set; }
+		public Blocks Blocks { get; private set; }
+
+		public HandlerMethod(MethodDef method) {
+			this.Method = method;
+			this.Blocks = new Blocks(method);
+		}
+	}
+
+	class PrimitiveHandlerMethod : HandlerMethod {
+		public MethodSigInfo Sig { get; set; }
+
+		public PrimitiveHandlerMethod(MethodDef method)
+			: base(method) {
+		}
+	}
+
+	class CompositeOpCodeHandler {
+		public TypeDef HandlerType { get; private set; }
+		public HandlerMethod ExecMethod { get; private set; }
+		public List<OpCodeHandlerInfo> OpCodeHandlerInfos { get; private set; }
+
+		public CompositeOpCodeHandler(TypeDef handlerType, HandlerMethod execMethod) {
+			this.HandlerType = handlerType;
+			this.ExecMethod = execMethod;
+			this.OpCodeHandlerInfos = new List<OpCodeHandlerInfo>();
+		}
+
+		public override string ToString() {
+			if (OpCodeHandlerInfos.Count == 0)
+				return "<nothing>";
+			var sb = new StringBuilder();
+			foreach (var handler in OpCodeHandlerInfos) {
+				if (sb.Length != 0)
+					sb.Append(", ");
+				sb.Append(handler.Name);
+			}
+			return sb.ToString();
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/Csvm.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/Csvm.cs
new file mode 100644
index 00000000..9b6f0c10
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/Csvm.cs
@@ -0,0 +1,164 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using dnlib.DotNet;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class Csvm {
+		IDeobfuscatorContext deobfuscatorContext;
+		ModuleDefMD module;
+		EmbeddedResource resource;
+		AssemblyRef vmAssemblyRef;
+
+		public bool Detected {
+			get { return resource != null && vmAssemblyRef != null; }
+		}
+
+		public EmbeddedResource Resource {
+			get { return Detected ? resource : null; }
+		}
+
+		public Csvm(IDeobfuscatorContext deobfuscatorContext, ModuleDefMD module) {
+			this.deobfuscatorContext = deobfuscatorContext;
+			this.module = module;
+		}
+
+		public Csvm(IDeobfuscatorContext deobfuscatorContext, ModuleDefMD module, Csvm oldOne) {
+			this.deobfuscatorContext = deobfuscatorContext;
+			this.module = module;
+			if (oldOne.resource != null)
+				this.resource = (EmbeddedResource)module.Resources[oldOne.module.Resources.IndexOf(oldOne.resource)];
+			if (oldOne.vmAssemblyRef != null)
+				this.vmAssemblyRef = module.ResolveAssemblyRef(oldOne.vmAssemblyRef.Rid);
+		}
+
+		public void Find() {
+			resource = FindCsvmResource();
+			vmAssemblyRef = FindVmAssemblyRef();
+		}
+
+		AssemblyRef FindVmAssemblyRef() {
+			foreach (var memberRef in module.GetMemberRefs()) {
+				var sig = memberRef.MethodSig;
+				if (sig == null)
+					continue;
+				if (sig.RetType.GetElementType() != ElementType.Object)
+					continue;
+				if (sig.Params.Count != 2)
+					continue;
+				if (memberRef.Name != "RunMethod")
+					continue;
+				if (memberRef.FullName == "System.Object VMRuntime.Libraries.CSVMRuntime::RunMethod(System.String,System.Object[])")
+					return memberRef.DeclaringType.Scope as AssemblyRef;
+			}
+			return null;
+		}
+
+		EmbeddedResource FindCsvmResource() {
+			return DotNetUtils.GetResource(module, "_CSVM") as EmbeddedResource;
+		}
+
+		public bool Restore() {
+			if (!Detected)
+				return true;
+
+			int oldIndent = Logger.Instance.IndentLevel;
+			try {
+				Restore2();
+				return true;
+			}
+			catch {
+				return false;
+			}
+			finally {
+				Logger.Instance.IndentLevel = oldIndent;
+			}
+		}
+
+		void Restore2() {
+			Logger.n("Restoring CSVM methods");
+			Logger.Instance.Indent();
+
+			var opcodeDetector = GetVmOpCodeHandlerDetector();
+			var csvmMethods = new CsvmDataReader(resource.Data).Read();
+
+			var converter = new CsvmToCilMethodConverter(deobfuscatorContext, module, opcodeDetector);
+			var methodPrinter = new MethodPrinter();
+			foreach (var csvmMethod in csvmMethods) {
+				var cilMethod = module.ResolveToken(csvmMethod.Token) as MethodDef;
+				if (cilMethod == null)
+					throw new ApplicationException(string.Format("Could not find method {0:X8}", csvmMethod.Token));
+				converter.Convert(cilMethod, csvmMethod);
+				Logger.v("Restored method {0:X8}", cilMethod.MDToken.ToInt32());
+				PrintMethod(methodPrinter, cilMethod);
+			}
+			Logger.Instance.DeIndent();
+			Logger.n("Restored {0} CSVM methods", csvmMethods.Count);
+		}
+
+		static void PrintMethod(MethodPrinter methodPrinter, MethodDef method) {
+			const LoggerEvent dumpLogLevel = LoggerEvent.Verbose;
+			if (Logger.Instance.IgnoresEvent(dumpLogLevel))
+				return;
+
+			Logger.Instance.Indent();
+
+			Logger.v("Locals:");
+			Logger.Instance.Indent();
+			for (int i = 0; i < method.Body.Variables.Count; i++)
+				Logger.v("#{0}: {1}", i, method.Body.Variables[i].Type);
+			Logger.Instance.DeIndent();
+
+			Logger.v("Code:");
+			Logger.Instance.Indent();
+			methodPrinter.Print(dumpLogLevel, method.Body.Instructions, method.Body.ExceptionHandlers);
+			Logger.Instance.DeIndent();
+
+			Logger.Instance.DeIndent();
+		}
+
+		VmOpCodeHandlerDetector GetVmOpCodeHandlerDetector() {
+			var vmFilename = vmAssemblyRef.Name + ".dll";
+			var vmModulePath = Path.Combine(Path.GetDirectoryName(module.Location), vmFilename);
+			Logger.v("CSVM filename: {0}", vmFilename);
+
+			var dataKey = "cs cached VmOpCodeHandlerDetector v2";
+			var dict = (Dictionary<string, VmOpCodeHandlerDetector>)deobfuscatorContext.GetData(dataKey);
+			if (dict == null)
+				deobfuscatorContext.SetData(dataKey, dict = new Dictionary<string, VmOpCodeHandlerDetector>(StringComparer.OrdinalIgnoreCase));
+			VmOpCodeHandlerDetector detector;
+			if (dict.TryGetValue(vmModulePath, out detector))
+				return detector;
+			dict[vmModulePath] = detector = new VmOpCodeHandlerDetector(ModuleDefMD.Load(vmModulePath));
+
+			detector.FindHandlers();
+			Logger.v("CSVM opcodes: {0}", detector.Handlers.Count);
+			Logger.Instance.Indent();
+			for (int i = 0; i < detector.Handlers.Count; i++)
+				Logger.v("{0:X4}: {1}", i, detector.Handlers[i]);
+			Logger.Instance.DeIndent();
+
+			return detector;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmInfo.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmInfo.cs
new file mode 100644
index 00000000..815cc53d
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmInfo.cs
@@ -0,0 +1,779 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class CsvmInfo {
+		ModuleDef module;
+
+		public TypeDef VmHandlerBaseType;
+
+		public MethodDef LogicalOpShrUn;
+		public MethodDef LogicalOpShl;
+		public MethodDef LogicalOpShr;
+		public MethodDef LogicalOpAnd;
+		public MethodDef LogicalOpXor;
+		public MethodDef LogicalOpOr;
+
+		public MethodDef CompareLt;
+		public MethodDef CompareLte;
+		public MethodDef CompareGt;
+		public MethodDef CompareGte;
+		public MethodDef CompareEq;
+		public MethodDef CompareEqz;
+
+		public MethodDef ArithmeticSubOvfUn;
+		public MethodDef ArithmeticMulOvfUn;
+		public MethodDef ArithmeticRemUn;
+		public MethodDef ArithmeticRem;
+		public MethodDef ArithmeticDivUn;
+		public MethodDef ArithmeticDiv;
+		public MethodDef ArithmeticMul;
+		public MethodDef ArithmeticMulOvf;
+		public MethodDef ArithmeticSub;
+		public MethodDef ArithmeticSubOvf;
+		public MethodDef ArithmeticAddOvfUn;
+		public MethodDef ArithmeticAddOvf;
+		public MethodDef ArithmeticAdd;
+
+		public MethodDef UnaryNot;
+		public MethodDef UnaryNeg;
+
+		public MethodDef ArgsGet;
+		public MethodDef ArgsSet;
+		public MethodDef LocalsGet;
+		public MethodDef LocalsSet;
+
+		public CsvmInfo(ModuleDef module) {
+			this.module = module;
+		}
+
+		public bool Initialize() {
+			return FindVmHandlerBase() &&
+					FindLocalOpsMethods() &&
+					FindComparerMethods() &&
+					FindArithmeticMethods() &&
+					FindUnaryOpsMethods() &&
+					FindArgsLocals();
+		}
+
+		public bool FindVmHandlerBase() {
+			foreach (var type in module.Types) {
+				if (!type.IsPublic || !type.IsAbstract)
+					continue;
+				if (type.HasFields || type.HasProperties || type.HasEvents)
+					continue;
+				if (type.BaseType == null || type.BaseType.FullName != "System.Object")
+					continue;
+				if (CountVirtual(type) != 2)
+					continue;
+
+				VmHandlerBaseType = type;
+				return true;
+			}
+
+			return false;
+		}
+
+		public bool FindLocalOpsMethods() {
+			foreach (var type in module.Types) {
+				if (type.BaseType == null || type.BaseType.FullName != "System.Object")
+					continue;
+				if (type.Methods.Count != 6 && type.Methods.Count != 7)
+					continue;
+				LogicalOpShrUn = FindLogicalOpMethodShrUn(type);
+				if (LogicalOpShrUn == null)
+					continue;
+				LogicalOpShl = FindLogicalOpMethodShl(type);
+				LogicalOpShr = FindLogicalOpMethodShr(type);
+				LogicalOpAnd = FindLogicalOpMethodAnd(type);
+				LogicalOpXor = FindLogicalOpMethodXor(type);
+				LogicalOpOr = FindLogicalOpMethodOr(type);
+				if (LogicalOpShrUn != null && LogicalOpShl != null &&
+					LogicalOpShr != null && LogicalOpAnd != null &&
+					LogicalOpXor != null && LogicalOpOr != null)
+					return true;
+			}
+
+			return false;
+		}
+
+		MethodDef FindLogicalOpMethodShrUn(TypeDef type) {
+			return FindLogicalOpMethod(type, ElementType.U4, ElementType.I4, ElementType.U4, Code.Shr_Un);
+		}
+
+		MethodDef FindLogicalOpMethodShl(TypeDef type) {
+			return FindLogicalOpMethod(type, ElementType.I4, ElementType.I4, ElementType.I4, Code.Shl);
+		}
+
+		MethodDef FindLogicalOpMethodShr(TypeDef type) {
+			return FindLogicalOpMethod(type, ElementType.I4, ElementType.I4, ElementType.I4, Code.Shr);
+		}
+
+		MethodDef FindLogicalOpMethod(TypeDef type, ElementType e1, ElementType e2, ElementType e3, Code code) {
+			foreach (var method in type.Methods) {
+				if (!CheckLogicalMethodSig(method))
+					continue;
+				if (method.Body == null)
+					continue;
+				var instrs = method.Body.Instructions;
+				for (int i = 0; i < instrs.Count - 7; i++) {
+					var ldarg0 = instrs[i];
+					if (!ldarg0.IsLdarg() || ldarg0.GetParameterIndex() != 0)
+						continue;
+					if (!CheckUnboxAny(instrs[i + 1], e1))
+						continue;
+					var ldarg1 = instrs[i + 2];
+					if (!ldarg1.IsLdarg() || ldarg1.GetParameterIndex() != 1)
+						continue;
+					if (!CheckUnboxAny(instrs[i + 3], e2))
+						continue;
+					var ldci4 = instrs[i + 4];
+					if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 0x1F)
+						continue;
+					if (instrs[i + 5].OpCode.Code != Code.And)
+						continue;
+					if (instrs[i + 6].OpCode.Code != code)
+						continue;
+					if (!CheckBox(instrs[i + 7], e3))
+						continue;
+
+					return method;
+				}
+			}
+
+			return null;
+		}
+
+		MethodDef FindLogicalOpMethodAnd(TypeDef type) {
+			return FindLogicalOpMethod(type, Code.And);
+		}
+
+		MethodDef FindLogicalOpMethodXor(TypeDef type) {
+			return FindLogicalOpMethod(type, Code.Xor);
+		}
+
+		MethodDef FindLogicalOpMethodOr(TypeDef type) {
+			return FindLogicalOpMethod(type, Code.Or);
+		}
+
+		MethodDef FindLogicalOpMethod(TypeDef type, Code code) {
+			foreach (var method in type.Methods) {
+				if (!CheckLogicalMethodSig(method))
+					continue;
+				if (method.Body == null)
+					continue;
+				var instrs = method.Body.Instructions;
+				for (int i = 0; i < instrs.Count - 5; i++) {
+					var ldarg0 = instrs[i];
+					if (!ldarg0.IsLdarg() || ldarg0.GetParameterIndex() != 0)
+						continue;
+					if (!CheckUnboxAny(instrs[i + 1], ElementType.I4))
+						continue;
+					var ldarg1 = instrs[i + 2];
+					if (!ldarg1.IsLdarg() || ldarg1.GetParameterIndex() != 1)
+						continue;
+					if (!CheckUnboxAny(instrs[i + 3], ElementType.I4))
+						continue;
+					if (instrs[i + 4].OpCode.Code != code)
+						continue;
+					if (!CheckBox(instrs[i + 5], ElementType.I4))
+						continue;
+
+					return method;
+				}
+			}
+
+			return null;
+		}
+
+		static bool CheckLogicalMethodSig(MethodDef method) {
+			return method != null &&
+				method.IsStatic &&
+				method.MethodSig.GetParamCount() == 2 &&
+				method.MethodSig.RetType.GetElementType() == ElementType.Object &&
+				method.MethodSig.Params[0].GetElementType() == ElementType.Object &&
+				method.MethodSig.Params[1].GetElementType() == ElementType.Object;
+		}
+
+		public bool FindComparerMethods() {
+			foreach (var type in module.Types) {
+				if (type.BaseType == null || type.BaseType.FullName != "System.Object")
+					continue;
+				if (type.Methods.Count != 9)
+					continue;
+				CompareLt = FindCompareLt(type);
+				if (CompareLt == null)
+					continue;
+				CompareLte = FindCompareLte(type);
+				CompareGt = FindCompareGt(type);
+				CompareGte = FindCompareGte(type);
+				CompareEq = FindCompareEq(type);
+				CompareEqz = FindCompareEqz(type);
+				if (CompareLt != null && CompareLte != null &&
+					CompareGt != null && CompareGte != null &&
+					CompareEq != null && CompareEqz != null)
+					return true;
+			}
+
+			return false;
+		}
+
+		MethodDef FindCompareLt(TypeDef type) {
+			return FindCompareMethod(type, Code.Clt, false);
+		}
+
+		MethodDef FindCompareLte(TypeDef type) {
+			return FindCompareMethod(type, Code.Cgt, true);
+		}
+
+		MethodDef FindCompareGt(TypeDef type) {
+			return FindCompareMethod(type, Code.Cgt, false);
+		}
+
+		MethodDef FindCompareGte(TypeDef type) {
+			return FindCompareMethod(type, Code.Clt, true);
+		}
+
+		MethodDef FindCompareMethod(TypeDef type, Code code, bool invert) {
+			foreach (var method in type.Methods) {
+				if (!CheckCompareMethodSig(method))
+					continue;
+				if (method.Body == null)
+					continue;
+				var instrs = method.Body.Instructions;
+				int end = instrs.Count - 6;
+				if (invert)
+					end -= 2;
+				for (int i = 0; i < end; i++) {
+					int index = i;
+					var ldarg0 = instrs[index++];
+					if (!ldarg0.IsLdarg() || ldarg0.GetParameterIndex() != 0)
+						continue;
+					if (!CheckUnboxAny(instrs[index++], ElementType.I4))
+						continue;
+					var ldarg1 = instrs[index++];
+					if (!ldarg1.IsLdarg() || ldarg1.GetParameterIndex() != 1)
+						continue;
+					if (!CheckUnboxAny(instrs[index++], ElementType.I4))
+						continue;
+					if (instrs[index++].OpCode.Code != code)
+						continue;
+					if (invert) {
+						var ldci4 = instrs[index++];
+						if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 0)
+							continue;
+						if (instrs[index++].OpCode.Code != Code.Ceq)
+							continue;
+					}
+					if (!instrs[index++].IsStloc())
+						continue;
+
+					return method;
+				}
+			}
+
+			return null;
+		}
+
+		static bool CheckCompareMethodSig(MethodDef method) {
+			if (method == null || !method.IsStatic)
+				return false;
+			var sig = method.MethodSig;
+			if (sig == null || sig.GetParamCount() != 3)
+				return false;
+			if (sig.RetType.GetElementType() != ElementType.Boolean)
+				return false;
+			if (sig.Params[0].GetElementType() != ElementType.Object)
+				return false;
+			if (sig.Params[1].GetElementType() != ElementType.Object)
+				return false;
+			var arg2 = sig.Params[2] as ValueTypeSig;
+			if (arg2 == null || arg2.TypeDef == null || !arg2.TypeDef.IsEnum)
+				return false;
+
+			return true;
+		}
+
+		MethodDef FindCompareEq(TypeDef type) {
+			foreach (var method in type.Methods) {
+				if (!CheckCompareEqMethodSig(method))
+					continue;
+				if (method.Body == null)
+					continue;
+				var instrs = method.Body.Instructions;
+				for (int i = 0; i < instrs.Count - 5; i++) {
+					var ldarg0 = instrs[i];
+					if (!ldarg0.IsLdarg() || ldarg0.GetParameterIndex() != 0)
+						continue;
+					if (!CheckUnboxAny(instrs[i + 1], ElementType.I4))
+						continue;
+					var ldarg1 = instrs[i + 2];
+					if (!ldarg1.IsLdarg() || ldarg1.GetParameterIndex() != 1)
+						continue;
+					if (!CheckUnboxAny(instrs[i + 3], ElementType.I4))
+						continue;
+					if (instrs[i + 4].OpCode.Code != Code.Ceq)
+						continue;
+					if (!instrs[i + 5].IsStloc())
+						continue;
+
+					return method;
+				}
+			}
+
+			return null;
+		}
+
+		static bool CheckCompareEqMethodSig(MethodDef method) {
+			return method != null &&
+				method.IsStatic &&
+				method.MethodSig.GetParamCount() == 2 &&
+				method.MethodSig.RetType.GetElementType() == ElementType.Boolean &&
+				method.MethodSig.Params[0].GetElementType() == ElementType.Object &&
+				method.MethodSig.Params[1].GetElementType() == ElementType.Object;
+		}
+
+		MethodDef FindCompareEqz(TypeDef type) {
+			foreach (var method in type.Methods) {
+				if (!CheckCompareEqzMethodSig(method))
+					continue;
+				if (method.Body == null)
+					continue;
+				var instrs = method.Body.Instructions;
+				for (int i = 0; i < instrs.Count - 4; i++) {
+					var ldarg0 = instrs[i];
+					if (!ldarg0.IsLdarg() || ldarg0.GetParameterIndex() != 0)
+						continue;
+					if (!CheckUnboxAny(instrs[i + 1], ElementType.I4))
+						continue;
+					var ldci4 = instrs[i + 2];
+					if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 0)
+						continue;
+					if (instrs[i + 3].OpCode.Code != Code.Ceq)
+						continue;
+					if (!instrs[i + 4].IsStloc())
+						continue;
+
+					return method;
+				}
+			}
+
+			return null;
+		}
+
+		static bool CheckCompareEqzMethodSig(MethodDef method) {
+			return method != null &&
+				method.IsStatic &&
+				method.MethodSig.GetParamCount() == 1 &&
+				method.MethodSig.RetType.GetElementType() == ElementType.Boolean &&
+				method.MethodSig.Params[0].GetElementType() == ElementType.Object;
+		}
+
+		public bool FindArithmeticMethods() {
+			foreach (var type in module.Types) {
+				if (type.BaseType == null || type.BaseType.FullName != "System.Object")
+					continue;
+				if (type.Methods.Count != 15)
+					continue;
+				ArithmeticSubOvfUn = FindArithmeticSubOvfUn(type);
+				if (ArithmeticSubOvfUn == null)
+					continue;
+				ArithmeticMulOvfUn = FindArithmeticMulOvfUn(type);
+				ArithmeticRemUn = FindArithmeticRemUn(type);
+				ArithmeticRem = FindArithmeticRem(type);
+				ArithmeticDivUn = FindArithmeticDivUn(type);
+				ArithmeticDiv = FindArithmeticDiv(type);
+				ArithmeticMul = FindArithmeticMul(type);
+				ArithmeticMulOvf = FindArithmeticMulOvf(type);
+				ArithmeticSub = FindArithmeticSub(type);
+				ArithmeticSubOvf = FindArithmeticSubOvf(type);
+				ArithmeticAddOvfUn = FindArithmeticAddOvfUn(type);
+				ArithmeticAddOvf = FindArithmeticAddOvf(type);
+				ArithmeticAdd = FindArithmeticAdd(type);
+
+				if (ArithmeticSubOvfUn != null && ArithmeticMulOvfUn != null &&
+					ArithmeticRemUn != null && ArithmeticRem != null &&
+					ArithmeticDivUn != null && ArithmeticDiv != null &&
+					ArithmeticMul != null && ArithmeticMulOvf != null &&
+					ArithmeticSub != null && ArithmeticSubOvf != null &&
+					ArithmeticAddOvfUn != null && ArithmeticAddOvf != null &&
+					ArithmeticAdd != null)
+					return true;
+			}
+
+			return false;
+		}
+
+		MethodDef FindArithmeticSubOvfUn(TypeDef type) {
+			return FindArithmeticOpUn(type, Code.Sub_Ovf_Un);
+		}
+
+		MethodDef FindArithmeticMulOvfUn(TypeDef type) {
+			return FindArithmeticOpUn(type, Code.Mul_Ovf_Un);
+		}
+
+		MethodDef FindArithmeticAddOvfUn(TypeDef type) {
+			return FindArithmeticOpUn(type, Code.Add_Ovf_Un);
+		}
+
+		MethodDef FindArithmeticOpUn(TypeDef type, Code code) {
+			foreach (var method in type.Methods) {
+				if (!CheckArithmeticUnMethodSig(method))
+					continue;
+				if (method.Body == null)
+					continue;
+				var instrs = method.Body.Instructions;
+				for (int i = 0; i < instrs.Count - 8; i++) {
+					var ldarg0 = instrs[i];
+					if (!ldarg0.IsLdarg() || ldarg0.GetParameterIndex() != 0)
+						continue;
+					if (!CheckCallvirt(instrs[i + 1], "System.Int32", "()"))
+						continue;
+					if (instrs[i + 2].OpCode.Code != Code.Conv_Ovf_U4)
+						continue;
+					var ldarg1 = instrs[i + 3];
+					if (!ldarg1.IsLdarg() || ldarg1.GetParameterIndex() != 1)
+						continue;
+					if (!CheckCallvirt(instrs[i + 4], "System.Int32", "()"))
+						continue;
+					if (instrs[i + 5].OpCode.Code != Code.Conv_Ovf_U4)
+						continue;
+					if (instrs[i + 6].OpCode.Code != code)
+						continue;
+					if (!CheckBox(instrs[i + 7], ElementType.U4))
+						continue;
+					if (!instrs[i + 8].IsStloc())
+						continue;
+
+					return method;
+				}
+			}
+
+			return null;
+		}
+
+		static bool CheckArithmeticUnMethodSig(MethodDef method) {
+			return method != null &&
+				method.IsStatic &&
+				method.MethodSig.GetParamCount() == 2 &&
+				method.MethodSig.RetType.GetElementType() == ElementType.Object &&
+				method.MethodSig.Params[0].GetElementType() == ElementType.Class &&
+				method.MethodSig.Params[1].GetElementType() == ElementType.Class;
+		}
+
+		MethodDef FindArithmeticRemUn(TypeDef type) {
+			return FindArithmeticDivOrRemUn(type, Code.Rem_Un);
+		}
+
+		MethodDef FindArithmeticDivUn(TypeDef type) {
+			return FindArithmeticDivOrRemUn(type, Code.Div_Un);
+		}
+
+		MethodDef FindArithmeticDivOrRemUn(TypeDef type, Code code) {
+			foreach (var method in type.Methods) {
+				if (!CheckArithmeticUnMethodSig(method))
+					continue;
+				if (method.Body == null)
+					continue;
+				var instrs = method.Body.Instructions;
+				for (int i = 0; i < instrs.Count - 7; i++) {
+					var ldarg0 = instrs[i];
+					if (!ldarg0.IsLdarg() || ldarg0.GetParameterIndex() != 0)
+						continue;
+					if (!CheckCallvirt(instrs[i + 1], "System.Int32", "()"))
+						continue;
+					var ldarg1 = instrs[i + 2];
+					if (!ldarg1.IsLdarg() || ldarg1.GetParameterIndex() != 1)
+						continue;
+					if (!CheckCallvirt(instrs[i + 3], "System.Int32", "()"))
+						continue;
+					if (instrs[i + 4].OpCode.Code != code)
+						continue;
+					if (!CheckBox(instrs[i + 5], ElementType.U4))
+						continue;
+					if (!instrs[i + 6].IsStloc())
+						continue;
+
+					return method;
+				}
+			}
+
+			return null;
+		}
+
+		MethodDef FindArithmeticRem(TypeDef type) {
+			return FindArithmeticOther(type, Code.Rem);
+		}
+
+		MethodDef FindArithmeticDiv(TypeDef type) {
+			return FindArithmeticOther(type, Code.Div);
+		}
+
+		MethodDef FindArithmeticMul(TypeDef type) {
+			return FindArithmeticOther(type, Code.Mul);
+		}
+
+		MethodDef FindArithmeticMulOvf(TypeDef type) {
+			return FindArithmeticOther(type, Code.Mul_Ovf);
+		}
+
+		MethodDef FindArithmeticSub(TypeDef type) {
+			return FindArithmeticOther(type, Code.Sub);
+		}
+
+		MethodDef FindArithmeticSubOvf(TypeDef type) {
+			return FindArithmeticOther(type, Code.Sub_Ovf);
+		}
+
+		MethodDef FindArithmeticAdd(TypeDef type) {
+			return FindArithmeticOther(type, Code.Add);
+		}
+
+		MethodDef FindArithmeticAddOvf(TypeDef type) {
+			return FindArithmeticOther(type, Code.Add_Ovf);
+		}
+
+		MethodDef FindArithmeticOther(TypeDef type, Code code) {
+			foreach (var method in type.Methods) {
+				if (!CheckArithmeticOtherMethodSig(method))
+					continue;
+				if (method.Body == null)
+					continue;
+				var instrs = method.Body.Instructions;
+				for (int i = 0; i < instrs.Count - 6; i++) {
+					var ldarg0 = instrs[i];
+					if (!ldarg0.IsLdarg() || ldarg0.GetParameterIndex() != 0)
+						continue;
+					if (!CheckUnboxAny(instrs[i + 1], ElementType.I4))
+						continue;
+					var ldarg1 = instrs[i + 2];
+					if (!ldarg1.IsLdarg() || ldarg1.GetParameterIndex() != 1)
+						continue;
+					if (!CheckUnboxAny(instrs[i + 3], ElementType.I4))
+						continue;
+					if (instrs[i + 4].OpCode.Code != code)
+						continue;
+					if (!CheckBox(instrs[i + 5], ElementType.I4))
+						continue;
+
+					return method;
+				}
+			}
+
+			return null;
+		}
+
+		static bool CheckArithmeticOtherMethodSig(MethodDef method) {
+			return method != null &&
+				method.IsStatic &&
+				method.MethodSig.GetParamCount() == 2 &&
+				method.MethodSig.RetType.GetElementType() == ElementType.Object &&
+				method.MethodSig.Params[0].GetElementType() == ElementType.Object &&
+				method.MethodSig.Params[1].GetElementType() == ElementType.Object;
+		}
+
+		public bool FindUnaryOpsMethods() {
+			UnaryNot = FindUnaryOpMethod(Code.Not);
+			UnaryNeg = FindUnaryOpMethod(Code.Neg);
+			return UnaryNot != null && UnaryNeg != null;
+		}
+
+		MethodDef FindUnaryOpMethod(Code code) {
+			foreach (var type in module.Types) {
+				if (type.BaseType != VmHandlerBaseType)
+					continue;
+				if (type.Methods.Count != 4)
+					continue;
+				foreach (var method in type.Methods) {
+					if (!method.HasBody || !method.IsStatic)
+						continue;
+					if (!DotNetUtils.IsMethod(method, "System.Object", "(System.Object)"))
+						continue;
+					if (CountThrows(method) != 1)
+						continue;
+					var instrs = method.Body.Instructions;
+					for (int i = 0; i < instrs.Count - 4; i++) {
+						var ldarg = instrs[i];
+						if (!ldarg.IsLdarg() || ldarg.GetParameterIndex() != 0)
+							continue;
+						if (!CheckUnboxAny(instrs[i + 1], ElementType.I4))
+							continue;
+						if (instrs[i + 2].OpCode.Code != code)
+							continue;
+						if (!CheckBox(instrs[i + 3], ElementType.I4))
+							continue;
+						if (!instrs[i + 4].IsStloc())
+							continue;
+
+						return method;
+					}
+				}
+			}
+			return null;
+		}
+
+		static int CountThrows(MethodDef method) {
+			if (method == null || method.Body == null)
+				return 0;
+			int count = 0;
+			foreach (var instr in method.Body.Instructions) {
+				if (instr.OpCode.Code == Code.Throw)
+					count++;
+			}
+			return count;
+		}
+
+		public bool FindArgsLocals() {
+			var vmState = FindVmState();
+			if (vmState == null)
+				return false;
+
+			var ctor = vmState.FindMethod(".ctor");
+			return FindArgsLocals(ctor, 1, out ArgsGet, out ArgsSet) &&
+				FindArgsLocals(ctor, 2, out LocalsGet, out LocalsSet);
+		}
+
+		TypeDef FindVmState() {
+			if (VmHandlerBaseType == null)
+				return null;
+			foreach (var method in VmHandlerBaseType.Methods) {
+				if (method.IsStatic || !method.IsAbstract)
+					continue;
+				if (method.Parameters.Count != 2)
+					continue;
+				var arg1 = method.Parameters[1].Type.TryGetTypeDef();
+				if (arg1 == null)
+					continue;
+
+				return arg1;
+			}
+			return null;
+		}
+
+		static bool FindArgsLocals(MethodDef ctor, int arg, out MethodDef getter, out MethodDef setter) {
+			getter = null;
+			setter = null;
+			if (ctor == null || !ctor.HasBody)
+				return false;
+
+			setter = FindSetter(ctor, arg);
+			if (setter == null)
+				return false;
+
+			var propField = GetPropField(setter);
+			if (propField == null)
+				return false;
+
+			getter = FindGetter(ctor.DeclaringType, propField);
+			return getter != null;
+		}
+
+		static MethodDef FindSetter(MethodDef ctor, int arg) {
+			if (ctor == null || !ctor.HasBody)
+				return null;
+
+			var instrs = ctor.Body.Instructions;
+			for (int i = 0; i < instrs.Count - 1; i++) {
+				var ldarg = instrs[i];
+				if (!ldarg.IsLdarg() || ldarg.GetParameterIndex() != arg)
+					continue;
+				var call = instrs[i + 1];
+				if (call.OpCode.Code != Code.Call)
+					continue;
+				var method = call.Operand as MethodDef;
+				if (method == null)
+					continue;
+				if (method.DeclaringType != ctor.DeclaringType)
+					continue;
+
+				return method;
+			}
+
+			return null;
+		}
+
+		static FieldDef GetPropField(MethodDef method) {
+			if (method == null || !method.HasBody)
+				return null;
+
+			foreach (var instr in method.Body.Instructions) {
+				if (instr.OpCode.Code != Code.Stfld)
+					continue;
+				var field = instr.Operand as FieldDef;
+				if (field == null || field.DeclaringType != method.DeclaringType)
+					continue;
+
+				return field;
+			}
+
+			return null;
+		}
+
+		static MethodDef FindGetter(TypeDef type, FieldDef propField) {
+			foreach (var method in type.Methods) {
+				if (method.IsStatic || !method.HasBody)
+					continue;
+				foreach (var instr in method.Body.Instructions) {
+					if (instr.OpCode.Code != Code.Ldfld)
+						continue;
+					if (instr.Operand != propField)
+						continue;
+
+					return method;
+				}
+			}
+
+			return null;
+		}
+
+		static bool CheckCallvirt(Instruction instr, string returnType, string parameters) {
+			if (instr.OpCode.Code != Code.Callvirt)
+				return false;
+			return DotNetUtils.IsMethod(instr.Operand as IMethod, returnType, parameters);
+		}
+
+		bool CheckUnboxAny(Instruction instr, ElementType expectedType) {
+			if (instr == null || instr.OpCode.Code != Code.Unbox_Any)
+				return false;
+			var typeSig = module.CorLibTypes.GetCorLibTypeSig(instr.Operand as ITypeDefOrRef);
+			return typeSig.GetElementType() == expectedType;
+		}
+
+		bool CheckBox(Instruction instr, ElementType expectedType) {
+			if (instr == null || instr.OpCode.Code != Code.Box)
+				return false;
+			var typeSig = module.CorLibTypes.GetCorLibTypeSig(instr.Operand as ITypeDefOrRef);
+			return typeSig.GetElementType() == expectedType;
+		}
+
+		static int CountVirtual(TypeDef type) {
+			int count = 0;
+			foreach (var method in type.Methods) {
+				if (method.IsVirtual)
+					count++;
+			}
+			return count;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.Designer.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.Designer.cs
new file mode 100644
index 00000000..6153040b
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.Designer.cs
@@ -0,0 +1,93 @@
+//------------------------------------------------------------------------------
+// <auto-generated>
+//     This code was generated by a tool.
+//     Runtime Version:4.0.30319.18052
+//
+//     Changes to this file may cause incorrect behavior and will be lost if
+//     the code is regenerated.
+// </auto-generated>
+//------------------------------------------------------------------------------
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+    using System;
+    
+    
+    /// <summary>
+    ///   A strongly-typed resource class, for looking up localized strings, etc.
+    /// </summary>
+    // This class was auto-generated by the StronglyTypedResourceBuilder
+    // class via a tool like ResGen or Visual Studio.
+    // To add or remove a member, edit your .ResX file then rerun ResGen
+    // with the /str option, or rebuild your VS project.
+    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")]
+    [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
+    [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
+    internal class CsvmResources {
+        
+        private static global::System.Resources.ResourceManager resourceMan;
+        
+        private static global::System.Globalization.CultureInfo resourceCulture;
+        
+        [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
+        internal CsvmResources() {
+        }
+        
+        /// <summary>
+        ///   Returns the cached ResourceManager instance used by this class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Resources.ResourceManager ResourceManager {
+            get {
+                if (object.ReferenceEquals(resourceMan, null)) {
+                    global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("de4dot.code.deobfuscators.Agile_NET.vm.v2.CsvmResources", typeof(CsvmResources).Assembly);
+                    resourceMan = temp;
+                }
+                return resourceMan;
+            }
+        }
+        
+        /// <summary>
+        ///   Overrides the current thread's CurrentUICulture property for all
+        ///   resource lookups using this strongly typed resource class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Globalization.CultureInfo Culture {
+            get {
+                return resourceCulture;
+            }
+            set {
+                resourceCulture = value;
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized resource of type System.Byte[].
+        /// </summary>
+        internal static byte[] CSVM1_v2 {
+            get {
+                object obj = ResourceManager.GetObject("CSVM1_v2", resourceCulture);
+                return ((byte[])(obj));
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized resource of type System.Byte[].
+        /// </summary>
+        internal static byte[] CSVM2_v2 {
+            get {
+                object obj = ResourceManager.GetObject("CSVM2_v2", resourceCulture);
+                return ((byte[])(obj));
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized resource of type System.Byte[].
+        /// </summary>
+        internal static byte[] CSVM3_v2 {
+            get {
+                object obj = ResourceManager.GetObject("CSVM3_v2", resourceCulture);
+                return ((byte[])(obj));
+            }
+        }
+    }
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.resx b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.resx
new file mode 100644
index 00000000..254aef83
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmResources.resx
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="utf-8"?>
+<root>
+  <!-- 
+    Microsoft ResX Schema 
+    
+    Version 2.0
+    
+    The primary goals of this format is to allow a simple XML format 
+    that is mostly human readable. The generation and parsing of the 
+    various data types are done through the TypeConverter classes 
+    associated with the data types.
+    
+    Example:
+    
+    ... ado.net/XML headers & schema ...
+    <resheader name="resmimetype">text/microsoft-resx</resheader>
+    <resheader name="version">2.0</resheader>
+    <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
+    <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
+    <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
+    <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
+    <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
+        <value>[base64 mime encoded serialized .NET Framework object]</value>
+    </data>
+    <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
+        <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
+        <comment>This is a comment</comment>
+    </data>
+                
+    There are any number of "resheader" rows that contain simple 
+    name/value pairs.
+    
+    Each data row contains a name, and value. The row also contains a 
+    type or mimetype. Type corresponds to a .NET class that support 
+    text/value conversion through the TypeConverter architecture. 
+    Classes that don't support this are serialized and stored with the 
+    mimetype set.
+    
+    The mimetype is used for serialized objects, and tells the 
+    ResXResourceReader how to depersist the object. This is currently not 
+    extensible. For a given mimetype the value must be set accordingly:
+    
+    Note - application/x-microsoft.net.object.binary.base64 is the format 
+    that the ResXResourceWriter will generate, however the reader can 
+    read any of the formats listed below.
+    
+    mimetype: application/x-microsoft.net.object.binary.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
+            : and then encoded with base64 encoding.
+    
+    mimetype: application/x-microsoft.net.object.soap.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
+            : and then encoded with base64 encoding.
+
+    mimetype: application/x-microsoft.net.object.bytearray.base64
+    value   : The object must be serialized into a byte array 
+            : using a System.ComponentModel.TypeConverter
+            : and then encoded with base64 encoding.
+    -->
+  <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
+    <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
+    <xsd:element name="root" msdata:IsDataSet="true">
+      <xsd:complexType>
+        <xsd:choice maxOccurs="unbounded">
+          <xsd:element name="metadata">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" />
+              </xsd:sequence>
+              <xsd:attribute name="name" use="required" type="xsd:string" />
+              <xsd:attribute name="type" type="xsd:string" />
+              <xsd:attribute name="mimetype" type="xsd:string" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="assembly">
+            <xsd:complexType>
+              <xsd:attribute name="alias" type="xsd:string" />
+              <xsd:attribute name="name" type="xsd:string" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="data">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+                <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
+              <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
+              <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="resheader">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" />
+            </xsd:complexType>
+          </xsd:element>
+        </xsd:choice>
+      </xsd:complexType>
+    </xsd:element>
+  </xsd:schema>
+  <resheader name="resmimetype">
+    <value>text/microsoft-resx</value>
+  </resheader>
+  <resheader name="version">
+    <value>2.0</value>
+  </resheader>
+  <resheader name="reader">
+    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <resheader name="writer">
+    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <assembly alias="System.Windows.Forms" name="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
+  <data name="CSVM1_v2" type="System.Resources.ResXFileRef, System.Windows.Forms">
+    <value>CSVM1_v2.bin;System.Byte[], mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </data>
+  <data name="CSVM2_v2" type="System.Resources.ResXFileRef, System.Windows.Forms">
+    <value>CSVM2_v2.bin;System.Byte[], mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </data>
+  <data name="CSVM3_v2" type="System.Resources.ResXFileRef, System.Windows.Forms">
+    <value>CSVM3_v2.bin;System.Byte[], mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </data>
+</root>
\ No newline at end of file
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmToCilMethodConverter.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmToCilMethodConverter.cs
new file mode 100644
index 00000000..3cc2f2f6
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/CsvmToCilMethodConverter.cs
@@ -0,0 +1,64 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class CsvmToCilMethodConverter : CsvmToCilMethodConverterBase {
+		VmOpCodeHandlerDetector opCodeDetector;
+
+		public CsvmToCilMethodConverter(IDeobfuscatorContext deobfuscatorContext, ModuleDefMD module, VmOpCodeHandlerDetector opCodeDetector)
+			: base(deobfuscatorContext, module) {
+			this.opCodeDetector = opCodeDetector;
+		}
+
+		protected override List<Instruction> ReadInstructions(MethodDef cilMethod, CsvmMethodData csvmMethod) {
+			var reader = new BinaryReader(new MemoryStream(csvmMethod.Instructions));
+			var instrs = new List<Instruction>();
+			var handlerInfoReader = new OpCodeHandlerInfoReader(module);
+
+			int numVmInstrs = reader.ReadInt32();
+			var vmInstrs = new ushort[numVmInstrs];
+			for (int i = 0; i < numVmInstrs; i++)
+				vmInstrs[i] = reader.ReadUInt16();
+
+			uint offset = 0;
+			for (int vmInstrIndex = 0; vmInstrIndex < numVmInstrs; vmInstrIndex++) {
+				var composite = opCodeDetector.Handlers[vmInstrs[vmInstrIndex]];
+				var handlerInfos = composite.OpCodeHandlerInfos;
+				if (handlerInfos.Count == 0)
+					handlerInfos = new List<OpCodeHandlerInfo>() { new OpCodeHandlerInfo(HandlerTypeCode.Nop, null) };
+				for (int hi = 0; hi < handlerInfos.Count; hi++) {
+					var instr = handlerInfoReader.Read(handlerInfos[hi].TypeCode, reader);
+					instr.Offset = offset;
+					offset += (uint)GetInstructionSize(instr);
+					SetCilToVmIndex(instr, vmInstrIndex);
+					if (hi == 0)
+						SetVmIndexToCil(instr, vmInstrIndex);
+					instrs.Add(instr);
+				}
+			}
+			return instrs;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/HandlerTypeCode.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/HandlerTypeCode.cs
new file mode 100644
index 00000000..d679c54d
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/HandlerTypeCode.cs
@@ -0,0 +1,102 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	// These constants are hard coded. Don't change the values (i.e., only append if more are needed)
+	enum HandlerTypeCode {
+		Add,
+		Add_Ovf,
+		Add_Ovf_Un,
+		And,
+		Beq,
+		Bge,
+		Bge_Un,
+		Bgt,
+		Bgt_Un,
+		Ble,
+		Ble_Un,
+		Blt,
+		Blt_Un,
+		Bne_Un,
+		Box,
+		Br,
+		Brfalse,
+		Brtrue,
+		Call,
+		Callvirt,
+		Castclass,
+		Ceq,
+		Cgt,
+		Cgt_Un,
+		Clt,
+		Clt_Un,
+		Conv,
+		Div,
+		Div_Un,
+		Dup,
+		Endfinally,
+		Initobj,
+		Isinst,
+		Ldarg,
+		Ldarga,
+		Ldc,
+		Ldelem,
+		Ldelema,
+		Ldfld_Ldsfld,
+		Ldflda_Ldsflda,
+		Ldftn,
+		Ldlen,
+		Ldloc,
+		Ldloca,
+		Ldobj,
+		Ldstr,
+		Ldtoken,
+		Ldvirtftn,
+		Leave,
+		Mul,
+		Mul_Ovf,
+		Mul_Ovf_Un,
+		Neg,
+		Newarr,
+		Newobj,
+		Nop,
+		Not,
+		Or,
+		Pop,
+		Rem,
+		Rem_Un,
+		Ret,
+		Rethrow,
+		Shl,
+		Shr,
+		Shr_Un,
+		Starg,
+		Stelem,
+		Stfld_Stsfld,
+		Stloc,
+		Stobj,
+		Sub,
+		Sub_Ovf,
+		Sub_Ovf_Un,
+		Switch,
+		Throw,
+		Unbox_Any,
+		Xor,
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/MethodFinder.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/MethodFinder.cs
new file mode 100644
index 00000000..ca206830
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/MethodFinder.cs
@@ -0,0 +1,109 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class MethodFinder {
+		readonly IList<OpCodeHandlerInfo> handlerInfos;
+		readonly PrimitiveHandlerMethod handlerMethod;
+
+		class SigState {
+			public readonly MethodSigInfo SigInfo;
+
+			public SigState(PrimitiveHandlerMethod handlerMethod) {
+				this.SigInfo = handlerMethod.Sig;
+			}
+		}
+
+		public MethodFinder(IList<OpCodeHandlerInfo> handlerInfos, PrimitiveHandlerMethod handlerMethod) {
+			this.handlerInfos = handlerInfos;
+			this.handlerMethod = handlerMethod;
+		}
+
+		public OpCodeHandler FindHandler() {
+			var handler = FindHandler(new SigState(handlerMethod));
+			if (handler == null)
+				return null;
+
+			return new OpCodeHandler(handler, handlerMethod.Method.DeclaringType, handlerMethod);
+		}
+
+		OpCodeHandlerInfo FindHandler(SigState execSigState) {
+			foreach (var handler in handlerInfos) {
+				if (Matches(handler.ExecSig, execSigState))
+					return handler;
+			}
+			return null;
+		}
+
+		struct MatchInfo {
+			public int HandlerIndex;
+			public int SigIndex;
+
+			public MatchInfo(int handlerIndex, int sigIndex) {
+				this.HandlerIndex = handlerIndex;
+				this.SigIndex = sigIndex;
+			}
+		}
+
+		Dictionary<int, int> sigIndexToHandlerIndex = new Dictionary<int, int>();
+		Dictionary<int, int> handlerIndexToSigIndex = new Dictionary<int, int>();
+		Stack<MatchInfo> stack = new Stack<MatchInfo>();
+		bool Matches(MethodSigInfo handlerSig, SigState sigState) {
+			stack.Clear();
+			sigIndexToHandlerIndex.Clear();
+			handlerIndexToSigIndex.Clear();
+			var handlerInfos = handlerSig.BlockInfos;
+			var sigInfos = sigState.SigInfo.BlockInfos;
+
+			stack.Push(new MatchInfo(0, 0));
+			while (stack.Count > 0) {
+				var info = stack.Pop();
+
+				int handlerIndex, sigIndex;
+				bool hasVisitedHandler = handlerIndexToSigIndex.TryGetValue(info.HandlerIndex, out sigIndex);
+				bool hasVisitedSig = sigIndexToHandlerIndex.TryGetValue(info.SigIndex, out handlerIndex);
+				if (hasVisitedHandler != hasVisitedSig)
+					return false;
+				if (hasVisitedHandler) {
+					if (handlerIndex != info.HandlerIndex || sigIndex != info.SigIndex)
+						return false;
+					continue;
+				}
+				handlerIndexToSigIndex[info.HandlerIndex] = info.SigIndex;
+				sigIndexToHandlerIndex[info.SigIndex] = info.HandlerIndex;
+
+				var handlerBlock = handlerInfos[info.HandlerIndex];
+				var sigBlock = sigInfos[info.SigIndex];
+
+				if (!handlerBlock.Equals(sigBlock))
+					return false;
+
+				for (int i = 0; i < handlerBlock.Targets.Count; i++) {
+					int handlerTargetIndex = handlerBlock.Targets[i];
+					int sigTargetIndex = sigBlock.Targets[i];
+					stack.Push(new MatchInfo(handlerTargetIndex, sigTargetIndex));
+				}
+			}
+
+			return true;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/MethodSigInfoCreator.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/MethodSigInfoCreator.cs
new file mode 100644
index 00000000..c311e0a9
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/MethodSigInfoCreator.cs
@@ -0,0 +1,737 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Security.Cryptography;
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+using dnlib.DotNet.MD;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class MethodSigInfo {
+		readonly List<BlockInfo> blockInfos;
+
+		public List<BlockInfo> BlockInfos {
+			get { return blockInfos; }
+		}
+
+		public MethodSigInfo() {
+			this.blockInfos = new List<BlockInfo>();
+		}
+
+		public MethodSigInfo(IEnumerable<BlockInfo> blockInfos) {
+			this.blockInfos = new List<BlockInfo>(blockInfos);
+		}
+	}
+
+	class BlockInfo : IEquatable<BlockInfo> {
+		readonly List<int> targets;
+
+		public byte[] Hash { get; set; }
+		public List<int> Targets {
+			get { return targets; }
+		}
+
+		public BlockInfo() {
+			this.targets = new List<int>();
+		}
+
+		public BlockInfo(byte[] hash, IEnumerable<int> targets) {
+			this.Hash = hash;
+			this.targets = new List<int>(targets);
+		}
+
+		public override string ToString() {
+			if (Hash == null)
+				return "<null>";
+			return BitConverter.ToString(Hash).Replace("-", string.Empty);
+		}
+
+		public bool Equals(BlockInfo other) {
+			return Equals(Hash, other.Hash) &&
+				Targets.Count == other.Targets.Count;
+		}
+
+		bool Equals(byte[] a, byte[] b) {
+			if (a == b)
+				return true;
+			if (a == null || b == null)
+				return false;
+			if (a.Length != b.Length)
+				return false;
+			for (int i = 0; i < a.Length; i++) {
+				if (a[i] != b[i])
+					return false;
+			}
+			return true;
+		}
+	}
+
+	class MethodSigInfoCreator {
+		MethodSigInfo methodSigInfo;
+		Blocks blocks;
+		IList<Block> allBlocks;
+		Dictionary<Block, BlockInfo> blockToInfo;
+		Dictionary<object, int> methodToId = new Dictionary<object, int>();
+
+		public void AddId(object key, int id) {
+			if (key != null)
+				methodToId[key] = id;
+		}
+
+		int GetId(object key) {
+			if (key == null)
+				return int.MinValue;
+
+			int id;
+			if (methodToId.TryGetValue(key, out id))
+				return id;
+			return int.MinValue + 1;
+		}
+
+		public MethodSigInfo Create(Blocks blocks) {
+			methodSigInfo = new MethodSigInfo();
+
+			this.blocks = blocks;
+			allBlocks = blocks.MethodBlocks.GetAllBlocks();
+
+			blockToInfo = new Dictionary<Block, BlockInfo>();
+			foreach (var block in allBlocks) {
+				var blockInfo = new BlockInfo();
+				blockToInfo[block] = blockInfo;
+				methodSigInfo.BlockInfos.Add(blockInfo);
+			}
+
+			foreach (var block in allBlocks) {
+				var blockInfo = blockToInfo[block];
+				Update(blockInfo, block);
+				if (block.FallThrough != null)
+					blockInfo.Targets.Add(allBlocks.IndexOf(block.FallThrough));
+				if (block.Targets != null) {
+					foreach (var target in block.Targets)
+						blockInfo.Targets.Add(allBlocks.IndexOf(target));
+				}
+			}
+
+			return methodSigInfo;
+		}
+
+		void Update(BlockInfo blockInfo, Block block) {
+			using (var hasher = MD5.Create()) {
+				bool emptyHash;
+				using (var outStream = new NullStream()) {
+					using (var csStream = new CryptoStream(outStream, hasher, CryptoStreamMode.Write)) {
+						var writer = new BinaryWriter(csStream);
+						Update(writer, blockInfo, block);
+					}
+					emptyHash = outStream.Length == 0;
+				}
+				if (!emptyHash)
+					blockInfo.Hash = hasher.Hash;
+			}
+		}
+
+		void Update(BinaryWriter writer, BlockInfo blockInfo, Block block) {
+			var instrs = block.Instructions;
+			for (int i = 0; i < instrs.Count; i++) {
+				var instr = instrs[i];
+				switch (instr.OpCode.Code) {
+				case Code.Beq_S:
+				case Code.Bge_S:
+				case Code.Bgt_S:
+				case Code.Ble_S:
+				case Code.Blt_S:
+				case Code.Bne_Un_S:
+				case Code.Bge_Un_S:
+				case Code.Bgt_Un_S:
+				case Code.Ble_Un_S:
+				case Code.Blt_Un_S:
+				case Code.Brfalse_S:
+				case Code.Brtrue_S:
+				case Code.Leave_S:
+				case Code.Beq:
+				case Code.Bge:
+				case Code.Bgt:
+				case Code.Ble:
+				case Code.Blt:
+				case Code.Bne_Un:
+				case Code.Bge_Un:
+				case Code.Bgt_Un:
+				case Code.Ble_Un:
+				case Code.Blt_Un:
+				case Code.Brfalse:
+				case Code.Brtrue:
+				case Code.Leave:
+					writer.Write((ushort)SimplifyBranch(instr.OpCode.Code));
+					break;
+
+				case Code.Switch:
+					writer.Write((ushort)instr.OpCode.Code);
+					writer.Write(blockInfo.Targets.Count);
+					break;
+
+				case Code.Br_S:
+				case Code.Br:
+					break;
+
+				case Code.Ret:
+					break;
+
+				case Code.Ldc_I4_M1:
+				case Code.Ldc_I4_0:
+				case Code.Ldc_I4_1:
+				case Code.Ldc_I4_2:
+				case Code.Ldc_I4_3:
+				case Code.Ldc_I4_4:
+				case Code.Ldc_I4_5:
+				case Code.Ldc_I4_6:
+				case Code.Ldc_I4_7:
+				case Code.Ldc_I4_8:
+				case Code.Ldc_I4:
+				case Code.Ldc_I4_S:
+					writer.Write((ushort)Code.Ldc_I4);
+					writer.Write(instr.GetLdcI4Value());
+					break;
+
+				case Code.Ldc_I8:
+					writer.Write((ushort)instr.OpCode.Code);
+					writer.Write((long)instr.Operand);
+					break;
+
+				case Code.Ldc_R4:
+					writer.Write((ushort)instr.OpCode.Code);
+					writer.Write((float)instr.Operand);
+					break;
+
+				case Code.Ldc_R8:
+					writer.Write((ushort)instr.OpCode.Code);
+					writer.Write((double)instr.Operand);
+					break;
+
+				case Code.Ldfld:
+					var typeField = instr.Operand as FieldDef;
+					bool isField = IsTypeField(typeField);
+					writer.Write((ushort)instr.OpCode.Code);
+					writer.Write(isField);
+					if (isField) {
+						if (i + 1 < instrs.Count && instrs[i + 1].IsLdcI4())
+							i++;
+						writer.Write(GetFieldId(typeField));
+					}
+					else
+						Write(writer, instr.Operand);
+					break;
+
+				case Code.Call:
+				case Code.Callvirt:
+				case Code.Newobj:
+				case Code.Jmp:
+				case Code.Ldftn:
+				case Code.Ldvirtftn:
+				case Code.Ldtoken:
+				case Code.Stfld:
+				case Code.Ldsfld:
+				case Code.Stsfld:
+				case Code.Ldflda:
+				case Code.Ldsflda:
+				case Code.Cpobj:
+				case Code.Ldobj:
+				case Code.Castclass:
+				case Code.Isinst:
+				case Code.Unbox:
+				case Code.Stobj:
+				case Code.Box:
+				case Code.Newarr:
+				case Code.Ldelema:
+				case Code.Ldelem:
+				case Code.Stelem:
+				case Code.Unbox_Any:
+				case Code.Refanyval:
+				case Code.Mkrefany:
+				case Code.Initobj:
+				case Code.Constrained:
+				case Code.Sizeof:
+					writer.Write((ushort)instr.OpCode.Code);
+					Write(writer, instr.Operand);
+					break;
+
+				case Code.Ldstr:
+					writer.Write((ushort)instr.OpCode.Code);
+					break;
+
+				case Code.Ldarg:
+				case Code.Ldarg_S:
+				case Code.Ldarg_0:
+				case Code.Ldarg_1:
+				case Code.Ldarg_2:
+				case Code.Ldarg_3:
+					writer.Write((ushort)Code.Ldarg);
+					writer.Write(instr.Instruction.GetParameterIndex());
+					break;
+
+				case Code.Ldarga:
+				case Code.Ldarga_S:
+					writer.Write((ushort)Code.Ldarga);
+					writer.Write(instr.Instruction.GetParameterIndex());
+					break;
+
+				case Code.Starg:
+				case Code.Starg_S:
+					writer.Write((ushort)Code.Starg);
+					writer.Write(instr.Instruction.GetParameterIndex());
+					break;
+
+				case Code.Ldloc:
+				case Code.Ldloc_S:
+				case Code.Ldloc_0:
+				case Code.Ldloc_1:
+				case Code.Ldloc_2:
+				case Code.Ldloc_3:
+					writer.Write((ushort)Code.Ldloc);
+					break;
+
+				case Code.Ldloca:
+				case Code.Ldloca_S:
+					writer.Write((ushort)Code.Ldloca);
+					break;
+
+				case Code.Stloc:
+				case Code.Stloc_S:
+				case Code.Stloc_0:
+				case Code.Stloc_1:
+				case Code.Stloc_2:
+				case Code.Stloc_3:
+					writer.Write((ushort)Code.Stloc);
+					break;
+
+				case Code.Ldnull:
+				case Code.Throw:
+				case Code.Rethrow:
+				case Code.Ldlen:
+				case Code.Ckfinite:
+				case Code.Arglist:
+				case Code.Localloc:
+				case Code.Volatile:
+				case Code.Tailcall:
+				case Code.Cpblk:
+				case Code.Initblk:
+				case Code.Refanytype:
+				case Code.Readonly:
+				case Code.Break:
+				case Code.Endfinally:
+				case Code.Endfilter:
+					writer.Write((ushort)instr.OpCode.Code);
+					break;
+
+				case Code.Calli:
+					writer.Write((ushort)instr.OpCode.Code);
+					Write(writer, instr.Operand);
+					break;
+
+				case Code.Unaligned:
+					writer.Write((ushort)instr.OpCode.Code);
+					writer.Write((byte)instr.Operand);
+					break;
+
+				default:
+					break;
+				}
+			}
+		}
+
+		void Write(BinaryWriter writer, object op) {
+			var fd = op as FieldDef;
+			if (fd != null) {
+				Write(writer, fd);
+				return;
+			}
+
+			var mr = op as MemberRef;
+			if (mr != null) {
+				Write(writer, mr);
+				return;
+			}
+
+			var md = op as MethodDef;
+			if (md != null) {
+				Write(writer, md);
+				return;
+			}
+
+			var ms = op as MethodSpec;
+			if (ms != null) {
+				Write(writer, ms);
+				return;
+			}
+
+			var td = op as TypeDef;
+			if (td != null) {
+				Write(writer, td);
+				return;
+			}
+
+			var tr = op as TypeRef;
+			if (tr != null) {
+				Write(writer, tr);
+				return;
+			}
+
+			var ts = op as TypeSpec;
+			if (ts != null) {
+				Write(writer, ts);
+				return;
+			}
+
+			var fsig = op as FieldSig;
+			if (fsig != null) {
+				Write(writer, fsig);
+				return;
+			}
+
+			var msig = op as MethodSig;
+			if (msig != null) {
+				Write(writer, msig);
+				return;
+			}
+
+			var gsig = op as GenericInstMethodSig;
+			if (gsig != null) {
+				Write(writer, gsig);
+				return;
+			}
+
+			var asmRef = op as AssemblyRef;
+			if (asmRef != null) {
+				Write(writer, asmRef);
+				return;
+			}
+
+			writer.Write((byte)ObjectType.Unknown);
+		}
+
+		enum ObjectType : byte {
+			// 00..3F = Table.XXX values.
+			Unknown = 0x40,
+			TypeSig = 0x41,
+			FieldSig = 0x42,
+			MethodSig = 0x43,
+			GenericInstMethodSig = 0x44,
+		}
+
+		void Write(BinaryWriter writer, TypeSig sig) {
+			Write(writer, sig, 0);
+		}
+
+		void Write(BinaryWriter writer, TypeSig sig, int level) {
+			if (level++ > 20)
+				return;
+
+			writer.Write((byte)ObjectType.TypeSig);
+			var etype = sig.GetElementType();
+			writer.Write((byte)etype);
+			switch (etype) {
+			case ElementType.Ptr:
+			case ElementType.ByRef:
+			case ElementType.SZArray:
+			case ElementType.Pinned:
+				Write(writer, sig.Next, level);
+				break;
+
+			case ElementType.Array:
+				var arySig = (ArraySig)sig;
+				writer.Write(arySig.Rank);
+				writer.Write(arySig.Sizes.Count);
+				writer.Write(arySig.LowerBounds.Count);
+				Write(writer, sig.Next, level);
+				break;
+
+			case ElementType.CModReqd:
+			case ElementType.CModOpt:
+				Write(writer, ((ModifierSig)sig).Modifier);
+				Write(writer, sig.Next, level);
+				break;
+
+			case ElementType.ValueArray:
+				writer.Write(((ValueArraySig)sig).Size);
+				Write(writer, sig.Next, level);
+				break;
+
+			case ElementType.Module:
+				writer.Write(((ModuleSig)sig).Index);
+				Write(writer, sig.Next, level);
+				break;
+
+			case ElementType.GenericInst:
+				var gis = (GenericInstSig)sig;
+				Write(writer, gis.GenericType, level);
+				foreach (var ga in gis.GenericArguments)
+					Write(writer, ga, level);
+				Write(writer, sig.Next, level);
+				break;
+
+			case ElementType.FnPtr:
+				Write(writer, ((FnPtrSig)sig).Signature);
+				break;
+
+			case ElementType.Var:
+			case ElementType.MVar:
+				writer.Write(((GenericSig)sig).Number);
+				break;
+
+			case ElementType.ValueType:
+			case ElementType.Class:
+				Write(writer, ((TypeDefOrRefSig)sig).TypeDefOrRef);
+				break;
+
+			case ElementType.End:
+			case ElementType.Void:
+			case ElementType.Boolean:
+			case ElementType.Char:
+			case ElementType.I1:
+			case ElementType.U1:
+			case ElementType.I2:
+			case ElementType.U2:
+			case ElementType.I4:
+			case ElementType.U4:
+			case ElementType.I8:
+			case ElementType.U8:
+			case ElementType.R4:
+			case ElementType.R8:
+			case ElementType.String:
+			case ElementType.TypedByRef:
+			case ElementType.I:
+			case ElementType.U:
+			case ElementType.R:
+			case ElementType.Object:
+			case ElementType.Internal:
+			case ElementType.Sentinel:
+			default:
+				break;
+			}
+		}
+
+		void Write(BinaryWriter writer, FieldSig sig) {
+			writer.Write((byte)ObjectType.FieldSig);
+			writer.Write((byte)(sig == null ? 0 : sig.GetCallingConvention()));
+			Write(writer, sig.GetFieldType());
+		}
+
+		void Write(BinaryWriter writer, MethodSig sig) {
+			writer.Write((byte)ObjectType.MethodSig);
+			writer.Write((byte)(sig == null ? 0 : sig.GetCallingConvention()));
+			Write(writer, sig.GetRetType());
+			foreach (var p in sig.GetParams())
+				Write(writer, p);
+			writer.Write(sig.GetParamCount());
+			bool hasParamsAfterSentinel = sig.GetParamsAfterSentinel() != null;
+			writer.Write(hasParamsAfterSentinel);
+			if (hasParamsAfterSentinel) {
+				foreach (var p in sig.GetParamsAfterSentinel())
+					Write(writer, p);
+			}
+		}
+
+		void Write(BinaryWriter writer, GenericInstMethodSig sig) {
+			writer.Write((byte)ObjectType.GenericInstMethodSig);
+			writer.Write((byte)(sig == null ? 0 : sig.GetCallingConvention()));
+			foreach (var ga in sig.GetGenericArguments())
+				Write(writer, ga);
+		}
+
+		void Write(BinaryWriter writer, FieldDef fd) {
+			writer.Write((byte)Table.Field);
+			Write(writer, fd.DeclaringType);
+			var attrMask = FieldAttributes.Static | FieldAttributes.InitOnly |
+							FieldAttributes.Literal | FieldAttributes.SpecialName |
+							FieldAttributes.PinvokeImpl | FieldAttributes.RTSpecialName;
+			writer.Write((ushort)(fd == null ? 0 : fd.Attributes & attrMask));
+			Write(writer, fd == null ? null : fd.Signature);
+		}
+
+		void Write(BinaryWriter writer, MemberRef mr) {
+			writer.Write((byte)Table.MemberRef);
+			var parent = mr == null ? null : mr.Class;
+			Write(writer, parent);
+			bool canWriteName = IsFromNonObfuscatedAssembly(parent);
+			writer.Write(canWriteName);
+			if (canWriteName)
+				writer.Write(mr.Name);
+			Write(writer, mr == null ? null : mr.Signature);
+		}
+
+		void Write(BinaryWriter writer, MethodDef md) {
+			writer.Write((byte)Table.Method);
+			Write(writer, md.DeclaringType);
+			var attrMask1 = MethodImplAttributes.CodeTypeMask | MethodImplAttributes.ManagedMask |
+							MethodImplAttributes.ForwardRef | MethodImplAttributes.PreserveSig |
+							MethodImplAttributes.InternalCall;
+			writer.Write((ushort)(md == null ? 0 : md.ImplAttributes & attrMask1));
+			var attrMask2 = MethodAttributes.Static | MethodAttributes.Virtual |
+							MethodAttributes.HideBySig | MethodAttributes.VtableLayoutMask |
+							MethodAttributes.CheckAccessOnOverride | MethodAttributes.Abstract |
+							MethodAttributes.SpecialName | MethodAttributes.PinvokeImpl |
+							MethodAttributes.UnmanagedExport | MethodAttributes.RTSpecialName;
+			writer.Write((ushort)(md == null ? 0 : md.Attributes & attrMask2));
+			Write(writer, md == null ? null : md.Signature);
+			writer.Write(md == null ? 0 : md.ParamDefs.Count);
+			writer.Write(md == null ? 0 : md.GenericParameters.Count);
+			writer.Write(md == null ? false : md.HasImplMap);
+			writer.Write(GetId(md));
+		}
+
+		void Write(BinaryWriter writer, MethodSpec ms) {
+			writer.Write((byte)Table.MethodSpec);
+			Write(writer, ms == null ? null : ms.Method);
+			Write(writer, ms == null ? null : ms.Instantiation);
+		}
+
+		void Write(BinaryWriter writer, TypeDef td) {
+			writer.Write((byte)Table.TypeDef);
+			Write(writer, td == null ? null : td.BaseType);
+			var attrMask = TypeAttributes.LayoutMask | TypeAttributes.ClassSemanticsMask |
+							TypeAttributes.Abstract | TypeAttributes.SpecialName |
+							TypeAttributes.Import | TypeAttributes.WindowsRuntime |
+							TypeAttributes.StringFormatMask | TypeAttributes.RTSpecialName;
+			writer.Write((uint)(td == null ? 0 : td.Attributes & attrMask));
+			Write(writer, td == null ? null : td.BaseType);
+			writer.Write(td == null ? 0 : td.GenericParameters.Count);
+			writer.Write(td == null ? 0 : td.Interfaces.Count);
+			if (td != null) {
+				foreach (var iface in td.Interfaces)
+					Write(writer, iface);
+			}
+			writer.Write(GetId(td));
+		}
+
+		void Write(BinaryWriter writer, TypeRef tr) {
+			writer.Write((byte)Table.TypeRef);
+			Write(writer, tr == null ? null : tr.ResolutionScope);
+			bool canWriteName = IsFromNonObfuscatedAssembly(tr);
+			writer.Write(canWriteName);
+			if (canWriteName) {
+				writer.Write(tr.Namespace);
+				writer.Write(tr.Name);
+			}
+		}
+
+		void Write(BinaryWriter writer, TypeSpec ts) {
+			writer.Write((byte)Table.TypeSpec);
+			Write(writer, ts == null ? null : ts.TypeSig);
+		}
+
+		void Write(BinaryWriter writer, AssemblyRef asmRef) {
+			writer.Write((byte)Table.AssemblyRef);
+
+			bool canWriteAsm = IsNonObfuscatedAssembly(asmRef);
+			writer.Write(canWriteAsm);
+			if (canWriteAsm) {
+				bool hasPk = !PublicKeyBase.IsNullOrEmpty2(asmRef.PublicKeyOrToken);
+				writer.Write(hasPk);
+				if (hasPk)
+					writer.Write(PublicKeyBase.ToPublicKeyToken(asmRef.PublicKeyOrToken).Data);
+				writer.Write(asmRef.Name);
+				writer.Write(asmRef.Culture);
+			}
+		}
+
+		static bool IsFromNonObfuscatedAssembly(IMemberRefParent mrp) {
+			return IsFromNonObfuscatedAssembly(mrp as TypeRef);
+		}
+
+		static bool IsFromNonObfuscatedAssembly(TypeRef tr) {
+			if (tr == null)
+				return false;
+
+			for (int i = 0; i < 100; i++) {
+				var asmRef = tr.ResolutionScope as AssemblyRef;
+				if (asmRef != null)
+					return IsNonObfuscatedAssembly(asmRef);
+
+				var tr2 = tr.ResolutionScope as TypeRef;
+				if (tr2 != null) {
+					tr = tr2;
+					continue;
+				}
+
+				break;
+			}
+
+			return false;
+		}
+
+		static bool IsNonObfuscatedAssembly(AssemblyRef asmRef) {
+			if (asmRef == null)
+				return false;
+			// The only external asm refs it uses...
+			if (asmRef.Name != "mscorlib" && asmRef.Name != "System")
+				return false;
+
+			return true;
+		}
+
+		bool IsTypeField(FieldDef fd) {
+			return fd != null && fd.DeclaringType == blocks.Method.DeclaringType;
+		}
+
+		int GetFieldId(FieldDef fd) {
+			if (fd == null)
+				return int.MinValue;
+			var fieldType = fd.FieldSig.GetFieldType();
+			if (fieldType == null)
+				return int.MinValue + 1;
+
+			int result = 0;
+			for (int i = 0; i < 100; i++) {
+				result += (int)fieldType.ElementType;
+				if (fieldType.Next == null)
+					break;
+				result += 0x100;
+				fieldType = fieldType.Next;
+			}
+
+			var td = fieldType.TryGetTypeDef();
+			if (td != null && td.IsEnum)
+				return result + 0x10000000;
+			return result;
+		}
+
+		static Code SimplifyBranch(Code code) {
+			switch (code) {
+			case Code.Beq_S:		return Code.Beq;
+			case Code.Bge_S:		return Code.Bge;
+			case Code.Bgt_S:		return Code.Bgt;
+			case Code.Ble_S:		return Code.Ble;
+			case Code.Blt_S:		return Code.Blt;
+			case Code.Bne_Un_S:		return Code.Bne_Un;
+			case Code.Bge_Un_S:		return Code.Bge_Un;
+			case Code.Bgt_Un_S:		return Code.Bgt_Un;
+			case Code.Ble_Un_S:		return Code.Ble_Un;
+			case Code.Blt_Un_S:		return Code.Blt_Un;
+			case Code.Br_S:			return Code.Br;
+			case Code.Brfalse_S:	return Code.Brfalse;
+			case Code.Brtrue_S:		return Code.Brtrue;
+			case Code.Leave_S:		return Code.Leave;
+			default:				return code;
+			}
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandler.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandler.cs
new file mode 100644
index 00000000..606d1f68
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandler.cs
@@ -0,0 +1,38 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using dnlib.DotNet;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class OpCodeHandler {
+		public OpCodeHandlerInfo OpCodeHandlerInfo { get; private set; }
+		public TypeDef HandlerType { get; private set; }
+		public HandlerMethod ExecMethod { get; private set; }
+
+		public OpCodeHandler(OpCodeHandlerInfo opCodeHandlerInfo, TypeDef handlerType, HandlerMethod execMethod) {
+			this.OpCodeHandlerInfo = opCodeHandlerInfo;
+			this.HandlerType = handlerType;
+			this.ExecMethod = execMethod;
+		}
+
+		public override string ToString() {
+			return OpCodeHandlerInfo.Name;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfo.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfo.cs
new file mode 100644
index 00000000..d7d3d48d
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfo.cs
@@ -0,0 +1,123 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class OpCodeHandlerInfo {
+		public HandlerTypeCode TypeCode { get; private set; }
+		public string Name { get; private set; }
+		public MethodSigInfo ExecSig { get; private set; }
+
+		public OpCodeHandlerInfo(HandlerTypeCode typeCode, MethodSigInfo execSig) {
+			this.TypeCode = typeCode;
+			this.Name = GetHandlerName(typeCode);
+			this.ExecSig = execSig;
+		}
+
+		public override string ToString() {
+			return Name;
+		}
+
+		static string GetHandlerName(HandlerTypeCode code) {
+			switch (code) {
+			case HandlerTypeCode.Add:			return "add";
+			case HandlerTypeCode.Add_Ovf:		return "add.ovf";
+			case HandlerTypeCode.Add_Ovf_Un:	return "add.ovf.un";
+			case HandlerTypeCode.And:			return "and";
+			case HandlerTypeCode.Beq:			return "beq";
+			case HandlerTypeCode.Bge:			return "bge";
+			case HandlerTypeCode.Bge_Un:		return "bge.un";
+			case HandlerTypeCode.Bgt:			return "bgt";
+			case HandlerTypeCode.Bgt_Un:		return "bgt.un";
+			case HandlerTypeCode.Ble:			return "ble";
+			case HandlerTypeCode.Ble_Un:		return "ble.un";
+			case HandlerTypeCode.Blt:			return "blt";
+			case HandlerTypeCode.Blt_Un:		return "blt.un";
+			case HandlerTypeCode.Bne_Un:		return "bne.un";
+			case HandlerTypeCode.Box:			return "box";
+			case HandlerTypeCode.Br:			return "br";
+			case HandlerTypeCode.Brfalse:		return "brfalse";
+			case HandlerTypeCode.Brtrue:		return "brtrue";
+			case HandlerTypeCode.Call:			return "call";
+			case HandlerTypeCode.Callvirt:		return "callvirt";
+			case HandlerTypeCode.Castclass:		return "castclass";
+			case HandlerTypeCode.Ceq:			return "ceq";
+			case HandlerTypeCode.Cgt:			return "cgt";
+			case HandlerTypeCode.Cgt_Un:		return "cgt.un";
+			case HandlerTypeCode.Clt:			return "clt";
+			case HandlerTypeCode.Clt_Un:		return "clt.un";
+			case HandlerTypeCode.Conv:			return "conv";
+			case HandlerTypeCode.Div:			return "div";
+			case HandlerTypeCode.Div_Un:		return "div.un";
+			case HandlerTypeCode.Dup:			return "dup";
+			case HandlerTypeCode.Endfinally:	return "endfinally";
+			case HandlerTypeCode.Initobj:		return "initobj";
+			case HandlerTypeCode.Isinst:		return "isinst";
+			case HandlerTypeCode.Ldarg:			return "ldarg";
+			case HandlerTypeCode.Ldarga:		return "ldarga";
+			case HandlerTypeCode.Ldc:			return "ldc";
+			case HandlerTypeCode.Ldelem:		return "ldelem";
+			case HandlerTypeCode.Ldelema:		return "ldelema";
+			case HandlerTypeCode.Ldfld_Ldsfld:	return "ldfld/ldsfld";
+			case HandlerTypeCode.Ldflda_Ldsflda:return "ldflda/ldsflda";
+			case HandlerTypeCode.Ldftn:			return "ldftn";
+			case HandlerTypeCode.Ldlen:			return "ldlen";
+			case HandlerTypeCode.Ldloc:			return "ldloc";
+			case HandlerTypeCode.Ldloca:		return "ldloca";
+			case HandlerTypeCode.Ldobj:			return "ldobj";
+			case HandlerTypeCode.Ldstr:			return "ldstr";
+			case HandlerTypeCode.Ldtoken:		return "ldtoken";
+			case HandlerTypeCode.Ldvirtftn:		return "ldvirtftn";
+			case HandlerTypeCode.Leave:			return "leave";
+			case HandlerTypeCode.Mul:			return "mul";
+			case HandlerTypeCode.Mul_Ovf:		return "mul.ovf";
+			case HandlerTypeCode.Mul_Ovf_Un:	return "mul.ovf.un";
+			case HandlerTypeCode.Neg:			return "neg";
+			case HandlerTypeCode.Newarr:		return "newarr";
+			case HandlerTypeCode.Newobj:		return "newobj";
+			case HandlerTypeCode.Nop:			return "nop";
+			case HandlerTypeCode.Not:			return "not";
+			case HandlerTypeCode.Or:			return "or";
+			case HandlerTypeCode.Pop:			return "pop";
+			case HandlerTypeCode.Rem:			return "rem";
+			case HandlerTypeCode.Rem_Un:		return "rem.un";
+			case HandlerTypeCode.Ret:			return "ret";
+			case HandlerTypeCode.Rethrow:		return "rethrow";
+			case HandlerTypeCode.Shl:			return "shl";
+			case HandlerTypeCode.Shr:			return "shr";
+			case HandlerTypeCode.Shr_Un:		return "shr.un";
+			case HandlerTypeCode.Starg:			return "starg";
+			case HandlerTypeCode.Stelem:		return "stelem";
+			case HandlerTypeCode.Stfld_Stsfld:	return "stfld/stsfld";
+			case HandlerTypeCode.Stloc:			return "stloc";
+			case HandlerTypeCode.Stobj:			return "stobj";
+			case HandlerTypeCode.Sub:			return "sub";
+			case HandlerTypeCode.Sub_Ovf:		return "sub.ovf";
+			case HandlerTypeCode.Sub_Ovf_Un:	return "sub.ovf.un";
+			case HandlerTypeCode.Switch:		return "switch";
+			case HandlerTypeCode.Throw:			return "throw";
+			case HandlerTypeCode.Unbox_Any:		return "unbox.any";
+			case HandlerTypeCode.Xor:			return "xor";
+			default: throw new ApplicationException("Invalid handler type code");
+			}
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfoReader.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfoReader.cs
new file mode 100644
index 00000000..96721152
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfoReader.cs
@@ -0,0 +1,528 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using dnlib.DotNet.Emit;
+using dnlib.DotNet;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class OpCodeHandlerInfoReader {
+		IInstructionOperandResolver resolver;
+		Dictionary<HandlerTypeCode, Func<BinaryReader, Instruction>> readHandlers;
+
+		public OpCodeHandlerInfoReader(IInstructionOperandResolver resolver) {
+			this.resolver = resolver;
+			this.readHandlers = new Dictionary<HandlerTypeCode, Func<BinaryReader, Instruction>> {
+				{ HandlerTypeCode.Add,			Handler_Add },
+				{ HandlerTypeCode.Add_Ovf,		Handler_Add_Ovf },
+				{ HandlerTypeCode.Add_Ovf_Un,	Handler_Add_Ovf_Un },
+				{ HandlerTypeCode.And,			Handler_And },
+				{ HandlerTypeCode.Beq,			Handler_Beq },
+				{ HandlerTypeCode.Bge,			Handler_Bge },
+				{ HandlerTypeCode.Bge_Un,		Handler_Bge_Un },
+				{ HandlerTypeCode.Bgt,			Handler_Bgt },
+				{ HandlerTypeCode.Bgt_Un,		Handler_Bgt_Un },
+				{ HandlerTypeCode.Ble,			Handler_Ble },
+				{ HandlerTypeCode.Ble_Un,		Handler_Ble_Un },
+				{ HandlerTypeCode.Blt,			Handler_Blt },
+				{ HandlerTypeCode.Blt_Un,		Handler_Blt_Un },
+				{ HandlerTypeCode.Bne_Un,		Handler_Bne_Un },
+				{ HandlerTypeCode.Box,			Handler_Box },
+				{ HandlerTypeCode.Br,			Handler_Br },
+				{ HandlerTypeCode.Brfalse,		Handler_Brfalse },
+				{ HandlerTypeCode.Brtrue,		Handler_Brtrue },
+				{ HandlerTypeCode.Call,			Handler_Call },
+				{ HandlerTypeCode.Callvirt,		Handler_Callvirt },
+				{ HandlerTypeCode.Castclass,	Handler_Castclass },
+				{ HandlerTypeCode.Ceq,			Handler_Ceq },
+				{ HandlerTypeCode.Cgt,			Handler_Cgt },
+				{ HandlerTypeCode.Cgt_Un,		Handler_Cgt_Un },
+				{ HandlerTypeCode.Clt,			Handler_Clt },
+				{ HandlerTypeCode.Clt_Un,		Handler_Clt_Un },
+				{ HandlerTypeCode.Conv,			Handler_Conv },
+				{ HandlerTypeCode.Div,			Handler_Div },
+				{ HandlerTypeCode.Div_Un,		Handler_Div_Un },
+				{ HandlerTypeCode.Dup,			Handler_Dup },
+				{ HandlerTypeCode.Endfinally,	Handler_Endfinally },
+				{ HandlerTypeCode.Initobj,		Handler_Initobj },
+				{ HandlerTypeCode.Isinst,		Handler_Isinst },
+				{ HandlerTypeCode.Ldarg,		Handler_Ldarg },
+				{ HandlerTypeCode.Ldarga,		Handler_Ldarga },
+				{ HandlerTypeCode.Ldc,			Handler_Ldc },
+				{ HandlerTypeCode.Ldelem,		Handler_Ldelem },
+				{ HandlerTypeCode.Ldelema,		Handler_Ldelema },
+				{ HandlerTypeCode.Ldfld_Ldsfld,	Handler_Ldfld_Ldsfld },
+				{ HandlerTypeCode.Ldflda_Ldsflda, Handler_Ldflda_Ldsflda },
+				{ HandlerTypeCode.Ldftn,		Handler_Ldftn },
+				{ HandlerTypeCode.Ldlen,		Handler_Ldlen },
+				{ HandlerTypeCode.Ldloc,		Handler_Ldloc },
+				{ HandlerTypeCode.Ldloca,		Handler_Ldloca },
+				{ HandlerTypeCode.Ldobj,		Handler_Ldobj },
+				{ HandlerTypeCode.Ldstr,		Handler_Ldstr },
+				{ HandlerTypeCode.Ldtoken,		Handler_Ldtoken },
+				{ HandlerTypeCode.Ldvirtftn,	Handler_Ldvirtftn },
+				{ HandlerTypeCode.Leave,		Handler_Leave },
+				{ HandlerTypeCode.Mul,			Handler_Mul },
+				{ HandlerTypeCode.Mul_Ovf,		Handler_Mul_Ovf },
+				{ HandlerTypeCode.Mul_Ovf_Un,	Handler_Mul_Ovf_Un },
+				{ HandlerTypeCode.Neg,			Handler_Neg },
+				{ HandlerTypeCode.Newarr,		Handler_Newarr },
+				{ HandlerTypeCode.Newobj,		Handler_Newobj },
+				{ HandlerTypeCode.Nop,			Handler_Nop },
+				{ HandlerTypeCode.Not,			Handler_Not },
+				{ HandlerTypeCode.Or,			Handler_Or },
+				{ HandlerTypeCode.Pop,			Handler_Pop },
+				{ HandlerTypeCode.Rem,			Handler_Rem },
+				{ HandlerTypeCode.Rem_Un,		Handler_Rem_Un },
+				{ HandlerTypeCode.Ret,			Handler_Ret },
+				{ HandlerTypeCode.Rethrow,		Handler_Rethrow },
+				{ HandlerTypeCode.Shl,			Handler_Shl },
+				{ HandlerTypeCode.Shr,			Handler_Shr },
+				{ HandlerTypeCode.Shr_Un,		Handler_Shr_Un },
+				{ HandlerTypeCode.Starg,		Handler_Starg },
+				{ HandlerTypeCode.Stelem,		Handler_Stelem },
+				{ HandlerTypeCode.Stfld_Stsfld,	Handler_Stfld_Stsfld },
+				{ HandlerTypeCode.Stloc,		Handler_Stloc },
+				{ HandlerTypeCode.Stobj,		Handler_Stobj },
+				{ HandlerTypeCode.Sub,			Handler_Sub },
+				{ HandlerTypeCode.Sub_Ovf,		Handler_Sub_Ovf },
+				{ HandlerTypeCode.Sub_Ovf_Un,	Handler_Sub_Ovf_Un },
+				{ HandlerTypeCode.Switch,		Handler_Switch },
+				{ HandlerTypeCode.Throw,		Handler_Throw },
+				{ HandlerTypeCode.Unbox_Any,	Handler_Unbox_Any },
+				{ HandlerTypeCode.Xor,			Handler_Xor },
+			};
+		}
+
+		public Instruction Read(HandlerTypeCode typeCode, BinaryReader reader) {
+			Func<BinaryReader, Instruction> readHandler;
+			if (!readHandlers.TryGetValue(typeCode, out readHandler))
+				throw new ApplicationException("Invalid handler type");
+			return readHandler(reader);
+		}
+
+		Instruction Handler_Add(BinaryReader reader) {
+			return OpCodes.Add.ToInstruction();
+		}
+
+		Instruction Handler_Add_Ovf(BinaryReader reader) {
+			return OpCodes.Add_Ovf.ToInstruction();
+		}
+
+		Instruction Handler_Add_Ovf_Un(BinaryReader reader) {
+			return OpCodes.Add_Ovf_Un.ToInstruction();
+		}
+
+		Instruction Handler_And(BinaryReader reader) {
+			return OpCodes.And.ToInstruction();
+		}
+
+		Instruction Handler_Beq(BinaryReader reader) {
+			return new Instruction(OpCodes.Beq, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Bge(BinaryReader reader) {
+			return new Instruction(OpCodes.Bge, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Bge_Un(BinaryReader reader) {
+			return new Instruction(OpCodes.Bge_Un, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Bgt(BinaryReader reader) {
+			return new Instruction(OpCodes.Bgt, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Bgt_Un(BinaryReader reader) {
+			return new Instruction(OpCodes.Bgt_Un, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Ble(BinaryReader reader) {
+			return new Instruction(OpCodes.Ble, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Ble_Un(BinaryReader reader) {
+			return new Instruction(OpCodes.Ble_Un, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Blt(BinaryReader reader) {
+			return new Instruction(OpCodes.Blt, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Blt_Un(BinaryReader reader) {
+			return new Instruction(OpCodes.Blt_Un, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Bne_Un(BinaryReader reader) {
+			return new Instruction(OpCodes.Bne_Un, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Box(BinaryReader reader) {
+			var type = resolver.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef;
+			return OpCodes.Box.ToInstruction(type);
+		}
+
+		Instruction Handler_Br(BinaryReader reader) {
+			return new Instruction(OpCodes.Br, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Brfalse(BinaryReader reader) {
+			return new Instruction(OpCodes.Brfalse, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Brtrue(BinaryReader reader) {
+			return new Instruction(OpCodes.Brtrue, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Call(BinaryReader reader) {
+			var method = resolver.ResolveToken(reader.ReadUInt32()) as IMethod;
+			return OpCodes.Call.ToInstruction(method);
+		}
+
+		Instruction Handler_Callvirt(BinaryReader reader) {
+			var method = resolver.ResolveToken(reader.ReadUInt32()) as IMethod;
+			return OpCodes.Callvirt.ToInstruction(method);
+		}
+
+		Instruction Handler_Castclass(BinaryReader reader) {
+			var type = resolver.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef;
+			return OpCodes.Castclass.ToInstruction(type);
+		}
+
+		Instruction Handler_Ceq(BinaryReader reader) {
+			return OpCodes.Ceq.ToInstruction();
+		}
+
+		Instruction Handler_Cgt(BinaryReader reader) {
+			return OpCodes.Cgt.ToInstruction();
+		}
+
+		Instruction Handler_Cgt_Un(BinaryReader reader) {
+			return OpCodes.Cgt_Un.ToInstruction();
+		}
+
+		Instruction Handler_Clt(BinaryReader reader) {
+			return OpCodes.Clt.ToInstruction();
+		}
+
+		Instruction Handler_Clt_Un(BinaryReader reader) {
+			return OpCodes.Clt_Un.ToInstruction();
+		}
+
+		class ConvInfo {
+			public byte Type { get; private set; }
+			public bool Second { get; private set; }
+			public bool Third { get; private set; }
+			public OpCode OpCode { get; private set; }
+			public ConvInfo(byte type, bool second, bool third, OpCode opCode) {
+				this.Type = type;
+				this.Second = second;
+				this.Third = third;
+				this.OpCode = opCode;
+			}
+		}
+		readonly static List<ConvInfo> instructionInfos1 = new List<ConvInfo> {
+			new ConvInfo(0, false, false, OpCodes.Conv_I1),
+			new ConvInfo(1, false, false, OpCodes.Conv_I2),
+			new ConvInfo(2, false, false, OpCodes.Conv_I4),
+			new ConvInfo(3, false, false, OpCodes.Conv_I8),
+			new ConvInfo(4, false, false, OpCodes.Conv_R4),
+			new ConvInfo(5, false, false, OpCodes.Conv_R8),
+			new ConvInfo(6, false, false, OpCodes.Conv_U1),
+			new ConvInfo(7, false, false, OpCodes.Conv_U2),
+			new ConvInfo(8, false, false, OpCodes.Conv_U4),
+			new ConvInfo(9, false, false, OpCodes.Conv_U8),
+			new ConvInfo(10, false, false, OpCodes.Conv_I),
+			new ConvInfo(11, false, false, OpCodes.Conv_U),
+
+			new ConvInfo(0, true, false, OpCodes.Conv_Ovf_I1),
+			new ConvInfo(1, true, false, OpCodes.Conv_Ovf_I2),
+			new ConvInfo(2, true, false, OpCodes.Conv_Ovf_I4),
+			new ConvInfo(3, true, false, OpCodes.Conv_Ovf_I8),
+			new ConvInfo(6, true, false, OpCodes.Conv_Ovf_U1),
+			new ConvInfo(7, true, false, OpCodes.Conv_Ovf_U2),
+			new ConvInfo(8, true, false, OpCodes.Conv_Ovf_U4),
+			new ConvInfo(9, true, false, OpCodes.Conv_Ovf_U8),
+			new ConvInfo(10, true, false, OpCodes.Conv_Ovf_I),
+			new ConvInfo(11, true, false, OpCodes.Conv_Ovf_U),
+
+			new ConvInfo(0, true, true, OpCodes.Conv_Ovf_I1_Un),
+			new ConvInfo(1, true, true, OpCodes.Conv_Ovf_I2_Un),
+			new ConvInfo(2, true, true, OpCodes.Conv_Ovf_I4_Un),
+			new ConvInfo(3, true, true, OpCodes.Conv_Ovf_I8_Un),
+			new ConvInfo(6, true, true, OpCodes.Conv_Ovf_U1_Un),
+			new ConvInfo(7, true, true, OpCodes.Conv_Ovf_U2_Un),
+			new ConvInfo(8, true, true, OpCodes.Conv_Ovf_U4_Un),
+			new ConvInfo(9, true, true, OpCodes.Conv_Ovf_U8_Un),
+			new ConvInfo(10, true, true, OpCodes.Conv_Ovf_I_Un),
+			new ConvInfo(11, true, true, OpCodes.Conv_Ovf_U_Un),
+			new ConvInfo(12, true, true, OpCodes.Conv_R_Un),
+		};
+		Instruction Handler_Conv(BinaryReader reader) {
+			byte type = reader.ReadByte();
+			bool second = reader.ReadBoolean();
+			bool third = reader.ReadBoolean();
+
+			Instruction instr = null;
+			foreach (var info in instructionInfos1) {
+				if (type != info.Type || info.Second != second || info.Third != third)
+					continue;
+
+				instr = new Instruction { OpCode = info.OpCode };
+				break;
+			}
+			if (instr == null)
+				throw new ApplicationException("Invalid opcode");
+
+			return instr;
+		}
+
+		Instruction Handler_Div(BinaryReader reader) {
+			return OpCodes.Div.ToInstruction();
+		}
+
+		Instruction Handler_Div_Un(BinaryReader reader) {
+			return OpCodes.Div_Un.ToInstruction();
+		}
+
+		Instruction Handler_Dup(BinaryReader reader) {
+			return OpCodes.Dup.ToInstruction();
+		}
+
+		Instruction Handler_Endfinally(BinaryReader reader) {
+			return OpCodes.Endfinally.ToInstruction();
+		}
+
+		Instruction Handler_Initobj(BinaryReader reader) {
+			var type = resolver.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef;
+			return OpCodes.Initobj.ToInstruction(type);
+		}
+
+		Instruction Handler_Isinst(BinaryReader reader) {
+			var type = resolver.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef;
+			return OpCodes.Isinst.ToInstruction(type);
+		}
+
+		Instruction Handler_Ldarg(BinaryReader reader) {
+			return new Instruction(OpCodes.Ldarg, new ArgOperand(reader.ReadUInt16()));
+		}
+
+		Instruction Handler_Ldarga(BinaryReader reader) {
+			return new Instruction(OpCodes.Ldarga, new ArgOperand(reader.ReadUInt16()));
+		}
+
+		Instruction Handler_Ldc(BinaryReader reader) {
+			switch ((ElementType)reader.ReadByte()) {
+			case ElementType.I4:		return Instruction.CreateLdcI4(reader.ReadInt32());
+			case ElementType.I8:		return OpCodes.Ldc_I8.ToInstruction(reader.ReadInt64());
+			case ElementType.R4:		return OpCodes.Ldc_R4.ToInstruction(reader.ReadSingle());
+			case ElementType.R8:		return OpCodes.Ldc_R8.ToInstruction(reader.ReadDouble());
+			case ElementType.Object:	return OpCodes.Ldnull.ToInstruction();
+			default: throw new ApplicationException("Invalid instruction");
+			}
+		}
+
+		Instruction Handler_Ldelem(BinaryReader reader) {
+			return new Instruction(OpCodes.Ldelem, null);
+		}
+
+		Instruction Handler_Ldelema(BinaryReader reader) {
+			return new Instruction(OpCodes.Ldelema, null);
+		}
+
+		Instruction Handler_Ldfld_Ldsfld(BinaryReader reader) {
+			var field = resolver.ResolveToken(reader.ReadUInt32()) as IField;
+			return new Instruction(null, new FieldInstructionOperand(OpCodes.Ldsfld, OpCodes.Ldfld, field));
+		}
+
+		Instruction Handler_Ldflda_Ldsflda(BinaryReader reader) {
+			var field = resolver.ResolveToken(reader.ReadUInt32()) as IField;
+			return new Instruction(null, new FieldInstructionOperand(OpCodes.Ldsflda, OpCodes.Ldflda, field));
+		}
+
+		Instruction Handler_Ldftn(BinaryReader reader) {
+			var method = resolver.ResolveToken(reader.ReadUInt32()) as IMethod;
+			return OpCodes.Ldftn.ToInstruction(method);
+		}
+
+		Instruction Handler_Ldlen(BinaryReader reader) {
+			return OpCodes.Ldlen.ToInstruction();
+		}
+
+		Instruction Handler_Ldloc(BinaryReader reader) {
+			return new Instruction(OpCodes.Ldloc, new LocalOperand(reader.ReadUInt16()));
+		}
+
+		Instruction Handler_Ldloca(BinaryReader reader) {
+			return new Instruction(OpCodes.Ldloca, new LocalOperand(reader.ReadUInt16()));
+		}
+
+		Instruction Handler_Ldobj(BinaryReader reader) {
+			return new Instruction(OpCodes.Ldobj, null);
+		}
+
+		Instruction Handler_Ldstr(BinaryReader reader) {
+			return OpCodes.Ldstr.ToInstruction(reader.ReadString());
+		}
+
+		Instruction Handler_Ldtoken(BinaryReader reader) {
+			var member = resolver.ResolveToken(reader.ReadUInt32()) as ITokenOperand;
+			return OpCodes.Ldtoken.ToInstruction(member);
+		}
+
+		Instruction Handler_Ldvirtftn(BinaryReader reader) {
+			var method = resolver.ResolveToken(reader.ReadUInt32()) as IMethod;
+			reader.ReadUInt32();
+			return OpCodes.Ldvirtftn.ToInstruction(method);
+		}
+
+		Instruction Handler_Leave(BinaryReader reader) {
+			return new Instruction(OpCodes.Leave, new TargetDisplOperand(reader.ReadInt32()));
+		}
+
+		Instruction Handler_Mul(BinaryReader reader) {
+			return OpCodes.Mul.ToInstruction();
+		}
+
+		Instruction Handler_Mul_Ovf(BinaryReader reader) {
+			return OpCodes.Mul_Ovf.ToInstruction();
+		}
+
+		Instruction Handler_Mul_Ovf_Un(BinaryReader reader) {
+			return OpCodes.Mul_Ovf_Un.ToInstruction();
+		}
+
+		Instruction Handler_Neg(BinaryReader reader) {
+			return OpCodes.Neg.ToInstruction();
+		}
+
+		Instruction Handler_Newarr(BinaryReader reader) {
+			var type = resolver.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef;
+			return OpCodes.Newarr.ToInstruction(type);
+		}
+
+		Instruction Handler_Newobj(BinaryReader reader) {
+			var method = resolver.ResolveToken(reader.ReadUInt32()) as IMethod;
+			return OpCodes.Newobj.ToInstruction(method);
+		}
+
+		Instruction Handler_Nop(BinaryReader reader) {
+			return OpCodes.Nop.ToInstruction();
+		}
+
+		Instruction Handler_Not(BinaryReader reader) {
+			return OpCodes.Not.ToInstruction();
+		}
+
+		Instruction Handler_Or(BinaryReader reader) {
+			return OpCodes.Or.ToInstruction();
+		}
+
+		Instruction Handler_Pop(BinaryReader reader) {
+			return OpCodes.Pop.ToInstruction();
+		}
+
+		Instruction Handler_Rem(BinaryReader reader) {
+			return OpCodes.Rem.ToInstruction();
+		}
+
+		Instruction Handler_Rem_Un(BinaryReader reader) {
+			return OpCodes.Rem_Un.ToInstruction();
+		}
+
+		Instruction Handler_Ret(BinaryReader reader) {
+			var method = resolver.ResolveToken(reader.ReadUInt32()) as IMethod;
+			return OpCodes.Ret.ToInstruction();
+		}
+
+		Instruction Handler_Rethrow(BinaryReader reader) {
+			return OpCodes.Rethrow.ToInstruction();
+		}
+
+		Instruction Handler_Shl(BinaryReader reader) {
+			return OpCodes.Shl.ToInstruction();
+		}
+
+		Instruction Handler_Shr(BinaryReader reader) {
+			return OpCodes.Shr.ToInstruction();
+		}
+
+		Instruction Handler_Shr_Un(BinaryReader reader) {
+			return OpCodes.Shr_Un.ToInstruction();
+		}
+
+		Instruction Handler_Starg(BinaryReader reader) {
+			return new Instruction(OpCodes.Starg, new ArgOperand(reader.ReadUInt16()));
+		}
+
+		Instruction Handler_Stelem(BinaryReader reader) {
+			return new Instruction(OpCodes.Stelem, null);
+		}
+
+		Instruction Handler_Stfld_Stsfld(BinaryReader reader) {
+			var field = resolver.ResolveToken(reader.ReadUInt32()) as IField;
+			return new Instruction(null, new FieldInstructionOperand(OpCodes.Stsfld, OpCodes.Stfld, field));
+		}
+
+		Instruction Handler_Stloc(BinaryReader reader) {
+			ushort loc = reader.ReadUInt16();
+			var etype = (ElementType)reader.ReadInt32();
+			return new Instruction(OpCodes.Stloc, new LocalOperand(loc));
+		}
+
+		Instruction Handler_Stobj(BinaryReader reader) {
+			return new Instruction(OpCodes.Stobj, null);
+		}
+
+		Instruction Handler_Sub(BinaryReader reader) {
+			return OpCodes.Sub.ToInstruction();
+		}
+
+		Instruction Handler_Sub_Ovf(BinaryReader reader) {
+			return OpCodes.Sub_Ovf.ToInstruction();
+		}
+
+		Instruction Handler_Sub_Ovf_Un(BinaryReader reader) {
+			return OpCodes.Sub_Ovf_Un.ToInstruction();
+		}
+
+		Instruction Handler_Switch(BinaryReader reader) {
+			int size = reader.ReadInt32();
+			var offsets = new int[size];
+			for (int i = 0; i < size; i++)
+				offsets[i] = reader.ReadInt32();
+			return new Instruction(OpCodes.Switch, new SwitchTargetDisplOperand(offsets));
+		}
+
+		Instruction Handler_Throw(BinaryReader reader) {
+			return OpCodes.Throw.ToInstruction();
+		}
+
+		Instruction Handler_Unbox_Any(BinaryReader reader) {
+			var type = resolver.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef;
+			return OpCodes.Unbox_Any.ToInstruction(type);
+		}
+
+		Instruction Handler_Xor(BinaryReader reader) {
+			return OpCodes.Xor.ToInstruction();
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfos.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfos.cs
new file mode 100644
index 00000000..13165b97
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/OpCodeHandlerInfos.cs
@@ -0,0 +1,98 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	static class OpCodeHandlerInfos {
+		enum OpCodeHandlersFileVersion : int {
+			V1 = 1,
+		}
+
+		public static void Write(BinaryWriter writer, IList<OpCodeHandlerInfo> handlerInfos) {
+			WriteV1(writer, handlerInfos);
+		}
+
+		public static void WriteV1(BinaryWriter writer, IList<OpCodeHandlerInfo> handlerInfos) {
+			writer.Write((int)OpCodeHandlersFileVersion.V1);
+			writer.Write(handlerInfos.Count);
+			foreach (var handler in handlerInfos) {
+				writer.Write((int)handler.TypeCode);
+				var infos = handler.ExecSig.BlockInfos;
+				writer.Write(infos.Count);
+				foreach (var info in infos) {
+					if (info.Hash == null)
+						writer.Write(0);
+					else {
+						writer.Write(info.Hash.Length);
+						writer.Write(info.Hash);
+					}
+					writer.Write(info.Targets.Count);
+					foreach (var target in info.Targets)
+						writer.Write(target);
+				}
+			}
+		}
+
+		public static List<OpCodeHandlerInfo> Read(BinaryReader reader) {
+			switch ((OpCodeHandlersFileVersion)reader.ReadInt32()) {
+			case OpCodeHandlersFileVersion.V1: return ReadV1(reader);
+			default: throw new ApplicationException("Invalid file version");
+			}
+		}
+
+		static List<OpCodeHandlerInfo> ReadV1(BinaryReader reader) {
+			int numHandlers = reader.ReadInt32();
+			var list = new List<OpCodeHandlerInfo>(numHandlers);
+			for (int i = 0; i < numHandlers; i++) {
+				var typeCode = (HandlerTypeCode)reader.ReadInt32();
+				int numInfos = reader.ReadInt32();
+				var sigInfo = new MethodSigInfo();
+				for (int j = 0; j < numInfos; j++) {
+					var info = new BlockInfo();
+
+					info.Hash = reader.ReadBytes(reader.ReadInt32());
+					if (info.Hash.Length == 0)
+						info.Hash = null;
+
+					int numTargets = reader.ReadInt32();
+					for (int k = 0; k < numTargets; k++)
+						info.Targets.Add(reader.ReadInt32());
+
+					sigInfo.BlockInfos.Add(info);
+				}
+
+				list.Add(new OpCodeHandlerInfo(typeCode, sigInfo));
+			}
+			return list;
+		}
+
+		public static readonly IList<OpCodeHandlerInfo>[] HandlerInfos = new IList<OpCodeHandlerInfo>[] {
+			ReadOpCodeHandlerInfos(CsvmResources.CSVM1_v2),
+			ReadOpCodeHandlerInfos(CsvmResources.CSVM2_v2),
+			ReadOpCodeHandlerInfos(CsvmResources.CSVM3_v2),
+		};
+
+		static IList<OpCodeHandlerInfo> ReadOpCodeHandlerInfos(byte[] data) {
+			return OpCodeHandlerInfos.Read(new BinaryReader(new MemoryStream(data)));
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCode.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCode.cs
new file mode 100644
index 00000000..bb1fdd85
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCode.cs
@@ -0,0 +1,44 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using System.Text;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class VmOpCode {
+		public List<OpCodeHandlerInfo> OpCodeHandlerInfos { get; private set; }
+
+		public VmOpCode(List<OpCodeHandlerInfo> opCodeHandlerInfos) {
+			this.OpCodeHandlerInfos = new List<OpCodeHandlerInfo>(opCodeHandlerInfos.Count);
+			this.OpCodeHandlerInfos.AddRange(opCodeHandlerInfos);
+		}
+
+		public override string ToString() {
+			if (OpCodeHandlerInfos.Count == 0)
+				return "<nothing>";
+			var sb = new StringBuilder();
+			foreach (var handler in OpCodeHandlerInfos) {
+				if (sb.Length != 0)
+					sb.Append(", ");
+				sb.Append(handler.Name);
+			}
+			return sb.ToString();
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCodeHandlerDetector.cs b/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCodeHandlerDetector.cs
new file mode 100644
index 00000000..ea234c72
--- /dev/null
+++ b/de4dot.code/deobfuscators/Agile_NET/vm/v2/VmOpCodeHandlerDetector.cs
@@ -0,0 +1,297 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+using de4dot.blocks;
+using de4dot.blocks.cflow;
+
+namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
+	class MyDeobfuscator {
+		CliSecureRtType cliSecureRtType;
+		StringDecrypter stringDecrypter;
+		StaticStringInliner staticStringInliner = new StaticStringInliner();
+
+		public MyDeobfuscator(ModuleDefMD module) {
+			cliSecureRtType = new CliSecureRtType(module);
+			cliSecureRtType.Find(null);
+			stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
+			stringDecrypter.Find();
+			cliSecureRtType.FindStringDecrypterMethod();
+			stringDecrypter.Method = cliSecureRtType.StringDecrypterMethod;
+			staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0]));
+		}
+
+		void RestoreMethod(Blocks blocks) {
+			IList<Instruction> allInstructions;
+			IList<ExceptionHandler> allExceptionHandlers;
+			blocks.GetCode(out allInstructions, out allExceptionHandlers);
+			DotNetUtils.RestoreBody(blocks.Method, allInstructions, allExceptionHandlers);
+		}
+
+		public void DecryptStrings(MethodDef method) {
+			var blocks = new Blocks(method);
+			DecryptStrings(blocks);
+			RestoreMethod(blocks);
+		}
+
+		public void DecryptStrings(Blocks blocks) {
+			staticStringInliner.Decrypt(blocks);
+		}
+
+		public void Deobfuscate(MethodDef method) {
+			DecryptStrings(method);
+		}
+	}
+
+	class VmOpCodeHandlerDetector {
+		const int NUM_HANDLERS = 78;
+		ModuleDefMD module;
+		List<VmOpCode> vmOpCodes;
+		MyDeobfuscator deobfuscator;
+
+		public IList<VmOpCode> Handlers {
+			get { return vmOpCodes; }
+		}
+
+		public VmOpCodeHandlerDetector(ModuleDefMD module) {
+			this.module = module;
+		}
+
+		public void FindHandlers() {
+			if (vmOpCodes != null)
+				return;
+
+			deobfuscator = new MyDeobfuscator(module);
+
+			var csvmInfo = new CsvmInfo(module);
+			csvmInfo.Initialize();
+			var vmHandlerTypes = FindVmHandlerTypes();
+			if (vmHandlerTypes == null)
+				throw new ApplicationException("Could not find CSVM opcode handler types");
+
+			var composites = CreateCompositeOpCodeHandlers(csvmInfo, vmHandlerTypes);
+			foreach (var handlerInfos in OpCodeHandlerInfos.HandlerInfos) {
+				var otherHandlers = CreateOtherHandlers(csvmInfo, handlerInfos);
+
+				if (!DetectCompositeHandlers(composites, otherHandlers))
+					continue;
+
+				vmOpCodes = CreateVmOpCodes(composites);
+				break;
+			}
+			if (vmOpCodes == null)
+				throw new ApplicationException("Could not find any/all CSVM handlers");
+		}
+
+		static List<VmOpCode> CreateVmOpCodes(IList<CompositeOpCodeHandler> composites) {
+			var list = new List<VmOpCode>(composites.Count);
+			foreach (var composite in composites)
+				list.Add(new VmOpCode(composite.OpCodeHandlerInfos));
+			return list;
+		}
+
+		bool DetectCompositeHandlers(IEnumerable<CompositeOpCodeHandler> composites, List<OpCodeHandler> otherHandlers) {
+			var detector = new CompositeHandlerDetector(otherHandlers);
+			foreach (var composite in composites) {
+				if (!detector.FindHandlers(composite))
+					return false;
+			}
+			return true;
+		}
+
+		static MethodDef SimplifyInstructions(MethodDef method) {
+			if (method.Body == null)
+				return method;
+			method.Body.SimplifyMacros(method.Parameters);
+			return method;
+		}
+
+		List<CompositeOpCodeHandler> CreateCompositeOpCodeHandlers(CsvmInfo csvmInfo, List<TypeDef> handlers) {
+			var list = new List<CompositeOpCodeHandler>(handlers.Count);
+
+			foreach (var handler in handlers) {
+				var execHandler = new HandlerMethod(GetExecMethod(handler));
+				list.Add(new CompositeOpCodeHandler(handler, execHandler));
+			}
+
+			return list;
+		}
+
+		MethodDef GetExecMethod(TypeDef type) {
+			MethodDef readMethod, execMethod;
+			GetReadAndExecMethods(type, out readMethod, out execMethod);
+			deobfuscator.Deobfuscate(execMethod);
+			SimplifyInstructions(execMethod);
+			return execMethod;
+		}
+
+		static MethodSigInfoCreator CreateMethodSigInfoCreator(CsvmInfo csvmInfo) {
+			var creator = new MethodSigInfoCreator();
+
+			creator.AddId(csvmInfo.LogicalOpShrUn, 1);
+			creator.AddId(csvmInfo.LogicalOpShl, 2);
+			creator.AddId(csvmInfo.LogicalOpShr, 3);
+			creator.AddId(csvmInfo.LogicalOpAnd, 4);
+			creator.AddId(csvmInfo.LogicalOpXor, 5);
+			creator.AddId(csvmInfo.LogicalOpOr, 6);
+
+			creator.AddId(csvmInfo.CompareLt, 7);
+			creator.AddId(csvmInfo.CompareLte, 8);
+			creator.AddId(csvmInfo.CompareGt, 9);
+			creator.AddId(csvmInfo.CompareGte, 10);
+			creator.AddId(csvmInfo.CompareEq, 11);
+			creator.AddId(csvmInfo.CompareEqz, 12);
+
+			creator.AddId(csvmInfo.ArithmeticSubOvfUn, 13);
+			creator.AddId(csvmInfo.ArithmeticMulOvfUn, 14);
+			creator.AddId(csvmInfo.ArithmeticRemUn, 15);
+			creator.AddId(csvmInfo.ArithmeticRem, 16);
+			creator.AddId(csvmInfo.ArithmeticDivUn, 17);
+			creator.AddId(csvmInfo.ArithmeticDiv, 18);
+			creator.AddId(csvmInfo.ArithmeticMul, 19);
+			creator.AddId(csvmInfo.ArithmeticMulOvf, 20);
+			creator.AddId(csvmInfo.ArithmeticSub, 21);
+			creator.AddId(csvmInfo.ArithmeticSubOvf, 22);
+			creator.AddId(csvmInfo.ArithmeticAddOvfUn, 23);
+			creator.AddId(csvmInfo.ArithmeticAddOvf, 24);
+			creator.AddId(csvmInfo.ArithmeticAdd, 25);
+
+			creator.AddId(csvmInfo.UnaryNot, 26);
+			creator.AddId(csvmInfo.UnaryNeg, 27);
+
+			creator.AddId(csvmInfo.ArgsGet, 28);
+			creator.AddId(csvmInfo.ArgsSet, 29);
+			creator.AddId(csvmInfo.LocalsGet, 30);
+			creator.AddId(csvmInfo.LocalsSet, 31);
+
+			return creator;
+		}
+
+		static void GetReadAndExecMethods(TypeDef handler, out MethodDef readMethod, out MethodDef execMethod) {
+			readMethod = execMethod = null;
+			foreach (var method in handler.Methods) {
+				if (!method.IsVirtual)
+					continue;
+				if (DotNetUtils.IsMethod(method, "System.Void", "(System.IO.BinaryReader)")) {
+					if (readMethod != null)
+						throw new ApplicationException("Found another read method");
+					readMethod = method;
+				}
+				else if (!DotNetUtils.HasReturnValue(method) && method.MethodSig.GetParamCount() == 1) {
+					if (execMethod != null)
+						throw new ApplicationException("Found another execute method");
+					execMethod = method;
+				}
+			}
+
+			if (readMethod == null)
+				throw new ApplicationException("Could not find read method");
+			if (execMethod == null)
+				throw new ApplicationException("Could not find execute method");
+		}
+
+		IEnumerable<TypeDef> GetVmHandlerTypes(TypeDef baseType) {
+			foreach (var type in module.Types) {
+				if (type.BaseType == baseType)
+					yield return type;
+			}
+		}
+
+		List<TypeDef> FindBasicVmHandlerTypes(CsvmInfo csvmInfo) {
+			var list = new List<TypeDef>();
+			if (csvmInfo.VmHandlerBaseType == null)
+				return list;
+			foreach (var type in module.Types) {
+				if (list.Count == NUM_HANDLERS)
+					break;
+				if (type.BaseType == csvmInfo.VmHandlerBaseType)
+					list.Add(type);
+			}
+			return list;
+		}
+
+		List<TypeDef> FindVmHandlerTypes() {
+			var requiredFields = new string[] {
+				null,
+				"System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>",
+				"System.UInt16",
+			};
+			var cflowDeobfuscator = new CflowDeobfuscator();
+			foreach (var type in module.Types) {
+				var cctor = type.FindStaticConstructor();
+				if (cctor == null)
+					continue;
+				requiredFields[0] = type.FullName;
+				if (!new FieldTypes(type).Exactly(requiredFields))
+					continue;
+
+				cflowDeobfuscator.Deobfuscate(cctor);
+				var handlers = FindVmHandlerTypes(cctor);
+				if (handlers.Count < NUM_HANDLERS)
+					continue;
+
+				return handlers;
+			}
+
+			return null;
+		}
+
+		static List<TypeDef> FindVmHandlerTypes(MethodDef method) {
+			var list = new List<TypeDef>();
+
+			foreach (var instr in method.Body.Instructions) {
+				if (instr.OpCode.Code != Code.Ldtoken)
+					continue;
+				var type = instr.Operand as TypeDef;
+				if (type == null)
+					continue;
+
+				list.Add(type);
+			}
+
+			return list;
+		}
+
+		List<OpCodeHandler> CreateOtherHandlers(CsvmInfo csvmInfo, IList<OpCodeHandlerInfo> handlerInfos) {
+			var list = new List<OpCodeHandler>(NUM_HANDLERS);
+
+			foreach (var type in GetVmHandlerTypes(csvmInfo.VmHandlerBaseType)) {
+				if (list.Count == NUM_HANDLERS)
+					break;
+
+				var execHandler = new PrimitiveHandlerMethod(GetExecMethod(type));
+				execHandler.Sig = CreateMethodSigInfoCreator(csvmInfo).Create(execHandler.Blocks);
+
+				var finder = new MethodFinder(handlerInfos, execHandler);
+				var handler = finder.FindHandler();
+				if (handler == null)
+					continue;
+
+				list.Add(handler);
+			}
+
+			list.Sort((a, b) => a.OpCodeHandlerInfo.Name.ToUpperInvariant().CompareTo(b.OpCodeHandlerInfo.Name.ToUpperInvariant()));
+
+			return list;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/NullStream.cs b/de4dot.code/deobfuscators/NullStream.cs
new file mode 100644
index 00000000..a88b0728
--- /dev/null
+++ b/de4dot.code/deobfuscators/NullStream.cs
@@ -0,0 +1,87 @@
+/*
+    Copyright (C) 2011-2013 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.IO;
+
+namespace de4dot.code.deobfuscators {
+	class NullStream : Stream {
+		long offset = 0;
+		long length = 0;
+
+		public override bool CanRead {
+			get { return false; }
+		}
+
+		public override bool CanSeek {
+			get { return true; }
+		}
+
+		public override bool CanWrite {
+			get { return true; }
+		}
+
+		public override void Flush() {
+		}
+
+		public override long Length {
+			get { return length; }
+		}
+
+		public override long Position {
+			get { return offset; }
+			set { offset = value; }
+		}
+
+		public override int Read(byte[] buffer, int offset, int count) {
+			throw new NotImplementedException();
+		}
+
+		public override long Seek(long offset, SeekOrigin origin) {
+			switch (origin) {
+			case SeekOrigin.Begin:
+				this.offset = offset;
+				break;
+
+			case SeekOrigin.Current:
+				this.offset += offset;
+				break;
+
+			case SeekOrigin.End:
+				this.offset = length + offset;
+				break;
+
+			default:
+				throw new NotSupportedException();
+			}
+
+			return this.offset;
+		}
+
+		public override void SetLength(long value) {
+			this.length = value;
+		}
+
+		public override void Write(byte[] buffer, int offset, int count) {
+			this.offset += count;
+			if (this.offset > this.length)
+				this.length = this.offset;
+		}
+	}
+}
diff --git a/de4dot.mdecrypt/DynamicMethodsDecrypter.cs b/de4dot.mdecrypt/DynamicMethodsDecrypter.cs
index 3aa2c949..f25c8697 100644
--- a/de4dot.mdecrypt/DynamicMethodsDecrypter.cs
+++ b/de4dot.mdecrypt/DynamicMethodsDecrypter.cs
@@ -20,12 +20,21 @@
 using System;
 using System.IO;
 using System.Runtime.CompilerServices;
+using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
 using System.Reflection;
+using System.Security;
 using dnlib.DotNet;
 using dnlib.DotNet.MD;
+using dnlib.PE;
 using de4dot.blocks;
 
+namespace System.Runtime.ExceptionServices {
+	[AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = false)]
+	class HandleProcessCorruptedStateExceptionsAttribute : Attribute {
+	}
+}
+
 namespace de4dot.mdecrypt {
 	public class DynamicMethodsDecrypter {
 		static DynamicMethodsDecrypter instance;
@@ -132,6 +141,9 @@ namespace de4dot.mdecrypt {
 		[DllImport("kernel32")]
 		static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);
 
+		[DllImport("kernel32")]
+		static extern bool GetModuleHandleEx(uint dwFlags, IntPtr lpModuleName, out IntPtr phModule);
+
 		delegate IntPtr GetJit();
 		delegate int CompileMethod(IntPtr jitter, IntPtr comp, IntPtr info, uint flags, IntPtr nativeEntry, IntPtr nativeSizeOfCode, out bool handled);
 		delegate int ReturnMethodToken();
@@ -364,13 +376,15 @@ namespace de4dot.mdecrypt {
 				// We're not decrypting methods
 
 				var info2 = (CORINFO_METHOD_INFO*)info;
-				if (info2->scope != moduleToDecryptScope) {
+				if (info2->scope != moduleToDecryptScope ||
+					decryptMethodsInfo.moduleCctorBytes == null ||
+					moduleCctorCodeRva == 0) {
 					handled = false;
 					return 0;
 				}
 
 				uint codeRva = (uint)((byte*)info2->ILCode - (byte*)hInstModule);
-				if (decryptMethodsInfo.moduleCctorBytes != null && moduleCctorCodeRva != 0 && moduleCctorCodeRva == codeRva) {
+				if (moduleCctorCodeRva == codeRva) {
 					fixed (byte* newIlCodeBytes = &decryptMethodsInfo.moduleCctorBytes[0]) {
 						WriteCompileMethod(origCompileMethod);
 						info2->ILCode = new IntPtr(newIlCodeBytes);
@@ -553,30 +567,78 @@ namespace de4dot.mdecrypt {
 			if (hasInstalledCompileMethod2)
 				return;
 
-			if (!PatchDword(*(IntPtr*)jitterVtbl, 0x30000, origCompileMethod, ourCompileMethodInfo.ptrInDll))
+			if (!PatchCM(*(IntPtr*)jitterVtbl, origCompileMethod, ourCompileMethodInfo.ptrInDll))
 				throw new ApplicationException("Couldn't patch compileMethod");
 
 			hasInstalledCompileMethod2 = true;
 			return;
 		}
 
-		unsafe bool PatchDword(IntPtr addr, int size, IntPtr origValue, IntPtr newValue) {
-			addr = new IntPtr(addr.ToInt64() & ~0xFFF);
-			var endAddr = new IntPtr(addr.ToInt64() + size);
-			for (; addr.ToPointer() < endAddr.ToPointer(); addr = new IntPtr(addr.ToInt64() + 0x1000)) {
-				try {
-					for (int i = 0; i < 0x1000; i += IntPtr.Size) {
-						var addr2 = (IntPtr*)((byte*)addr + i);
-						if (*addr2 == origValue) {
-							*addr2 = newValue;
-							return true;
+		static IntPtr GetModuleHandle(IntPtr addr) {
+			IntPtr hModule;
+			if (!GetModuleHandleEx(4, addr, out hModule))
+				throw new ApplicationException("GetModuleHandleEx() failed");
+			return hModule;
+		}
+
+		static unsafe bool PatchCM(IntPtr addr, IntPtr origValue, IntPtr newValue) {
+			var baseAddr = GetModuleHandle(addr);
+			IntPtr patchAddr;
+			using (var peImage = new PEImage(baseAddr))
+				patchAddr = FindCMAddress(peImage, baseAddr, origValue);
+			if (patchAddr == IntPtr.Zero)
+				return false;
+
+			*(IntPtr*)patchAddr = newValue;
+			return true;
+		}
+
+		[HandleProcessCorruptedStateExceptions, SecurityCritical]	// Req'd on .NET 4.0
+		static unsafe IntPtr FindCMAddress(PEImage peImage, IntPtr baseAddr, IntPtr origValue) {
+			const int offset1_CLR2 = 0x78;
+			const int offset1_CLR4 = 0x74;
+			int offset1 = Environment.Version.Major == 2 ? offset1_CLR2 : offset1_CLR4;
+
+			const int offset2_CLR2 = 0x10;
+			const int offset2_CLR4 = 0x28;
+			int offset2 = Environment.Version.Major == 2 ? offset2_CLR2 : offset2_CLR4;
+
+			foreach (var section in peImage.ImageSectionHeaders) {
+				const uint RW = 0x80000000 | 0x40000000;
+				if ((section.Characteristics & RW) != RW)
+					continue;
+
+				byte* p = (byte*)baseAddr + (uint)section.VirtualAddress + ((section.VirtualSize + IntPtr.Size - 1) & ~(IntPtr.Size - 1)) - IntPtr.Size;
+				for (; p >= (byte*)baseAddr; p -= IntPtr.Size) {
+					try {
+						byte* p2 = (byte*)*(IntPtr**)p;
+						if ((ulong)p2 >= 0x10000) {
+							p2 += offset1;
+							if (*(IntPtr*)p2 == origValue)
+								return new IntPtr(p2);
 						}
 					}
-				}
-				catch {
+					catch {
+					}
+					try {
+						byte* p2 = (byte*)*(IntPtr**)p;
+						if ((ulong)p2 >= 0x10000) {
+							p2 += offset2;
+							if (*(IntPtr*)p2 == origValue)
+								return new IntPtr(p2);
+						}
+					}
+					catch {
+					}
+					try {
+						if (*(IntPtr*)p == origValue)
+							return new IntPtr(p);
+					}
+					catch {
+					}
 				}
 			}
-			return false;
+			return IntPtr.Zero;
 		}
 	}
 }

From db0001f4814dfc37610aedca33419dd53f2a4022 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Mon, 11 Nov 2013 18:26:09 +0100
Subject: [PATCH 47/58] Count both VM classes as one

---
 de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs
index b0ac7bde..e0546f3f 100644
--- a/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs
@@ -167,8 +167,7 @@ namespace de4dot.code.deobfuscators.Agile_NET {
 					ToInt32(stringDecrypter.Detected) +
 					ToInt32(proxyCallFixer.Detected) +
 					ToInt32(resourceDecrypter.Detected) +
-					ToInt32(csvmV1.Detected) +
-					ToInt32(csvmV2.Detected);
+					ToInt32(csvmV1.Detected || csvmV2.Detected);
 			if (sum > 0)
 				val += 100 + 10 * (sum - 1);
 			if (cliSecureAttributes.Count != 0)

From 4fcb332ddf9f4cc80df454fbe88aab671504508c Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 12 Nov 2013 09:41:38 +0100
Subject: [PATCH 48/58] Use non-recursive methods to prevent StackOverflow
 exceptions

---
 de4dot.blocks/BlocksSorter.cs     | 64 +++++++++++++++++++++++--------
 de4dot.blocks/ForwardScanOrder.cs | 45 ++++++++++++++--------
 2 files changed, 76 insertions(+), 33 deletions(-)

diff --git a/de4dot.blocks/BlocksSorter.cs b/de4dot.blocks/BlocksSorter.cs
index 2bf6aec2..484f8f1c 100644
--- a/de4dot.blocks/BlocksSorter.cs
+++ b/de4dot.blocks/BlocksSorter.cs
@@ -170,38 +170,60 @@ namespace de4dot.blocks {
 					dest.Add(block);
 			}
 
+			struct VisitState {
+				public BlockInfo Info;
+				public List<BaseBlock> Targets;
+				public int TargetIndex;
+				public BlockInfo TargetInfo;
+				public VisitState(BlockInfo info) {
+					this.Info = info;
+					this.Targets = null;
+					this.TargetIndex = 0;
+					this.TargetInfo = null;
+				}
+			}
+			Stack<VisitState> visitStateStack = new Stack<VisitState>();
 			void Visit(BlockInfo info) {
-				if (info.baseBlock == firstBlock)
+				// This method used to be recursive but to prevent stack overflows,
+				// it's not recursive anymore.
+
+				VisitState state = new VisitState(info);
+recursive_call:
+				if (state.Info.baseBlock == firstBlock)
 					throw new ApplicationException("Can't visit firstBlock");
-				stack.Push(info);
-				info.onStack = true;
-				info.dfsNumber = dfsNumber;
-				info.low = dfsNumber;
+				stack.Push(state.Info);
+				state.Info.onStack = true;
+				state.Info.dfsNumber = dfsNumber;
+				state.Info.low = dfsNumber;
 				dfsNumber++;
 
-				foreach (var tmp in GetTargets(info.baseBlock)) {
-					var targetInfo = GetInfo(tmp);
-					if (targetInfo == null)
+				state.Targets = GetTargets(state.Info.baseBlock);
+				state.TargetIndex = 0;
+return_to_caller:
+				for (; state.TargetIndex < state.Targets.Count; state.TargetIndex++) {
+					state.TargetInfo = GetInfo(state.Targets[state.TargetIndex]);
+					if (state.TargetInfo == null)
 						continue;
-					if (targetInfo.baseBlock == firstBlock)
+					if (state.TargetInfo.baseBlock == firstBlock)
 						continue;
 
-					if (!targetInfo.Visited()) {
-						Visit(targetInfo);
-						info.low = Math.Min(info.low, targetInfo.low);
+					if (!state.TargetInfo.Visited()) {
+						visitStateStack.Push(state);
+						state = new VisitState(state.TargetInfo);
+						goto recursive_call;
 					}
-					else if (targetInfo.onStack)
-						info.low = Math.Min(info.low, targetInfo.dfsNumber);
+					else if (state.TargetInfo.onStack)
+						state.Info.low = Math.Min(state.Info.low, state.TargetInfo.dfsNumber);
 				}
 
-				if (info.low != info.dfsNumber)
-					return;
+				if (state.Info.low != state.Info.dfsNumber)
+					goto return_from_method;
 				var sccBlocks = new List<BaseBlock>();
 				while (true) {
 					var poppedInfo = stack.Pop();
 					poppedInfo.onStack = false;
 					sccBlocks.Add(poppedInfo.baseBlock);
-					if (ReferenceEquals(info, poppedInfo))
+					if (ReferenceEquals(state.Info, poppedInfo))
 						break;
 				}
 				if (sccBlocks.Count > 1) {
@@ -213,6 +235,14 @@ namespace de4dot.blocks {
 				else {
 					sorted.Insert(0, sccBlocks[0]);
 				}
+
+return_from_method:
+				if (visitStateStack.Count == 0)
+					return;
+				state = visitStateStack.Pop();
+				state.Info.low = Math.Min(state.Info.low, state.TargetInfo.low);
+				state.TargetIndex++;
+				goto return_to_caller;
 			}
 
 			void SortLoopBlock(List<BaseBlock> list) {
diff --git a/de4dot.blocks/ForwardScanOrder.cs b/de4dot.blocks/ForwardScanOrder.cs
index a46355e0..e876f40c 100644
--- a/de4dot.blocks/ForwardScanOrder.cs
+++ b/de4dot.blocks/ForwardScanOrder.cs
@@ -100,25 +100,38 @@ namespace de4dot.blocks {
 			return false;
 		}
 
-		void ScanBaseBlock(BaseBlock bb, int stackStart) {
-			if (blockInfos.ContainsKey(bb) || !scopeBlock.IsOurBaseBlock(bb))
-				return;
-
-			var blockInfo = new BlockInfo(bb, stackStart);
-			blockInfos[bb] = blockInfo;
-
-			var block = bb as Block;
-			if (block == null) {	// i.e., if try, filter, or handler block
-				// It's not important to know the exact values, so we set them both to 0.
-				// Compilers must make sure the stack is empty when entering a try block.
-				blockInfo.stackStart = blockInfo.stackEnd = 0;
-				return;
+		struct ScanBaseBlockState {
+			public BaseBlock bb;
+			public int stackStart;
+			public ScanBaseBlockState(BaseBlock bb, int stackStart) {
+				this.bb = bb;
+				this.stackStart = stackStart;
 			}
+		}
+		Stack<ScanBaseBlockState> scanBaseBlockStack = new Stack<ScanBaseBlockState>();
+		void ScanBaseBlock(BaseBlock bbx, int stackStartx) {
+			scanBaseBlockStack.Push(new ScanBaseBlockState(bbx, stackStartx));
+			while (scanBaseBlockStack.Count > 0) {
+				var state = scanBaseBlockStack.Pop();
+				if (blockInfos.ContainsKey(state.bb) || !scopeBlock.IsOurBaseBlock(state.bb))
+					continue;
 
-			blockInfo.CalculateStackUsage();
+				var blockInfo = new BlockInfo(state.bb, state.stackStart);
+				blockInfos[state.bb] = blockInfo;
 
-			foreach (var target in block.GetTargets())
-				ScanBaseBlock(target, blockInfo.stackEnd);
+				var block = state.bb as Block;
+				if (block == null) {	// i.e., if try, filter, or handler block
+					// It's not important to know the exact values, so we set them both to 0.
+					// Compilers must make sure the stack is empty when entering a try block.
+					blockInfo.stackStart = blockInfo.stackEnd = 0;
+					continue;
+				}
+
+				blockInfo.CalculateStackUsage();
+
+				foreach (var target in block.GetTargets())
+					scanBaseBlockStack.Push(new ScanBaseBlockState(target, blockInfo.stackEnd));
+			}
 		}
 
 		void CreateNewList() {

From 682b0df04abc644f120ff0e2b484dd489aa26b70 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 12 Nov 2013 17:11:54 +0100
Subject: [PATCH 49/58] Set locals = 0 when emulating from first instruction

---
 de4dot.blocks/cflow/BlockCflowDeobfuscator.cs |  2 +-
 de4dot.blocks/cflow/ConstantsFolder.cs        |  2 +-
 de4dot.blocks/cflow/InstructionEmulator.cs    | 37 ++++++++++++++++---
 .../cflow/SwitchCflowDeobfuscator.cs          | 12 +++---
 4 files changed, 40 insertions(+), 13 deletions(-)

diff --git a/de4dot.blocks/cflow/BlockCflowDeobfuscator.cs b/de4dot.blocks/cflow/BlockCflowDeobfuscator.cs
index 24975de0..3bc44f1f 100644
--- a/de4dot.blocks/cflow/BlockCflowDeobfuscator.cs
+++ b/de4dot.blocks/cflow/BlockCflowDeobfuscator.cs
@@ -35,7 +35,7 @@ namespace de4dot.blocks.cflow {
 			this.block = block;
 			if (!block.LastInstr.IsConditionalBranch() && block.LastInstr.OpCode.Code != Code.Switch)
 				return false;
-			instructionEmulator.Initialize(blocks);
+			instructionEmulator.Initialize(blocks, allBlocks[0] == block);
 
 			var instructions = block.Instructions;
 			if (instructions.Count == 0)
diff --git a/de4dot.blocks/cflow/ConstantsFolder.cs b/de4dot.blocks/cflow/ConstantsFolder.cs
index 43c291de..a0c7b5a7 100644
--- a/de4dot.blocks/cflow/ConstantsFolder.cs
+++ b/de4dot.blocks/cflow/ConstantsFolder.cs
@@ -37,7 +37,7 @@ namespace de4dot.blocks.cflow {
 		protected override bool Deobfuscate(Block block) {
 			bool modified = false;
 
-			instructionEmulator.Initialize(blocks);
+			instructionEmulator.Initialize(blocks, allBlocks[0] == block);
 			var instrs = block.Instructions;
 			for (int i = 0; i < instrs.Count; i++) {
 				var instr = instrs[i];
diff --git a/de4dot.blocks/cflow/InstructionEmulator.cs b/de4dot.blocks/cflow/InstructionEmulator.cs
index 3345cf64..9dd11a1a 100644
--- a/de4dot.blocks/cflow/InstructionEmulator.cs
+++ b/de4dot.blocks/cflow/InstructionEmulator.cs
@@ -34,19 +34,24 @@ namespace de4dot.blocks.cflow {
 		MethodDef prev_method;
 		List<Value> cached_args = new List<Value>();
 		List<Value> cached_locals = new List<Value>();
+		List<Value> cached_zeroed_locals = new List<Value>();
 
 		public InstructionEmulator() {
 		}
 
 		public InstructionEmulator(MethodDef method) {
-			Initialize(method);
+			Initialize(method, false);
 		}
 
-		public void Initialize(Blocks blocks) {
-			Initialize(blocks.Method);
+		public void Initialize(Blocks blocks, bool emulateFromFirstInstruction) {
+			Initialize(blocks.Method, emulateFromFirstInstruction);
 		}
 
 		public void Initialize(MethodDef method) {
+			Initialize(method, false);
+		}
+
+		public void Initialize(MethodDef method, bool emulateFromFirstInstruction) {
 			this.parameterDefs = method.Parameters;
 			this.localDefs = method.Body.Variables;
 			valueStack.Initialize();
@@ -60,14 +65,17 @@ namespace de4dot.blocks.cflow {
 					cached_args.Add(GetUnknownValue(parameterDefs[i].Type));
 
 				cached_locals.Clear();
-				for (int i = 0; i < localDefs.Count; i++)
+				cached_zeroed_locals.Clear();
+				for (int i = 0; i < localDefs.Count; i++) {
 					cached_locals.Add(GetUnknownValue(localDefs[i].Type));
+					cached_zeroed_locals.Add(GetDefaultValue(localDefs[i].Type));
+				}
 			}
 
 			args.Clear();
 			args.AddRange(cached_args);
 			locals.Clear();
-			locals.AddRange(cached_locals);
+			locals.AddRange(method.Body.InitLocals && emulateFromFirstInstruction ? cached_zeroed_locals : cached_locals);
 		}
 
 		public void SetProtected(Value value) {
@@ -95,6 +103,25 @@ namespace de4dot.blocks.cflow {
 			return new UnknownValue();
 		}
 
+		static Value GetDefaultValue(TypeSig type) {
+			if (type == null)
+				return new UnknownValue();
+			switch (type.ElementType) {
+			case ElementType.Boolean:
+			case ElementType.I1:
+			case ElementType.U1:
+			case ElementType.I2:
+			case ElementType.U2:
+			case ElementType.I4:
+			case ElementType.U4:
+				return Int32Value.zero;
+			case ElementType.I8:
+			case ElementType.U8:
+				return Int64Value.zero;
+			}
+			return new UnknownValue();
+		}
+
 		Value TruncateValue(Value value, TypeSig type) {
 			if (type == null)
 				return value;
diff --git a/de4dot.blocks/cflow/SwitchCflowDeobfuscator.cs b/de4dot.blocks/cflow/SwitchCflowDeobfuscator.cs
index 329843f3..abec82b8 100644
--- a/de4dot.blocks/cflow/SwitchCflowDeobfuscator.cs
+++ b/de4dot.blocks/cflow/SwitchCflowDeobfuscator.cs
@@ -158,7 +158,7 @@ namespace de4dot.blocks.cflow {
 			foreach (var source in new List<Block>(block.Sources)) {
 				if (!isBranchBlock(source))
 					continue;
-				instructionEmulator.Initialize(blocks);
+				instructionEmulator.Initialize(blocks, allBlocks[0] == source);
 				instructionEmulator.Emulate(source.Instructions);
 
 				var target = GetSwitchTarget(switchTargets, switchFallThrough, instructionEmulator.Pop());
@@ -183,7 +183,7 @@ namespace de4dot.blocks.cflow {
 			bool modified = false;
 			foreach (var source in new List<Block>(block.Sources)) {
 				if (isBranchBlock(source)) {
-					instructionEmulator.Initialize(blocks);
+					instructionEmulator.Initialize(blocks, allBlocks[0] == source);
 					instructionEmulator.Emulate(source.Instructions);
 
 					var target = GetSwitchTarget(switchTargets, switchFallThrough, instructionEmulator.GetLocal(switchVariable));
@@ -193,7 +193,7 @@ namespace de4dot.blocks.cflow {
 					modified = true;
 				}
 				else if (IsBccBlock(source)) {
-					instructionEmulator.Initialize(blocks);
+					instructionEmulator.Initialize(blocks, allBlocks[0] == source);
 					instructionEmulator.Emulate(source.Instructions);
 
 					var target = GetSwitchTarget(switchTargets, switchFallThrough, instructionEmulator.GetLocal(switchVariable));
@@ -223,7 +223,7 @@ namespace de4dot.blocks.cflow {
 			foreach (var source in new List<Block>(block.Sources)) {
 				if (!isBranchBlock(source))
 					continue;
-				instructionEmulator.Initialize(blocks);
+				instructionEmulator.Initialize(blocks, allBlocks[0] == source);
 				instructionEmulator.Emulate(source.Instructions);
 
 				var target = GetSwitchTarget(switchTargets, switchFallThrough, instructionEmulator.Pop());
@@ -407,7 +407,7 @@ namespace de4dot.blocks.cflow {
 		}
 
 		bool EmulateGetTarget(Block switchBlock, out Block target) {
-			instructionEmulator.Initialize(blocks);
+			instructionEmulator.Initialize(blocks, allBlocks[0] == switchBlock);
 			try {
 				instructionEmulator.Emulate(switchBlock.Instructions, 0, switchBlock.Instructions.Count - 1);
 			}
@@ -421,7 +421,7 @@ namespace de4dot.blocks.cflow {
 		}
 
 		bool WillHaveKnownTarget(Block switchBlock, Block source) {
-			instructionEmulator.Initialize(blocks);
+			instructionEmulator.Initialize(blocks, allBlocks[0] == source);
 			try {
 				instructionEmulator.Emulate(source.Instructions);
 				instructionEmulator.Emulate(switchBlock.Instructions, 0, switchBlock.Instructions.Count - 1);

From 130e188e6af8b693a02b1339f4c788a2c5359a1a Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 12 Nov 2013 22:02:19 +0100
Subject: [PATCH 50/58] Remove the x from arg names

---
 de4dot.blocks/ForwardScanOrder.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/de4dot.blocks/ForwardScanOrder.cs b/de4dot.blocks/ForwardScanOrder.cs
index e876f40c..a2029955 100644
--- a/de4dot.blocks/ForwardScanOrder.cs
+++ b/de4dot.blocks/ForwardScanOrder.cs
@@ -109,8 +109,8 @@ namespace de4dot.blocks {
 			}
 		}
 		Stack<ScanBaseBlockState> scanBaseBlockStack = new Stack<ScanBaseBlockState>();
-		void ScanBaseBlock(BaseBlock bbx, int stackStartx) {
-			scanBaseBlockStack.Push(new ScanBaseBlockState(bbx, stackStartx));
+		void ScanBaseBlock(BaseBlock bb, int stackStart) {
+			scanBaseBlockStack.Push(new ScanBaseBlockState(bb, stackStart));
 			while (scanBaseBlockStack.Count > 0) {
 				var state = scanBaseBlockStack.Pop();
 				if (blockInfos.ContainsKey(state.bb) || !scopeBlock.IsOurBaseBlock(state.bb))

From 892fa4cd3dd39d06a55b92a292e1319cd7ffbcce Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 13 Nov 2013 18:54:06 +0100
Subject: [PATCH 51/58] Check both locations at the same time

---
 de4dot.mdecrypt/DynamicMethodsDecrypter.cs | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/de4dot.mdecrypt/DynamicMethodsDecrypter.cs b/de4dot.mdecrypt/DynamicMethodsDecrypter.cs
index f25c8697..9d40208c 100644
--- a/de4dot.mdecrypt/DynamicMethodsDecrypter.cs
+++ b/de4dot.mdecrypt/DynamicMethodsDecrypter.cs
@@ -595,13 +595,7 @@ namespace de4dot.mdecrypt {
 
 		[HandleProcessCorruptedStateExceptions, SecurityCritical]	// Req'd on .NET 4.0
 		static unsafe IntPtr FindCMAddress(PEImage peImage, IntPtr baseAddr, IntPtr origValue) {
-			const int offset1_CLR2 = 0x78;
-			const int offset1_CLR4 = 0x74;
-			int offset1 = Environment.Version.Major == 2 ? offset1_CLR2 : offset1_CLR4;
-
-			const int offset2_CLR2 = 0x10;
-			const int offset2_CLR4 = 0x28;
-			int offset2 = Environment.Version.Major == 2 ? offset2_CLR2 : offset2_CLR4;
+			int offset = Environment.Version.Major == 2 ? 0x10 : 0x28;
 
 			foreach (var section in peImage.ImageSectionHeaders) {
 				const uint RW = 0x80000000 | 0x40000000;
@@ -613,9 +607,10 @@ namespace de4dot.mdecrypt {
 					try {
 						byte* p2 = (byte*)*(IntPtr**)p;
 						if ((ulong)p2 >= 0x10000) {
-							p2 += offset1;
-							if (*(IntPtr*)p2 == origValue)
-								return new IntPtr(p2);
+							if (*(IntPtr*)(p2 + 0x74) == origValue)
+								return new IntPtr(p2 + 0x74);
+							if (*(IntPtr*)(p2 + 0x78) == origValue)
+								return new IntPtr(p2 + 0x78);
 						}
 					}
 					catch {
@@ -623,7 +618,7 @@ namespace de4dot.mdecrypt {
 					try {
 						byte* p2 = (byte*)*(IntPtr**)p;
 						if ((ulong)p2 >= 0x10000) {
-							p2 += offset2;
+							p2 += offset;
 							if (*(IntPtr*)p2 == origValue)
 								return new IntPtr(p2);
 						}

From b88ecc8a6300c8da5a928ff5decca38ec99d7014 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Thu, 14 Nov 2013 10:48:07 +0100
Subject: [PATCH 52/58] Update name regex

---
 de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs b/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs
index 63e5ffbe..62b57472 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs
@@ -27,7 +27,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
 		public const string THE_NAME = "MaxtoCode";
 		public const string THE_TYPE = "mc";
-		const string DEFAULT_REGEX = @"!^[oO01l]+$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
+		const string DEFAULT_REGEX = @"!^[oO01l]+$&!^[A-F0-9]{20,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
 		IntOption stringCodePage;
 
 		public DeobfuscatorInfo()

From 239bfbfc2b78f7cf895344046dcad017beadc7ba Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Thu, 14 Nov 2013 13:38:57 +0100
Subject: [PATCH 53/58] Add known timestamps

---
 .../MaxtoCode/MethodsDecrypter.cs             | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
index b312d2a5..ccda3adb 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
@@ -170,28 +170,28 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 			void InitializeDecrypter() {
 				switch (GetVersion()) {
 				case EncryptionVersion.V1:
-					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v1, Decrypt4_v1, Decrypt2_v1, Decrypt3_v1, Decrypt5, Decrypt6, Decrypt7 }));
-					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v1, Decrypt1_v1, Decrypt2_v1, Decrypt3_v1, Decrypt5, Decrypt6, Decrypt7 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v1, Decrypt4_v1, Decrypt2_v1, Decrypt3_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x462FA2D2 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v1, Decrypt1_v1, Decrypt2_v1, Decrypt3_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x471299D3 }));
 					break;
 
-				case EncryptionVersion.V2: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v1, Decrypt2_v1, Decrypt1_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 })); break;
-				case EncryptionVersion.V3: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v1, Decrypt2_v1, Decrypt3_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 })); break;
-				case EncryptionVersion.V4: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt2_v1, Decrypt1_v1, Decrypt3_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 })); break;
+				case EncryptionVersion.V2: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v1, Decrypt2_v1, Decrypt1_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x482384FB, 0x4A5EEC64, 0x4BD6F703, 0x4C6220EC, 0x4C622357, 0x4C6E4605, 0x4D0E220D, 0x4DC2FC75, 0x4DC2FE0C, 0x4DFA3D5D })); break;
+				case EncryptionVersion.V3: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v1, Decrypt2_v1, Decrypt3_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x4ECF2195, 0x4ED76740, 0x4EE1FAD1 })); break;
+				case EncryptionVersion.V4: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt2_v1, Decrypt1_v1, Decrypt3_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x4F832868, 0x4F8C86BE, 0x4F9447DB, 0x4FDEF2FF })); break;
 
 				case EncryptionVersion.V5:
-					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v1, Decrypt2_v1, Decrypt3_v1, Decrypt1_v1, Decrypt5, Decrypt6, Decrypt7 }));
-					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v2, Decrypt2_v2, Decrypt3_v2, Decrypt1_v2, Decrypt6, Decrypt7, Decrypt5 }));
-					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v3, Decrypt2_v3, Decrypt3_v3, Decrypt1_v3, Decrypt6, Decrypt7, Decrypt5 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v1, Decrypt2_v1, Decrypt3_v1, Decrypt1_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x4F8E262C, 0x4F966B0B, 0x4FAB3CCF }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v2, Decrypt2_v2, Decrypt3_v2, Decrypt1_v2, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x4FC7459E, 0x4FCEBD7B }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v3, Decrypt2_v3, Decrypt3_v3, Decrypt1_v3, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x4FBE81DE }));
 					break;
 
-				case EncryptionVersion.V6: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v4, Decrypt2_v4, Decrypt3_v4, Decrypt1_v4, Decrypt6, Decrypt7, Decrypt5 })); break;
-				case EncryptionVersion.V7: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v5, Decrypt3_v5, Decrypt1_v5, Decrypt6, Decrypt8_v5, Decrypt9_v5, Decrypt7, Decrypt5 })); break;
+				case EncryptionVersion.V6: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v4, Decrypt2_v4, Decrypt3_v4, Decrypt1_v4, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x50A0963C })); break;
+				case EncryptionVersion.V7: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v5, Decrypt3_v5, Decrypt1_v5, Decrypt6, Decrypt8_v5, Decrypt9_v5, Decrypt7, Decrypt5 }, new uint[] { 0x50D367A5 })); break;
 
 				case EncryptionVersion.V8:
 					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v6, Decrypt2_v2, Decrypt3_v6, Decrypt1_v6, Decrypt6, Decrypt8_v6, Decrypt9_v6, Decrypt7, Decrypt10, Decrypt5 }, new uint[] { 0x5166DB4F, 0x51927495 }));
 					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v7, Decrypt9_v7, Decrypt7, Decrypt5 }, new uint[] { 0x51413D68 }));
 					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v8, Decrypt9_v8, Decrypt7, Decrypt5 }, new uint[] { 0x513D7124, 0x51413BD8 }));
-					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v2, Decrypt3_v6, Decrypt1_v9, Decrypt6, Decrypt8_v8, Decrypt9_v9, Decrypt7, Decrypt5 }, new uint[] { 0x513D4492 }));
+					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v2, Decrypt3_v6, Decrypt1_v9, Decrypt6, Decrypt8_v8, Decrypt9_v9, Decrypt7, Decrypt5 }, new uint[] { 0x513D4492, 0x5113E277 }));
 					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v6, Decrypt2_v2, Decrypt4_v8, Decrypt1_v10, Decrypt8_v9, Decrypt9_v10, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x526BDD12 }));
 					decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v10, Decrypt4_v8, Decrypt2_v2, Decrypt3_v6, Decrypt6, Decrypt8_v9, Decrypt9_v10, Decrypt7, Decrypt5 }, new uint[] { 0x526BC020 }));
 					break;
@@ -244,8 +244,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 			}
 
 			bool InitializeInfos2() {
-				if (decrypters.Count > 1) {
-					uint rtTimeStamp = GetRuntimeTimeStamp();
+				uint rtTimeStamp = GetRuntimeTimeStamp();
+				if (rtTimeStamp != 0) {
 					var decrypter = GetCorrectDecrypter(rtTimeStamp);
 					if (decrypter != null) {
 						try {

From 7c44c2616cdb0bf4ddc9020e3bb73b45f9098d15 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Thu, 14 Nov 2013 17:39:59 +0100
Subject: [PATCH 54/58] If an IOException is thrown, it's not a PE file

---
 de4dot.cui/FilesDeobfuscator.cs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/de4dot.cui/FilesDeobfuscator.cs b/de4dot.cui/FilesDeobfuscator.cs
index f7106c4d..e16a2d35 100644
--- a/de4dot.cui/FilesDeobfuscator.cs
+++ b/de4dot.cui/FilesDeobfuscator.cs
@@ -229,6 +229,11 @@ namespace de4dot.cui {
 				catch (EndOfStreamException) {
 					return false;
 				}
+				catch (IOException) {
+					if (isFromPossibleFiles)
+						Logger.Instance.Log(false, null, LoggerEvent.Warning, "The file isn't a .NET PE file: {0}", file.Filename);
+					return false;	// Not a .NET file
+				}
 				catch (Exception ex) {
 					Logger.Instance.Log(false, null, LoggerEvent.Warning, "Could not load file ({0}): {1}", ex.GetType(), file.Filename);
 					return false;

From 5d6db10ba47b5601cc4041ff2a894787b9d7a1cb Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Thu, 14 Nov 2013 22:48:44 +0100
Subject: [PATCH 55/58] Don't decrypt already decrypted resources

---
 de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
index ccda3adb..af2489a7 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
@@ -765,9 +765,14 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 			var peImage = decrypterInfo.peImage;
 			var fileData = decrypterInfo.fileData;
 
+			uint decryptedResources = peHeader.ReadUInt32(0xFE8) ^ mcKey.ReadUInt32(0);
 			uint resourceRva = peHeader.GetRva(0x0E10, mcKey.ReadUInt32(0x00A0));
-			uint resourceSize = peHeader.ReadUInt32(0x0E14) ^ mcKey.ReadUInt32(0x00AA);
-			if (resourceRva == 0 || resourceSize == 0)
+			int resourceSize = (int)(peHeader.ReadUInt32(0x0E14) ^ mcKey.ReadUInt32(0x00AA));
+			if (decryptedResources == 1) {
+				Logger.v("Resources have already been decrypted");
+				return;
+			}
+			if (resourceRva == 0 || resourceSize <= 0)
 				return;
 			if (resourceRva != (uint)peImage.Cor20Header.Resources.VirtualAddress ||
 				resourceSize != peImage.Cor20Header.Resources.Size) {

From 48f31acb7eb0c75ee3d9f47b54be1f6f0f6129ca Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 15 Nov 2013 14:44:20 +0100
Subject: [PATCH 56/58] Detect some other DNR 4.5 version

---
 de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
index 3a24139d..70e24bca 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
@@ -369,6 +369,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 				bool hasSymmetricAlgorithm = new LocalTypes(methodsDecrypter.Method).Exists("System.Security.Cryptography.SymmetricAlgorithm");
 				if (module.IsClr40) {
 					switch (numIntPtrSizeCompares) {
+					case 7:
 					case 9: return DeobfuscatorInfo.THE_NAME + " 4.5";
 					case 10:
 						if (!hasSymmetricAlgorithm)
@@ -378,6 +379,7 @@ namespace de4dot.code.deobfuscators.dotNET_Reactor.v4 {
 				}
 				else {
 					switch (numIntPtrSizeCompares) {
+					case 6:
 					case 8: return DeobfuscatorInfo.THE_NAME + " 4.5";
 					case 9:
 						if (!hasSymmetricAlgorithm)

From f2a9118bf5bda07655afb0655b16ef138d5196ca Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 15 Nov 2013 19:30:11 +0100
Subject: [PATCH 57/58] Fix merges

---
 de4dot.blocks/cflow/InstructionEmulator.cs                   | 4 ++--
 de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/de4dot.blocks/cflow/InstructionEmulator.cs b/de4dot.blocks/cflow/InstructionEmulator.cs
index 450eca08..a829d02a 100644
--- a/de4dot.blocks/cflow/InstructionEmulator.cs
+++ b/de4dot.blocks/cflow/InstructionEmulator.cs
@@ -114,10 +114,10 @@ namespace de4dot.blocks.cflow {
 			case ElementType.U2:
 			case ElementType.I4:
 			case ElementType.U4:
-				return Int32Value.zero;
+				return Int32Value.Zero;
 			case ElementType.I8:
 			case ElementType.U8:
-				return Int64Value.zero;
+				return Int64Value.Zero;
 			}
 			return new UnknownValue();
 		}
diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
index a03df11b..a4620bbb 100644
--- a/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
@@ -707,8 +707,8 @@ done: ;
 			var ctorArg = emu.Pop() as Int32Value;
 			if (ctorArg == null || !ctorArg.AllBitsValid())
 				return false;
-			dynocode.CreateEnumerable(ctor, new object[] { ctorArg.value });
-			dynocode.WriteEnumerableField(enumerableField.MDToken.ToUInt32(), initValue.value);
+			dynocode.CreateEnumerable(ctor, new object[] { ctorArg.Value });
+			dynocode.WriteEnumerableField(enumerableField.MDToken.ToUInt32(), initValue.Value);
 			dynocode.CreateEnumerator();
 			foreach (var val in dynocode) {
 				emu.Push(new Int32Value(val));

From 2d4397e2b711881855b006adc8b0c93cea40026e Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 15 Nov 2013 20:38:34 +0100
Subject: [PATCH 58/58] Add updated dnlib submodule

---
 dnlib | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dnlib b/dnlib
index d317a317..557af37b 160000
--- a/dnlib
+++ b/dnlib
@@ -1 +1 @@
-Subproject commit d317a317ce5b80868d7b94149ffc22fa9fd54810
+Subproject commit 557af37b82fb0012b99f60157715c5e45ca5bc4b