From 3f1b9152bd40615fc43536bc9752cab29fec5524 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 22 Oct 2011 14:31:38 +0200
Subject: [PATCH] Add CO deobfuscator. Can decrypt embedded assemblies.

---
 blocks/DotNetUtils.cs                         |   4 +
 de4dot.code/ObfuscatedFile.cs                 |   6 +-
 de4dot.code/Program.cs                        |   1 +
 de4dot.code/Utils.cs                          |   7 +
 de4dot.code/de4dot.code.csproj                |   5 +-
 .../CryptoObfuscator/AssemblyResolver.cs      | 144 ++++++++++++++++
 .../CryptoObfuscator/Deobfuscator.cs          | 161 ++++++++++++++++++
 .../CryptoObfuscator/ResourceDecrypter.cs     | 103 +++++++++++
 .../CryptoObfuscator/ResourceResolver.cs      |  82 +++++++++
 .../deobfuscators/IDeobfuscatedFile.cs        |   2 +-
 .../SmartAssembly/AssemblyResolverInfo.cs     |   2 +-
 .../SmartAssembly/ResourceResolverInfo.cs     |   2 +-
 .../deobfuscators/SmartAssembly/SA_Utils.cs   |  29 ----
 .../deobfuscators/Unknown/Deobfuscator.cs     |  17 --
 14 files changed, 513 insertions(+), 52 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
 create mode 100644 de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
 create mode 100644 de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
 create mode 100644 de4dot.code/deobfuscators/CryptoObfuscator/ResourceResolver.cs
 delete mode 100644 de4dot.code/deobfuscators/SmartAssembly/SA_Utils.cs

diff --git a/blocks/DotNetUtils.cs b/blocks/DotNetUtils.cs
index 3d377474..2134718d 100644
--- a/blocks/DotNetUtils.cs
+++ b/blocks/DotNetUtils.cs
@@ -468,6 +468,10 @@ namespace de4dot.blocks {
 		public static IList<Instruction> getInstructions(IList<Instruction> instructions, int i, params OpCode[] opcodes) {
 			if (i + opcodes.Length > instructions.Count)
 				return null;
+			if (opcodes.Length == 0)
+				return new List<Instruction>();
+			if (opcodes[0] != instructions[i].OpCode)
+				return null;
 
 			var list = new List<Instruction>(opcodes.Length);
 			for (int j = 0; j < opcodes.Length; j++) {
diff --git a/de4dot.code/ObfuscatedFile.cs b/de4dot.code/ObfuscatedFile.cs
index c783af78..031cfb71 100644
--- a/de4dot.code/ObfuscatedFile.cs
+++ b/de4dot.code/ObfuscatedFile.cs
@@ -749,9 +749,11 @@ namespace de4dot {
 			deobfuscate(method, "Static string decryption", (blocks) => theDeob.deobfuscateStrings(blocks));
 		}
 
-		void IDeobfuscatedFile.createAssemblyFile(byte[] data, string assemblyName) {
+		void IDeobfuscatedFile.createAssemblyFile(byte[] data, string assemblyName, string extension) {
+			if (extension == null)
+				extension = ".dll";
 			var baseDir = Utils.getDirName(options.NewFilename);
-			var newName = Path.Combine(baseDir, assemblyName + ".dll");
+			var newName = Path.Combine(baseDir, assemblyName + extension);
 			Log.n("Creating file {0}", newName);
 			using (var writer = new BinaryWriter(new FileStream(newName, FileMode.Create))) {
 				writer.Write(data);
diff --git a/de4dot.code/Program.cs b/de4dot.code/Program.cs
index c2571a8f..959ec59b 100644
--- a/de4dot.code/Program.cs
+++ b/de4dot.code/Program.cs
@@ -30,6 +30,7 @@ namespace de4dot {
 			return new List<IDeobfuscatorInfo> {
 				new de4dot.deobfuscators.Unknown.DeobfuscatorInfo(),
 				new de4dot.deobfuscators.CliSecure.DeobfuscatorInfo(),
+				new de4dot.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),
 				new de4dot.deobfuscators.Dotfuscator.DeobfuscatorInfo(),
 				new de4dot.deobfuscators.Eazfuscator.DeobfuscatorInfo(),
 				new de4dot.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
diff --git a/de4dot.code/Utils.cs b/de4dot.code/Utils.cs
index 65f7967d..ed1f492e 100644
--- a/de4dot.code/Utils.cs
+++ b/de4dot.code/Utils.cs
@@ -191,5 +191,12 @@ namespace de4dot {
 				return false;
 			return left.Substring(0, right.Length).Equals(right, stringComparison);
 		}
+
+		public static string getAssemblySimpleName(string name) {
+			int i = name.IndexOf(',');
+			if (i < 0)
+				return name;
+			return name.Substring(0, i);
+		}
 	}
 }
diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 5d9739b6..3dcd2afe 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -57,6 +57,10 @@
     <Compile Include="CommandLineParser.cs" />
     <Compile Include="deobfuscators\CliSecure\Deobfuscator.cs" />
     <Compile Include="deobfuscators\CliSecure\ProxyDelegateFinder.cs" />
+    <Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
+    <Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
+    <Compile Include="deobfuscators\CryptoObfuscator\ResourceDecrypter.cs" />
+    <Compile Include="deobfuscators\CryptoObfuscator\ResourceResolver.cs" />
     <Compile Include="deobfuscators\DeobfuscatorBase.cs" />
     <Compile Include="deobfuscators\DeobfuscatorInfoBase.cs" />
     <Compile Include="deobfuscators\DeobUtils.cs" />
@@ -80,7 +84,6 @@
     <Compile Include="deobfuscators\SmartAssembly\ResourceDecrypterInfo.cs" />
     <Compile Include="deobfuscators\SmartAssembly\ResourceResolver.cs" />
     <Compile Include="deobfuscators\SmartAssembly\ResourceResolverInfo.cs" />
-    <Compile Include="deobfuscators\SmartAssembly\SA_Utils.cs" />
     <Compile Include="deobfuscators\SmartAssembly\SimpleZipInfo.cs" />
     <Compile Include="deobfuscators\SmartAssembly\StringDecrypter.cs" />
     <Compile Include="deobfuscators\SmartAssembly\StringDecrypterInfo.cs" />
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs b/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
new file mode 100644
index 00000000..61380ffa
--- /dev/null
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
@@ -0,0 +1,144 @@
+/*
+    Copyright (C) 2011 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Mono.Cecil;
+using Mono.Cecil.Cil;
+using de4dot.blocks;
+
+namespace de4dot.deobfuscators.CryptoObfuscator {
+	class AssemblyResolver {
+		ModuleDefinition module;
+		ResourceDecrypter resourceDecrypter;
+		TypeDefinition resolverType;
+		List<AssemblyInfo> assemblyInfos;
+
+		public class AssemblyInfo {
+			public string assemblyName;
+			public EmbeddedResource resource;
+			public EmbeddedResource symbolsResource;
+			public AssemblyInfo(string assemblyName, EmbeddedResource resource, EmbeddedResource symbolsResource) {
+				this.assemblyName = assemblyName;
+				this.resource = resource;
+				this.symbolsResource = symbolsResource;
+			}
+
+			public override string ToString() {
+				return string.Format("{{{0} => {1}}}", assemblyName, resource.Name);
+			}
+		}
+
+		public List<AssemblyInfo> AssemblyInfos {
+			get { return assemblyInfos; }
+		}
+
+		public AssemblyResolver(ModuleDefinition module, ResourceDecrypter resourceDecrypter) {
+			this.module = module;
+			this.resourceDecrypter = resourceDecrypter;
+		}
+
+		public void find() {
+			var cctor = DotNetUtils.getMethod(DotNetUtils.getModuleType(module), ".cctor");
+			if (cctor == null)
+				return;
+
+			foreach (var tuple in DotNetUtils.getCalledMethods(module, cctor)) {
+				var method = tuple.Item2;
+				if (method.Name == ".cctor" || method.Name == ".ctor")
+					continue;
+				if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
+					continue;
+				if (checkType(tuple.Item1, method))
+					break;
+			}
+		}
+
+		bool checkType(TypeDefinition type, MethodDefinition initMethod) {
+			if (DotNetUtils.findFieldType(type, "System.Collections.Hashtable", true) == null)
+				return false;
+			if (!checkInitMethod(initMethod))
+				return false;
+
+			List<AssemblyInfo> newAssemblyInfos = null;
+			foreach (var s in DotNetUtils.getCodeStrings(initMethod)) {
+				newAssemblyInfos = initializeEmbeddedAssemblies(s);
+				if (newAssemblyInfos != null)
+					break;
+			}
+			if (newAssemblyInfos == null)
+				return false;
+
+			resolverType = type;
+			assemblyInfos = newAssemblyInfos;
+			return true;
+		}
+
+		bool checkInitMethod(MethodDefinition initMethod) {
+			if (!initMethod.HasBody)
+				return false;
+
+			var instructions = initMethod.Body.Instructions;
+			for (int i = 0; i < instructions.Count; i++) {
+				var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Ldnull, OpCodes.Ldftn, OpCodes.Newobj);
+				if (instrs == null)
+					continue;
+
+				MethodReference methodRef;
+				var ldftn = instrs[1];
+				var newobj = instrs[2];
+
+				methodRef = ldftn.Operand as MethodReference;
+				if (methodRef == null || !MemberReferenceHelper.compareTypes(initMethod.DeclaringType, methodRef.DeclaringType))
+					continue;
+
+				methodRef = newobj.Operand as MethodReference;
+				if (methodRef == null || methodRef.FullName != "System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)")
+					continue;
+
+				return true;
+			}
+
+			return false;
+		}
+
+		List<AssemblyInfo> initializeEmbeddedAssemblies(string s) {
+			var sb = new StringBuilder(s.Length);
+			foreach (var c in s)
+				sb.Append((char)~c);
+			var tmpAssemblyInfos = sb.ToString().Split(new string[] { "##" }, StringSplitOptions.RemoveEmptyEntries);
+			if (tmpAssemblyInfos.Length == 0 || (tmpAssemblyInfos.Length & 1) == 1)
+				return null;
+
+			var newAssemblyInfos = new List<AssemblyInfo>(tmpAssemblyInfos.Length / 2);
+			for (int i = 0; i < tmpAssemblyInfos.Length; i += 2) {
+				var assemblyName = tmpAssemblyInfos[i];
+				var resourceName = tmpAssemblyInfos[i + 1];
+				var resource = DotNetUtils.getResource(module, resourceName) as EmbeddedResource;
+				var symbolsResource = DotNetUtils.getResource(module, resourceName + "#") as EmbeddedResource;
+				if (resource == null)
+					return null;
+				newAssemblyInfos.Add(new AssemblyInfo(assemblyName, resource, symbolsResource));
+			}
+
+			return newAssemblyInfos;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
new file mode 100644
index 00000000..4b9a4f73
--- /dev/null
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
@@ -0,0 +1,161 @@
+/*
+    Copyright (C) 2011 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using System.Text.RegularExpressions;
+using Mono.Cecil;
+using de4dot.blocks;
+
+namespace de4dot.deobfuscators.CryptoObfuscator {
+	class DeobfuscatorInfo : DeobfuscatorInfoBase {
+		const string DEFAULT_REGEX = @"!^[A-Z]{1,3}(?:`\d+)?$&!^c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
+		public DeobfuscatorInfo()
+			: base("co", DEFAULT_REGEX) {
+		}
+
+		internal static string ObfuscatorType {
+			get { return "CryptoObfuscator"; }
+		}
+
+		public override string Type {
+			get { return ObfuscatorType; }
+		}
+
+		public override IDeobfuscator createDeobfuscator() {
+			return new Deobfuscator(new Deobfuscator.Options {
+				ValidNameRegex = validNameRegex.get(),
+			});
+		}
+
+		protected override IEnumerable<Option> getOptionsInternal() {
+			return new List<Option>() {
+			};
+		}
+	}
+
+	class Deobfuscator : DeobfuscatorBase {
+		Options options;
+		string obfuscatorName = "Crypto Obfuscator";
+		bool foundCryptoObfuscatorAttribute = false;
+		bool foundObfuscatedSymbols = false;
+
+		ResourceDecrypter resourceDecrypter;
+		ResourceResolver resourceResolver;
+		AssemblyResolver assemblyResolver;
+
+		internal class Options : OptionsBase {
+		}
+
+		public override string Type {
+			get { return DeobfuscatorInfo.ObfuscatorType; }
+		}
+
+		public override string Name {
+			get { return obfuscatorName; }
+		}
+
+		public Deobfuscator(Options options)
+			: base(options) {
+			this.options = options;
+		}
+
+		public override void init(ModuleDefinition module) {
+			base.init(module);
+		}
+
+		public override int detect() {
+			scanForObfuscator();
+
+			int val = 0;
+
+			if (foundCryptoObfuscatorAttribute)
+				val += 100;
+			else if (foundObfuscatedSymbols)
+				val += 10;
+
+			return val;
+		}
+
+		protected override void scanForObfuscatorInternal() {
+			foreach (var type in module.Types) {
+				if (type.FullName == "CryptoObfuscator.ProtectedWithCryptoObfuscatorAttribute") {
+					foundCryptoObfuscatorAttribute = true;
+					addAttributeToBeRemoved(type, "Obfuscator attribute");
+					initializeVersion(type);
+				}
+			}
+			if (checkCryptoObfuscator())
+				foundObfuscatedSymbols = true;
+		}
+
+		void initializeVersion(TypeDefinition attr) {
+			var s = DotNetUtils.getCustomArgAsString(getAssemblyAttribute(attr), 0);
+			if (s == null)
+				return;
+
+			var val = Regex.Match(s, @"^Protected with (Crypto Obfuscator.*)$");
+			if (val.Groups.Count < 2)
+				return;
+			obfuscatorName = val.Groups[1].ToString();
+			return;
+		}
+
+		bool checkCryptoObfuscator() {
+			int matched = 0;
+			foreach (var type in module.Types) {
+				if (type.Namespace != "A")
+					continue;
+				if (Regex.IsMatch(type.Name, "^c[0-9a-f]{32}$"))
+					return true;
+				else if (Regex.IsMatch(type.Name, "^A[A-Z]*$")) {
+					if (++matched >= 10)
+						return true;
+				}
+			}
+			return false;
+		}
+
+		public override void deobfuscateBegin() {
+			base.deobfuscateBegin();
+
+			resourceDecrypter = new ResourceDecrypter(module);
+			resourceResolver = new ResourceResolver(module, resourceDecrypter);
+			assemblyResolver = new AssemblyResolver(module, resourceDecrypter);
+			resourceResolver.find();
+			assemblyResolver.find();
+
+			dumpEmbeddedAssemblies();
+		}
+
+		void dumpEmbeddedAssemblies() {
+			foreach (var info in assemblyResolver.AssemblyInfos) {
+				dumpEmbeddedFile(info.resource, info.assemblyName, true);
+
+				if (info.symbolsResource != null)
+					dumpEmbeddedFile(info.symbolsResource, info.assemblyName, false);
+			}
+		}
+
+		void dumpEmbeddedFile(EmbeddedResource resource, string assemblyName, bool isAssembly) {
+			string extension = isAssembly ? ".dll" : ".pdb";
+			DeobfuscatedFile.createAssemblyFile(resourceDecrypter.decrypt(resource.GetResourceStream()), Utils.getAssemblySimpleName(assemblyName), extension);
+			addResourceToBeRemoved(resource, string.Format("Embedded assembly{0}: {1}", isAssembly ? "" : " (pdb)", assemblyName));
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
new file mode 100644
index 00000000..497c5b58
--- /dev/null
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
@@ -0,0 +1,103 @@
+/*
+    Copyright (C) 2011 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.IO;
+using System.IO.Compression;
+using System.Security.Cryptography;
+using Mono.Cecil;
+
+namespace de4dot.deobfuscators.CryptoObfuscator {
+	class ResourceDecrypter {
+		const int BUFLEN = 0x8000;
+		ModuleDefinition module;
+		byte[] buffer1 = new byte[BUFLEN];
+		byte[] buffer2 = new byte[BUFLEN];
+
+		public ResourceDecrypter(ModuleDefinition module) {
+			this.module = module;
+		}
+
+		public byte[] decrypt(Stream resourceStream) {
+			byte flags = (byte)resourceStream.ReadByte();
+			Stream sourceStream = resourceStream;
+
+			if ((flags & 1) != 0) {
+				var memStream = new MemoryStream((int)resourceStream.Length);
+				using (var provider = new DESCryptoServiceProvider()) {
+					var iv = new byte[8];
+					sourceStream.Read(iv, 0, 8);
+					provider.IV = iv;
+					provider.Key = getKey(sourceStream);
+
+					using (var transform = provider.CreateDecryptor()) {
+						while (true) {
+							int count = sourceStream.Read(buffer1, 0, buffer1.Length);
+							if (count <= 0)
+								break;
+							int count2 = transform.TransformBlock(buffer1, 0, count, buffer2, 0);
+							memStream.Write(buffer2, 0, count2);
+						}
+						var finalData = transform.TransformFinalBlock(buffer1, 0, 0);
+						memStream.Write(finalData, 0, finalData.Length);
+					}
+				}
+				sourceStream = memStream;
+			}
+
+			if ((flags & 2) != 0) {
+				var memStream = new MemoryStream((int)resourceStream.Length);
+				sourceStream.Position = 0;
+				var inflater = new DeflateStream(sourceStream, CompressionMode.Decompress);
+				while (true) {
+					int count = inflater.Read(buffer1, 0, buffer1.Length);
+					if (count <= 0)
+						break;
+					memStream.Write(buffer1, 0, count);
+				}
+
+				sourceStream = memStream;
+			}
+
+			if (sourceStream is MemoryStream) {
+				var memStream = (MemoryStream)sourceStream;
+				return memStream.ToArray();
+			}
+			else {
+				int len = (int)(sourceStream.Length - sourceStream.Position);
+				byte[] data = new byte[len];
+				sourceStream.Read(data, 0, len);
+				return data;
+			}
+		}
+
+		byte[] getKey(Stream resourceStream) {
+			byte[] key = new byte[8];
+			resourceStream.Read(key, 0, key.Length);
+			for (int i = 0; i < key.Length; i++) {
+				if (key[i] != 0)
+					return key;
+			}
+			key = module.Assembly.Name.PublicKeyToken;
+			if (key == null)
+				throw new ApplicationException("PublicKeyToken is null, can't decrypt resources");
+			return key;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceResolver.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceResolver.cs
new file mode 100644
index 00000000..f7cb3f05
--- /dev/null
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceResolver.cs
@@ -0,0 +1,82 @@
+/*
+    Copyright (C) 2011 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using Mono.Cecil;
+using Mono.Cecil.Cil;
+using de4dot.blocks;
+
+namespace de4dot.deobfuscators.CryptoObfuscator {
+	class ResourceResolver {
+		ModuleDefinition module;
+		ResourceDecrypter resourceDecrypter;
+		TypeDefinition resolverType;
+
+		public ResourceResolver(ModuleDefinition module, ResourceDecrypter resourceDecrypter) {
+			this.module = module;
+			this.resourceDecrypter = resourceDecrypter;
+		}
+
+		public void find() {
+			var cctor = DotNetUtils.getMethod(DotNetUtils.getModuleType(module), ".cctor");
+			if (cctor == null)
+				return;
+
+			foreach (var tuple in DotNetUtils.getCalledMethods(module, cctor)) {
+				var method = tuple.Item2;
+				if (method.Name == ".cctor" || method.Name == ".ctor")
+					continue;
+				if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
+					continue;
+				if (checkType(tuple.Item1, method))
+					break;
+			}
+		}
+
+		bool checkType(TypeDefinition type, MethodDefinition initMethod) {
+			if (!initMethod.HasBody)
+				return false;
+			if (DotNetUtils.findFieldType(type, "System.Reflection.Assembly", true) == null)
+				return false;
+
+			var instructions = initMethod.Body.Instructions;
+			for (int i = 0; i < instructions.Count; i++) {
+				var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Ldnull, OpCodes.Ldftn, OpCodes.Newobj);
+				if (instrs == null)
+					continue;
+
+				MethodReference methodRef;
+				var ldftn = instrs[1];
+				var newobj = instrs[2];
+
+				methodRef = ldftn.Operand as MethodReference;
+				if (methodRef == null || !MemberReferenceHelper.compareTypes(type, methodRef.DeclaringType))
+					continue;
+
+				methodRef = newobj.Operand as MethodReference;
+				if (methodRef == null || methodRef.FullName != "System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)")
+					continue;
+
+				resolverType = type;
+				return true;
+			}
+
+			return false;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/IDeobfuscatedFile.cs b/de4dot.code/deobfuscators/IDeobfuscatedFile.cs
index 38d9cc01..56535f0e 100644
--- a/de4dot.code/deobfuscators/IDeobfuscatedFile.cs
+++ b/de4dot.code/deobfuscators/IDeobfuscatedFile.cs
@@ -19,7 +19,7 @@
 
 namespace de4dot.deobfuscators {
 	interface IDeobfuscatedFile : ISimpleDeobfuscator {
-		void createAssemblyFile(byte[] data, string assemblyName);
+		void createAssemblyFile(byte[] data, string assemblyName, string extension = null);
 		void stringDecryptersAdded();
 	}
 }
diff --git a/de4dot.code/deobfuscators/SmartAssembly/AssemblyResolverInfo.cs b/de4dot.code/deobfuscators/SmartAssembly/AssemblyResolverInfo.cs
index bf9b8934..f753ec2e 100644
--- a/de4dot.code/deobfuscators/SmartAssembly/AssemblyResolverInfo.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/AssemblyResolverInfo.cs
@@ -68,7 +68,7 @@ namespace de4dot.deobfuscators.SmartAssembly {
 				info.assemblyName = Encoding.UTF8.GetString(Convert.FromBase64String(encName));
 				info.resourceName = rsrcName;
 				info.resource = DotNetUtils.getResource(module, rsrcName) as EmbeddedResource;
-				info.simpleName = SA_Utils.getAssemblySimpleName(info.assemblyName);
+				info.simpleName = Utils.getAssemblySimpleName(info.assemblyName);
 
 				return info;
 			}
diff --git a/de4dot.code/deobfuscators/SmartAssembly/ResourceResolverInfo.cs b/de4dot.code/deobfuscators/SmartAssembly/ResourceResolverInfo.cs
index 98d94338..bf5c1989 100644
--- a/de4dot.code/deobfuscators/SmartAssembly/ResourceResolverInfo.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/ResourceResolverInfo.cs
@@ -53,7 +53,7 @@ namespace de4dot.deobfuscators.SmartAssembly {
 				if (s == null || calledMethod == null)
 					continue;
 
-				resource = DotNetUtils.getResource(module, SA_Utils.getAssemblySimpleName(s)) as EmbeddedResource;
+				resource = DotNetUtils.getResource(module, Utils.getAssemblySimpleName(s)) as EmbeddedResource;
 				if (resource != null)
 					break;
 			}
diff --git a/de4dot.code/deobfuscators/SmartAssembly/SA_Utils.cs b/de4dot.code/deobfuscators/SmartAssembly/SA_Utils.cs
deleted file mode 100644
index d8b44ae0..00000000
--- a/de4dot.code/deobfuscators/SmartAssembly/SA_Utils.cs
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
-    Copyright (C) 2011 de4dot@gmail.com
-
-    This file is part of de4dot.
-
-    de4dot is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    de4dot is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-namespace de4dot.deobfuscators.SmartAssembly {
-	static class SA_Utils {
-		public static string getAssemblySimpleName(string name) {
-			int i = name.IndexOf(',');
-			if (i < 0)
-				return name;
-			return name.Substring(0, i);
-		}
-	}
-}
diff --git a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
index 80e072b5..3cff3cbb 100644
--- a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
@@ -90,8 +90,6 @@ namespace de4dot.deobfuscators.Unknown {
 					return "CodeFort";
 				if (type.FullName == "____KILL")
 					return "DeployLX CodeVeil";
-				if (type.FullName == "CryptoObfuscator.ProtectedWithCryptoObfuscatorAttribute")
-					return "Crypto Obfuscator";
 				if (type.FullName.Contains("ObfuscatedByGoliath"))
 					return "Goliath .NET Obfuscator";
 				if (type.FullName == "Xenocode.Client.Attributes.AssemblyAttributes.ProcessedByXenocode")
@@ -109,21 +107,6 @@ namespace de4dot.deobfuscators.Unknown {
 				if (type.FullName == "YanoAttribute")
 					return "Yano Obfuscator";
 			}
-			return checkCryptoObfuscator();
-		}
-
-		string checkCryptoObfuscator() {
-			int matched = 0;
-			foreach (var type in module.Types) {
-				if (type.Namespace != "A")
-					continue;
-				if (Regex.IsMatch(type.Name, "^c[0-9a-f]{32}$"))
-					return "Crypto Obfuscator";
-				else if (Regex.IsMatch(type.Name, "^A[A-Z]*$")) {
-					if (++matched >= 10)
-						return "Crypto Obfuscator";
-				}
-			}
 			return null;
 		}
 	}