From 6b04c230369f94f3e997a49ba3ce5106b96aeb58 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Mon, 31 Oct 2011 00:09:38 +0100
Subject: [PATCH] Update decrypter and version detecter code

---
 .../dotNET_Reactor/Deobfuscator.cs | 23 ++------------
 .../dotNET_Reactor/MethodsDecrypter.cs | 31 ++++++++++++-------
 2 files changed, 23 insertions(+), 31 deletions(-)

diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs
index 3f4b4219..d5c0e4bd 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/Deobfuscator.cs
@@ -192,7 +192,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 				return ".NET Reactor 3.9.8.0";
 			}
-			var compileMethod = findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType);
+			var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType);
 			if (compileMethod == null)
 				return ".NET Reactor < 4.0";
 			DeobfuscatedFile.deobfuscate(compileMethod);
@@ -219,12 +219,8 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 		}
 		static bool findString(MethodDefinition method, string s) {
-			if (method == null || method.Body == null)
-				return false;
-			foreach (var instr in method.Body.Instructions) {
-				if (instr.OpCode.Code != Code.Ldstr)
-					continue;
-				if (s == (string)instr.Operand)
+			foreach (var cs in DotNetUtils.getCodeStrings(method)) {
+				if (cs == s)
 					return true;
 			}
 			return false;
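Review bot: The rewritten `findString` drops the guard against a null `method` or a method with no body before iterating, so whether a malformed or stripped input assembly still yields `false` now depends entirely on `DotNetUtils.getCodeStrings` tolerating both cases, which is not visible in this diff. If that helper simply walks `method.Body.Instructions`, callers that used to get `false` will instead get a NullReferenceException from the deobfuscator's input handling; either keep `if (method == null || method.Body == null) return false;` ahead of the loop or confirm the helper handles it. The `cs == s` comparison is fine as written, since string `==` in C# is an ordinal comparison.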
@@ -242,19 +238,6 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 			return false;
 		}
-		static MethodDefinition findDnrCompileMethod(TypeDefinition type) {
-			foreach (var method in type.Methods) {
-				if (!method.IsStatic || method.Body == null)
-					continue;
-				if (method.Parameters.Count != 6)
-					continue;
-				if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
-					continue;
-				return method;
-			}
-			return null;
-		}
-
 		public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary dumpedMethods) {
 			using (var fileStream = new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read)) {
 				fileData = new byte[(int)fileStream.Length];
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/MethodsDecrypter.cs b/de4dot.code/deobfuscators/dotNET_Reactor/MethodsDecrypter.cs
index 001dbe89..13bfdf6d 100644
--- a/de4dot.code/deobfuscators/dotNET_Reactor/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/dotNET_Reactor/MethodsDecrypter.cs
@@ -29,8 +29,6 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 	class MethodsDecrypter {
 		ModuleDefinition module;
 		EncryptedResource encryptedResource;
-		long xorKey;
-		bool useXorKey;
 		public bool Detected {
 			get { return encryptedResource.ResourceDecrypterMethod != null; }
@@ -97,13 +95,12 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 				return false;
 			encryptedResource.init(simpleDeobfuscator);
-			initXorKey();
 			var methodsData = encryptedResource.decrypt();
-			ArrayFinder arrayFinder = new ArrayFinder(encryptedResource.ResourceDecrypterMethod);
-			bool hooksJitter = arrayFinder.exists(new byte[] { (byte)'g', (byte)'e', (byte)'t', (byte)'J', (byte)'i', (byte)'t' });
+			bool hooksJitter = findDnrCompileMethod(encryptedResource.ResourceDecrypterMethod.DeclaringType) != null;
-			if (useXorKey) {
+			long xorKey;
+			if (getXorKey(out xorKey)) {
 				// DNR 4.3, 4.4
 				var stream = new MemoryStream(methodsData);
 				var reader = new BinaryReader(stream);
@@ -229,9 +226,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 			}
 		}
-		void initXorKey() {
-			useXorKey = false;
-
+		bool getXorKey(out long xorKey) {
 			var instructions = encryptedResource.ResourceDecrypterMethod.Body.Instructions;
 			for (int i = 0; i < instructions.Count - 1; i++) {
 				if (instructions[i].OpCode.Code != Code.Ldind_I8)
@@ -241,9 +236,23 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
 					continue;
 				xorKey = DotNetUtils.getLdcI4Value(ldci4);
-				useXorKey = true;
-				return;
+				return true;
 			}
+			xorKey = 0;
+			return false;
+		}
+
+		public static MethodDefinition findDnrCompileMethod(TypeDefinition type) {
+			foreach (var method in type.Methods) {
+				if (!method.IsStatic || method.Body == null)
+					continue;
+				if (method.Parameters.Count != 6)
+					continue;
+				if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
+					continue;
+				return method;
+			}
+			return null;
 		}
 	}
 }
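Review bot: The new `hooksJitter` line, `bool hooksJitter = findDnrCompileMethod(encryptedResource.ResourceDecrypterMethod.DeclaringType) != null;`, replaces a byte-pattern scan of the decrypter body with a method-signature lookup on the decrypter's type, and nothing in the hunk records why the two are expected to detect the same protector behaviour. A one-line comment would carry that intent for the next maintainer, for example `// JIT hooking is inferred from a compileMethod-shaped static method on the decrypter's type (replaces the old "getJit" byte scan)`. The enclosing method starts and ends outside this hunk, so how `hooksJitter` is consumed later cannot be checked here.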
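Review bot: `findDnrCompileMethod` becomes a public static entry point that `Deobfuscator.cs` calls in this same commit, yet it still dereferences `type.Methods` with no null guard and has no comment describing what it matches. `DeclaringType` should not be null for a method that lives in a type, so the guard is defensive, but `if (type == null) return null;` as the first statement makes the method safe to call on any lookup result from an untrusted input assembly. I would also add a summary comment such as `// Finds the static 6-argument uint(ulong&, IntPtr, IntPtr, uint, IntPtr&, uint&) method; presumably the managed side of the protector's JIT compileMethod hook — the role is inferred from the name`. The `getXorKey` loop whose tail opens this hunk begins in the previous hunk; its `out` parameter is assigned on both return paths, which is correct.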