From 7c4f014da32af9980f8e25b62cd3dc819e8d1d5a Mon Sep 17 00:00:00 2001
From: de4dot
Date: Wed, 22 Feb 2012 12:38:02 +0100
Subject: [PATCH] Support old MC 3.2
---
 .../deobfuscators/MaxtoCode/FileDecrypter.cs | 62 +++++++++++++++----
 1 file changed, 50 insertions(+), 12 deletions(-)
diff --git a/de4dot.code/deobfuscators/MaxtoCode/FileDecrypter.cs b/de4dot.code/deobfuscators/MaxtoCode/FileDecrypter.cs
index 6ace5b34..d06ccdbd 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/FileDecrypter.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/FileDecrypter.cs
@@ -115,6 +115,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 Unknown,
 V1,
 V2,
+ V3,
 }
 
 class EncryptionInfo {
@@ -125,11 +126,17 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 
 static EncryptionInfo[] encryptionInfos_Rva900h = new EncryptionInfo[] {
 // PE header timestamp
+ // 462FA2D2 = Wed, 25 Apr 2007 18:49:54 (3.20)
+ new EncryptionInfo {
+ MagicLo = 0xA098B387,
+ MagicHi = 0x1E8EBCA3,
+ Version = EncryptionVersion.V1,
+ },
 // 482384FB = Thu, 08 May 2008 22:55:55 (3.36)
 new EncryptionInfo {
 MagicLo = 0xAA98B387,
 MagicHi = 0x1E8EECA3,
- Version = EncryptionVersion.V1,
+ Version = EncryptionVersion.V2,
 },
 // 4C622357 = Wed, 11 Aug 2010 04:13:11
 // 4C6220EC = Wed, 11 Aug 2010 04:02:52
@@ -137,7 +144,7 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 new EncryptionInfo {
 MagicLo = 0xAA98B387,
 MagicHi = 0x128EECA3,
- Version = EncryptionVersion.V1,
+ Version = EncryptionVersion.V2,
 },
 // 4DFA3D5D = Thu, 16 Jun 2011 17:29:01
 // 4DC2FC75 = Thu, 05 May 2011 19:37:25
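Review bot: The `EncryptionVersion` names no longer say which MaxtoCode builds they stand for: in the `encryptionInfos_Rva900h` hunk (`@@ -125,11 +126,17 @@`) the existing 3.36 entry moves from `V1` to `V2` so that the new 3.20 entry can take `V1`, and the same shift (including `V2` to `V3` for the Dec 2011 builds) repeats in the three table hunks that follow. A comment on the enum would keep the next renumbering from being done by guesswork, for example `// V1: 3.20 (2007); V2: 3.36 and the 2010 to mid-2011 builds; V3: the Dec 2011 builds`, which is what the timestamp comments in these tables show. Both tables continue outside the hunks, so any entry not visible here should be checked against the same mapping.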
@@ -146,29 +153,35 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 new EncryptionInfo {
 MagicLo = 0xAA98B387,
 MagicHi = 0xF28EECA3,
- Version = EncryptionVersion.V1,
+ Version = EncryptionVersion.V2,
 },
 // 4DC2FE0C = Thu, 05 May 2011 19:44:12
 new EncryptionInfo {
 MagicLo = 0xAA98B387,
 MagicHi = 0xF28EEAA3,
- Version = EncryptionVersion.V1,
+ Version = EncryptionVersion.V2,
 },
 // 4EE1FAD1 = Fri, 09 Dec 2011 12:10:57
 // 4ED76740 = Thu, 01 Dec 2011 11:38:40
 new EncryptionInfo {
 MagicLo = 0xAA983B87,
 MagicHi = 0xF28EECA3,
- Version = EncryptionVersion.V2,
+ Version = EncryptionVersion.V3,
 },
 };
 
 static EncryptionInfo[] encryptionInfos_McHeader8C0h = new EncryptionInfo[] {
+ // 462FA2D2 = Wed, 25 Apr 2007 18:49:54 (3.20)
+ new EncryptionInfo {
+ MagicLo = 0x6AA13B13,
+ MagicHi = 0xD72B991F,
+ Version = EncryptionVersion.V1,
+ },
 // 482384FB = Thu, 08 May 2008 22:55:55 (3.36)
 new EncryptionInfo {
 MagicLo = 0x6A713B13,
 MagicHi = 0xD72B891F,
- Version = EncryptionVersion.V1,
+ Version = EncryptionVersion.V2,
 },
 // 4DFA3D5D = Thu, 16 Jun 2011 17:29:01
 // 4DC2FE0C = Thu, 05 May 2011 19:44:12
@@ -181,14 +194,14 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 new EncryptionInfo {
 MagicLo = 0x6A713B13,
 MagicHi = 0xD72B891F,
- Version = EncryptionVersion.V1,
+ Version = EncryptionVersion.V2,
 },
 // 4EE1FAD1 = Fri, 09 Dec 2011 12:10:57
 // 4ED76740 = Thu, 01 Dec 2011 11:38:40
 new EncryptionInfo {
 MagicLo = 0x6A731B13,
 MagicHi = 0xD72B891F,
- Version = EncryptionVersion.V2,
+ Version = EncryptionVersion.V3,
 },
 };
 
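Review bot: `encryptionInfos_McHeader8C0h` holds two entries with the same pair `MagicLo = 0x6A713B13`, `MagicHi = 0xD72B891F`: the 3.36 entry near the end of this hunk and the first entry of the next hunk (`@@ -181,14 +194,14 @@`), and this commit has to edit both from `V1` to `V2`. The lookup code is outside the diff, but if it matches on the magic pair the second entry cannot select anything the first does not, and a later change that updates only one of them would go unnoticed. Folding the two into one entry, with all of their timestamp comments listed above it, would remove that risk.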
@@ -307,10 +320,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 
 public byte[] decrypt(int type, byte[] encrypted) {
 switch (type) {
- case 1: return methodInfos.decrypt3(encrypted);
- case 2: return methodInfos.decrypt2(encrypted);
- case 3: return methodInfos.decrypt1(encrypted);
- case 4: return methodInfos.decrypt4(encrypted);
+ case 1: return methodInfos.decrypt1(encrypted);
+ case 2: return methodInfos.decrypt4(encrypted);
+ case 3: return methodInfos.decrypt2(encrypted);
+ case 4: return methodInfos.decrypt3(encrypted);
 case 5: return methodInfos.decrypt5(encrypted);
 case 6: return methodInfos.decrypt6(encrypted);
 case 7: return methodInfos.decrypt7(encrypted);
@@ -326,6 +339,27 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 this.methodInfos = methodInfos;
 }
 
+ public byte[] decrypt(int type, byte[] encrypted) {
+ switch (type) {
+ case 1: return methodInfos.decrypt3(encrypted);
+ case 2: return methodInfos.decrypt2(encrypted);
+ case 3: return methodInfos.decrypt1(encrypted);
+ case 4: return methodInfos.decrypt4(encrypted);
+ case 5: return methodInfos.decrypt5(encrypted);
+ case 6: return methodInfos.decrypt6(encrypted);
+ case 7: return methodInfos.decrypt7(encrypted);
+ default: throw new ApplicationException(string.Format("Invalid encryption type: {0:X2}", type));
+ }
+ }
+ }
+
+ class DecrypterV3 : IDecrypter {
+ MethodInfos methodInfos;
+
+ public DecrypterV3(MethodInfos methodInfos) {
+ this.methodInfos = methodInfos;
+ }
+
 public byte[] decrypt(int type, byte[] encrypted) {
 switch (type) {
 case 1: return methodInfos.decrypt1(encrypted);
@@ -350,6 +384,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 decrypter = new DecrypterV2(this);
 break;
 
+ case EncryptionVersion.V3:
+ decrypter = new DecrypterV3(this);
+ break;
+
 case EncryptionVersion.Unknown:
 default:
 throw new ApplicationException("Unknown MC version");
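Review bot: The decrypter classes now repeat the same `switch` and differ only in how cases 1 to 4 are ordered, with nothing written down about where each ordering comes from: the first hunk here (`@@ -307,10 +320,10 @@`) changes the first `decrypt` to `decrypt1, decrypt4, decrypt2, decrypt3`, and the next hunk (`@@ -326,6 +339,27 @@`) re-adds the previous `decrypt3, decrypt2, decrypt1, decrypt4` order ahead of the new `DecrypterV3` class. In the `switch` that hunk adds, only an unknown `type` throws, so a version that was matched wrongly returns bytes from the wrong routine instead of failing. A one-line comment above each `switch`, such as `// V1 (3.20 per the magic tables): type 1..4 -> decrypt1, decrypt4, decrypt2, decrypt3`, would make the orderings checkable against the tables; a single class driven by a per-version order array would remove the duplication altogether. The `decrypt` bodies start or end outside both hunks, so the remaining cases of `DecrypterV3` are not visible here.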