From 7c8259905b59afb7842ff503e165ffd03ed0c1ae Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 31 Mar 2012 13:26:11 +0200
Subject: [PATCH] Update CO code. Fixes #39

---
 .../CryptoObfuscator/ProxyDelegateFinder.cs   |  2 +-
 .../CryptoObfuscator/ResourceDecrypter.cs     | 25 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs
index cf2603ae..d38f4a37 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyDelegateFinder.cs
@@ -125,7 +125,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		}
 
 		MethodDefinition getProxyCreateMethod(TypeDefinition type) {
-			if (type.Fields.Count != 1 && type.Fields.Count != 2)
+			if (type.Fields.Count < 1 || type.Fields.Count > 3)
 				return null;
 			if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
 				return null;
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
index 28e427cc..95ef8436 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
@@ -37,6 +37,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		byte deflatedFlag;
 		byte bitwiseNotEncryptedFlag;
 		FrameworkType frameworkType;
+		bool flipFlagsBits;
 
 		public ResourceDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
 			this.module = module;
@@ -178,6 +179,26 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			bitwiseNotEncryptedFlag = 4;
 		}
 
+		static bool checkFlipBits(MethodDefinition method) {
+			var instrs = method.Body.Instructions;
+			for (int i = 0; i < instrs.Count - 1; i++) {
+				var ldloc = instrs[i];
+				if (!DotNetUtils.isLdloc(ldloc))
+					continue;
+				var local = DotNetUtils.getLocalVar(method.Body.Variables, ldloc);
+				if (local == null || !local.VariableType.IsPrimitive)
+					continue;
+
+				var not = instrs[i + 1];
+				if (not.OpCode.Code != Code.Not)
+					continue;
+
+				return true;
+			}
+
+			return false;
+		}
+
 		bool updateFlags(MethodDefinition method, ISimpleDeobfuscator simpleDeobfuscator) {
 			if (method == null || method.Body == null)
 				return false;
@@ -204,6 +225,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				constants.Add(flagValue);
 			}
 
+			flipFlagsBits = checkFlipBits(method);
+
 			switch (frameworkType) {
 			case FrameworkType.Desktop:
 				if (module.Runtime >= TargetRuntime.Net_2_0) {
@@ -261,6 +284,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 
 		public byte[] decrypt(Stream resourceStream) {
 			byte flags = (byte)resourceStream.ReadByte();
+			if (flipFlagsBits)
+				flags = (byte)~flags;
 			Stream sourceStream = resourceStream;
 			int sourceStreamOffset = 1;
 			bool didSomething = false;