From 7e1bf542af8f7d22b4748ce204b263eac401eadf Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 11 Mar 2012 15:34:53 +0100
Subject: [PATCH] Support a new EF 3.3 version that was released 1-2 days ago

---
 .../Eazfuscator_NET/StringDecrypter.cs        | 28 +++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs b/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
index 4839f429..8da355ee 100644
--- a/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/Eazfuscator_NET/StringDecrypter.cs
@@ -31,7 +31,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 		MethodDefinition stringMethod;
 		TypeDefinition dataDecrypterType;
 		short s1, s2, s3;
-		int i1, i2, i3, i4, i5;
+		int i1, i2, i3, i4, i5, i6;
 		bool checkMinus2;
 		bool usePublicKeyToken;
 		int keyLen;
@@ -262,7 +262,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 
 		public string decrypt(int val) {
 			while (true) {
-				int offset = magic1 ^ i3 ^ val;
+				int offset = magic1 ^ i3 ^ val ^ i6;
 				reader.BaseStream.Position = offset;
 				byte[] tmpKey;
 				if (theKey == null) {
@@ -523,12 +523,23 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 					continue;
 
 				i3 = DotNetUtils.getLdcI4Value(ldci4);
+				if (!findInt6(method, i + 5))
+					return false;
 				return true;
 			}
 
 			return false;
 		}
 
+		// v3.3.134.30672+ (not 3.3.128.10407)
+		bool findInt6(MethodDefinition method, int index) {
+			index = getNextLdci4InSameBlock(method, index);
+			if (index < 0)
+				return true;
+
+			return EfUtils.getNextInt32(method, ref index, out i6);
+		}
+
 		bool findInt4(MethodDefinition method) {
 			int index = 0;
 			if (!findCallReadInt32(method, ref index))
@@ -539,6 +550,19 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
 			return true;
 		}
 
+		static int getNextLdci4InSameBlock(MethodDefinition method, int index) {
+			var instrs = method.Body.Instructions;
+			for (int i = index; i < instrs.Count; i++) {
+				var instr = instrs[i];
+				if (instr.OpCode.FlowControl != FlowControl.Next)
+					return -1;
+				if (DotNetUtils.isLdcI4(instr))
+					return i;
+			}
+
+			return -1;
+		}
+
 		bool findInt5(MethodDefinition method) {
 			int index = -1;
 			while (true) {