From 7e1d16dafb4dd585248b134d54f3f944c0bf03b5 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Sat, 17 Nov 2012 11:45:24 +0100
Subject: [PATCH] Clear RVA when resetting field type and initial value
---
 de4dot.code/deobfuscators/CodeVeil/ProxyCallFixer.cs | 1 +
 de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs | 1 +
 de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs | 1 +
 de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs | 1 +
 de4dot.code/deobfuscators/DeepSea/ResourceResolver.cs | 1 +
 de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs | 2 ++
 de4dot.code/deobfuscators/Spices_Net/StringDecrypter.cs | 1 +
 7 files changed, 8 insertions(+)
diff --git a/de4dot.code/deobfuscators/CodeVeil/ProxyCallFixer.cs b/de4dot.code/deobfuscators/CodeVeil/ProxyCallFixer.cs
index df3c9ba9..e9310f17 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ProxyCallFixer.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ProxyCallFixer.cs
@@ -221,6 +221,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 reader = MemoryImageStream.Create(decompressed);
 info.dataField.FieldSig.Type = module.CorLibTypes.Byte;
 info.dataField.InitialValue = new byte[1];
+ info.dataField.RVA = 0;
 }
 void findOtherTypes() {
diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
index cab30692..12753dce 100644
--- a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
@@ -192,6 +192,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 stringDataField.FieldSig.Type = module.CorLibTypes.Byte;
 stringDataField.InitialValue = new byte[1];
+ stringDataField.RVA = 0;
 }
 static uint[] getKey(MethodDef method) {
diff --git a/de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs b/de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs
index a0a9e3b1..b0156011 100644
--- a/de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs
+++ b/de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs
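Review bot: The reset of a consumed data field (type to `Byte`, `InitialValue = new byte[1]`, `RVA = 0`) is written out by hand in the ProxyCallFixer.cs hunk and again in the seven other hunks of this patch, which is presumably why the RVA assignment had to be added at every site after the fact. Moving the three assignments into one helper that takes the field would keep the sites from drifting again; it can use `field.Module.CorLibTypes.Byte`, as the two DeepSea `cleanup()` methods already do. The RVA line would also benefit from a short why-comment, since the patch does not say whether the old RVA still refers to the original encrypted data. The enclosing method starts outside the hunk.

```csharp
// Shrink a consumed data field to one byte and drop its old RVA.
static void resetDataField(FieldDef field) {
	field.InitialValue = new byte[1];
	field.FieldSig.Type = field.Module.CorLibTypes.Byte;
	field.RVA = 0;
}
```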
@@ -118,6 +118,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
 }
 fieldInfo.arrayInitField.InitialValue = new byte[1];
 fieldInfo.arrayInitField.FieldSig.Type = module.CorLibTypes.Byte;
+ fieldInfo.arrayInitField.RVA = 0;
 }
 IList allInstructions;
diff --git a/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs b/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs
index 8805c058..587acfb2 100644
--- a/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs
+++ b/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs
@@ -497,6 +497,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
 infos.Add(getAssemblyInfo(decrypted, null));
 fieldInfo.field.InitialValue = new byte[1];
 fieldInfo.field.FieldSig.Type = module.CorLibTypes.Byte;
+ fieldInfo.field.RVA = 0;
 }
 return infos;
diff --git a/de4dot.code/deobfuscators/DeepSea/ResourceResolver.cs b/de4dot.code/deobfuscators/DeepSea/ResourceResolver.cs
index f3ac9a72..2b419051 100644
--- a/de4dot.code/deobfuscators/DeepSea/ResourceResolver.cs
+++ b/de4dot.code/deobfuscators/DeepSea/ResourceResolver.cs
@@ -345,6 +345,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
 DeobUtils.decryptAndAddResources(module, name, () => decryptResourceV4(resourceField.InitialValue, magic));
 resourceField.InitialValue = new byte[1];
 resourceField.FieldSig.Type = module.CorLibTypes.Byte;
+ resourceField.RVA = 0;
 return true;
 }
 }
diff --git a/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs b/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs
index bb4a4180..f1410077 100644
--- a/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs
@@ -380,6 +380,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
 public void cleanup() {
 arrayInfo.initField.InitialValue = new byte[1];
 arrayInfo.initField.FieldSig.Type = arrayInfo.initField.Module.CorLibTypes.Byte;
+ arrayInfo.initField.RVA = 0;
 removeInitializeArrayCall(cctor, arrayInfo.initField);
 }
 }
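Review bot: In the ResourceResolver.cs hunk the lambda passed to `DeobUtils.decryptAndAddResources` reads `resourceField.InitialValue` when it runs, and the next statement replaces that value with `new byte[1]`. This is correct only if the callback is invoked before `decryptAndAddResources` returns, which the hunk does not show. Reading the bytes into a local first removes that dependency: `var encrypted = resourceField.InitialValue;` followed by `() => decryptResourceV4(encrypted, magic)`. The enclosing method starts outside the hunk.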
@@ -539,6 +540,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
 public void cleanup() {
 encryptedDataField.InitialValue = new byte[1];
 encryptedDataField.FieldSig.Type = encryptedDataField.Module.CorLibTypes.Byte;
+ encryptedDataField.RVA = 0;
 removeInitializeArrayCall(cctor, encryptedDataField);
 }
 }
diff --git a/de4dot.code/deobfuscators/Spices_Net/StringDecrypter.cs b/de4dot.code/deobfuscators/Spices_Net/StringDecrypter.cs
index 9cd1ec0a..60256419 100644
--- a/de4dot.code/deobfuscators/Spices_Net/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/Spices_Net/StringDecrypter.cs
@@ -341,6 +341,7 @@ namespace de4dot.code.deobfuscators.Spices_Net {
 encryptedDataField.InitialValue = new byte[1];
 encryptedDataField.FieldSig.Type = module.CorLibTypes.Byte;
+ encryptedDataField.RVA = 0;
 }
 public string decrypt(MethodDef method) {