From 85c565fc20565d7cc80eca4ea7b460f5a1ac35ec Mon Sep 17 00:00:00 2001
From: de4dot
Date: Wed, 6 Nov 2013 03:20:44 +0100
Subject: [PATCH] Support more MaxtoCode runtimes
---
 .../deobfuscators/MaxtoCode/EncryptionInfos.cs | 9 +++++++++
 .../MaxtoCode/MethodsDecrypter.cs | 18 ++++++++++++++++++
 .../deobfuscators/MaxtoCode/PeHeader.cs | 2 ++
 3 files changed, 29 insertions(+)
diff --git a/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs b/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs
index 4baf7b93..f5efc42e 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/EncryptionInfos.cs
@@ -110,6 +110,13 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 MagicHi = 0x624ECDA3,
 Version = EncryptionVersion.V8,
 },
+ // 526BC020
+ // 526BDD12
+ new EncryptionInfo {
+ MagicLo = 0x9A683B87,
+ MagicHi = 0x928ECDA3,
+ Version = EncryptionVersion.V8,
+ },
 };
 
 public static readonly EncryptionInfo[] McKey8C0h = new EncryptionInfo[] {
@@ -168,6 +175,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 // 51413BD8
 // 51413D68
 // 5166DB4F
+ // 526BC020
+ // 526BDD12
 new EncryptionInfo {
 MagicLo = 0x1A731B13,
 MagicHi = 0x1723891F,
diff --git a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
index 27cfb8b8..b312d2a5 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/MethodsDecrypter.cs
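Review bot: The comment lines `// 526BC020` and `// 526BDD12` above the new `EncryptionInfo` entry are bare hex values with no statement of what they identify. They match the `new uint[]` keys added in MethodsDecrypter.cs, so they are presumably ids of the runtime builds this `MagicLo`/`MagicHi` pair was taken from, and a comment such as `// Runtime builds 526BC020, 526BDD12 (same ids as the Decrypter keys in MethodsDecrypter.cs)` would say so. Nothing visible ties the two files together, so a build added to one table but not the other would go unnoticed until a matching sample fails to decrypt. The second hunk in this file adds the same two ids to another entry's comment list and has the same dependency; both tables start outside their hunks.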
@@ -192,6 +192,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v7, Decrypt9_v7, Decrypt7, Decrypt5 }, new uint[] { 0x51413D68 }));
 decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v8, Decrypt9_v8, Decrypt7, Decrypt5 }, new uint[] { 0x513D7124, 0x51413BD8 }));
 decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v2, Decrypt3_v6, Decrypt1_v9, Decrypt6, Decrypt8_v8, Decrypt9_v9, Decrypt7, Decrypt5 }, new uint[] { 0x513D4492 }));
+ decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v6, Decrypt2_v2, Decrypt4_v8, Decrypt1_v10, Decrypt8_v9, Decrypt9_v10, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x526BDD12 }));
+ decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v10, Decrypt4_v8, Decrypt2_v2, Decrypt3_v6, Decrypt6, Decrypt8_v9, Decrypt9_v10, Decrypt7, Decrypt5 }, new uint[] { 0x526BC020 }));
 break;
 
 case EncryptionVersion.Unknown:
@@ -398,6 +400,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 return Decrypt1(encrypted, 9, 0x13, 0x400);
 }
 
+ byte[] Decrypt1_v10(byte[] encrypted) {
+ return Decrypt1(encrypted, 0x11, 0x11, 0x400);
+ }
+
 byte[] Decrypt1(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 var decrypted = new byte[encrypted.Length];
 for (int i = 0, ki = keyStart; i < decrypted.Length; i++) {
@@ -532,6 +538,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 return Decrypt4(encrypted, 0x0B, 0x0B, 0x100);
 }
 
+ byte[] Decrypt4_v8(byte[] encrypted) {
+ return Decrypt4(encrypted, 9, 9, 0x100);
+ }
+
 byte[] Decrypt4(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 var decrypted = new byte[encrypted.Length / 3 * 2 + 1];
 
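Review bot: Each of the two added `decrypters.Add` lines packs nine delegates and a key into one long line, and the `0x526BDD12` entry differs from the `0x526BC020` entry only in the order of those delegates, which nothing on the lines explains. If the array order is the order in which the passes are applied (the `Decrypter` class is outside the hunk), a transposed pair would show up only at run time on a matching sample. A short comment above each entry, for example `// 526BDD12: pass order as observed in that runtime build`, would make the data reviewable. Writing the initializer with one delegate per line would also let a later diff show exactly which pass changed. The enclosing `case` starts outside the hunk.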
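Review bot: `Decrypt1_v10` and the three other wrappers this commit adds (`Decrypt4_v8` in this file's third hunk, `Decrypt8_v9` and `Decrypt9_v10` in the fourth and fifth) carry suffixes that count variants per function, so the two new runtimes use `_v8`, `_v9` and `_v10` side by side and the name does not say which build a variant belongs to. A one-line comment per wrapper would close that gap, e.g. `// key offsets for runtime builds 526BC020, 526BDD12` above `Decrypt1_v10`. The new calls also mix radixes (`9, 9, 0x100`, `0xA, 0xA, 0x600`, `5, 5, 0x510`) where the neighbouring `Decrypt4(encrypted, 0x0B, 0x0B, 0x100)` uses hex throughout; `0x09, 0x09, 0x100` and `0x05, 0x05, 0x510` would keep the key offsets comparable at a glance.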
@@ -585,6 +595,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 return Decrypt8(encrypted, 0x11, 0x11, 0x600);
 }
 
+ byte[] Decrypt8_v9(byte[] encrypted) {
+ return Decrypt8(encrypted, 0xA, 0xA, 0x600);
+ }
+
 byte[] Decrypt8(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 var decrypted = new byte[encrypted.Length];
 int ki = keyStart;
@@ -618,6 +632,10 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 return Decrypt9(encrypted, 0x10, 0x10, 0x510);
 }
 
+ byte[] Decrypt9_v10(byte[] encrypted) {
+ return Decrypt9(encrypted, 5, 5, 0x510);
+ }
+
 byte[] Decrypt9(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
 var decrypted = new byte[encrypted.Length];
 int ki = keyStart;
diff --git a/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs b/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs
index 2922361f..5eeeb246 100644
--- a/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs
+++ b/de4dot.code/deobfuscators/MaxtoCode/PeHeader.cs
@@ -70,6 +70,8 @@ namespace de4dot.code.deobfuscators.MaxtoCode {
 break;
 if (CheckMcKeyRva(peImage, 0x18ABA931))
 break;
+ if (CheckMcKeyRva(peImage, 0x18ABA933))
+ break;
 break;
 }
 }
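Review bot: The added probe `if (CheckMcKeyRva(peImage, 0x18ABA933))` is one more unnamed constant in a chain that ends in an unconditional `break;`, so an image matching none of the values leaves the block the same way a match does. Whether the caller notices that no key was found is not visible here, since the method starts and ends outside the hunk. For a tool that is run on unknown binaries, an unrecognised runtime is worth reporting rather than carrying on without a key. At minimum the new line wants a comment naming the build it was taken from, e.g. `// runtime <build id>`; the commit does not say whether it belongs to 526BC020, 526BDD12 or both.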