Remove decrypt method and other init method

de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs

@@ -29,6 +29,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
 	class AssemblyResolver : ResolverBase {
 		Version version;
 		List<FieldInfo> fieldInfos;
+		MethodDefinition decryptMethod;
 
 		enum Version {
 			Unknown,
@@ -69,6 +70,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
 			}
 		}
 
+		public MethodDefinition DecryptMethod {
+			get { return decryptMethod; }
+		}
+
 		public AssemblyResolver(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 			: base(module, simpleDeobfuscator, deob) {
 		}
@@ -129,16 +134,19 @@ namespace de4dot.code.deobfuscators.DeepSea {
 
 			simpleDeobfuscator.deobfuscate(handler);
 			List<FieldInfo> fieldInfosTmp;
-			if (checkHandlerV4(handler, out fieldInfosTmp)) {
+			MethodDefinition decryptMethodTmp;
+			if (checkHandlerV4(handler, out fieldInfosTmp, out decryptMethodTmp)) {
 				version = Version.V4;
 				fieldInfos = fieldInfosTmp;
+				decryptMethod = decryptMethodTmp;
 				return true;
 			}
 
-			Version versionTmp = checkHandlerV404_41(handler, out fieldInfosTmp);
+			Version versionTmp = checkHandlerV404_41(handler, out fieldInfosTmp, out decryptMethodTmp);
 			if (fieldInfosTmp.Count != 0) {
 				version = versionTmp;
 				fieldInfos = fieldInfosTmp;
+				decryptMethod = decryptMethodTmp;
 				return true;
 			}
 
@@ -171,8 +179,9 @@ namespace de4dot.code.deobfuscators.DeepSea {
 		}
 
 		// 4.0.1.18 .. 4.0.3
-		bool checkHandlerV4(MethodDefinition handler, out List<FieldInfo> fieldInfos) {
+		bool checkHandlerV4(MethodDefinition handler, out List<FieldInfo> fieldInfos, out MethodDefinition decryptMethod) {
 			fieldInfos = new List<FieldInfo>();
+			decryptMethod = null;
 
 			var instrs = handler.Body.Instructions;
 			for (int i = 0; i < instrs.Count - 3; i++) {
@@ -201,9 +210,11 @@ namespace de4dot.code.deobfuscators.DeepSea {
 					call = instrs[index++];
 				if (call.OpCode.Code != Code.Call)
 					return false;
-				if (!DotNetUtils.isMethod(call.Operand as MethodReference, "System.Reflection.Assembly", "(System.RuntimeFieldHandle,System.Int32,System.Int32)"))
+				var decryptMethodTmp = call.Operand as MethodDefinition;
+				if (!DotNetUtils.isMethod(decryptMethodTmp, "System.Reflection.Assembly", "(System.RuntimeFieldHandle,System.Int32,System.Int32)"))
 					return false;
 
+				decryptMethod = decryptMethodTmp;
 				fieldInfos.Add(new FieldInfo(field, magic));
 			}
 
@@ -211,9 +222,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
 		}
 
 		// 4.0.4, 4.1+
-		Version checkHandlerV404_41(MethodDefinition handler, out List<FieldInfo> fieldInfos) {
+		Version checkHandlerV404_41(MethodDefinition handler, out List<FieldInfo> fieldInfos, out MethodDefinition decryptMethod) {
 			Version version = Version.Unknown;
 			fieldInfos = new List<FieldInfo>();
+			decryptMethod = null;
 
 			var instrs = handler.Body.Instructions;
 			for (int i = 0; i < instrs.Count - 6; i++) {
@@ -248,14 +260,15 @@ namespace de4dot.code.deobfuscators.DeepSea {
 				var args = DsUtils.getArgValues(instrs, callIndex);
 				if (args == null)
 					continue;
-				var decryptMethod = instrs[callIndex].Operand as MethodDefinition;
-				if (decryptMethod == null)
+				var decryptMethodTmp = instrs[callIndex].Operand as MethodDefinition;
+				if (decryptMethodTmp == null)
 					continue;
 				int magic;
 				Version versionTmp;
-				getMagic(decryptMethod, args, out versionTmp, out magic);
+				getMagic(decryptMethodTmp, args, out versionTmp, out magic);
 
 				version = versionTmp;
+				decryptMethod = decryptMethodTmp;
 				fieldInfos.Add(new FieldInfo(field, magic));
 			}
 

de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs

@@ -238,6 +238,7 @@ done:
 			addCctorInitCallToBeRemoved(resourceResolver.InitMethod);
 			addCallToBeRemoved(module.EntryPoint, resourceResolver.InitMethod);
 			addMethodToBeRemoved(resourceResolver.InitMethod, "Resource resolver init method");
+			addMethodToBeRemoved(resourceResolver.InitMethod2, "Resource resolver init method #2");
 			addMethodToBeRemoved(resourceResolver.HandlerMethod, "Resource resolver handler method");
 			addMethodToBeRemoved(resourceResolver.GetDataMethod, "Resource resolver 'get resource data' method");
 		}
@@ -255,6 +256,7 @@ done:
 			addCallToBeRemoved(module.EntryPoint, assemblyResolver.InitMethod);
 			addMethodToBeRemoved(assemblyResolver.InitMethod, "Assembly resolver init method");
 			addMethodToBeRemoved(assemblyResolver.HandlerMethod, "Assembly resolver handler method");
+			addMethodToBeRemoved(assemblyResolver.DecryptMethod, "Assembly resolver decrypt method");
 		}
 
 		public override void deobfuscateMethodEnd(Blocks blocks) {

de4dot.code/deobfuscators/DeepSea/ResourceResolver.cs

@@ -43,6 +43,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
 
 		class Data40 {
 			public FieldDefinition resourceField;
+			public MethodDefinition resolveHandler2;
 			public MethodDefinition getDataMethod;
 			public int magic;
 		}
@@ -64,6 +65,16 @@ namespace de4dot.code.deobfuscators.DeepSea {
 			}
 		}
 
+		public MethodDefinition InitMethod2 {
+			get {
+				if (data40 != null)
+					return data40.resolveHandler2;
+				if (data41 != null)
+					return data41.resolveHandler2;
+				return null;
+			}
+		}
+
 		public MethodDefinition GetDataMethod {
 			get { return data40 != null ? data40.getDataMethod : null; }
 		}
@@ -260,11 +271,13 @@ namespace de4dot.code.deobfuscators.DeepSea {
 					call = instrs[index++];
 				if (call.OpCode.Code != Code.Call)
 					continue;
-				if (!DotNetUtils.isMethod(call.Operand as MethodReference, "System.Reflection.Assembly", methodSig))
+				var resolveHandler2 = call.Operand as MethodDefinition;
+				if (!DotNetUtils.isMethod(resolveHandler2, "System.Reflection.Assembly", methodSig))
 					continue;
 
 				data40.resourceField = field;
 				data40.getDataMethod = method;
+				data40.resolveHandler2 = resolveHandler2;
 				return data40;
 			}