From b299257c26e9ff5cb1de483a16e6c33a84bc0a72 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 4 Dec 2013 15:37:02 +0100
Subject: [PATCH] Support latest CryptoObfuscator

---
 de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs    | 4 +++-
 de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs  | 2 +-
 .../deobfuscators/CryptoObfuscator/ResourceDecrypter.cs       | 2 +-
 de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs | 2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
index 5480bba8..b611aac3 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
@@ -68,7 +68,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 					!ContainsString(method, "Debugger was detected") &&
 					!ContainsString(method, "{0} was detected") &&
 					!ContainsString(method, "run under") &&
-					!ContainsString(method, "run with"))
+					!ContainsString(method, "run with") &&
+					!ContainsString(method, "started under") &&
+					!ContainsString(method, "{0} detected"))
 					continue;
 
 				antiDebuggerType = type;
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs
index 26bd02a8..320b1f26 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ProxyCallFixer.cs
@@ -110,7 +110,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		MethodDef GetProxyCreateMethod(TypeDef type) {
 			if (DotNetUtils.FindFieldType(type, "System.ModuleHandle", true) == null)
 				return null;
-			if (type.Fields.Count < 1 || type.Fields.Count > 16)
+			if (type.Fields.Count < 1 || type.Fields.Count > 18)
 				return null;
 
 			MethodDef createMethod = null;
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
index d78cbac3..314ba0b8 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
@@ -268,7 +268,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				if (!ldci4.IsLdcI4())
 					continue;
 				int loopCount = ldci4.GetLdcI4Value();
-				if (loopCount < 2 || loopCount > 3)
+				if (loopCount < 2 || loopCount > 4)
 					continue;
 				var blt = instrs[i + 1];
 				if (blt.OpCode.Code != Code.Blt && blt.OpCode.Code != Code.Blt_S && blt.OpCode.Code != Code.Clt)
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs b/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs
index 79a5a6ff..22cc18e1 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs
@@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 
 			if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
 				return false;
-			if (type.Methods.Count < 3 || type.Methods.Count > 24)
+			if (type.Methods.Count < 3 || type.Methods.Count > 27)
 				return false;
 			if (DotNetUtils.GetPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
 			}