From b7255bc3b58c7358a9314151247c4488ddf5472a Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 24 Sep 2013 21:44:21 +0200
Subject: [PATCH] Add assembly string separator detection code

---
 .../CryptoObfuscator/AssemblyResolver.cs      | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs b/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
index 5b107767..998e952f 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/AssemblyResolver.cs
@@ -30,6 +30,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		TypeDef resolverType;
 		MethodDef resolverMethod;
 		List<AssemblyInfo> assemblyInfos = new List<AssemblyInfo>();
+		string asmSeparator;
 
 		public class AssemblyInfo {
 			public string assemblyName;
@@ -86,6 +87,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 				return false;
 			if (!CheckInitMethod(initMethod))
 				return false;
+			if ((asmSeparator = FindAssemblySeparator(initMethod)) == null)
+				return false;
 
 			List<AssemblyInfo> newAssemblyInfos = null;
 			foreach (var s in DotNetUtils.GetCodeStrings(initMethod)) {
@@ -134,7 +137,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			var sb = new StringBuilder(s.Length);
 			foreach (var c in s)
 				sb.Append((char)~c);
-			var tmpAssemblyInfos = sb.ToString().Split(new string[] { "##" }, StringSplitOptions.RemoveEmptyEntries);
+			var tmpAssemblyInfos = sb.ToString().Split(new string[] { asmSeparator }, StringSplitOptions.RemoveEmptyEntries);
 			if (tmpAssemblyInfos.Length == 0 || (tmpAssemblyInfos.Length & 1) == 1)
 				return null;
 
@@ -151,5 +154,24 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 
 			return newAssemblyInfos;
 		}
+
+		string FindAssemblySeparator(MethodDef initMethod) {
+			if (!initMethod.HasBody)
+				return null;
+
+			foreach (var instr in initMethod.Body.Instructions) {
+				if (instr.OpCode.Code != Code.Newarr)
+					continue;
+				var op = module.CorLibTypes.GetCorLibTypeSig(instr.Operand as ITypeDefOrRef);
+				if (op == null)
+					continue;
+				if (op.ElementType == ElementType.String)
+					return "##";
+				if (op.ElementType == ElementType.Char)
+					return "`";
+			}
+
+			return null;
+		}
 	}
 }