From 7e229a29b7b5e16ce34051190cf4311a637d72b8 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 16:14:13 +0100
Subject: [PATCH 01/78] Add updated cecil submodule

---
 cecil | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cecil b/cecil
index 9b28c58c..9d3c2ac9 160000
--- a/cecil
+++ b/cecil
@@ -1 +1 @@
-Subproject commit 9b28c58c35470f7cef5f03d3c50c9ba1e65b6843
+Subproject commit 9d3c2ac91cfcbdce0e2c389a4229ae9b3abfba7c

From 82cc64bd77d93522f206aeb81e5d37ba947921e1 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 16:14:46 +0100
Subject: [PATCH 02/78] Add Sections property

---
 de4dot.code/PE/PeImage.cs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/de4dot.code/PE/PeImage.cs b/de4dot.code/PE/PeImage.cs
index ab702f0d..b9a880af 100644
--- a/de4dot.code/PE/PeImage.cs
+++ b/de4dot.code/PE/PeImage.cs
@@ -47,6 +47,10 @@ namespace de4dot.code.PE {
 			get { return resources; }
 		}
 
+		internal SectionHeader[] Sections {
+			get { return sectionHeaders; }
+		}
+
 		public uint FileHeaderOffset {
 			get { return fileHeader.Offset; }
 		}

From 23c72927b57e037ee24c2725116ad119292b1a8c Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 16:17:47 +0100
Subject: [PATCH 03/78] Add CV and methods decrypter

---
 de4dot.code/de4dot.code.csproj                |   2 +
 .../deobfuscators/CodeVeil/Deobfuscator.cs    | 144 ++++++++
 .../CodeVeil/MethodsDecrypter.cs              | 309 ++++++++++++++++++
 .../deobfuscators/Unknown/Deobfuscator.cs     |   2 -
 de4dot.cui/Program.cs                         |   1 +
 5 files changed, 456 insertions(+), 2 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 8a368666..3aaaa13f 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -79,6 +79,8 @@
     <Compile Include="deobfuscators\CliSecure\ResourceDecrypter.cs" />
     <Compile Include="deobfuscators\CliSecure\StackFrameHelper.cs" />
     <Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
+    <Compile Include="deobfuscators\CodeVeil\Deobfuscator.cs" />
+    <Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
new file mode 100644
index 00000000..33c041c5
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -0,0 +1,144 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using Mono.Cecil;
+using Mono.MyStuff;
+using de4dot.blocks.cflow;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
+		public const string THE_NAME = "CodeVeil";
+		public const string THE_TYPE = "cv";
+
+		public DeobfuscatorInfo()
+			: base() {
+		}
+
+		public override string Name {
+			get { return THE_NAME; }
+		}
+
+		public override string Type {
+			get { return THE_TYPE; }
+		}
+
+		public override IDeobfuscator createDeobfuscator() {
+			return new Deobfuscator(new Deobfuscator.Options {
+				ValidNameRegex = validNameRegex.get(),
+			});
+		}
+
+		protected override IEnumerable<Option> getOptionsInternal() {
+			return new List<Option>() {
+			};
+		}
+	}
+
+	class Deobfuscator : DeobfuscatorBase {
+		Options options;
+		string obfuscatorName = DeobfuscatorInfo.THE_NAME;
+		bool foundKillType = false;
+
+		MethodsDecrypter methodsDecrypter;
+
+		internal class Options : OptionsBase {
+		}
+
+		public override string Type {
+			get { return DeobfuscatorInfo.THE_TYPE; }
+		}
+
+		public override string TypeLong {
+			get { return DeobfuscatorInfo.THE_NAME; }
+		}
+
+		public override string Name {
+			get { return obfuscatorName; }
+		}
+
+		public Deobfuscator(Options options)
+			: base(options) {
+			this.options = options;
+		}
+
+		protected override int detectInternal() {
+			int val = 0;
+
+			int sum = toInt32(foundKillType) +
+					toInt32(methodsDecrypter.Detected);
+			if (sum > 0)
+				val += 100 + 10 * (sum - 1);
+
+			return val;
+		}
+
+		protected override void scanForObfuscator() {
+			findKillType();
+			methodsDecrypter = new MethodsDecrypter(module);
+			methodsDecrypter.find();
+		}
+
+		void findKillType() {
+			foreach (var type in module.Types) {
+				if (type.FullName == "____KILL") {
+					addTypeToBeRemoved(type, "KILL type");
+					break;
+				}
+			}
+		}
+
+		public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
+			if (!methodsDecrypter.Detected)
+				return false;
+
+			var fileData = DeobUtils.readModule(module);
+			if (!methodsDecrypter.decrypt(fileData, ref dumpedMethods))
+				return false;
+
+			newFileData = fileData;
+			return true;
+		}
+
+		public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
+			var newOne = new Deobfuscator(options);
+			newOne.setModule(module);
+			newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter);
+			return newOne;
+		}
+
+		public override void deobfuscateBegin() {
+			base.deobfuscateBegin();
+
+			//TODO:
+		}
+
+		public override void deobfuscateEnd() {
+			//TODO:
+
+			base.deobfuscateEnd();
+		}
+
+		public override IEnumerable<string> getStringDecrypterMethods() {
+			var list = new List<string>();
+			//TODO:
+			return list;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
new file mode 100644
index 00000000..135507e2
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -0,0 +1,309 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using Mono.Cecil;
+using Mono.Cecil.Cil;
+using Mono.Cecil.Metadata;
+using Mono.MyStuff;
+using de4dot.blocks;
+using de4dot.code.PE;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	// The code isn't currently encrypted at all! But let's keep this class name.
+	class MethodsDecrypter {
+		ModuleDefinition module;
+		TypeDefinition methodsType;
+		List<int> rvas;	// _stub and _executive
+
+		public bool Detected {
+			get { return methodsType != null; }
+		}
+
+		public MethodsDecrypter(ModuleDefinition module) {
+			this.module = module;
+		}
+
+		public MethodsDecrypter(ModuleDefinition module, MethodsDecrypter oldOne) {
+			this.module = module;
+			this.methodsType = lookup(oldOne.methodsType, "Could not find methods type");
+		}
+
+		T lookup<T>(T def, string errorMessage) where T : MemberReference {
+			return DeobUtils.lookup(module, def, errorMessage);
+		}
+
+		public void find() {
+			var cctor = DotNetUtils.getModuleTypeCctor(module);
+			if (cctor == null)
+				return;
+
+			var instrs = cctor.Body.Instructions;
+			for (int i = 0; i < instrs.Count - 2; i++) {
+				var ldci4_1 = instrs[i];
+				if (!DotNetUtils.isLdcI4(ldci4_1))
+					continue;
+
+				var ldci4_2 = instrs[i + 1];
+				if (!DotNetUtils.isLdcI4(ldci4_2))
+					continue;
+
+				var call = instrs[i + 2];
+				if (call.OpCode.Code != Code.Call)
+					continue;
+				var initMethod = call.Operand as MethodDefinition;
+				if (!checkInitMethod(initMethod))
+					continue;
+				if (!checkMethodsType(initMethod.DeclaringType))
+					continue;
+
+				methodsType = initMethod.DeclaringType;
+				break;
+			}
+		}
+
+		bool checkInitMethod(MethodDefinition initMethod) {
+			if (initMethod == null)
+				return false;
+
+			if (initMethod.Body == null)
+				return false;
+			if (!initMethod.IsStatic)
+				return false;
+			if (!DotNetUtils.isMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
+				return false;
+			if (!hasCodeString(initMethod, "E_FullTrust"))
+				return false;
+
+			return true;
+		}
+
+		static bool hasCodeString(MethodDefinition method, string str) {
+			foreach (var s in DotNetUtils.getCodeStrings(method)) {
+				if (s == str)
+					return true;
+			}
+			return false;
+		}
+
+		bool checkMethodsType(TypeDefinition type) {
+			var fields = getRvaFields(type);
+			if (fields.Count < 2)
+				return false;
+
+			rvas = new List<int>(fields.Count);
+			foreach (var field in fields)
+				rvas.Add(field.RVA);
+			return true;
+		}
+
+		static List<FieldDefinition> getRvaFields(TypeDefinition type) {
+			var fields = new List<FieldDefinition>();
+			foreach (var field in type.Fields) {
+				if (field.FieldType.EType == ElementType.U1 && field.RVA != 0)
+					fields.Add(field);
+			}
+			return fields;
+		}
+
+		public bool decrypt(byte[] fileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
+			if (methodsType == null)
+				return false;
+
+			var peImage = new PeImage(fileData);
+			if (peImage.Sections.Length <= 0)
+				return false;
+
+			var methodsData = findMethodsData(peImage, fileData);
+			if (methodsData == null)
+				return false;
+
+			dumpedMethods = createDumpedMethods(peImage, fileData, methodsData);
+			if (dumpedMethods == null)
+				return false;
+
+			return true;
+		}
+
+		Dictionary<uint, DumpedMethod> createDumpedMethods(PeImage peImage, byte[] fileData, byte[] methodsData) {
+			var dumpedMethods = new Dictionary<uint, DumpedMethod>();
+
+			var methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
+			var fileDataReader = new BinaryReader(new MemoryStream(fileData));
+
+			var metadataTables = peImage.Cor20Header.createMetadataTables();
+			var methodDef = metadataTables.getMetadataType(MetadataIndex.iMethodDef);
+			uint methodDefOffset = methodDef.fileOffset;
+			for (int i = 0; i < methodDef.rows; i++, methodDefOffset += methodDef.totalSize) {
+				uint token = (uint)(0x06000001 + i);
+				uint bodyRva = peImage.offsetReadUInt32(methodDefOffset);
+				if (bodyRva == 0)
+					continue;
+				uint bodyOffset = peImage.rvaToOffset(bodyRva);
+
+				var dm = new DumpedMethod();
+				dm.mdImplFlags = peImage.offsetReadUInt16(methodDefOffset + (uint)methodDef.fields[1].offset);
+				dm.mdFlags = peImage.offsetReadUInt16(methodDefOffset + (uint)methodDef.fields[2].offset);
+				dm.mdName = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[3].offset, methodDef.fields[3].size);
+				dm.mdSignature = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[4].offset, methodDef.fields[4].size);
+				dm.mdParamList = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[5].offset, methodDef.fields[5].size);
+
+				byte b = peImage.offsetReadByte(bodyOffset);
+				uint codeOffset;
+				if ((b & 3) == 2) {
+					if (b != 2)
+						continue;	// not zero byte code size
+
+					dm.mhFlags = 2;
+					dm.mhMaxStack = 8;
+					dm.mhLocalVarSigTok = 0;
+					codeOffset = bodyOffset + 1;
+				}
+				else {
+					if (peImage.offsetReadUInt32(bodyOffset + 4) != 0)
+						continue;	// not zero byte code size
+
+					dm.mhFlags = peImage.offsetReadUInt16(bodyOffset);
+					dm.mhMaxStack = peImage.offsetReadUInt16(bodyOffset + 2);
+					dm.mhLocalVarSigTok = peImage.offsetReadUInt32(bodyOffset + 8);
+					codeOffset = bodyOffset + (uint)(dm.mhFlags >> 12) * 4;
+				}
+				fileDataReader.BaseStream.Position = codeOffset;
+				if (fileDataReader.ReadByte() != 0x2A)
+					continue;	// Not a RET
+				int methodsDataOffset = readVariableLengthInteger(fileDataReader);
+				methodsDataReader.BaseStream.Position = methodsDataOffset;
+
+				dm.mhCodeSize = (uint)readVariableLengthInteger(methodsDataReader);
+				dm.code = methodsDataReader.ReadBytes((int)dm.mhCodeSize);
+				if ((dm.mhFlags & 8) != 0)
+					dm.extraSections = readExtraSections(methodsDataReader);
+
+				dumpedMethods[token] = dm;
+			}
+
+			return dumpedMethods;
+		}
+
+		static void align(BinaryReader reader, int alignment) {
+			reader.BaseStream.Position = (reader.BaseStream.Position + alignment - 1) & ~(alignment - 1);
+		}
+
+		static byte[] readExtraSections(BinaryReader reader) {
+			align(reader, 4);
+			int startPos = (int)reader.BaseStream.Position;
+			parseSection(reader);
+			int size = (int)reader.BaseStream.Position - startPos;
+			reader.BaseStream.Position = startPos;
+			return reader.ReadBytes(size);
+		}
+
+		static void parseSection(BinaryReader reader) {
+			byte flags;
+			do {
+				align(reader, 4);
+
+				flags = reader.ReadByte();
+				if ((flags & 1) == 0)
+					throw new ApplicationException("Not an exception section");
+				if ((flags & 0x3E) != 0)
+					throw new ApplicationException("Invalid bits set");
+
+				if ((flags & 0x40) != 0) {
+					reader.BaseStream.Position--;
+					int num = (int)(reader.ReadUInt32() >> 8) / 24;
+					reader.BaseStream.Position += num * 24;
+				}
+				else {
+					int num = reader.ReadByte() / 12;
+					reader.BaseStream.Position += 2 + num * 12;
+				}
+			} while ((flags & 0x80) != 0);
+		}
+
+		// xor eax, eax / inc eax / pop esi edi edx ecx ebx / leave / ret 0Ch
+		static byte[] initializeMethodEnd = new byte[] {
+			0x33, 0xC0, 0x40, 0x5E, 0x5F, 0x5A, 0x59, 0x5B, 0xC9, 0xC2, 0x0C, 0x00,
+		};
+		byte[] findMethodsData(PeImage peImage, byte[] fileData) {
+			var section = peImage.Sections[0];
+
+			var reader = new BinaryReader(new MemoryStream(fileData));
+
+			const int RVA_EXECUTIVE_OFFSET = 1 * 4;
+			const int ENC_CODE_OFFSET = 6 * 4;
+			for (int offset = 0; offset < section.sizeOfRawData - (ENC_CODE_OFFSET + 4 - 1); ) {
+				offset = findSig(fileData, offset, initializeMethodEnd);
+				if (offset < 0)
+					return null;
+				offset += initializeMethodEnd.Length;
+
+				int rva = BitConverter.ToInt32(fileData, offset + RVA_EXECUTIVE_OFFSET);
+				if (rvas.IndexOf(rva) < 0)
+					continue;
+
+				int relOffs = BitConverter.ToInt32(fileData, offset + ENC_CODE_OFFSET);
+				if (relOffs < 0 || relOffs >= section.sizeOfRawData)
+					continue;
+				reader.BaseStream.Position = section.pointerToRawData + relOffs;
+
+				int size = readVariableLengthInteger(reader);
+				int endOffset = relOffs + size;
+				if (endOffset < relOffs || endOffset > section.sizeOfRawData)
+					continue;
+
+				return reader.ReadBytes(size);
+			}
+
+			return null;
+		}
+
+		static int readVariableLengthInteger(BinaryReader reader) {
+			byte b = reader.ReadByte();
+			if ((b & 0x80) == 0)
+				return b;
+			if ((b & 0x40) == 0)
+				return (((int)b & 0x3F) << 8) + reader.ReadByte();
+			return (((int)b & 0x3F) << 24) +
+					((int)reader.ReadByte() << 16) +
+					((int)reader.ReadByte() << 8) +
+					reader.ReadByte();
+		}
+
+		static int findSig(byte[] fileData, int offset, byte[] sig) {
+			for (int i = offset; i < fileData.Length - sig.Length + 1; i++) {
+				if (fileData[i] != sig[0])
+					continue;
+				if (compare(fileData, i + 1, sig, 1, sig.Length - 1))
+					return i;
+			}
+			return -1;
+		}
+
+		static bool compare(byte[] a1, int i1, byte[] a2, int i2, int len) {
+			for (int i = 0; i < len; i++) {
+				if (a1[i1++] != a2[i2++])
+					return false;
+			}
+			return true;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
index 38674c07..0d5a909b 100644
--- a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
@@ -99,8 +99,6 @@ namespace de4dot.code.deobfuscators.Unknown {
 			foreach (var type in module.Types) {
 				if (type.Namespace == "___codefort")
 					return "CodeFort";
-				if (type.FullName == "____KILL")
-					return "DeployLX CodeVeil";
 				if (type.FullName == "ZYXDNGuarder")
 					return "DNGuard HVM";
 				if (type.FullName == "InfaceMaxtoCode")
diff --git a/de4dot.cui/Program.cs b/de4dot.cui/Program.cs
index 7bce4173..a9b6fa54 100644
--- a/de4dot.cui/Program.cs
+++ b/de4dot.cui/Program.cs
@@ -32,6 +32,7 @@ namespace de4dot.cui {
 				new de4dot.code.deobfuscators.Unknown.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Babel_NET.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CliSecure.DeobfuscatorInfo(),
+				new de4dot.code.deobfuscators.CodeVeil.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.DeepSea.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(),

From 29c5cfc9c800dd2741a49021cde897e0a4850ae2 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 18:45:04 +0100
Subject: [PATCH 04/78] Don't stop if 2nd instr is also a store

---
 de4dot.code/deobfuscators/ArrayFinder.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/ArrayFinder.cs b/de4dot.code/deobfuscators/ArrayFinder.cs
index 85d905a4..9a31d549 100644
--- a/de4dot.code/deobfuscators/ArrayFinder.cs
+++ b/de4dot.code/deobfuscators/ArrayFinder.cs
@@ -153,7 +153,7 @@ namespace de4dot.code.deobfuscators {
 				case Code.Starg_S:
 				case Code.Stsfld:
 				case Code.Stfld:
-					if (emulator.peek() == theArray && i != newarrIndex + 1)
+					if (emulator.peek() == theArray && i != newarrIndex + 1 && i != newarrIndex + 2)
 						goto done;
 					break;
 				}

From 0b43c77fdb27fcf4fdc51b8dd9a221d5927620ec Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 18:45:41 +0100
Subject: [PATCH 05/78] Add missing call to removeNewlines()

---
 de4dot.code/renamer/Renamer.cs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/de4dot.code/renamer/Renamer.cs b/de4dot.code/renamer/Renamer.cs
index 6c70465b..0310f20a 100644
--- a/de4dot.code/renamer/Renamer.cs
+++ b/de4dot.code/renamer/Renamer.cs
@@ -239,7 +239,10 @@ namespace de4dot.code.renamer {
 				if (!fieldInfo.gotNewName())
 					continue;
 				fieldDef.FieldDefinition.Name = fieldInfo.newName;
-				Log.v("Field: {0} ({1:X8}) => {2}", Utils.removeNewlines(fieldInfo.oldFullName), fieldDef.FieldDefinition.MetadataToken.ToUInt32(), fieldDef.FieldDefinition.FullName);
+				Log.v("Field: {0} ({1:X8}) => {2}",
+							Utils.removeNewlines(fieldInfo.oldFullName),
+							fieldDef.FieldDefinition.MetadataToken.ToUInt32(),
+							Utils.removeNewlines(fieldDef.FieldDefinition.FullName));
 			}
 		}
 
@@ -251,7 +254,10 @@ namespace de4dot.code.renamer {
 				if (!propInfo.gotNewName())
 					continue;
 				propDef.PropertyDefinition.Name = propInfo.newName;
-				Log.v("Property: {0} ({1:X8}) => {2}", Utils.removeNewlines(propInfo.oldFullName), propDef.PropertyDefinition.MetadataToken.ToUInt32(), propDef.PropertyDefinition.FullName);
+				Log.v("Property: {0} ({1:X8}) => {2}",
+							Utils.removeNewlines(propInfo.oldFullName),
+							propDef.PropertyDefinition.MetadataToken.ToUInt32(),
+							Utils.removeNewlines(propDef.PropertyDefinition.FullName));
 			}
 		}
 
@@ -263,7 +269,10 @@ namespace de4dot.code.renamer {
 				if (!eventInfo.gotNewName())
 					continue;
 				eventDef.EventDefinition.Name = eventInfo.newName;
-				Log.v("Event: {0} ({1:X8}) => {2}", Utils.removeNewlines(eventInfo.oldFullName), eventDef.EventDefinition.MetadataToken.ToUInt32(), eventDef.EventDefinition.FullName);
+				Log.v("Event: {0} ({1:X8}) => {2}",
+							Utils.removeNewlines(eventInfo.oldFullName),
+							eventDef.EventDefinition.MetadataToken.ToUInt32(),
+							Utils.removeNewlines(eventDef.EventDefinition.FullName));
 			}
 		}
 

From 029c049bf68ca8f26d1832cf67139aa2216019f5 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 18:46:14 +0100
Subject: [PATCH 06/78] Move readVariableLengthInteger() to DeobUtils

---
 .../deobfuscators/CodeVeil/MethodsDecrypter.cs | 18 +++---------------
 de4dot.code/deobfuscators/DeobUtils.cs         | 12 ++++++++++++
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index 135507e2..d56c91e7 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -189,10 +189,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				fileDataReader.BaseStream.Position = codeOffset;
 				if (fileDataReader.ReadByte() != 0x2A)
 					continue;	// Not a RET
-				int methodsDataOffset = readVariableLengthInteger(fileDataReader);
+				int methodsDataOffset = DeobUtils.readVariableLengthInteger(fileDataReader);
 				methodsDataReader.BaseStream.Position = methodsDataOffset;
 
-				dm.mhCodeSize = (uint)readVariableLengthInteger(methodsDataReader);
+				dm.mhCodeSize = (uint)DeobUtils.readVariableLengthInteger(methodsDataReader);
 				dm.code = methodsDataReader.ReadBytes((int)dm.mhCodeSize);
 				if ((dm.mhFlags & 8) != 0)
 					dm.extraSections = readExtraSections(methodsDataReader);
@@ -265,7 +265,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 					continue;
 				reader.BaseStream.Position = section.pointerToRawData + relOffs;
 
-				int size = readVariableLengthInteger(reader);
+				int size = DeobUtils.readVariableLengthInteger(reader);
 				int endOffset = relOffs + size;
 				if (endOffset < relOffs || endOffset > section.sizeOfRawData)
 					continue;
@@ -276,18 +276,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			return null;
 		}
 
-		static int readVariableLengthInteger(BinaryReader reader) {
-			byte b = reader.ReadByte();
-			if ((b & 0x80) == 0)
-				return b;
-			if ((b & 0x40) == 0)
-				return (((int)b & 0x3F) << 8) + reader.ReadByte();
-			return (((int)b & 0x3F) << 24) +
-					((int)reader.ReadByte() << 16) +
-					((int)reader.ReadByte() << 8) +
-					reader.ReadByte();
-		}
-
 		static int findSig(byte[] fileData, int offset, byte[] sig) {
 			for (int i = offset; i < fileData.Length - sig.Length + 1; i++) {
 				if (fileData[i] != sig[0])
diff --git a/de4dot.code/deobfuscators/DeobUtils.cs b/de4dot.code/deobfuscators/DeobUtils.cs
index 904d216d..8ba839a8 100644
--- a/de4dot.code/deobfuscators/DeobUtils.cs
+++ b/de4dot.code/deobfuscators/DeobUtils.cs
@@ -129,5 +129,17 @@ namespace de4dot.code.deobfuscators {
 			}
 			return null;
 		}
+
+		public static int readVariableLengthInteger(BinaryReader reader) {
+			byte b = reader.ReadByte();
+			if ((b & 0x80) == 0)
+				return b;
+			if ((b & 0x40) == 0)
+				return (((int)b & 0x3F) << 8) + reader.ReadByte();
+			return (((int)b & 0x3F) << 24) +
+					((int)reader.ReadByte() << 16) +
+					((int)reader.ReadByte() << 8) +
+					reader.ReadByte();
+		}
 	}
 }

From d6ff8b515d170824d458eaaabcf83f202e7284fa Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 18:47:31 +0100
Subject: [PATCH 07/78] Add string decrypter

---
 de4dot.code/de4dot.code.csproj                |   1 +
 .../deobfuscators/CodeVeil/Deobfuscator.cs    |  17 +-
 .../deobfuscators/CodeVeil/StringDecrypter.cs | 232 ++++++++++++++++++
 3 files changed, 249 insertions(+), 1 deletion(-)
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 3aaaa13f..92845367 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -81,6 +81,7 @@
     <Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\Deobfuscator.cs" />
     <Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
+    <Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 33c041c5..df81ce96 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -57,6 +57,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		bool foundKillType = false;
 
 		MethodsDecrypter methodsDecrypter;
+		StringDecrypter stringDecrypter;
 
 		internal class Options : OptionsBase {
 		}
@@ -82,7 +83,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			int val = 0;
 
 			int sum = toInt32(foundKillType) +
-					toInt32(methodsDecrypter.Detected);
+					toInt32(methodsDecrypter.Detected) +
+					toInt32(stringDecrypter.Detected);
 			if (sum > 0)
 				val += 100 + 10 * (sum - 1);
 
@@ -93,12 +95,15 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			findKillType();
 			methodsDecrypter = new MethodsDecrypter(module);
 			methodsDecrypter.find();
+			stringDecrypter = new StringDecrypter(module);
+			stringDecrypter.find();
 		}
 
 		void findKillType() {
 			foreach (var type in module.Types) {
 				if (type.FullName == "____KILL") {
 					addTypeToBeRemoved(type, "KILL type");
+					foundKillType = true;
 					break;
 				}
 			}
@@ -120,12 +125,22 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			var newOne = new Deobfuscator(options);
 			newOne.setModule(module);
 			newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter);
+			newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter);
 			return newOne;
 		}
 
 		public override void deobfuscateBegin() {
 			base.deobfuscateBegin();
 
+
+			if (Operations.DecryptStrings != OpDecryptString.None) {
+				stringDecrypter.initialize();
+				staticStringInliner.add(stringDecrypter.DecryptMethod, (method, args) => {
+					return stringDecrypter.decrypt((int)args[0]);
+				});
+				DeobfuscatedFile.stringDecryptersAdded();
+			}
+
 			//TODO:
 		}
 
diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
new file mode 100644
index 00000000..1bfeb566
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
@@ -0,0 +1,232 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.IO;
+using Mono.Cecil;
+using Mono.Cecil.Cil;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	class StringDecrypter {
+		ModuleDefinition module;
+		TypeDefinition decrypterType;
+		FieldDefinition stringDataField;
+		MethodDefinition initMethod;
+		MethodDefinition decrypterMethod;
+		string[] decryptedStrings;
+
+		public bool Detected {
+			get { return decrypterType != null; }
+		}
+
+		public MethodDefinition DecryptMethod {
+			get { return decrypterMethod; }
+		}
+
+		public StringDecrypter(ModuleDefinition module) {
+			this.module = module;
+		}
+
+		public StringDecrypter(ModuleDefinition module, StringDecrypter oldOne) {
+			this.module = module;
+			this.decrypterType = lookup(oldOne.decrypterType, "Could not find string decrypter type");
+			this.stringDataField = lookup(oldOne.stringDataField, "Could not find string data field");
+			this.initMethod = lookup(oldOne.initMethod, "Could not find string decrypter init method");
+			this.decrypterMethod = lookup(oldOne.decrypterMethod, "Could not find string decrypter method");
+		}
+
+		T lookup<T>(T def, string errorMessage) where T : MemberReference {
+			return DeobUtils.lookup(module, def, errorMessage);
+		}
+
+		public void find() {
+			var cctor = DotNetUtils.getModuleTypeCctor(module);
+			if (cctor == null)
+				return;
+
+			var instrs = cctor.Body.Instructions;
+			for (int i = 0; i < instrs.Count; i++) {
+				var call = instrs[i];
+				if (call.OpCode.Code != Code.Call)
+					continue;
+				var initMethodTmp = call.Operand as MethodDefinition;
+				if (initMethodTmp == null || initMethodTmp.Body == null || !initMethodTmp.IsStatic)
+					continue;
+				if (!DotNetUtils.isMethod(initMethodTmp, "System.Void", "()"))
+					continue;
+				if (!checkType(initMethodTmp.DeclaringType))
+					continue;
+
+				decrypterType = initMethodTmp.DeclaringType;
+				initMethod = initMethodTmp;
+				break;
+			}
+		}
+
+		bool checkType(TypeDefinition type) {
+			if (!type.HasNestedTypes)
+				return false;
+
+			var stringDataFieldTmp = checkFields(type);
+			if (stringDataFieldTmp == null)
+				return false;
+			var fieldType = DotNetUtils.getType(module, stringDataFieldTmp.FieldType);
+			if (fieldType == null || type.NestedTypes.IndexOf(fieldType) < 0)
+				return false;
+
+			var decrypterMethodTmp = getDecrypterMethod(type);
+			if (decrypterMethodTmp == null)
+				return false;
+
+			stringDataField = stringDataFieldTmp;
+			decrypterMethod = decrypterMethodTmp;
+			return true;
+		}
+
+		static MethodDefinition getDecrypterMethod(TypeDefinition type) {
+			MethodDefinition foundMethod = null;
+			foreach (var method in type.Methods) {
+				if (method.Body == null || !method.IsStatic)
+					continue;
+				if (!DotNetUtils.isMethod(method, "System.String", "(System.Int32)"))
+					continue;
+				if (foundMethod != null)
+					return null;
+				foundMethod = method;
+			}
+			return foundMethod;
+		}
+
+		static string[] requiredFields = new string[] {
+			"System.Byte[]",
+			"System.Int32",
+			"System.Int32[]",
+			"System.String[]",
+			"System.UInt32[]",
+		};
+		FieldDefinition checkFields(TypeDefinition type) {
+			if (!new FieldTypes(type).all(requiredFields))
+				return null;
+
+			FieldDefinition stringData = null;
+			foreach (var field in type.Fields) {
+				if (field.RVA != 0) {
+					if (stringData != null)
+						return null;
+					stringData = field;
+					continue;
+				}
+			}
+
+			if (stringData == null)
+				return null;
+
+			var data = stringData.InitialValue;
+			if (data == null || data.Length == 0 || data.Length % 4 != 0)
+				return null;
+
+			return stringData;
+		}
+
+		public void initialize() {
+			if (stringDataField == null)
+				return;
+
+			var key = getKey(initMethod);
+			if (key == null)
+				throw new ApplicationException("Could not find string decrypter key");
+
+			decryptStrings(key);
+		}
+
+		static uint[] getKey(MethodDefinition method) {
+			var instrs = method.Body.Instructions;
+			for (int i = 0; i < instrs.Count - 1; i++) {
+				var ldci4 = instrs[i];
+				if (!DotNetUtils.isLdcI4(ldci4))
+					continue;
+				if (DotNetUtils.getLdcI4Value(ldci4) != 4)
+					continue;
+
+				if (instrs[i + 1].OpCode.Code != Code.Newarr)
+					continue;
+
+				i++;
+				var ary = ArrayFinder.getInitializedInt32Array(4, method, ref i);
+				if (ary == null)
+					continue;
+
+				var key = new uint[4];
+				for (int j = 0; j < key.Length; j++)
+					key[j] = (uint)ary[j];
+				return key;
+			}
+			return null;
+		}
+
+		void decryptStrings(uint[] key) {
+			var data = stringDataField.InitialValue;
+
+			var encryptedData = new uint[data.Length / 4];
+			Buffer.BlockCopy(data, 0, encryptedData, 0, data.Length);
+			decryptXxtea(encryptedData, encryptedData.Length, key);
+			var decryptedData = new byte[data.Length];
+			Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, data.Length);
+
+			var inflated = DeobUtils.inflate(decryptedData, 0, decryptedData.Length, true);
+			var reader = new BinaryReader(new MemoryStream(inflated));
+			int deflatedLength = DeobUtils.readVariableLengthInteger(reader);
+			int numStrings = DeobUtils.readVariableLengthInteger(reader);
+			decryptedStrings = new string[numStrings];
+			var offsets = new int[numStrings];
+			for (int i = 0; i < numStrings; i++)
+				offsets[i] = DeobUtils.readVariableLengthInteger(reader);
+			int startOffset = (int)reader.BaseStream.Position;
+			for (int i = 0; i < numStrings; i++) {
+				reader.BaseStream.Position = startOffset + offsets[i];
+				decryptedStrings[i] = reader.ReadString();
+			}
+		}
+
+		// Code converted from C implementation @ http://en.wikipedia.org/wiki/XXTEA (btea() func)
+		static void decryptXxtea(uint[] v, int n, uint[] key) {
+			const uint DELTA = 0x9E3779B9;
+			uint rounds = (uint)(6 + 52 / n);
+			uint sum = rounds * DELTA;
+			uint y = v[0];
+			uint z;
+			//#define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)))
+			do {
+				int e = (int)((sum >> 2) & 3);
+				int p;
+				for (p = n - 1; p > 0; p--) {
+					z = v[p - 1];
+					y = v[p] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)));
+				}
+				z = v[n - 1];
+				y = v[0] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)));
+			} while ((sum -= DELTA) != 0);
+		}
+
+		public string decrypt(int index) {
+			return decryptedStrings[index];
+		}
+	}
+}

From c8c4e3341c4ab27b9f25647c7832c685802881e9 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 18:55:48 +0100
Subject: [PATCH 08/78] Add getInitializedUInt32Array() method

---
 de4dot.code/deobfuscators/ArrayFinder.cs | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/de4dot.code/deobfuscators/ArrayFinder.cs b/de4dot.code/deobfuscators/ArrayFinder.cs
index 9a31d549..712917b6 100644
--- a/de4dot.code/deobfuscators/ArrayFinder.cs
+++ b/de4dot.code/deobfuscators/ArrayFinder.cs
@@ -123,6 +123,17 @@ namespace de4dot.code.deobfuscators {
 			return resultArray;
 		}
 
+		public static uint[] getInitializedUInt32Array(int arraySize, MethodDefinition method, ref int newarrIndex) {
+			var resultArray = getInitializedInt32Array(arraySize, method, ref newarrIndex);
+			if (resultArray == null)
+				return null;
+
+			var ary = new uint[resultArray.Length];
+			for (int i = 0; i < ary.Length; i++)
+				ary[i] = (uint)resultArray[i];
+			return ary;
+		}
+
 		public static Value[] getInitializedArray(int arraySize, MethodDefinition method, ref int newarrIndex, Code stelemOpCode) {
 			var resultValueArray = new Value[arraySize];
 

From 191fbb84b03ca04624d1e2ff31a40115e0faa399 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 18:56:05 +0100
Subject: [PATCH 09/78] Use new getInitializedUInt32Array() method

---
 de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
index 1bfeb566..50a06edf 100644
--- a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
@@ -169,13 +169,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 					continue;
 
 				i++;
-				var ary = ArrayFinder.getInitializedInt32Array(4, method, ref i);
-				if (ary == null)
+				var key = ArrayFinder.getInitializedUInt32Array(4, method, ref i);
+				if (key == null)
 					continue;
 
-				var key = new uint[4];
-				for (int j = 0; j < key.Length; j++)
-					key[j] = (uint)ary[j];
 				return key;
 			}
 			return null;

From 9e4b29034fe22beda9528390a126f6a8fd3212bc Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 18:59:29 +0100
Subject: [PATCH 10/78] Finish getStringDecrypterMethods() method

---
 de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index df81ce96..a034cea0 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -152,7 +152,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 		public override IEnumerable<string> getStringDecrypterMethods() {
 			var list = new List<string>();
-			//TODO:
+			if (stringDecrypter.DecryptMethod != null)
+				list.Add(stringDecrypter.DecryptMethod.MetadataToken.ToInt32().ToString("X8"));
 			return list;
 		}
 	}

From 1903cf860750e8a390ba8eb65e5590c1bdb36776 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 19:01:49 +0100
Subject: [PATCH 11/78] KILL type is only worth 10 points

---
 de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index a034cea0..65e345d1 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -82,11 +82,12 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		protected override int detectInternal() {
 			int val = 0;
 
-			int sum = toInt32(foundKillType) +
-					toInt32(methodsDecrypter.Detected) +
+			int sum = toInt32(methodsDecrypter.Detected) +
 					toInt32(stringDecrypter.Detected);
 			if (sum > 0)
 				val += 100 + 10 * (sum - 1);
+			if (foundKillType)
+				val += 10;
 
 			return val;
 		}
@@ -132,7 +133,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		public override void deobfuscateBegin() {
 			base.deobfuscateBegin();
 
-
 			if (Operations.DecryptStrings != OpDecryptString.None) {
 				stringDecrypter.initialize();
 				staticStringInliner.add(stringDecrypter.DecryptMethod, (method, args) => {

From d5c3a6964b899f9265eede3b25a36bed619bc30b Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 21:27:36 +0100
Subject: [PATCH 12/78] Support 4.0 methods decrypter

---
 de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index d56c91e7..ce0423a7 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -118,8 +118,12 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		static List<FieldDefinition> getRvaFields(TypeDefinition type) {
 			var fields = new List<FieldDefinition>();
 			foreach (var field in type.Fields) {
-				if (field.FieldType.EType == ElementType.U1 && field.RVA != 0)
-					fields.Add(field);
+				if (field.FieldType.EType != ElementType.U1 && field.FieldType.EType != ElementType.U4)
+					continue;
+				if (field.RVA == 0)
+					continue;
+
+				fields.Add(field);
 			}
 			return fields;
 		}

From 542c6bb2130339e509671493fafbcd3f9b59025c Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 22:49:10 +0100
Subject: [PATCH 13/78] Support 3.2 methods decrypter

---
 de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index ce0423a7..40c0887d 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -90,7 +90,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				return false;
 			if (!DotNetUtils.isMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
 				return false;
-			if (!hasCodeString(initMethod, "E_FullTrust"))
+			if (!hasCodeString(initMethod, "E_FullTrust") &&		// 4.0 / 4.1
+				!hasCodeString(initMethod, "Full Trust Required"))	// 3.2
 				return false;
 
 			return true;

From 18f020912dbf95d831569b72841025d81c121132 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 22:52:34 +0100
Subject: [PATCH 14/78] Make sure method operand isn't null

---
 blocks/DotNetUtils.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/blocks/DotNetUtils.cs b/blocks/DotNetUtils.cs
index c8abfb86..6c019794 100644
--- a/blocks/DotNetUtils.cs
+++ b/blocks/DotNetUtils.cs
@@ -623,6 +623,8 @@ namespace de4dot.blocks {
 					if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
 						continue;
 					var methodRef = call.Operand as MethodReference;
+					if (methodRef == null)
+						continue;
 					var type = DotNetUtils.getType(module, methodRef.DeclaringType);
 					var methodDef = DotNetUtils.getMethod(type, methodRef);
 					if (methodDef != null) {

From b3750f9d4c083cb1abdba55fd959320ffe6d993c Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 5 Feb 2012 23:04:24 +0100
Subject: [PATCH 15/78] Initialize its token field

---
 de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index 40c0887d..c31ac619 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -158,13 +158,13 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			var methodDef = metadataTables.getMetadataType(MetadataIndex.iMethodDef);
 			uint methodDefOffset = methodDef.fileOffset;
 			for (int i = 0; i < methodDef.rows; i++, methodDefOffset += methodDef.totalSize) {
-				uint token = (uint)(0x06000001 + i);
 				uint bodyRva = peImage.offsetReadUInt32(methodDefOffset);
 				if (bodyRva == 0)
 					continue;
 				uint bodyOffset = peImage.rvaToOffset(bodyRva);
 
 				var dm = new DumpedMethod();
+				dm.token = (uint)(0x06000001 + i);
 				dm.mdImplFlags = peImage.offsetReadUInt16(methodDefOffset + (uint)methodDef.fields[1].offset);
 				dm.mdFlags = peImage.offsetReadUInt16(methodDefOffset + (uint)methodDef.fields[2].offset);
 				dm.mdName = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[3].offset, methodDef.fields[3].size);
@@ -202,7 +202,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				if ((dm.mhFlags & 8) != 0)
 					dm.extraSections = readExtraSections(methodsDataReader);
 
-				dumpedMethods[token] = dm;
+				dumpedMethods[dm.token] = dm;
 			}
 
 			return dumpedMethods;

From b867301797edd2789bf5324ff727e0684ba7710a Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Mon, 6 Feb 2012 08:20:04 +0100
Subject: [PATCH 16/78] Update valid name regex

---
 de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 65e345d1..9eba9ea8 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -26,9 +26,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
 		public const string THE_NAME = "CodeVeil";
 		public const string THE_TYPE = "cv";
+		const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
 
 		public DeobfuscatorInfo()
-			: base() {
+			: base(DEFAULT_REGEX) {
 		}
 
 		public override string Name {

From da3a28f0a892161e9cef00b9f5c62e8e1fec29dc Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Mon, 6 Feb 2012 08:22:55 +0100
Subject: [PATCH 17/78] Move (and rename) XXTEA decrypt func to DeobUtils

---
 .../deobfuscators/CodeVeil/StringDecrypter.cs | 22 +------------------
 de4dot.code/deobfuscators/DeobUtils.cs        | 20 +++++++++++++++++
 2 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
index 50a06edf..a2978332 100644
--- a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
@@ -183,7 +183,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			var encryptedData = new uint[data.Length / 4];
 			Buffer.BlockCopy(data, 0, encryptedData, 0, data.Length);
-			decryptXxtea(encryptedData, encryptedData.Length, key);
+			DeobUtils.xxteaDecrypt(encryptedData, encryptedData.Length, key);
 			var decryptedData = new byte[data.Length];
 			Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, data.Length);
 
@@ -202,26 +202,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			}
 		}
 
-		// Code converted from C implementation @ http://en.wikipedia.org/wiki/XXTEA (btea() func)
-		static void decryptXxtea(uint[] v, int n, uint[] key) {
-			const uint DELTA = 0x9E3779B9;
-			uint rounds = (uint)(6 + 52 / n);
-			uint sum = rounds * DELTA;
-			uint y = v[0];
-			uint z;
-			//#define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)))
-			do {
-				int e = (int)((sum >> 2) & 3);
-				int p;
-				for (p = n - 1; p > 0; p--) {
-					z = v[p - 1];
-					y = v[p] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)));
-				}
-				z = v[n - 1];
-				y = v[0] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)));
-			} while ((sum -= DELTA) != 0);
-		}
-
 		public string decrypt(int index) {
 			return decryptedStrings[index];
 		}
diff --git a/de4dot.code/deobfuscators/DeobUtils.cs b/de4dot.code/deobfuscators/DeobUtils.cs
index 8ba839a8..36455f2f 100644
--- a/de4dot.code/deobfuscators/DeobUtils.cs
+++ b/de4dot.code/deobfuscators/DeobUtils.cs
@@ -90,6 +90,26 @@ namespace de4dot.code.deobfuscators {
 			}
 		}
 
+		// Code converted from C implementation @ http://en.wikipedia.org/wiki/XXTEA (btea() func)
+		public static void xxteaDecrypt(uint[] v, int n, uint[] key) {
+			const uint DELTA = 0x9E3779B9;
+			uint rounds = (uint)(6 + 52 / n);
+			uint sum = rounds * DELTA;
+			uint y = v[0];
+			uint z;
+			//#define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)))
+			do {
+				int e = (int)((sum >> 2) & 3);
+				int p;
+				for (p = n - 1; p > 0; p--) {
+					z = v[p - 1];
+					y = v[p] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)));
+				}
+				z = v[n - 1];
+				y = v[0] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)));
+			} while ((sum -= DELTA) != 0);
+		}
+
 		public static string getExtension(ModuleKind kind) {
 			switch (kind) {
 			case ModuleKind.Dll:

From 0d6542e3835ac81621b3208b50a558def23cb673 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Mon, 6 Feb 2012 15:47:10 +0100
Subject: [PATCH 18/78] Move v3-v4 code to a sub dir

---
 de4dot.code/de4dot.code.csproj                              | 6 +++---
 .../deobfuscators/CodeVeil/{ => v3_v4}/Deobfuscator.cs      | 4 ++--
 .../deobfuscators/CodeVeil/{ => v3_v4}/MethodsDecrypter.cs  | 2 +-
 .../deobfuscators/CodeVeil/{ => v3_v4}/StringDecrypter.cs   | 2 +-
 de4dot.cui/Program.cs                                       | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)
 rename de4dot.code/deobfuscators/CodeVeil/{ => v3_v4}/Deobfuscator.cs (97%)
 rename de4dot.code/deobfuscators/CodeVeil/{ => v3_v4}/MethodsDecrypter.cs (99%)
 rename de4dot.code/deobfuscators/CodeVeil/{ => v3_v4}/StringDecrypter.cs (99%)

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 92845367..12f041bb 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -79,9 +79,9 @@
     <Compile Include="deobfuscators\CliSecure\ResourceDecrypter.cs" />
     <Compile Include="deobfuscators\CliSecure\StackFrameHelper.cs" />
     <Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
-    <Compile Include="deobfuscators\CodeVeil\Deobfuscator.cs" />
-    <Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
-    <Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
+    <Compile Include="deobfuscators\CodeVeil\v3_v4\Deobfuscator.cs" />
+    <Compile Include="deobfuscators\CodeVeil\v3_v4\MethodsDecrypter.cs" />
+    <Compile Include="deobfuscators\CodeVeil\v3_v4\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs
similarity index 97%
rename from de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
rename to de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs
index 9eba9ea8..6dc094a5 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs
@@ -22,10 +22,10 @@ using Mono.Cecil;
 using Mono.MyStuff;
 using de4dot.blocks.cflow;
 
-namespace de4dot.code.deobfuscators.CodeVeil {
+namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
 		public const string THE_NAME = "CodeVeil";
-		public const string THE_TYPE = "cv";
+		public const string THE_TYPE = "cv4";
 		const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
 
 		public DeobfuscatorInfo()
diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs
similarity index 99%
rename from de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
rename to de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs
index c31ac619..b6adea40 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs
@@ -27,7 +27,7 @@ using Mono.MyStuff;
 using de4dot.blocks;
 using de4dot.code.PE;
 
-namespace de4dot.code.deobfuscators.CodeVeil {
+namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 	// The code isn't currently encrypted at all! But let's keep this class name.
 	class MethodsDecrypter {
 		ModuleDefinition module;
diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/v3_v4/StringDecrypter.cs
similarity index 99%
rename from de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
rename to de4dot.code/deobfuscators/CodeVeil/v3_v4/StringDecrypter.cs
index a2978332..9ef17e32 100644
--- a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/v3_v4/StringDecrypter.cs
@@ -23,7 +23,7 @@ using Mono.Cecil;
 using Mono.Cecil.Cil;
 using de4dot.blocks;
 
-namespace de4dot.code.deobfuscators.CodeVeil {
+namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 	class StringDecrypter {
 		ModuleDefinition module;
 		TypeDefinition decrypterType;
diff --git a/de4dot.cui/Program.cs b/de4dot.cui/Program.cs
index a9b6fa54..f8d0fb74 100644
--- a/de4dot.cui/Program.cs
+++ b/de4dot.cui/Program.cs
@@ -32,7 +32,7 @@ namespace de4dot.cui {
 				new de4dot.code.deobfuscators.Unknown.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Babel_NET.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CliSecure.DeobfuscatorInfo(),
-				new de4dot.code.deobfuscators.CodeVeil.DeobfuscatorInfo(),
+				new de4dot.code.deobfuscators.CodeVeil.v3_v4.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.DeepSea.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(),

From b39725f12f7e5205ec6349810cbcc897c87643fe Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Mon, 6 Feb 2012 15:52:19 +0100
Subject: [PATCH 19/78] Remove useless 'using'

---
 de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs
index 6dc094a5..8080ce63 100644
--- a/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs
@@ -20,7 +20,6 @@
 using System.Collections.Generic;
 using Mono.Cecil;
 using Mono.MyStuff;
-using de4dot.blocks.cflow;
 
 namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 	public class DeobfuscatorInfo : DeobfuscatorInfoBase {

From 26bf21a84e4c93de29c8868d642de07ac8799521 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Mon, 6 Feb 2012 15:55:14 +0100
Subject: [PATCH 20/78] Show obfuscator version

---
 de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs
index 8080ce63..35cf2f05 100644
--- a/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs
@@ -53,7 +53,7 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 
 	class Deobfuscator : DeobfuscatorBase {
 		Options options;
-		string obfuscatorName = DeobfuscatorInfo.THE_NAME;
+		string obfuscatorName = DeobfuscatorInfo.THE_NAME + " 3.x - 4.x";
 		bool foundKillType = false;
 
 		MethodsDecrypter methodsDecrypter;

From 2ccb35afb097495c937180c387d4127d0823a2df Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Mon, 6 Feb 2012 15:55:35 +0100
Subject: [PATCH 21/78] Add CV5 files

---
 de4dot.code/de4dot.code.csproj                |   1 +
 .../deobfuscators/CodeVeil/v5/Deobfuscator.cs | 109 ++++++++++++++++++
 de4dot.cui/Program.cs                         |   1 +
 3 files changed, 111 insertions(+)
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 12f041bb..e05470d9 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -82,6 +82,7 @@
     <Compile Include="deobfuscators\CodeVeil\v3_v4\Deobfuscator.cs" />
     <Compile Include="deobfuscators\CodeVeil\v3_v4\MethodsDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\v3_v4\StringDecrypter.cs" />
+    <Compile Include="deobfuscators\CodeVeil\v5\Deobfuscator.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs
new file mode 100644
index 00000000..7d50a6f6
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs
@@ -0,0 +1,109 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using Mono.Cecil;
+
+namespace de4dot.code.deobfuscators.CodeVeil.v5 {
+	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
+		public const string THE_NAME = "CodeVeil";
+		public const string THE_TYPE = "cv5";
+		const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
+
+		public DeobfuscatorInfo()
+			: base(DEFAULT_REGEX) {
+		}
+
+		public override string Name {
+			get { return THE_NAME; }
+		}
+
+		public override string Type {
+			get { return THE_TYPE; }
+		}
+
+		public override IDeobfuscator createDeobfuscator() {
+			return new Deobfuscator(new Deobfuscator.Options {
+				ValidNameRegex = validNameRegex.get(),
+			});
+		}
+
+		protected override IEnumerable<Option> getOptionsInternal() {
+			return new List<Option>() {
+			};
+		}
+	}
+
+	class Deobfuscator : DeobfuscatorBase {
+		Options options;
+		string obfuscatorName = DeobfuscatorInfo.THE_NAME + " 5.x";
+
+		internal class Options : OptionsBase {
+		}
+
+		public override string Type {
+			get { return DeobfuscatorInfo.THE_TYPE; }
+		}
+
+		public override string TypeLong {
+			get { return DeobfuscatorInfo.THE_NAME; }
+		}
+
+		public override string Name {
+			get { return obfuscatorName; }
+		}
+
+		public Deobfuscator(Options options)
+			: base(options) {
+			this.options = options;
+		}
+
+		protected override int detectInternal() {
+			int val = 0;
+
+			int sum = 0;
+			if (sum > 0)
+				val += 100 + 10 * (sum - 1);
+
+			return val;
+		}
+
+		protected override void scanForObfuscator() {
+			//TODO:
+		}
+
+		public override void deobfuscateBegin() {
+			base.deobfuscateBegin();
+
+			//TODO:
+		}
+
+		public override void deobfuscateEnd() {
+			//TODO:
+
+			base.deobfuscateEnd();
+		}
+
+		public override IEnumerable<string> getStringDecrypterMethods() {
+			var list = new List<string>();
+			//TODO:
+			return list;
+		}
+	}
+}
diff --git a/de4dot.cui/Program.cs b/de4dot.cui/Program.cs
index f8d0fb74..283e6432 100644
--- a/de4dot.cui/Program.cs
+++ b/de4dot.cui/Program.cs
@@ -33,6 +33,7 @@ namespace de4dot.cui {
 				new de4dot.code.deobfuscators.Babel_NET.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CliSecure.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CodeVeil.v3_v4.DeobfuscatorInfo(),
+				new de4dot.code.deobfuscators.CodeVeil.v5.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.DeepSea.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(),

From ad8a5078fe568b588ee3f5ae3489ac790e4fc356 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 00:42:32 +0100
Subject: [PATCH 22/78] Rename method

---
 .../deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs        | 6 +++---
 de4dot.code/deobfuscators/CodeVeil/v3_v4/StringDecrypter.cs | 6 +++---
 de4dot.code/deobfuscators/DeobUtils.cs                      | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs
index b6adea40..c7566cb3 100644
--- a/de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs
@@ -194,10 +194,10 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 				fileDataReader.BaseStream.Position = codeOffset;
 				if (fileDataReader.ReadByte() != 0x2A)
 					continue;	// Not a RET
-				int methodsDataOffset = DeobUtils.readVariableLengthInteger(fileDataReader);
+				int methodsDataOffset = DeobUtils.readVariableLengthInt32(fileDataReader);
 				methodsDataReader.BaseStream.Position = methodsDataOffset;
 
-				dm.mhCodeSize = (uint)DeobUtils.readVariableLengthInteger(methodsDataReader);
+				dm.mhCodeSize = (uint)DeobUtils.readVariableLengthInt32(methodsDataReader);
 				dm.code = methodsDataReader.ReadBytes((int)dm.mhCodeSize);
 				if ((dm.mhFlags & 8) != 0)
 					dm.extraSections = readExtraSections(methodsDataReader);
@@ -270,7 +270,7 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 					continue;
 				reader.BaseStream.Position = section.pointerToRawData + relOffs;
 
-				int size = DeobUtils.readVariableLengthInteger(reader);
+				int size = DeobUtils.readVariableLengthInt32(reader);
 				int endOffset = relOffs + size;
 				if (endOffset < relOffs || endOffset > section.sizeOfRawData)
 					continue;
diff --git a/de4dot.code/deobfuscators/CodeVeil/v3_v4/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/v3_v4/StringDecrypter.cs
index 9ef17e32..9ca98548 100644
--- a/de4dot.code/deobfuscators/CodeVeil/v3_v4/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/v3_v4/StringDecrypter.cs
@@ -189,12 +189,12 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 
 			var inflated = DeobUtils.inflate(decryptedData, 0, decryptedData.Length, true);
 			var reader = new BinaryReader(new MemoryStream(inflated));
-			int deflatedLength = DeobUtils.readVariableLengthInteger(reader);
-			int numStrings = DeobUtils.readVariableLengthInteger(reader);
+			int deflatedLength = DeobUtils.readVariableLengthInt32(reader);
+			int numStrings = DeobUtils.readVariableLengthInt32(reader);
 			decryptedStrings = new string[numStrings];
 			var offsets = new int[numStrings];
 			for (int i = 0; i < numStrings; i++)
-				offsets[i] = DeobUtils.readVariableLengthInteger(reader);
+				offsets[i] = DeobUtils.readVariableLengthInt32(reader);
 			int startOffset = (int)reader.BaseStream.Position;
 			for (int i = 0; i < numStrings; i++) {
 				reader.BaseStream.Position = startOffset + offsets[i];
diff --git a/de4dot.code/deobfuscators/DeobUtils.cs b/de4dot.code/deobfuscators/DeobUtils.cs
index 36455f2f..89c46ed7 100644
--- a/de4dot.code/deobfuscators/DeobUtils.cs
+++ b/de4dot.code/deobfuscators/DeobUtils.cs
@@ -150,7 +150,7 @@ namespace de4dot.code.deobfuscators {
 			return null;
 		}
 
-		public static int readVariableLengthInteger(BinaryReader reader) {
+		public static int readVariableLengthInt32(BinaryReader reader) {
 			byte b = reader.ReadByte();
 			if ((b & 0x80) == 0)
 				return b;

From c2313110b8a0af645d7bc7238b05840f345229d7 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 02:02:49 +0100
Subject: [PATCH 23/78] Add getDelegateTypes() and fix findProxyCall()

---
 .../deobfuscators/ProxyDelegateFinderBase.cs  | 30 ++++++++++++-------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs b/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs
index 54e87d75..c26bf35a 100644
--- a/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs
+++ b/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs
@@ -82,14 +82,21 @@ namespace de4dot.code.deobfuscators {
 			return false;
 		}
 
+		protected virtual IEnumerable<TypeDefinition> getDelegateTypes() {
+			foreach (var type in module.Types) {
+				if (type.BaseType == null || type.BaseType.FullName != "System.MulticastDelegate")
+					continue;
+
+				yield return type;
+			}
+		}
+
 		public void find() {
 			if (delegateCreatorMethods.Count == 0)
 				return;
 
 			Log.v("Finding all proxy delegates");
-			foreach (var type in module.Types) {
-				if (type.BaseType == null || type.BaseType.FullName != "System.MulticastDelegate")
-					continue;
+			foreach (var type in getDelegateTypes()) {
 				var cctor = DotNetUtils.getMethod(type, ".cctor");
 				if (cctor == null || !cctor.HasBody)
 					continue;
@@ -263,15 +270,18 @@ namespace de4dot.code.deobfuscators {
 				if (stack < 0)
 					return null;
 
-				if (instr.OpCode != OpCodes.Call && instr.OpCode != OpCodes.Callvirt)
+				if (instr.OpCode != OpCodes.Call && instr.OpCode != OpCodes.Callvirt) {
+					if (stack <= 0)
+						return null;
 					continue;
-				var method = DotNetUtils.getMethod(module, instr.Operand as MethodReference);
-				if (method == null)
-					continue;
-				if (stack != (DotNetUtils.hasReturnValue(method) ? 1 : 0))
-					continue;
-				if (method.DeclaringType != di.field.DeclaringType)
+				}
+				var calledMethod = instr.Operand as MethodReference;
+				if (calledMethod == null)
+					return null;
+				if (stack != (DotNetUtils.hasReturnValue(calledMethod) ? 1 : 0))
 					continue;
+				if (calledMethod.Name != "Invoke")
+					return null;
 
 				return new BlockInstr {
 					Block = block,

From d512889833b078b5359ac00d13eaeeca3d5751bc Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 02:05:42 +0100
Subject: [PATCH 24/78] Fix 'shadow calls' obfuscation

---
 de4dot.code/de4dot.code.csproj                |   1 +
 .../deobfuscators/CodeVeil/v5/Deobfuscator.cs |  18 +-
 .../CodeVeil/v5/ProxyDelegateFinder.cs        | 190 ++++++++++++++++++
 3 files changed, 204 insertions(+), 5 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/v5/ProxyDelegateFinder.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index e05470d9..a61cff67 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -83,6 +83,7 @@
     <Compile Include="deobfuscators\CodeVeil\v3_v4\MethodsDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\v3_v4\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\v5\Deobfuscator.cs" />
+    <Compile Include="deobfuscators\CodeVeil\v5\ProxyDelegateFinder.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs
index 7d50a6f6..f7802554 100644
--- a/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs
@@ -54,6 +54,8 @@ namespace de4dot.code.deobfuscators.CodeVeil.v5 {
 		Options options;
 		string obfuscatorName = DeobfuscatorInfo.THE_NAME + " 5.x";
 
+		ProxyDelegateFinder proxyDelegateFinder;
+
 		internal class Options : OptionsBase {
 		}
 
@@ -77,7 +79,7 @@ namespace de4dot.code.deobfuscators.CodeVeil.v5 {
 		protected override int detectInternal() {
 			int val = 0;
 
-			int sum = 0;
+			int sum = toInt32(proxyDelegateFinder.Detected);
 			if (sum > 0)
 				val += 100 + 10 * (sum - 1);
 
@@ -85,18 +87,24 @@ namespace de4dot.code.deobfuscators.CodeVeil.v5 {
 		}
 
 		protected override void scanForObfuscator() {
-			//TODO:
+			proxyDelegateFinder = new ProxyDelegateFinder(module);
+			proxyDelegateFinder.findDelegateCreator();
 		}
 
 		public override void deobfuscateBegin() {
 			base.deobfuscateBegin();
 
-			//TODO:
+			proxyDelegateFinder.initialize();
+			proxyDelegateFinder.find();
+		}
+
+		public override void deobfuscateMethodEnd(blocks.Blocks blocks) {
+			proxyDelegateFinder.deobfuscate(blocks);
+			base.deobfuscateMethodEnd(blocks);
 		}
 
 		public override void deobfuscateEnd() {
-			//TODO:
-
+			removeProxyDelegates(proxyDelegateFinder, false);	//TODO: Should be 'true'
 			base.deobfuscateEnd();
 		}
 
diff --git a/de4dot.code/deobfuscators/CodeVeil/v5/ProxyDelegateFinder.cs b/de4dot.code/deobfuscators/CodeVeil/v5/ProxyDelegateFinder.cs
new file mode 100644
index 00000000..b717b5e4
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/v5/ProxyDelegateFinder.cs
@@ -0,0 +1,190 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using Mono.Cecil;
+using Mono.Cecil.Cil;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.CodeVeil.v5 {
+	class ProxyDelegateFinder : ProxyDelegateFinderBase {
+		Info info = new Info();
+		BinaryReader reader;
+
+		class Info {
+			public TypeDefinition mainType;
+			public TypeDefinition proxyType;
+			public MethodDefinition initMethod;
+			public FieldDefinition dataField;
+		}
+
+		class Context {
+			public int offset;
+
+			public Context(int offset) {
+				this.offset = offset;
+			}
+		}
+
+		public ProxyDelegateFinder(ModuleDefinition module)
+			: base(module) {
+		}
+
+		protected override object checkCctor(TypeDefinition type, MethodDefinition cctor) {
+			var instrs = cctor.Body.Instructions;
+			for (int i = 0; i < instrs.Count - 1; i++) {
+				var ldci4 = instrs[i];
+				if (!DotNetUtils.isLdcI4(ldci4))
+					continue;
+
+				var call = instrs[i + 1];
+				if (call.OpCode.Code != Code.Call)
+					continue;
+				if (call.Operand != info.initMethod)
+					continue;
+
+				int offset = DotNetUtils.getLdcI4Value(ldci4);
+				reader.BaseStream.Position = offset;
+				int rid = DeobUtils.readVariableLengthInt32(reader);
+				if (rid != type.MetadataToken.RID)
+					throw new ApplicationException("Invalid RID");
+				return string.Empty;	// It's non-null
+			}
+			return null;
+		}
+
+		protected override void onFoundProxyDelegate(TypeDefinition type) {
+		}
+
+		protected override void getCallInfo(object context, FieldDefinition field, out MethodReference calledMethod, out OpCode callOpcode) {
+			byte flags = reader.ReadByte();
+
+			int methodToken = 0x06000000 + ((flags & 0x3F) << 24) + DeobUtils.readVariableLengthInt32(reader);
+			int genericTypeToken = (flags & 0x40) == 0 ? -1 : 0x1B000000 + DeobUtils.readVariableLengthInt32(reader);
+			callOpcode = (flags & 0x80) != 0 ? OpCodes.Callvirt : OpCodes.Call;
+
+			calledMethod = module.LookupToken(methodToken) as MethodReference;
+			if (calledMethod == null)
+				throw new ApplicationException("Could not find method");
+			if (genericTypeToken != -1 && calledMethod.DeclaringType.MetadataToken.ToInt32() != genericTypeToken)
+				throw new ApplicationException("Invalid declaring type token");
+		}
+
+		public void findDelegateCreator() {
+			var moduleCctor = DotNetUtils.getModuleTypeCctor(module);
+			if (moduleCctor == null)
+				return;
+			foreach (var call in DotNetUtils.getCalledMethods(module, moduleCctor)) {
+				if (!call.Item2.IsStatic)
+					continue;
+				if (!DotNetUtils.isMethod(call.Item2, "System.Void", "(System.Boolean,System.Boolean)"))
+					continue;
+				var infoTmp = new Info();
+				if (!initializeInfo(infoTmp, call.Item1))
+					continue;
+
+				info = infoTmp;
+				setDelegateCreatorMethod(info.initMethod);
+				return;
+			}
+		}
+
+		bool initializeInfo(Info infoTmp, TypeDefinition type) {
+			foreach (var dtype in type.NestedTypes) {
+				var cctor = DotNetUtils.getMethod(dtype, ".cctor");
+				if (cctor == null)
+					continue;
+				if (!initProxyType(infoTmp, cctor))
+					continue;
+
+				infoTmp.mainType = type;
+				return true;
+			}
+
+			return false;
+		}
+
+		bool initProxyType(Info infoTmp, MethodDefinition method) {
+			foreach (var call in DotNetUtils.getCalledMethods(module, method)) {
+				if (!call.Item2.IsStatic)
+					continue;
+				if (!DotNetUtils.isMethod(call.Item2, "System.Void", "(System.Int32)"))
+					continue;
+				if (!checkProxyType(infoTmp, call.Item1))
+					continue;
+
+				infoTmp.proxyType = call.Item1;
+				infoTmp.initMethod = call.Item2;
+				return true;
+			}
+			return false;
+		}
+
+		static string[] requiredFields = new string[] {
+			"System.Byte[]",
+			"System.Int32",
+			"System.ModuleHandle",
+			"System.Reflection.Emit.OpCode",
+			"System.Reflection.Emit.OpCode[]",
+		};
+		bool checkProxyType(Info infoTmp, TypeDefinition type) {
+			if (type.NestedTypes.Count != 1)
+				return false;
+
+			if (!new FieldTypes(type).all(requiredFields))
+				return false;
+
+			var fields = getRvaFields(type);
+			if (fields.Count != 1)
+				return false;
+			var field = fields[0];
+			var fieldType = DotNetUtils.getType(module, field.FieldType);
+			if (type.NestedTypes.IndexOf(fieldType) < 0)
+				return false;
+			if (field.InitialValue == null || field.InitialValue.Length == 0)
+				return false;
+
+			infoTmp.dataField = field;
+			return true;
+		}
+
+		static List<FieldDefinition> getRvaFields(TypeDefinition type) {
+			var fields = new List<FieldDefinition>();
+			foreach (var field in type.Fields) {
+				if (field.RVA != 0)
+					fields.Add(field);
+			}
+			return fields;
+		}
+
+		protected override IEnumerable<TypeDefinition> getDelegateTypes() {
+			return info.mainType.NestedTypes;
+		}
+
+		public void initialize() {
+			if (info.dataField == null)
+				return;
+
+			var decompressed = DeobUtils.inflate(info.dataField.InitialValue, true);
+			reader = new BinaryReader(new MemoryStream(decompressed));
+		}
+	}
+}

From 8f9cc6d290b2ebc69367bd7ce0550abe59fbedc4 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 03:03:49 +0100
Subject: [PATCH 25/78] Re-use v3-v4 string decrypter

---
 de4dot.code/de4dot.code.csproj                |  2 +-
 .../CodeVeil/{v3_v4 => }/StringDecrypter.cs   | 30 ++++++++++++++++++-
 .../deobfuscators/CodeVeil/v5/Deobfuscator.cs | 18 +++++++++--
 3 files changed, 45 insertions(+), 5 deletions(-)
 rename de4dot.code/deobfuscators/CodeVeil/{v3_v4 => }/StringDecrypter.cs (91%)

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index a61cff67..73f6676a 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -81,7 +81,7 @@
     <Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\v3_v4\Deobfuscator.cs" />
     <Compile Include="deobfuscators\CodeVeil\v3_v4\MethodsDecrypter.cs" />
-    <Compile Include="deobfuscators\CodeVeil\v3_v4\StringDecrypter.cs" />
+    <Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\v5\Deobfuscator.cs" />
     <Compile Include="deobfuscators\CodeVeil\v5\ProxyDelegateFinder.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/v3_v4/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
similarity index 91%
rename from de4dot.code/deobfuscators/CodeVeil/v3_v4/StringDecrypter.cs
rename to de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
index 9ca98548..fa049494 100644
--- a/de4dot.code/deobfuscators/CodeVeil/v3_v4/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
@@ -23,7 +23,7 @@ using Mono.Cecil;
 using Mono.Cecil.Cil;
 using de4dot.blocks;
 
-namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
+namespace de4dot.code.deobfuscators.CodeVeil {
 	class StringDecrypter {
 		ModuleDefinition module;
 		TypeDefinition decrypterType;
@@ -80,6 +80,34 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 			}
 		}
 
+		public void find2() {
+			foreach (var type in module.Types) {
+				if (!checkType(type))
+					continue;
+				var initMethodTmp = findInitMethod(type);
+				if (initMethodTmp == null)
+					continue;
+
+				decrypterType = type;
+				initMethod = initMethodTmp;
+				return;
+			}
+		}
+
+		MethodDefinition findInitMethod(TypeDefinition type) {
+			foreach (var method in type.Methods) {
+				if (!method.IsStatic || method.Body == null)
+					continue;
+				var key = getKey(method);
+				if (key == null)
+					continue;
+
+				return method;
+			}
+
+			return null;
+		}
+
 		bool checkType(TypeDefinition type) {
 			if (!type.HasNestedTypes)
 				return false;
diff --git a/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs
index f7802554..47ba7fc3 100644
--- a/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs
@@ -55,6 +55,7 @@ namespace de4dot.code.deobfuscators.CodeVeil.v5 {
 		string obfuscatorName = DeobfuscatorInfo.THE_NAME + " 5.x";
 
 		ProxyDelegateFinder proxyDelegateFinder;
+		StringDecrypter stringDecrypter;
 
 		internal class Options : OptionsBase {
 		}
@@ -79,7 +80,8 @@ namespace de4dot.code.deobfuscators.CodeVeil.v5 {
 		protected override int detectInternal() {
 			int val = 0;
 
-			int sum = toInt32(proxyDelegateFinder.Detected);
+			int sum = toInt32(proxyDelegateFinder.Detected) +
+					toInt32(stringDecrypter.Detected);
 			if (sum > 0)
 				val += 100 + 10 * (sum - 1);
 
@@ -89,18 +91,28 @@ namespace de4dot.code.deobfuscators.CodeVeil.v5 {
 		protected override void scanForObfuscator() {
 			proxyDelegateFinder = new ProxyDelegateFinder(module);
 			proxyDelegateFinder.findDelegateCreator();
+			stringDecrypter = new StringDecrypter(module);
+			stringDecrypter.find2();
 		}
 
 		public override void deobfuscateBegin() {
 			base.deobfuscateBegin();
 
+			if (Operations.DecryptStrings != OpDecryptString.None) {
+				stringDecrypter.initialize();
+				staticStringInliner.add(stringDecrypter.DecryptMethod, (method, args) => {
+					return stringDecrypter.decrypt((int)args[0]);
+				});
+				DeobfuscatedFile.stringDecryptersAdded();
+			}
+
 			proxyDelegateFinder.initialize();
 			proxyDelegateFinder.find();
 		}
 
-		public override void deobfuscateMethodEnd(blocks.Blocks blocks) {
+		public override void deobfuscateMethodBegin(blocks.Blocks blocks) {
 			proxyDelegateFinder.deobfuscate(blocks);
-			base.deobfuscateMethodEnd(blocks);
+			base.deobfuscateMethodBegin(blocks);
 		}
 
 		public override void deobfuscateEnd() {

From f1a1188409ab48d41d3d43c8b6611a269999d48e Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 04:45:04 +0100
Subject: [PATCH 26/78] Add a new ctor to copy values from old instance

---
 .../deobfuscators/ProxyDelegateFinderBase.cs  | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs b/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs
index c26bf35a..1cb21d2c 100644
--- a/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs
+++ b/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs
@@ -68,6 +68,31 @@ namespace de4dot.code.deobfuscators {
 			this.module = module;
 		}
 
+		public ProxyDelegateFinderBase(ModuleDefinition module, ProxyDelegateFinderBase oldOne) {
+			this.module = module;
+			foreach (var method in oldOne.delegateCreatorMethods)
+				delegateCreatorMethods.Add(lookup(method, "Could not find delegate creator method"));
+			foreach (var kv in oldOne.delegateTypesDict)
+				delegateTypesDict[lookup(kv.Key, "Could not find delegate type")] = kv.Value;
+			foreach (var key in oldOne.fieldToDelegateInfo.getKeys())
+				fieldToDelegateInfo.add(lookup(key, "Could not find field"), copy(oldOne.fieldToDelegateInfo.find(key)));
+			foreach (var kv in oldOne.proxyMethodToField) {
+				var key = lookup(kv.Key, "Could not find proxy method");
+				var value = lookup(kv.Value, "Could not find proxy field");
+				proxyMethodToField[key] = value;
+			}
+		}
+
+		DelegateInfo copy(DelegateInfo di) {
+			var method = lookup(di.methodRef, "Could not find method ref");
+			var field = lookup(di.field, "Could not find delegate field");
+			return new DelegateInfo(field, method, di.callOpcode);
+		}
+
+		T lookup<T>(T def, string errorMessage) where T : MemberReference {
+			return DeobUtils.lookup(module, def, errorMessage);
+		}
+
 		public void setDelegateCreatorMethod(MethodDefinition delegateCreatorMethod) {
 			if (delegateCreatorMethod == null)
 				return;

From 0aeee176ccd3566b3e85fe09267e0760ad424209 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 04:45:59 +0100
Subject: [PATCH 27/78] Merge v3-v4 and v5 code

---
 de4dot.code/de4dot.code.csproj                |   7 +-
 .../CodeVeil/{v3_v4 => }/Deobfuscator.cs      |  24 +++-
 .../CodeVeil/{v3_v4 => }/MethodsDecrypter.cs  |   2 +-
 .../CodeVeil/{v5 => }/ProxyDelegateFinder.cs  |   6 +-
 .../deobfuscators/CodeVeil/StringDecrypter.cs |   6 +-
 .../deobfuscators/CodeVeil/v5/Deobfuscator.cs | 129 ------------------
 de4dot.cui/Program.cs                         |   3 +-
 7 files changed, 31 insertions(+), 146 deletions(-)
 rename de4dot.code/deobfuscators/CodeVeil/{v3_v4 => }/Deobfuscator.cs (84%)
 rename de4dot.code/deobfuscators/CodeVeil/{v3_v4 => }/MethodsDecrypter.cs (99%)
 rename de4dot.code/deobfuscators/CodeVeil/{v5 => }/ProxyDelegateFinder.cs (97%)
 delete mode 100644 de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 73f6676a..3a8a3e13 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -79,11 +79,10 @@
     <Compile Include="deobfuscators\CliSecure\ResourceDecrypter.cs" />
     <Compile Include="deobfuscators\CliSecure\StackFrameHelper.cs" />
     <Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
-    <Compile Include="deobfuscators\CodeVeil\v3_v4\Deobfuscator.cs" />
-    <Compile Include="deobfuscators\CodeVeil\v3_v4\MethodsDecrypter.cs" />
+    <Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
-    <Compile Include="deobfuscators\CodeVeil\v5\Deobfuscator.cs" />
-    <Compile Include="deobfuscators\CodeVeil\v5\ProxyDelegateFinder.cs" />
+    <Compile Include="deobfuscators\CodeVeil\Deobfuscator.cs" />
+    <Compile Include="deobfuscators\CodeVeil\ProxyDelegateFinder.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
similarity index 84%
rename from de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs
rename to de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 35cf2f05..b1280d4a 100644
--- a/de4dot.code/deobfuscators/CodeVeil/v3_v4/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -21,10 +21,10 @@ using System.Collections.Generic;
 using Mono.Cecil;
 using Mono.MyStuff;
 
-namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
+namespace de4dot.code.deobfuscators.CodeVeil {
 	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
 		public const string THE_NAME = "CodeVeil";
-		public const string THE_TYPE = "cv4";
+		public const string THE_TYPE = "cv";
 		const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
 
 		public DeobfuscatorInfo()
@@ -53,10 +53,11 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 
 	class Deobfuscator : DeobfuscatorBase {
 		Options options;
-		string obfuscatorName = DeobfuscatorInfo.THE_NAME + " 3.x - 4.x";
+		string obfuscatorName = DeobfuscatorInfo.THE_NAME;
 		bool foundKillType = false;
 
 		MethodsDecrypter methodsDecrypter;
+		ProxyDelegateFinder proxyDelegateFinder;
 		StringDecrypter stringDecrypter;
 
 		internal class Options : OptionsBase {
@@ -83,7 +84,8 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 			int val = 0;
 
 			int sum = toInt32(methodsDecrypter.Detected) +
-					toInt32(stringDecrypter.Detected);
+					toInt32(stringDecrypter.Detected) +
+					toInt32(proxyDelegateFinder.Detected);
 			if (sum > 0)
 				val += 100 + 10 * (sum - 1);
 			if (foundKillType)
@@ -94,6 +96,8 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 
 		protected override void scanForObfuscator() {
 			findKillType();
+			proxyDelegateFinder = new ProxyDelegateFinder(module);
+			proxyDelegateFinder.findDelegateCreator();
 			methodsDecrypter = new MethodsDecrypter(module);
 			methodsDecrypter.find();
 			stringDecrypter = new StringDecrypter(module);
@@ -127,6 +131,7 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 			newOne.setModule(module);
 			newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter);
 			newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter);
+			newOne.proxyDelegateFinder = new ProxyDelegateFinder(module, proxyDelegateFinder);
 			return newOne;
 		}
 
@@ -141,12 +146,17 @@ namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
 				DeobfuscatedFile.stringDecryptersAdded();
 			}
 
-			//TODO:
+			proxyDelegateFinder.initialize();
+			proxyDelegateFinder.find();
+		}
+
+		public override void deobfuscateMethodBegin(blocks.Blocks blocks) {
+			proxyDelegateFinder.deobfuscate(blocks);
+			base.deobfuscateMethodBegin(blocks);
 		}
 
 		public override void deobfuscateEnd() {
-			//TODO:
-
+			removeProxyDelegates(proxyDelegateFinder, false);	//TODO: Should be 'true'
 			base.deobfuscateEnd();
 		}
 
diff --git a/de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
similarity index 99%
rename from de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs
rename to de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index c7566cb3..5db193ae 100644
--- a/de4dot.code/deobfuscators/CodeVeil/v3_v4/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -27,7 +27,7 @@ using Mono.MyStuff;
 using de4dot.blocks;
 using de4dot.code.PE;
 
-namespace de4dot.code.deobfuscators.CodeVeil.v3_v4 {
+namespace de4dot.code.deobfuscators.CodeVeil {
 	// The code isn't currently encrypted at all! But let's keep this class name.
 	class MethodsDecrypter {
 		ModuleDefinition module;
diff --git a/de4dot.code/deobfuscators/CodeVeil/v5/ProxyDelegateFinder.cs b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
similarity index 97%
rename from de4dot.code/deobfuscators/CodeVeil/v5/ProxyDelegateFinder.cs
rename to de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
index b717b5e4..840d9b3c 100644
--- a/de4dot.code/deobfuscators/CodeVeil/v5/ProxyDelegateFinder.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
@@ -24,7 +24,7 @@ using Mono.Cecil;
 using Mono.Cecil.Cil;
 using de4dot.blocks;
 
-namespace de4dot.code.deobfuscators.CodeVeil.v5 {
+namespace de4dot.code.deobfuscators.CodeVeil {
 	class ProxyDelegateFinder : ProxyDelegateFinderBase {
 		Info info = new Info();
 		BinaryReader reader;
@@ -48,6 +48,10 @@ namespace de4dot.code.deobfuscators.CodeVeil.v5 {
 			: base(module) {
 		}
 
+		public ProxyDelegateFinder(ModuleDefinition module, ProxyDelegateFinder oldOne)
+			: base(module, oldOne) {
+		}
+
 		protected override object checkCctor(TypeDefinition type, MethodDefinition cctor) {
 			var instrs = cctor.Body.Instructions;
 			for (int i = 0; i < instrs.Count - 1; i++) {
diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
index fa049494..591c865b 100644
--- a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
@@ -78,9 +78,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				initMethod = initMethodTmp;
 				break;
 			}
+
+			find2();
 		}
 
-		public void find2() {
+		void find2() {
 			foreach (var type in module.Types) {
 				if (!checkType(type))
 					continue;
@@ -174,7 +176,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		}
 
 		public void initialize() {
-			if (stringDataField == null)
+			if (initMethod == null || stringDataField == null)
 				return;
 
 			var key = getKey(initMethod);
diff --git a/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs
deleted file mode 100644
index 47ba7fc3..00000000
--- a/de4dot.code/deobfuscators/CodeVeil/v5/Deobfuscator.cs
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
-    Copyright (C) 2011-2012 de4dot@gmail.com
-
-    This file is part of de4dot.
-
-    de4dot is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    de4dot is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-using System.Collections.Generic;
-using Mono.Cecil;
-
-namespace de4dot.code.deobfuscators.CodeVeil.v5 {
-	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
-		public const string THE_NAME = "CodeVeil";
-		public const string THE_TYPE = "cv5";
-		const string DEFAULT_REGEX = @"!^[A-Za-z]{1,2}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
-
-		public DeobfuscatorInfo()
-			: base(DEFAULT_REGEX) {
-		}
-
-		public override string Name {
-			get { return THE_NAME; }
-		}
-
-		public override string Type {
-			get { return THE_TYPE; }
-		}
-
-		public override IDeobfuscator createDeobfuscator() {
-			return new Deobfuscator(new Deobfuscator.Options {
-				ValidNameRegex = validNameRegex.get(),
-			});
-		}
-
-		protected override IEnumerable<Option> getOptionsInternal() {
-			return new List<Option>() {
-			};
-		}
-	}
-
-	class Deobfuscator : DeobfuscatorBase {
-		Options options;
-		string obfuscatorName = DeobfuscatorInfo.THE_NAME + " 5.x";
-
-		ProxyDelegateFinder proxyDelegateFinder;
-		StringDecrypter stringDecrypter;
-
-		internal class Options : OptionsBase {
-		}
-
-		public override string Type {
-			get { return DeobfuscatorInfo.THE_TYPE; }
-		}
-
-		public override string TypeLong {
-			get { return DeobfuscatorInfo.THE_NAME; }
-		}
-
-		public override string Name {
-			get { return obfuscatorName; }
-		}
-
-		public Deobfuscator(Options options)
-			: base(options) {
-			this.options = options;
-		}
-
-		protected override int detectInternal() {
-			int val = 0;
-
-			int sum = toInt32(proxyDelegateFinder.Detected) +
-					toInt32(stringDecrypter.Detected);
-			if (sum > 0)
-				val += 100 + 10 * (sum - 1);
-
-			return val;
-		}
-
-		protected override void scanForObfuscator() {
-			proxyDelegateFinder = new ProxyDelegateFinder(module);
-			proxyDelegateFinder.findDelegateCreator();
-			stringDecrypter = new StringDecrypter(module);
-			stringDecrypter.find2();
-		}
-
-		public override void deobfuscateBegin() {
-			base.deobfuscateBegin();
-
-			if (Operations.DecryptStrings != OpDecryptString.None) {
-				stringDecrypter.initialize();
-				staticStringInliner.add(stringDecrypter.DecryptMethod, (method, args) => {
-					return stringDecrypter.decrypt((int)args[0]);
-				});
-				DeobfuscatedFile.stringDecryptersAdded();
-			}
-
-			proxyDelegateFinder.initialize();
-			proxyDelegateFinder.find();
-		}
-
-		public override void deobfuscateMethodBegin(blocks.Blocks blocks) {
-			proxyDelegateFinder.deobfuscate(blocks);
-			base.deobfuscateMethodBegin(blocks);
-		}
-
-		public override void deobfuscateEnd() {
-			removeProxyDelegates(proxyDelegateFinder, false);	//TODO: Should be 'true'
-			base.deobfuscateEnd();
-		}
-
-		public override IEnumerable<string> getStringDecrypterMethods() {
-			var list = new List<string>();
-			//TODO:
-			return list;
-		}
-	}
-}
diff --git a/de4dot.cui/Program.cs b/de4dot.cui/Program.cs
index 283e6432..a9b6fa54 100644
--- a/de4dot.cui/Program.cs
+++ b/de4dot.cui/Program.cs
@@ -32,8 +32,7 @@ namespace de4dot.cui {
 				new de4dot.code.deobfuscators.Unknown.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Babel_NET.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CliSecure.DeobfuscatorInfo(),
-				new de4dot.code.deobfuscators.CodeVeil.v3_v4.DeobfuscatorInfo(),
-				new de4dot.code.deobfuscators.CodeVeil.v5.DeobfuscatorInfo(),
+				new de4dot.code.deobfuscators.CodeVeil.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.DeepSea.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(),

From 3276f433c980653c4e41297f3c07bc862648163a Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 05:08:02 +0100
Subject: [PATCH 28/78] Add code to detect V5 methods decrypter

---
 .../CodeVeil/MethodsDecrypter.cs              | 37 +++++++++++++++++--
 1 file changed, 33 insertions(+), 4 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index 5db193ae..e4000ab6 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -33,6 +33,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		ModuleDefinition module;
 		TypeDefinition methodsType;
 		List<int> rvas;	// _stub and _executive
+		TypeVersion typeVersion = TypeVersion.Unknown;
+
+		enum TypeVersion {
+			Unknown,
+			V3,
+			V4,
+			V5,
+		}
 
 		public bool Detected {
 			get { return methodsType != null; }
@@ -80,6 +88,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			}
 		}
 
+		static string[] fieldTypesV5 = new string[] {
+			"System.Byte[]",
+			"System.Collections.Generic.List`1<System.Delegate>",
+			"System.Runtime.InteropServices.GCHandle",
+		};
 		bool checkInitMethod(MethodDefinition initMethod) {
 			if (initMethod == null)
 				return false;
@@ -90,8 +103,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				return false;
 			if (!DotNetUtils.isMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
 				return false;
-			if (!hasCodeString(initMethod, "E_FullTrust") &&		// 4.0 / 4.1
-				!hasCodeString(initMethod, "Full Trust Required"))	// 3.2
+
+			if (hasCodeString(initMethod, "E_FullTrust"))
+				typeVersion = TypeVersion.V4;
+			else if (hasCodeString(initMethod, "Full Trust Required"))
+				typeVersion = TypeVersion.V3;
+			else if (initMethod.DeclaringType.HasNestedTypes && new FieldTypes(initMethod.DeclaringType).all(fieldTypesV5))
+				typeVersion = TypeVersion.V5;
+			else
 				return false;
 
 			return true;
@@ -141,6 +160,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			if (methodsData == null)
 				return false;
 
+			if (typeVersion == TypeVersion.V5) {
+				methodsData = DeobUtils.inflate(methodsData, true);
+				throw new NotImplementedException();	//TODO:
+			}
+
 			dumpedMethods = createDumpedMethods(peImage, fileData, methodsData);
 			if (dumpedMethods == null)
 				return false;
@@ -244,9 +268,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			} while ((flags & 0x80) != 0);
 		}
 
-		// xor eax, eax / inc eax / pop esi edi edx ecx ebx / leave / ret 0Ch
+		// xor eax, eax / inc eax / pop esi edi edx ecx ebx / leave / ret 0Ch or 10h
 		static byte[] initializeMethodEnd = new byte[] {
-			0x33, 0xC0, 0x40, 0x5E, 0x5F, 0x5A, 0x59, 0x5B, 0xC9, 0xC2, 0x0C, 0x00,
+			0x33, 0xC0, 0x40, 0x5E, 0x5F, 0x5A, 0x59, 0x5B, 0xC9, 0xC2,
 		};
 		byte[] findMethodsData(PeImage peImage, byte[] fileData) {
 			var section = peImage.Sections[0];
@@ -261,6 +285,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 					return null;
 				offset += initializeMethodEnd.Length;
 
+				short retImm16 = BitConverter.ToInt16(fileData, offset);
+				if (retImm16 != 0x0C && retImm16 != 0x10)
+					continue;
+				offset += 2;
+
 				int rva = BitConverter.ToInt32(fileData, offset + RVA_EXECUTIVE_OFFSET);
 				if (rvas.IndexOf(rva) < 0)
 					continue;

From 97d09c4c65e21281fe5840c900f1bbdaa4c929bd Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 14:53:34 +0100
Subject: [PATCH 29/78] Make method accessible by sub classes

---
 de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs b/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs
index 1cb21d2c..5ae6da04 100644
--- a/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs
+++ b/de4dot.code/deobfuscators/ProxyDelegateFinderBase.cs
@@ -89,7 +89,7 @@ namespace de4dot.code.deobfuscators {
 			return new DelegateInfo(field, method, di.callOpcode);
 		}
 
-		T lookup<T>(T def, string errorMessage) where T : MemberReference {
+		protected T lookup<T>(T def, string errorMessage) where T : MemberReference {
 			return DeobUtils.lookup(module, def, errorMessage);
 		}
 

From f11c51830fafc16f5fccb455746ac75b692c4f6b Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 14:53:58 +0100
Subject: [PATCH 30/78] Make sure info is copied

---
 de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
index 840d9b3c..668c4207 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
@@ -50,6 +50,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 		public ProxyDelegateFinder(ModuleDefinition module, ProxyDelegateFinder oldOne)
 			: base(module, oldOne) {
+			info.mainType = lookup(oldOne.info.mainType, "Could not find mainType");
+			info.proxyType = lookup(oldOne.info.proxyType, "Could not find proxyType");
+			info.initMethod = lookup(oldOne.info.initMethod, "Could not find initMethod");
+			info.dataField = lookup(oldOne.info.dataField, "Could not find dataField");
 		}
 
 		protected override object checkCctor(TypeDefinition type, MethodDefinition cctor) {

From 6ab0748bdda3edf733117fb1221d243debcd776c Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 14:55:20 +0100
Subject: [PATCH 31/78] Decrypt V5 encrypted methods

---
 .../CodeVeil/MethodsDecrypter.cs              | 167 ++++++++++++------
 1 file changed, 114 insertions(+), 53 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index e4000ab6..f99c70de 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -28,12 +28,11 @@ using de4dot.blocks;
 using de4dot.code.PE;
 
 namespace de4dot.code.deobfuscators.CodeVeil {
-	// The code isn't currently encrypted at all! But let's keep this class name.
 	class MethodsDecrypter {
 		ModuleDefinition module;
 		TypeDefinition methodsType;
 		List<int> rvas;	// _stub and _executive
-		TypeVersion typeVersion = TypeVersion.Unknown;
+		IDecrypter decrypter;
 
 		enum TypeVersion {
 			Unknown,
@@ -42,6 +41,113 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			V5,
 		}
 
+		interface IDecrypter {
+			TypeVersion TypeVersion { get; }
+			void initialize(byte[] methodsData);
+			bool decrypt(BinaryReader fileDataReader, DumpedMethod dm);
+		}
+
+		class Decrypter : IDecrypter {
+			TypeVersion typeVersion;
+			BinaryReader methodsDataReader;
+
+			public TypeVersion TypeVersion {
+				get { return typeVersion; }
+			}
+
+			public Decrypter(TypeVersion typeVersion) {
+				this.typeVersion = typeVersion;
+			}
+
+			public virtual void initialize(byte[] methodsData) {
+				methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
+			}
+
+			public virtual bool decrypt(BinaryReader fileDataReader, DumpedMethod dm) {
+				if (fileDataReader.ReadByte() != 0x2A)
+					return false;	// Not a RET
+				int methodsDataOffset = DeobUtils.readVariableLengthInt32(fileDataReader);
+				methodsDataReader.BaseStream.Position = methodsDataOffset;
+
+				dm.mhCodeSize = (uint)DeobUtils.readVariableLengthInt32(methodsDataReader);
+				dm.code = methodsDataReader.ReadBytes((int)dm.mhCodeSize);
+				if ((dm.mhFlags & 8) != 0)
+					dm.extraSections = readExtraSections(methodsDataReader);
+
+				if (!decryptCode(dm))
+					return false;
+
+				return true;
+			}
+
+			protected virtual bool decryptCode(DumpedMethod dm) {
+				return true;
+			}
+
+			static void align(BinaryReader reader, int alignment) {
+				reader.BaseStream.Position = (reader.BaseStream.Position + alignment - 1) & ~(alignment - 1);
+			}
+
+			static byte[] readExtraSections(BinaryReader reader) {
+				align(reader, 4);
+				int startPos = (int)reader.BaseStream.Position;
+				parseSection(reader);
+				int size = (int)reader.BaseStream.Position - startPos;
+				reader.BaseStream.Position = startPos;
+				return reader.ReadBytes(size);
+			}
+
+			static void parseSection(BinaryReader reader) {
+				byte flags;
+				do {
+					align(reader, 4);
+
+					flags = reader.ReadByte();
+					if ((flags & 1) == 0)
+						throw new ApplicationException("Not an exception section");
+					if ((flags & 0x3E) != 0)
+						throw new ApplicationException("Invalid bits set");
+
+					if ((flags & 0x40) != 0) {
+						reader.BaseStream.Position--;
+						int num = (int)(reader.ReadUInt32() >> 8) / 24;
+						reader.BaseStream.Position += num * 24;
+					}
+					else {
+						int num = reader.ReadByte() / 12;
+						reader.BaseStream.Position += 2 + num * 12;
+					}
+				} while ((flags & 0x80) != 0);
+			}
+		}
+
+		class DecrypterV5 : Decrypter {
+			byte[] decryptKey;
+
+			public DecrypterV5()
+				: base(TypeVersion.V5) {
+			}
+
+			public override void initialize(byte[] methodsData) {
+				var data = DeobUtils.inflate(methodsData, true);
+				decryptKey = BitConverter.GetBytes(BitConverter.ToUInt32(data, 0));
+
+				var newMethodsData = new byte[data.Length - 4];
+				Array.Copy(data, 4, newMethodsData, 0, newMethodsData.Length);
+				base.initialize(newMethodsData);
+			}
+
+			protected override bool decryptCode(DumpedMethod dm) {
+				var code = dm.code;
+				for (int i = 0; i < code.Length; i++) {
+					for (int j = 0; j < 4 && i + j < code.Length; j++)
+						code[i + j] ^= decryptKey[j];
+				}
+
+				return true;
+			}
+		}
+
 		public bool Detected {
 			get { return methodsType != null; }
 		}
@@ -105,11 +211,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				return false;
 
 			if (hasCodeString(initMethod, "E_FullTrust"))
-				typeVersion = TypeVersion.V4;
+				decrypter = new Decrypter(TypeVersion.V4);
 			else if (hasCodeString(initMethod, "Full Trust Required"))
-				typeVersion = TypeVersion.V3;
+				decrypter = new Decrypter(TypeVersion.V3);
 			else if (initMethod.DeclaringType.HasNestedTypes && new FieldTypes(initMethod.DeclaringType).all(fieldTypesV5))
-				typeVersion = TypeVersion.V5;
+				decrypter = new DecrypterV5();
 			else
 				return false;
 
@@ -160,10 +266,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			if (methodsData == null)
 				return false;
 
-			if (typeVersion == TypeVersion.V5) {
-				methodsData = DeobUtils.inflate(methodsData, true);
-				throw new NotImplementedException();	//TODO:
-			}
+			decrypter.initialize(methodsData);
 
 			dumpedMethods = createDumpedMethods(peImage, fileData, methodsData);
 			if (dumpedMethods == null)
@@ -216,15 +319,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 					codeOffset = bodyOffset + (uint)(dm.mhFlags >> 12) * 4;
 				}
 				fileDataReader.BaseStream.Position = codeOffset;
-				if (fileDataReader.ReadByte() != 0x2A)
-					continue;	// Not a RET
-				int methodsDataOffset = DeobUtils.readVariableLengthInt32(fileDataReader);
-				methodsDataReader.BaseStream.Position = methodsDataOffset;
 
-				dm.mhCodeSize = (uint)DeobUtils.readVariableLengthInt32(methodsDataReader);
-				dm.code = methodsDataReader.ReadBytes((int)dm.mhCodeSize);
-				if ((dm.mhFlags & 8) != 0)
-					dm.extraSections = readExtraSections(methodsDataReader);
+				if (!decrypter.decrypt(fileDataReader, dm))
+					continue;
 
 				dumpedMethods[dm.token] = dm;
 			}
@@ -232,42 +329,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			return dumpedMethods;
 		}
 
-		static void align(BinaryReader reader, int alignment) {
-			reader.BaseStream.Position = (reader.BaseStream.Position + alignment - 1) & ~(alignment - 1);
-		}
-
-		static byte[] readExtraSections(BinaryReader reader) {
-			align(reader, 4);
-			int startPos = (int)reader.BaseStream.Position;
-			parseSection(reader);
-			int size = (int)reader.BaseStream.Position - startPos;
-			reader.BaseStream.Position = startPos;
-			return reader.ReadBytes(size);
-		}
-
-		static void parseSection(BinaryReader reader) {
-			byte flags;
-			do {
-				align(reader, 4);
-
-				flags = reader.ReadByte();
-				if ((flags & 1) == 0)
-					throw new ApplicationException("Not an exception section");
-				if ((flags & 0x3E) != 0)
-					throw new ApplicationException("Invalid bits set");
-
-				if ((flags & 0x40) != 0) {
-					reader.BaseStream.Position--;
-					int num = (int)(reader.ReadUInt32() >> 8) / 24;
-					reader.BaseStream.Position += num * 24;
-				}
-				else {
-					int num = reader.ReadByte() / 12;
-					reader.BaseStream.Position += 2 + num * 12;
-				}
-			} while ((flags & 0x80) != 0);
-		}
-
 		// xor eax, eax / inc eax / pop esi edi edx ecx ebx / leave / ret 0Ch or 10h
 		static byte[] initializeMethodEnd = new byte[] {
 			0x33, 0xC0, 0x40, 0x5E, 0x5F, 0x5A, 0x59, 0x5B, 0xC9, 0xC2,

From 1076218a8136bcc95da5dbc2f042c3d939f4fea3 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 15:05:27 +0100
Subject: [PATCH 32/78] Detect CV version

---
 .../deobfuscators/CodeVeil/Deobfuscator.cs    | 26 +++++++++++++++++++
 .../CodeVeil/MethodsDecrypter.cs              | 17 +++++++++---
 2 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index b1280d4a..19ae1ca1 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -17,6 +17,7 @@
     along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+using System;
 using System.Collections.Generic;
 using Mono.Cecil;
 using Mono.MyStuff;
@@ -102,6 +103,31 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			methodsDecrypter.find();
 			stringDecrypter = new StringDecrypter(module);
 			stringDecrypter.find();
+			var version = detectVersion();
+			if (!string.IsNullOrEmpty(version))
+				obfuscatorName = obfuscatorName + " " + version;
+		}
+
+		string detectVersion() {
+			switch (methodsDecrypter.Version) {
+			case MethodsDecrypter.TypeVersion.Unknown:
+				return null;
+
+			case MethodsDecrypter.TypeVersion.V3:
+				return "3.x";
+
+			case MethodsDecrypter.TypeVersion.V4_0:
+				return "4.0";
+
+			case MethodsDecrypter.TypeVersion.V4_1:
+				return "4.1";
+
+			case MethodsDecrypter.TypeVersion.V5:
+				return "5.x";
+
+			default:
+				throw new ApplicationException("Unknown version");
+			}
 		}
 
 		void findKillType() {
diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index f99c70de..49eab8ab 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -34,13 +34,18 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		List<int> rvas;	// _stub and _executive
 		IDecrypter decrypter;
 
-		enum TypeVersion {
+		public enum TypeVersion {
 			Unknown,
 			V3,
-			V4,
+			V4_0,
+			V4_1,
 			V5,
 		}
 
+		public TypeVersion Version {
+			get { return decrypter == null ? TypeVersion.Unknown : decrypter.TypeVersion; }
+		}
+
 		interface IDecrypter {
 			TypeVersion TypeVersion { get; }
 			void initialize(byte[] methodsData);
@@ -210,8 +215,12 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			if (!DotNetUtils.isMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
 				return false;
 
-			if (hasCodeString(initMethod, "E_FullTrust"))
-				decrypter = new Decrypter(TypeVersion.V4);
+			if (hasCodeString(initMethod, "E_FullTrust")) {
+				if (DotNetUtils.getPInvokeMethod(initMethod.DeclaringType, "user32", "CallWindowProcW") != null)
+					decrypter = new Decrypter(TypeVersion.V4_1);
+				else
+					decrypter = new Decrypter(TypeVersion.V4_0);
+			}
 			else if (hasCodeString(initMethod, "Full Trust Required"))
 				decrypter = new Decrypter(TypeVersion.V3);
 			else if (initMethod.DeclaringType.HasNestedTypes && new FieldTypes(initMethod.DeclaringType).all(fieldTypesV5))

From 776fd7f69f40e879ea03434aa43f3c73edb2630f Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Tue, 7 Feb 2012 15:17:41 +0100
Subject: [PATCH 33/78] Speed up finding V5 methods decrypter type

---
 .../deobfuscators/CodeVeil/StringDecrypter.cs | 53 ++++++++++---------
 1 file changed, 28 insertions(+), 25 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
index 591c865b..952e31db 100644
--- a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
@@ -61,7 +61,18 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			if (cctor == null)
 				return;
 
-			var instrs = cctor.Body.Instructions;
+			// V3-V4 calls string decrypter init method in <Module>::.cctor().
+			if (find(cctor))
+				return;
+
+			find_V5(cctor);
+		}
+
+		bool find(MethodDefinition method) {
+			if (method == null || method.Body == null || !method.IsStatic)
+				return false;
+
+			var instrs = method.Body.Instructions;
 			for (int i = 0; i < instrs.Count; i++) {
 				var call = instrs[i];
 				if (call.OpCode.Code != Code.Call)
@@ -76,40 +87,32 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 				decrypterType = initMethodTmp.DeclaringType;
 				initMethod = initMethodTmp;
-				break;
+				return true;
 			}
 
-			find2();
+			return false;
 		}
 
-		void find2() {
-			foreach (var type in module.Types) {
-				if (!checkType(type))
+		// The main decrypter type calls the string decrypter init method inside its init method
+		void find_V5(MethodDefinition method) {
+			var instrs = method.Body.Instructions;
+			for (int i = 0; i < instrs.Count; i++) {
+				var call = instrs[i];
+				if (call.OpCode.Code != Code.Call)
 					continue;
-				var initMethodTmp = findInitMethod(type);
-				if (initMethodTmp == null)
+				var mainTypeInitMethod = call.Operand as MethodDefinition;
+				if (mainTypeInitMethod == null || mainTypeInitMethod.Body == null || !mainTypeInitMethod.IsStatic)
+					continue;
+				if (!DotNetUtils.isMethod(mainTypeInitMethod, "System.Void", "(System.Boolean,System.Boolean)"))
 					continue;
 
-				decrypterType = type;
-				initMethod = initMethodTmp;
-				return;
+				foreach (var info in DotNetUtils.getCalledMethods(module, mainTypeInitMethod)) {
+					if (find(info.Item2))
+						return;
+				}
 			}
 		}
 
-		MethodDefinition findInitMethod(TypeDefinition type) {
-			foreach (var method in type.Methods) {
-				if (!method.IsStatic || method.Body == null)
-					continue;
-				var key = getKey(method);
-				if (key == null)
-					continue;
-
-				return method;
-			}
-
-			return null;
-		}
-
 		bool checkType(TypeDefinition type) {
 			if (!type.HasNestedTypes)
 				return false;

From 0e89c0fc35102dc6b1a05c64527231c8a24f2afd Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 08:50:36 +0100
Subject: [PATCH 34/78] Only check Version property if methods decrypter was
 found

---
 .../deobfuscators/CodeVeil/Deobfuscator.cs    | 30 +++++++++++--------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 19ae1ca1..d0e24170 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -109,25 +109,29 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		}
 
 		string detectVersion() {
-			switch (methodsDecrypter.Version) {
-			case MethodsDecrypter.TypeVersion.Unknown:
-				return null;
+			if (methodsDecrypter.Detected) {
+				switch (methodsDecrypter.Version) {
+				case MethodsDecrypter.TypeVersion.Unknown:
+					return null;
 
-			case MethodsDecrypter.TypeVersion.V3:
-				return "3.x";
+				case MethodsDecrypter.TypeVersion.V3:
+					return "3.x";
 
-			case MethodsDecrypter.TypeVersion.V4_0:
-				return "4.0";
+				case MethodsDecrypter.TypeVersion.V4_0:
+					return "4.0";
 
-			case MethodsDecrypter.TypeVersion.V4_1:
-				return "4.1";
+				case MethodsDecrypter.TypeVersion.V4_1:
+					return "4.1";
 
-			case MethodsDecrypter.TypeVersion.V5:
-				return "5.x";
+				case MethodsDecrypter.TypeVersion.V5:
+					return "5.0";
 
-			default:
-				throw new ApplicationException("Unknown version");
+				default:
+					throw new ApplicationException("Unknown version");
+				}
 			}
+
+			return null;
 		}
 
 		void findKillType() {

From a8d4b38c790fe8cce9b259d2c65b6f1b4e9972f0 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 08:55:45 +0100
Subject: [PATCH 35/78] Mover version info to a new ObfuscatorVersion enum

---
 de4dot.code/de4dot.code.csproj                |  1 +
 .../deobfuscators/CodeVeil/Deobfuscator.cs    | 10 +++---
 .../CodeVeil/MethodsDecrypter.cs              | 32 +++++++------------
 .../CodeVeil/ObfuscatorVersion.cs             | 28 ++++++++++++++++
 4 files changed, 46 insertions(+), 25 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/ObfuscatorVersion.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 3a8a3e13..a1737896 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -80,6 +80,7 @@
     <Compile Include="deobfuscators\CliSecure\StackFrameHelper.cs" />
     <Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
+    <Compile Include="deobfuscators\CodeVeil\ObfuscatorVersion.cs" />
     <Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\Deobfuscator.cs" />
     <Compile Include="deobfuscators\CodeVeil\ProxyDelegateFinder.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index d0e24170..c854a2b0 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -111,19 +111,19 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		string detectVersion() {
 			if (methodsDecrypter.Detected) {
 				switch (methodsDecrypter.Version) {
-				case MethodsDecrypter.TypeVersion.Unknown:
+				case ObfuscatorVersion.Unknown:
 					return null;
 
-				case MethodsDecrypter.TypeVersion.V3:
+				case ObfuscatorVersion.V3:
 					return "3.x";
 
-				case MethodsDecrypter.TypeVersion.V4_0:
+				case ObfuscatorVersion.V4_0:
 					return "4.0";
 
-				case MethodsDecrypter.TypeVersion.V4_1:
+				case ObfuscatorVersion.V4_1:
 					return "4.1";
 
-				case MethodsDecrypter.TypeVersion.V5:
+				case ObfuscatorVersion.V5_0:
 					return "5.0";
 
 				default:
diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index 49eab8ab..365dd50b 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -34,34 +34,26 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		List<int> rvas;	// _stub and _executive
 		IDecrypter decrypter;
 
-		public enum TypeVersion {
-			Unknown,
-			V3,
-			V4_0,
-			V4_1,
-			V5,
-		}
-
-		public TypeVersion Version {
-			get { return decrypter == null ? TypeVersion.Unknown : decrypter.TypeVersion; }
+		public ObfuscatorVersion Version {
+			get { return decrypter == null ? ObfuscatorVersion.Unknown : decrypter.Version; }
 		}
 
 		interface IDecrypter {
-			TypeVersion TypeVersion { get; }
+			ObfuscatorVersion Version { get; }
 			void initialize(byte[] methodsData);
 			bool decrypt(BinaryReader fileDataReader, DumpedMethod dm);
 		}
 
 		class Decrypter : IDecrypter {
-			TypeVersion typeVersion;
+			ObfuscatorVersion obfuscatorVersion;
 			BinaryReader methodsDataReader;
 
-			public TypeVersion TypeVersion {
-				get { return typeVersion; }
+			public ObfuscatorVersion Version {
+				get { return obfuscatorVersion; }
 			}
 
-			public Decrypter(TypeVersion typeVersion) {
-				this.typeVersion = typeVersion;
+			public Decrypter(ObfuscatorVersion obfuscatorVersion) {
+				this.obfuscatorVersion = obfuscatorVersion;
 			}
 
 			public virtual void initialize(byte[] methodsData) {
@@ -130,7 +122,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			byte[] decryptKey;
 
 			public DecrypterV5()
-				: base(TypeVersion.V5) {
+				: base(ObfuscatorVersion.V5_0) {
 			}
 
 			public override void initialize(byte[] methodsData) {
@@ -217,12 +209,12 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			if (hasCodeString(initMethod, "E_FullTrust")) {
 				if (DotNetUtils.getPInvokeMethod(initMethod.DeclaringType, "user32", "CallWindowProcW") != null)
-					decrypter = new Decrypter(TypeVersion.V4_1);
+					decrypter = new Decrypter(ObfuscatorVersion.V4_1);
 				else
-					decrypter = new Decrypter(TypeVersion.V4_0);
+					decrypter = new Decrypter(ObfuscatorVersion.V4_0);
 			}
 			else if (hasCodeString(initMethod, "Full Trust Required"))
-				decrypter = new Decrypter(TypeVersion.V3);
+				decrypter = new Decrypter(ObfuscatorVersion.V3);
 			else if (initMethod.DeclaringType.HasNestedTypes && new FieldTypes(initMethod.DeclaringType).all(fieldTypesV5))
 				decrypter = new DecrypterV5();
 			else
diff --git a/de4dot.code/deobfuscators/CodeVeil/ObfuscatorVersion.cs b/de4dot.code/deobfuscators/CodeVeil/ObfuscatorVersion.cs
new file mode 100644
index 00000000..8a51ce83
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/ObfuscatorVersion.cs
@@ -0,0 +1,28 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	enum ObfuscatorVersion {
+		Unknown,
+		V3,
+		V4_0,
+		V4_1,
+		V5_0,
+	}
+}

From 09e840923d5c31212f215345841cc4945c077f19 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 09:29:49 +0100
Subject: [PATCH 36/78] Search for sig starting from _stub RVA

---
 .../CodeVeil/MethodsDecrypter.cs              | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index 365dd50b..03b245a5 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -341,8 +341,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			const int RVA_EXECUTIVE_OFFSET = 1 * 4;
 			const int ENC_CODE_OFFSET = 6 * 4;
-			for (int offset = 0; offset < section.sizeOfRawData - (ENC_CODE_OFFSET + 4 - 1); ) {
-				offset = findSig(fileData, offset, initializeMethodEnd);
+			int lastOffset = (int)(section.pointerToRawData + section.sizeOfRawData);
+			for (int offset = getStartOffset(peImage); offset < lastOffset; ) {
+				offset = findSig(fileData, offset, lastOffset, initializeMethodEnd);
 				if (offset < 0)
 					return null;
 				offset += initializeMethodEnd.Length;
@@ -351,6 +352,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				if (retImm16 != 0x0C && retImm16 != 0x10)
 					continue;
 				offset += 2;
+				if (offset + ENC_CODE_OFFSET + 4 > lastOffset)
+					return null;
 
 				int rva = BitConverter.ToInt32(fileData, offset + RVA_EXECUTIVE_OFFSET);
 				if (rvas.IndexOf(rva) < 0)
@@ -372,8 +375,18 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			return null;
 		}
 
-		static int findSig(byte[] fileData, int offset, byte[] sig) {
-			for (int i = offset; i < fileData.Length - sig.Length + 1; i++) {
+		int getStartOffset(PeImage peImage) {
+			int minOffset = int.MaxValue;
+			foreach (var rva in rvas) {
+				int rvaOffs = (int)peImage.rvaToOffset((uint)rva);
+				if (rvaOffs < minOffset)
+					minOffset = rvaOffs;
+			}
+			return minOffset == int.MaxValue ? 0 : minOffset;
+		}
+
+		static int findSig(byte[] fileData, int offset, int lastOffset, byte[] sig) {
+			for (int i = offset; i < lastOffset - sig.Length + 1; i++) {
 				if (fileData[i] != sig[0])
 					continue;
 				if (compare(fileData, i + 1, sig, 1, sig.Length - 1))

From 1e3daf3b45a40ad7d02a60e250b04619b4b79220 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 12:06:14 +0100
Subject: [PATCH 37/78] Dump embedded assemblies

---
 de4dot.code/de4dot.code.csproj                |   1 +
 .../CodeVeil/AssemblyResolver.cs              | 191 ++++++++++++++++++
 .../deobfuscators/CodeVeil/Deobfuscator.cs    |  12 ++
 3 files changed, 204 insertions(+)
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index a1737896..543a3756 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -79,6 +79,7 @@
     <Compile Include="deobfuscators\CliSecure\ResourceDecrypter.cs" />
     <Compile Include="deobfuscators\CliSecure\StackFrameHelper.cs" />
     <Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
+    <Compile Include="deobfuscators\CodeVeil\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\ObfuscatorVersion.cs" />
     <Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs b/de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs
new file mode 100644
index 00000000..6d33f062
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs
@@ -0,0 +1,191 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using System.IO;
+using System.Xml;
+using Mono.Cecil;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	class AssemblyResolver {
+		ModuleDefinition module;
+		EmbeddedResource bundleData;
+		EmbeddedResource bundleXmlFile;
+		TypeDefinition bundleType;
+		List<AssemblyInfo> infos = new List<AssemblyInfo>();
+
+		public class AssemblyInfo {
+			public string fullName;
+			public string simpleName;
+			public string extension;
+			public byte[] data;
+
+			public AssemblyInfo(string fullName, string extension, byte[] data) {
+				this.fullName = fullName;
+				this.simpleName = Utils.getAssemblySimpleName(fullName);
+				this.extension = extension;
+				this.data = data;
+			}
+
+			public override string ToString() {
+				return fullName;
+			}
+		}
+
+		public IEnumerable<AssemblyInfo> AssemblyInfos {
+			get { return infos; }
+		}
+
+		public EmbeddedResource BundleDataResource {
+			get { return bundleData; }
+		}
+
+		public EmbeddedResource BundleXmlFileResource {
+			get { return bundleXmlFile; }
+		}
+
+		public AssemblyResolver(ModuleDefinition module) {
+			this.module = module;
+		}
+
+		public void initialize() {
+			if (!findTypeAndResources())
+				return;
+
+			findEmbeddedAssemblies();
+		}
+
+		bool findTypeAndResources() {
+			var bundleDataTmp = DotNetUtils.getResource(module, ".bundle.dat") as EmbeddedResource;
+			var bundleXmlFileTmp = DotNetUtils.getResource(module, ".bundle.manifest") as EmbeddedResource;
+			if (bundleDataTmp == null || bundleXmlFileTmp == null)
+				return false;
+
+			var bundleTypeTmp = findBundleType();
+			if (bundleTypeTmp == null)
+				return false;
+
+			bundleData = bundleDataTmp;
+			bundleXmlFile = bundleXmlFileTmp;
+			bundleType = bundleTypeTmp;
+			return true;
+		}
+
+		void findEmbeddedAssemblies() {
+			var data = bundleData.GetResourceData();
+
+			var doc = new XmlDocument();
+			doc.Load(XmlReader.Create(bundleXmlFile.GetResourceStream()));
+			var manifest = doc.DocumentElement;
+			if (manifest.Name.ToLowerInvariant() != "manifest") {
+				Log.w("Could not find Manifest element");
+				return;
+			}
+			foreach (var tmp in manifest.ChildNodes) {
+				var assemblyElem = tmp as XmlElement;
+				if (assemblyElem == null)
+					continue;
+
+				if (assemblyElem.Name.ToLowerInvariant() != "assembly") {
+					Log.w("Unknown element: {0}", assemblyElem.Name);
+					continue;
+				}
+
+				int offset = getAttributeValueUInt32(assemblyElem, "offset");
+				if (offset < 0) {
+					Log.w("Could not find offset attribute");
+					continue;
+				}
+
+				var assemblyData = DeobUtils.inflate(data, offset, data.Length - offset, true);
+				var mod = ModuleDefinition.ReadModule(new MemoryStream(assemblyData));
+				infos.Add(new AssemblyInfo(mod.Assembly.FullName, DeobUtils.getExtension(mod.Kind), assemblyData));
+			}
+		}
+
+		static int getAttributeValueUInt32(XmlElement elem, string attrName) {
+			var str = elem.GetAttribute(attrName);
+			if (string.IsNullOrEmpty(str))
+				return -1;
+
+			int value;
+			if (!int.TryParse(str, out value))
+				return -1;
+
+			return value;
+		}
+
+		TypeDefinition findBundleType() {
+			foreach (var type in module.Types) {
+				if (type.Namespace != "")
+					continue;
+				if (type.Fields.Count != 2)
+					continue;
+
+				var ctor = DotNetUtils.getMethod(type, ".ctor");
+				if (ctor == null || !ctor.IsPrivate)
+					continue;
+				if (!DotNetUtils.isMethod(ctor, "System.Void", "(System.Reflection.Assembly)"))
+					continue;
+
+				var initMethodTmp = findInitMethod(type);
+				if (initMethodTmp == null)
+					continue;
+				var getTempFilenameMethod = findGetTempFilenameMethod(type);
+				if (getTempFilenameMethod == null)
+					continue;
+
+				return type;
+			}
+
+			return null;
+		}
+
+		MethodDefinition findInitMethod(TypeDefinition type) {
+			foreach (var method in type.Methods) {
+				if (!method.IsStatic || method.Body == null)
+					continue;
+				if (!method.IsPublic && !method.IsAssembly)
+					continue;
+				if (!DotNetUtils.isMethod(method, "System.Void", "(System.Reflection.Assembly)"))
+					continue;
+
+				return method;
+			}
+
+			return null;
+		}
+
+		MethodDefinition findGetTempFilenameMethod(TypeDefinition type) {
+			foreach (var method in type.Methods) {
+				if (method.IsStatic || method.Body == null)
+					continue;
+				if (!method.IsPublic && !method.IsAssembly)
+					continue;
+				if (!DotNetUtils.isMethod(method, "System.String", "(System.String)"))
+					continue;
+
+				return method;
+			}
+
+			return null;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index c854a2b0..5f4b160d 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -60,6 +60,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		MethodsDecrypter methodsDecrypter;
 		ProxyDelegateFinder proxyDelegateFinder;
 		StringDecrypter stringDecrypter;
+		AssemblyResolver assemblyResolver;
 
 		internal class Options : OptionsBase {
 		}
@@ -176,10 +177,21 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				DeobfuscatedFile.stringDecryptersAdded();
 			}
 
+			assemblyResolver = new AssemblyResolver(module);
+			assemblyResolver.initialize();
+			dumpEmbeddedAssemblies();
+
 			proxyDelegateFinder.initialize();
 			proxyDelegateFinder.find();
 		}
 
+		void dumpEmbeddedAssemblies() {
+			foreach (var info in assemblyResolver.AssemblyInfos)
+				DeobfuscatedFile.createAssemblyFile(info.data, info.simpleName, info.extension);
+			addResourceToBeRemoved(assemblyResolver.BundleDataResource, "Embedded assemblies resource");
+			addResourceToBeRemoved(assemblyResolver.BundleXmlFileResource, "Embedded assemblies XML file resource");
+		}
+
 		public override void deobfuscateMethodBegin(blocks.Blocks blocks) {
 			proxyDelegateFinder.deobfuscate(blocks);
 			base.deobfuscateMethodBegin(blocks);

From bb89ce2983ea5d255db903cb8218bb444b2b3730 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 15:19:45 +0100
Subject: [PATCH 38/78] Remove method since base class now has the same method

---
 de4dot.code/deobfuscators/CliSecure/ProxyDelegateFinder.cs | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/de4dot.code/deobfuscators/CliSecure/ProxyDelegateFinder.cs b/de4dot.code/deobfuscators/CliSecure/ProxyDelegateFinder.cs
index ebcd0d0c..f239f4eb 100644
--- a/de4dot.code/deobfuscators/CliSecure/ProxyDelegateFinder.cs
+++ b/de4dot.code/deobfuscators/CliSecure/ProxyDelegateFinder.cs
@@ -37,10 +37,6 @@ namespace de4dot.code.deobfuscators.CliSecure {
 				setDelegateCreatorMethod(lookup(method, "Could not find delegate creator method"));
 		}
 
-		T lookup<T>(T def, string errorMessage) where T : MemberReference {
-			return DeobUtils.lookup(module, def, errorMessage);
-		}
-
 		public void findDelegateCreator() {
 			foreach (var type in module.Types) {
 				var methodName = "System.Void " + type.FullName + "::icgd(System.Int32)";

From fa6b0d4054a02b8b1cfea67c9e3b43ecb5137629 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 15:40:11 +0100
Subject: [PATCH 39/78] Move detection of CV main type to its own class

---
 de4dot.code/de4dot.code.csproj                |   1 +
 .../deobfuscators/CodeVeil/Deobfuscator.cs    |  23 ++-
 .../deobfuscators/CodeVeil/MainType.cs        | 169 ++++++++++++++++++
 .../CodeVeil/MethodsDecrypter.cs              | 137 +++-----------
 .../CodeVeil/ProxyDelegateFinder.cs           |  33 ++--
 .../deobfuscators/CodeVeil/StringDecrypter.cs |  27 ++-
 6 files changed, 229 insertions(+), 161 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/MainType.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 543a3756..6a56f669 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -80,6 +80,7 @@
     <Compile Include="deobfuscators\CliSecure\StackFrameHelper.cs" />
     <Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\AssemblyResolver.cs" />
+    <Compile Include="deobfuscators\CodeVeil\MainType.cs" />
     <Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\ObfuscatorVersion.cs" />
     <Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 5f4b160d..bb4741fa 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -57,6 +57,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		string obfuscatorName = DeobfuscatorInfo.THE_NAME;
 		bool foundKillType = false;
 
+		MainType mainType;
 		MethodsDecrypter methodsDecrypter;
 		ProxyDelegateFinder proxyDelegateFinder;
 		StringDecrypter stringDecrypter;
@@ -85,7 +86,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		protected override int detectInternal() {
 			int val = 0;
 
-			int sum = toInt32(methodsDecrypter.Detected) +
+			int sum = toInt32(mainType.Detected) +
+					toInt32(methodsDecrypter.Detected) +
 					toInt32(stringDecrypter.Detected) +
 					toInt32(proxyDelegateFinder.Detected);
 			if (sum > 0)
@@ -98,11 +100,13 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 		protected override void scanForObfuscator() {
 			findKillType();
-			proxyDelegateFinder = new ProxyDelegateFinder(module);
+			mainType = new MainType(module);
+			mainType.find();
+			proxyDelegateFinder = new ProxyDelegateFinder(module, mainType);
 			proxyDelegateFinder.findDelegateCreator();
-			methodsDecrypter = new MethodsDecrypter(module);
+			methodsDecrypter = new MethodsDecrypter(mainType);
 			methodsDecrypter.find();
-			stringDecrypter = new StringDecrypter(module);
+			stringDecrypter = new StringDecrypter(module, mainType);
 			stringDecrypter.find();
 			var version = detectVersion();
 			if (!string.IsNullOrEmpty(version))
@@ -110,8 +114,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		}
 
 		string detectVersion() {
-			if (methodsDecrypter.Detected) {
-				switch (methodsDecrypter.Version) {
+			if (mainType.Detected) {
+				switch (mainType.Version) {
 				case ObfuscatorVersion.Unknown:
 					return null;
 
@@ -160,9 +164,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
 			var newOne = new Deobfuscator(options);
 			newOne.setModule(module);
-			newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter);
-			newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter);
-			newOne.proxyDelegateFinder = new ProxyDelegateFinder(module, proxyDelegateFinder);
+			newOne.mainType = new MainType(module, mainType);
+			newOne.methodsDecrypter = new MethodsDecrypter(mainType, methodsDecrypter);
+			newOne.stringDecrypter = new StringDecrypter(module, newOne.mainType, stringDecrypter);
+			newOne.proxyDelegateFinder = new ProxyDelegateFinder(module, newOne.mainType, proxyDelegateFinder);
 			return newOne;
 		}
 
diff --git a/de4dot.code/deobfuscators/CodeVeil/MainType.cs b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
new file mode 100644
index 00000000..e4f0a8fb
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
@@ -0,0 +1,169 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using Mono.Cecil;
+using Mono.Cecil.Cil;
+using Mono.Cecil.Metadata;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	// Detects the type CV adds to the assembly that gets called from <Module>::.cctor.
+	class MainType {
+		ModuleDefinition module;
+		TypeDefinition theType;
+		MethodDefinition initMethod;
+		ObfuscatorVersion obfuscatorVersion = ObfuscatorVersion.Unknown;
+		List<int> rvas;	// _stub and _executive
+
+		public bool Detected {
+			get { return theType != null; }
+		}
+
+		public ObfuscatorVersion Version {
+			get { return obfuscatorVersion; }
+		}
+
+		public TypeDefinition Type {
+			get { return theType; }
+		}
+
+		public MethodDefinition InitMethod {
+			get { return initMethod; }
+		}
+
+		public List<int> Rvas {
+			get { return rvas; }
+		}
+
+		public MainType(ModuleDefinition module) {
+			this.module = module;
+		}
+
+		public MainType(ModuleDefinition module, MainType oldOne) {
+			this.module = module;
+			this.theType = lookup(oldOne.theType, "Could not find main type");
+			this.initMethod = lookup(oldOne.initMethod, "Could not find main type init method");
+			this.obfuscatorVersion = oldOne.obfuscatorVersion;
+			this.rvas = oldOne.rvas;
+		}
+
+		T lookup<T>(T def, string errorMessage) where T : MemberReference {
+			return DeobUtils.lookup(module, def, errorMessage);
+		}
+
+		public void find() {
+			var cctor = DotNetUtils.getModuleTypeCctor(module);
+			if (cctor == null)
+				return;
+
+			var instrs = cctor.Body.Instructions;
+			for (int i = 0; i < instrs.Count - 2; i++) {
+				var ldci4_1 = instrs[i];
+				if (!DotNetUtils.isLdcI4(ldci4_1))
+					continue;
+
+				var ldci4_2 = instrs[i + 1];
+				if (!DotNetUtils.isLdcI4(ldci4_2))
+					continue;
+
+				var call = instrs[i + 2];
+				if (call.OpCode.Code != Code.Call)
+					continue;
+				var initMethodTmp = call.Operand as MethodDefinition;
+				ObfuscatorVersion obfuscatorVersionTmp;
+				if (!checkInitMethod(initMethodTmp, out obfuscatorVersionTmp))
+					continue;
+				if (!checkMethodsType(initMethodTmp.DeclaringType))
+					continue;
+
+				obfuscatorVersion = obfuscatorVersionTmp;
+				theType = initMethodTmp.DeclaringType;
+				initMethod = initMethodTmp;
+				break;
+			}
+		}
+
+		static string[] fieldTypesV5 = new string[] {
+			"System.Byte[]",
+			"System.Collections.Generic.List`1<System.Delegate>",
+			"System.Runtime.InteropServices.GCHandle",
+		};
+		bool checkInitMethod(MethodDefinition initMethod, out ObfuscatorVersion obfuscatorVersionTmp) {
+			obfuscatorVersionTmp = ObfuscatorVersion.Unknown;
+
+			if (initMethod == null)
+				return false;
+
+			if (initMethod.Body == null)
+				return false;
+			if (!initMethod.IsStatic)
+				return false;
+			if (!DotNetUtils.isMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
+				return false;
+
+			if (hasCodeString(initMethod, "E_FullTrust")) {
+				if (DotNetUtils.getPInvokeMethod(initMethod.DeclaringType, "user32", "CallWindowProcW") != null)
+					obfuscatorVersionTmp = ObfuscatorVersion.V4_1;
+				else
+					obfuscatorVersionTmp = ObfuscatorVersion.V4_0;
+			}
+			else if (hasCodeString(initMethod, "Full Trust Required"))
+				obfuscatorVersionTmp = ObfuscatorVersion.V3;
+			else if (initMethod.DeclaringType.HasNestedTypes && new FieldTypes(initMethod.DeclaringType).all(fieldTypesV5))
+				obfuscatorVersionTmp = ObfuscatorVersion.V5_0;
+			else
+				return false;
+
+			return true;
+		}
+
+		static bool hasCodeString(MethodDefinition method, string str) {
+			foreach (var s in DotNetUtils.getCodeStrings(method)) {
+				if (s == str)
+					return true;
+			}
+			return false;
+		}
+
+		bool checkMethodsType(TypeDefinition type) {
+			var fields = getRvaFields(type);
+			if (fields.Count < 2)	// RVAs for executive and stub are always present if encrypted methods
+				return true;
+
+			rvas = new List<int>(fields.Count);
+			foreach (var field in fields)
+				rvas.Add(field.RVA);
+			return true;
+		}
+
+		static List<FieldDefinition> getRvaFields(TypeDefinition type) {
+			var fields = new List<FieldDefinition>();
+			foreach (var field in type.Fields) {
+				if (field.FieldType.EType != ElementType.U1 && field.FieldType.EType != ElementType.U4)
+					continue;
+				if (field.RVA == 0)
+					continue;
+
+				fields.Add(field);
+			}
+			return fields;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index 03b245a5..e31fc580 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -29,33 +29,17 @@ using de4dot.code.PE;
 
 namespace de4dot.code.deobfuscators.CodeVeil {
 	class MethodsDecrypter {
-		ModuleDefinition module;
-		TypeDefinition methodsType;
-		List<int> rvas;	// _stub and _executive
+		MainType mainType;
 		IDecrypter decrypter;
 
-		public ObfuscatorVersion Version {
-			get { return decrypter == null ? ObfuscatorVersion.Unknown : decrypter.Version; }
-		}
-
 		interface IDecrypter {
-			ObfuscatorVersion Version { get; }
 			void initialize(byte[] methodsData);
 			bool decrypt(BinaryReader fileDataReader, DumpedMethod dm);
 		}
 
 		class Decrypter : IDecrypter {
-			ObfuscatorVersion obfuscatorVersion;
 			BinaryReader methodsDataReader;
 
-			public ObfuscatorVersion Version {
-				get { return obfuscatorVersion; }
-			}
-
-			public Decrypter(ObfuscatorVersion obfuscatorVersion) {
-				this.obfuscatorVersion = obfuscatorVersion;
-			}
-
 			public virtual void initialize(byte[] methodsData) {
 				methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
 			}
@@ -121,10 +105,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		class DecrypterV5 : Decrypter {
 			byte[] decryptKey;
 
-			public DecrypterV5()
-				: base(ObfuscatorVersion.V5_0) {
-			}
-
 			public override void initialize(byte[] methodsData) {
 				var data = DeobUtils.inflate(methodsData, true);
 				decryptKey = BitConverter.GetBytes(BitConverter.ToUInt32(data, 0));
@@ -146,117 +126,42 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		}
 
 		public bool Detected {
-			get { return methodsType != null; }
+			get { return decrypter != null; }
 		}
 
-		public MethodsDecrypter(ModuleDefinition module) {
-			this.module = module;
+		public MethodsDecrypter(MainType mainType) {
+			this.mainType = mainType;
 		}
 
-		public MethodsDecrypter(ModuleDefinition module, MethodsDecrypter oldOne) {
-			this.module = module;
-			this.methodsType = lookup(oldOne.methodsType, "Could not find methods type");
-		}
-
-		T lookup<T>(T def, string errorMessage) where T : MemberReference {
-			return DeobUtils.lookup(module, def, errorMessage);
+		public MethodsDecrypter(MainType mainType, MethodsDecrypter oldOne) {
+			this.mainType = mainType;
 		}
 
 		public void find() {
-			var cctor = DotNetUtils.getModuleTypeCctor(module);
-			if (cctor == null)
+			if (!mainType.Detected)
 				return;
 
-			var instrs = cctor.Body.Instructions;
-			for (int i = 0; i < instrs.Count - 2; i++) {
-				var ldci4_1 = instrs[i];
-				if (!DotNetUtils.isLdcI4(ldci4_1))
-					continue;
-
-				var ldci4_2 = instrs[i + 1];
-				if (!DotNetUtils.isLdcI4(ldci4_2))
-					continue;
-
-				var call = instrs[i + 2];
-				if (call.OpCode.Code != Code.Call)
-					continue;
-				var initMethod = call.Operand as MethodDefinition;
-				if (!checkInitMethod(initMethod))
-					continue;
-				if (!checkMethodsType(initMethod.DeclaringType))
-					continue;
-
-				methodsType = initMethod.DeclaringType;
+			switch (mainType.Version) {
+			case ObfuscatorVersion.Unknown:
 				break;
-			}
-		}
 
-		static string[] fieldTypesV5 = new string[] {
-			"System.Byte[]",
-			"System.Collections.Generic.List`1<System.Delegate>",
-			"System.Runtime.InteropServices.GCHandle",
-		};
-		bool checkInitMethod(MethodDefinition initMethod) {
-			if (initMethod == null)
-				return false;
+			case ObfuscatorVersion.V3:
+			case ObfuscatorVersion.V4_0:
+			case ObfuscatorVersion.V4_1:
+				decrypter = new Decrypter();
+				break;
 
-			if (initMethod.Body == null)
-				return false;
-			if (!initMethod.IsStatic)
-				return false;
-			if (!DotNetUtils.isMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
-				return false;
-
-			if (hasCodeString(initMethod, "E_FullTrust")) {
-				if (DotNetUtils.getPInvokeMethod(initMethod.DeclaringType, "user32", "CallWindowProcW") != null)
-					decrypter = new Decrypter(ObfuscatorVersion.V4_1);
-				else
-					decrypter = new Decrypter(ObfuscatorVersion.V4_0);
-			}
-			else if (hasCodeString(initMethod, "Full Trust Required"))
-				decrypter = new Decrypter(ObfuscatorVersion.V3);
-			else if (initMethod.DeclaringType.HasNestedTypes && new FieldTypes(initMethod.DeclaringType).all(fieldTypesV5))
+			case ObfuscatorVersion.V5_0:
 				decrypter = new DecrypterV5();
-			else
-				return false;
+				break;
 
-			return true;
-		}
-
-		static bool hasCodeString(MethodDefinition method, string str) {
-			foreach (var s in DotNetUtils.getCodeStrings(method)) {
-				if (s == str)
-					return true;
+			default:
+				throw new ApplicationException("Unknown version");
 			}
-			return false;
-		}
-
-		bool checkMethodsType(TypeDefinition type) {
-			var fields = getRvaFields(type);
-			if (fields.Count < 2)
-				return false;
-
-			rvas = new List<int>(fields.Count);
-			foreach (var field in fields)
-				rvas.Add(field.RVA);
-			return true;
-		}
-
-		static List<FieldDefinition> getRvaFields(TypeDefinition type) {
-			var fields = new List<FieldDefinition>();
-			foreach (var field in type.Fields) {
-				if (field.FieldType.EType != ElementType.U1 && field.FieldType.EType != ElementType.U4)
-					continue;
-				if (field.RVA == 0)
-					continue;
-
-				fields.Add(field);
-			}
-			return fields;
 		}
 
 		public bool decrypt(byte[] fileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
-			if (methodsType == null)
+			if (decrypter == null)
 				return false;
 
 			var peImage = new PeImage(fileData);
@@ -356,7 +261,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 					return null;
 
 				int rva = BitConverter.ToInt32(fileData, offset + RVA_EXECUTIVE_OFFSET);
-				if (rvas.IndexOf(rva) < 0)
+				if (mainType.Rvas.IndexOf(rva) < 0)
 					continue;
 
 				int relOffs = BitConverter.ToInt32(fileData, offset + ENC_CODE_OFFSET);
@@ -377,7 +282,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 		int getStartOffset(PeImage peImage) {
 			int minOffset = int.MaxValue;
-			foreach (var rva in rvas) {
+			foreach (var rva in mainType.Rvas) {
 				int rvaOffs = (int)peImage.rvaToOffset((uint)rva);
 				if (rvaOffs < minOffset)
 					minOffset = rvaOffs;
diff --git a/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
index 668c4207..a0d02b9a 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
@@ -26,11 +26,11 @@ using de4dot.blocks;
 
 namespace de4dot.code.deobfuscators.CodeVeil {
 	class ProxyDelegateFinder : ProxyDelegateFinderBase {
+		MainType mainType;
 		Info info = new Info();
 		BinaryReader reader;
 
 		class Info {
-			public TypeDefinition mainType;
 			public TypeDefinition proxyType;
 			public MethodDefinition initMethod;
 			public FieldDefinition dataField;
@@ -44,13 +44,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			}
 		}
 
-		public ProxyDelegateFinder(ModuleDefinition module)
+		public ProxyDelegateFinder(ModuleDefinition module, MainType mainType)
 			: base(module) {
+			this.mainType = mainType;
 		}
 
-		public ProxyDelegateFinder(ModuleDefinition module, ProxyDelegateFinder oldOne)
+		public ProxyDelegateFinder(ModuleDefinition module, MainType mainType, ProxyDelegateFinder oldOne)
 			: base(module, oldOne) {
-			info.mainType = lookup(oldOne.info.mainType, "Could not find mainType");
+			this.mainType = mainType;
 			info.proxyType = lookup(oldOne.info.proxyType, "Could not find proxyType");
 			info.initMethod = lookup(oldOne.info.initMethod, "Could not find initMethod");
 			info.dataField = lookup(oldOne.info.dataField, "Could not find dataField");
@@ -97,22 +98,15 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		}
 
 		public void findDelegateCreator() {
-			var moduleCctor = DotNetUtils.getModuleTypeCctor(module);
-			if (moduleCctor == null)
+			if (!mainType.Detected)
 				return;
-			foreach (var call in DotNetUtils.getCalledMethods(module, moduleCctor)) {
-				if (!call.Item2.IsStatic)
-					continue;
-				if (!DotNetUtils.isMethod(call.Item2, "System.Void", "(System.Boolean,System.Boolean)"))
-					continue;
-				var infoTmp = new Info();
-				if (!initializeInfo(infoTmp, call.Item1))
-					continue;
 
-				info = infoTmp;
-				setDelegateCreatorMethod(info.initMethod);
+			var infoTmp = new Info();
+			if (!initializeInfo(infoTmp, mainType.Type))
 				return;
-			}
+
+			info = infoTmp;
+			setDelegateCreatorMethod(info.initMethod);
 		}
 
 		bool initializeInfo(Info infoTmp, TypeDefinition type) {
@@ -123,7 +117,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				if (!initProxyType(infoTmp, cctor))
 					continue;
 
-				infoTmp.mainType = type;
 				return true;
 			}
 
@@ -184,7 +177,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		}
 
 		protected override IEnumerable<TypeDefinition> getDelegateTypes() {
-			return info.mainType.NestedTypes;
+			if (!mainType.Detected)
+				return new List<TypeDefinition>();
+			return mainType.Type.NestedTypes;
 		}
 
 		public void initialize() {
diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
index 952e31db..e745536a 100644
--- a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
@@ -26,6 +26,7 @@ using de4dot.blocks;
 namespace de4dot.code.deobfuscators.CodeVeil {
 	class StringDecrypter {
 		ModuleDefinition module;
+		MainType mainType;
 		TypeDefinition decrypterType;
 		FieldDefinition stringDataField;
 		MethodDefinition initMethod;
@@ -40,12 +41,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			get { return decrypterMethod; }
 		}
 
-		public StringDecrypter(ModuleDefinition module) {
+		public StringDecrypter(ModuleDefinition module, MainType mainType) {
 			this.module = module;
+			this.mainType = mainType;
 		}
 
-		public StringDecrypter(ModuleDefinition module, StringDecrypter oldOne) {
+		public StringDecrypter(ModuleDefinition module, MainType mainType, StringDecrypter oldOne) {
 			this.module = module;
+			this.mainType = mainType;
 			this.decrypterType = lookup(oldOne.decrypterType, "Could not find string decrypter type");
 			this.stringDataField = lookup(oldOne.stringDataField, "Could not find string data field");
 			this.initMethod = lookup(oldOne.initMethod, "Could not find string decrypter init method");
@@ -95,21 +98,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 		// The main decrypter type calls the string decrypter init method inside its init method
 		void find_V5(MethodDefinition method) {
-			var instrs = method.Body.Instructions;
-			for (int i = 0; i < instrs.Count; i++) {
-				var call = instrs[i];
-				if (call.OpCode.Code != Code.Call)
-					continue;
-				var mainTypeInitMethod = call.Operand as MethodDefinition;
-				if (mainTypeInitMethod == null || mainTypeInitMethod.Body == null || !mainTypeInitMethod.IsStatic)
-					continue;
-				if (!DotNetUtils.isMethod(mainTypeInitMethod, "System.Void", "(System.Boolean,System.Boolean)"))
-					continue;
-
-				foreach (var info in DotNetUtils.getCalledMethods(module, mainTypeInitMethod)) {
-					if (find(info.Item2))
-						return;
-				}
+			if (!mainType.Detected)
+				return;
+			foreach (var info in DotNetUtils.getCalledMethods(module, mainType.InitMethod)) {
+				if (find(info.Item2))
+					return;
 			}
 		}
 

From 780da4a0ad9f0cd0a368fcd4bab7d7c812a3e7b6 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 15:45:18 +0100
Subject: [PATCH 40/78] Update detection of encrypted methods data

---
 .../deobfuscators/CodeVeil/MethodsDecrypter.cs      | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index e31fc580..4c977ca4 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -246,6 +246,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			const int RVA_EXECUTIVE_OFFSET = 1 * 4;
 			const int ENC_CODE_OFFSET = 6 * 4;
+			const int MAGIC1_OFFSET = 7 * 4;
+			const int MAGIC2_OFFSET = 8 * 4;
 			int lastOffset = (int)(section.pointerToRawData + section.sizeOfRawData);
 			for (int offset = getStartOffset(peImage); offset < lastOffset; ) {
 				offset = findSig(fileData, offset, lastOffset, initializeMethodEnd);
@@ -257,15 +259,20 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				if (retImm16 != 0x0C && retImm16 != 0x10)
 					continue;
 				offset += 2;
-				if (offset + ENC_CODE_OFFSET + 4 > lastOffset)
+				if (offset + MAGIC2_OFFSET + 4 > lastOffset)
 					return null;
 
+				// rva is 0 when the assembly has been embedded
 				int rva = BitConverter.ToInt32(fileData, offset + RVA_EXECUTIVE_OFFSET);
-				if (mainType.Rvas.IndexOf(rva) < 0)
+				if (rva != 0 && mainType.Rvas.IndexOf(rva) < 0)
+					continue;
+				if (BitConverter.ToInt32(fileData, offset + MAGIC1_OFFSET) != -1)
+					continue;
+				if (BitConverter.ToInt32(fileData, offset + MAGIC2_OFFSET) != -1)
 					continue;
 
 				int relOffs = BitConverter.ToInt32(fileData, offset + ENC_CODE_OFFSET);
-				if (relOffs < 0 || relOffs >= section.sizeOfRawData)
+				if (relOffs <= 0 || relOffs >= section.sizeOfRawData)
 					continue;
 				reader.BaseStream.Position = section.pointerToRawData + relOffs;
 

From 1583552825b5bbd07cc889d0232b11ead8650f79 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 16:14:07 +0100
Subject: [PATCH 41/78] Make sure rvas list is never null

---
 de4dot.code/deobfuscators/CodeVeil/MainType.cs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/MainType.cs b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
index e4f0a8fb..661eefdd 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MainType.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
@@ -30,7 +30,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		TypeDefinition theType;
 		MethodDefinition initMethod;
 		ObfuscatorVersion obfuscatorVersion = ObfuscatorVersion.Unknown;
-		List<int> rvas;	// _stub and _executive
+		List<int> rvas = new List<int>();	// _stub and _executive
 
 		public bool Detected {
 			get { return theType != null; }
@@ -143,11 +143,12 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		}
 
 		bool checkMethodsType(TypeDefinition type) {
+			rvas = new List<int>();
+
 			var fields = getRvaFields(type);
 			if (fields.Count < 2)	// RVAs for executive and stub are always present if encrypted methods
 				return true;
 
-			rvas = new List<int>(fields.Count);
 			foreach (var field in fields)
 				rvas.Add(field.RVA);
 			return true;

From 98c8ea49e9f23f20ad551693f1f9fa0cdd446e2c Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 18:40:24 +0100
Subject: [PATCH 42/78] Remove tamper detection code

---
 de4dot.code/de4dot.code.csproj                |   1 +
 .../deobfuscators/CodeVeil/Deobfuscator.cs    |  13 ++
 .../deobfuscators/CodeVeil/MainType.cs        |  23 ++++
 .../deobfuscators/CodeVeil/TamperDetection.cs | 124 ++++++++++++++++++
 4 files changed, 161 insertions(+)
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/TamperDetection.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 6a56f669..9ce9308a 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -86,6 +86,7 @@
     <Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\Deobfuscator.cs" />
     <Compile Include="deobfuscators\CodeVeil\ProxyDelegateFinder.cs" />
+    <Compile Include="deobfuscators\CodeVeil\TamperDetection.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index bb4741fa..6cc9b45e 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -81,6 +81,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		public Deobfuscator(Options options)
 			: base(options) {
 			this.options = options;
+			StringFeatures = StringFeatures.AllowStaticDecryption | StringFeatures.AllowDynamicDecryption;
 		}
 
 		protected override int detectInternal() {
@@ -174,6 +175,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		public override void deobfuscateBegin() {
 			base.deobfuscateBegin();
 
+			mainType.initialize();
+
 			if (Operations.DecryptStrings != OpDecryptString.None) {
 				stringDecrypter.initialize();
 				staticStringInliner.add(stringDecrypter.DecryptMethod, (method, args) => {
@@ -186,10 +189,20 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			assemblyResolver.initialize();
 			dumpEmbeddedAssemblies();
 
+			removeTamperDetection();
+
 			proxyDelegateFinder.initialize();
 			proxyDelegateFinder.find();
 		}
 
+		void removeTamperDetection() {
+			var tamperDetection = new TamperDetection(module, mainType);
+			tamperDetection.initialize();
+			foreach (var tamperDetectionMethod in tamperDetection.Methods)
+				addCctorInitCallToBeRemoved(tamperDetectionMethod);
+			addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
+		}
+
 		void dumpEmbeddedAssemblies() {
 			foreach (var info in assemblyResolver.AssemblyInfos)
 				DeobfuscatedFile.createAssemblyFile(info.data, info.simpleName, info.extension);
diff --git a/de4dot.code/deobfuscators/CodeVeil/MainType.cs b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
index 661eefdd..60d56693 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MainType.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
@@ -29,6 +29,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		ModuleDefinition module;
 		TypeDefinition theType;
 		MethodDefinition initMethod;
+		MethodDefinition tamperCheckMethod;
 		ObfuscatorVersion obfuscatorVersion = ObfuscatorVersion.Unknown;
 		List<int> rvas = new List<int>();	// _stub and _executive
 
@@ -48,6 +49,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			get { return initMethod; }
 		}
 
+		public MethodDefinition TamperCheckMethod {
+			get { return tamperCheckMethod; }
+		}
+
 		public List<int> Rvas {
 			get { return rvas; }
 		}
@@ -60,6 +65,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			this.module = module;
 			this.theType = lookup(oldOne.theType, "Could not find main type");
 			this.initMethod = lookup(oldOne.initMethod, "Could not find main type init method");
+			this.tamperCheckMethod = lookup(oldOne.tamperCheckMethod, "Could not find tamper detection method");
 			this.obfuscatorVersion = oldOne.obfuscatorVersion;
 			this.rvas = oldOne.rvas;
 		}
@@ -166,5 +172,22 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			}
 			return fields;
 		}
+
+		public void initialize() {
+			tamperCheckMethod = findTamperCheckMethod();
+		}
+
+		MethodDefinition findTamperCheckMethod() {
+			foreach (var method in theType.Methods) {
+				if (!method.IsStatic || method.Body == null)
+					continue;
+				if (!DotNetUtils.isMethod(method, "System.Void", "(System.Reflection.Assembly,System.UInt64)"))
+					continue;
+
+				return method;
+			}
+
+			return null;
+		}
 	}
 }
diff --git a/de4dot.code/deobfuscators/CodeVeil/TamperDetection.cs b/de4dot.code/deobfuscators/CodeVeil/TamperDetection.cs
new file mode 100644
index 00000000..1393eea8
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/TamperDetection.cs
@@ -0,0 +1,124 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Collections.Generic;
+using Mono.Cecil;
+using Mono.Cecil.Metadata;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	class TamperDetection {
+		ModuleDefinition module;
+		MainType mainType;
+		TypeDefinition tamperDetectionType;
+		List<MethodDefinition> tamperDetectionMethods = new List<MethodDefinition>();
+
+		public TypeDefinition Type {
+			get { return tamperDetectionType; }
+		}
+
+		public List<MethodDefinition> Methods {
+			get { return tamperDetectionMethods; }
+		}
+
+		public TamperDetection(ModuleDefinition module, MainType mainType) {
+			this.module = module;
+			this.mainType = mainType;
+		}
+
+		public void initialize() {
+			if (!mainType.Detected)
+				return;
+
+			if (mainType.TamperCheckMethod == null)
+				return;
+
+			findTamperDetectionTypes();
+		}
+
+		void findTamperDetectionTypes() {
+			foreach (var type in module.Types) {
+				if (!type.HasNestedTypes)
+					continue;
+				if ((type.Attributes & ~TypeAttributes.Sealed) != 0)
+					continue;
+
+				if (!checkTamperDetectionClasses(type.NestedTypes))
+					continue;
+
+				tamperDetectionType = type;
+				findTamperDetectionMethods();
+				return;
+			}
+		}
+
+		void findTamperDetectionMethods() {
+			foreach (var type in tamperDetectionType.NestedTypes) {
+				foreach (var method in type.Methods) {
+					if (!method.IsStatic || method.Body == null)
+						continue;
+					if (method.Name == ".cctor")
+						continue;
+					if (DotNetUtils.isMethod(method, "System.Void", "()"))
+						tamperDetectionMethods.Add(method);
+				}
+			}
+		}
+
+		bool checkTamperDetectionClasses(IEnumerable<TypeDefinition> types) {
+			foreach (var type in types) {
+				if (!isTamperDetectionClass(type))
+					return false;
+			}
+			return true;
+		}
+
+		bool isTamperDetectionClass(TypeDefinition type) {
+			if (type.BaseType == null || type.BaseType.EType != ElementType.Object)
+				return false;
+			if ((type.Attributes & ~TypeAttributes.Sealed) != TypeAttributes.NestedAssembly)
+				return false;
+
+			MethodDefinition cctor = null, initMethod = null;
+			foreach (var method in type.Methods) {
+				if (!method.IsStatic || method.Body == null)
+					return false;
+				if (method.Name == ".cctor")
+					cctor = method;
+				else if (DotNetUtils.isMethod(method, "System.Void", "()"))
+					initMethod = method;
+			}
+			if (cctor == null || initMethod == null)
+				return false;
+
+			if (!callsMainTypeTamperCheckMethod(cctor))
+				return false;
+
+			return true;
+		}
+
+		bool callsMainTypeTamperCheckMethod(MethodDefinition method) {
+			foreach (var info in DotNetUtils.getCalledMethods(module, method)) {
+				if (info.Item2 == mainType.TamperCheckMethod)
+					return true;
+			}
+			return false;
+		}
+	}
+}

From c7571393570368150a06a538b8385f9e7b7fef78 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 18:58:06 +0100
Subject: [PATCH 43/78] Remove string decrypter type

---
 .../deobfuscators/CodeVeil/Deobfuscator.cs    |  3 +++
 .../deobfuscators/CodeVeil/MainType.cs        | 23 +++++++++++++++++++
 .../deobfuscators/CodeVeil/StringDecrypter.cs | 11 +++++++++
 3 files changed, 37 insertions(+)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 6cc9b45e..42ef268a 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -183,6 +183,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 					return stringDecrypter.decrypt((int)args[0]);
 				});
 				DeobfuscatedFile.stringDecryptersAdded();
+				addModuleCctorInitCallToBeRemoved(stringDecrypter.InitMethod);
+				addCallToBeRemoved(mainType.getInitStringDecrypterMethod(stringDecrypter.InitMethod), stringDecrypter.InitMethod);
+				addTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
 			}
 
 			assemblyResolver = new AssemblyResolver(module);
diff --git a/de4dot.code/deobfuscators/CodeVeil/MainType.cs b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
index 60d56693..df8f5e33 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MainType.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
@@ -189,5 +189,28 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			return null;
 		}
+
+		public MethodDefinition getInitStringDecrypterMethod(MethodDefinition stringDecrypterInitMethod) {
+			if (stringDecrypterInitMethod == null)
+				return null;
+			if (theType == null)
+				return null;
+
+			foreach (var method in theType.Methods) {
+				if (!method.IsStatic || method.Body == null)
+					continue;
+				if (callsMethod(method, stringDecrypterInitMethod))
+					return method;
+			}
+			return null;
+		}
+
+		bool callsMethod(MethodDefinition methodToCheck, MethodDefinition calledMethod) {
+			foreach (var info in DotNetUtils.getCalledMethods(module, methodToCheck)) {
+				if (info.Item2 == calledMethod)
+					return true;
+			}
+			return false;
+		}
 	}
 }
diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
index e745536a..a5c7dadf 100644
--- a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
@@ -37,6 +37,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			get { return decrypterType != null; }
 		}
 
+		public TypeDefinition Type {
+			get { return decrypterType; }
+		}
+
+		public MethodDefinition InitMethod {
+			get { return initMethod; }
+		}
+
 		public MethodDefinition DecryptMethod {
 			get { return decrypterMethod; }
 		}
@@ -180,6 +188,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				throw new ApplicationException("Could not find string decrypter key");
 
 			decryptStrings(key);
+
+			stringDataField.FieldType = module.TypeSystem.Byte;
+			stringDataField.InitialValue = new byte[1];
 		}
 
 		static uint[] getKey(MethodDefinition method) {

From 04247b55336f30de89527915e993e4a67dfdbf09 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 19:20:55 +0100
Subject: [PATCH 44/78] Remove most calls to main CV type

---
 .../deobfuscators/CodeVeil/Deobfuscator.cs    | 10 ++++
 .../deobfuscators/CodeVeil/MainType.cs        | 51 +++++++++++++++++++
 2 files changed, 61 insertions(+)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 42ef268a..f4aa03e0 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -176,6 +176,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			base.deobfuscateBegin();
 
 			mainType.initialize();
+			if (mainType.Version >= ObfuscatorVersion.V5_0) {
+				//TODO: addTypeToBeRemoved(mainType.Type, "Main CV type");
+			}
+			foreach (var initMethod in mainType.OtherInitMethods)
+				addCctorInitCallToBeRemoved(initMethod);
 
 			if (Operations.DecryptStrings != OpDecryptString.None) {
 				stringDecrypter.initialize();
@@ -218,6 +223,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			base.deobfuscateMethodBegin(blocks);
 		}
 
+		public override void deobfuscateMethodEnd(blocks.Blocks blocks) {
+			mainType.removeInitCall(blocks);
+			base.deobfuscateMethodEnd(blocks);
+		}
+
 		public override void deobfuscateEnd() {
 			removeProxyDelegates(proxyDelegateFinder, false);	//TODO: Should be 'true'
 			base.deobfuscateEnd();
diff --git a/de4dot.code/deobfuscators/CodeVeil/MainType.cs b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
index df8f5e33..ff174f5a 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MainType.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
@@ -32,6 +32,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		MethodDefinition tamperCheckMethod;
 		ObfuscatorVersion obfuscatorVersion = ObfuscatorVersion.Unknown;
 		List<int> rvas = new List<int>();	// _stub and _executive
+		List<MethodDefinition> otherInitMethods = new List<MethodDefinition>();
 
 		public bool Detected {
 			get { return theType != null; }
@@ -49,6 +50,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			get { return initMethod; }
 		}
 
+		public List<MethodDefinition> OtherInitMethods {
+			get { return otherInitMethods; }
+		}
+
 		public MethodDefinition TamperCheckMethod {
 			get { return tamperCheckMethod; }
 		}
@@ -174,7 +179,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		}
 
 		public void initialize() {
+			if (theType == null)
+				return;
+
 			tamperCheckMethod = findTamperCheckMethod();
+			otherInitMethods = findOtherInitMethods();
 		}
 
 		MethodDefinition findTamperCheckMethod() {
@@ -190,6 +199,21 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			return null;
 		}
 
+		List<MethodDefinition> findOtherInitMethods() {
+			var list = new List<MethodDefinition>();
+			foreach (var method in theType.Methods) {
+				if (!method.IsStatic)
+					continue;
+				if (method.Name == ".cctor")
+					continue;
+				if (!DotNetUtils.isMethod(method, "System.Void", "()"))
+					continue;
+
+				list.Add(method);
+			}
+			return list;
+		}
+
 		public MethodDefinition getInitStringDecrypterMethod(MethodDefinition stringDecrypterInitMethod) {
 			if (stringDecrypterInitMethod == null)
 				return null;
@@ -212,5 +236,32 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			}
 			return false;
 		}
+
+		public void removeInitCall(Blocks blocks) {
+			if (initMethod == null || theType == null)
+				return;
+			if (blocks.Method.Name != ".cctor")
+				return;
+			if (blocks.Method.DeclaringType != DotNetUtils.getModuleType(module))
+				return;
+
+			foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
+				var instrs = block.Instructions;
+				for (int i = 0; i < instrs.Count - 2; i++) {
+					if (!instrs[i].isLdcI4())
+						continue;
+					if (!instrs[i + 1].isLdcI4())
+						continue;
+					var call = instrs[i + 2];
+					if (call.OpCode.Code != Code.Call)
+						continue;
+					if (call.Operand != initMethod)
+						continue;
+
+					block.remove(i, 3);
+					return;
+				}
+			}
+		}
 	}
 }

From a8d6aac306ba152ac6cac3ba34b41866b5aad69d Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 19:36:58 +0100
Subject: [PATCH 45/78] Update detection of tamper detection types when proxy
 calls are enabled

---
 .../deobfuscators/CodeVeil/TamperDetection.cs | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/de4dot.code/deobfuscators/CodeVeil/TamperDetection.cs b/de4dot.code/deobfuscators/CodeVeil/TamperDetection.cs
index 1393eea8..36162e22 100644
--- a/de4dot.code/deobfuscators/CodeVeil/TamperDetection.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/TamperDetection.cs
@@ -19,6 +19,7 @@
 
 using System.Collections.Generic;
 using Mono.Cecil;
+using Mono.Cecil.Cil;
 using Mono.Cecil.Metadata;
 using de4dot.blocks;
 
@@ -118,7 +119,33 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				if (info.Item2 == mainType.TamperCheckMethod)
 					return true;
 			}
+
+			var instructions = method.Body.Instructions;
+			for (int i = 0; i < instructions.Count; i++) {
+				var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Call, OpCodes.Ldc_I8, OpCodes.Call);
+				if (instrs == null)
+					continue;
+
+				if (!checkInvokeCall(instrs[1], "System.Type", "(System.RuntimeTypeHandle)"))
+					continue;
+				if (!checkInvokeCall(instrs[2], "System.Reflection.Assembly", "(System.Object)"))
+					continue;
+				if (!checkInvokeCall(instrs[4], "System.Void", "(System.Reflection.Assembly,System.UInt64)"))
+					continue;
+
+				return true;
+			}
+
 			return false;
 		}
+
+		static bool checkInvokeCall(Instruction instr, string returnType, string parameters) {
+			var method = instr.Operand as MethodDefinition;
+			if (method == null)
+				return false;
+			if (method.Name != "Invoke")
+				return false;
+			return DotNetUtils.isMethod(method, returnType, parameters);
+		}
 	}
 }

From b5c8a89b3275642d448cc1fc8d2bec0d5dd25994 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 19:40:17 +0100
Subject: [PATCH 46/78] Remove init method calls called from .ctors

---
 de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index f4aa03e0..90271bfa 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -179,8 +179,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			if (mainType.Version >= ObfuscatorVersion.V5_0) {
 				//TODO: addTypeToBeRemoved(mainType.Type, "Main CV type");
 			}
-			foreach (var initMethod in mainType.OtherInitMethods)
+			foreach (var initMethod in mainType.OtherInitMethods) {
 				addCctorInitCallToBeRemoved(initMethod);
+				addCtorInitCallToBeRemoved(initMethod);
+			}
 
 			if (Operations.DecryptStrings != OpDecryptString.None) {
 				stringDecrypter.initialize();

From d5089fa8889963c44e7f44c1c45afa8f5cb4eeb8 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 19:54:05 +0100
Subject: [PATCH 47/78] Remove kill type in deobfuscateBegin()

---
 de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 90271bfa..021e6d11 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -55,13 +55,13 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 	class Deobfuscator : DeobfuscatorBase {
 		Options options;
 		string obfuscatorName = DeobfuscatorInfo.THE_NAME;
-		bool foundKillType = false;
 
 		MainType mainType;
 		MethodsDecrypter methodsDecrypter;
 		ProxyDelegateFinder proxyDelegateFinder;
 		StringDecrypter stringDecrypter;
 		AssemblyResolver assemblyResolver;
+		TypeDefinition killType;
 
 		internal class Options : OptionsBase {
 		}
@@ -93,7 +93,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 					toInt32(proxyDelegateFinder.Detected);
 			if (sum > 0)
 				val += 100 + 10 * (sum - 1);
-			if (foundKillType)
+			if (killType != null)
 				val += 10;
 
 			return val;
@@ -143,8 +143,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		void findKillType() {
 			foreach (var type in module.Types) {
 				if (type.FullName == "____KILL") {
-					addTypeToBeRemoved(type, "KILL type");
-					foundKillType = true;
+					killType = type;
 					break;
 				}
 			}
@@ -169,12 +168,15 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			newOne.methodsDecrypter = new MethodsDecrypter(mainType, methodsDecrypter);
 			newOne.stringDecrypter = new StringDecrypter(module, newOne.mainType, stringDecrypter);
 			newOne.proxyDelegateFinder = new ProxyDelegateFinder(module, newOne.mainType, proxyDelegateFinder);
+			newOne.killType = DeobUtils.lookup(module, killType, "Could not find KILL type");
 			return newOne;
 		}
 
 		public override void deobfuscateBegin() {
 			base.deobfuscateBegin();
 
+			addTypeToBeRemoved(killType, "KILL type");
+
 			mainType.initialize();
 			if (mainType.Version >= ObfuscatorVersion.V5_0) {
 				//TODO: addTypeToBeRemoved(mainType.Type, "Main CV type");

From 15713a2b382c65a7ffae16e6206463f761831faf Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 22:01:10 +0100
Subject: [PATCH 48/78] Check assembly for null (it could be a netmodule)

---
 de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs b/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs
index e0151f16..ad0993a7 100644
--- a/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/DeepSea/StringDecrypter.cs
@@ -222,6 +222,8 @@ namespace de4dot.code.deobfuscators.DeepSea {
 			}
 
 			short[] findKey() {
+				if (cctor.Module.Assembly == null)
+					return null;
 				var pkt = cctor.Module.Assembly.Name.PublicKeyToken;
 				if (pkt != null && pkt.Length > 0)
 					return getPublicKeyTokenKey(pkt);
@@ -302,7 +304,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
 					return false;
 
 				key = findKey();
-				if (key.Length == 0)
+				if (key == null || key.Length == 0)
 					return false;
 
 				return true;
@@ -339,6 +341,8 @@ namespace de4dot.code.deobfuscators.DeepSea {
 			}
 
 			short[] findKey() {
+				if (cctor.Module.Assembly == null)
+					return null;
 				var pkt = cctor.Module.Assembly.Name.PublicKeyToken;
 				if (pkt != null && pkt.Length > 0)
 					return getPublicKeyTokenKey(pkt);
@@ -433,6 +437,9 @@ namespace de4dot.code.deobfuscators.DeepSea {
 		}
 
 		public void find(ISimpleDeobfuscator simpleDeobfuscator) {
+			if (module.Assembly == null)
+				return;
+
 			bool hasPublicKeyToken = module.Assembly.Name.PublicKeyToken != null && module.Assembly.Name.PublicKeyToken.Length != 0;
 			foreach (var type in module.GetTypes()) {
 				if (!checkFields(type.Fields))

From 51b21c9f9f605e738e542fdba55cc79141137268 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 22:01:47 +0100
Subject: [PATCH 49/78] Check for invalid locals index

---
 blocks/DotNetUtils.cs | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/blocks/DotNetUtils.cs b/blocks/DotNetUtils.cs
index 6c019794..5441e20f 100644
--- a/blocks/DotNetUtils.cs
+++ b/blocks/DotNetUtils.cs
@@ -224,6 +224,7 @@ namespace de4dot.blocks {
 		// Returns the variable or null if it's not a ldloc/stloc instruction. It does not return
 		// a local variable if it's a ldloca/ldloca.s instruction.
 		public static VariableDefinition getLocalVar(IList<VariableDefinition> locals, Instruction instr) {
+			int index;
 			switch (instr.OpCode.Code) {
 			case Code.Ldloc:
 			case Code.Ldloc_S:
@@ -235,17 +236,23 @@ namespace de4dot.blocks {
 			case Code.Ldloc_1:
 			case Code.Ldloc_2:
 			case Code.Ldloc_3:
-				return locals[instr.OpCode.Code - Code.Ldloc_0];
+				index = instr.OpCode.Code - Code.Ldloc_0;
+				break;
 
 			case Code.Stloc_0:
 			case Code.Stloc_1:
 			case Code.Stloc_2:
 			case Code.Stloc_3:
-				return locals[instr.OpCode.Code - Code.Stloc_0];
+				index = instr.OpCode.Code - Code.Stloc_0;
+				break;
 
 			default:
 				return null;
 			}
+
+			if (index < locals.Count)
+				return locals[index];
+			return null;
 		}
 
 		public static bool isConditionalBranch(Code code) {

From 45bf016a2e07b8aca30ad688ec7e068e2babff97 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Thu, 9 Feb 2012 10:14:08 +0100
Subject: [PATCH 50/78] Rename method

---
 de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs b/de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs
index 6d33f062..399ad26e 100644
--- a/de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs
@@ -108,7 +108,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 					continue;
 				}
 
-				int offset = getAttributeValueUInt32(assemblyElem, "offset");
+				int offset = getAttributeValueInt32(assemblyElem, "offset");
 				if (offset < 0) {
 					Log.w("Could not find offset attribute");
 					continue;
@@ -120,7 +120,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			}
 		}
 
-		static int getAttributeValueUInt32(XmlElement elem, string attrName) {
+		static int getAttributeValueInt32(XmlElement elem, string attrName) {
 			var str = elem.GetAttribute(attrName);
 			if (string.IsNullOrEmpty(str))
 				return -1;

From ba399609c76172ca59c76379d07c7b0b1ac45787 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Thu, 9 Feb 2012 10:14:29 +0100
Subject: [PATCH 51/78] Initialize otherInitMethods in 2nd ctor

---
 de4dot.code/deobfuscators/CodeVeil/MainType.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/MainType.cs b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
index ff174f5a..8c311cdf 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MainType.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
@@ -73,6 +73,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			this.tamperCheckMethod = lookup(oldOne.tamperCheckMethod, "Could not find tamper detection method");
 			this.obfuscatorVersion = oldOne.obfuscatorVersion;
 			this.rvas = oldOne.rvas;
+			foreach (var otherInitMethod in otherInitMethods)
+				otherInitMethods.Add(lookup(otherInitMethod, "Could not find otherInitMethod"));
 		}
 
 		T lookup<T>(T def, string errorMessage) where T : MemberReference {
@@ -121,7 +123,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			if (initMethod == null)
 				return false;
-
 			if (initMethod.Body == null)
 				return false;
 			if (!initMethod.IsStatic)

From ae97752d9c1f2aafded49389224e53173f2993f0 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Thu, 9 Feb 2012 10:14:59 +0100
Subject: [PATCH 52/78] Set data field to a 1-byte array

---
 de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
index a0d02b9a..333d42bf 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
@@ -188,6 +188,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			var decompressed = DeobUtils.inflate(info.dataField.InitialValue, true);
 			reader = new BinaryReader(new MemoryStream(decompressed));
+			info.dataField.FieldType = module.TypeSystem.Byte;
+			info.dataField.InitialValue = new byte[1];
 		}
 	}
 }

From fe78852b2634c7f9f7d1c0ed8343233ceaf13a17 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 10 Feb 2012 16:20:40 +0100
Subject: [PATCH 53/78] Pretty much any type of exception can occur so catch
 'em all

---
 de4dot.cui/FilesDeobfuscator.cs | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/de4dot.cui/FilesDeobfuscator.cs b/de4dot.cui/FilesDeobfuscator.cs
index c7a534dd..3188365b 100644
--- a/de4dot.cui/FilesDeobfuscator.cs
+++ b/de4dot.cui/FilesDeobfuscator.cs
@@ -192,20 +192,8 @@ namespace de4dot.cui {
 				catch (BadImageFormatException) {
 					return false;	// Not a .NET file
 				}
-				catch (ArgumentOutOfRangeException) {
-					Log.w("Could not load file (argument out of range): {0}", file.Filename);
-					return false;
-				}
-				catch (UnauthorizedAccessException) {
-					Log.w("Could not load file (not authorized): {0}", file.Filename);
-					return false;
-				}
-				catch (NullReferenceException) {
-					Log.w("Could not load file (null ref): {0}", file.Filename);
-					return false;
-				}
-				catch (IOException) {
-					Log.w("Could not load file (io exception): {0}", file.Filename);
+				catch (Exception ex) {
+					Log.w("Could not load file ({0}): {1}", ex.GetType(), file.Filename);
 					return false;
 				}
 

From c815592f10133433fc78ba6b811bddbda93684af Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Fri, 10 Feb 2012 16:43:35 +0100
Subject: [PATCH 54/78] Add updated cecil submodule

---
 cecil | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cecil b/cecil
index 9d3c2ac9..8a859530 160000
--- a/cecil
+++ b/cecil
@@ -1 +1 @@
-Subproject commit 9d3c2ac91cfcbdce0e2c389a4229ae9b3abfba7c
+Subproject commit 8a859530c807717c0f61ab8b9feddd57f41d3b85

From 76d9e87c3c8283aca67acef6a4568a37a7289e11 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 16:43:53 +0100
Subject: [PATCH 55/78] Add code to write .resources files

---
 de4dot.code/de4dot.code.csproj               |  10 +
 de4dot.code/resources/BuiltInResourceData.cs | 118 ++++++++++
 de4dot.code/resources/IResourceData.cs       |  28 +++
 de4dot.code/resources/ResourceDataCreator.cs | 226 +++++++++++++++++++
 de4dot.code/resources/ResourceElement.cs     |  25 ++
 de4dot.code/resources/ResourceElementSet.cs  |  39 ++++
 de4dot.code/resources/ResourceTypeCode.cs    |  42 ++++
 de4dot.code/resources/ResourceWriter.cs      | 154 +++++++++++++
 de4dot.code/resources/UserResourceData.cs    |  97 ++++++++
 de4dot.code/resources/UserResourceType.cs    |  42 ++++
 10 files changed, 781 insertions(+)
 create mode 100644 de4dot.code/resources/BuiltInResourceData.cs
 create mode 100644 de4dot.code/resources/IResourceData.cs
 create mode 100644 de4dot.code/resources/ResourceDataCreator.cs
 create mode 100644 de4dot.code/resources/ResourceElement.cs
 create mode 100644 de4dot.code/resources/ResourceElementSet.cs
 create mode 100644 de4dot.code/resources/ResourceTypeCode.cs
 create mode 100644 de4dot.code/resources/ResourceWriter.cs
 create mode 100644 de4dot.code/resources/UserResourceData.cs
 create mode 100644 de4dot.code/resources/UserResourceType.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 9ce9308a..5c5ce3c5 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -44,6 +44,7 @@
       <HintPath>..\ICSharpCode.SharpZipLib.dll</HintPath>
     </Reference>
     <Reference Include="System" />
+    <Reference Include="System.Drawing" />
     <Reference Include="System.Runtime.Remoting" />
     <Reference Include="System.XML" />
   </ItemGroup>
@@ -230,6 +231,15 @@
     <Compile Include="renamer\TypeNames.cs" />
     <Compile Include="renamer\TypeRenamerState.cs" />
     <Compile Include="renamer\VariableNameState.cs" />
+    <Compile Include="resources\BuiltInResourceData.cs" />
+    <Compile Include="resources\IResourceData.cs" />
+    <Compile Include="resources\ResourceElement.cs" />
+    <Compile Include="resources\ResourceElementSet.cs" />
+    <Compile Include="resources\ResourceTypeCode.cs" />
+    <Compile Include="resources\ResourceDataCreator.cs" />
+    <Compile Include="resources\ResourceWriter.cs" />
+    <Compile Include="resources\UserResourceData.cs" />
+    <Compile Include="resources\UserResourceType.cs" />
     <Compile Include="StringInliner.cs" />
     <Compile Include="UserException.cs" />
     <Compile Include="Utils.cs" />
diff --git a/de4dot.code/resources/BuiltInResourceData.cs b/de4dot.code/resources/BuiltInResourceData.cs
new file mode 100644
index 00000000..d13489fc
--- /dev/null
+++ b/de4dot.code/resources/BuiltInResourceData.cs
@@ -0,0 +1,118 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.IO;
+using System.Runtime.Serialization;
+
+namespace de4dot.code.resources {
+	class BuiltInResourceData : IResourceData {
+		readonly ResourceTypeCode code;
+		readonly object data;
+
+		public ResourceTypeCode Code {
+			get { return code; }
+		}
+
+		public BuiltInResourceData(ResourceTypeCode code, object data) {
+			this.code = code;
+			this.data = data;
+		}
+
+		public void writeData(BinaryWriter writer, IFormatter formatter) {
+			switch (code) {
+			case ResourceTypeCode.Null:
+				return;
+
+			case ResourceTypeCode.String:
+				writer.Write((string)data);
+				break;
+
+			case ResourceTypeCode.Boolean:
+				writer.Write((bool)data);
+				break;
+
+			case ResourceTypeCode.Char:
+				writer.Write((ushort)(char)data);
+				break;
+
+			case ResourceTypeCode.Byte:
+				writer.Write((byte)data);
+				break;
+
+			case ResourceTypeCode.SByte:
+				writer.Write((sbyte)data);
+				break;
+
+			case ResourceTypeCode.Int16:
+				writer.Write((short)data);
+				break;
+
+			case ResourceTypeCode.UInt16:
+				writer.Write((ushort)data);
+				break;
+
+			case ResourceTypeCode.Int32:
+				writer.Write((int)data);
+				break;
+
+			case ResourceTypeCode.UInt32:
+				writer.Write((uint)data);
+				break;
+
+			case ResourceTypeCode.Int64:
+				writer.Write((long)data);
+				break;
+
+			case ResourceTypeCode.UInt64:
+				writer.Write((ulong)data);
+				break;
+
+			case ResourceTypeCode.Single:
+				writer.Write((float)data);
+				break;
+
+			case ResourceTypeCode.Double:
+				writer.Write((double)data);
+				break;
+
+			case ResourceTypeCode.Decimal:
+				writer.Write((decimal)data);
+				break;
+
+			case ResourceTypeCode.DateTime:
+				writer.Write(((DateTime)data).ToBinary());
+				break;
+
+			case ResourceTypeCode.TimeSpan:
+				writer.Write(((TimeSpan)data).Ticks);
+				break;
+
+			case ResourceTypeCode.ByteArray:
+				var ary = (byte[])data;
+				writer.Write(ary.Length);
+				writer.Write(ary);
+				break;
+
+			default:
+				throw new ApplicationException("Unknown resource type code");
+			}
+		}
+	}
+}
diff --git a/de4dot.code/resources/IResourceData.cs b/de4dot.code/resources/IResourceData.cs
new file mode 100644
index 00000000..04eff9b6
--- /dev/null
+++ b/de4dot.code/resources/IResourceData.cs
@@ -0,0 +1,28 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.IO;
+using System.Runtime.Serialization;
+
+namespace de4dot.code.resources {
+	interface IResourceData {
+		ResourceTypeCode Code { get; }
+		void writeData(BinaryWriter writer, IFormatter formatter);
+	}
+}
diff --git a/de4dot.code/resources/ResourceDataCreator.cs b/de4dot.code/resources/ResourceDataCreator.cs
new file mode 100644
index 00000000..db832045
--- /dev/null
+++ b/de4dot.code/resources/ResourceDataCreator.cs
@@ -0,0 +1,226 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Runtime.Serialization;
+using System.Runtime.Serialization.Formatters.Binary;
+using Mono.Cecil;
+
+namespace de4dot.code.resources {
+	class ResourceDataCreator {
+		ModuleDefinition module;
+		Dictionary<string, UserResourceType> dict = new Dictionary<string, UserResourceType>(StringComparer.Ordinal);
+		Dictionary<string, string> asmNameToAsmFullName = new Dictionary<string, string>(StringComparer.Ordinal);
+
+		public ResourceDataCreator(ModuleDefinition module) {
+			this.module = module;
+		}
+
+		public int Count {
+			get { return dict.Count; }
+		}
+
+		public BuiltInResourceData createNull() {
+			return new BuiltInResourceData(ResourceTypeCode.Null, null);
+		}
+
+		public BuiltInResourceData create(string value) {
+			return new BuiltInResourceData(ResourceTypeCode.String, value);
+		}
+
+		public BuiltInResourceData create(bool value) {
+			return new BuiltInResourceData(ResourceTypeCode.Boolean, value);
+		}
+
+		public BuiltInResourceData create(char value) {
+			return new BuiltInResourceData(ResourceTypeCode.Char, value);
+		}
+
+		public BuiltInResourceData create(byte value) {
+			return new BuiltInResourceData(ResourceTypeCode.Byte, value);
+		}
+
+		public BuiltInResourceData create(sbyte value) {
+			return new BuiltInResourceData(ResourceTypeCode.SByte, value);
+		}
+
+		public BuiltInResourceData create(short value) {
+			return new BuiltInResourceData(ResourceTypeCode.Int16, value);
+		}
+
+		public BuiltInResourceData create(ushort value) {
+			return new BuiltInResourceData(ResourceTypeCode.UInt16, value);
+		}
+
+		public BuiltInResourceData create(int value) {
+			return new BuiltInResourceData(ResourceTypeCode.Int32, value);
+		}
+
+		public BuiltInResourceData create(uint value) {
+			return new BuiltInResourceData(ResourceTypeCode.UInt32, value);
+		}
+
+		public BuiltInResourceData create(long value) {
+			return new BuiltInResourceData(ResourceTypeCode.Int64, value);
+		}
+
+		public BuiltInResourceData create(ulong value) {
+			return new BuiltInResourceData(ResourceTypeCode.UInt64, value);
+		}
+
+		public BuiltInResourceData create(float value) {
+			return new BuiltInResourceData(ResourceTypeCode.Single, value);
+		}
+
+		public BuiltInResourceData create(double value) {
+			return new BuiltInResourceData(ResourceTypeCode.Double, value);
+		}
+
+		public BuiltInResourceData create(decimal value) {
+			return new BuiltInResourceData(ResourceTypeCode.Decimal, value);
+		}
+
+		public BuiltInResourceData create(DateTime value) {
+			return new BuiltInResourceData(ResourceTypeCode.DateTime, value);
+		}
+
+		public BuiltInResourceData create(TimeSpan value) {
+			return new BuiltInResourceData(ResourceTypeCode.TimeSpan, value);
+		}
+
+		public BuiltInResourceData create(byte[] value) {
+			return new BuiltInResourceData(ResourceTypeCode.ByteArray, value);
+		}
+
+		public CharArrayResourceData create(char[] value) {
+			return new CharArrayResourceData(createUserResourceType(CharArrayResourceData.typeName), value);
+		}
+
+		public IconResourceData createIcon(byte[] value) {
+			return new IconResourceData(createUserResourceType(IconResourceData.typeName), value);
+		}
+
+		public ImageResourceData createImage(byte[] value) {
+			return new ImageResourceData(createUserResourceType(ImageResourceData.typeName), value);
+		}
+
+		public BinaryResourceData createSerialized(byte[] value) {
+			string assemblyName, typeName;
+			if (!getSerializedTypeAndAssemblyName(value, out assemblyName, out typeName))
+				throw new ApplicationException("Could not get serialized type name");
+			string fullName = string.Format("{0},{1}", typeName, assemblyName);
+			return new BinaryResourceData(createUserResourceType(fullName), value);
+		}
+
+		class MyBinder : SerializationBinder {
+			public string assemblyName;
+			public string typeName;
+
+			public class OkException : Exception {
+			}
+
+			public override Type BindToType(string assemblyName, string typeName) {
+				this.assemblyName = assemblyName;
+				this.typeName = typeName;
+				throw new OkException();
+			}
+		}
+
+		bool getSerializedTypeAndAssemblyName(byte[] value, out string assemblyName, out string typeName) {
+			var binder = new MyBinder();
+			try {
+				var formatter = new BinaryFormatter();
+				formatter.Binder = binder;
+				formatter.Deserialize(new MemoryStream(value));
+			}
+			catch (MyBinder.OkException) {
+				assemblyName = binder.assemblyName;
+				typeName = binder.typeName;
+				return true;
+			}
+			catch {
+			}
+
+			assemblyName = null;
+			typeName = null;
+			return false;
+		}
+
+		public UserResourceType createUserResourceType(string fullName) {
+			UserResourceType type;
+			if (dict.TryGetValue(fullName, out type))
+				return type;
+
+			var newFullName = fullName;
+			string typeName, assemblyName;
+			splitTypeFullName(fullName, out typeName, out assemblyName);
+			if (!string.IsNullOrEmpty(assemblyName)) {
+				string newAsmName;
+				if (!asmNameToAsmFullName.TryGetValue(assemblyName, out newAsmName))
+					asmNameToAsmFullName[assemblyName] = newAsmName = getRealAssemblyName(assemblyName);
+				assemblyName = newAsmName;
+			}
+			if (!string.IsNullOrEmpty(assemblyName))
+				newFullName = string.Format("{0}, {1}", typeName, assemblyName);
+
+			type = new UserResourceType(newFullName, ResourceTypeCode.UserTypes + dict.Count);
+			dict[fullName] = type;
+			dict[newFullName] = type;
+			return type;
+		}
+
+		static void splitTypeFullName(string fullName, out string typeName, out string assemblyName) {
+			int index = fullName.IndexOf(',');
+			if (index < 0) {
+				typeName = fullName;
+				assemblyName = null;
+			}
+			else {
+				typeName = fullName.Substring(0, index);
+				assemblyName = fullName.Substring(index + 1).Trim();
+			}
+		}
+
+		string getRealAssemblyName(string assemblyName) {
+			var simpleName = Utils.getAssemblySimpleName(assemblyName);
+
+			foreach (var asmRef in module.AssemblyReferences) {
+				if (asmRef.Name == simpleName)
+					return asmRef.FullName;
+			}
+
+			try {
+				return AssemblyResolver.Instance.Resolve(simpleName).FullName;
+			}
+			catch (ResolutionException) {
+			}
+			catch (AssemblyResolutionException) {
+			}
+			return null;
+		}
+
+		public List<UserResourceType> getSortedTypes() {
+			var list = new List<UserResourceType>(dict.Values);
+			list.Sort((a, b) => Utils.compareInt32((int)a.Code, (int)b.Code));
+			return list;
+		}
+	}
+}
diff --git a/de4dot.code/resources/ResourceElement.cs b/de4dot.code/resources/ResourceElement.cs
new file mode 100644
index 00000000..f80ed9c9
--- /dev/null
+++ b/de4dot.code/resources/ResourceElement.cs
@@ -0,0 +1,25 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+namespace de4dot.code.resources {
+	class ResourceElement {
+		public string Name { get; set; }
+		public IResourceData ResourceData { get; set; }
+	}
+}
diff --git a/de4dot.code/resources/ResourceElementSet.cs b/de4dot.code/resources/ResourceElementSet.cs
new file mode 100644
index 00000000..19a820c0
--- /dev/null
+++ b/de4dot.code/resources/ResourceElementSet.cs
@@ -0,0 +1,39 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+
+namespace de4dot.code.resources {
+	class ResourceElementSet {
+		Dictionary<string, ResourceElement> dict = new Dictionary<string, ResourceElement>(StringComparer.Ordinal);
+
+		public int Count {
+			get { return dict.Count; }
+		}
+
+		public IEnumerable<ResourceElement> ResourceElements {
+			get { return dict.Values; }
+		}
+
+		public void add(ResourceElement elem) {
+			dict[elem.Name] = elem;
+		}
+	}
+}
diff --git a/de4dot.code/resources/ResourceTypeCode.cs b/de4dot.code/resources/ResourceTypeCode.cs
new file mode 100644
index 00000000..4644074e
--- /dev/null
+++ b/de4dot.code/resources/ResourceTypeCode.cs
@@ -0,0 +1,42 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+namespace de4dot.code.resources {
+	enum ResourceTypeCode {
+		Null,
+		String,
+		Boolean,
+		Char,
+		Byte,
+		SByte,
+		Int16,
+		UInt16,
+		Int32,
+		UInt32,
+		Int64,
+		UInt64,
+		Single,
+		Double,
+		Decimal,
+		DateTime,
+		TimeSpan,
+		ByteArray = 0x20,
+		UserTypes = 0x40,
+	}
+}
diff --git a/de4dot.code/resources/ResourceWriter.cs b/de4dot.code/resources/ResourceWriter.cs
new file mode 100644
index 00000000..49db069d
--- /dev/null
+++ b/de4dot.code/resources/ResourceWriter.cs
@@ -0,0 +1,154 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Runtime.Serialization;
+using System.Runtime.Serialization.Formatters.Binary;
+using System.Text;
+using Mono.Cecil;
+
+namespace de4dot.code.resources {
+	class ResourceWriter {
+		ModuleDefinition module;
+		BinaryWriter writer;
+		ResourceElementSet resources;
+		ResourceDataCreator typeCreator;
+		Dictionary<UserResourceData, UserResourceType> dataToNewType = new Dictionary<UserResourceData, UserResourceType>();
+
+		ResourceWriter(ModuleDefinition module, Stream stream, ResourceElementSet resources) {
+			this.module = module;
+			this.typeCreator = new ResourceDataCreator(module);
+			this.writer = new BinaryWriter(stream);
+			this.resources = resources;
+		}
+
+		public static void write(ModuleDefinition module, Stream stream, ResourceElementSet resources) {
+			new ResourceWriter(module, stream, resources).write();
+		}
+
+		void write() {
+			initializeUserTypes();
+
+			writer.Write(0xBEEFCACE);
+			writer.Write(1);
+			writeReaderType();
+			writer.Write(2);
+			writer.Write(resources.Count);
+			writer.Write(typeCreator.Count);
+			foreach (var userType in typeCreator.getSortedTypes())
+				writer.Write(userType.Name);
+			int extraBytes = 8 - ((int)writer.BaseStream.Position & 7);
+			if (extraBytes != 8) {
+				for (int i = 0; i < extraBytes; i++)
+					writer.Write((byte)'X');
+			}
+
+			var nameOffsetStream = new MemoryStream();
+			var nameOffsetWriter = new BinaryWriter(nameOffsetStream, Encoding.Unicode);
+			var dataStream = new MemoryStream();
+			var dataWriter = new BinaryWriter(dataStream);
+			var hashes = new int[resources.Count];
+			var offsets = new int[resources.Count];
+			var formatter = new BinaryFormatter(null, new StreamingContext(StreamingContextStates.File | StreamingContextStates.Persistence));
+			int index = 0;
+			foreach (var info in resources.ResourceElements) {
+				offsets[index] = (int)nameOffsetWriter.BaseStream.Position;
+				hashes[index] = (int)hash(info.Name);
+				index++;
+				nameOffsetWriter.Write(info.Name);
+				nameOffsetWriter.Write((int)dataWriter.BaseStream.Position);
+				writeData(dataWriter, info, formatter);
+			}
+
+			Array.Sort(hashes, offsets);
+			foreach (var hash in hashes)
+				writer.Write(hash);
+			foreach (var offset in offsets)
+				writer.Write(offset);
+			writer.Write((int)writer.BaseStream.Position + (int)nameOffsetStream.Length + 4);
+			writer.Write(nameOffsetStream.ToArray());
+			writer.Write(dataStream.ToArray());
+		}
+
+		void writeData(BinaryWriter writer, ResourceElement info, IFormatter formatter) {
+			var code = getResourceType(info.ResourceData);
+			writeUInt32(writer, (uint)code);
+			info.ResourceData.writeData(writer, formatter);
+		}
+
+		static void writeUInt32(BinaryWriter writer, uint value) {
+			while (value >= 0x80) {
+				writer.Write((byte)(value | 0x80));
+				value >>= 7;
+			}
+			writer.Write((byte)value);
+		}
+
+		ResourceTypeCode getResourceType(IResourceData data) {
+			if (data is BuiltInResourceData)
+				return data.Code;
+
+			var userData = (UserResourceData)data;
+			return dataToNewType[userData].Code;
+		}
+
+		static uint hash(string key) {
+			uint val = 0x1505;
+			foreach (var c in key)
+				val = ((val << 5) + val) ^ (uint)c;
+			return val;
+		}
+
+		void initializeUserTypes() {
+			foreach (var resource in resources.ResourceElements) {
+				var data = resource.ResourceData as UserResourceData;
+				if (data == null)
+					continue;
+				var newType = typeCreator.createUserResourceType(data.TypeName);
+				dataToNewType[data] = newType;
+			}
+		}
+
+		void writeReaderType() {
+			var memStream = new MemoryStream();
+			var headerWriter = new BinaryWriter(memStream);
+			var mscorlibFullName = getMscorlibFullname();
+			headerWriter.Write("System.Resources.ResourceReader, " + mscorlibFullName);
+			headerWriter.Write("System.Resources.RuntimeResourceSet");
+			writer.Write((int)memStream.Position);
+			writer.Write(memStream.ToArray());
+		}
+
+		string getMscorlibFullname() {
+			AssemblyNameReference mscorlibRef = null;
+			foreach (var asmRef in module.AssemblyReferences) {
+				if (asmRef.Name != "mscorlib")
+					continue;
+				if (mscorlibRef == null || mscorlibRef.Version == null || asmRef.Version >= mscorlibRef.Version)
+					mscorlibRef = asmRef;
+			}
+			if (mscorlibRef != null)
+				return mscorlibRef.FullName;
+
+			return "mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089";
+		}
+	}
+}
diff --git a/de4dot.code/resources/UserResourceData.cs b/de4dot.code/resources/UserResourceData.cs
new file mode 100644
index 00000000..367ca549
--- /dev/null
+++ b/de4dot.code/resources/UserResourceData.cs
@@ -0,0 +1,97 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.Drawing;
+using System.IO;
+using System.Runtime.Serialization;
+
+namespace de4dot.code.resources {
+	abstract class UserResourceData : IResourceData {
+		readonly UserResourceType type;
+
+		public string TypeName {
+			get { return type.Name; }
+		}
+
+		public ResourceTypeCode Code {
+			get { return type.Code; }
+		}
+
+		public UserResourceData(UserResourceType type) {
+			this.type = type;
+		}
+
+		public abstract void writeData(BinaryWriter writer, IFormatter formatter);
+	}
+
+	class CharArrayResourceData : UserResourceData {
+		public static readonly string typeName = "System.Char[],mscorlib";
+		char[] data;
+
+		public CharArrayResourceData(UserResourceType type, char[] data)
+			: base(type) {
+			this.data = data;
+		}
+
+		public override void writeData(BinaryWriter writer, IFormatter formatter) {
+			formatter.Serialize(writer.BaseStream, data);
+		}
+	}
+
+	class IconResourceData : UserResourceData {
+		public static readonly string typeName = "System.Drawing.Icon,System.Drawing";
+		Icon icon;
+
+		public IconResourceData(UserResourceType type, byte[] data)
+			: base(type) {
+			icon = new Icon(new MemoryStream(data));
+		}
+
+		public override void writeData(BinaryWriter writer, IFormatter formatter) {
+			formatter.Serialize(writer.BaseStream, icon);
+		}
+	}
+
+	class ImageResourceData : UserResourceData {
+		public static readonly string typeName = "System.Drawing.Bitmap,System.Drawing";
+		Bitmap bitmap;
+
+		public ImageResourceData(UserResourceType type, byte[] data)
+			: base(type) {
+			bitmap = new Bitmap(Image.FromStream(new MemoryStream(data)));
+		}
+
+		public override void writeData(BinaryWriter writer, IFormatter formatter) {
+			formatter.Serialize(writer.BaseStream, bitmap);
+		}
+	}
+
+	class BinaryResourceData : UserResourceData {
+		byte[] data;
+
+		public BinaryResourceData(UserResourceType type, byte[] data)
+			: base(type) {
+			this.data = data;
+		}
+
+		public override void writeData(BinaryWriter writer, IFormatter formatter) {
+			writer.Write(data);
+		}
+	}
+}
diff --git a/de4dot.code/resources/UserResourceType.cs b/de4dot.code/resources/UserResourceType.cs
new file mode 100644
index 00000000..1e38442f
--- /dev/null
+++ b/de4dot.code/resources/UserResourceType.cs
@@ -0,0 +1,42 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+namespace de4dot.code.resources {
+	class UserResourceType {
+		readonly string name;
+		readonly ResourceTypeCode code;
+
+		public string Name {
+			get { return name; }
+		}
+
+		public ResourceTypeCode Code {
+			get { return code; }
+		}
+
+		public UserResourceType(string name, ResourceTypeCode code) {
+			this.name = name;
+			this.code = code;
+		}
+
+		public override string ToString() {
+			return string.Format("{0:X2} {1}", (int)code, name);
+		}
+	}
+}

From 6400a9327694eb89008f91b338e04fdaaa15e916 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 16:44:41 +0100
Subject: [PATCH 56/78] Add updated cecil submodule

---
 cecil | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cecil b/cecil
index 8a859530..d168993c 160000
--- a/cecil
+++ b/cecil
@@ -1 +1 @@
-Subproject commit 8a859530c807717c0f61ab8b9feddd57f41d3b85
+Subproject commit d168993c52f46069f113bc2a85cef60da0834c68

From e5a72396c2e6cff4d69941ad34ef61ba2f4811f8 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 16:46:02 +0100
Subject: [PATCH 57/78] Remove length parameter from xxxteaDecrypt()

---
 de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs | 2 +-
 de4dot.code/deobfuscators/DeobUtils.cs                | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
index a5c7dadf..893fb6cb 100644
--- a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
@@ -220,7 +220,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			var encryptedData = new uint[data.Length / 4];
 			Buffer.BlockCopy(data, 0, encryptedData, 0, data.Length);
-			DeobUtils.xxteaDecrypt(encryptedData, encryptedData.Length, key);
+			DeobUtils.xxteaDecrypt(encryptedData, key);
 			var decryptedData = new byte[data.Length];
 			Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, data.Length);
 
diff --git a/de4dot.code/deobfuscators/DeobUtils.cs b/de4dot.code/deobfuscators/DeobUtils.cs
index 89c46ed7..6335934a 100644
--- a/de4dot.code/deobfuscators/DeobUtils.cs
+++ b/de4dot.code/deobfuscators/DeobUtils.cs
@@ -91,8 +91,9 @@ namespace de4dot.code.deobfuscators {
 		}
 
 		// Code converted from C implementation @ http://en.wikipedia.org/wiki/XXTEA (btea() func)
-		public static void xxteaDecrypt(uint[] v, int n, uint[] key) {
+		public static void xxteaDecrypt(uint[] v, uint[] key) {
 			const uint DELTA = 0x9E3779B9;
+			int n = v.Length;
 			uint rounds = (uint)(6 + 52 / n);
 			uint sum = rounds * DELTA;
 			uint y = v[0];

From ccd7d2ac79e9f9da21a9583920352e266b10fc57 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 16:46:39 +0100
Subject: [PATCH 58/78] Decrypt .resources files

---
 de4dot.code/de4dot.code.csproj                |   4 +
 .../deobfuscators/CodeVeil/Deobfuscator.cs    |   2 +
 .../CodeVeil/ResourceConverter.cs             | 149 ++++++++++++++++++
 .../CodeVeil/ResourceDecrypter.cs             |  70 ++++++++
 .../deobfuscators/CodeVeil/ResourceInfo.cs    |  41 +++++
 .../deobfuscators/CodeVeil/ResourceReader.cs  | 128 +++++++++++++++
 6 files changed, 394 insertions(+)
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/ResourceConverter.cs
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/ResourceInfo.cs
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 5c5ce3c5..18f3ec07 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -84,6 +84,10 @@
     <Compile Include="deobfuscators\CodeVeil\MainType.cs" />
     <Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\ObfuscatorVersion.cs" />
+    <Compile Include="deobfuscators\CodeVeil\ResourceConverter.cs" />
+    <Compile Include="deobfuscators\CodeVeil\ResourceDecrypter.cs" />
+    <Compile Include="deobfuscators\CodeVeil\ResourceInfo.cs" />
+    <Compile Include="deobfuscators\CodeVeil\ResourceReader.cs" />
     <Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\Deobfuscator.cs" />
     <Compile Include="deobfuscators\CodeVeil\ProxyDelegateFinder.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 021e6d11..b09a34fb 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -205,6 +205,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			proxyDelegateFinder.initialize();
 			proxyDelegateFinder.find();
+
+			new ResourceDecrypter(module).decrypt();
 		}
 
 		void removeTamperDetection() {
diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceConverter.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceConverter.cs
new file mode 100644
index 00000000..2c79c9f9
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceConverter.cs
@@ -0,0 +1,149 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.IO;
+using Mono.Cecil;
+using de4dot.code.resources;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	class ResourceConverter {
+		ModuleDefinition module;
+		ResourceInfo[] infos;
+		ResourceDataCreator dataCreator;
+
+		public ResourceConverter(ModuleDefinition module, ResourceInfo[] infos) {
+			this.module = module;
+			this.dataCreator = new ResourceDataCreator(module);
+			this.infos = infos;
+		}
+
+		public byte[] convert() {
+			var resources = new ResourceElementSet();
+			foreach (var info in infos)
+				resources.add(convert(info));
+
+			var memStream = new MemoryStream();
+			ResourceWriter.write(module, memStream, resources);
+			return memStream.ToArray();
+		}
+
+		ResourceElement convert(ResourceInfo info) {
+			var reader = info.dataReader;
+			reader.BaseStream.Position = info.offset;
+
+			IResourceData resourceData;
+			int type = (info.flags & 0x7F);
+			switch (type) {
+			case 1:		// bool
+				resourceData = dataCreator.create(reader.ReadBoolean());
+				break;
+
+			case 2:		// byte
+				resourceData = dataCreator.create(reader.ReadByte());
+				break;
+
+			case 3:		// byte[]
+				resourceData = dataCreator.create(reader.ReadBytes(info.length));
+				break;
+
+			case 4:		// char[]
+				resourceData = dataCreator.create(reader.ReadChars(info.length));
+				break;
+
+			case 5:		// sbyte
+				resourceData = dataCreator.create(reader.ReadSByte());
+				break;
+
+			case 6:		// char
+				resourceData = dataCreator.create(reader.ReadChar());
+				break;
+
+			case 7:		// decimal
+				resourceData = dataCreator.create(reader.ReadDecimal());
+				break;
+
+			case 8:		// double
+				resourceData = dataCreator.create(reader.ReadDouble());
+				break;
+
+			case 9:		// short
+				resourceData = dataCreator.create(reader.ReadInt16());
+				break;
+
+			case 10:	// int
+				resourceData = dataCreator.create(reader.ReadInt32());
+				break;
+
+			case 11:	// long
+				resourceData = dataCreator.create(reader.ReadInt64());
+				break;
+
+			case 12:	// float
+				resourceData = dataCreator.create(reader.ReadSingle());
+				break;
+
+			case 13:	// string
+				resourceData = dataCreator.create(reader.ReadString());
+				break;
+
+			case 14:	// ushort
+				resourceData = dataCreator.create(reader.ReadUInt16());
+				break;
+
+			case 15:	// uint
+				resourceData = dataCreator.create(reader.ReadUInt32());
+				break;
+
+			case 16:	// ulong
+				resourceData = dataCreator.create(reader.ReadUInt64());
+				break;
+
+			case 17:	// DateTime
+				resourceData = dataCreator.create(DateTime.FromBinary(reader.ReadInt64()));
+				break;
+
+			case 18:	// TimeSpan
+				resourceData = dataCreator.create(TimeSpan.FromTicks(reader.ReadInt64()));
+				break;
+
+			case 19:	// Icon
+				resourceData = dataCreator.createIcon(reader.ReadBytes(info.length));
+				break;
+
+			case 20:	// Image
+				resourceData = dataCreator.createImage(reader.ReadBytes(info.length));
+				break;
+
+			case 31:	// binary
+				resourceData = dataCreator.createSerialized(reader.ReadBytes(info.length));
+				break;
+
+			case 21:	// Point (CV doesn't restore this type)
+			default:
+				throw new Exception("Unknown type");
+			}
+
+			return new ResourceElement() {
+				Name = info.name,
+				ResourceData = resourceData,
+			};
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
new file mode 100644
index 00000000..49c62ac9
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
@@ -0,0 +1,70 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.IO;
+using Mono.Cecil;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	class ResourceDecrypter {
+		ModuleDefinition module;
+
+		public ResourceDecrypter(ModuleDefinition module) {
+			this.module = module;
+		}
+
+		public void decrypt() {
+			for (int i = 0; i < module.Resources.Count; i++) {
+				var resource = module.Resources[i] as EmbeddedResource;
+				if (resource == null)
+					continue;
+
+				var decrypted = decrypt(resource.GetResourceStream());
+				if (decrypted == null)
+					continue;
+
+				module.Resources[i] = new EmbeddedResource(resource.Name, resource.Attributes, decrypted);
+			}
+		}
+
+		byte[] decrypt(Stream stream) {
+			try {
+				stream.Position = 0;
+				var reader = new BinaryReader(stream);
+				uint sig = reader.ReadUInt32();
+				if (sig == 0xBEEFCACE)
+					return decryptBeefcace(reader);
+				//TODO: Decrypt the other type
+				return null;
+			}
+			catch (ApplicationException) {
+				return null;
+			}
+			catch (Exception ex) {
+				Log.w("Got an exception when decrypting resources: {0}", ex.GetType());
+				return null;
+			}
+		}
+
+		byte[] decryptBeefcace(BinaryReader reader) {
+			var resourceReader = new ResourceReader(reader);
+			return new ResourceConverter(module, resourceReader.read()).convert();
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceInfo.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceInfo.cs
new file mode 100644
index 00000000..291c5765
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceInfo.cs
@@ -0,0 +1,41 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.IO;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	class ResourceInfo {
+		public string name;
+		public byte flags;
+		public int offset;
+		public int length;
+		public BinaryReader dataReader;
+		public ResourceInfo(string name, byte flags, int offset, int length) {
+			this.name = name;
+			this.flags = flags;
+			this.offset = offset;
+			this.length = length;
+		}
+
+		public override string ToString() {
+			return string.Format("{0:X2} {1:X8} {2} {3}", flags, offset, length, name);
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
new file mode 100644
index 00000000..f8e4d198
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
@@ -0,0 +1,128 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Text;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	class ResourceReader {
+		BinaryReader reader;
+		string resourceReader;
+		string resourceSet;
+
+		public string ResourceReaderName {
+			get { return resourceReader; }
+		}
+
+		public string ResourceSetName {
+			get { return resourceSet; }
+		}
+
+		public ResourceReader(Stream stream) {
+			stream.Position = 0;
+			reader = new BinaryReader(stream);
+		}
+
+		public ResourceReader(BinaryReader reader) {
+			reader.BaseStream.Position = 0;
+			this.reader = reader;
+		}
+
+		public ResourceInfo[] read() {
+			if (reader.ReadUInt32() != 0xBEEFCACE)
+				throw new ApplicationException("Invalid magic");
+			if (reader.ReadUInt32() <= 0)
+				throw new ApplicationException("Invalid number");
+			reader.ReadUInt32();
+			resourceReader = reader.ReadString();
+			resourceSet = reader.ReadString();
+			if (reader.ReadByte() != 1)
+				throw new ApplicationException("Invalid version");
+
+			int flags = reader.ReadByte();
+			if ((flags & 0xFC) != 0)
+				throw new ApplicationException("Invalid flags");
+			bool inflateData = (flags & 1) != 0;
+			bool encrypted = (flags & 2) != 0;
+
+			int numResources = reader.ReadInt32();
+			if (numResources < 0)
+				throw new ApplicationException("Invalid number of resources");
+
+			var infos = new ResourceInfo[numResources];
+			for (int i = 0; i < numResources; i++) {
+				var resourceName = readResourceName(reader, encrypted);
+				int offset = reader.ReadInt32();
+				byte resourceFlags = reader.ReadByte();
+				int resourceLength = (resourceFlags & 0x80) == 0 ? -1 : reader.ReadInt32();
+				infos[i] = new ResourceInfo(resourceName, resourceFlags, offset, resourceLength);
+			}
+
+			var dataReader = reader;
+			if (encrypted) {
+				var key = new uint[4];
+				key[0] = dataReader.ReadUInt32();
+				key[1] = dataReader.ReadUInt32();
+				int numDwords = dataReader.ReadInt32();
+				if (numDwords < 0 || numDwords >= 0x40000000)
+					throw new ApplicationException("Invalid number of encrypted dwords");
+				var encryptedData = new uint[numDwords];
+				for (int i = 0; i < numDwords; i++)
+					encryptedData[i] = dataReader.ReadUInt32();
+				key[2] = dataReader.ReadUInt32();
+				key[3] = dataReader.ReadUInt32();
+				DeobUtils.xxteaDecrypt(encryptedData, key);
+				byte[] decryptedData = new byte[encryptedData.Length * 4];
+				Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, decryptedData.Length);
+				dataReader = new BinaryReader(new MemoryStream(decryptedData));
+			}
+
+			if (inflateData) {
+				var data = dataReader.ReadBytes((int)(dataReader.BaseStream.Length - dataReader.BaseStream.Position));
+				data = DeobUtils.inflate(data, true);
+				dataReader = new BinaryReader(new MemoryStream(data));
+			}
+
+			foreach (var info in infos)
+				info.dataReader = dataReader;
+
+			return infos;
+		}
+
+		static string readResourceName(BinaryReader reader, bool encrypted) {
+			if (!encrypted)
+				return reader.ReadString();
+
+			int len = reader.ReadInt32();
+			if (len < 0)
+				throw new ApplicationException("Invalid string length");
+			var sb = new StringBuilder(len);
+			for (int i = 0; i < len; i++)
+				sb.Append((char)rol3(reader.ReadChar()));
+			return sb.ToString();
+		}
+
+		static char rol3(char c) {
+			ushort s = (ushort)c;
+			return (char)((s << 3) | (s >> (16 - 3)));
+		}
+	}
+}

From 9050af8a03f6470d0c60275d0d1499b102f40797 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 19:34:07 +0100
Subject: [PATCH 59/78] Refactor method

---
 de4dot.code/resources/ResourceDataCreator.cs | 33 +++++++++++++-------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/de4dot.code/resources/ResourceDataCreator.cs b/de4dot.code/resources/ResourceDataCreator.cs
index db832045..ba30c6b0 100644
--- a/de4dot.code/resources/ResourceDataCreator.cs
+++ b/de4dot.code/resources/ResourceDataCreator.cs
@@ -169,18 +169,7 @@ namespace de4dot.code.resources {
 			if (dict.TryGetValue(fullName, out type))
 				return type;
 
-			var newFullName = fullName;
-			string typeName, assemblyName;
-			splitTypeFullName(fullName, out typeName, out assemblyName);
-			if (!string.IsNullOrEmpty(assemblyName)) {
-				string newAsmName;
-				if (!asmNameToAsmFullName.TryGetValue(assemblyName, out newAsmName))
-					asmNameToAsmFullName[assemblyName] = newAsmName = getRealAssemblyName(assemblyName);
-				assemblyName = newAsmName;
-			}
-			if (!string.IsNullOrEmpty(assemblyName))
-				newFullName = string.Format("{0}, {1}", typeName, assemblyName);
-
+			var newFullName = getRealTypeFullName(fullName);
 			type = new UserResourceType(newFullName, ResourceTypeCode.UserTypes + dict.Count);
 			dict[fullName] = type;
 			dict[newFullName] = type;
@@ -199,7 +188,27 @@ namespace de4dot.code.resources {
 			}
 		}
 
+		string getRealTypeFullName(string fullName) {
+			var newFullName = fullName;
+
+			string typeName, assemblyName;
+			splitTypeFullName(fullName, out typeName, out assemblyName);
+			if (!string.IsNullOrEmpty(assemblyName))
+				assemblyName = getRealAssemblyName(assemblyName);
+			if (!string.IsNullOrEmpty(assemblyName))
+				newFullName = string.Format("{0}, {1}", typeName, assemblyName);
+
+			return newFullName;
+		}
+
 		string getRealAssemblyName(string assemblyName) {
+			string newAsmName;
+			if (!asmNameToAsmFullName.TryGetValue(assemblyName, out newAsmName))
+				asmNameToAsmFullName[assemblyName] = newAsmName = tryGetRealAssemblyName(assemblyName);
+			return newAsmName;
+		}
+
+		string tryGetRealAssemblyName(string assemblyName) {
 			var simpleName = Utils.getAssemblySimpleName(assemblyName);
 
 			foreach (var asmRef in module.AssemblyReferences) {

From cd7d3724c383b930467180d8b482baf7b7bcf5bc Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 21:30:54 +0100
Subject: [PATCH 60/78] Move fields from binder to exception

---
 de4dot.code/resources/ResourceDataCreator.cs | 21 ++++++++++----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/de4dot.code/resources/ResourceDataCreator.cs b/de4dot.code/resources/ResourceDataCreator.cs
index ba30c6b0..a00278da 100644
--- a/de4dot.code/resources/ResourceDataCreator.cs
+++ b/de4dot.code/resources/ResourceDataCreator.cs
@@ -131,29 +131,28 @@ namespace de4dot.code.resources {
 		}
 
 		class MyBinder : SerializationBinder {
-			public string assemblyName;
-			public string typeName;
-
 			public class OkException : Exception {
+				public string AssemblyName { get; set; }
+				public string TypeName { get; set; }
 			}
 
 			public override Type BindToType(string assemblyName, string typeName) {
-				this.assemblyName = assemblyName;
-				this.typeName = typeName;
-				throw new OkException();
+				throw new OkException {
+					AssemblyName = assemblyName,
+					TypeName = typeName,
+				};
 			}
 		}
 
 		bool getSerializedTypeAndAssemblyName(byte[] value, out string assemblyName, out string typeName) {
-			var binder = new MyBinder();
 			try {
 				var formatter = new BinaryFormatter();
-				formatter.Binder = binder;
+				formatter.Binder = new MyBinder();
 				formatter.Deserialize(new MemoryStream(value));
 			}
-			catch (MyBinder.OkException) {
-				assemblyName = binder.assemblyName;
-				typeName = binder.typeName;
+			catch (MyBinder.OkException ex) {
+				assemblyName = ex.AssemblyName;
+				typeName = ex.TypeName;
 				return true;
 			}
 			catch {

From 8b2ef5d6bb60c254d4e94b863c0223af5dcb31e2 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 21:43:26 +0100
Subject: [PATCH 61/78] Update if expression

---
 de4dot.code/resources/ResourceWriter.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/de4dot.code/resources/ResourceWriter.cs b/de4dot.code/resources/ResourceWriter.cs
index 49db069d..b3e60f30 100644
--- a/de4dot.code/resources/ResourceWriter.cs
+++ b/de4dot.code/resources/ResourceWriter.cs
@@ -142,7 +142,7 @@ namespace de4dot.code.resources {
 			foreach (var asmRef in module.AssemblyReferences) {
 				if (asmRef.Name != "mscorlib")
 					continue;
-				if (mscorlibRef == null || mscorlibRef.Version == null || asmRef.Version >= mscorlibRef.Version)
+				if (mscorlibRef == null || mscorlibRef.Version == null || (asmRef.Version != null && asmRef.Version >= mscorlibRef.Version))
 					mscorlibRef = asmRef;
 			}
 			if (mscorlibRef != null)

From 57b947a3da886976466b9258508092be605525f0 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 21:49:22 +0100
Subject: [PATCH 62/78] Add InvalidDataException

---
 de4dot.code/de4dot.code.csproj                |  1 +
 .../CodeVeil/InvalidDataException.cs          | 29 +++++++++++++++++++
 .../CodeVeil/ResourceDecrypter.cs             |  5 +++-
 .../deobfuscators/CodeVeil/ResourceReader.cs  |  4 +--
 4 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/InvalidDataException.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 18f3ec07..3b346e49 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -81,6 +81,7 @@
     <Compile Include="deobfuscators\CliSecure\StackFrameHelper.cs" />
     <Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\AssemblyResolver.cs" />
+    <Compile Include="deobfuscators\CodeVeil\InvalidDataException.cs" />
     <Compile Include="deobfuscators\CodeVeil\MainType.cs" />
     <Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\ObfuscatorVersion.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/InvalidDataException.cs b/de4dot.code/deobfuscators/CodeVeil/InvalidDataException.cs
new file mode 100644
index 00000000..4d81acda
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/InvalidDataException.cs
@@ -0,0 +1,29 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	[Serializable]
+	class InvalidDataException : Exception {
+		public InvalidDataException(string msg)
+			: base(msg) {
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
index 49c62ac9..cd48320d 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
@@ -53,7 +53,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				//TODO: Decrypt the other type
 				return null;
 			}
-			catch (ApplicationException) {
+			catch (InvalidDataException) {
+				return null;
+			}
+			catch (IOException) {
 				return null;
 			}
 			catch (Exception ex) {
diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
index f8e4d198..c9ccfc44 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
@@ -48,9 +48,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 		public ResourceInfo[] read() {
 			if (reader.ReadUInt32() != 0xBEEFCACE)
-				throw new ApplicationException("Invalid magic");
+				throw new InvalidDataException("Invalid magic");
 			if (reader.ReadUInt32() <= 0)
-				throw new ApplicationException("Invalid number");
+				throw new InvalidDataException("Invalid number");
 			reader.ReadUInt32();
 			resourceReader = reader.ReadString();
 			resourceSet = reader.ReadString();

From d44db9871e716be49504de415685f25b905c48c0 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 21:51:48 +0100
Subject: [PATCH 63/78] Add log message that we have decrypted a resource

---
 de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
index cd48320d..37672f4b 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
@@ -39,6 +39,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				if (decrypted == null)
 					continue;
 
+				Log.v("Decrypted resource {0}", Utils.toCsharpString(resource.Name));
 				module.Resources[i] = new EmbeddedResource(resource.Name, resource.Attributes, decrypted);
 			}
 		}

From bffbe419d571a7ea0b3bf5d035872131ec4c5ea9 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 23:11:41 +0100
Subject: [PATCH 64/78] Add hasInteger() method

---
 de4dot.code/deobfuscators/DeobUtils.cs | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/de4dot.code/deobfuscators/DeobUtils.cs b/de4dot.code/deobfuscators/DeobUtils.cs
index 6335934a..4332f8a7 100644
--- a/de4dot.code/deobfuscators/DeobUtils.cs
+++ b/de4dot.code/deobfuscators/DeobUtils.cs
@@ -162,5 +162,19 @@ namespace de4dot.code.deobfuscators {
 					((int)reader.ReadByte() << 8) +
 					reader.ReadByte();
 		}
+
+		public static bool hasInteger(MethodDefinition method, uint value) {
+			return hasInteger(method, (int)value);
+		}
+
+		public static bool hasInteger(MethodDefinition method, int value) {
+			foreach (var instr in method.Body.Instructions) {
+				if (!DotNetUtils.isLdcI4(instr))
+					continue;
+				if (DotNetUtils.getLdcI4Value(instr) == value)
+					return true;
+			}
+			return false;
+		}
 	}
 }

From c18bed7d69df2bcc2353ef145f5b19f98ed190a2 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 23:11:54 +0100
Subject: [PATCH 65/78] Add namespace

---
 de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs b/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs
index da23eba2..f28810d6 100644
--- a/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/DeepSea/Deobfuscator.cs
@@ -19,6 +19,7 @@
 
 using System.Collections.Generic;
 using Mono.Cecil;
+using de4dot.blocks;
 using de4dot.blocks.cflow;
 
 namespace de4dot.code.deobfuscators.DeepSea {
@@ -224,7 +225,7 @@ done:
 			addMethodToBeRemoved(assemblyResolver.HandlerMethod, "Assembly resolver handler method");
 		}
 
-		public override void deobfuscateMethodEnd(blocks.Blocks blocks) {
+		public override void deobfuscateMethodEnd(Blocks blocks) {
 			if (options.RestoreFields)
 				fieldsRestorer.deobfuscate(blocks);
 			base.deobfuscateMethodEnd(blocks);

From 91f7d2cb515c4b847de3b3cff32ca360d0f2d9fb Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 23:12:42 +0100
Subject: [PATCH 66/78] Find and remove resource decrypter types

---
 .../deobfuscators/CodeVeil/Deobfuscator.cs    |  19 +-
 .../CodeVeil/ResourceDecrypter.cs             | 312 +++++++++++++++++-
 2 files changed, 327 insertions(+), 4 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index b09a34fb..30d9926c 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -21,6 +21,7 @@ using System;
 using System.Collections.Generic;
 using Mono.Cecil;
 using Mono.MyStuff;
+using de4dot.blocks;
 
 namespace de4dot.code.deobfuscators.CodeVeil {
 	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
@@ -62,6 +63,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		StringDecrypter stringDecrypter;
 		AssemblyResolver assemblyResolver;
 		TypeDefinition killType;
+		ResourceDecrypter resourceDecrypter;
 
 		internal class Options : OptionsBase {
 		}
@@ -206,7 +208,17 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			proxyDelegateFinder.initialize();
 			proxyDelegateFinder.find();
 
-			new ResourceDecrypter(module).decrypt();
+			resourceDecrypter = new ResourceDecrypter(module);
+			resourceDecrypter.initialize();
+			resourceDecrypter.decrypt();
+			if (resourceDecrypter.CanRemoveTypes) {
+				addTypeToBeRemoved(resourceDecrypter.ResourceFlagsType, "Obfuscator ResourceFlags type");
+				addTypeToBeRemoved(resourceDecrypter.ResType, "Obfuscator Res type");
+				addTypeToBeRemoved(resourceDecrypter.ResourceEnumeratorType, "Obfuscator ResourceEnumerator type");
+				addTypeToBeRemoved(resourceDecrypter.EncryptedResourceReaderType, "Obfuscator EncryptedResourceReader type");
+				addTypeToBeRemoved(resourceDecrypter.EncryptedResourceSetType, "Obfuscator EncryptedResourceSet type");
+				addTypeToBeRemoved(resourceDecrypter.EncryptedResourceStreamType, "Obfuscator EncryptedResourceStream type");
+			}
 		}
 
 		void removeTamperDetection() {
@@ -224,13 +236,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			addResourceToBeRemoved(assemblyResolver.BundleXmlFileResource, "Embedded assemblies XML file resource");
 		}
 
-		public override void deobfuscateMethodBegin(blocks.Blocks blocks) {
+		public override void deobfuscateMethodBegin(Blocks blocks) {
 			proxyDelegateFinder.deobfuscate(blocks);
 			base.deobfuscateMethodBegin(blocks);
 		}
 
-		public override void deobfuscateMethodEnd(blocks.Blocks blocks) {
+		public override void deobfuscateMethodEnd(Blocks blocks) {
 			mainType.removeInitCall(blocks);
+			resourceDecrypter.deobfuscate(blocks);
 			base.deobfuscateMethodEnd(blocks);
 		}
 
diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
index 37672f4b..24738b78 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
@@ -20,15 +20,301 @@
 using System;
 using System.IO;
 using Mono.Cecil;
+using Mono.Cecil.Cil;
+using Mono.Cecil.Metadata;
+using de4dot.blocks;
 
 namespace de4dot.code.deobfuscators.CodeVeil {
 	class ResourceDecrypter {
 		ModuleDefinition module;
+		TypeDefinition encryptedResourceStreamType;
+		MethodDefinition getManifestResourceStreamMethod1;
+		MethodDefinition getManifestResourceStreamMethod2;
+		TypeDefinition encryptedResourceSetType;
+		MethodDefinition encryptedResourceSet_GetDefaultReader;
+		TypeDefinition encryptedResourceReaderType;
+		GenericInstanceType encryptedResourceReaderTypeDict;
+		TypeDefinition resType;
+		MethodDefinition resTypeCtor;
+		TypeDefinition resourceFlagsType;
+		TypeDefinition resourceEnumeratorType;
+		MethodReference Assembly_GetManifestResourceStream1;
+		MethodReference Assembly_GetManifestResourceStream2;
+
+		public bool CanRemoveTypes {
+			get {
+				return EncryptedResourceStreamType != null &&
+					EncryptedResourceSetType != null &&
+					EncryptedResourceReaderType != null &&
+					ResType != null &&
+					ResourceFlagsType != null &&
+					ResourceEnumeratorType != null;
+			}
+		}
+
+		public TypeDefinition EncryptedResourceStreamType {
+			get { return encryptedResourceStreamType; }
+		}
+
+		public TypeDefinition EncryptedResourceSetType {
+			get { return encryptedResourceSetType; }
+		}
+
+		public TypeDefinition EncryptedResourceReaderType {
+			get { return encryptedResourceReaderType; }
+		}
+
+		public TypeDefinition ResType {
+			get { return resType; }
+		}
+
+		public TypeDefinition ResourceFlagsType {
+			get { return resourceFlagsType; }
+		}
+
+		public TypeDefinition ResourceEnumeratorType {
+			get { return resourceEnumeratorType; }
+		}
 
 		public ResourceDecrypter(ModuleDefinition module) {
 			this.module = module;
 		}
 
+		public void initialize() {
+			initGetManifestMethods();
+			findEncryptedResourceStreamType();
+			findEncryptedResourceSet();
+			findEncryptedResourceReader();
+			findResType();
+			findResourceFlags();
+			findResourceEnumerator();
+		}
+
+		void initGetManifestMethods() {
+			var assemblyType = new TypeReference("System.Reflection", "Assembly", module, module.TypeSystem.Corlib);
+			var typeType = new TypeReference("System", "Type", module, module.TypeSystem.Corlib);
+			var streamType = new TypeReference("System.IO", "Stream", module, module.TypeSystem.Corlib);
+			Assembly_GetManifestResourceStream1 = new MethodReference("GetManifestResourceStream", streamType, assemblyType);
+			Assembly_GetManifestResourceStream1.HasThis = true;
+			Assembly_GetManifestResourceStream1.Parameters.Add(new ParameterDefinition(module.TypeSystem.String));
+			Assembly_GetManifestResourceStream2 = new MethodReference("GetManifestResourceStream", streamType, assemblyType);
+			Assembly_GetManifestResourceStream2.HasThis = true;
+			Assembly_GetManifestResourceStream2.Parameters.Add(new ParameterDefinition(typeType));
+			Assembly_GetManifestResourceStream2.Parameters.Add(new ParameterDefinition(module.TypeSystem.String));
+		}
+
+		void findResourceEnumerator() {
+			if (encryptedResourceReaderType == null)
+				return;
+
+			var resourceEnumeratorType_fields = new string[] {
+				"System.Collections.DictionaryEntry",
+				"System.Collections.IDictionaryEnumerator",
+				"System.Boolean",
+				encryptedResourceReaderType.FullName,
+			};
+			foreach (var type in module.Types) {
+				if (type.Namespace != "")
+					continue;
+				if (type.BaseType == null || type.BaseType.EType != ElementType.Object)
+					continue;
+				if (!hasInterface(type, "System.Collections.IDictionaryEnumerator"))
+					continue;
+				if (!new FieldTypes(type).all(resourceEnumeratorType_fields))
+					continue;
+				var ctor = DotNetUtils.getMethod(type, ".ctor");
+				if (ctor == null)
+					continue;
+				if (ctor.Parameters.Count != 1)
+					continue;
+				if (ctor.Parameters[0].ParameterType != encryptedResourceReaderType)
+					continue;
+
+				resourceEnumeratorType = type;
+				return;
+			}
+		}
+
+		void findResourceFlags() {
+			if (resTypeCtor == null || resTypeCtor.Parameters.Count != 4)
+				return;
+			var type = resTypeCtor.Parameters[2].ParameterType as TypeDefinition;
+			if (type == null || !type.IsEnum)
+				return;
+
+			resourceFlagsType = type;
+		}
+
+		static string[] resType_fields = new string[] {
+			"System.Int32",
+			"System.Object",
+			"System.String",
+		};
+		void findResType() {
+			if (encryptedResourceReaderTypeDict == null)
+				return;
+			var type = encryptedResourceReaderTypeDict.GenericArguments[1] as TypeDefinition;
+			if (type == null)
+				return;
+			if (type.BaseType == null || type.BaseType.EType != ElementType.Object)
+				return;
+			var ctor = DotNetUtils.getMethod(type, ".ctor");
+			if (ctor == null || ctor.Parameters.Count != 4)
+				return;
+
+			resTypeCtor = ctor;
+			resType = type;
+		}
+
+		static string[] encryptedResourceReaderType_fields = new string[] {
+			"System.Boolean",
+			"System.Int32",
+			"System.Int64",
+			"System.IO.BinaryReader",
+			"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
+		};
+		void findEncryptedResourceReader() {
+			var type = getTypeFromCode(encryptedResourceSet_GetDefaultReader);
+			if (type == null)
+				return;
+			if (type.BaseType == null || !hasInterface(type, "System.Resources.IResourceReader"))
+				return;
+			if (!new FieldTypes(type).all(encryptedResourceReaderType_fields))
+				return;
+			var dictType = getDlxResDict(type);
+			if (dictType == null)
+				return;
+			if (findXxteaMethod(type) == null)
+				return;
+
+			encryptedResourceReaderType = type;
+			encryptedResourceReaderTypeDict = dictType;
+		}
+
+		static bool hasInterface(TypeDefinition type, string interfaceFullName) {
+			foreach (var iface in type.Interfaces) {
+				if (iface.FullName == interfaceFullName)
+					return true;
+			}
+			return false;
+		}
+
+		static GenericInstanceType getDlxResDict(TypeDefinition type) {
+			foreach (var field in type.Fields) {
+				var fieldType = field.FieldType as GenericInstanceType;
+				if (fieldType == null)
+					continue;
+				if (fieldType.ElementType.FullName != "System.Collections.Generic.Dictionary`2")
+					continue;
+				if (fieldType.GenericArguments.Count != 2)
+					continue;
+				if (fieldType.GenericArguments[0].FullName != "System.String")
+					continue;
+				if (!(fieldType.GenericArguments[1] is TypeDefinition))
+					continue;
+				return fieldType;
+			}
+			return null;
+		}
+
+		static TypeDefinition getTypeFromCode(MethodDefinition method) {
+			if (method == null || method.Body == null)
+				return null;
+			foreach (var instr in method.Body.Instructions) {
+				if (instr.OpCode.Code != Code.Ldtoken)
+					continue;
+				var type = instr.Operand as TypeDefinition;
+				if (type != null)
+					return type;
+			}
+
+			return null;
+		}
+
+		void findEncryptedResourceSet() {
+			foreach (var type in module.Types) {
+				if (type.Namespace != "")
+					continue;
+				if (type.BaseType == null || type.BaseType.FullName != "System.Resources.ResourceSet")
+					continue;
+				var ctor = DotNetUtils.getMethod(type, ".ctor");
+				if (!DotNetUtils.isMethod(ctor, "System.Void", "(System.Resources.IResourceReader)"))
+					continue;
+				var method = DotNetUtils.getMethod(type, "GetDefaultReader");
+				if (!DotNetUtils.isMethod(method, "System.Type", "()"))
+					continue;
+				if (method.Body == null || method.IsStatic || !method.IsVirtual)
+					continue;
+
+				encryptedResourceSet_GetDefaultReader = method;
+				encryptedResourceSetType = type;
+				return;
+			}
+		}
+
+		static string[] encryptedResourceStreamType_fields = new string[] {
+			"System.Byte",
+			"System.Byte[]",
+			"System.Boolean",
+			"System.Int32",
+			"System.Int64",
+			"System.IO.MemoryStream",
+			"System.IO.Stream",
+			"System.UInt32[]",
+		};
+		void findEncryptedResourceStreamType() {
+			foreach (var type in module.Types) {
+				if (type.Namespace != "")
+					continue;
+				if (type.BaseType == null || type.BaseType.FullName != "System.IO.Stream")
+					continue;
+				var ctor = DotNetUtils.getMethod(type, ".ctor");
+				if (!DotNetUtils.isMethod(ctor, "System.Void", "(System.IO.Stream)"))
+					continue;
+				if (!new FieldTypes(type).all(encryptedResourceStreamType_fields))
+					continue;
+				if (findXxteaMethod(type) == null)
+					continue;
+
+				MethodDefinition getManifestResourceStreamMethodTmp1, getManifestResourceStreamMethodTmp2;
+				if (!findManifestResourceStreamMethods(type, out getManifestResourceStreamMethodTmp1, out getManifestResourceStreamMethodTmp2))
+					continue;
+
+				getManifestResourceStreamMethod1 = getManifestResourceStreamMethodTmp1;
+				getManifestResourceStreamMethod2 = getManifestResourceStreamMethodTmp2;
+				encryptedResourceStreamType = type;
+				return;
+			}
+		}
+
+		static MethodDefinition findXxteaMethod(TypeDefinition type) {
+			foreach (var method in type.Methods) {
+				if (!method.IsPrivate || method.IsStatic || method.Body == null)
+					continue;
+				if (!DotNetUtils.isMethod(method, "System.Void", "(System.UInt32[],System.UInt32[])"))
+					continue;
+				if (!DeobUtils.hasInteger(method, 0x9E3779B9))
+					continue;
+				if (!DeobUtils.hasInteger(method, 52))
+					continue;
+
+				return method;
+			}
+			return null;
+		}
+
+		static bool findManifestResourceStreamMethods(TypeDefinition type, out MethodDefinition getManifestResourceStreamMethodTmp1, out MethodDefinition getManifestResourceStreamMethodTmp2) {
+			getManifestResourceStreamMethodTmp1 = null;
+			getManifestResourceStreamMethodTmp2 = null;
+			foreach (var method in type.Methods) {
+				if (DotNetUtils.isMethod(method, "System.IO.Stream", "(System.Reflection.Assembly,System.String)"))
+					getManifestResourceStreamMethodTmp1 = method;
+				else if (DotNetUtils.isMethod(method, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)"))
+					getManifestResourceStreamMethodTmp2 = method;
+			}
+			return getManifestResourceStreamMethodTmp1 != null && getManifestResourceStreamMethodTmp2 != null;
+		}
+
 		public void decrypt() {
 			for (int i = 0; i < module.Resources.Count; i++) {
 				var resource = module.Resources[i] as EmbeddedResource;
@@ -61,7 +347,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				return null;
 			}
 			catch (Exception ex) {
-				Log.w("Got an exception when decrypting resources: {0}", ex.GetType());
+				Log.w("Got an exception when decrypting resources: {0} - {1}", ex.GetType(), ex.Message);
 				return null;
 			}
 		}
@@ -70,5 +356,29 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			var resourceReader = new ResourceReader(reader);
 			return new ResourceConverter(module, resourceReader.read()).convert();
 		}
+
+		public void deobfuscate(Blocks blocks) {
+			foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
+				var instrs = block.Instructions;
+				for (int i = 0; i < instrs.Count; i++) {
+					var call = instrs[i];
+					if (call.OpCode.Code != Code.Call)
+						continue;
+					var calledMethod = call.Operand as MethodDefinition;
+					if (calledMethod == null)
+						continue;
+
+					MethodReference newMethod = null;
+					if (calledMethod == getManifestResourceStreamMethod1)
+						newMethod = Assembly_GetManifestResourceStream1;
+					else if (calledMethod == getManifestResourceStreamMethod2)
+						newMethod = Assembly_GetManifestResourceStream2;
+					if (newMethod == null)
+						continue;
+
+					instrs[i] = new Instr(Instruction.Create(OpCodes.Callvirt, newMethod));
+				}
+			}
+		}
 	}
 }

From 070acc59f14c2c812abf20d51a793cb9262ce777 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 23:23:51 +0100
Subject: [PATCH 67/78] Bail out earlier if not encrypted

---
 de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
index c9ccfc44..3253e0e3 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
@@ -53,6 +53,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				throw new InvalidDataException("Invalid number");
 			reader.ReadUInt32();
 			resourceReader = reader.ReadString();
+			if (Utils.StartsWith(resourceReader, "System.Resources.ResourceReader", StringComparison.Ordinal))
+				throw new InvalidDataException("Resource isn't encrypted");
 			resourceSet = reader.ReadString();
 			if (reader.ReadByte() != 1)
 				throw new ApplicationException("Invalid version");

From 18cd71ecdc3288dbd13c1b35a18643bd2a340917 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sat, 11 Feb 2012 23:39:37 +0100
Subject: [PATCH 68/78] Update detection (v5.0)

---
 .../deobfuscators/CodeVeil/ResourceDecrypter.cs       | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
index 24738b78..4c492267 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
@@ -291,9 +291,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			foreach (var method in type.Methods) {
 				if (!method.IsPrivate || method.IsStatic || method.Body == null)
 					continue;
-				if (!DotNetUtils.isMethod(method, "System.Void", "(System.UInt32[],System.UInt32[])"))
-					continue;
-				if (!DeobUtils.hasInteger(method, 0x9E3779B9))
+				if (DotNetUtils.isMethod(method, "System.Void", "(System.UInt32[],System.UInt32[])")) {
+					if (!DeobUtils.hasInteger(method, 0x9E3779B9))
+						continue;
+				}
+				else if (DotNetUtils.isMethod(method, "System.Void", "(System.UInt32[],System.UInt32[],System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32)")) {
+					// Here if 5.0. 0x9E3779B9 is passed to it as the last arg.
+				}
+				else
 					continue;
 				if (!DeobUtils.hasInteger(method, 52))
 					continue;

From 80d338637e354aabb0d628d8e51018442b895665 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 12 Feb 2012 11:35:18 +0100
Subject: [PATCH 69/78] Add method to remove classes with no base type

---
 de4dot.code/deobfuscators/DeobfuscatorBase.cs | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/DeobfuscatorBase.cs b/de4dot.code/deobfuscators/DeobfuscatorBase.cs
index 00038d5b..a2829177 100644
--- a/de4dot.code/deobfuscators/DeobfuscatorBase.cs
+++ b/de4dot.code/deobfuscators/DeobfuscatorBase.cs
@@ -180,10 +180,14 @@ namespace de4dot.code.deobfuscators {
 			restoreBaseType();
 		}
 
+		static bool isTypeWithInvalidBaseType(TypeDefinition moduleType, TypeDefinition type) {
+			return type.BaseType == null && !type.IsInterface && type != moduleType;
+		}
+
 		void restoreBaseType() {
 			var moduleType = DotNetUtils.getModuleType(module);
 			foreach (var type in module.GetTypes()) {
-				if (type.BaseType != null || type.IsInterface || type == moduleType)
+				if (!isTypeWithInvalidBaseType(moduleType, type))
 					continue;
 				Log.v("Adding System.Object as base type: {0} ({1:X8})",
 							Utils.removeNewlines(type),
@@ -192,6 +196,15 @@ namespace de4dot.code.deobfuscators {
 			}
 		}
 
+		protected void removeTypesWithInvalidBaseTypes() {
+			var moduleType = DotNetUtils.getModuleType(module);
+			foreach (var type in module.GetTypes()) {
+				if (!isTypeWithInvalidBaseType(moduleType, type))
+					continue;
+				addTypeToBeRemoved(type, "Invalid type with no base type (anti-reflection)");
+			}
+		}
+
 		public virtual IEnumerable<string> getStringDecrypterMethods() {
 			return new List<string>();
 		}

From d6327b401eafb189da5f0056d26f493565c9306f Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 12 Feb 2012 11:39:00 +0100
Subject: [PATCH 70/78] Remove all anti-reflection types

---
 de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 30d9926c..93f89174 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -248,6 +248,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		}
 
 		public override void deobfuscateEnd() {
+			removeTypesWithInvalidBaseTypes();
 			removeProxyDelegates(proxyDelegateFinder, false);	//TODO: Should be 'true'
 			base.deobfuscateEnd();
 		}

From 42f66c3948eba024bc7b67d5d24b70ab0da6ce5f Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 12 Feb 2012 12:03:55 +0100
Subject: [PATCH 71/78] Fix detection; 3.2 doesn't have those extra fields

---
 de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
index 4c977ca4..c1249b54 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MethodsDecrypter.cs
@@ -246,8 +246,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			const int RVA_EXECUTIVE_OFFSET = 1 * 4;
 			const int ENC_CODE_OFFSET = 6 * 4;
-			const int MAGIC1_OFFSET = 7 * 4;
-			const int MAGIC2_OFFSET = 8 * 4;
 			int lastOffset = (int)(section.pointerToRawData + section.sizeOfRawData);
 			for (int offset = getStartOffset(peImage); offset < lastOffset; ) {
 				offset = findSig(fileData, offset, lastOffset, initializeMethodEnd);
@@ -259,17 +257,13 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				if (retImm16 != 0x0C && retImm16 != 0x10)
 					continue;
 				offset += 2;
-				if (offset + MAGIC2_OFFSET + 4 > lastOffset)
+				if (offset + ENC_CODE_OFFSET + 4 > lastOffset)
 					return null;
 
 				// rva is 0 when the assembly has been embedded
 				int rva = BitConverter.ToInt32(fileData, offset + RVA_EXECUTIVE_OFFSET);
 				if (rva != 0 && mainType.Rvas.IndexOf(rva) < 0)
 					continue;
-				if (BitConverter.ToInt32(fileData, offset + MAGIC1_OFFSET) != -1)
-					continue;
-				if (BitConverter.ToInt32(fileData, offset + MAGIC2_OFFSET) != -1)
-					continue;
 
 				int relOffs = BitConverter.ToInt32(fileData, offset + ENC_CODE_OFFSET);
 				if (relOffs <= 0 || relOffs >= section.sizeOfRawData)

From 8999eb8e0f888d6cbdaaa464938c6e4a19407ca7 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 12 Feb 2012 12:08:46 +0100
Subject: [PATCH 72/78] Remove CV main type methods if < v5.0

---
 de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 93f89174..a5dc2179 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -180,9 +180,15 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			addTypeToBeRemoved(killType, "KILL type");
 
 			mainType.initialize();
-			if (mainType.Version >= ObfuscatorVersion.V5_0) {
+			if (!mainType.Detected) {
+			}
+			else if (mainType.Version >= ObfuscatorVersion.V5_0) {
 				//TODO: addTypeToBeRemoved(mainType.Type, "Main CV type");
 			}
+			else {
+				foreach (var method in mainType.Type.Methods)
+					addMethodToBeRemoved(method, "CV main type method");
+			}
 			foreach (var initMethod in mainType.OtherInitMethods) {
 				addCctorInitCallToBeRemoved(initMethod);
 				addCtorInitCallToBeRemoved(initMethod);

From ff55be46b69947e6f59db5c54c98d858b81dc889 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 12 Feb 2012 12:53:36 +0100
Subject: [PATCH 73/78] Rename getField() to getFieldByName() and add a real
 getField() method

---
 blocks/DotNetUtils.cs                               | 12 +++++++++++-
 de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs |  2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/blocks/DotNetUtils.cs b/blocks/DotNetUtils.cs
index 5441e20f..bc89adc9 100644
--- a/blocks/DotNetUtils.cs
+++ b/blocks/DotNetUtils.cs
@@ -472,7 +472,17 @@ namespace de4dot.blocks {
 			return null;
 		}
 
-		public static FieldDefinition getField(TypeDefinition type, string name) {
+		public static FieldDefinition getField(TypeDefinition type, string typeFullName) {
+			if (type == null)
+				return null;
+			foreach (var field in type.Fields) {
+				if (field.FieldType.FullName == typeFullName)
+					return field;
+			}
+			return null;
+		}
+
+		public static FieldDefinition getFieldByName(TypeDefinition type, string name) {
 			if (type == null)
 				return null;
 			foreach (var field in type.Fields) {
diff --git a/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs b/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs
index 0677f8d7..cfa2b9f3 100644
--- a/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs
@@ -156,7 +156,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 		}
 
 		void checkVersion(TypeDefinition attr) {
-			var versionField = DotNetUtils.getField(attr, "Version");
+			var versionField = DotNetUtils.getFieldByName(attr, "Version");
 			if (versionField != null && versionField.IsLiteral && versionField.Constant != null && versionField.Constant is string) {
 				var val = Regex.Match((string)versionField.Constant, @"^(\d+\.\d+\.\d+\.\d+)$");
 				if (val.Groups.Count < 2)

From ded45dcb7a689633ab60cfd9874134e037ec09c6 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 12 Feb 2012 13:00:38 +0100
Subject: [PATCH 74/78] Remove proxy method types and main type

---
 .../deobfuscators/CodeVeil/Deobfuscator.cs    | 31 +++++--
 .../CodeVeil/ProxyDelegateFinder.cs           | 91 +++++++++++++++++++
 2 files changed, 112 insertions(+), 10 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index a5dc2179..c6f1b27a 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -180,15 +180,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			addTypeToBeRemoved(killType, "KILL type");
 
 			mainType.initialize();
-			if (!mainType.Detected) {
-			}
-			else if (mainType.Version >= ObfuscatorVersion.V5_0) {
-				//TODO: addTypeToBeRemoved(mainType.Type, "Main CV type");
-			}
-			else {
-				foreach (var method in mainType.Type.Methods)
-					addMethodToBeRemoved(method, "CV main type method");
-			}
 			foreach (var initMethod in mainType.OtherInitMethods) {
 				addCctorInitCallToBeRemoved(initMethod);
 				addCtorInitCallToBeRemoved(initMethod);
@@ -254,8 +245,28 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		}
 
 		public override void deobfuscateEnd() {
+			bool canRemoveProxyTypes = proxyDelegateFinder.CanRemoveTypes;
+
+			if (!mainType.Detected) {
+			}
+			else if (mainType.Version >= ObfuscatorVersion.V5_0) {
+				if (!proxyDelegateFinder.FoundProxyType || canRemoveProxyTypes)
+					addTypeToBeRemoved(mainType.Type, "Main CV type");
+			}
+			else {
+				foreach (var method in mainType.Type.Methods)
+					addMethodToBeRemoved(method, "CV main type method");
+			}
+
 			removeTypesWithInvalidBaseTypes();
-			removeProxyDelegates(proxyDelegateFinder, false);	//TODO: Should be 'true'
+
+			removeProxyDelegates(proxyDelegateFinder, canRemoveProxyTypes);
+			if (canRemoveProxyTypes) {
+				addTypeToBeRemoved(proxyDelegateFinder.IlGeneratorType, "Obfuscator proxy method ILGenerator type");
+				addTypeToBeRemoved(proxyDelegateFinder.FieldInfoType, "Obfuscator proxy method FieldInfo type");
+				addTypeToBeRemoved(proxyDelegateFinder.MethodInfoType, "Obfuscator proxy method MethodInfo type");
+			}
+
 			base.deobfuscateEnd();
 		}
 
diff --git a/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
index 333d42bf..d61e5a72 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ProxyDelegateFinder.cs
@@ -22,6 +22,7 @@ using System.Collections.Generic;
 using System.IO;
 using Mono.Cecil;
 using Mono.Cecil.Cil;
+using Mono.Cecil.Metadata;
 using de4dot.blocks;
 
 namespace de4dot.code.deobfuscators.CodeVeil {
@@ -34,6 +35,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			public TypeDefinition proxyType;
 			public MethodDefinition initMethod;
 			public FieldDefinition dataField;
+			public TypeDefinition ilgeneratorType;
+			public TypeDefinition fieldInfoType;
+			public TypeDefinition methodInfoType;
 		}
 
 		class Context {
@@ -44,6 +48,31 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			}
 		}
 
+		public bool FoundProxyType {
+			get { return info.proxyType != null; }
+		}
+
+		public bool CanRemoveTypes {
+			get {
+				return info.proxyType != null &&
+					info.ilgeneratorType != null &&
+					info.fieldInfoType != null &&
+					info.methodInfoType != null;
+			}
+		}
+
+		public TypeDefinition IlGeneratorType {
+			get { return info.ilgeneratorType; }
+		}
+
+		public TypeDefinition FieldInfoType {
+			get { return info.fieldInfoType; }
+		}
+
+		public TypeDefinition MethodInfoType {
+			get { return info.methodInfoType; }
+		}
+
 		public ProxyDelegateFinder(ModuleDefinition module, MainType mainType)
 			: base(module) {
 			this.mainType = mainType;
@@ -55,6 +84,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			info.proxyType = lookup(oldOne.info.proxyType, "Could not find proxyType");
 			info.initMethod = lookup(oldOne.info.initMethod, "Could not find initMethod");
 			info.dataField = lookup(oldOne.info.dataField, "Could not find dataField");
+			info.ilgeneratorType = lookup(oldOne.info.ilgeneratorType, "Could not find ilgeneratorType");
+			info.fieldInfoType = lookup(oldOne.info.fieldInfoType, "Could not find fieldInfoType");
+			info.methodInfoType = lookup(oldOne.info.methodInfoType, "Could not find methodInfoType");
 		}
 
 		protected override object checkCctor(TypeDefinition type, MethodDefinition cctor) {
@@ -186,10 +218,69 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			if (info.dataField == null)
 				return;
 
+			findOtherTypes();
+
 			var decompressed = DeobUtils.inflate(info.dataField.InitialValue, true);
 			reader = new BinaryReader(new MemoryStream(decompressed));
 			info.dataField.FieldType = module.TypeSystem.Byte;
 			info.dataField.InitialValue = new byte[1];
 		}
+
+		void findOtherTypes() {
+			if (info.proxyType == null)
+				return;
+
+			foreach (var method in info.proxyType.Methods) {
+				if (method.Parameters.Count != 4)
+					continue;
+
+				if (method.Parameters[2].ParameterType.FullName != "System.Type[]")
+					continue;
+				var methodType = method.Parameters[0].ParameterType as TypeDefinition;
+				var fieldType = method.Parameters[1].ParameterType as TypeDefinition;
+				var ilgType = method.Parameters[3].ParameterType as TypeDefinition;
+				if (!checkMethodType(methodType))
+					continue;
+				if (!checkFieldType(fieldType))
+					continue;
+				if (!checkIlGeneratorType(ilgType))
+					continue;
+
+				info.ilgeneratorType = ilgType;
+				info.methodInfoType = methodType;
+				info.fieldInfoType = fieldType;
+			}
+		}
+
+		bool checkMethodType(TypeDefinition type) {
+			if (type == null || type.BaseType == null || type.BaseType.EType != ElementType.Object)
+				return false;
+			if (type.Fields.Count != 1)
+				return false;
+			if (DotNetUtils.getField(type, "System.Reflection.MethodInfo") == null)
+				return false;
+
+			return true;
+		}
+
+		bool checkFieldType(TypeDefinition type) {
+			if (type == null || type.BaseType == null || type.BaseType.EType != ElementType.Object)
+				return false;
+			if (DotNetUtils.getField(type, "System.Reflection.FieldInfo") == null)
+				return false;
+
+			return true;
+		}
+
+		bool checkIlGeneratorType(TypeDefinition type) {
+			if (type == null || type.BaseType == null || type.BaseType.EType != ElementType.Object)
+				return false;
+			if (type.Fields.Count != 1)
+				return false;
+			if (DotNetUtils.getField(type, "System.Reflection.Emit.ILGenerator") == null)
+				return false;
+
+			return true;
+		}
 	}
 }

From 9a6bd53cb95120205f091f669584c67df1c7c3f3 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 12 Feb 2012 13:38:23 +0100
Subject: [PATCH 75/78] Remove obfuscator obfuscator bundle types

---
 .../CodeVeil/AssemblyResolver.cs              | 123 ++++++++++++++++++
 .../deobfuscators/CodeVeil/Deobfuscator.cs    |   1 +
 2 files changed, 124 insertions(+)

diff --git a/de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs b/de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs
index 399ad26e..04d8ccd2 100644
--- a/de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/AssemblyResolver.cs
@@ -21,6 +21,7 @@ using System.Collections.Generic;
 using System.IO;
 using System.Xml;
 using Mono.Cecil;
+using Mono.Cecil.Cil;
 using de4dot.blocks;
 
 namespace de4dot.code.deobfuscators.CodeVeil {
@@ -29,6 +30,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		EmbeddedResource bundleData;
 		EmbeddedResource bundleXmlFile;
 		TypeDefinition bundleType;
+		TypeDefinition assemblyManagerType;
+		TypeDefinition bundleStreamProviderIFace;
+		TypeDefinition xmlParserType;
+		TypeDefinition bundledAssemblyType;
+		TypeDefinition streamProviderType;
 		List<AssemblyInfo> infos = new List<AssemblyInfo>();
 
 		public class AssemblyInfo {
@@ -49,6 +55,34 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			}
 		}
 
+		public bool CanRemoveTypes {
+			get {
+				return bundleType != null &&
+					assemblyManagerType != null &&
+					bundleStreamProviderIFace != null &&
+					xmlParserType != null &&
+					bundledAssemblyType != null &&
+					streamProviderType != null;
+			}
+		}
+
+		public IEnumerable<TypeDefinition> BundleTypes {
+			get {
+				var list = new List<TypeDefinition>();
+				if (!CanRemoveTypes)
+					return list;
+
+				list.Add(bundleType);
+				list.Add(assemblyManagerType);
+				list.Add(bundleStreamProviderIFace);
+				list.Add(xmlParserType);
+				list.Add(bundledAssemblyType);
+				list.Add(streamProviderType);
+
+				return list;
+			}
+		}
+
 		public IEnumerable<AssemblyInfo> AssemblyInfos {
 			get { return infos; }
 		}
@@ -85,6 +119,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			bundleData = bundleDataTmp;
 			bundleXmlFile = bundleXmlFileTmp;
 			bundleType = bundleTypeTmp;
+			findOtherTypes();
 			return true;
 		}
 
@@ -187,5 +222,93 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			return null;
 		}
+
+		void findOtherTypes() {
+			findAssemblyManagerType();
+			findXmlParserType();
+			findStreamProviderType();
+		}
+
+		void findAssemblyManagerType() {
+			if (bundleType == null)
+				return;
+
+			foreach (var field in bundleType.Fields) {
+				var type = field.FieldType as TypeDefinition;
+				if (type == null)
+					continue;
+				if (type == bundleType)
+					continue;
+				if (type.Fields.Count != 2)
+					continue;
+
+				var ctor = DotNetUtils.getMethod(type, ".ctor");
+				if (ctor == null || ctor.Parameters.Count != 2)
+					continue;
+				var iface = ctor.Parameters[1].ParameterType as TypeDefinition;
+				if (iface == null || !iface.IsInterface)
+					continue;
+
+				assemblyManagerType = type;
+				bundleStreamProviderIFace = iface;
+				return;
+			}
+		}
+
+		void findXmlParserType() {
+			if (assemblyManagerType == null)
+				return;
+			foreach (var field in assemblyManagerType.Fields) {
+				var type = field.FieldType as TypeDefinition;
+				if (type == null || type.IsInterface)
+					continue;
+				var ctor = DotNetUtils.getMethod(type, ".ctor");
+				if (!DotNetUtils.isMethod(ctor, "System.Void", "()"))
+					continue;
+				if (type.Fields.Count != 1)
+					continue;
+				var git = type.Fields[0].FieldType as GenericInstanceType;
+				if (git == null)
+					continue;
+				if (git.ElementType.FullName != "System.Collections.Generic.List`1")
+					continue;
+				if (git.GenericArguments.Count != 1)
+					continue;
+				var type2 = git.GenericArguments[0] as TypeDefinition;
+				if (type2 == null)
+					continue;
+
+				xmlParserType = type;
+				bundledAssemblyType = type2;
+				return;
+			}
+		}
+
+		void findStreamProviderType() {
+			if (bundleType == null)
+				return;
+			var ctor = DotNetUtils.getMethod(bundleType, ".ctor");
+			if (!DotNetUtils.isMethod(ctor, "System.Void", "(System.Reflection.Assembly)"))
+				return;
+			foreach (var instr in ctor.Body.Instructions) {
+				if (instr.OpCode.Code != Code.Newobj)
+					continue;
+				var newobjCtor = instr.Operand as MethodDefinition;
+				if (newobjCtor == null)
+					continue;
+				if (newobjCtor.DeclaringType == assemblyManagerType)
+					continue;
+				if (!DotNetUtils.isMethod(newobjCtor, "System.Void", "(System.Reflection.Assembly,System.String)"))
+					continue;
+				var type = newobjCtor.DeclaringType;
+				if (type.Interfaces.Count != 1)
+					continue;
+				if (type.Interfaces[0] != bundleStreamProviderIFace)
+					continue;
+
+				streamProviderType = type;
+				return;
+			}
+		}
 	}
 }
diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index c6f1b27a..2a806a6d 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -231,6 +231,7 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				DeobfuscatedFile.createAssemblyFile(info.data, info.simpleName, info.extension);
 			addResourceToBeRemoved(assemblyResolver.BundleDataResource, "Embedded assemblies resource");
 			addResourceToBeRemoved(assemblyResolver.BundleXmlFileResource, "Embedded assemblies XML file resource");
+			addTypesToBeRemoved(assemblyResolver.BundleTypes, "Obfuscator assembly bundle types");
 		}
 
 		public override void deobfuscateMethodBegin(Blocks blocks) {

From 037cb5bc68eaa5d3ea1cc79cfaa9a530cbc3d223 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 12 Feb 2012 14:28:53 +0100
Subject: [PATCH 76/78] Decrypt the remaining (EREX) resources

---
 de4dot.code/de4dot.code.csproj                |  1 +
 .../CodeVeil/ErexResourceReader.cs            | 88 +++++++++++++++++++
 .../CodeVeil/ResourceDecrypter.cs             |  8 +-
 3 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 de4dot.code/deobfuscators/CodeVeil/ErexResourceReader.cs

diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 3b346e49..3fdcb213 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -81,6 +81,7 @@
     <Compile Include="deobfuscators\CliSecure\StackFrameHelper.cs" />
     <Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
     <Compile Include="deobfuscators\CodeVeil\AssemblyResolver.cs" />
+    <Compile Include="deobfuscators\CodeVeil\ErexResourceReader.cs" />
     <Compile Include="deobfuscators\CodeVeil\InvalidDataException.cs" />
     <Compile Include="deobfuscators\CodeVeil\MainType.cs" />
     <Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
diff --git a/de4dot.code/deobfuscators/CodeVeil/ErexResourceReader.cs b/de4dot.code/deobfuscators/CodeVeil/ErexResourceReader.cs
new file mode 100644
index 00000000..49ddba94
--- /dev/null
+++ b/de4dot.code/deobfuscators/CodeVeil/ErexResourceReader.cs
@@ -0,0 +1,88 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.IO;
+
+namespace de4dot.code.deobfuscators.CodeVeil {
+	class ErexResourceReader {
+		BinaryReader reader;
+		uint[] key;
+
+		public ErexResourceReader(Stream stream) {
+			reader = new BinaryReader(stream);
+		}
+
+		public byte[] decrypt() {
+			if (reader.ReadUInt32() != 0x58455245)
+				throw new InvalidDataException("Invalid EREX sig");
+			if (reader.ReadInt32() > 1)
+				throw new ApplicationException("Invalid EREX file");
+
+			byte flags = reader.ReadByte();
+			bool isEncrypted = (flags & 1) != 0;
+			bool isDeflated = (flags & 2) != 0;
+
+			int length = reader.ReadInt32();
+			if (length < 0)
+				throw new ApplicationException("Invalid length");
+
+			if (isEncrypted)
+				readKey();
+
+			if (isDeflated)
+				reader = new BinaryReader(inflate(length));
+
+			if (isEncrypted)
+				reader = new BinaryReader(decrypt(length));
+
+			return reader.ReadBytes(length);
+		}
+
+		void readKey() {
+			key = new uint[reader.ReadByte()];
+			for (int i = 0; i < key.Length; i++)
+				key[i] = reader.ReadUInt32();
+		}
+
+		Stream inflate(int length) {
+			var data = reader.ReadBytes((int)(reader.BaseStream.Length - reader.BaseStream.Position));
+			return new MemoryStream(DeobUtils.inflate(data, true));
+		}
+
+		Stream decrypt(int length) {
+			var block = new uint[4];
+			var decrypted = new byte[16];
+
+			var outStream = new MemoryStream(length);
+			while (reader.BaseStream.Position < reader.BaseStream.Length) {
+				block[0] = reader.ReadUInt32();
+				block[1] = reader.ReadUInt32();
+				block[2] = reader.ReadUInt32();
+				block[3] = reader.ReadUInt32();
+				DeobUtils.xxteaDecrypt(block, key);
+				Buffer.BlockCopy(block, 0, decrypted, 0, decrypted.Length);
+				outStream.Write(decrypted, 0, decrypted.Length);
+			}
+
+			outStream.Position = 0;
+			return outStream;
+		}
+	}
+}
diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
index 4c492267..2deb7cc6 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
@@ -340,9 +340,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				stream.Position = 0;
 				var reader = new BinaryReader(stream);
 				uint sig = reader.ReadUInt32();
+				stream.Position = 0;
 				if (sig == 0xBEEFCACE)
 					return decryptBeefcace(reader);
-				//TODO: Decrypt the other type
+				if (sig == 0x58455245)
+					return decryptErex(reader);
 				return null;
 			}
 			catch (InvalidDataException) {
@@ -362,6 +364,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			return new ResourceConverter(module, resourceReader.read()).convert();
 		}
 
+		byte[] decryptErex(BinaryReader reader) {
+			return new ErexResourceReader(reader.BaseStream).decrypt();
+		}
+
 		public void deobfuscate(Blocks blocks) {
 			foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
 				var instrs = block.Instructions;

From 5ce1f74263a218468a08c6d5a3302f768313ef22 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 12 Feb 2012 14:29:11 +0100
Subject: [PATCH 77/78] Position has already been set to 0

---
 de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs b/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
index 3253e0e3..84b33378 100644
--- a/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
@@ -42,7 +42,6 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 		}
 
 		public ResourceReader(BinaryReader reader) {
-			reader.BaseStream.Position = 0;
 			this.reader = reader;
 		}
 

From c73fcfc1d0196e3a10f969f217859bdf18aab8c7 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Sun, 12 Feb 2012 14:35:40 +0100
Subject: [PATCH 78/78] Remove CV type if it is empty

---
 de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 2a806a6d..133b2e48 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -255,8 +255,13 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 					addTypeToBeRemoved(mainType.Type, "Main CV type");
 			}
 			else {
-				foreach (var method in mainType.Type.Methods)
-					addMethodToBeRemoved(method, "CV main type method");
+				var type = mainType.Type;
+				if (!type.HasNestedTypes && !type.HasProperties && !type.HasEvents && !type.HasFields)
+					addTypeToBeRemoved(type, "Main CV type");
+				else {
+					foreach (var method in type.Methods)
+						addMethodToBeRemoved(method, "CV main type method");
+				}
 			}
 
 			removeTypesWithInvalidBaseTypes();