Port SmartAssembly deobfuscator

2012-11-18 17:07:02 +01:00 · 2012-11-18 17:07:02 +01:00 · c5f2043a6e
commit c5f2043a6e
parent cca8eba9ed
16 changed files with 138 additions and 143 deletions
--- a/blocks/DotNetUtils.cs
+++ b/blocks/DotNetUtils.cs
@ -375,18 +375,18 @@ namespace de4dot.blocks {
 			return type.FindMethod(methodRef.Name, methodRef.MethodSig);
 		}

-#if PORT
-		public static IEnumerable<MethodDef> getNormalMethods(TypeDefinition type) {
+		public static IEnumerable<MethodDef> getNormalMethods(TypeDef type) {
 			foreach (var method in type.Methods) {
-				if (method.HasPInvokeInfo)
+				if (method.HasImplMap)
 					continue;
-				if (method.Name == ".ctor" || method.Name == ".cctor")
+				if (method.IsConstructor)
 					continue;

 				yield return method;
 			}
 		}

+#if PORT
 		public static TypeDefinition getType(ModuleDefinition module, TypeReference typeReference) {
 			if (typeReference == null)
 				return null;
@ -394,15 +394,15 @@ namespace de4dot.blocks {
 				return (TypeDefinition)typeReference;
 			return typeCaches.lookup(module, typeReference);
 		}
+#endif

-		public static FieldDefinition getField(ModuleDefinition module, FieldReference field) {
+		public static FieldDef getField(ModuleDef module, IField field) {
 			if (field == null)
 				return null;
-			if (field is FieldDefinition)
-				return (FieldDefinition)field;
+			if (field is FieldDef)
+				return (FieldDef)field;
 			return getField(getType(module, field.DeclaringType), field);
 		}
-#endif

 		public static FieldDef getField(TypeDef type, IField fieldReference) {
 			if (type == null || fieldReference == null)
@ -432,12 +432,13 @@ namespace de4dot.blocks {
 			}
 			return null;
 		}
+#endif

-		public static IEnumerable<MethodReference> getMethodCalls(MethodDef method) {
-			var list = new List<MethodReference>();
+		public static IEnumerable<IMethod> getMethodCalls(MethodDef method) {
+			var list = new List<IMethod>();
 			if (method.HasBody) {
 				foreach (var instr in method.Body.Instructions) {
-					var calledMethod = instr.Operand as MethodReference;
+					var calledMethod = instr.Operand as IMethod;
 					if (calledMethod != null)
 						list.Add(calledMethod);
 				}
@ -445,6 +446,7 @@ namespace de4dot.blocks {
 			return list;
 		}

+#if PORT
 		public static MethodCalls getMethodCallCounts(MethodDef method) {
 			var methodCalls = new MethodCalls();
 			methodCalls.addMethodCalls(method);
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@ -56,7 +56,6 @@
    <Compile Include="AssemblyModule.cs" />
    <Compile Include="AssemblyResolver.cs" />
    <Compile Include="DeobfuscatorContext.cs" />
-    <Compile Include="deobfuscators\ArrayFinder.cs" />
    <Compile Include="deobfuscators\Agile_NET\CliSecureRtType.cs" />
    <Compile Include="deobfuscators\Agile_NET\CsBlowfish.cs" />
    <Compile Include="deobfuscators\Agile_NET\Deobfuscator.cs" />
@ -76,6 +75,7 @@
    <Compile Include="deobfuscators\Agile_NET\vm\UnknownHandlerInfo.cs" />
    <Compile Include="deobfuscators\Agile_NET\vm\VmOpCodeHandlerDetector.cs" />
    <Compile Include="deobfuscators\Agile_NET\vm\VmOperands.cs" />
+    <Compile Include="deobfuscators\ArrayFinder.cs" />
    <Compile Include="deobfuscators\Babel_NET\AssemblyResolver.cs" />
    <Compile Include="deobfuscators\Babel_NET\BabelInflater.cs" />
    <Compile Include="deobfuscators\Babel_NET\BabelMethodCallInliner.cs" />
@ -235,22 +235,22 @@
    <Compile Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
    <Compile Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
    <Compile Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
-    <None Include="deobfuscators\SmartAssembly\AssemblyResolver.cs" />
-    <None Include="deobfuscators\SmartAssembly\AssemblyResolverInfo.cs" />
-    <None Include="deobfuscators\SmartAssembly\AutomatedErrorReportingFinder.cs" />
-    <None Include="deobfuscators\SmartAssembly\Deobfuscator.cs" />
-    <None Include="deobfuscators\SmartAssembly\MemoryManagerInfo.cs" />
-    <None Include="deobfuscators\SmartAssembly\ProxyCallFixer.cs" />
-    <None Include="deobfuscators\SmartAssembly\ResolverInfoBase.cs" />
-    <None Include="deobfuscators\SmartAssembly\ResourceDecrypter.cs" />
-    <None Include="deobfuscators\SmartAssembly\ResourceDecrypterInfo.cs" />
-    <None Include="deobfuscators\SmartAssembly\ResourceResolver.cs" />
-    <None Include="deobfuscators\SmartAssembly\ResourceResolverInfo.cs" />
-    <None Include="deobfuscators\SmartAssembly\SimpleZipInfo.cs" />
-    <None Include="deobfuscators\SmartAssembly\StringDecrypter.cs" />
-    <None Include="deobfuscators\SmartAssembly\StringDecrypterInfo.cs" />
-    <None Include="deobfuscators\SmartAssembly\StringEncoderClassFinder.cs" />
-    <None Include="deobfuscators\SmartAssembly\TamperProtectionRemover.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\AssemblyResolver.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\AssemblyResolverInfo.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\AutomatedErrorReportingFinder.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\Deobfuscator.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\MemoryManagerInfo.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\ProxyCallFixer.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\ResolverInfoBase.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\ResourceDecrypter.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\ResourceDecrypterInfo.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\ResourceResolver.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\ResourceResolverInfo.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\SimpleZipInfo.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\StringDecrypter.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\StringDecrypterInfo.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\StringEncoderClassFinder.cs" />
+    <Compile Include="deobfuscators\SmartAssembly\TamperProtectionRemover.cs" />
    <Compile Include="deobfuscators\Spices_Net\Deobfuscator.cs" />
    <Compile Include="deobfuscators\Spices_Net\QclzDecompressor.cs" />
    <Compile Include="deobfuscators\Spices_Net\ResourceNamesRestorer.cs" />
@ -264,10 +264,10 @@
    <Compile Include="deobfuscators\ValueInlinerBase.cs" />
    <Compile Include="deobfuscators\Xenocode\Deobfuscator.cs" />
    <Compile Include="deobfuscators\Xenocode\StringDecrypter.cs" />
+    <Compile Include="DumpedMethodsRestorer.cs" />
    <Compile Include="IDeobfuscatorContext.cs" />
    <Compile Include="IObfuscatedFile.cs" />
    <Compile Include="Logger.cs" />
-    <Compile Include="DumpedMethodsRestorer.cs" />
    <Compile Include="MethodPrinter.cs" />
    <Compile Include="MethodReturnValueInliner.cs" />
    <Compile Include="NameRegexes.cs" />
--- a/de4dot.code/deobfuscators/SmartAssembly/AssemblyResolverInfo.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/AssemblyResolverInfo.cs
@ -38,7 +38,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			return assemblyName ?? base.ToString();
 		}

-		public static EmbeddedAssemblyInfo create(ModuleDefinition module, string encName, string rsrcName) {
+		public static EmbeddedAssemblyInfo create(ModuleDefMD module, string encName, string rsrcName) {
 			var info = new EmbeddedAssemblyInfo();

 			try {
@ -82,7 +82,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			get { return embeddedAssemblyInfos; }
 		}

-		public AssemblyResolverInfo(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
+		public AssemblyResolverInfo(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 			: base(module, simpleDeobfuscator, deob) {
 		}

@ -160,7 +160,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			foreach (var call in method.Body.Instructions) {
 				if (call.OpCode.Code != Code.Call)
 					continue;
-				var calledMethod = call.Operand as MethodReference;
+				var calledMethod = call.Operand as IMethod;
 				if (calledMethod == null)
 					continue;
 				if (!SimpleZipInfo.isSimpleZipDecryptMethod_QuickCheck(module, calledMethod, out simpleZipTypeMethod))
--- a/de4dot.code/deobfuscators/SmartAssembly/AutomatedErrorReportingFinder.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/AutomatedErrorReportingFinder.cs
@ -25,18 +25,18 @@ using de4dot.blocks;

 namespace de4dot.code.deobfuscators.SmartAssembly {
 	class AutomatedErrorReportingFinder : ExceptionLoggerRemover {
-		ModuleDefinition module;
+		ModuleDefMD module;
 		bool enabled;

 		protected override bool HasExceptionLoggers {
 			get { return enabled; }
 		}

-		public AutomatedErrorReportingFinder(ModuleDefinition module) {
+		public AutomatedErrorReportingFinder(ModuleDefMD module) {
 			this.module = module;
 		}

-		protected override bool isExceptionLogger(MethodReference method) {
+		protected override bool isExceptionLogger(IMethod method) {
 			return isExceptionLoggerMethod(method);
 		}

@ -80,14 +80,14 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			return isExceptionLoggerMethod(exceptionMethod);
 		}

-		MethodReference checkHandler(IList<Instruction> instrs, int start, int end) {
-			MethodReference calledMethod = null;
+		IMethod checkHandler(IList<Instruction> instrs, int start, int end) {
+			IMethod calledMethod = null;
 			for (int i = start; i < end; i++) {
 				var instr = instrs[i];
 				if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
 					if (calledMethod != null)
 						return null;
-					var method = instr.Operand as MethodReference;
+					var method = instr.Operand as IMethod;
 					if (method == null)
 						return null;
 					calledMethod = method;
@ -97,24 +97,24 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			return calledMethod;
 		}

-		static bool isExceptionLoggerMethod(MethodReference method) {
+		static bool isExceptionLoggerMethod(IMethod method) {
 			if (method.Name == ".ctor" || method.Name == ".cctor")
 				return false;

-			var parameters = method.Parameters;
-			if (parameters.Count < 1)
+			var sig = method.MethodSig;
+			if (sig == null || sig.Params.Count < 1)
 				return false;

-			var rtype = method.MethodReturnType.ReturnType.FullName;
-			var type0 = parameters[0].ParameterType.FullName;
-			var type1 = parameters.Count < 2 ? "" : parameters[1].ParameterType.FullName;
+			var rtype = sig.RetType.GetFullName();
+			var type0 = sig.Params[0].GetFullName();
+			var type1 = sig.Params.Count < 2 ? "" : sig.Params[1].GetFullName();
 			int index;
 			if (rtype == "System.Void") {
 				if (type0 == "System.Exception" && type1 == "System.Int32")
 					index = 2;
 				else if (type0 == "System.Object[]" && type1 == "System.Exception")
 					return true;
-				else if (parameters.Count == 2 && type0 == "System.Int32" && type1 == "System.Object[]")
+				else if (sig.Params.Count == 2 && type0 == "System.Int32" && type1 == "System.Object[]")
 					return true;
 				else if (type0 == "System.Exception")
 					index = 1;
@ -126,7 +126,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 					index = 2;
 				else if (type0 == "System.Int32" && type1 == "System.Exception")
 					index = 2;
-				else if (parameters.Count == 2 && type0 == "System.Int32" && type1 == "System.Object[]")
+				else if (sig.Params.Count == 2 && type0 == "System.Int32" && type1 == "System.Object[]")
 					return true;
 				else if (type0 == "System.Exception")
 					index = 1;
@ -136,11 +136,11 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			else
 				return false;

-			if (index + 1 == parameters.Count && parameters[index].ParameterType.FullName == "System.Object[]")
+			if (index + 1 == sig.Params.Count && sig.Params[index].GetFullName() == "System.Object[]")
 				return true;

-			for (int i = index; i < parameters.Count; i++) {
-				if (parameters[i].ParameterType.FullName != "System.Object")
+			for (int i = index; i < sig.Params.Count; i++) {
+				if (sig.Params[i].GetElementType() != ElementType.Object)
 					return false;
 			}

--- a/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/Deobfuscator.cs
@ -25,9 +25,6 @@ using dot10.DotNet;
 using dot10.DotNet.Emit;
 using de4dot.blocks;

-// SmartAssembly can add so much junk that it's very difficult to find and remove all of it.
-// I remove some safe types that are almost guaranteed not to have any references in the code.
-
 namespace de4dot.code.deobfuscators.SmartAssembly {
 	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
 		public const string THE_NAME = "SmartAssembly";
@ -123,7 +120,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			StringFeatures = StringFeatures.AllowStaticDecryption;
 		}

-		public override void init(ModuleDefinition module) {
+		public override void init(ModuleDefMD module) {
 			base.init(module);
 		}

@ -241,7 +238,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {

 				var attrs2 = new Dictionary<TypeDef, bool>();
 				foreach (var cattr in cattrs) {
-					if (!DotNetUtils.isMethod(cattr.Constructor, "System.Void", "(System.Int32)"))
+					if (!DotNetUtils.isMethod(cattr.Constructor as IMethod, "System.Void", "(System.Int32)"))
 						continue;
 					var attrType = cattr.AttributeType as TypeDef;
 					if (attrType == null)
@ -275,7 +272,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			foreach (var type in module.Types) {
 				if (type == moduleType)
 					continue;
-				var ns = type.Namespace;
+				var ns = type.Namespace.String;
 				if (!namespaces.ContainsKey(ns))
 					namespaces[ns] = 0;
 				if (type.Name != "" || type.IsPublic || type.HasFields || type.HasMethods || type.HasProperties || type.HasEvents)
@ -417,8 +414,9 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			Logger.v("Adding string decrypter. Resource: {0}", Utils.toCsharpString(info.StringsResource.Name));
 			var decrypter = new StringDecrypter(info);
 			if (decrypter.CanDecrypt) {
-				staticStringInliner.add(DotNetUtils.getMethod(info.GetStringDelegate, "Invoke"), (method, gim, args) => {
-					var fieldDefinition = DotNetUtils.getField(module, (FieldReference)args[0]);
+				var invokeMethod = info.GetStringDelegate == null ? null : info.GetStringDelegate.FindMethod("Invoke");
+				staticStringInliner.add(invokeMethod, (method, gim, args) => {
+					var fieldDefinition = DotNetUtils.getField(module, (IField)args[0]);
 					return decrypter.decrypt(fieldDefinition.MDToken.ToInt32(), (int)args[1]);
 				});
 				staticStringInliner.add(info.StringDecrypterMethod, (method, gim, args) => {
--- a/de4dot.code/deobfuscators/SmartAssembly/MemoryManagerInfo.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/MemoryManagerInfo.cs
@ -22,7 +22,7 @@ using de4dot.blocks;

 namespace de4dot.code.deobfuscators.SmartAssembly {
 	class MemoryManagerInfo {
-		ModuleDefinition module;
+		ModuleDefMD module;
 		TypeDef memoryManagerType;
 		MethodDef attachAppMethod;

@ -38,7 +38,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			get { return attachAppMethod; }
 		}

-		public MemoryManagerInfo(ModuleDefinition module) {
+		public MemoryManagerInfo(ModuleDefMD module) {
 			this.module = module;
 		}

@ -72,7 +72,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			// Only two fields: itself and a long
 			int fields = 0;
 			foreach (var field in type.Fields) {
-				if (MemberReferenceHelper.compareTypes(field.FieldType, type) ||
+				if (new SigComparer().Equals(field.FieldType, type) ||
 					field.FieldType.FullName == "System.Int64") {
 					fields++;
 					continue;
--- a/de4dot.code/deobfuscators/SmartAssembly/ProxyCallFixer.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/ProxyCallFixer.cs
@ -37,7 +37,6 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			'\x9E', '\x9F',
 		};

-		IList<MemberReference> memberReferences;
 		ISimpleDeobfuscator simpleDeobfuscator;

 		static ProxyCallFixer() {
@ -45,9 +44,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 				specialCharsDict[specialChars[i]] = i;
 		}

-		public ProxyCallFixer(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator)
+		public ProxyCallFixer(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator)
 			: base(module) {
-			this.memberReferences = new List<MemberReference>(module.GetMemberReferences());
 			this.simpleDeobfuscator = simpleDeobfuscator;
 		}

@ -59,14 +57,14 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 				simpleDeobfuscator.deobfuscate(cctor);
 			if (instrs.Count != 3)
 				return null;
-			if (!DotNetUtils.isLdcI4(instrs[0].OpCode.Code))
+			if (!instrs[0].IsLdcI4())
 				return null;
 			if (instrs[1].OpCode != OpCodes.Call || !isDelegateCreatorMethod(instrs[1].Operand as MethodDef))
 				return null;
 			if (instrs[2].OpCode != OpCodes.Ret)
 				return null;

-			int delegateToken = 0x02000001 + DotNetUtils.getLdcI4Value(instrs[0]);
+			int delegateToken = 0x02000001 + instrs[0].GetLdcI4Value();
 			if (type.MDToken.ToInt32() != delegateToken) {
 				Logger.w("Delegate token is not current type");
 				return null;
@ -75,11 +73,11 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			return new object();
 		}

-		protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) {
+		protected override void getCallInfo(object context, FieldDef field, out IMethod calledMethod, out OpCode callOpcode) {
 			callOpcode = OpCodes.Call;
-			string name = field.Name;
+			string name = field.Name.String;

-			int methodIndex = 0;
+			uint memberRefRid = 0;
 			for (int i = name.Length - 1; i >= 0; i--) {
 				char c = name[i];
 				if (c == '~') {
@ -89,24 +87,21 @@ namespace de4dot.code.deobfuscators.SmartAssembly {

 				int val;
 				if (specialCharsDict.TryGetValue(c, out val))
-					methodIndex = methodIndex * specialChars.Length + val;
+					memberRefRid = memberRefRid * (uint)specialChars.Length + (uint)val;
 			}
+			memberRefRid++;

-			if (methodIndex >= memberReferences.Count) {
-				Logger.w("Ignoring invalid methodIndex: {0:X8}, field: {1:X8}", methodIndex, field.MDToken.ToInt32());
-				calledMethod = null;
-				return;
-			}
-
-			calledMethod = memberReferences[methodIndex] as MethodReference;
+			calledMethod = module.ResolveMemberRef(memberRefRid);
+			if (calledMethod == null)
+				Logger.w("Ignoring invalid method RID: {0:X8}, field: {1:X8}", memberRefRid, field.MDToken.ToInt32());
 		}

-		public void findDelegateCreator(ModuleDefinition module) {
+		public void findDelegateCreator(ModuleDefMD module) {
 			var callCounter = new CallCounter();
 			foreach (var type in module.Types) {
 				if (type.Namespace != "" || !DotNetUtils.derivesFromDelegate(type))
 					continue;
-				var cctor = DotNetUtils.getMethod(type, ".cctor");
+				var cctor = type.FindStaticConstructor();
 				if (cctor == null)
 					continue;
 				foreach (var method in DotNetUtils.getMethodCalls(cctor))
--- a/de4dot.code/deobfuscators/SmartAssembly/ResolverInfoBase.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/ResolverInfoBase.cs
@ -24,7 +24,7 @@ using de4dot.blocks;

 namespace de4dot.code.deobfuscators.SmartAssembly {
 	abstract class ResolverInfoBase {
-		protected ModuleDefinition module;
+		protected ModuleDefMD module;
 		ISimpleDeobfuscator simpleDeobfuscator;
 		IDeobfuscator deob;
 		TypeDef resolverType;
@ -48,7 +48,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			get { return callResolverMethod; }
 		}

-		public ResolverInfoBase(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
+		public ResolverInfoBase(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
 			this.module = module;
 			this.simpleDeobfuscator = simpleDeobfuscator;
 			this.deob = deob;
@ -163,7 +163,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			foreach (var instr in resolveHandler.Body.Instructions) {
 				if (instr.OpCode.Code != Code.Ldsfld && instr.OpCode.Code != Code.Stsfld)
 					continue;
-				var field = DotNetUtils.getField(module, instr.Operand as FieldReference);
+				var field = DotNetUtils.getField(module, instr.Operand as IField);
 				if (field == null)
 					continue;
 				if (!checkResolverType(field.DeclaringType))
@ -190,20 +190,20 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 					continue;

 				var call = instrs[0];
-				if (!DotNetUtils.isMethod(call.Operand as MethodReference, "System.AppDomain", "()"))
+				if (!DotNetUtils.isMethod(call.Operand as IMethod, "System.AppDomain", "()"))
 					continue;

 				var ldftn = instrs[2];
-				var handlerDef = DotNetUtils.getMethod(module, ldftn.Operand as MethodReference);
+				var handlerDef = DotNetUtils.getMethod(module, ldftn.Operand as IMethod);
 				if (handlerDef == null)
 					continue;

 				var newobj = instrs[3];
-				if (!DotNetUtils.isMethod(newobj.Operand as MethodReference, "System.Void", "(System.Object,System.IntPtr)"))
+				if (!DotNetUtils.isMethod(newobj.Operand as IMethod, "System.Void", "(System.Object,System.IntPtr)"))
 					continue;

 				var callvirt = instrs[4];
-				if (!DotNetUtils.isMethod(callvirt.Operand as MethodReference, "System.Void", "(System.ResolveEventHandler)"))
+				if (!DotNetUtils.isMethod(callvirt.Operand as IMethod, "System.Void", "(System.ResolveEventHandler)"))
 					continue;

 				numHandlers++;
--- a/de4dot.code/deobfuscators/SmartAssembly/ResourceDecrypterInfo.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/ResourceDecrypterInfo.cs
@ -24,7 +24,7 @@ using de4dot.blocks;

 namespace de4dot.code.deobfuscators.SmartAssembly {
 	class ResourceDecrypterInfo {
-		ModuleDefinition module;
+		ModuleDefMD module;
 		MethodDef simpleZipTypeDecryptMethod;

 		public byte[] DES_Key { get; private set; }
@ -36,11 +36,11 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			get { return simpleZipTypeDecryptMethod != null; }
 		}

-		public ResourceDecrypterInfo(ModuleDefinition module) {
+		public ResourceDecrypterInfo(ModuleDefMD module) {
 			this.module = module;
 		}

-		public ResourceDecrypterInfo(ModuleDefinition module, MethodDef simpleZipTypeDecryptMethod, ISimpleDeobfuscator simpleDeobfuscator)
+		public ResourceDecrypterInfo(ModuleDefMD module, MethodDef simpleZipTypeDecryptMethod, ISimpleDeobfuscator simpleDeobfuscator)
 			: this(module) {
 			setSimpleZipType(simpleZipTypeDecryptMethod, simpleDeobfuscator);
 		}
@ -62,7 +62,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 				var ldtoken = instructions[i];
 				if (ldtoken.OpCode.Code != Code.Ldtoken)
 					continue;
-				var field = DotNetUtils.getField(module, ldtoken.Operand as FieldReference);
+				var field = DotNetUtils.getField(module, ldtoken.Operand as IField);
 				if (field == null)
 					continue;
 				if (field.InitialValue == null)
@ -71,7 +71,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 				var call = instructions[i + 1];
 				if (call.OpCode.Code != Code.Call)
 					continue;
-				var calledMethod = call.Operand as MethodReference;
+				var calledMethod = call.Operand as IMethod;
 				if (!DotNetUtils.isMethod(calledMethod, "System.Void", "(System.Array,System.RuntimeFieldHandle)"))
 					continue;

--- a/de4dot.code/deobfuscators/SmartAssembly/ResourceResolver.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/ResourceResolver.cs
@ -24,12 +24,12 @@ using de4dot.blocks;

 namespace de4dot.code.deobfuscators.SmartAssembly {
 	class ResourceResolver {
-		ModuleDefinition module;
+		ModuleDefMD module;
 		AssemblyResolver assemblyResolver;
 		ResourceResolverInfo resourceResolverInfo;
 		bool mergedIt = false;

-		public ResourceResolver(ModuleDefinition module, AssemblyResolver assemblyResolver, ResourceResolverInfo resourceResolverInfo) {
+		public ResourceResolver(ModuleDefMD module, AssemblyResolver assemblyResolver, ResourceResolverInfo resourceResolverInfo) {
 			this.module = module;
 			this.assemblyResolver = assemblyResolver;
 			this.resourceResolverInfo = resourceResolverInfo;
--- a/de4dot.code/deobfuscators/SmartAssembly/ResourceResolverInfo.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/ResourceResolverInfo.cs
@ -30,7 +30,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			get { return resourceInfo; }
 		}

-		public ResourceResolverInfo(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob, AssemblyResolverInfo assemblyResolverInfo)
+		public ResourceResolverInfo(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob, AssemblyResolverInfo assemblyResolverInfo)
 			: base(module, simpleDeobfuscator, deob) {
 			this.assemblyResolverInfo = assemblyResolverInfo;
 		}
@ -51,7 +51,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 					continue;

 				var s = instrs[0].Operand as string;
-				var calledMethod = instrs[1].Operand as MethodReference;
+				var calledMethod = instrs[1].Operand as IMethod;
 				if (s == null || calledMethod == null)
 					continue;

--- a/de4dot.code/deobfuscators/SmartAssembly/SimpleZipInfo.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/SimpleZipInfo.cs
@ -23,7 +23,7 @@ using de4dot.blocks;
 namespace de4dot.code.deobfuscators.SmartAssembly {
 	class SimpleZipInfo {

-		public static bool isSimpleZipDecryptMethod_QuickCheck(ModuleDefinition module, MethodReference method, out MethodDef simpleZipTypeMethod) {
+		public static bool isSimpleZipDecryptMethod_QuickCheck(ModuleDefMD module, IMethod method, out MethodDef simpleZipTypeMethod) {
 			simpleZipTypeMethod = null;

 			if (!DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte[])"))
--- a/de4dot.code/deobfuscators/SmartAssembly/StringDecrypterInfo.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/StringDecrypterInfo.cs
@ -33,7 +33,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 	}

 	class StringDecrypterInfo {
-		ModuleDefinition module;
+		ModuleDefMD module;
 		ResourceDecrypter resourceDecrypter;
 		TypeDef stringsEncodingClass;
 		EmbeddedResource stringsResource;
@ -78,7 +78,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			get { return stringDecrypterMethod; }
 		}

-		public StringDecrypterInfo(ModuleDefinition module, TypeDef stringsEncodingClass) {
+		public StringDecrypterInfo(ModuleDefMD module, TypeDef stringsEncodingClass) {
 			this.module = module;
 			this.stringsEncodingClass = stringsEncodingClass;
 		}
@ -103,7 +103,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 		}

 		public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
-			var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
+			var cctor = stringsEncodingClass.FindStaticConstructor();
 			if (cctor != null)
 				simpleDeobfuscator.deobfuscate(cctor);

@ -127,10 +127,10 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 				stringOffset = 0;
 				if (decrypterVersion != StringDecrypterVersion.V1) {
 					if (callsGetPublicKeyToken(initMethod)) {
-						var pkt = module.Assembly.Name.PublicKeyToken;
-						if (pkt != null) {
-							for (int i = 0; i < pkt.Length - 1; i += 2)
-								stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
+						var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
+						if (!PublicKeyBase.IsNullOrEmpty2(pkt)) {
+							for (int i = 0; i < pkt.Data.Length - 1; i += 2)
+								stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
 						}
 					}

@ -168,7 +168,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 				return true;

 			if (decrypterVersion <= StringDecrypterVersion.V3) {
-				stringsResource = DotNetUtils.getResource(module, module.Mvid.ToString("B")) as EmbeddedResource;
+				stringsResource = DotNetUtils.getResource(module, (module.Mvid ?? Guid.NewGuid()).ToString("B")) as EmbeddedResource;
 				if (stringsResource != null)
 					return true;
 			}
@ -217,7 +217,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {

 		// Find the string decrypter string offset value or null if none found
 		int? findOffsetValue(MethodDef method) {
-			var fieldDict = new FieldDefinitionAndDeclaringTypeDict<FieldReference>();
+			var fieldDict = new FieldDefinitionAndDeclaringTypeDict<IField>();
 			foreach (var field in method.DeclaringType.Fields)
 				fieldDict.add(field, field);

@ -228,22 +228,22 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			return findOffsetValue(method, (FieldDef)fieldDict.find(offsetField), fieldDict);
 		}

-		FieldReference findOffsetField(MethodDef method) {
+		IField findOffsetField(MethodDef method) {
 			var instructions = method.Body.Instructions;
 			for (int i = 0; i <= instructions.Count - 2; i++) {
 				var ldsfld = instructions[i];
 				if (ldsfld.OpCode.Code != Code.Ldsfld)
 					continue;
-				var field = ldsfld.Operand as FieldReference;
-				if (field == null || field.FieldType.FullName != "System.String")
+				var field = ldsfld.Operand as IField;
+				if (field == null || field.FieldSig.GetFieldType().GetElementType() != ElementType.String)
 					continue;
-				if (!MemberReferenceHelper.compareTypes(stringsEncodingClass, field.DeclaringType))
+				if (!new SigComparer().Equals(stringsEncodingClass, field.DeclaringType))
 					continue;

 				var call = instructions[i + 1];
 				if (call.OpCode.Code != Code.Call)
 					continue;
-				var calledMethod = call.Operand as MethodReference;
+				var calledMethod = call.Operand as IMethod;
 				if (!DotNetUtils.isMethod(calledMethod, "System.Int32", "(System.String)"))
 					continue;

@ -253,7 +253,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			return null;
 		}

-		int? findOffsetValue(MethodDef method, FieldDef offsetField, FieldDefinitionAndDeclaringTypeDict<FieldReference> fields) {
+		int? findOffsetValue(MethodDef method, FieldDef offsetField, FieldDefinitionAndDeclaringTypeDict<IField> fields) {
 			var instructions = method.Body.Instructions;
 			for (int i = 0; i <= instructions.Count - 2; i++) {
 				var ldstr = instructions[i];
@ -266,7 +266,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 				var stsfld = instructions[i + 1];
 				if (stsfld.OpCode.Code != Code.Stsfld)
 					continue;
-				var field = stsfld.Operand as FieldReference;
+				var field = stsfld.Operand as IField;
 				if (field == null || fields.find(field) != offsetField)
 					continue;

@ -309,10 +309,10 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 				var stsfld = instructions[i + 1];
 				if (stsfld.OpCode.Code != Code.Stsfld)
 					continue;
-				var field = stsfld.Operand as FieldReference;
-				if (field == null || field.FieldType.FullName != "System.Byte[]")
+				var field = stsfld.Operand as IField;
+				if (field == null || field.FieldSig.GetFieldType().GetFullName() != "System.Byte[]")
 					continue;
-				if (!MemberReferenceHelper.compareTypes(stringsEncodingClass, field.DeclaringType))
+				if (!new SigComparer().Equals(stringsEncodingClass, field.DeclaringType))
 					continue;

 				return calledMethod;
@ -322,9 +322,11 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 		}

 		public IEnumerable<FieldDef> getAllStringDelegateFields() {
+			if (GetStringDelegate == null)
+				yield break;
 			foreach (var type in module.GetTypes()) {
 				foreach (var field in type.Fields) {
-					if (field.FieldType == GetStringDelegate)
+					if (field.FieldType.TryGetTypeDef() == GetStringDelegate)
 						yield return field;
 				}
 			}
@ -347,8 +349,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 					var call = instructions[i];
 					if (call.OpCode != OpCodes.Call)
 						continue;
-					var method = call.Operand as MethodReference;
-					if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(method, CreateStringDelegateMethod))
+					var method = call.Operand as IMethod;
+					if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(method, CreateStringDelegateMethod))
 						continue;

 					block.remove(i, 1);
@ -364,21 +366,21 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 					var ldtoken = instructions[i];
 					if (ldtoken.OpCode != OpCodes.Ldtoken)
 						continue;
-					if (!MemberReferenceHelper.compareTypes(blocks.Method.DeclaringType, ldtoken.Operand as TypeReference))
+					if (!new SigComparer().Equals(blocks.Method.DeclaringType, ldtoken.Operand as ITypeDefOrRef))
 						continue;

 					var call1 = instructions[i + 1];
 					if (call1.OpCode != OpCodes.Call)
 						continue;
-					var method1 = call1.Operand as MethodReference;
+					var method1 = call1.Operand as IMethod;
 					if (method1 == null || method1.ToString() != "System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle)")
 						continue;

 					var call2 = instructions[i + 2];
 					if (call2.OpCode != OpCodes.Call)
 						continue;
-					var method2 = call2.Operand as MethodReference;
-					if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(method2, CreateStringDelegateMethod))
+					var method2 = call2.Operand as IMethod;
+					if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(method2, CreateStringDelegateMethod))
 						continue;

 					block.remove(i, 3);
--- a/de4dot.code/deobfuscators/SmartAssembly/StringEncoderClassFinder.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/StringEncoderClassFinder.cs
@ -35,7 +35,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 	}

 	class StringEncoderClassFinder {
-		ModuleDefinition module;
+		ModuleDefMD module;
 		ISimpleDeobfuscator simpleDeobfuscator;
 		IList<StringsEncoderInfo> stringsEncoderInfos = new List<StringsEncoderInfo>();

@ -43,12 +43,12 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			get { return stringsEncoderInfos; }
 		}

-		public StringEncoderClassFinder(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
+		public StringEncoderClassFinder(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator) {
 			this.module = module;
 			this.simpleDeobfuscator = simpleDeobfuscator;
 		}

-		TypeDef getType(TypeReference typeReference) {
+		TypeDef getType(ITypeDefOrRef typeReference) {
 			return DotNetUtils.getType(module, typeReference);
 		}

@ -113,13 +113,13 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions) {
 				if (ldtoken.OpCode.Code != Code.Ldtoken)
 					continue;
-				var typeToken = ldtoken.Operand as TypeReference;
+				var typeToken = ldtoken.Operand as ITypeDefOrRef;
 				if (typeToken == null)
 					continue;
 				var delegateType = getType(typeToken);
 				if (!DotNetUtils.derivesFromDelegate(delegateType))
 					continue;
-				var invoke = DotNetUtils.getMethod(delegateType, "Invoke");
+				var invoke = delegateType.FindMethod("Invoke");
 				if (invoke == null || !DotNetUtils.isMethod(invoke, "System.String", "(System.Int32)"))
 					continue;

@ -139,7 +139,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions) {
 				if (ldtoken.OpCode.Code != Code.Ldtoken)
 					continue;
-				var typeToken = ldtoken.Operand as TypeReference;
+				var typeToken = ldtoken.Operand as ITypeDefOrRef;
 				if (typeToken == null)
 					continue;
 				var type = getType(typeToken);
@ -186,7 +186,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			if (fields.exists("System.Collections.Hashtable") ||
 				fields.exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>") ||
 				fields.exactly(fields3x)) {
-				if (DotNetUtils.getMethod(type, ".cctor") == null)
+				if (type.FindStaticConstructor() == null)
 					return false;
 			}
 			else if (fields.exactly(fields1x) || fields.exactly(fields2x)) {
--- a/de4dot.code/deobfuscators/SmartAssembly/TamperProtectionRemover.cs
+++ b/de4dot.code/deobfuscators/SmartAssembly/TamperProtectionRemover.cs
@ -25,7 +25,7 @@ using de4dot.blocks;

 namespace de4dot.code.deobfuscators.SmartAssembly {
 	class TamperProtectionRemover {
-		ModuleDefinition module;
+		ModuleDefMD module;
 		List<MethodDef> pinvokeMethods = new List<MethodDef>();

 		enum Type {
@ -37,7 +37,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			get { return pinvokeMethods; }
 		}

-		public TamperProtectionRemover(ModuleDefinition module) {
+		public TamperProtectionRemover(ModuleDefMD module) {
 			this.module = module;
 		}

@ -89,7 +89,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			return tamperBlocks;
 		}

-		bool findFirstBlocks(TamperBlocks tamperBlocks, IList<Block> allBlocks, IList<VariableDefinition> locals) {
+		bool findFirstBlocks(TamperBlocks tamperBlocks, IList<Block> allBlocks, IList<Local> locals) {
 			foreach (var b in allBlocks) {
 				try {
 					if (findFirstBlocks(b, tamperBlocks, allBlocks, locals))
@ -103,14 +103,14 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			return false;
 		}

-		static int findCallMethod(Block block, int index, bool keepLooking, Func<MethodReference, bool> func) {
+		static int findCallMethod(Block block, int index, bool keepLooking, Func<IMethod, bool> func) {
 			var instrs = block.Instructions;
 			for (int i = index; i < instrs.Count; i++) {
 				var instr = instrs[i];
 				if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
 					continue;

-				var calledMethod = instr.Operand as MethodReference;
+				var calledMethod = instr.Operand as IMethod;
 				if (calledMethod != null && func(calledMethod))
 					return i;
 				if (!keepLooking)
@ -119,7 +119,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			return -1;
 		}

-		bool findFirstBlocks(Block block, TamperBlocks tamperBlocks, IList<Block> allBlocks, IList<VariableDefinition> locals) {
+		bool findFirstBlocks(Block block, TamperBlocks tamperBlocks, IList<Block> allBlocks, IList<Local> locals) {
 			if (!block.LastInstr.isBrfalse())
 				return false;

@ -146,7 +146,7 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			var instrs = block.Instructions;
 			int end = instrs.Count - 1;
 			Instr instr;
-			MethodReference method;
+			IMethod method;
 			tamperBlocks.type = Type.V1;

 			int index = 0;
@ -223,8 +223,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			instr = instrs[end++];
 			if (instr.OpCode != OpCodes.Callvirt)
 				return false;
-			method = (MethodReference)instr.Operand;
-			if (method.ToString() != "System.String System.Reflection.Assembly::get_FullName()")
+			method = instr.Operand as IMethod;
+			if (method == null || method.ToString() != "System.String System.Reflection.Assembly::get_FullName()")
 				return false;

 			instr = instrs[end++];
@ -234,8 +234,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			instr = instrs[end++];
 			if (instr.OpCode != OpCodes.Callvirt)
 				return false;
-			method = (MethodReference)instr.Operand;
-			if (method.ToString() != "System.Boolean System.String::EndsWith(System.String)")
+			method = instr.Operand as IMethod;
+			if (method == null || method.ToString() != "System.Boolean System.String::EndsWith(System.String)")
 				return false;

 			instr = instrs[end++];
@ -274,8 +274,8 @@ namespace de4dot.code.deobfuscators.SmartAssembly {
 			instr = instrs[end++];
 			if (instr.OpCode != OpCodes.Newobj)
 				return null;
-			var method = (MethodReference)instr.Operand;
-			if (method.ToString() != "System.Void System.Security.SecurityException::.ctor(System.String)")
+			var method = instr.Operand as IMethod;
+			if (method == null || method.ToString() != "System.Void System.Security.SecurityException::.ctor(System.String)")
 				return null;

 			instr = instrs[end++];
--- a/de4dot.cui/Program.cs
+++ b/de4dot.cui/Program.cs
@ -55,9 +55,7 @@ namespace de4dot.cui {
 				new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
-#if PORT
 				new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
-#endif
 				new de4dot.code.deobfuscators.Spices_Net.DeobfuscatorInfo(),
 				new de4dot.code.deobfuscators.Xenocode.DeobfuscatorInfo(),
 			};