From c7571393570368150a06a538b8385f9e7b7fef78 Mon Sep 17 00:00:00 2001
From: de4dot <de4dot@gmail.com>
Date: Wed, 8 Feb 2012 18:58:06 +0100
Subject: [PATCH] Remove string decrypter type

---
 .../deobfuscators/CodeVeil/Deobfuscator.cs    |  3 +++
 .../deobfuscators/CodeVeil/MainType.cs        | 23 +++++++++++++++++++
 .../deobfuscators/CodeVeil/StringDecrypter.cs | 11 +++++++++
 3 files changed, 37 insertions(+)

diff --git a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
index 6cc9b45e..42ef268a 100644
--- a/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/Deobfuscator.cs
@@ -183,6 +183,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 					return stringDecrypter.decrypt((int)args[0]);
 				});
 				DeobfuscatedFile.stringDecryptersAdded();
+				addModuleCctorInitCallToBeRemoved(stringDecrypter.InitMethod);
+				addCallToBeRemoved(mainType.getInitStringDecrypterMethod(stringDecrypter.InitMethod), stringDecrypter.InitMethod);
+				addTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
 			}
 
 			assemblyResolver = new AssemblyResolver(module);
diff --git a/de4dot.code/deobfuscators/CodeVeil/MainType.cs b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
index 60d56693..df8f5e33 100644
--- a/de4dot.code/deobfuscators/CodeVeil/MainType.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/MainType.cs
@@ -189,5 +189,28 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 
 			return null;
 		}
+
+		public MethodDefinition getInitStringDecrypterMethod(MethodDefinition stringDecrypterInitMethod) {
+			if (stringDecrypterInitMethod == null)
+				return null;
+			if (theType == null)
+				return null;
+
+			foreach (var method in theType.Methods) {
+				if (!method.IsStatic || method.Body == null)
+					continue;
+				if (callsMethod(method, stringDecrypterInitMethod))
+					return method;
+			}
+			return null;
+		}
+
+		bool callsMethod(MethodDefinition methodToCheck, MethodDefinition calledMethod) {
+			foreach (var info in DotNetUtils.getCalledMethods(module, methodToCheck)) {
+				if (info.Item2 == calledMethod)
+					return true;
+			}
+			return false;
+		}
 	}
 }
diff --git a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
index e745536a..a5c7dadf 100644
--- a/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/CodeVeil/StringDecrypter.cs
@@ -37,6 +37,14 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 			get { return decrypterType != null; }
 		}
 
+		public TypeDefinition Type {
+			get { return decrypterType; }
+		}
+
+		public MethodDefinition InitMethod {
+			get { return initMethod; }
+		}
+
 		public MethodDefinition DecryptMethod {
 			get { return decrypterMethod; }
 		}
@@ -180,6 +188,9 @@ namespace de4dot.code.deobfuscators.CodeVeil {
 				throw new ApplicationException("Could not find string decrypter key");
 
 			decryptStrings(key);
+
+			stringDataField.FieldType = module.TypeSystem.Byte;
+			stringDataField.InitialValue = new byte[1];
 		}
 
 		static uint[] getKey(MethodDefinition method) {