From c9e5b8e91efc2498163bbd75bf6f1cce3f2e799f Mon Sep 17 00:00:00 2001
From: de4dot
Date: Mon, 9 Jan 2012 05:50:32 +0100
Subject: [PATCH] Update code to handle v3.5 obfuscated assemblies
---
 .../Babel_NET/ResourceDecrypter.cs | 6 ++++-
 .../Babel_NET/StringDecrypter.cs | 26 ++++++++++++++++---
 2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/de4dot.code/deobfuscators/Babel_NET/ResourceDecrypter.cs b/de4dot.code/deobfuscators/Babel_NET/ResourceDecrypter.cs
index c76cd1b2..ca1bb8c8 100644
--- a/de4dot.code/deobfuscators/Babel_NET/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/Babel_NET/ResourceDecrypter.cs
@@ -58,7 +58,11 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 bool getKeyIv(byte[] headerData, out byte[] key, out byte[] iv) {
 var reader = new BinaryReader(new MemoryStream(headerData));
- var license = reader.ReadString();
+
+ // 3.5 doesn't have this field
+ if (headerData[(int)reader.BaseStream.Position] != 8) {
+ var license = reader.ReadString();
+ }
 // 4.2 (and earlier?) always compress the data
 bool isCompressed = true;
diff --git a/de4dot.code/deobfuscators/Babel_NET/StringDecrypter.cs b/de4dot.code/deobfuscators/Babel_NET/StringDecrypter.cs
index 3e77a87f..016cb101 100644
--- a/de4dot.code/deobfuscators/Babel_NET/StringDecrypter.cs
+++ b/de4dot.code/deobfuscators/Babel_NET/StringDecrypter.cs
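Review bot: In ResourceDecrypter.cs, the version probe added to `getKeyIv` indexes `headerData[(int)reader.BaseStream.Position]` without checking the array length, so an empty header taken from the assembly under analysis throws IndexOutOfRangeException; test `headerData.Length` before indexing. The probe is also ambiguous: `BinaryReader.ReadString` expects a 7-bit-encoded length prefix, so a 4.x header whose license string is exactly 8 bytes long also begins with byte 8 and would be taken for a 3.5 header. A comment saying what the value 8 stands for in the 3.5 layout would help, since the hunk does not show it. The local `license` is now scoped to the `if` and never read, so a bare `reader.ReadString();` expresses the skip. getKeyIv continues outside the hunk, so how a rejected header should be reported through the `out` parameters and the return value is not visible here.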
@@ -76,12 +76,30 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 var nested = type.NestedTypes[0];
 if (nested.HasProperties || nested.HasEvents)
 return false;
- if (nested.Fields.Count != 1)
- return false;
- if (!MemberReferenceHelper.compareTypes(nested.Fields[0].FieldType, nested))
+
+ if (nested.Fields.Count == 1) {
+ // 4.2+ (maybe 4.0+)
+
+ if (!MemberReferenceHelper.compareTypes(nested.Fields[0].FieldType, nested))
+ return false;
+
+ if (DotNetUtils.getMethod(nested, "System.Reflection.Emit.MethodBuilder", "(System.Reflection.Emit.TypeBuilder)") == null)
+ return false;
+ }
+ else if (nested.Fields.Count == 2) {
+ // 3.5 and maybe earlier
+
+ var field1 = nested.Fields[0];
+ var field2 = nested.Fields[1];
+ if (field1.FieldType.FullName != "System.Collections.Hashtable" && field2.FieldType.FullName != "System.Collections.Hashtable")
+ return false;
+ if (!MemberReferenceHelper.compareTypes(field1.FieldType, nested) && !MemberReferenceHelper.compareTypes(field2.FieldType, nested))
+ return false;
+ }
+ else
 return false;
- if (DotNetUtils.getMethod(nested, "System.Reflection.Emit.MethodBuilder", "(System.Reflection.Emit.TypeBuilder)") == null)
+ if (DotNetUtils.getMethod(nested, ".ctor") == null)
 return false;
 if (DotNetUtils.getMethod(nested, "System.String", "(System.Int32)") == null)
 return false;
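Review bot: In StringDecrypter.cs, the new two-field (3.5) branch makes the match looser than the 4.x one, because the `MethodBuilder`/`TypeBuilder` method check now runs only in the one-field branch; within this hunk a 3.5 candidate is accepted on its two field types, a `.ctor` and a `System.String (System.Int32)` method. If 3.5 decrypter types have another distinguishing member, requiring it here would lower the chance of picking the wrong type in an assembly that was built to confuse the tool. The two `&&` tests are order-independent but read as double negatives, so a comment such as `// one field must be a Hashtable, the other must be of the nested type itself` would make the intent explicit. The enclosing method starts and ends outside the hunk, so any later checks are not visible here.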