.NET Reactor: Fix MethodsDecrypter for newer versions

meck-gd · meck-gd · commit e6591fee56ab · 2026-04-17T16:33:39.000+02:00
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/Deobfuscator.cs
@@ -446,7 +446,8 @@ public override IDeobfuscator ModuleReloaded(ModuleDefMD module) {
 			newOne.peImage = new MyPEImage(fileData);
 			newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter);
 			newOne.proxyCallFixer = new ProxyCallFixer(module, proxyCallFixer);
-			newOne.devirtualizer = new Devirtualizer(module, devirtualizer);
+			newOne.devirtualizer = new Devirtualizer(DeobfuscatedFile, module);
+			newOne.devirtualizer.Find();
 			newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter);
 			newOne.booleanDecrypter = new BooleanDecrypter(module, booleanDecrypter);
 			newOne.assemblyResolver = new AssemblyResolver(module, assemblyResolver);
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/MethodsDecrypter.cs
@@ -20,6 +20,7 @@ You should have received a copy of the GNU General Public License
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using dnlib.IO;
 using dnlib.DotNet;
 using dnlib.DotNet.MD;
@@ -126,15 +127,23 @@ public bool Decrypt(MyPEImage peImage, ISimpleDeobfuscator simpleDeobfuscator, r
 
 			var methodsDataReader = ByteArrayDataReaderFactory.CreateReader(methodsData);
 
-			int tmp = methodsDataReader.ReadInt32();
-			if ((tmp & 0xFF000000) == 0x06000000)
-				methodsDataReader.ReadInt32();
-			else
-				methodsDataReader.Position -= 4;
+			int tmp;
+			if (FindBinaryReaderMethod(simpleDeobfuscator, out var popCallsCount) && popCallsCount > 3)
+				for (var i = 0; i < popCallsCount; i++)
+					methodsDataReader.ReadInt32();
+			else {
+				tmp = methodsDataReader.ReadInt32();
+				if ((tmp & 0xFF000000) == 0x06000000)
+					methodsDataReader.ReadInt32();
+				else
+					methodsDataReader.Position -= 4;
+			}
 
 			int patchCount = methodsDataReader.ReadInt32();
-			int mode = methodsDataReader.ReadInt32();
+			if (patchCount > methodsDataReader.BytesLeft / 8)
+				patchCount = methodsDataReader.ReadInt32();
 
+			int mode = methodsDataReader.ReadInt32();
 			tmp = methodsDataReader.ReadInt32();
 			methodsDataReader.Position -= 4;
 			if ((tmp & 0xFF000000) == 0x06000000) {
@@ -253,6 +262,53 @@ public bool Decrypt(MyPEImage peImage, ISimpleDeobfuscator simpleDeobfuscator, r
 			return true;
 		}
 
+		// Adapted from SychicBoy's NETReactorSlayer
+		private bool FindBinaryReaderMethod(ISimpleDeobfuscator simpleDeobfuscator, out int popCallsCount) {
+            popCallsCount = 0;
+            var decrypterMethod = encryptedResource.Method;
+            var calls = decrypterMethod.Body.Instructions
+                .Where(x => x.OpCode == OpCodes.Callvirt && x.Operand is MethodDef md && md.MethodSig.RetType.FullName == "System.Int32")
+                .Select(x => x.Operand)
+                .Cast<MethodDef>();
+            foreach (var method in calls)
+                try {
+                    simpleDeobfuscator.Deobfuscate(method);
+                    if (method.Body.Instructions.Count != 4)
+                        continue;
+
+                    if (!method.Body.Instructions[0].IsLdarg()
+                        || method.Body.Instructions[1].OpCode != OpCodes.Ldfld
+                        || method.Body.Instructions[2].OpCode.Code is not (Code.Callvirt or Code.Call)
+                        || method.Body.Instructions[3].OpCode != OpCodes.Ret)
+                        continue;
+
+                    if (!method.Body.Instructions[2].Operand.ToString()!.Contains("System.Int32"))
+                        continue;
+
+                    for (var i = 0; i < decrypterMethod.Body.Instructions.Count; i++)
+                        try {
+                            if (!decrypterMethod.Body.Instructions[i].IsLdloc()
+                                || decrypterMethod.Body.Instructions[i + 1].OpCode != OpCodes.Callvirt
+                                || decrypterMethod.Body.Instructions[i + 1].Operand is not MethodDef calledMethod
+                                || decrypterMethod.Body.Instructions[i + 2].OpCode != OpCodes.Pop)
+                                continue;
+
+                            if (MethodEqualityComparer.CompareDeclaringTypes.Equals(calledMethod, method))
+                                popCallsCount++;
+                        }
+                        catch {
+	                        // ignored
+                        }
+
+                    return true;
+                }
+                catch {
+	                // ignored
+                }
+
+            return false;
+        }
+
 		public static bool IsNewer45Decryption(MethodDef method) {
 			if (method == null || method.Body == null)
 				return false;
diff --git a/de4dot.code/deobfuscators/dotNET_Reactor/v4/vm/Devirtualizer.cs b/de4dot.code/deobfuscators/dotNET_Reactor/v4/vm/Devirtualizer.cs
@@ -47,15 +47,6 @@ public Devirtualizer(ISimpleDeobfuscator deobfuscator, ModuleDefMD module) {
 		_module = module;
 	}
 
-	public Devirtualizer(ModuleDefMD module, Devirtualizer oldOne) {
-		_module = module;
-		_deobfuscator = oldOne._deobfuscator;
-		_vmType = DeobUtils.Lookup(module, oldOne._vmType, "Could not find VM type");
-		if (oldOne._resource != null)
-			_resource = DotNetUtils.GetResource(module, oldOne._resource.Name.String) as EmbeddedResource;
-		StreamHasPrependedByte = oldOne.StreamHasPrependedByte;
-	}
-
 	public void Find() {
 		_vmType = _module.Types.FirstOrDefault(type =>
 			type.Methods.Any(method =>
