tl;dr

  • Mixed-mode assembly (a feature of .NET binaries), containing both C# and C++ code in the same executable
  • Code flow jumps between C# and C++ frequently to make analysis harder
  • SEH mechanism triggered in C++ code, which uses an SEH trampoline to make debugging harder
  • SEH triggered once again in C#, which is handled by C++
  • VM bytecode is decrypted and loaded by C#
  • VM checks the input in 4 ways: CRC32 hash (2-byte pairs), RC4 encryption, rolling XOR and byte-by-byte checks