1. Remove ConfuserEx-esque proxies in the runtime dll using cawk's unpacker
2. Run de4dot on it to rename to somewhat readable names.
3. Set breakpoint on the method that suspiciously looks like a button click event handler (private void _B(object A_1, EventArgs A_2), token: 0x06000003).
4. Step into the Entry.Run
5. Notice that the "Nope" messagebox occurs after the first method call. Set bp on this method (0x0600004E) and rerun.
6. Notice that the "Nope" messagebox occurs after the call to 0x060000B6. Set bp on this method and rerun.
7. Method looks suspiciously like a VM dispatcher using a dictionary (case 10). A quick peek into the methods called here reveals that this line can be refactored to something like:
8. Setting a breakpoint on this line, and repeatedly running this, while inspecting the virtual stack reveals exactly what the code does. No need for devirtualization.