Beispiel #1
0
        public static void Execute(ModuleDefMD module)
        {
            Write("Removing the Anti De4dot...");

            RemoveNops.Execute(module);
            var removed = 0;

            foreach (TypeDef type in module.Types.ToList().Where(t => t.HasInterfaces))
            {
                foreach (InterfaceImpl currentInterface in type.Interfaces)
                {
                    if (!currentInterface.Interface.Name.Contains(type.Name) &&
                        !type.Name.Contains(currentInterface.Interface.Name))
                    {
                        continue;
                    }

                    module.Types.Remove(type);

                    removed++;
                    Write($"Removed: {type.Name}", Type.Debug);
                }
            }

            Write(removed == 0 ? "No Anti De4dot found !" :
                  removed == 1 ? "Anti De4dot removed !" :
                  removed > 1 ? $"Fixed {removed} anti de4dot methods !" : "", Type.Success);
        }
        public static void Execute(ModuleDefMD module)
        {
            Write("Removing the Anti Debug...");

            RemoveNops.Execute(module);
            var removed = 0;

            foreach (Instruction instr in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
            {
                if (instr.OpCode != OpCodes.Call || !(instr.Operand is MethodDef debuggerMethod) ||
                    !debuggerMethod.DeclaringType.IsGlobalModuleType ||
                    debuggerMethod.FindInstructionsNumber(OpCodes.Ldstr, "ENABLE_PROFILING") != 1 ||
                    debuggerMethod.FindInstructionsNumber(OpCodes.Ldstr, "GetEnvironmentVariable") != 1 ||
                    debuggerMethod.FindInstructionsNumber(OpCodes.Ldstr, "COR") != 1 ||
                    debuggerMethod.FindInstructionsNumber(OpCodes.Call,
                                                          "System.Environment::FailFast(System.String)") != 1)
                {
                    continue;
                }

                instr.OpCode = OpCodes.Nop;
                Write($"Removed an Anti Debug call at offset: {instr.Offset}", Type.Debug);

                module.GlobalType.Remove(debuggerMethod);

                removed++;

                Write($"Removed an Anti Debug method: {debuggerMethod.Name}", Type.Debug);
            }
            foreach (MethodDef method in module.GlobalType.Methods.Where(m => m.HasBody))
            {
                if (method.FindInstructionsNumber(OpCodes.Ldc_I4, 500) != 1 ||
                    method.FindInstructionsNumber(OpCodes.Ldc_I4, 1000) != 1 ||
                    method.FindInstructionsNumber(OpCodes.Call, "System.Environment::FailFast(System.String)") <= 1 ||
                    method.Attributes !=
                    (MethodAttributes.Private | MethodAttributes.Static | MethodAttributes.HideBySig))
                {
                    continue;
                }

                module.GlobalType.Remove(method);

                removed++;

                Write($"Removed an Anti Debug method: {method.Name}", Type.Debug);
            }

            Write(removed == 0 ? "No Anti Debug found !" :
                  removed == 1 ? "Removed Anti Debug !" :
                  removed > 1 ? $"Removed {removed} Anti Debug methods !" : "", Type.Success);
        }
        public static void Execute(ModuleDefMD module)
        {
            Write("Removing the Anti VM...");

            RemoveNops.Execute(module);
            var removed = 0;

            foreach (Instruction instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
            {
                var method = instruction.Operand as MethodDef;
                if (method == null)
                {
                    continue;
                }
                IList <Instruction> instr = method.Body.Instructions;

                if (instr[0].OpCode != OpCodes.Call || !instr[1].IsStloc() || !instr[2].IsLdloc() ||
                    !instr[3].IsBrfalse() || instr[4].OpCode != OpCodes.Ldstr ||
                    instr[4].Operand.ToString() != "VirtualMachine detected. Exiting..." ||
                    instr[5].OpCode != OpCodes.Ldstr || instr[5].Operand.ToString() != "Rzy Protector" ||
                    !instr[6].IsLdcI4() || !instr[7].IsLdcI4() || (int)instr[7].Operand != 0x40 ||
                    instr[8].OpCode != OpCodes.Call ||
                    instr[8].Operand.ToString() !=
                    "valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string, valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons, valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxIcon)" ||
                    instr[9].OpCode != OpCodes.Pop || instr[10].OpCode != OpCodes.Call ||
                    instr[10].Operand.ToString() !=
                    "class [System]System.Diagnostics.Process [System]System.Diagnostics.Process::GetCurrentProcess()" ||
                    instr[11].OpCode != OpCodes.Callvirt ||
                    instr[11].Operand.ToString() != "instance void [System]System.Diagnostics.Process::Kill()" ||
                    instr[12].OpCode != OpCodes.Ret)
                {
                    continue;
                }

                instruction.OpCode = OpCodes.Nop;
                Write($"Removed an Anti VM call at offset: {instruction.Offset}", Type.Debug);

                for (var i = 0; i < instr.Count; i++)
                {
                    instr.RemoveAt(i);
                }

                removed++;
                Write($"Removed an Anti VM method: {method.Name}", Type.Debug);
            }

            Write(removed == 0 ? "No Anti VM found !" :
                  removed == 1 ? "Removed Anti VM !" :
                  removed > 1 ? $"Removed {removed} Anti VM methods !" : "", Type.Success);
        }
Beispiel #4
0
        public static void Execute(ModuleDefMD module)
        {
            Write("Removing the Anti DnSpy...");

            RemoveNops.Execute(module);
            var removed = 0;

            foreach (Instruction instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
            {
                var method = instruction.Operand as MethodDef;
                if (method == null)
                {
                    continue;
                }
                IList <Instruction> instr = method.Body.Instructions;

                if (instr.Count != 1 || instr[0].OpCode != OpCodes.Call ||
                    !instr[0].Operand.ToString().Contains("::Read"))
                {
                    continue;
                }

                var antiDnSpyMethod = instr[0].Operand as MethodDef;
                if (antiDnSpyMethod == null)
                {
                    continue;
                }
                instr[0].OpCode    = OpCodes.Nop;
                instruction.OpCode = OpCodes.Nop;
                Write($"Removed an Anti Dump call at offset: {instruction.Offset}", Type.Debug);

                for (var i = 0; i < antiDnSpyMethod.Body.Instructions.Count; i++)
                {
                    antiDnSpyMethod.Body.Instructions.RemoveAt(i);
                }

                removed++;

                Write($"Removed an Anti DnSpy method: {method.Name}", Type.Debug);
            }

            Write(removed == 0 ? "No Anti DnSpy found !" :
                  removed == 1 ? "Removed Anti DnSpy !" :
                  removed > 1 ? $"Removed {removed} Anti DnSpy methods !" : "", Type.Success);
        }
Beispiel #5
0
        public static void Execute(ModuleDefMD module)
        {
            Write("Removing the Anti Dump...");

            RemoveNops.Execute(module);
            var removed = 0;

            foreach (Instruction instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
            {
                var method = instruction.Operand as MethodDef;
                if (method == null)
                {
                    continue;
                }
                IList <Instruction> instr = method.Body.Instructions;

                if (instr.Count <= 140 || instr.Count >= 160 ||
                    method.FindInstructionsNumber(OpCodes.Call,
                                                  "native int [mscorlib]System.Runtime.InteropServices.Marshal::GetHINSTANCE(class [mscorlib]System.Reflection.Module)") !=
                    1 || method.FindInstructionsNumber(OpCodes.Call,
                                                       "::VirtualProtect(uint8*, int32, uint32, uint32&)") != 1)
                {
                    continue;
                }

                instruction.OpCode = OpCodes.Nop;
                Write($"Removed an Anti Dump call at offset: {instruction.Offset}", Type.Debug);

                for (var i = 0; i < instr.Count; i++)
                {
                    instr.RemoveAt(0);
                }

                removed++;

                Write($"Removed an Anti Dump method: {method.Name}", Type.Debug);
            }

            Write(removed == 0 ? "No Anti Dump found !" :
                  removed == 1 ? "Removed Anti Dump !" :
                  removed > 1 ? $"Removed {removed} Anti Dump methods !" : "", Type.Success);
        }
        static void Main(string[] args)
        {
            #region Initialize

            Console.Title = "Rzy Protector V2 Unpacker - by illuZion#9999";
            WriteTitle();

            if (args.Length != 1)
            {
                Write("Please, drag 'n' drop the file to unpack!", Type.Error);
                Leave();
            }

            string directory = args[0];
            try
            {
                Module = ModuleDefMD.Load(directory);
            }
            catch
            {
                Write("Not a .NET Assembly...", Type.Error);
                Leave();
            }

            #endregion Initialize

            #region Unpack

            HideMethods.Execute(Module);
            CallToCalli.Execute(Module);
            EmptyTypes.Execute(Module);
            Maths(Module);
            LocalToField.Execute(Module);
            Constants.Execute(Module);
            Maths(Module);
            StringProtection.Execute(Module);

            FakeObfuscator.Execute(Module);
            AntiIlDasm.Execute(Module);
            AntiDe4dot.Execute(Module);
            AntiDnspy.Execute(Module);
            AntiVm.Execute(Module);
            AntiDebug.Execute(Module);
            AntiDump.Execute(Module);

            RemoveNops.Execute(Module);

            #endregion Unpack

            #region Save the file

            Write("Saving the unpacked file...");

            string text = Path.GetDirectoryName(directory);
            if (text == null)
            {
                Leave();
            }
            // We can disable the possible null exception as the Leave method closes the program (but Resharper does not detect it).
            // ReSharper disable once PossibleNullReferenceException
            text += !text.EndsWith("\\") ? "\\" : null;
            string filename =
                $"{text}{Path.GetFileNameWithoutExtension(directory)}-Unpacked{Path.GetExtension(directory)}";

            var writerOptions = new ModuleWriterOptions(Module);
            writerOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll;
            writerOptions.Logger = DummyLogger.NoThrowInstance;

            var nativewriterOptions = new NativeModuleWriterOptions(Module, true);
            nativewriterOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll;
            nativewriterOptions.Logger = DummyLogger.NoThrowInstance;

            if (Module.IsILOnly)
            {
                Module.Write(filename, writerOptions);
            }
            else
            {
                Module.NativeWrite(filename, nativewriterOptions);
            }

            Write($"File saved at: {filename}", Type.Success);
            Leave();

            #endregion Save the file
        }