public static void Execute(ModuleDefMD module) { Write("Removing the Anti De4dot..."); RemoveNops.Execute(module); var removed = 0; foreach (TypeDef type in module.Types.ToList().Where(t => t.HasInterfaces)) { foreach (InterfaceImpl currentInterface in type.Interfaces) { if (!currentInterface.Interface.Name.Contains(type.Name) && !type.Name.Contains(currentInterface.Interface.Name)) { continue; } module.Types.Remove(type); removed++; Write($"Removed: {type.Name}", Type.Debug); } } Write(removed == 0 ? "No Anti De4dot found !" : removed == 1 ? "Anti De4dot removed !" : removed > 1 ? $"Fixed {removed} anti de4dot methods !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Removing the Anti Debug..."); RemoveNops.Execute(module); var removed = 0; foreach (Instruction instr in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call)) { if (instr.OpCode != OpCodes.Call || !(instr.Operand is MethodDef debuggerMethod) || !debuggerMethod.DeclaringType.IsGlobalModuleType || debuggerMethod.FindInstructionsNumber(OpCodes.Ldstr, "ENABLE_PROFILING") != 1 || debuggerMethod.FindInstructionsNumber(OpCodes.Ldstr, "GetEnvironmentVariable") != 1 || debuggerMethod.FindInstructionsNumber(OpCodes.Ldstr, "COR") != 1 || debuggerMethod.FindInstructionsNumber(OpCodes.Call, "System.Environment::FailFast(System.String)") != 1) { continue; } instr.OpCode = OpCodes.Nop; Write($"Removed an Anti Debug call at offset: {instr.Offset}", Type.Debug); module.GlobalType.Remove(debuggerMethod); removed++; Write($"Removed an Anti Debug method: {debuggerMethod.Name}", Type.Debug); } foreach (MethodDef method in module.GlobalType.Methods.Where(m => m.HasBody)) { if (method.FindInstructionsNumber(OpCodes.Ldc_I4, 500) != 1 || method.FindInstructionsNumber(OpCodes.Ldc_I4, 1000) != 1 || method.FindInstructionsNumber(OpCodes.Call, "System.Environment::FailFast(System.String)") <= 1 || method.Attributes != (MethodAttributes.Private | MethodAttributes.Static | MethodAttributes.HideBySig)) { continue; } module.GlobalType.Remove(method); removed++; Write($"Removed an Anti Debug method: {method.Name}", Type.Debug); } Write(removed == 0 ? "No Anti Debug found !" : removed == 1 ? "Removed Anti Debug !" : removed > 1 ? $"Removed {removed} Anti Debug methods !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Removing the Anti VM..."); RemoveNops.Execute(module); var removed = 0; foreach (Instruction instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call)) { var method = instruction.Operand as MethodDef; if (method == null) { continue; } IList <Instruction> instr = method.Body.Instructions; if (instr[0].OpCode != OpCodes.Call || !instr[1].IsStloc() || !instr[2].IsLdloc() || !instr[3].IsBrfalse() || instr[4].OpCode != OpCodes.Ldstr || instr[4].Operand.ToString() != "VirtualMachine detected. Exiting..." || instr[5].OpCode != OpCodes.Ldstr || instr[5].Operand.ToString() != "Rzy Protector" || !instr[6].IsLdcI4() || !instr[7].IsLdcI4() || (int)instr[7].Operand != 0x40 || instr[8].OpCode != OpCodes.Call || instr[8].Operand.ToString() != "valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string, valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons, valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxIcon)" || instr[9].OpCode != OpCodes.Pop || instr[10].OpCode != OpCodes.Call || instr[10].Operand.ToString() != "class [System]System.Diagnostics.Process [System]System.Diagnostics.Process::GetCurrentProcess()" || instr[11].OpCode != OpCodes.Callvirt || instr[11].Operand.ToString() != "instance void [System]System.Diagnostics.Process::Kill()" || instr[12].OpCode != OpCodes.Ret) { continue; } instruction.OpCode = OpCodes.Nop; Write($"Removed an Anti VM call at offset: {instruction.Offset}", Type.Debug); for (var i = 0; i < instr.Count; i++) { instr.RemoveAt(i); } removed++; Write($"Removed an Anti VM method: {method.Name}", Type.Debug); } Write(removed == 0 ? "No Anti VM found !" : removed == 1 ? "Removed Anti VM !" : removed > 1 ? $"Removed {removed} Anti VM methods !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Removing the Anti DnSpy..."); RemoveNops.Execute(module); var removed = 0; foreach (Instruction instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call)) { var method = instruction.Operand as MethodDef; if (method == null) { continue; } IList <Instruction> instr = method.Body.Instructions; if (instr.Count != 1 || instr[0].OpCode != OpCodes.Call || !instr[0].Operand.ToString().Contains("::Read")) { continue; } var antiDnSpyMethod = instr[0].Operand as MethodDef; if (antiDnSpyMethod == null) { continue; } instr[0].OpCode = OpCodes.Nop; instruction.OpCode = OpCodes.Nop; Write($"Removed an Anti Dump call at offset: {instruction.Offset}", Type.Debug); for (var i = 0; i < antiDnSpyMethod.Body.Instructions.Count; i++) { antiDnSpyMethod.Body.Instructions.RemoveAt(i); } removed++; Write($"Removed an Anti DnSpy method: {method.Name}", Type.Debug); } Write(removed == 0 ? "No Anti DnSpy found !" : removed == 1 ? "Removed Anti DnSpy !" : removed > 1 ? $"Removed {removed} Anti DnSpy methods !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Removing the Anti Dump..."); RemoveNops.Execute(module); var removed = 0; foreach (Instruction instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call)) { var method = instruction.Operand as MethodDef; if (method == null) { continue; } IList <Instruction> instr = method.Body.Instructions; if (instr.Count <= 140 || instr.Count >= 160 || method.FindInstructionsNumber(OpCodes.Call, "native int [mscorlib]System.Runtime.InteropServices.Marshal::GetHINSTANCE(class [mscorlib]System.Reflection.Module)") != 1 || method.FindInstructionsNumber(OpCodes.Call, "::VirtualProtect(uint8*, int32, uint32, uint32&)") != 1) { continue; } instruction.OpCode = OpCodes.Nop; Write($"Removed an Anti Dump call at offset: {instruction.Offset}", Type.Debug); for (var i = 0; i < instr.Count; i++) { instr.RemoveAt(0); } removed++; Write($"Removed an Anti Dump method: {method.Name}", Type.Debug); } Write(removed == 0 ? "No Anti Dump found !" : removed == 1 ? "Removed Anti Dump !" : removed > 1 ? $"Removed {removed} Anti Dump methods !" : "", Type.Success); }
static void Main(string[] args) { #region Initialize Console.Title = "Rzy Protector V2 Unpacker - by illuZion#9999"; WriteTitle(); if (args.Length != 1) { Write("Please, drag 'n' drop the file to unpack!", Type.Error); Leave(); } string directory = args[0]; try { Module = ModuleDefMD.Load(directory); } catch { Write("Not a .NET Assembly...", Type.Error); Leave(); } #endregion Initialize #region Unpack HideMethods.Execute(Module); CallToCalli.Execute(Module); EmptyTypes.Execute(Module); Maths(Module); LocalToField.Execute(Module); Constants.Execute(Module); Maths(Module); StringProtection.Execute(Module); FakeObfuscator.Execute(Module); AntiIlDasm.Execute(Module); AntiDe4dot.Execute(Module); AntiDnspy.Execute(Module); AntiVm.Execute(Module); AntiDebug.Execute(Module); AntiDump.Execute(Module); RemoveNops.Execute(Module); #endregion Unpack #region Save the file Write("Saving the unpacked file..."); string text = Path.GetDirectoryName(directory); if (text == null) { Leave(); } // We can disable the possible null exception as the Leave method closes the program (but Resharper does not detect it). // ReSharper disable once PossibleNullReferenceException text += !text.EndsWith("\\") ? "\\" : null; string filename = $"{text}{Path.GetFileNameWithoutExtension(directory)}-Unpacked{Path.GetExtension(directory)}"; var writerOptions = new ModuleWriterOptions(Module); writerOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll; writerOptions.Logger = DummyLogger.NoThrowInstance; var nativewriterOptions = new NativeModuleWriterOptions(Module, true); nativewriterOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll; nativewriterOptions.Logger = DummyLogger.NoThrowInstance; if (Module.IsILOnly) { Module.Write(filename, writerOptions); } else { Module.NativeWrite(filename, nativewriterOptions); } Write($"File saved at: {filename}", Type.Success); Leave(); #endregion Save the file }