public static void Execute(ModuleDefMD module)
{
Write("Removing the Anti De4dot...");
RemoveNops.Execute(module);
var removed = 0;
foreach (TypeDef type in module.Types.ToList().Where(t => t.HasInterfaces))
{
foreach (InterfaceImpl currentInterface in type.Interfaces)
{
if (!currentInterface.Interface.Name.Contains(type.Name) &&
!type.Name.Contains(currentInterface.Interface.Name))
{
continue;
}
module.Types.Remove(type);
removed++;
Write($"Removed: {type.Name}", Type.Debug);
}
}
Write(removed == 0 ? "No Anti De4dot found !" :
removed == 1 ? "Anti De4dot removed !" :
removed > 1 ? $"Fixed {removed} anti de4dot methods !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Anti Debug...");
RemoveNops.Execute(module);
var removed = 0;
foreach (Instruction instr in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
{
if (instr.OpCode != OpCodes.Call || !(instr.Operand is MethodDef debuggerMethod) ||
!debuggerMethod.DeclaringType.IsGlobalModuleType ||
debuggerMethod.FindInstructionsNumber(OpCodes.Ldstr, "ENABLE_PROFILING") != 1 ||
debuggerMethod.FindInstructionsNumber(OpCodes.Ldstr, "GetEnvironmentVariable") != 1 ||
debuggerMethod.FindInstructionsNumber(OpCodes.Ldstr, "COR") != 1 ||
debuggerMethod.FindInstructionsNumber(OpCodes.Call,
"System.Environment::FailFast(System.String)") != 1)
{
continue;
}
instr.OpCode = OpCodes.Nop;
Write($"Removed an Anti Debug call at offset: {instr.Offset}", Type.Debug);
module.GlobalType.Remove(debuggerMethod);
removed++;
Write($"Removed an Anti Debug method: {debuggerMethod.Name}", Type.Debug);
}
foreach (MethodDef method in module.GlobalType.Methods.Where(m => m.HasBody))
{
if (method.FindInstructionsNumber(OpCodes.Ldc_I4, 500) != 1 ||
method.FindInstructionsNumber(OpCodes.Ldc_I4, 1000) != 1 ||
method.FindInstructionsNumber(OpCodes.Call, "System.Environment::FailFast(System.String)") <= 1 ||
method.Attributes !=
(MethodAttributes.Private | MethodAttributes.Static | MethodAttributes.HideBySig))
{
continue;
}
module.GlobalType.Remove(method);
removed++;
Write($"Removed an Anti Debug method: {method.Name}", Type.Debug);
}
Write(removed == 0 ? "No Anti Debug found !" :
removed == 1 ? "Removed Anti Debug !" :
removed > 1 ? $"Removed {removed} Anti Debug methods !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Anti VM...");
RemoveNops.Execute(module);
var removed = 0;
foreach (Instruction instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
{
var method = instruction.Operand as MethodDef;
if (method == null)
{
continue;
}
IList <Instruction> instr = method.Body.Instructions;
if (instr[0].OpCode != OpCodes.Call || !instr[1].IsStloc() || !instr[2].IsLdloc() ||
!instr[3].IsBrfalse() || instr[4].OpCode != OpCodes.Ldstr ||
instr[4].Operand.ToString() != "VirtualMachine detected. Exiting..." ||
instr[5].OpCode != OpCodes.Ldstr || instr[5].Operand.ToString() != "Rzy Protector" ||
!instr[6].IsLdcI4() || !instr[7].IsLdcI4() || (int)instr[7].Operand != 0x40 ||
instr[8].OpCode != OpCodes.Call ||
instr[8].Operand.ToString() !=
"valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string, valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons, valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxIcon)" ||
instr[9].OpCode != OpCodes.Pop || instr[10].OpCode != OpCodes.Call ||
instr[10].Operand.ToString() !=
"class [System]System.Diagnostics.Process [System]System.Diagnostics.Process::GetCurrentProcess()" ||
instr[11].OpCode != OpCodes.Callvirt ||
instr[11].Operand.ToString() != "instance void [System]System.Diagnostics.Process::Kill()" ||
instr[12].OpCode != OpCodes.Ret)
{
continue;
}
instruction.OpCode = OpCodes.Nop;
Write($"Removed an Anti VM call at offset: {instruction.Offset}", Type.Debug);
for (var i = 0; i < instr.Count; i++)
{
instr.RemoveAt(i);
}
removed++;
Write($"Removed an Anti VM method: {method.Name}", Type.Debug);
}
Write(removed == 0 ? "No Anti VM found !" :
removed == 1 ? "Removed Anti VM !" :
removed > 1 ? $"Removed {removed} Anti VM methods !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Anti DnSpy...");
RemoveNops.Execute(module);
var removed = 0;
foreach (Instruction instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
{
var method = instruction.Operand as MethodDef;
if (method == null)
{
continue;
}
IList <Instruction> instr = method.Body.Instructions;
if (instr.Count != 1 || instr[0].OpCode != OpCodes.Call ||
!instr[0].Operand.ToString().Contains("::Read"))
{
continue;
}
var antiDnSpyMethod = instr[0].Operand as MethodDef;
if (antiDnSpyMethod == null)
{
continue;
}
instr[0].OpCode = OpCodes.Nop;
instruction.OpCode = OpCodes.Nop;
Write($"Removed an Anti Dump call at offset: {instruction.Offset}", Type.Debug);
for (var i = 0; i < antiDnSpyMethod.Body.Instructions.Count; i++)
{
antiDnSpyMethod.Body.Instructions.RemoveAt(i);
}
removed++;
Write($"Removed an Anti DnSpy method: {method.Name}", Type.Debug);
}
Write(removed == 0 ? "No Anti DnSpy found !" :
removed == 1 ? "Removed Anti DnSpy !" :
removed > 1 ? $"Removed {removed} Anti DnSpy methods !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Anti Dump...");
RemoveNops.Execute(module);
var removed = 0;
foreach (Instruction instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
{
var method = instruction.Operand as MethodDef;
if (method == null)
{
continue;
}
IList <Instruction> instr = method.Body.Instructions;
if (instr.Count <= 140 || instr.Count >= 160 ||
method.FindInstructionsNumber(OpCodes.Call,
"native int [mscorlib]System.Runtime.InteropServices.Marshal::GetHINSTANCE(class [mscorlib]System.Reflection.Module)") !=
1 || method.FindInstructionsNumber(OpCodes.Call,
"::VirtualProtect(uint8*, int32, uint32, uint32&)") != 1)
{
continue;
}
instruction.OpCode = OpCodes.Nop;
Write($"Removed an Anti Dump call at offset: {instruction.Offset}", Type.Debug);
for (var i = 0; i < instr.Count; i++)
{
instr.RemoveAt(0);
}
removed++;
Write($"Removed an Anti Dump method: {method.Name}", Type.Debug);
}
Write(removed == 0 ? "No Anti Dump found !" :
removed == 1 ? "Removed Anti Dump !" :
removed > 1 ? $"Removed {removed} Anti Dump methods !" : "", Type.Success);
}
static void Main(string[] args)
{
#region Initialize
Console.Title = "Rzy Protector V2 Unpacker - by illuZion#9999";
WriteTitle();
if (args.Length != 1)
{
Write("Please, drag 'n' drop the file to unpack!", Type.Error);
Leave();
}
string directory = args[0];
try
{
Module = ModuleDefMD.Load(directory);
}
catch
{
Write("Not a .NET Assembly...", Type.Error);
Leave();
}
#endregion Initialize
#region Unpack
HideMethods.Execute(Module);
CallToCalli.Execute(Module);
EmptyTypes.Execute(Module);
Maths(Module);
LocalToField.Execute(Module);
Constants.Execute(Module);
Maths(Module);
StringProtection.Execute(Module);
FakeObfuscator.Execute(Module);
AntiIlDasm.Execute(Module);
AntiDe4dot.Execute(Module);
AntiDnspy.Execute(Module);
AntiVm.Execute(Module);
AntiDebug.Execute(Module);
AntiDump.Execute(Module);
RemoveNops.Execute(Module);
#endregion Unpack
#region Save the file
Write("Saving the unpacked file...");
string text = Path.GetDirectoryName(directory);
if (text == null)
{
Leave();
}
// We can disable the possible null exception as the Leave method closes the program (but Resharper does not detect it).
// ReSharper disable once PossibleNullReferenceException
text += !text.EndsWith("\\") ? "\\" : null;
string filename =
$"{text}{Path.GetFileNameWithoutExtension(directory)}-Unpacked{Path.GetExtension(directory)}";
var writerOptions = new ModuleWriterOptions(Module);
writerOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll;
writerOptions.Logger = DummyLogger.NoThrowInstance;
var nativewriterOptions = new NativeModuleWriterOptions(Module, true);
nativewriterOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll;
nativewriterOptions.Logger = DummyLogger.NoThrowInstance;
if (Module.IsILOnly)
{
Module.Write(filename, writerOptions);
}
else
{
Module.NativeWrite(filename, nativewriterOptions);
}
Write($"File saved at: {filename}", Type.Success);
Leave();
#endregion Save the file
}