static void Main(string[] args)
{
Console.Title = "AntiRE.Example";
Console.ForegroundColor = ConsoleColor.DarkYellow;
Console.WriteLine(@"
_ _ _____ ______ _____ _ _
/\ | | (_) __ \| ____| | __ \ | | (_)
/ \ _ __ | |_ _| |__) | |__ | |__) | _ _ __ | |_ _ _ __ ___ ___
/ /\ \ | '_ \| __| | _ /| __| | _ / | | | '_ \| __| | '_ ` _ \ / _ \
/ ____ \| | | | |_| | | \ \| |____ _| | \ \ |_| | | | | |_| | | | | | | __/
/_/ \_\_| |_|\__|_|_| \_\______(_)_| \_\__,_|_| |_|\__|_|_| |_| |_|\___|
");
var CurrentProcess = Process.GetCurrentProcess();
bool SelfDelete = false;
bool ShowAlert = true;
bool Aggressive = false;
//Alert settings
Alert.NotepadStyle = true;
Alert.AutoClose = false;
Alert.AutoCloseTime = 2;
Alert.NotepadPath = "readme.txt";
//Prevent assembly being dumped from memory
AntiDump.Parse(typeof(Program /* or this.GetType() */));
//Prevent application start under sandbox tools
AntiSandBox.SelfDelete = SelfDelete;
AntiSandBox.ShowAlert = ShowAlert;
AntiSandBox.Parse(CurrentProcess);
//Prevent application start under virtual machine
AntiVirtualMachine.SelfDelete = SelfDelete;
AntiVirtualMachine.ShowAlert = ShowAlert;
AntiVirtualMachine.Parse(CurrentProcess);
//Prevent from network being monitored
AntiSniff.SelfDelete = SelfDelete;
AntiSniff.ShowAlert = ShowAlert;
AntiSniff.Parse(CurrentProcess);
//Prevents reverse engineering tools from running in the system
AntiReverserTools.SelfDelete = SelfDelete;
AntiReverserTools.ShowAlert = ShowAlert;
AntiReverserTools.Aggressive = Aggressive;
AntiReverserTools.IgnoreCase = true;
AntiReverserTools.KeepAlive = true;
AntiReverserTools.WhiteList.Add("notepad");
AntiReverserTools.BlackList.Add("dnspy");
AntiReverserTools.Start(CurrentProcess);
//Anti debugger
AntiDebugger.SelfDelete = SelfDelete;
AntiDebugger.ShowAlert = ShowAlert;
AntiDebugger.Aggressive = Aggressive;
AntiDebugger.KeepAlive = true;
AntiDebugger.Start(CurrentProcess);
//Detect if dnspy installed on system
AntiDnspy.SelfDelete = SelfDelete;
AntiDnspy.ShowAlert = ShowAlert;
AntiDnspy.Parse(CurrentProcess);
Console.ForegroundColor = ConsoleColor.Gray;
Console.WriteLine("\r\n [#] Application started successfully\r\n [#] Press any key to exit...");
Console.ReadKey();
}
static void Main(string[] args)
{
Debug.Assert(args.Length > 0);
ModuleDefMD targetModule = ModuleDefMD.Load(args[0]);
ModuleDefMD runtimeModule = ModuleDefMD.Load("Confuser.Runtime.dll");
ClarifierContext ctx = new ClarifierContext
{
CurrentModule = targetModule,
WriterListener = new MWListener(),
//ILLanguage = il
};
AntiDump antiDump = new AntiDump();
AntiDebug antiDebug = new AntiDebug();
Constants constants = new Constants();
AntiTamper antiTamper = new AntiTamper();
Inliner inliner = new Inliner();
inliner.PerformIdentification(ctx);
inliner.PerformRemoval(ctx);
antiTamper.Initialize();
antiTamper.PerformIdentification(ctx);
antiTamper.PerformRemoval(ctx);
antiDump.Initialize(ctx);
antiDump.PerformIdentification(ctx);
antiDump.PerformRemoval(ctx);
antiDebug.Initialize(ctx);
antiDebug.PerformIdentification(ctx);
antiDebug.PerformRemoval(ctx);
constants.Initialize(ctx);
constants.PerformIdentification(ctx);
constants.PerformRemoval(ctx);
int lastBackslash = args[0].LastIndexOf('\\');
string targetExecutable = args[0].Substring(lastBackslash + 1, args[0].Length - 1 - lastBackslash);
string parentDir = Directory.GetParent(Directory.GetParent(args[0]).FullName).FullName;
parentDir = Path.Combine(parentDir, "Deobfuscated");
string destinationFile = Path.Combine(parentDir, targetExecutable);
targetModule.Write(destinationFile);
return;
}
static void Main(string[] args)
{
Console.Title = "DeConfuser - The De-Obfuscator for confuser v1.6";
Console.WriteLine("Copyright © DragonHunter - 2012");
Console.WriteLine("This deobfuscator might not work at every confused assembly, still BETA");
Console.WriteLine("Checkout this project at http://deconfuser.codeplex.com");
Console.WriteLine("Thanks also to Mono.Cecil there was no DeConfuser without Mono.Cecil");
Console.WriteLine("This version of Mono.Cecil is modded by DragonHunter to do some evil shit");
//hardcoded path atm...
string inputPath = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe.exe";
string outputPath = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe_cleaned.exe";
//load assembly
AssemblyDefinition asm = AssemblyFactory.GetAssembly(inputPath);
#region Anti-Debug remover
AntiDebug debug = new AntiDebug();
TypeDefinition AntiType = null;
MethodDefinition AntiMethod = null;
Console.WriteLine("-------------------------------------------------------");
if (debug.FindAntiDebug(asm, ref AntiType, ref AntiMethod))
{
Console.WriteLine("[Anti-Debugger] Anti-Debugger detected, removing...");
debug.RemoveAntiDebug(asm, AntiType, AntiMethod);
Console.WriteLine("[Anti-Debugger] Removed anti-debugger");
}
else
{
Console.WriteLine("This assembly is not protected with anti-debugging");
}
Console.WriteLine("-------------------------------------------------------");
#endregion
#region String Decryptor
StringDecrypter decrypter = new StringDecrypter();
TypeDefinition DecryptType = null;
MethodDefinition DecryptMethod = null;
if (decrypter.FindMethod(asm, ref DecryptType, ref DecryptMethod))
{
Console.WriteLine("[String Decryptor] Found string decryptor, decrypting strings...");
byte[] StringData = decrypter.GetStringResource(asm, inputPath, DecryptMethod);
decrypter.DecryptAllStrings(asm, DecryptMethod, StringData);
decrypter.RemoveDecryptMethod(asm, DecryptType, DecryptMethod);
Console.WriteLine("[String Decryptor] Removed the decrypt method");
}
else
{
Console.WriteLine("This assembly is not protected with encrypted strings");
}
Console.WriteLine("-------------------------------------------------------");
#endregion
#region Anti-Dump remover
AntiDump dump = new AntiDump();
TypeDefinition AntiDumpType = null;
MethodDefinition AntiDumpMethod = null;
if (dump.FindAntiDump(asm, ref AntiDumpType, ref AntiDumpMethod))
{
Console.WriteLine("[Anti-Dump] Anti-Dump detected, removing...");
dump.RemoveAntiDump(asm, AntiDumpType, AntiDumpMethod);
Console.WriteLine("[Anti-Dump] Removed anti-dump");
}
else
{
Console.WriteLine("This assembly is not protected with anti-dump");
}
Console.WriteLine("-------------------------------------------------------");
#endregion
#region Resource Decryptor
ResourceDecrypter resourceDecrypter = new ResourceDecrypter();
TypeDefinition ResourceType = null;
MethodDefinition ResourceMethod = null;
if (resourceDecrypter.FindMethod(asm, ref ResourceType, ref ResourceMethod))
{
Console.WriteLine("[Resource-Decrypter] Resource-Decrypter, decrypting");
resourceDecrypter.DecryptAllResources(asm, inputPath, ResourceType, ResourceMethod);
}
else
{
Console.WriteLine("This assembly is not protected with encrypted resources");
}
Console.WriteLine("-------------------------------------------------------");
#endregion
AssemblyFactory.SaveAssembly(asm, outputPath);
Console.WriteLine("File dumped to \"" + outputPath + "\"");
Console.WriteLine("Thanks for using DeConfuser :)");
Process.GetCurrentProcess().WaitForExit();
}
private void Button_Click(object sender, RoutedEventArgs e)
{
var time = DateTime.Now.ToString("hh:mm:ss");
ModuleContext modCtx = ModuleDef.CreateModuleContext();
var module = ModuleDefMD.Load(Program.Text, modCtx);
ConsoleLog.Foreground = Brushes.Black;
ConsoleLog.AppendText($"{time} Starting obfuscation{Environment.NewLine}");
if (String_Encryption.IsChecked == true)
{
StringEncPhase.Execute(module);
ConsoleLog.AppendText($"{time} Processing string encryption{Environment.NewLine}");
}
if (Online_Decryption.IsChecked == true)
{
OnlinePhase.Execute(module);
ConsoleLog.AppendText($"{time} Processing online decryption{Environment.NewLine}");
}
if (Cflow.IsChecked == true)
{
ControlFlowObfuscation.Execute(module);
ConsoleLog.AppendText($"{time} Processing control flow{Environment.NewLine}");
}
if (IntConf.IsChecked == true)
{
AddIntPhase.Execute2(module);
ConsoleLog.AppendText($"{time} Processing integer confusion{Environment.NewLine}");
}
if (SUC.IsChecked == true)
{
StackUnfConfusion.Execute(module);
ConsoleLog.AppendText($"{time} Processing stack confusion{Environment.NewLine}");
}
if (Ahri.IsChecked == true)
{
Arithmetic.Execute(module);
ConsoleLog.AppendText($"{time} Processing math calculations{Environment.NewLine}");
}
if (LF.IsChecked == true)
{
L2F.Execute(module);
ConsoleLog.AppendText($"{time} Processing constant fields{Environment.NewLine}");
}
if (LFV2.IsChecked == true)
{
L2FV2.Execute(module);
ConsoleLog.AppendText($"{time} Processing local fields{Environment.NewLine}");
}
if (Calli_.IsChecked == true)
{
Calli.Execute(module);
ConsoleLog.AppendText($"{time} Processing calli conversion{Environment.NewLine}");
}
if (Proxy_String.IsChecked == true)
{
ProxyString.Execute(module);
ConsoleLog.AppendText($"{time} Processing proxy strings{Environment.NewLine}");
}
if (ProxyConstants.IsChecked == true)
{
ProxyINT.Execute(module);
ConsoleLog.AppendText($"{time} Processing proxy constants{Environment.NewLine}");
}
if (Proxy_Meth.IsChecked == true)
{
ProxyMeth.Execute(module);
ConsoleLog.AppendText($"{time} Processing proxy methods{Environment.NewLine}");
}
if (Anti_De4dot.IsChecked == true)
{
AntiDecompile.Execute(module.Assembly);
ConsoleLog.AppendText($"{time} Processing anti-decompile{Environment.NewLine}");
}
if (JumpCflow.IsChecked == true)
{
JumpCFlow.Execute(module);
ConsoleLog.AppendText($"{time} Processing flow conversion{Environment.NewLine}");
}
if (AntiDebug.IsChecked == true)
{
Anti_Debug.Execute(module);
ConsoleLog.AppendText($"{time} Processing anti-debug{Environment.NewLine}");
}
if (Anti_Dump.IsChecked == true)
{
AntiDump.Execute(module);
ConsoleLog.AppendText($"{time} Processing anti-dump{Environment.NewLine}");
}
if (AntiTamper.IsChecked == true)
{
Protection.Software.AntiTamper.Execute(module);
ConsoleLog.AppendText($"{time} Processing anti-tamper{Environment.NewLine}");
}
if (InvalidMD.IsChecked == true)
{
InvalidMDPhase.Execute(module.Assembly);
ConsoleLog.AppendText($"{time} Processing invalid metadata{Environment.NewLine}");
}
var text2 = Path.GetDirectoryName(Program.Text);
if (text2 != null && !text2.EndsWith("\\"))
{
text2 += "\\";
}
var path = $"{text2}{Path.GetFileNameWithoutExtension(Program.Text)}_protected{Path.GetExtension(Program.Text)}";
module.Write(path,
new ModuleWriterOptions(module)
{
PEHeadersOptions = { NumberOfRvaAndSizes = 13 }, Logger = DummyLogger.NoThrowInstance
});
ConsoleLog.AppendText($"{time} File: {path}{Environment.NewLine}{Environment.NewLine}");
if (AntiTamper.IsChecked == true)
{
Protection.Software.AntiTamper.Sha256(path);
}
}
static void Main(string[] args)
{
Console.Title = "DeConfuser - The De-Obfuscator for confuser v1.6";
Console.WriteLine("Copyright © DragonHunter - 2012");
Console.WriteLine("This deobfuscator might not work at every confused assembly, still BETA");
Console.WriteLine("Checkout this project at http://deconfuser.codeplex.com");
Console.WriteLine("Thanks also to Mono.Cecil there was no DeConfuser without Mono.Cecil");
Console.WriteLine("This version of Mono.Cecil is modded by DragonHunter to do some evil shit");
//hardcoded path atm...
string inputPath = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe.exe";
string outputPath = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe_cleaned.exe";
//load assembly
AssemblyDefinition asm = AssemblyFactory.GetAssembly(inputPath);
#region Anti-Debug remover
AntiDebug debug = new AntiDebug();
TypeDefinition AntiType = null;
MethodDefinition AntiMethod = null;
Console.WriteLine("-------------------------------------------------------");
if (debug.FindAntiDebug(asm, ref AntiType, ref AntiMethod))
{
Console.WriteLine("[Anti-Debugger] Anti-Debugger detected, removing...");
debug.RemoveAntiDebug(asm, AntiType, AntiMethod);
Console.WriteLine("[Anti-Debugger] Removed anti-debugger");
}
else
{
Console.WriteLine("This assembly is not protected with anti-debugging");
}
Console.WriteLine("-------------------------------------------------------");
#endregion
#region String Decryptor
StringDecrypter decrypter = new StringDecrypter();
TypeDefinition DecryptType = null;
MethodDefinition DecryptMethod = null;
if (decrypter.FindMethod(asm, ref DecryptType, ref DecryptMethod))
{
Console.WriteLine("[String Decryptor] Found string decryptor, decrypting strings...");
byte[] StringData = decrypter.GetStringResource(asm, inputPath, DecryptMethod);
decrypter.DecryptAllStrings(asm, DecryptMethod, StringData);
decrypter.RemoveDecryptMethod(asm, DecryptType, DecryptMethod);
Console.WriteLine("[String Decryptor] Removed the decrypt method");
}
else
{
Console.WriteLine("This assembly is not protected with encrypted strings");
}
Console.WriteLine("-------------------------------------------------------");
#endregion
#region Anti-Dump remover
AntiDump dump = new AntiDump();
TypeDefinition AntiDumpType = null;
MethodDefinition AntiDumpMethod = null;
if (dump.FindAntiDump(asm, ref AntiDumpType, ref AntiDumpMethod))
{
Console.WriteLine("[Anti-Dump] Anti-Dump detected, removing...");
dump.RemoveAntiDump(asm, AntiDumpType, AntiDumpMethod);
Console.WriteLine("[Anti-Dump] Removed anti-dump");
}
else
{
Console.WriteLine("This assembly is not protected with anti-dump");
}
Console.WriteLine("-------------------------------------------------------");
#endregion
#region Resource Decryptor
ResourceDecrypter resourceDecrypter = new ResourceDecrypter();
TypeDefinition ResourceType = null;
MethodDefinition ResourceMethod = null;
if (resourceDecrypter.FindMethod(asm, ref ResourceType, ref ResourceMethod))
{
Console.WriteLine("[Resource-Decrypter] Resource-Decrypter, decrypting");
resourceDecrypter.DecryptAllResources(asm, inputPath, ResourceType, ResourceMethod);
}
else
{
Console.WriteLine("This assembly is not protected with encrypted resources");
}
Console.WriteLine("-------------------------------------------------------");
#endregion
AssemblyFactory.SaveAssembly(asm, outputPath);
Console.WriteLine("File dumped to \"" + outputPath + "\"");
Console.WriteLine("Thanks for using DeConfuser :)");
Process.GetCurrentProcess().WaitForExit();
}
private void Button_Click(object sender, RoutedEventArgs e)
{
var time = DateTime.Now.ToString("hh:mm:ss");
var module = ModuleDefMD.Load(LoadBox.Text);
if (StringEnc.IsChecked == true)
{
StringEncPhase.Execute(module);
ConsoleLog.Foreground = Brushes.Aqua;
ConsoleLog.AppendText($"{time} Processing String Encryption{Environment.NewLine}");
}
if (SOD.IsChecked == true)
{
OnlinePhase.Execute(module);
ConsoleLog.AppendText($"{time} Processing Online Decryption{Environment.NewLine}");
}
if (Cflow.IsChecked == true)
{
ControlFlowObfuscation.Execute(module);
ConsoleLog.AppendText($"{time} Processing Control Flow{Environment.NewLine}");
}
if (IntConf.IsChecked == true)
{
AddIntPhase.Execute2(module);
ConsoleLog.AppendText($"{time} Processing Int Confusion{Environment.NewLine}");
}
if (SUC.IsChecked == true)
{
StackUnfConfusion.Execute(module);
ConsoleLog.AppendText($"{time} Processing StackUnfConfusion{Environment.NewLine}");
}
if (Ahri.IsChecked == true)
{
Arithmetic.Execute(module);
ConsoleLog.AppendText($"{time} Processing Arithmetic{Environment.NewLine}");
}
if (LF.IsChecked == true)
{
L2F.Execute(module);
ConsoleLog.AppendText($"{time} Processing Local Field{Environment.NewLine}");
}
if (LFV2.IsChecked == true)
{
L2FV2.Execute(module);
ConsoleLog.AppendText($"{time} Processing Local Field V2{Environment.NewLine}");
}
if (Calli_.IsChecked == true)
{
Calli.Execute(module);
ConsoleLog.AppendText($"{time} Processing Call To Calli{Environment.NewLine}");
}
if (Proxy_String.IsChecked == true)
{
ProxyString.Execute(module);
ConsoleLog.AppendText($"{time} Processing Proxy Strings{Environment.NewLine}");
}
if (ProxyConstants.IsChecked == true)
{
ProxyINT.Execute(module);
ConsoleLog.AppendText($"{time} Processing Proxy Constants{Environment.NewLine}");
}
if (Proxy_Meth.IsChecked == true)
{
ProxyMeth.Execute(module);
ConsoleLog.AppendText($"{time} Processing Proxy Methods{Environment.NewLine}");
}
if (Renamer.IsChecked == true)
{
RenamerPhase.Execute(module);
ConsoleLog.AppendText($"{time} Processing Renaming{Environment.NewLine}");
}
if (Anti_De4dot.IsChecked == true)
{
AntiDe4dot.Execute(module.Assembly);
ConsoleLog.AppendText($"{time} Processing Anti De4dot{Environment.NewLine}");
}
if (JumpCflow.IsChecked == true)
{
JumpCFlow.Execute(module);
ConsoleLog.AppendText($"{time} Processing Jump Control flow{Environment.NewLine}");
}
if (AntiDebug.IsChecked == true)
{
Anti_Debug.Execute(module);
ConsoleLog.AppendText($"{time} Processing Anti Debug{Environment.NewLine}");
}
if (Anti_Dump.IsChecked == true)
{
AntiDump.Execute(module);
ConsoleLog.AppendText($"{time} Processing Anti Dump{Environment.NewLine}");
}
if (AntiTamper.IsChecked == true)
{
Protection.Anti.AntiTamper.Execute(module);
ConsoleLog.AppendText($"{time} Processing Anti Tamper{Environment.NewLine}");
}
if (InvalidMD.IsChecked == true)
{
InvalidMDPhase.Execute(module.Assembly);
ConsoleLog.AppendText($"{time} Processing Invalid MetaData{Environment.NewLine}");
}
var text2 = Path.GetDirectoryName(LoadBox.Text);
if (text2 != null && !text2.EndsWith("\\"))
{
text2 += "\\";
}
var path = $"{text2}{Path.GetFileNameWithoutExtension(LoadBox.Text)}_protected{Path.GetExtension(LoadBox.Text)}";
module.Write(path,
new ModuleWriterOptions(module)
{
PEHeadersOptions = { NumberOfRvaAndSizes = 13 }, Logger = DummyLogger.NoThrowInstance
});
ConsoleLog.AppendText($"{time} {path}");
if (AntiTamper.IsChecked == true)
{
Protection.Anti.AntiTamper.Sha256(path);
}
}
static void Main(string[] args)
{
Console.Title = "AntiRE.Example";
Console.ForegroundColor = ConsoleColor.DarkYellow;
Console.WriteLine(@"
_ _ _____ ______ _____ _ _
/\ | | (_) __ \| ____| | __ \ | | (_)
/ \ _ __ | |_ _| |__) | |__ | |__) | _ _ __ | |_ _ _ __ ___ ___
/ /\ \ | '_ \| __| | _ /| __| | _ / | | | '_ \| __| | '_ ` _ \ / _ \
/ ____ \| | | | |_| | | \ \| |____ _| | \ \ |_| | | | | |_| | | | | | | __/
/_/ \_\_| |_|\__|_|_| \_\______(_)_| \_\__,_|_| |_|\__|_|_| |_| |_|\___|
");
var CurrentProcess = Process.GetCurrentProcess();
bool SelfDelete = false;
bool ShowAlert = true;
//Alert settings
Alert.NotepadStyle = true;
Alert.AutoClose = false;
Alert.AutoCloseTime = 2;
Alert.NotepadPath = "readme.txt";
//Prevent assembly being dumped from memory
AntiDump.Parse(typeof(Program /* or this.GetType() */));
//Prevent application start under sandbox tools
AntiSandBox.SelfDelete = SelfDelete;
AntiSandBox.ShowAlert = ShowAlert;
AntiSandBox.Parse(CurrentProcess);
//Prevent application start under virtual machine
AntiVirtualMachine.SelfDelete = SelfDelete;
AntiVirtualMachine.ShowAlert = ShowAlert;
AntiVirtualMachine.Parse(CurrentProcess);
//Prevent from network being monitored
AntiSniff.SelfDelete = SelfDelete;
AntiSniff.ShowAlert = ShowAlert;
AntiSniff.Parse(CurrentProcess);
//Prevents reverse engineering tools from running in the system
AntiReverserTools.SelfDelete = SelfDelete;
AntiReverserTools.ShowAlert = ShowAlert;
AntiReverserTools.IgnoreCase = true;
AntiReverserTools.KeepAlive = true;
AntiReverserTools.WhiteList.Add("notepad");
AntiReverserTools.BlackList.Add("dnspy");
AntiReverserTools.Start(CurrentProcess);
//Anti debugger
AntiDebugger.SelfDelete = SelfDelete;
AntiDebugger.ShowAlert = ShowAlert;
AntiDebugger.KeepAlive = true;
AntiDebugger.Start(CurrentProcess);
//Detect if dnspy installed on system
AntiDnspy.SelfDelete = SelfDelete;
AntiDnspy.ShowAlert = ShowAlert;
AntiDnspy.Parse(CurrentProcess);
//Send anti sniff request to server
try
{
HttpWebRequest req = (HttpWebRequest)WebRequest.Create("https://google.com");
req.ContinueTimeout = 10000;
req.ReadWriteTimeout = 10000;
req.Timeout = 10000;
req.KeepAlive = true;
req.UserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36";
req.Accept = "*/*";
req.Method = "GET";
req.Headers.Add("Accept-Language", "en-US,en;q=0.9,fa;q=0.8");
req.Headers.Add("Accept-Encoding", "gzip, deflate");
req.AutomaticDecompression = DecompressionMethods.GZip;
req.ServerCertificateValidationCallback = AntiSniff.ValidationCallback;
req.ServicePoint.Expect100Continue = false;
using (HttpWebResponse response = req.GetResponse() as HttpWebResponse)
{
if (response.StatusCode != HttpStatusCode.OK)
{
Alert.Show("NETWORK CONNECTION ERROR, CHECK YOUR INTERNET CONNECTION OR CLOSE SNIFFER SOFTWARES");
Environment.Exit(0);
return;
}
}
}
catch
{
Alert.Show("NETWORK CONNECTION ERROR, CHECK YOUR INTERNET CONNECTION OR CLOSE SNIFFER SOFTWARES");
Environment.Exit(0);
return;
}
Console.ForegroundColor = ConsoleColor.Gray;
Console.WriteLine("\r\n [#] Application started successfully\r\n [#] Press any key to exit...");
Console.ReadKey();
}
static void Main(string[] args)
{
#region Initialize
Console.Title = "Rzy Protector V2 Unpacker - by illuZion#9999";
WriteTitle();
if (args.Length != 1)
{
Write("Please, drag 'n' drop the file to unpack!", Type.Error);
Leave();
}
string directory = args[0];
try
{
Module = ModuleDefMD.Load(directory);
}
catch
{
Write("Not a .NET Assembly...", Type.Error);
Leave();
}
#endregion Initialize
#region Unpack
HideMethods.Execute(Module);
CallToCalli.Execute(Module);
EmptyTypes.Execute(Module);
Maths(Module);
LocalToField.Execute(Module);
Constants.Execute(Module);
Maths(Module);
StringProtection.Execute(Module);
FakeObfuscator.Execute(Module);
AntiIlDasm.Execute(Module);
AntiDe4dot.Execute(Module);
AntiDnspy.Execute(Module);
AntiVm.Execute(Module);
AntiDebug.Execute(Module);
AntiDump.Execute(Module);
RemoveNops.Execute(Module);
#endregion Unpack
#region Save the file
Write("Saving the unpacked file...");
string text = Path.GetDirectoryName(directory);
if (text == null)
{
Leave();
}
// We can disable the possible null exception as the Leave method closes the program (but Resharper does not detect it).
// ReSharper disable once PossibleNullReferenceException
text += !text.EndsWith("\\") ? "\\" : null;
string filename =
$"{text}{Path.GetFileNameWithoutExtension(directory)}-Unpacked{Path.GetExtension(directory)}";
var writerOptions = new ModuleWriterOptions(Module);
writerOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll;
writerOptions.Logger = DummyLogger.NoThrowInstance;
var nativewriterOptions = new NativeModuleWriterOptions(Module, true);
nativewriterOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll;
nativewriterOptions.Logger = DummyLogger.NoThrowInstance;
if (Module.IsILOnly)
{
Module.Write(filename, writerOptions);
}
else
{
Module.NativeWrite(filename, nativewriterOptions);
}
Write($"File saved at: {filename}", Type.Success);
Leave();
#endregion Save the file
}
// Token: 0x060000FE RID: 254 RVA: 0x00015024 File Offset: 0x00013224
private void metroButton2_Click(object sender, EventArgs e)
{
ModuleDef moduleDef = ModuleDefMD.Load(this.metroTextBox1.Text);
bool numberToString = Settings.NumberToString;
if (numberToString)
{
Constants__numbers_.ObfuscateNumbers(moduleDef);
}
bool stackUnderflow = Settings.StackUnderflow;
if (stackUnderflow)
{
Stack_Underflow.StackUnderflow(moduleDef);
}
bool sizeOf = Settings.SizeOf;
if (sizeOf)
{
SizeOf.Sizeof(moduleDef);
}
bool disConstants = Settings.DisConstants;
if (disConstants)
{
Distant_Constants.DisConstants(moduleDef);
}
bool refProxy = Settings.RefProxy;
if (refProxy)
{
Method_Wiper.Execute(moduleDef);
}
bool constants = Settings.Constants;
if (constants)
{
Constants__numbers_.Inject(moduleDef);
}
bool localToFields = Settings.LocalToFields;
if (localToFields)
{
LocalToFields.Protect(moduleDef);
}
bool renamer = Settings.Renamer;
if (renamer)
{
Renamer.Execute(moduleDef);
}
bool controlFlow = Settings.ControlFlow;
if (controlFlow)
{
Control_Flow.Encrypt(moduleDef);
Constants__numbers_.Execute(moduleDef);
}
bool constant_Mutation = Settings.Constant_Mutation;
if (constant_Mutation)
{
Constant_Mutation.Execute(moduleDef);
}
bool antiDe4dot = Settings.AntiDe4dot;
if (antiDe4dot)
{
Anti_De4dot.RemoveDe4dot(moduleDef);
}
bool antiILdasm = Settings.AntiILdasm;
if (antiILdasm)
{
Anti_ILDasm.Anti(moduleDef);
}
bool koiVMFakeSig = Settings.KoiVMFakeSig;
if (koiVMFakeSig)
{
KoiVM_Fake_Watermark.Execute(moduleDef);
}
bool antiDump = Settings.AntiDump;
if (antiDump)
{
AntiDump.Inject(moduleDef);
}
bool invalidMetadata = Settings.InvalidMetadata;
if (invalidMetadata)
{
Invalid_Metadata.InvalidMD(moduleDef);
}
bool calli = Settings.Calli;
if (calli)
{
Calli.Execute(moduleDef);
}
bool antiHTTPDebugger = Settings.AntiHTTPDebugger;
if (antiHTTPDebugger)
{
Anti_Http_Debugger.Execute(moduleDef);
}
bool antiFiddler = Settings.AntiFiddler;
if (antiFiddler)
{
Anti_Fiddler.Execute(moduleDef);
}
bool stringEncryption = Settings.StringEncryption;
if (stringEncryption)
{
String_Encryption.Inject(moduleDef);
}
Watermark.Execute(moduleDef);
ModuleDef manifestModule = moduleDef.Assembly.ManifestModule;
moduleDef.EntryPoint.Name = "BlinkRE";
moduleDef.Mvid = new Guid?(Guid.NewGuid());
bool strong = Settings.Strong;
if (strong)
{
Protection.Protect(moduleDef);
Inject.ProtectValue(moduleDef);
Inject.DoubleProtect(moduleDef);
Inject.Triple(moduleDef);
Inject.Triple(moduleDef);
Method_Wiper.Execute(moduleDef);
Assembly.MarkAssembly(moduleDef);
Locals.Protect(moduleDef);
}
Directory.CreateDirectory(".\\AtomicProtected");
moduleDef.Write(".\\AtomicProtected\\" + Path.GetFileName(this.metroTextBox1.Text), new ModuleWriterOptions(moduleDef)
{
PEHeadersOptions =
{
NumberOfRvaAndSizes = new uint?(13U)
},
MetaDataOptions =
{
TablesHeapOptions =
{
ExtraData = new uint?(4919U)
}
},
Logger = DummyLogger.NoThrowInstance
});
Process.Start(".\\AtomicProtected");
MessageBox.Show("Obfuscation complete! Restart to obfuscate again");
Environment.Exit(0);
}
