public static void Execute(ModuleDefMD module)
{
Write($"Fixing the Call To Calli protection..", Type.Info);
Remove_Nops.Execute(module);
var callsFixed = 0;
foreach (var type in module.GetTypes().Where(t => t.HasMethods))
{
foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
var instr = method.Body.Instructions;
for (var i = 0; i < instr.Count; i++)
{
if (instr[i].OpCode == OpCodes.Ldftn && instr[i + 1].OpCode == OpCodes.Calli)
{
instr[i + 1].OpCode = OpCodes.Nop;
instr[i].OpCode = OpCodes.Call;
callsFixed++;
Write($"Fixed the call in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
}
}
}
Write(callsFixed == 0 ? "No Call To Calli found !" :
callsFixed == 1 ? $"Fixed {callsFixed} call !" :
callsFixed > 1 ? $"Fixed {callsFixed} calls !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Fixing the local to field...", Type.Info);
Remove_Nops.Execute(module);
localsFixed = 0;
try
{
GrabFieldValues(module);
if (proxyInt != null)
{
ReplaceProxyInt(module);
}
else
{
Write("Could not find fields values ! Aborting...", Type.Error);
}
}
catch { }
Write(localsFixed == 0 ? "No Local to Field found !" :
localsFixed == 1 ? $"Fixed {localsFixed} local !" :
localsFixed > 1 ? $"Fixed {localsFixed} locals !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write($"Fixing the Empty Types protection..", Type.Info);
Remove_Nops.Execute(module);
var emptyTypesFixed = 0;
foreach (var type in module.GetTypes().Where(t => t.HasMethods))
{
foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
var instr = method.Body.Instructions;
for (var i = 0; i < instr.Count; i++)
{
if (instr[i].OpCode == OpCodes.Ldsfld && instr[i].Operand.ToString().Contains("System.Type::EmptyTypes") && instr[i + 1].OpCode == OpCodes.Ldlen)
{
instr[i + 1].OpCode = OpCodes.Nop;
instr[i].OpCode = OpCodes.Ldc_I4;
instr[i].Operand = 0;
emptyTypesFixed++;
Write($"Fixed the empty types in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
}
}
}
Write(emptyTypesFixed == 0 ? "No Empty Types found !" : $"Fixed {emptyTypesFixed} empty types protection !", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Decrypting the constants...", Type.Info);
Remove_Nops.Execute(module);
var decrypted = 0;
MethodDef decryptionMethod = null;
foreach (var type in module.GetTypes().Where(t => t.HasMethods))
{
foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
var instr = method.Body.Instructions;
for (var i = 0; i < instr.Count; i++)
{
if (instr[i].OpCode == OpCodes.Ldc_I4 && instr[i + 1].OpCode == OpCodes.Ldc_I4 && instr[i + 2].OpCode == OpCodes.Call)
{
var callMethod = instr[i + 2].Operand as MethodDef;
if (callMethod != null)
{
if (callMethod.DeclaringType == module.GlobalType)
{
decryptionMethod = instr[i + 2].Operand as MethodDef;
int decodedInt = (int)instr[i].Operand ^ (int)instr[i + 1].Operand;
instr[i].OpCode = OpCodes.Nop;
instr[i + 1].OpCode = OpCodes.Nop;
instr[i + 2].OpCode = OpCodes.Ldc_I4;
instr[i + 2].Operand = decodedInt;
decrypted++;
Write($"Decrypted: {decodedInt.ToString()} in method: {method.Name} at offset: {instr[i + 2].Offset}", Type.Debug);
}
}
}
}
}
}
if (decryptionMethod != null)
{
module.GlobalType.Remove(decryptionMethod);
Write("Removed the decryption method", Type.Success);
}
Write(decrypted == 0 ? "No constants protection found !" :
decrypted == 1 ? $"Decrypted {decrypted} constant !" :
decrypted > 1 ? $"Decrypted {decrypted} constants !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Fixing the Hide Methods..", Type.Info);
Remove_Nops.Execute(module);
var methodsFixed = 0;
if (module.EntryPoint.HasBody && module.EntryPoint.Body.HasInstructions)
{
var instr = module.EntryPoint.Body.Instructions;
for (var i = 0; i < instr.Count; i++)
{
if (instr[0].IsLdcI4() &&
instr[1].IsStloc() &&
instr[2].IsBr() &&
instr[3].IsLdloc() &&
instr[4].IsLdcI4() &&
instr[5].OpCode == OpCodes.Ceq &&
instr[6].IsLdcI4() &&
instr[7].OpCode == OpCodes.Ceq &&
instr[8].IsStloc() &&
instr[9].IsLdloc() &&
instr[10].IsBrtrue() &&
instr[11].OpCode == OpCodes.Ret &&
instr[12].OpCode == OpCodes.Calli &&
instr[13].OpCode == OpCodes.Sizeof)
{
for (var j = 0; j < 4; j++)
{
instr.RemoveAt(instr.Count - 1);
}
for (var j = 0; j < 13; j++)
{
instr.RemoveAt(0);
}
methodsFixed++;
}
}
}
Write(methodsFixed == 1 ? "Fixed Hide Method !" : "No Hide Methods found !", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write($"Decrypting the strings..", Type.Info);
Remove_Nops.Execute(module);
var decrypted = 0;
foreach (var type in module.GetTypes().Where(t => t.HasMethods))
{
foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
var instr = method.Body.Instructions;
for (var i = 0; i < instr.Count; i++)
{
if (instr[i].OpCode == OpCodes.Call &&
instr[i].Operand.ToString().Contains("get_UTF8") &&
instr[i + 1].OpCode == OpCodes.Ldstr &&
instr[i + 2].OpCode == OpCodes.Call &&
instr[i + 2].Operand.ToString().Contains("FromBase64String") &&
instr[i + 3].OpCode == OpCodes.Callvirt &&
instr[i + 3].Operand.ToString().Contains("GetString"))
{
string decryptedString = Encoding.UTF8.GetString(Convert.FromBase64String((string)instr[i + 1].Operand));
instr[i].OpCode = OpCodes.Nop;
instr[i + 1].OpCode = OpCodes.Nop;
instr[i + 2].OpCode = OpCodes.Nop;
instr[i + 3].OpCode = OpCodes.Ldstr;
instr[i + 3].Operand = decryptedString;
decrypted++;
Write($"Decrypted: {decryptedString} in method: {method.Name} at offset: {instr[i + 3].Offset}", Type.Debug);
}
}
}
}
Write(decrypted == 0 ? "No String Protection found !" :
decrypted == 1 ? $"Decrypted {decrypted} string !" :
decrypted > 1 ? $"Decrypted {decrypted} strings !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write($"Removing the Double.Parse..", Type.Info);
Remove_Nops.Execute(module);
var mutationsFixed = 0;
foreach (var type in module.GetTypes().Where(t => t.HasMethods))
{
foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
var instr = method.Body.Instructions;
for (var i = 0; i < instr.Count; i++)
{
if (instr[i].OpCode == OpCodes.Ldstr &&
instr[i].Operand.ToString().Contains(",") &&
instr[i + 1].OpCode == OpCodes.Call &&
instr[i + 1].Operand.ToString().Contains("System.Double::Parse") &&
instr[i + 2].OpCode == OpCodes.Conv_I4)
{
int result = (int)double.Parse(instr[i].Operand.ToString());
instr[i].OpCode = OpCodes.Ldc_I4;
instr[i].Operand = result;
instr[i + 1].OpCode = OpCodes.Nop;
instr[i + 2].OpCode = OpCodes.Nop;
mutationsFixed++;
Write($"Removed a Double.Parse in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
}
}
}
Write(mutationsFixed == 0 ? "No Double.Parse found !" :
mutationsFixed == 1 ? $"Fixed {mutationsFixed} Double.Parse !" :
mutationsFixed > 1 ? $"Fixed {mutationsFixed} Double.Parse !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Fake Obfuscators...", Type.Info);
Remove_Nops.Execute(module);
var removed = 0;
foreach (var type in module.Types.ToList())
{
if (fakeObfuscators.Contains(type.Name))
{
module.Types.Remove(type);
removed++;
Write($"Removed the fake obfuscator type: {type.Name}", Type.Debug);
}
}
Write(removed == 0 ? "No Fake Obfscators found !" :
removed == 1 ? $"Removed {removed} fake obfuscator type !" :
removed > 1 ? $"Removed {removed} fake obfuscator types !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Constants Mutate...", Type.Info);
Remove_Nops.Execute(module);
var removed = 0;
foreach (var type in module.Types.Where(t => t.HasMethods))
{
foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
var instr = method.Body.Instructions;
for (var i = 0; i < instr.Count; ++i)
{
if (instr[i].OpCode == OpCodes.Add && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4())
{
int num = instr[i - 2].GetLdcI4Value() + instr[i - 1].GetLdcI4Value();
instr[i].OpCode = OpCodes.Ldc_I4;
instr[i].Operand = num;
instr[i - 2].OpCode = OpCodes.Nop;
instr[i - 1].OpCode = OpCodes.Nop;
removed++;
Write($"Removed a constant mutate [ADD] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
else if (instr[i].OpCode == OpCodes.Sub && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4())
{
int num = instr[i - 2].GetLdcI4Value() - instr[i - 1].GetLdcI4Value();
instr[i].OpCode = OpCodes.Ldc_I4;
instr[i].Operand = num;
instr[i - 2].OpCode = OpCodes.Nop;
instr[i - 1].OpCode = OpCodes.Nop;
removed++;
Write($"Removed a constant mutate [SUB] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
else if (instr[i].OpCode == OpCodes.Mul && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4())
{
int num = instr[i - 2].GetLdcI4Value() * instr[i - 1].GetLdcI4Value();
instr[i].OpCode = OpCodes.Ldc_I4;
instr[i].Operand = num;
instr[i - 2].OpCode = OpCodes.Nop;
instr[i - 1].OpCode = OpCodes.Nop;
removed++;
Write($"Removed a constant mutate [MUL] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
else if (instr[i].OpCode == OpCodes.Div && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4())
{
int num = instr[i - 2].GetLdcI4Value() / instr[i - 1].GetLdcI4Value();
instr[i].OpCode = OpCodes.Ldc_I4;
instr[i].Operand = num;
instr[i - 2].OpCode = OpCodes.Nop;
instr[i - 1].OpCode = OpCodes.Nop;
removed++;
Write($"Removed a constant mutate [DIV] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
}
}
}
Write(removed == 0 ? "No Constants Mutate found !" :
removed == 1 ? $"Removed {removed} constant mutate" :
removed > 1 ? $"Removed {removed} constants mutate !" : "", Type.Success);
}
