public static void Execute(ModuleDefMD module)
{
Write("Fixing the local to field...");
RemoveNops.Execute(module);
LocalsFixed = 0;
try
{
GrabFieldValues(module);
if (ProxyInt != null)
{
ReplaceProxyInt(module);
}
else
{
Write("Could not find fields values ! Aborting...", Type.Error);
}
}
catch
{
// Ignored.
}
Write(LocalsFixed == 0 ? "No Local to Field found !" :
LocalsFixed == 1 ? $"Fixed {LocalsFixed} local !" :
LocalsFixed > 1 ? $"Fixed {LocalsFixed} locals !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Fixing the Empty Types protection..");
RemoveNops.Execute(module);
var emptyTypesFixed = 0;
foreach (TypeDef type in module.GetTypes().Where(t => t.HasMethods))
{
foreach (MethodDef method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
IList <Instruction> instr = method.Body.Instructions;
for (var i = 1; i < instr.Count; i++)
{
if (instr[i].OpCode != OpCodes.Ldlen || instr[i - 1].OpCode != OpCodes.Ldsfld)
{
continue;
}
if (!(instr[i - 1].Operand is MemberRef memberRef) || memberRef.Name != "EmptyTypes")
{
continue;
}
instr[i - 1] = Instruction.Create(OpCodes.Nop);
instr[i] = Instruction.Create(OpCodes.Ldc_I4_0);
emptyTypesFixed++;
Write($"Fixed the empty types in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
}
}
Write(emptyTypesFixed == 0 ? "No Empty Types found !" : $"Fixed {emptyTypesFixed} empty types protection !", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Fixing the Call To Calli protection..");
RemoveNops.Execute(module);
var callsFixed = 0;
foreach (TypeDef type in module.GetTypes().Where(t => t.HasMethods))
{
foreach (MethodDef method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
IList <Instruction> instr = method.Body.Instructions;
for (var i = 0; i < instr.Count; i++)
{
if (instr[i].OpCode != OpCodes.Ldftn || instr[i + 1].OpCode != OpCodes.Calli)
{
continue;
}
instr[i + 1].OpCode = OpCodes.Nop;
instr[i].OpCode = OpCodes.Call;
callsFixed++;
Write($"Fixed the call in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
}
}
Write(callsFixed == 0 ? "No Call To Calli found !" :
callsFixed == 1 ? $"Fixed {callsFixed} call !" :
callsFixed > 1 ? $"Fixed {callsFixed} calls !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Decrypting the constants...");
RemoveNops.Execute(module);
var decrypted = 0;
MethodDef decryptionMethod = null;
foreach (TypeDef type in module.GetTypes().Where(t => t.HasMethods))
{
foreach (MethodDef method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
IList <Instruction> instr = method.Body.Instructions;
for (var i = 0; i < instr.Count; i++)
{
if (instr[i].OpCode != OpCodes.Ldc_I4 || instr[i + 1].OpCode != OpCodes.Ldc_I4 ||
instr[i + 2].OpCode != OpCodes.Call)
{
continue;
}
decryptionMethod = instr[i + 2].Operand as MethodDef;
if (decryptionMethod == null)
{
continue;
}
if (decryptionMethod.DeclaringType != module.GlobalType)
{
continue;
}
int decodedInt = (int)instr[i].Operand ^ (int)instr[i + 1].Operand;
instr[i].OpCode = OpCodes.Nop;
instr[i + 1].OpCode = OpCodes.Nop;
instr[i + 2] = Instruction.CreateLdcI4(decodedInt);
decrypted++;
Write($"Decrypted: {decodedInt.ToString()} in method: {method.Name} at offset: {instr[i + 2].Offset}", Type.Debug);
}
}
}
if (decryptionMethod != null)
{
module.GlobalType.Remove(decryptionMethod);
Write("Removed the decryption method", Type.Success);
}
Write(decrypted == 0 ? "No constants protection found !" :
decrypted == 1 ? $"Decrypted {decrypted} constant !" :
decrypted > 1 ? $"Decrypted {decrypted} constants !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Fake Obfuscators...");
RemoveNops.Execute(module);
var removed = 0;
foreach (TypeDef type in module.Types.ToList().Where(t => FakeObfuscators.Contains(t.Name)))
{
module.Types.Remove(type);
removed++;
Write($"Removed the fake obfuscator type: {type.Name}", Type.Debug);
}
Write(removed == 0 ? "No Fake Obfscators found !" :
removed == 1 ? $"Removed {removed} fake obfuscator type !" :
removed > 1 ? $"Removed {removed} fake obfuscator types !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Decrypting the strings..");
RemoveNops.Execute(module);
var decrypted = 0;
foreach (TypeDef type in module.GetTypes().Where(t => t.HasMethods))
{
foreach (MethodDef method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
IList <Instruction> instr = method.Body.Instructions;
for (var i = 0; i < instr.Count; i++)
{
if (instr[i].OpCode != OpCodes.Call || !instr[i].Operand.ToString().Contains("get_UTF8") ||
instr[i + 1].OpCode != OpCodes.Ldstr || instr[i + 2].OpCode != OpCodes.Call ||
!instr[i + 2].Operand.ToString().Contains("FromBase64String") ||
instr[i + 3].OpCode != OpCodes.Callvirt ||
!instr[i + 3].Operand.ToString().Contains("GetString"))
{
continue;
}
string decryptedString = Encoding.UTF8.GetString(Convert.FromBase64String((string)instr[i + 1].Operand));
instr[i].OpCode = OpCodes.Nop;
instr[i + 1].OpCode = OpCodes.Nop;
instr[i + 2].OpCode = OpCodes.Nop;
instr[i + 3] = Instruction.Create(OpCodes.Ldstr, decryptedString);
decrypted++;
Write($"Decrypted: {decryptedString} in method: {method.Name} at offset: {instr[i + 3].Offset}", Type.Debug);
}
}
}
Write(decrypted == 0 ? "No String Protection found !" :
decrypted == 1 ? $"Decrypted {decrypted} string !" :
decrypted > 1 ? $"Decrypted {decrypted} strings !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Double.Parse..");
RemoveNops.Execute(module);
var mutationsFixed = 0;
foreach (TypeDef type in module.GetTypes().Where(t => t.HasMethods))
{
foreach (MethodDef method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
IList <Instruction> instr = method.Body.Instructions;
for (var i = 0; i < instr.Count; i++)
{
if (instr[i].OpCode != OpCodes.Ldstr || !instr[i].Operand.ToString().Contains(",") ||
instr[i + 1].OpCode != OpCodes.Call ||
!instr[i + 1].Operand.ToString().Contains("System.Double::Parse") ||
instr[i + 2].OpCode != OpCodes.Conv_I4)
{
continue;
}
var result = (int)double.Parse(instr[i].Operand.ToString());
instr[i] = Instruction.CreateLdcI4(result);
instr[i + 1].OpCode = OpCodes.Nop;
instr[i + 2].OpCode = OpCodes.Nop;
mutationsFixed++;
Write($"Removed a Double.Parse in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
}
}
Write(mutationsFixed == 0 ? "No Double.Parse found !" :
mutationsFixed == 1 ? $"Fixed {mutationsFixed} Double.Parse !" :
mutationsFixed > 1 ? $"Fixed {mutationsFixed} Double.Parse !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Fixing the Hide Methods..");
RemoveNops.Execute(module);
var methodsFixed = 0;
if (module.EntryPoint.HasBody && module.EntryPoint.Body.HasInstructions)
{
IList <Instruction> instr = module.EntryPoint.Body.Instructions;
for (var i = 0; i < instr.Count; i++)
{
if (!instr[0].IsLdcI4() || !instr[1].IsStloc() || !instr[2].IsBr() || !instr[3].IsLdloc() ||
!instr[4].IsLdcI4() || instr[5].OpCode != OpCodes.Ceq || !instr[6].IsLdcI4() ||
instr[7].OpCode != OpCodes.Ceq || !instr[8].IsStloc() || !instr[9].IsLdloc() ||
!instr[10].IsBrtrue() || instr[11].OpCode != OpCodes.Ret || instr[12].OpCode != OpCodes.Calli ||
instr[13].OpCode != OpCodes.Sizeof)
{
continue;
}
for (var j = 0; j < 4; j++)
{
instr.RemoveAt(instr.Count - 1);
}
for (var j = 0; j < 13; j++)
{
instr.RemoveAt(0);
}
methodsFixed++;
}
}
Write(methodsFixed == 1 ? "Fixed Hide Method !" : "No Hide Methods found !", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Constants Mutate...");
RemoveNops.Execute(module);
var removed = 0;
foreach (TypeDef type in module.Types.Where(t => t.HasMethods))
{
foreach (MethodDef method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
IList <Instruction> instr = method.Body.Instructions;
for (var i = 0; i < instr.Count; ++i)
{
if (instr[i].OpCode == OpCodes.Add && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4())
{
int num = instr[i - 2].GetLdcI4Value() + instr[i - 1].GetLdcI4Value();
instr[i] = Instruction.CreateLdcI4(num);
instr[i - 2].OpCode = OpCodes.Nop;
instr[i - 1].OpCode = OpCodes.Nop;
removed++;
Write($"Removed a constant mutate [ADD] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
else if (instr[i].OpCode == OpCodes.Sub && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4())
{
int num = instr[i - 2].GetLdcI4Value() - instr[i - 1].GetLdcI4Value();
instr[i] = Instruction.CreateLdcI4(num);
instr[i - 2].OpCode = OpCodes.Nop;
instr[i - 1].OpCode = OpCodes.Nop;
removed++;
Write($"Removed a constant mutate [SUB] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
else if (instr[i].OpCode == OpCodes.Mul && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4())
{
int num = instr[i - 2].GetLdcI4Value() * instr[i - 1].GetLdcI4Value();
instr[i] = Instruction.CreateLdcI4(num);
instr[i - 2].OpCode = OpCodes.Nop;
instr[i - 1].OpCode = OpCodes.Nop;
removed++;
Write($"Removed a constant mutate [MUL] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
else if (instr[i].OpCode == OpCodes.Div && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4())
{
int num = instr[i - 2].GetLdcI4Value() / instr[i - 1].GetLdcI4Value();
instr[i].OpCode = OpCodes.Ldc_I4;
instr[i].Operand = num;
instr[i - 2].OpCode = OpCodes.Nop;
instr[i - 1].OpCode = OpCodes.Nop;
removed++;
Write($"Removed a constant mutate [DIV] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug);
}
}
}
}
Write(removed == 0 ? "No Constants Mutate found !" :
removed == 1 ? $"Removed {removed} constant mutate" :
removed > 1 ? $"Removed {removed} constants mutate !" : "", Type.Success);
}
