public static void Execute(ModuleDefMD module) { Write($"Fixing the Call To Calli protection..", Type.Info); Remove_Nops.Execute(module); var callsFixed = 0; foreach (var type in module.GetTypes().Where(t => t.HasMethods)) { foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions)) { var instr = method.Body.Instructions; for (var i = 0; i < instr.Count; i++) { if (instr[i].OpCode == OpCodes.Ldftn && instr[i + 1].OpCode == OpCodes.Calli) { instr[i + 1].OpCode = OpCodes.Nop; instr[i].OpCode = OpCodes.Call; callsFixed++; Write($"Fixed the call in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug); } } } } Write(callsFixed == 0 ? "No Call To Calli found !" : callsFixed == 1 ? $"Fixed {callsFixed} call !" : callsFixed > 1 ? $"Fixed {callsFixed} calls !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Fixing the local to field...", Type.Info); Remove_Nops.Execute(module); localsFixed = 0; try { GrabFieldValues(module); if (proxyInt != null) { ReplaceProxyInt(module); } else { Write("Could not find fields values ! Aborting...", Type.Error); } } catch { } Write(localsFixed == 0 ? "No Local to Field found !" : localsFixed == 1 ? $"Fixed {localsFixed} local !" : localsFixed > 1 ? $"Fixed {localsFixed} locals !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write($"Fixing the Empty Types protection..", Type.Info); Remove_Nops.Execute(module); var emptyTypesFixed = 0; foreach (var type in module.GetTypes().Where(t => t.HasMethods)) { foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions)) { var instr = method.Body.Instructions; for (var i = 0; i < instr.Count; i++) { if (instr[i].OpCode == OpCodes.Ldsfld && instr[i].Operand.ToString().Contains("System.Type::EmptyTypes") && instr[i + 1].OpCode == OpCodes.Ldlen) { instr[i + 1].OpCode = OpCodes.Nop; instr[i].OpCode = OpCodes.Ldc_I4; instr[i].Operand = 0; emptyTypesFixed++; Write($"Fixed the empty types in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug); } } } } Write(emptyTypesFixed == 0 ? "No Empty Types found !" : $"Fixed {emptyTypesFixed} empty types protection !", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Decrypting the constants...", Type.Info); Remove_Nops.Execute(module); var decrypted = 0; MethodDef decryptionMethod = null; foreach (var type in module.GetTypes().Where(t => t.HasMethods)) { foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions)) { var instr = method.Body.Instructions; for (var i = 0; i < instr.Count; i++) { if (instr[i].OpCode == OpCodes.Ldc_I4 && instr[i + 1].OpCode == OpCodes.Ldc_I4 && instr[i + 2].OpCode == OpCodes.Call) { var callMethod = instr[i + 2].Operand as MethodDef; if (callMethod != null) { if (callMethod.DeclaringType == module.GlobalType) { decryptionMethod = instr[i + 2].Operand as MethodDef; int decodedInt = (int)instr[i].Operand ^ (int)instr[i + 1].Operand; instr[i].OpCode = OpCodes.Nop; instr[i + 1].OpCode = OpCodes.Nop; instr[i + 2].OpCode = OpCodes.Ldc_I4; instr[i + 2].Operand = decodedInt; decrypted++; Write($"Decrypted: {decodedInt.ToString()} in method: {method.Name} at offset: {instr[i + 2].Offset}", Type.Debug); } } } } } } if (decryptionMethod != null) { module.GlobalType.Remove(decryptionMethod); Write("Removed the decryption method", Type.Success); } Write(decrypted == 0 ? "No constants protection found !" : decrypted == 1 ? $"Decrypted {decrypted} constant !" : decrypted > 1 ? $"Decrypted {decrypted} constants !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Fixing the Hide Methods..", Type.Info); Remove_Nops.Execute(module); var methodsFixed = 0; if (module.EntryPoint.HasBody && module.EntryPoint.Body.HasInstructions) { var instr = module.EntryPoint.Body.Instructions; for (var i = 0; i < instr.Count; i++) { if (instr[0].IsLdcI4() && instr[1].IsStloc() && instr[2].IsBr() && instr[3].IsLdloc() && instr[4].IsLdcI4() && instr[5].OpCode == OpCodes.Ceq && instr[6].IsLdcI4() && instr[7].OpCode == OpCodes.Ceq && instr[8].IsStloc() && instr[9].IsLdloc() && instr[10].IsBrtrue() && instr[11].OpCode == OpCodes.Ret && instr[12].OpCode == OpCodes.Calli && instr[13].OpCode == OpCodes.Sizeof) { for (var j = 0; j < 4; j++) { instr.RemoveAt(instr.Count - 1); } for (var j = 0; j < 13; j++) { instr.RemoveAt(0); } methodsFixed++; } } } Write(methodsFixed == 1 ? "Fixed Hide Method !" : "No Hide Methods found !", Type.Success); }
public static void Execute(ModuleDefMD module) { Write($"Decrypting the strings..", Type.Info); Remove_Nops.Execute(module); var decrypted = 0; foreach (var type in module.GetTypes().Where(t => t.HasMethods)) { foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions)) { var instr = method.Body.Instructions; for (var i = 0; i < instr.Count; i++) { if (instr[i].OpCode == OpCodes.Call && instr[i].Operand.ToString().Contains("get_UTF8") && instr[i + 1].OpCode == OpCodes.Ldstr && instr[i + 2].OpCode == OpCodes.Call && instr[i + 2].Operand.ToString().Contains("FromBase64String") && instr[i + 3].OpCode == OpCodes.Callvirt && instr[i + 3].Operand.ToString().Contains("GetString")) { string decryptedString = Encoding.UTF8.GetString(Convert.FromBase64String((string)instr[i + 1].Operand)); instr[i].OpCode = OpCodes.Nop; instr[i + 1].OpCode = OpCodes.Nop; instr[i + 2].OpCode = OpCodes.Nop; instr[i + 3].OpCode = OpCodes.Ldstr; instr[i + 3].Operand = decryptedString; decrypted++; Write($"Decrypted: {decryptedString} in method: {method.Name} at offset: {instr[i + 3].Offset}", Type.Debug); } } } } Write(decrypted == 0 ? "No String Protection found !" : decrypted == 1 ? $"Decrypted {decrypted} string !" : decrypted > 1 ? $"Decrypted {decrypted} strings !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write($"Removing the Double.Parse..", Type.Info); Remove_Nops.Execute(module); var mutationsFixed = 0; foreach (var type in module.GetTypes().Where(t => t.HasMethods)) { foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions)) { var instr = method.Body.Instructions; for (var i = 0; i < instr.Count; i++) { if (instr[i].OpCode == OpCodes.Ldstr && instr[i].Operand.ToString().Contains(",") && instr[i + 1].OpCode == OpCodes.Call && instr[i + 1].Operand.ToString().Contains("System.Double::Parse") && instr[i + 2].OpCode == OpCodes.Conv_I4) { int result = (int)double.Parse(instr[i].Operand.ToString()); instr[i].OpCode = OpCodes.Ldc_I4; instr[i].Operand = result; instr[i + 1].OpCode = OpCodes.Nop; instr[i + 2].OpCode = OpCodes.Nop; mutationsFixed++; Write($"Removed a Double.Parse in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug); } } } } Write(mutationsFixed == 0 ? "No Double.Parse found !" : mutationsFixed == 1 ? $"Fixed {mutationsFixed} Double.Parse !" : mutationsFixed > 1 ? $"Fixed {mutationsFixed} Double.Parse !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Removing the Fake Obfuscators...", Type.Info); Remove_Nops.Execute(module); var removed = 0; foreach (var type in module.Types.ToList()) { if (fakeObfuscators.Contains(type.Name)) { module.Types.Remove(type); removed++; Write($"Removed the fake obfuscator type: {type.Name}", Type.Debug); } } Write(removed == 0 ? "No Fake Obfscators found !" : removed == 1 ? $"Removed {removed} fake obfuscator type !" : removed > 1 ? $"Removed {removed} fake obfuscator types !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Removing the Constants Mutate...", Type.Info); Remove_Nops.Execute(module); var removed = 0; foreach (var type in module.Types.Where(t => t.HasMethods)) { foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions)) { var instr = method.Body.Instructions; for (var i = 0; i < instr.Count; ++i) { if (instr[i].OpCode == OpCodes.Add && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4()) { int num = instr[i - 2].GetLdcI4Value() + instr[i - 1].GetLdcI4Value(); instr[i].OpCode = OpCodes.Ldc_I4; instr[i].Operand = num; instr[i - 2].OpCode = OpCodes.Nop; instr[i - 1].OpCode = OpCodes.Nop; removed++; Write($"Removed a constant mutate [ADD] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug); } else if (instr[i].OpCode == OpCodes.Sub && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4()) { int num = instr[i - 2].GetLdcI4Value() - instr[i - 1].GetLdcI4Value(); instr[i].OpCode = OpCodes.Ldc_I4; instr[i].Operand = num; instr[i - 2].OpCode = OpCodes.Nop; instr[i - 1].OpCode = OpCodes.Nop; removed++; Write($"Removed a constant mutate [SUB] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug); } else if (instr[i].OpCode == OpCodes.Mul && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4()) { int num = instr[i - 2].GetLdcI4Value() * instr[i - 1].GetLdcI4Value(); instr[i].OpCode = OpCodes.Ldc_I4; instr[i].Operand = num; instr[i - 2].OpCode = OpCodes.Nop; instr[i - 1].OpCode = OpCodes.Nop; removed++; Write($"Removed a constant mutate [MUL] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug); } else if (instr[i].OpCode == OpCodes.Div && instr[i - 1].IsLdcI4() && instr[i - 2].IsLdcI4()) { int num = instr[i - 2].GetLdcI4Value() / instr[i - 1].GetLdcI4Value(); instr[i].OpCode = OpCodes.Ldc_I4; instr[i].Operand = num; instr[i - 2].OpCode = OpCodes.Nop; instr[i - 1].OpCode = OpCodes.Nop; removed++; Write($"Removed a constant mutate [DIV] in method: {method.Name} at offset: {instr[i].Offset}", Type.Debug); } } } } Write(removed == 0 ? "No Constants Mutate found !" : removed == 1 ? $"Removed {removed} constant mutate" : removed > 1 ? $"Removed {removed} constants mutate !" : "", Type.Success); }