public static void Execute(ModuleDefMD module)
{
Write("Removing the Anti De4dot...", Type.Info);
Remove_Nops.Execute(module);
int removed = 0;
foreach (var type in module.Types.ToList().Where(t => t.HasInterfaces))
{
for (var i = 0; i < type.Interfaces.Count; i++)
{
if (type.Interfaces[i].Interface.Name.Contains(type.Name) || type.Name.Contains(type.Interfaces[i].Interface.Name)) // si c'est un anti de4dot
{
module.Types.Remove(type);
removed++;
Write($"Removed: {type.Name}", Type.Debug);
}
}
}
Write(removed == 0 ? "No Anti De4dot found !" :
removed == 1 ? "Anti De4dot removed !" :
removed > 1 ? $"Fixed {removed} anti de4dot methods !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Anti Dump...", Type.Info);
Remove_Nops.Execute(module);
var removed = 0;
foreach (var instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
{
var method = instruction.Operand as MethodDef;
var instr = method.Body.Instructions;
if (instr.Count > 140 && instr.Count < 160 &&
Utils.FindInstructionNumber(method, OpCodes.Call, "native int [mscorlib]System.Runtime.InteropServices.Marshal::GetHINSTANCE(class [mscorlib]System.Reflection.Module)") == 1 &&
Utils.FindInstructionNumber(method, OpCodes.Call, "::VirtualProtect(uint8*, int32, uint32, uint32&)") == 1)
{
instruction.OpCode = OpCodes.Nop;
Write($"Removed an Anti Dump call at offset: {instruction.Offset}", Type.Debug);
for (var i = 0; i < instr.Count; i++)
{
instr.RemoveAt(0);
}
removed++;
Write($"Removed an Anti Dump method: {method.Name}", Type.Debug);
}
}
Write(removed == 0 ? "No Anti Dump found !" :
removed == 1 ? $"Removed Anti Dump !" :
removed > 1 ? $"Removed {removed} Anti Dump methods !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Anti VM...", Type.Info);
Remove_Nops.Execute(module);
var removed = 0;
foreach (var instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
{
var method = instruction.Operand as MethodDef;
var instr = method.Body.Instructions;
if (instr[0].OpCode == OpCodes.Call &&
instr[1].IsStloc() &&
instr[2].IsLdloc() &&
instr[3].IsBrfalse() &&
instr[4].OpCode == OpCodes.Ldstr &&
instr[4].Operand.ToString() == "VirtualMachine detected. Exiting..." &&
instr[5].OpCode == OpCodes.Ldstr &&
instr[5].Operand.ToString() == "Rzy Protector" &&
instr[6].IsLdcI4() &&
instr[7].IsLdcI4() &&
(int)instr[7].Operand == 0x40 &&
instr[8].OpCode == OpCodes.Call &&
instr[8].Operand.ToString() == "valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string, valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons, valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxIcon)" &&
instr[9].OpCode == OpCodes.Pop &&
instr[10].OpCode == OpCodes.Call &&
instr[10].Operand.ToString() == "class [System]System.Diagnostics.Process [System]System.Diagnostics.Process::GetCurrentProcess()" &&
instr[11].OpCode == OpCodes.Callvirt &&
instr[11].Operand.ToString() == "instance void [System]System.Diagnostics.Process::Kill()" &&
instr[12].OpCode == OpCodes.Ret)
{
instruction.OpCode = OpCodes.Nop;
Write($"Removed an Anti VM call at offset: {instruction.Offset}", Type.Debug);
for (var i = 0; i < instr.Count; i++)
{
instr.RemoveAt(i);
}
removed++;
Write($"Removed an Anti VM method: {method.Name}", Type.Debug);
}
}
Write(removed == 0 ? "No Anti VM found !" :
removed == 1 ? $"Removed Anti VM !" :
removed > 1 ? $"Removed {removed} Anti VM methods !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Anti Debug...", Type.Info);
Remove_Nops.Execute(module);
var removed = 0;
foreach (var instr in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
{
var debuggerMethod = instr.Operand as MethodDef;
if (instr.OpCode == OpCodes.Call &&
debuggerMethod != null &&
debuggerMethod.DeclaringType.IsGlobalModuleType &&
Utils.FindInstructionNumber(debuggerMethod, OpCodes.Ldstr, "ENABLE_PROFILING") == 1 &&
Utils.FindInstructionNumber(debuggerMethod, OpCodes.Ldstr, "GetEnvironmentVariable") == 1 &&
Utils.FindInstructionNumber(debuggerMethod, OpCodes.Ldstr, "COR") == 1 &&
Utils.FindInstructionNumber(debuggerMethod, OpCodes.Call, "System.Environment::FailFast(System.String)") == 1)
{
instr.OpCode = OpCodes.Nop;
Write($"Removed an Anti Debug call at offset: {instr.Offset}", Type.Debug);
module.GlobalType.Remove(debuggerMethod);
removed++;
Write($"Removed an Anti Debug method: {debuggerMethod.Name}", Type.Debug);
}
}
foreach (MethodDef method in module.GlobalType.Methods.Where(m => m.HasBody))
{
if (Utils.FindInstructionNumber(method, OpCodes.Ldc_I4, 500) == 1 &&
Utils.FindInstructionNumber(method, OpCodes.Ldc_I4, 1000) == 1 &&
Utils.FindInstructionNumber(method, OpCodes.Call, "System.Environment::FailFast(System.String)") > 1 &&
method.Attributes == (MethodAttributes.Private | MethodAttributes.Static | MethodAttributes.HideBySig))
{
module.GlobalType.Remove(method);
removed++;
Write($"Removed an Anti Debug method: {method.Name}", Type.Debug);
}
}
Write(removed == 0 ? "No Anti Debug found !" :
removed == 1 ? $"Removed Anti Debug !" :
removed > 1 ? $"Removed {removed} Anti Debug methods !" : "", Type.Success);
}
public static void Execute(ModuleDefMD module)
{
Write("Removing the Anti DnSpy...", Type.Info);
Remove_Nops.Execute(module);
var removed = 0;
foreach (var instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
{
var method = instruction.Operand as MethodDef;
var instr = method.Body.Instructions;
if (instr.Count == 1 &&
instr[0].OpCode == OpCodes.Call &&
instr[0].Operand.ToString().Contains("::Read"))
{
var antiDnSpyMethod = instr[0].Operand as MethodDef;
instr[0].OpCode = OpCodes.Nop;
instruction.OpCode = OpCodes.Nop;
Write($"Removed an Anti Dump call at offset: {instruction.Offset}", Type.Debug);
for (var i = 0; i < antiDnSpyMethod.Body.Instructions.Count; i++)
{
antiDnSpyMethod.Body.Instructions.RemoveAt(i);
}
removed++;
Write($"Removed an Anti DnSpy method: {method.Name}", Type.Debug);
}
}
Write(removed == 0 ? "No Anti DnSpy found !" :
removed == 1 ? $"Removed Anti DnSpy !" :
removed > 1 ? $"Removed {removed} Anti DnSpy methods !" : "", Type.Success);
}
static void Main(string[] args)
{
#region Initialize
Console.Title = "Rzy Protector V2 Unpacker - by illuZion#9999";
WriteTitle();
if (args.Length != 1)
{
Write("Please, drag 'n' drop the file to unpack!", Type.Error);
Leave();
}
string directory = args[0];
try { module = ModuleDefMD.Load(directory); assembly = AssemblyDef.Load(directory); filePath = directory; }
catch { Write("Not a .NET Assembly...", Type.Error); Leave(); }
#endregion Initialize
#region Unpack
Hide_Methods.Execute(module);
Call_to_Calli.Execute(module);
Empty_Types.Execute(module);
Maths(module);
Local_To_Field.Execute(module);
Constants.Execute(module);
Maths(module);
String_Protection.Execute(module);
Fake_Obfuscator.Execute(module);
Anti_ILDasm.Execute(module);
Anti_De4dot.Execute(module);
Anti_Dnspy.Execute(module);
Anti_VM.Execute(module);
Anti_Debug.Execute(module);
Anti_Dump.Execute(module);
Remove_Nops.Execute(module);
#endregion Unpack
#region Save the file
Write("Saving the unpacked file...", Type.Info);
string text = Path.GetDirectoryName(directory);
if (!text.EndsWith("\\"))
{
text += "\\";
}
string filename = string.Format("{0}{1}-Unpacked{2}", text, Path.GetFileNameWithoutExtension(directory), Path.GetExtension(directory));
ModuleWriterOptions writerOptions = new ModuleWriterOptions(module);
writerOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll;
writerOptions.Logger = DummyLogger.NoThrowInstance;
NativeModuleWriterOptions NativewriterOptions = new NativeModuleWriterOptions(module, true);
NativewriterOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll;
NativewriterOptions.Logger = DummyLogger.NoThrowInstance;
if (module.IsILOnly)
{
module.Write(filename, writerOptions);
}
else
{
module.NativeWrite(filename, NativewriterOptions);
}
Write($"File saved at: {filename}", Type.Success);
Leave();
#endregion Save the file
}
