public static void Execute(ModuleDefMD module) { Write("Removing the Anti De4dot...", Type.Info); Remove_Nops.Execute(module); int removed = 0; foreach (var type in module.Types.ToList().Where(t => t.HasInterfaces)) { for (var i = 0; i < type.Interfaces.Count; i++) { if (type.Interfaces[i].Interface.Name.Contains(type.Name) || type.Name.Contains(type.Interfaces[i].Interface.Name)) // si c'est un anti de4dot { module.Types.Remove(type); removed++; Write($"Removed: {type.Name}", Type.Debug); } } } Write(removed == 0 ? "No Anti De4dot found !" : removed == 1 ? "Anti De4dot removed !" : removed > 1 ? $"Fixed {removed} anti de4dot methods !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Removing the Anti Dump...", Type.Info); Remove_Nops.Execute(module); var removed = 0; foreach (var instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call)) { var method = instruction.Operand as MethodDef; var instr = method.Body.Instructions; if (instr.Count > 140 && instr.Count < 160 && Utils.FindInstructionNumber(method, OpCodes.Call, "native int [mscorlib]System.Runtime.InteropServices.Marshal::GetHINSTANCE(class [mscorlib]System.Reflection.Module)") == 1 && Utils.FindInstructionNumber(method, OpCodes.Call, "::VirtualProtect(uint8*, int32, uint32, uint32&)") == 1) { instruction.OpCode = OpCodes.Nop; Write($"Removed an Anti Dump call at offset: {instruction.Offset}", Type.Debug); for (var i = 0; i < instr.Count; i++) { instr.RemoveAt(0); } removed++; Write($"Removed an Anti Dump method: {method.Name}", Type.Debug); } } Write(removed == 0 ? "No Anti Dump found !" : removed == 1 ? $"Removed Anti Dump !" : removed > 1 ? $"Removed {removed} Anti Dump methods !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Removing the Anti VM...", Type.Info); Remove_Nops.Execute(module); var removed = 0; foreach (var instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call)) { var method = instruction.Operand as MethodDef; var instr = method.Body.Instructions; if (instr[0].OpCode == OpCodes.Call && instr[1].IsStloc() && instr[2].IsLdloc() && instr[3].IsBrfalse() && instr[4].OpCode == OpCodes.Ldstr && instr[4].Operand.ToString() == "VirtualMachine detected. Exiting..." && instr[5].OpCode == OpCodes.Ldstr && instr[5].Operand.ToString() == "Rzy Protector" && instr[6].IsLdcI4() && instr[7].IsLdcI4() && (int)instr[7].Operand == 0x40 && instr[8].OpCode == OpCodes.Call && instr[8].Operand.ToString() == "valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string, valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons, valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxIcon)" && instr[9].OpCode == OpCodes.Pop && instr[10].OpCode == OpCodes.Call && instr[10].Operand.ToString() == "class [System]System.Diagnostics.Process [System]System.Diagnostics.Process::GetCurrentProcess()" && instr[11].OpCode == OpCodes.Callvirt && instr[11].Operand.ToString() == "instance void [System]System.Diagnostics.Process::Kill()" && instr[12].OpCode == OpCodes.Ret) { instruction.OpCode = OpCodes.Nop; Write($"Removed an Anti VM call at offset: {instruction.Offset}", Type.Debug); for (var i = 0; i < instr.Count; i++) { instr.RemoveAt(i); } removed++; Write($"Removed an Anti VM method: {method.Name}", Type.Debug); } } Write(removed == 0 ? "No Anti VM found !" : removed == 1 ? $"Removed Anti VM !" : removed > 1 ? $"Removed {removed} Anti VM methods !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Removing the Anti Debug...", Type.Info); Remove_Nops.Execute(module); var removed = 0; foreach (var instr in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call)) { var debuggerMethod = instr.Operand as MethodDef; if (instr.OpCode == OpCodes.Call && debuggerMethod != null && debuggerMethod.DeclaringType.IsGlobalModuleType && Utils.FindInstructionNumber(debuggerMethod, OpCodes.Ldstr, "ENABLE_PROFILING") == 1 && Utils.FindInstructionNumber(debuggerMethod, OpCodes.Ldstr, "GetEnvironmentVariable") == 1 && Utils.FindInstructionNumber(debuggerMethod, OpCodes.Ldstr, "COR") == 1 && Utils.FindInstructionNumber(debuggerMethod, OpCodes.Call, "System.Environment::FailFast(System.String)") == 1) { instr.OpCode = OpCodes.Nop; Write($"Removed an Anti Debug call at offset: {instr.Offset}", Type.Debug); module.GlobalType.Remove(debuggerMethod); removed++; Write($"Removed an Anti Debug method: {debuggerMethod.Name}", Type.Debug); } } foreach (MethodDef method in module.GlobalType.Methods.Where(m => m.HasBody)) { if (Utils.FindInstructionNumber(method, OpCodes.Ldc_I4, 500) == 1 && Utils.FindInstructionNumber(method, OpCodes.Ldc_I4, 1000) == 1 && Utils.FindInstructionNumber(method, OpCodes.Call, "System.Environment::FailFast(System.String)") > 1 && method.Attributes == (MethodAttributes.Private | MethodAttributes.Static | MethodAttributes.HideBySig)) { module.GlobalType.Remove(method); removed++; Write($"Removed an Anti Debug method: {method.Name}", Type.Debug); } } Write(removed == 0 ? "No Anti Debug found !" : removed == 1 ? $"Removed Anti Debug !" : removed > 1 ? $"Removed {removed} Anti Debug methods !" : "", Type.Success); }
public static void Execute(ModuleDefMD module) { Write("Removing the Anti DnSpy...", Type.Info); Remove_Nops.Execute(module); var removed = 0; foreach (var instruction in module.GlobalType.FindOrCreateStaticConstructor().Body.Instructions.Where(i => i.OpCode == OpCodes.Call)) { var method = instruction.Operand as MethodDef; var instr = method.Body.Instructions; if (instr.Count == 1 && instr[0].OpCode == OpCodes.Call && instr[0].Operand.ToString().Contains("::Read")) { var antiDnSpyMethod = instr[0].Operand as MethodDef; instr[0].OpCode = OpCodes.Nop; instruction.OpCode = OpCodes.Nop; Write($"Removed an Anti Dump call at offset: {instruction.Offset}", Type.Debug); for (var i = 0; i < antiDnSpyMethod.Body.Instructions.Count; i++) { antiDnSpyMethod.Body.Instructions.RemoveAt(i); } removed++; Write($"Removed an Anti DnSpy method: {method.Name}", Type.Debug); } } Write(removed == 0 ? "No Anti DnSpy found !" : removed == 1 ? $"Removed Anti DnSpy !" : removed > 1 ? $"Removed {removed} Anti DnSpy methods !" : "", Type.Success); }
static void Main(string[] args) { #region Initialize Console.Title = "Rzy Protector V2 Unpacker - by illuZion#9999"; WriteTitle(); if (args.Length != 1) { Write("Please, drag 'n' drop the file to unpack!", Type.Error); Leave(); } string directory = args[0]; try { module = ModuleDefMD.Load(directory); assembly = AssemblyDef.Load(directory); filePath = directory; } catch { Write("Not a .NET Assembly...", Type.Error); Leave(); } #endregion Initialize #region Unpack Hide_Methods.Execute(module); Call_to_Calli.Execute(module); Empty_Types.Execute(module); Maths(module); Local_To_Field.Execute(module); Constants.Execute(module); Maths(module); String_Protection.Execute(module); Fake_Obfuscator.Execute(module); Anti_ILDasm.Execute(module); Anti_De4dot.Execute(module); Anti_Dnspy.Execute(module); Anti_VM.Execute(module); Anti_Debug.Execute(module); Anti_Dump.Execute(module); Remove_Nops.Execute(module); #endregion Unpack #region Save the file Write("Saving the unpacked file...", Type.Info); string text = Path.GetDirectoryName(directory); if (!text.EndsWith("\\")) { text += "\\"; } string filename = string.Format("{0}{1}-Unpacked{2}", text, Path.GetFileNameWithoutExtension(directory), Path.GetExtension(directory)); ModuleWriterOptions writerOptions = new ModuleWriterOptions(module); writerOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll; writerOptions.Logger = DummyLogger.NoThrowInstance; NativeModuleWriterOptions NativewriterOptions = new NativeModuleWriterOptions(module, true); NativewriterOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll; NativewriterOptions.Logger = DummyLogger.NoThrowInstance; if (module.IsILOnly) { module.Write(filename, writerOptions); } else { module.NativeWrite(filename, NativewriterOptions); } Write($"File saved at: {filename}", Type.Success); Leave(); #endregion Save the file }