.NET JIT Unpacking Guide and Tool Source

This article introduces techniques for encrypting and unpacking at the JIT layer in .NET, including IL code, Tokens, exception handling clauses, and local variables. It also provides a basic JIT unpacking framework source code. The content of this article is applicable to all versions of the .NET Framework, .NET Core 1.0-3.1, and .NET 5+. If not otherwise specified, “.NET” in this article refers to the “.NET Framework”.


.NET Control Flow Analysis (II) - Deobfuscation

After understanding the basic knowledge of control flow, this article will continue to introduce some methods for deobfuscating control flow obfuscation, and provide an example of a deobfuscator for ConfuserEx’s control flow obfuscation.


.NET Control Flow Analysis (I) - Get Started

For some complex obfuscation techniques, control flow analysis is necessary to restore them. This article introduces the basic knowledge of .NET control flow analysis. Understanding these is enough to restore most obfuscations that require control flow analysis.


.NET Dynamic Decryption and Countermeasures

Reflection is an important feature in .NET. Based on this feature, we often don’t need to fully analyze the encryption algorithm itself. We can simply use reflection APIs to complete decryption. This article will introduce dynamic decryption techniques in .NET and their corresponding countermeasures.


Inside ILProtector and Writing an Unpacker

The core protection principle of ILProtector is dynamic method. This article provides a detailed introduction to the protection details of ILProtector and specifically writes out the unpacker targeting it.


Inside ConfuserEx's Anti-tamper and Anti-dumping

Many people know that using a series of tools such as dnSpy then dump, and CodeCracker’s can be used to remove the ConfuserEx obfuscator. There are many tutorials available online, but there is no article explaining the underlying principles. This article will explain in detail the Anti Tamper and Anti Dump protections of ConfuserEx.