Deobfuscating Mutation of VMProtect.NET
This article introduces the mutation protection of VMProtect in .NET assembly protection and how to restore it using control flow analysis techniques.
This article introduces techniques for encrypting and unpacking at the JIT layer in .NET, covering IL code, tokens, exception handling clauses, and local variables. It also provides source code for a basic JIT unpacking framework. The content of this article is applicable to all versions of the .NET Framework, .NET Core 1.0-3.1, and .NET 5+. If not otherwise specified, “.NET” in this article refers to the “.NET Framework”.
Building on the basics of control flow, this article introduces some methods for deobfuscating control flow obfuscation and provides an example deobfuscator for ConfuserEx’s control flow obfuscation.
For some complex obfuscation techniques, control flow analysis is necessary to restore them. This article introduces the basic knowledge of .NET control flow analysis. Understanding these basics is enough to restore most obfuscations that require control flow analysis.
Reflection is an important feature in .NET. Based on this feature, we often don’t need to fully analyze the encryption algorithm itself. We can simply use reflection APIs to complete decryption. This article will introduce dynamic decryption techniques in .NET and their corresponding countermeasures.
The core protection principle of ILProtector is the dynamic method. This article describes ILProtector's protection in detail and presents an unpacker written specifically for it.
Many people know that a series of tools, such as dnSpy for dumping and CodeCracker’s tools, can be used to remove the ConfuserEx obfuscator. There are many tutorials available online, but there is no article explaining the underlying principles. This article will explain in detail the Anti Tamper and Anti Dump protections of ConfuserEx.