.NET Assembly Protector & Obfuscator
Developed by MasonGroup (Freemasonry) Team: Battal Alqhtani & Turki Alotibi
EIYM Protector is an advanced .NET assembly protector built with dnlib. It applies multiple layers of obfuscation and protection to your .NET executables and libraries, making reverse engineering extremely difficult.
Simply select your .exe or .dll, choose your protections, and click Protect. You can also drag and drop files directly onto the application.
Encrypts all hardcoded strings using XOR with per-string random keys. Strings are decrypted at runtime.
Before:
computerInfo.OSFullName.Replace("Microsoft", null),After:
computerInfo.OSFullName.Replace(g\u0348\u0318\u0329\u0341\u031B\u0345\u0334\u035C\u0303\u031B\u030618.\u0310\u0353\u0347\u0332\u032F\u032F\u030E\u0345\u0344\u0315\u034B\u034A67("^\u0096huT||", "\u0001\u0017", \u0345\u0310\u031B\u030D\u0340\u0318\u0322\u033C\u0331\u0335\u0301\u03257.\u0300\u0316\u0314\u033Bj\u0357S\u0309\u0325\u0325\u0344\u032015(730685 ^ 730730, 631441 ^ 631453)), null),Replaces integer constants with mathematical expressions using 4 methods: XOR, ADD, SUB, and double-XOR.
Before:
int port = 8080;After:
int port = 95847 ^ 87767;Inserts fake conditional branches at method entry points. Real code always executes, but decompilers show confusing junk paths.
Multi-layered debugger detection system:
- Debugger.IsAttached — managed debugger check
- Debugger.IsLogging — logging-based detection
- Process scanning — detects debugger tools by process name (dnSpy, x64dbg, OllyDbg, IDA, etc.)
- Timing checks — detects single-stepping via GetTickCount measurements
- Entry point guard — additional check at program start
- Background thread monitor — continuous loop checking for debugger attachment
- Scattered checks — anti-debug checks injected randomly throughout user methods
- Multiple exit strategies — Environment.Exit with random codes, infinite loops
Detects analysis VMs using WMI hardware queries:
- VMware (manufacturer check)
- VirtualBox (model check)
- Hyper-V (Microsoft Corporation + VIRTUAL model)
If a VM is detected, the application exits immediately.
Injects compiler-styled trap types (<>c__AntiDump, <>f__DumpTrap, etc.) that break memory dumping tools like MegaDumper and ExtremeDumper. Trap types use <> naming convention so they appear as compiler-generated code.
Dual integrity verification at runtime:
- Size check — verifies the file size hasn't been modified
- Checksum verification — computes and validates a hash of the assembly bytes
If tampering is detected, the application exits.
Injects decoy types, interfaces, and attributes that crash de4dot (the popular .NET deobfuscator) when it tries to process the assembly.
Multi-layer resource encryption:
- Resources are wrapped in satellite assemblies
- Compressed with DeflateStream
- Encrypted with 3-layer XOR (positional key + rolling key + NOT + secondary key)
- 16-byte header stores encryption keys
- Resources are renamed to obfuscated names
- Runtime resolver automatically decrypts resources when accessed
- 15-30 decoy resources added with fake headers (PNG, BMP, ICO, BAML, zlib, .resources magic)
Redirects method calls through dynamically generated proxy delegate methods, hiding the real call targets from static analysis.
Applies decompiler-confusing attributes to methods, making them harder to analyze in tools like dnSpy and ILSpy.
Adds misleading .NET attributes to types and methods (e.g., fake CompilerGenerated, DebuggerHidden, Obfuscation attributes).
Embeds an encrypted build stamp with:
- UTC timestamp (XOR-encoded)
- Unique build ID
- Encrypted signature string
- Dummy fields for noise
Converts method bodies into custom virtual machine bytecode. Methods are interpreted at runtime by an injected VM engine, making static analysis of the original IL nearly impossible.
Replaces direct call instructions with indirect calli instructions using function pointers. This breaks most decompilers and static analysis tools.
Converts method local variables to static fields in <Module>, scattering data across the assembly and confusing decompilers.
Adds mathematical mutations to integer operations — wrapping simple math in nested XOR/ADD/SUB layers that produce the same result but are much harder to analyze.
Injects fake classes with fake methods, fields, and properties. Configurable count (default: 50, max: 500). Each junk class contains:
- 3-10 random fields
- 5-15 methods with random math operations
- 2-5 properties
Injects anti-debug checks (Debugger.IsAttached / IsLogging) randomly throughout existing user methods. ~30% of eligible methods get a check at their entry point.
Corrupts assembly metadata to break analysis tools and decompilers while keeping the runtime functional.
The most advanced protection layer in the entire suite — method bodies are encrypted at build time using AES-256-CBC and replaced with lightweight stubs. The original IL code is completely removed from the assembly metadata.
At runtime, a custom dispatcher intercepts calls, decrypts the original IL bytecode, and reconstructs the method using System.Reflection.Emit.DynamicMethod. The rebuilt method executes from memory only — it never exists on disk in its original form and is invisible to static analysis tools.
Architecture:
- AES-256-CBC Decryptor — dedicated decryption engine with per-assembly random key and IV
- IL Rebuilder — full instruction-by-instruction reconstruction engine supporting all .NET opcodes, branches, locals, exception handlers, and token resolution
- Delegate Cache — each method is rebuilt once and cached as a delegate for near-native performance on subsequent calls
- Compact Storage — encrypted bodies stored via
RuntimeHelpers.InitializeArraywith FieldRVA for minimal PE overhead
Before (original IL visible in dnSpy / ILSpy):
public static int Multiply(int x, int y)
{
return x * y;
}
public static string DoWork(int a, int b)
{
int sum = a + b;
string grade = GetGrade(sum);
return "Sum=" + sum + " Grade=" + grade;
}
public static int Fibonacci(int n)
{
if (n <= 1) return n;
int a = 0, b = 1;
for (int i = 2; i <= n; i++)
{
int temp = a + b;
a = b;
b = temp;
}
return b;
}After (method bodies replaced — only stubs visible):
public static int Multiply(int x, int y)
{
// Original code is GONE — replaced with encrypted dispatcher call
return (int)VmybbmOtgN1.UXerZObhCpDJ18(
729982902 ^ 729982903, // XOR-obfuscated method index
new object[] { x, y } // parameters packed as object array
);
}
public static string DoWork(int a, int b)
{
return (string)VmybbmOtgN1.UXerZObhCpDJ18(
767991271 ^ 767991271,
new object[] { a, b }
);
}
public static int Fibonacci(int n)
{
return (int)VmybbmOtgN1.UXerZObhCpDJ18(
848283082 ^ 848283087,
new object[] { n }
);
}What an attacker sees in dnSpy:
- Every protected method contains only a stub that calls the dispatcher
- The original IL bytecode exists nowhere in the PE file — it is AES-encrypted in opaque byte arrays
- Even memory dumps cannot recover the original code in readable form since DynamicMethod is invisible to reflection
- The dispatcher, rebuilder, and all helper methods use obfuscated names
Protection scope: All eligible static methods are encrypted. Constructors, Main, virtual methods, and generic methods are excluded for CLR compatibility.
Disabled by default. When enabled, renames code elements to random strings.
| Option | What it renames |
|---|---|
| Namespaces | All namespace names |
| Types | Classes, structs, enums |
| Methods | Methods (skips constructors, Main, virtual, InitializeComponent) |
| Fields | Field names |
| Properties | Property names |
| Events | Event names |
Settings:
- Length: Random name length (5-50 chars)
- Prefix: Prepended to each name (default:
$MASON~) - Chars: Character set for random names
Safety: Automatically skips entry points, constructors, virtual/abstract methods, WinForms InitializeComponent, property accessors, event handlers, runtime special names, serializable fields, and resource-related types.
- Browse or drag and drop your
.exe/.dllfile - Check the protections you want (or use Select All)
- Configure the renamer if needed
- Click Protect
- Choose where to save the protected file
| Feature | v1 (Old) | v2 (New) |
|---|---|---|
| Anti Debug | Single Debugger.IsAttached check |
8-layer system: managed checks, process scanning, timing detection, background thread, scattered checks |
| Anti Dump | Basic trap types | Compiler-styled trap types (<>c__) that survive metadata confusion |
| Anti Tamper | Not available | Dual verification: file size + checksum |
| Anti De4dot | Not available | Decoy types/interfaces that crash de4dot |
| Resources Encoding | Simple XOR with random key | Satellite assembly wrapping + DeflateStream compression + 3-layer XOR encryption + runtime resolver + 15-30 decoy resources |
| VM Obfuscation | Not available | Full custom VM interpreter for method bodies |
| Calli Conversion | Not available | Indirect call instruction replacement |
| Local to Field | Not available | Local-to-static-field conversion |
| Mutation Encoding | Not available | Mathematical mutation layers on integer ops |
| Proxy Calls | Not available | Delegate-based call proxying |
| Hide Methods | Not available | Decompiler-confusing method attributes |
| Fake Attributes | Not available | Misleading .NET attributes |
| Scattered Anti-Debug | Not available | Anti-debug checks spread across user methods |
| Metadata Confusion | Not available | Metadata corruption for tool resistance |
| Runtime Encryption | Not available | AES-256 method body encryption + DynamicMethod rebuild at runtime |
| Drag & Drop | Not available | Drag and drop files onto the app |
| Renamer Safety | Could break WinForms/resources | Smart skipping of WinForms, serializable, resources |
| Stability | P/Invoke crashes on some systems | All managed code, no native P/Invoke crashes |
| Protections Total | 7 | 21 |
- .NET Framework 4.7.2+
- dnlib 4.5.0 (included via NuGet)
Open MasonProtector.sln in Visual Studio
Build → Rebuild Solution (Debug or Release)
MIT License — See LICENSE for details.
MasonGroup (Freemasonry) — Battal Alqhtani & Turki Alotibi