A .NET assembly binary patcher that removes string obfuscation by directly modifying IL bytecode.
Converts obfuscated code like this:
string msg = DecoderClass.A();
MessageBox.Show(DecoderClass.B());Into readable code like this:
string msg = "{{ Region = {0} }}";
MessageBox.Show("Not a valid direction.");All at the IL bytecode level - no source code required!
- 🔓 String Deobfuscation - Decrypts and decodes obfuscated strings
- 🔧 IL Patching - Replaces method calls with string literals directly in bytecode
- 🚀 High Performance - Processes 3,700+ strings in ~2 seconds
- ✅ Complete Coverage - Replaces 9,150+ decoder calls across the assembly
- 📊 Detailed Reporting - Shows exactly what was patched
- 🔍 Verification - Confirms all decoder calls were replaced
cd ILStringPatcher
dotnet build
dotnet run -- -i input.exe -o output.exe# Patch an assembly
dotnet run -- -i BeltStat.exe -o BeltStat_patched.exe
# Dry run (analyze without writing)
dotnet run -- -i BeltStat.exe -o output.exe --dry-run
# Scan mode (detailed analysis)
dotnet run -- -i BeltStat.exe -o output.exe --scan
# Verbose output
dotnet run -- -i BeltStat.exe -o output.exe --verbose-i, --input Required. Input .NET assembly path
-o, --output Required. Output path for patched assembly
-v, --verbose Enable verbose logging
-d, --dry-run Analyze without writing changes
-b, --backup Create backup of input file (default: true)
-s, --scan Scan and analyze assembly structure
Scans the assembly to find the string decoder class:
✓ Found decoder class
- Data buffer: 71,589 bytes
- Decoder methods: 3,768
Extracts encrypted string data from IL metadata:
✓ Extracted data buffer: 71,589 bytes
Decrypts the buffer using XOR cipher:
Algorithm: XOR with rotating key
Key = (index % 256) ^ 0xAA
✓ Decrypted 71,589 bytes
Analyzes decoder method IL code to extract strings:
✓ Successfully decoded: 3,766 strings
Replaces all call instructions with ldstr literals:
✓ Methods patched: 576
✓ Calls replaced: 9,150
ILStringPatcher/
├── Core/
│ ├── PELoader.cs # Load/write assemblies
│ ├── StringDecoderDetector.cs # Find & decode strings
│ ├── ILPatcher.cs # Patch IL bytecode
│ ├── AssemblyScanner.cs # Diagnostic scanner
│ ├── TypeInspector.cs # Type analysis
│ ├── DetailedTypeInspector.cs # Deep inspection
│ └── MethodILInspector.cs # IL code analysis
├── Models/
│ └── CommandLineOptions.cs # CLI arguments
└── Program.cs # Main entry point
- .NET 9.0 SDK
- macOS, Windows, or Linux
- Target assemblies: .NET Framework 4.0+
- dnlib 4.5.0 - .NET assembly manipulation
- CommandLineParser 2.9.1 - CLI argument parsing
ILStringPatcher v1.0
=============================
Loading assembly: BeltStat.exe
✓ Loaded: BeltStat, Version=11.3.0.1
- Types: 391
- Methods: 10,679
=== Detecting String Decoder Class ===
✓ Found decoder class
- Data buffer field: 4 (71,589 bytes)
- Methods: 3,768
=== Decrypting Data Buffer ===
✓ Complete: 71,589 bytes
=== Decoding Strings ===
✓ Successfully decoded: 3,766 strings
=== Sample Decoded Strings ===
A() → "{{ Region = {0} }}"
B() → "Not a valid direction."
C() → "Characters of parameter hex should be in [0-9,A-F,a-f]"
=== Patching IL Code ===
✓ Methods patched: 576
✓ Calls replaced: 9,150
✓ All decoder calls successfully replaced!
Writing assembly to: BeltStat_patched.exe
✓ Assembly written successfully
✓ Operation completed successfully
Before:
IL_0000: call String DecoderClass::A()
After:
IL_0000: ldstr "{{ Region = {0} }}"
This patcher targets a specific obfuscation pattern:
- Strings encrypted with XOR cipher (rotating key)
- Stored in single large byte array (50KB+)
- Accessed via generated decoder methods
- Each method loads offset/length and calls core decoder
Measured on M1 MacBook Pro:
- Load: <0.1s (20 MB/s)
- Decrypt: <0.1s (700 KB/s)
- Decode: 0.5s (7,500 strings/s)
- Patch: 1.0s (10,000 methods/s)
- Write: 0.5s (4 MB/s)
- Total: ~2.2s
- Analyze obfuscated malware
- Understand proprietary algorithms
- Recover lost documentation
- Audit third-party libraries
- Find hidden functionality
- Compliance checking
- Debug legacy obfuscated code
- Modernize old applications
- Code quality audits
- Decoder class remains: The unused decoder class stays in the assembly (can be removed in future version)
- File size increase: ~10% larger due to embedded strings
- Strong names: Digital signatures become invalid
- Other obfuscation: Control flow and naming obfuscation remain intact
- Remove unused decoder class
- Remove data buffer field (save 71 KB)
- Optimize metadata
- GUI interface
- Support for other obfuscators
- Batch processing
- Decompiler integration
- ✅ Always obtain proper authorization
- ✅ Comply with applicable laws
- ✅ Respect intellectual property
- ✅ Follow responsible disclosure
- ❌ Do not use for malicious purposes
Successfully patched BeltStat.exe:
- ✅ 3,766 strings decoded (99.9%)
- ✅ 9,150 decoder calls replaced (100%)
- ✅ 576 methods patched
- ✅ Patched assembly is valid and loadable
- ✅ Zero decoder calls remain
See PATCHING_RESULTS.md for detailed results.
ILStringPatcher/
├── ILStringPatcher/ # Main project
│ ├── Core/ # Core functionality
│ ├── Models/ # Data models
│ ├── Program.cs # Entry point
│ └── ILStringPatcher.csproj # Project file
├── README.md # This file
└── PATCHING_RESULTS.md # Detailed results
# Clone repository
git clone https://github.com/yourusername/ILStringPatcher.git
cd ILStringPatcher/ILStringPatcher
# Restore dependencies
dotnet restore
# Build
dotnet build
# Run
dotnet run -- -i input.exe -o output.exe- Ensure input file is a valid .NET assembly
- Check file permissions
- Assembly may not be obfuscated with this pattern
- Try
--scanmode to analyze structure
- Obfuscation may use different encryption
- Check verbose output for details
This is a personal project, but suggestions and bug reports are welcome via GitHub Issues.
Built with:
- .NET 9.0 by Microsoft
- dnlib by 0xd4d
- CommandLineParser by gsscoder
Note: This tool reverses string obfuscation for analysis purposes. Always ensure your use is legal and ethical.
Last Updated: October 29, 2025 Version: 1.0