A .NET assembly binary patcher that removes string obfuscation by directly modifying IL bytecode.
Converts obfuscated code like this:
string msg = DecoderClass.A();
MessageBox.Show(DecoderClass.B());Into readable code like this:
string msg = "{{ Region = {0} }}";
MessageBox.Show("Not a valid direction.");All at the IL bytecode level - no source code required!
- π String Deobfuscation - Decrypts and decodes obfuscated strings
- π§ IL Patching - Replaces method calls with string literals directly in bytecode
- π High Performance - Processes 3,700+ strings in ~2 seconds
- β Complete Coverage - Replaces 9,150+ decoder calls across the assembly
- π Detailed Reporting - Shows exactly what was patched
- π Verification - Confirms all decoder calls were replaced
cd ILStringPatcher
dotnet build
dotnet run -- -i input.exe -o output.exe# Patch an assembly
dotnet run -- -i BeltStat.exe -o BeltStat_patched.exe
# Dry run (analyze without writing)
dotnet run -- -i BeltStat.exe -o output.exe --dry-run
# Scan mode (detailed analysis)
dotnet run -- -i BeltStat.exe -o output.exe --scan
# Verbose output
dotnet run -- -i BeltStat.exe -o output.exe --verbose-i, --input Required. Input .NET assembly path
-o, --output Required. Output path for patched assembly
-v, --verbose Enable verbose logging
-d, --dry-run Analyze without writing changes
-b, --backup Create backup of input file (default: true)
-s, --scan Scan and analyze assembly structure
Scans the assembly to find the string decoder class:
β Found decoder class
- Data buffer: 71,589 bytes
- Decoder methods: 3,768
Extracts encrypted string data from IL metadata:
β Extracted data buffer: 71,589 bytes
Decrypts the buffer using XOR cipher:
Algorithm: XOR with rotating key
Key = (index % 256) ^ 0xAA
β Decrypted 71,589 bytes
Analyzes decoder method IL code to extract strings:
β Successfully decoded: 3,766 strings
Replaces all call instructions with ldstr literals:
β Methods patched: 576
β Calls replaced: 9,150
ILStringPatcher/
βββ Core/
β βββ PELoader.cs # Load/write assemblies
β βββ StringDecoderDetector.cs # Find & decode strings
β βββ ILPatcher.cs # Patch IL bytecode
β βββ AssemblyScanner.cs # Diagnostic scanner
β βββ TypeInspector.cs # Type analysis
β βββ DetailedTypeInspector.cs # Deep inspection
β βββ MethodILInspector.cs # IL code analysis
βββ Models/
β βββ CommandLineOptions.cs # CLI arguments
βββ Program.cs # Main entry point
- .NET 9.0 SDK
- macOS, Windows, or Linux
- Target assemblies: .NET Framework 4.0+
- dnlib 4.5.0 - .NET assembly manipulation
- CommandLineParser 2.9.1 - CLI argument parsing
ILStringPatcher v1.0
=============================
Loading assembly: BeltStat.exe
β Loaded: BeltStat, Version=11.3.0.1
- Types: 391
- Methods: 10,679
=== Detecting String Decoder Class ===
β Found decoder class
- Data buffer field: 4 (71,589 bytes)
- Methods: 3,768
=== Decrypting Data Buffer ===
β Complete: 71,589 bytes
=== Decoding Strings ===
β Successfully decoded: 3,766 strings
=== Sample Decoded Strings ===
A() β "{{ Region = {0} }}"
B() β "Not a valid direction."
C() β "Characters of parameter hex should be in [0-9,A-F,a-f]"
=== Patching IL Code ===
β Methods patched: 576
β Calls replaced: 9,150
β All decoder calls successfully replaced!
Writing assembly to: BeltStat_patched.exe
β Assembly written successfully
β Operation completed successfully
Before:
IL_0000: call String DecoderClass::A()
After:
IL_0000: ldstr "{{ Region = {0} }}"
This patcher targets a specific obfuscation pattern:
- Strings encrypted with XOR cipher (rotating key)
- Stored in single large byte array (50KB+)
- Accessed via generated decoder methods
- Each method loads offset/length and calls core decoder
Measured on M1 MacBook Pro:
- Load: <0.1s (20 MB/s)
- Decrypt: <0.1s (700 KB/s)
- Decode: 0.5s (7,500 strings/s)
- Patch: 1.0s (10,000 methods/s)
- Write: 0.5s (4 MB/s)
- Total: ~2.2s
- Analyze obfuscated malware
- Understand proprietary algorithms
- Recover lost documentation
- Audit third-party libraries
- Find hidden functionality
- Compliance checking
- Debug legacy obfuscated code
- Modernize old applications
- Code quality audits
- Decoder class remains: The unused decoder class stays in the assembly (can be removed in future version)
- File size increase: ~10% larger due to embedded strings
- Strong names: Digital signatures become invalid
- Other obfuscation: Control flow and naming obfuscation remain intact
- Remove unused decoder class
- Remove data buffer field (save 71 KB)
- Optimize metadata
- GUI interface
- Support for other obfuscators
- Batch processing
- Decompiler integration
- β Always obtain proper authorization
- β Comply with applicable laws
- β Respect intellectual property
- β Follow responsible disclosure
- β Do not use for malicious purposes
Successfully patched BeltStat.exe:
- β 3,766 strings decoded (99.9%)
- β 9,150 decoder calls replaced (100%)
- β 576 methods patched
- β Patched assembly is valid and loadable
- β Zero decoder calls remain
See PATCHING_RESULTS.md for detailed results.
ILStringPatcher/
βββ ILStringPatcher/ # Main project
β βββ Core/ # Core functionality
β βββ Models/ # Data models
β βββ Program.cs # Entry point
β βββ ILStringPatcher.csproj # Project file
βββ README.md # This file
βββ PATCHING_RESULTS.md # Detailed results
# Clone repository
git clone https://github.com/yourusername/ILStringPatcher.git
cd ILStringPatcher/ILStringPatcher
# Restore dependencies
dotnet restore
# Build
dotnet build
# Run
dotnet run -- -i input.exe -o output.exe- Ensure input file is a valid .NET assembly
- Check file permissions
- Assembly may not be obfuscated with this pattern
- Try
--scanmode to analyze structure
- Obfuscation may use different encryption
- Check verbose output for details
This is a personal project, but suggestions and bug reports are welcome via GitHub Issues.
Built with:
- .NET 9.0 by Microsoft
- dnlib by 0xd4d
- CommandLineParser by gsscoder
Note: This tool reverses string obfuscation for analysis purposes. Always ensure your use is legal and ethical.
Last Updated: October 29, 2025 Version: 1.0