.NET Reactor devirtualizer continuation focused on producing a runnable devirtualized output, not only a disassembly report.
This repository is based on the original work by PeterG75:
- Upstream: https://github.com/PeterG75/Krypton
Huge credit to the upstream project for the foundation. This fork extends the pipeline, runtime stability, and build workflow for modern net8.0 usage.
Krypton processes a virtualized assembly and reconstructs virtualized methods back into regular IL:
- ResourceParsing - locates VM payload and decodes layout (operands, strings, method keys).
- OpcodeMapping - finds the handler switch method and maps VM byte -> semantic opcode via pattern matching.
- MethodDisassembling - disassembles VM methods into an intermediate model.
- SemanticValidation - runs a lightweight VM semantic validator (CFG + stack effects) and adjusts unsafe low-confidence mappings.
- MethodRecompiling - translates VM model back into compilable CIL.
- MethodReplacing - replaces virtualized method bodies with recompiled ones.
- Main projects migrated to net8.0.
- Dependency updates:
- AsmResolver.DotNet -> 5.5.1
- Colorful.Console -> 1.2.15
- Hardened build script (build-all.ps1) for robust execution from any directory and proper fail-fast behavior.
- Explicit exception handler reconstruction (try/catch/finally/filter/fault).
- Protected-region branch normalization:
- br is upgraded to leave when jumping out of protected regions.
- VMOpCode.Leave is translated as endfinally for virtualized finally-handler semantics.
- Better local type inference and improved translation for ldobj/stobj, calls, arrays, and switch flows.
- Safer write pipeline with fallback strategy:
- donor rewrite + controlled patching,
- preservation of critical metadata indices,
- invalid type-ref scope repair,
- malformed custom-attribute cleanup when needed.
- Reactor/WinForms stabilization enabled by default:
- Hashtable::.ctor(int) capacity sanitization,
- WinForms entry guard bypass (pattern-based),
- anti-manipulation method neutralization (string/API heuristics),
- shared bootstrap worker neutralization (generic heuristic).
- Detailed per-method report generation:
- total/mapped/unknown instruction counts,
- unknown VM bytes,
- handler snippets for unmapped opcodes.
- Safety behavior for unknown opcodes:
- methods with unresolved opcodes are skipped for recompilation,
- output is written only if at least one method was recompiled successfully.
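
The protected-region branch normalization listed above, as an added example (not Krypton's own code): CIL does not allow a plain br to exit a try or catch region, so such branches must become leave, and a branch escaping a finally, fault or filter handler cannot be expressed as leave at all. The types Instr, Region and LeaveNormalizer are hypothetical and model instructions as plain records instead of using AsmResolver.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample: try block [0,10) protected by a finally handler [10,13).
var regions = new List<Region> { new("try", 0, 10), new("finally", 10, 13) };
var body = new List<Instr>
{
    new(0, "nop"),
    new(1, "br.s", 5),     // branch that stays inside the try block
    new(3, "nop"), new(4, "nop"),
    new(5, "br", 13),      // branch that exits the try block
    new(10, "br.s", 13),   // branch that exits the finally handler
    new(12, "endfinally"),
    new(13, "ret"),
};
var warnings = new List<string>();
foreach (var i in LeaveNormalizer.Normalize(body, regions, warnings))
    Console.WriteLine($"IL_{i.Offset:X4}: {i.OpCode} {(i.Target is int t ? $"IL_{t:X4}" : "")}");
warnings.ForEach(Console.WriteLine);

// Simplified model (assumption): IL byte offsets, regions are half-open [Start, End).
record Instr(int Offset, string OpCode, int? Target = null);
record Region(string Kind, int Start, int End) { public bool Contains(int o) => o >= Start && o < End; }

static class LeaveNormalizer
{
    public static List<Instr> Normalize(IEnumerable<Instr> body, IReadOnlyList<Region> regions, List<string> warnings)
    {
        var result = new List<Instr>();
        foreach (var ins in body)
        {
            // Innermost protected region that contains the branch instruction itself.
            Region? src = regions.Where(r => r.Contains(ins.Offset))
                                 .OrderBy(r => r.End - r.Start).FirstOrDefault();
            // Not a branch, not inside any region, or target stays in the same region: keep as is.
            if (src == null || ins.Target is not int target || src.Contains(target)) { result.Add(ins); continue; }
            // Only unconditional branches leaving a try or catch region can be upgraded.
            bool canLeave = (src.Kind is "try" or "catch") && (ins.OpCode is "br" or "br.s");
            if (!canLeave)
                warnings.Add($"IL_{ins.Offset:X4}: {ins.OpCode} exits a {src.Kind} region and cannot become leave");
            // br/leave and br.s/leave.s have the same encoded size, so offsets stay valid.
            result.Add(canLeave ? ins with { OpCode = ins.OpCode == "br" ? "leave" : "leave.s" } : ins);
        }
        return result;
    }
}
```
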
This fork targets a devirtualized output that:
- preserves original runtime behavior,
- starts without native runtime crashes,
- remains executable after method replacement.
- Windows x64 (tested/recommended)
- .NET SDK 8.0 or newer
From repository root:
powershell -ExecutionPolicy Bypass -File .\build-all.ps1 -Configuration Release
The script performs:
- restore for main projects,
- build for Krypton.Core and Krypton.Pipeline,
- serial build for Krypton launcher (to avoid intermittent static-graph MSBuild restore/build edge cases).
dotnet build .\Krypton.Core\Krypton.Core.csproj -c Release -t:Rebuild
dotnet build .\Krypton.Pipeline\Krypton.Pipeline.csproj -c Release -t:Rebuild
dotnet msbuild .\Krypton\Krypton.csproj /t:Rebuild /p:Configuration=Release /m:1
One-liner equivalent:
dotnet build .\Krypton.Core\Krypton.Core.csproj -c Release -t:Rebuild; dotnet build .\Krypton.Pipeline\Krypton.Pipeline.csproj -c Release -t:Rebuild; dotnet msbuild .\Krypton\Krypton.csproj /t:Rebuild /p:Configuration=Release /m:1
dotnet .\Krypton\bin\Release\net8.0\Krypton.dll <input-assembly.exe> --no-pause
or:
.\Krypton\bin\Release\net8.0\Krypton.exe <input-assembly.exe> --no-pause
You can drag a target .exe (or .dll) file directly onto Krypton.exe.
Krypton receives the dropped file path as an argument and runs devirtualization for that input.
For sample.exe:
- patched output: sample-Devirtualized.exe
- report: sample-Devirtualized-report.txt
- KRYPTON_NO_PAUSE=1
- KRYPTON_LOG_VM_MAP=1
- KRYPTON_LOG_LOCAL_TYPES=1
- KRYPTON_LOG_EXCEPTIONS=1
- KRYPTON_ENABLE_AGGRESSIVE_LAST_RESORT=1 (enables aggressive tie-breaks in rare-opcode inference; default is strict/safety-first)
- KRYPTON_DISABLE_HASHTABLE_SANITIZE=1
- KRYPTON_DISABLE_WINFORMS_GUARD_BYPASS=1
- KRYPTON_DISABLE_STRING_ANTI_MANIPULATION_PATCH=1
- KRYPTON_DISABLE_SHARED_BOOTSTRAP_NEUTRALIZE=1
- KRYPTON_DISABLE_STARTUP_GUARD=1
- KRYPTON_DISABLE_ALL_BOOTSTRAP_CCTORS=1
- KRYPTON_ALLOW_PARTIAL_OUTPUT=1 (allows writing when some VM opcodes remain unresolved)
- KRYPTON_ALLOW_STABILIZATION_ONLY_OUTPUT=1 (allows output even with zero recompiled methods, applying only stabilization patches)
- KRYPTON_USE_INPLACE_PATCH=1 (forces in-place patch mode instead of default rewrite mode)
- KRYPTON_STRIP_MALFORMED_ATTRIBUTES=1
The repository includes helper utilities for pattern and runtime investigation:
- PatternProbe
- HandlerDump
- MethodFullDump
- RuntimeProbe
- FieldDump
These tools help during opcode mapping extension and regression analysis.
- Not all Reactor families are fully covered; mapping still depends on observable handler patterns.
- If unknown VM bytes remain, affected methods are intentionally skipped (safety-first).
- Some Reactor patterns still use semantic hints from internal calls; further generalization toward signature + data-flow matching is possible.
- Fully generalize pattern verification (less name-based hints, more signature/data-flow based matching).
- Extend coverage for remaining opcodes in very large methods (for example <Module> and complex UI flows).
- Add automated multi-sample test matrix (build + devirt + smoke-run).
- Add before/after metrics export for objective validation.
This project is intended for research, interoperability, and technical understanding of virtualized/obfuscated code in lawful contexts.