Skip to content

Releases: ALMASONYH/MasonProtector

Download

18 May 12:47
@ALMASONYH ALMASONYH
Release
3e60fd7
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Download Latest
Latest

MASON PROTECTOR — RELEASE NOTES

Version 4.0. MasonGroup, 2026.

Mason Protector

A NOTE ON THE NAME

This project went through three releases under the name EIYM-Protector. The fourth release carries a different name. The reason is personal. Years ago I started a small protector and called it MasonProte. The work stopped halfway. When EIYM reached the point where its old habits no longer answered the questions a modern obfuscator must answer, the chance to finish what MasonProte was meant to be presented itself. The project was renamed. The third name returns the work to its original intent.

This is not a polished EIYM v4. It is a different program. The shell was rewritten. The pipeline runs on a background thread. The renamer was reworked twice. Protections were added that have no counterpart in any earlier release. Protections that fire false positives on real user machines were taken off the default panic stack. Each of those changes is documented in the reference manual.

WHAT IS NEW

CodeEncryption wraps every newobj and every call against a static method in a generated helper whose first instruction is Debug.Assert(true). Decompilers render the wrapper as Debug.Assert(true); return new X(args);, which is the exact shape of the original MasonProte output and the reason the project carries its present name. The wrapper refuses to wrap value-type constructors, which removes a TypeLoadException class seen against applications that build with Guna2, DevExpress, or Telerik.

Dynamic is a new call-indirection layer. Direct calls in user code are rewritten as a calli through a cached function pointer. The decompiler sees a calli against a signature with no name attached.

HideDesignerCode handles the InitializeComponent body in WinForms-derived types. DesignerSplit cuts the body into randomly named submethods. DesignerHider injects decoy initialization that reads plausibly but allocates to dead variables. The control hierarchy of a form is no longer recoverable from inspection.

AntiCrack is a four-pathed response subsystem that fires when AntiTamper or AntiDebug accumulates a threshold of detections. MessageBox shows a configurable warning to the end user. Webhook posts to a Discord URL with optional screenshot and system-information attachments. RemoteFile downloads and executes a file from a configured URL. SelfDestruct deletes the protected binary and exits. Each path is independent and can be enabled alone or together.

ExportCodeToDll relocates the protected logic to a separate DLL (MasonCore.dll by default, configurable). The original executable becomes a thin loader that resolves the DLL through AppDomain.AssemblyResolve at first reference.

MergeLibraries does the reverse for project dependencies. Selected DLLs from the input directory are merged into the output under an encrypted lazy-load scheme. The deployed binary no longer needs to ship its dependencies.

MaximumEncryption is a single toggle that enables the conservative panic stack — every protection that has been verified not to cause user-visible failures on real machines. It also activates MaximumEncryptionAmplifier, which wraps every integer literal in the assembly through seven to twelve sequential arithmetic transforms. The amplifier respects two guards: it skips InitializeComponent on WinForms-derived types entirely, and it skips method bodies larger than 2,500 instructions; bodies between 600 and 2,500 instructions receive a reduced amplification to keep output linear.

HideEncryption is the stealth counterpart. It activates only the protections that do their work without leaving visible markers, and disables the ones that announce themselves. The result reads as ordinary compiled code on inspection while remaining substantially protected at runtime.

DecompilerPoison injects IL patterns that disrupt modern decompiler parsers without affecting the JIT.

The user interface is now an HTML document rendered through WebView, with its own dark theme and a custom titlebar. The protect pipeline runs on a background STA thread. The window does not freeze; Windows does not mark the application as not responding. A single-flight guard suppresses concurrent protect runs.

SECURITY ADJUSTMENTS

AntiTamper in version 3 placed a single init call in the module cctor. A working bypass was demonstrated: a cracker who NOPs that call disables the entire protection. The current implementation injects both the init call and the background-verifier start into four to fourteen random user methods, in addition to the cctor entry. Removing the cctor calls no longer disables protection. The distribution changes on every build.

CodeEncryption and ProxyCalls were observed to attempt to wrap value-type constructors, which produced TypeLoadException at JIT time against applications that use System.Windows.Forms.Padding heavily in InitializeComponent (most notably Guna2-based UIs). Both protections now share a conservative classifier — IsConfirmedReferenceTypeCtor — that refuses to wrap unless the target's reference-type status can be proven from metadata.

MaximumEncryptionAmplifier could grow large method bodies past JIT-acceptable size on WinForms designer code. The amplifier now respects body-size guards as described above. The protector no longer hangs on large designer methods.

Identifier generation under MaximumEncryption previously ignored the RandomChars setting and forced digit-only output. That has been corrected. Identifiers are produced 50 to 90 characters long from the configured character set (or the default Latin alphabet if RandomChars is empty).

The MaximumEncryption default panic stack no longer includes InvalidMetadata, TokenConfusion, TypeScrambler, StackUnderflow, AntiVM, AntiHook, AntiHttp, or AntiMemoryDump. These remain available as individual toggles but trip false positives on real user machines (third-party WinForms libraries, corporate proxies, Windows Defender, Windows 11 22H2 quirks) and are no longer enabled by default.

EMPIRICAL TESTS

de4dot 3.1 was run against the output under four configurations: default, --preserve-tokens --preserve-us --preserve-strings, --only-cflow-deob, and detect-only. Every configuration reported Detected Unknown Obfuscator and produced 2,559 errors. The output runs but is not de-obfuscated.

DIE (Detect It Easy) was unable to identify the protector by signature. With heuristics on, DIE reports generic obfuscation only; it does not name the protector.

readpe's pescan reported normal section entropies. pepack reported Microsoft Visual C# / Basic .NET. peldd reported mscoree.dll as the only PE-level import. The PE signature surface is indistinguishable from a clean managed assembly.

Four custom attack tools were written in C# against dnlib for this audit. AntiTamperBypass identified and NOPped the cctor calls, but the protection survived because the same calls were injected into user methods. StringMassDecrypt walked every decryptor call site, extracted byte[] arguments, and recovered zero strings — the encryption pattern does not use the inline byte[] shape the attack expects. DeepAnalyzer counted 720 types and 5,087 methods in the protected output of a sample input that originally had ten types and thirty methods. MemDump captured a full minidump and confirmed the known limit: strings that are used during the dump window appear in the heap in decrypted form; strings that are not used remain encrypted.

Reflection.Assembly.LoadFrom on the protected output raises ReflectionTypeLoadException when GetTypes is called. A single-byte modification anywhere in .text produces BadImageFormatException at load.

REGRESSION

The release passes 33 of 35 scenarios across three regression suites: Matrix (22 scenarios), Stress (6 scenarios), ResxFull (7 scenarios). The two failing scenarios both enable AntiDebug explicitly and fail because AntiDebug detects the sandbox in which the regression suite runs and terminates the process. Both scenarios succeed when run outside the sandbox.

REQUIREMENTS

.NET Framework 4.7.2 or above. WebView2 Runtime, which ships with Windows 11 and recent Windows 10 updates. dnlib 4.5.0, included under the packages directory.

FILES

MasonProtector.exe — the protector binary.

dnlib.dll — the engine dependency.

AppPage.html — the user interface, embedded as a resource.

docs/MasonBook.pdf — the full reference manual.

docs/README.md — the source of the reference manual.

LICENSE

MIT License. Authors: Battal Alqhtani and Turki Alotibi, MasonGroup.

Assets 3
Loading