Thank you! I recommend the book ".NET IL Assembler". You can also use the specification but the book is easier to grasp: www.ecma-international.org/publications-and-standards/standards/ecma-335/ Karsten

@@MalwareAnalysisForHedgehogs thanks 🤝

Hi. Yes you will need to bypass it. It helps to learn various anti-debug techniques and understand how they work. Encrypted code is usually there because the sample is packed. You'll need to unpack it. The anti-debug can be in both, the unpacking stub of the packed sample, or the payload after unpacking. So it depends what you need to do first. But often you can unpack without using a debugger at all. For .NET samples I recommend MegaDumper. Just run the sample and then dump it with MegaDumper. Works most of the time. For native samples you can use Hasherezade's mal_unpack.

Yes, go to File -> Save Module

Hi. This is not tied to a malware family, but rather to usage of ConfuserEx and similar protectors which apply those modifications automatically. In ConfuserEx it is the "AntiTamper" that does this: github.com/yck1509/ConfuserEx/wiki/Anti-Tamper-Protection