=========================================================== .___ __ __ _________________ __ __ __| _/|__|/ |_ / ___\_` __ \__ \ | | \/ __ | | \\_ __\ / /_/ > | \// __ \| | / /_/ | | || | \___ /|__| (____ /____/\____ | |__||__| /_____/ \/ \/ grep rough audit - static analysis tool v2.8 written by @Wireghoul =================================[justanotherhacker.com]=== de4dot-3.1.41592.3405/AssemblyData/methodsrewriter/Resolver.cs-50- foreach (var mm in modules.Values) { de4dot-3.1.41592.3405/AssemblyData/methodsrewriter/Resolver.cs:51: var asm = mm.moduleDef.Assembly; de4dot-3.1.41592.3405/AssemblyData/methodsrewriter/Resolver.cs:52: if (asm != null && asm.FullName == asmRef.FullName) de4dot-3.1.41592.3405/AssemblyData/methodsrewriter/Resolver.cs-53- return mm; ############################################## de4dot-3.1.41592.3405/README.md-145- de4dot-3.1.41592.3405/README.md:146:Although `de4dot` supports a lot of obfuscators, there's still some it doesn't support. To decrypt strings, you'll first need to figure out which method or methods decrypt strings. To get the method token of these string decrypters, you can use ILDASM with the 'show metadata tokens' option enabled. A method token is a 32-bit number and begins with 06, eg. 06012345. de4dot-3.1.41592.3405/README.md-147- ############################################## de4dot-3.1.41592.3405/de4dot.blocks/Blocks.cs-143- continue; de4dot-3.1.41592.3405/de4dot.blocks/Blocks.cs:144: var defAsm = local.Type.DefinitionAssembly; de4dot-3.1.41592.3405/de4dot.blocks/Blocks.cs:145: if (defAsm == null) de4dot-3.1.41592.3405/de4dot.blocks/Blocks.cs-146- continue; // eg. fnptr de4dot-3.1.41592.3405/de4dot.blocks/Blocks.cs:147: if (defAsm == method.DeclaringType.Module.Assembly) de4dot-3.1.41592.3405/de4dot.blocks/Blocks.cs-148- continue; // this assembly is always loaded ############################################## de4dot-3.1.41592.3405/de4dot.blocks/DotNetUtils.cs-232- if (tr != null) { de4dot-3.1.41592.3405/de4dot.blocks/DotNetUtils.cs:233: var trAsm = tr.DefinitionAssembly; de4dot-3.1.41592.3405/de4dot.blocks/DotNetUtils.cs:234: var modAsm = module.Assembly; de4dot-3.1.41592.3405/de4dot.blocks/DotNetUtils.cs:235: if (trAsm != null && modAsm != null && trAsm.Name == modAsm.Name) de4dot-3.1.41592.3405/de4dot.blocks/DotNetUtils.cs-236- td = tr.Resolve(); ############################################## de4dot-3.1.41592.3405/de4dot.blocks/MemberDefDict.cs-483- case ScopeType.ModuleDef: de4dot-3.1.41592.3405/de4dot.blocks/MemberDefDict.cs:484: var asm = ((ModuleDef)a).Assembly; de4dot-3.1.41592.3405/de4dot.blocks/MemberDefDict.cs:485: if (asm != null) de4dot-3.1.41592.3405/de4dot.blocks/MemberDefDict.cs-486- return asm.Name.String; ############################################## de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs-284- return true; de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs:285: var userAsm = userModule.Assembly; de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs:286: var modAsm = module.Assembly; de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs-287- if (IsSameAssembly(userAsm, modAsm)) de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs-288- return true; de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs:289: if (userAsm != null && userAsm.IsFriendAssemblyOf(modAsm)) de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs-290- return true; ############################################## de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs-578- return null; de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs:579: var userAsm = userModule.Assembly; de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs-580- if (!IsSameAssembly(userAsm, mod.Module.Assembly)) de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs-581- return false; de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs:582: if (userAsm == null) de4dot-3.1.41592.3405/de4dot.blocks/cflow/AccessChecker.cs-583- return false; ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Agile_NET/vm/v2/SigCreator.cs-530- de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Agile_NET/vm/v2/SigCreator.cs:531: bool canWriteAsm = IsNonObfuscatedAssembly(asmRef); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Agile_NET/vm/v2/SigCreator.cs:532: hasher.Hash(canWriteAsm ? 1 : 0); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Agile_NET/vm/v2/SigCreator.cs-533- if (canWriteAsm) { ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Agile_NET/vm/v2/SigCreator.cs-582- static bool IsNonObfuscatedAssembly(IAssembly asm) { de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Agile_NET/vm/v2/SigCreator.cs:583: if (asm == null) de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Agile_NET/vm/v2/SigCreator.cs-584- return false; de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Agile_NET/vm/v2/SigCreator.cs-585- de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Agile_NET/vm/v2/SigCreator.cs:586: // The only external asm refs it uses... de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Agile_NET/vm/v2/SigCreator.cs-587- if (asm.Name != "mscorlib" && asm.Name != "System") ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeVeil/ResourceConverter.cs-39- protected override string GetAssemblyFullName(string simpleName) { de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeVeil/ResourceConverter.cs:40: var asm = TheAssemblyResolver.Instance.Resolve(new AssemblyNameInfo(simpleName), Module); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeVeil/ResourceConverter.cs:41: return asm == null ? null : asm.FullName; de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeVeil/ResourceConverter.cs-42- } ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs-35- dumpEmbeddedAssemblies = new BoolOption(null, MakeArgName("embedded"), "Dump embedded assemblies", true); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs:36: decryptMainAsm = new BoolOption(null, MakeArgName("decrypt-main"), "Decrypt main embedded assembly", true); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs-37- } ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs-50- DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.Get(), de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs:51: DecryptMainAsm = decryptMainAsm.Get(), de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs-52- }); ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs-71- public bool DumpEmbeddedAssemblies { get; set; } de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs:72: public bool DecryptMainAsm { get; set; } de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs-73- } ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs-147- de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs:148: if (options.DecryptMainAsm && (decryptState & DecryptState.CanGetMainAssembly) != 0) { de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs-149- newFileData = GetMainAssemblyBytes(); ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs-183- de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs:184: var asm = module.Assembly; de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs:185: if (asm == null || assemblyDecrypter == null) de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CodeWall/Deobfuscator.cs-186- return null; ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs-39- removeAntiDump = new BoolOption(null, MakeArgName("antidump"), "Remove anti dump code", true); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs:40: decryptMainAsm = new BoolOption(null, MakeArgName("decrypt-main"), "Decrypt main embedded assembly", true); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs-41- } ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs-55- RemoveAntiDump = removeAntiDump.Get(), de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs:56: DecryptMainAsm = decryptMainAsm.Get(), de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs-57- }); ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs-97- public bool RemoveAntiDump { get; set; } de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs:98: public bool DecryptMainAsm { get; set; } de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs-99- } ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs-405- if (mainAsmInfo != null) { de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs:406: var asm = module.Assembly; de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs:407: var name = (asm == null ? module.Name : asm.Name).String; de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Deobfuscator.cs-408- DeobfuscatedFile.CreateAssemblyFile(mainAsmInfo.data, name + "_real", mainAsmInfo.extension); ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs-158- if (module.Assembly == null) de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs:159: ourAsm = " -1-1-1-1-1- , Version=1.2.3.4, Culture=neutral, PublicKeyToken=null"; de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs-160- else de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs:161: ourAsm = module.Assembly.FullName; de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs-162- } ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs-432- IMethod CreateMethodReference(AssemblyRef asmRef, uint methodToken) { de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs:433: var asm = module.Context.AssemblyResolver.Resolve(asmRef, module); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs:434: if (asm == null) de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs-435- return null; ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Unpacker.cs-436- de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Unpacker.cs:437: var asm = module.Assembly; de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Unpacker.cs:438: if (createAssembly && asm != null && entryPointToken != 0 && info.kind == ModuleKind.NetModule) { de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Unpacker.cs-439- info.extension = DeobUtils.GetExtension(module.Kind); ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Unpacker.cs-441- de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Unpacker.cs:442: var realAsm = module.UpdateRowId(new AssemblyDefUser(asm.Name, new Version(0, 0, 0, 0))); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/Confuser/Unpacker.cs-443- info.realAssemblyInfo = new RealAssemblyInfo(realAsm, entryPointToken, info.kind); ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs-30- public const string THE_TYPE = "co"; de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs:31: const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX; de4dot-3.1.41592.3405/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs-32- BoolOption removeTamperProtection; ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs-481- AssemblyInfo GetAssemblyInfo(byte[] decryptedData, EmbeddedResource resource) { de4dot-3.1.41592.3405/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs:482: var asm = AssemblyDef.Load(decryptedData); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/DeepSea/AssemblyResolver.cs-483- var fullName = asm.FullName; ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs-358- de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs:359: byte* p = (byte*)GetStateAddr(invoker.Target); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs-360- p += IntPtr.Size * 3; ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs-369- de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs:370: public static IntPtr GetStateAddr(object obj) { de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs-371- var flags = BindingFlags.DeclaredOnly | BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic; ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs-469- de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs:470: byte* p = (byte*)DecrypterBaseV2_0_12_x.GetStateAddr(invoker.Target); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs:471: byte* pis = GetAddr(*(byte**)p); de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs-472- p = *(byte**)pis; ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs-501- de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs:502: static unsafe byte* GetAddr(byte* p) { de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs-503- if (IntPtr.Size == 4) { ############################################## de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs-718- static Assembly GetProtectAssembly() { de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs:719: foreach (var asm in AppDomain.CurrentDomain.GetAssemblies()) { de4dot-3.1.41592.3405/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs-720- if (!string.IsNullOrEmpty(asm.Location)) ############################################## de4dot-3.1.41592.3405/de4dot.code/renamer/asmmodules/Modules.cs-77- static string GetAssemblyName(IAssembly asm) { de4dot-3.1.41592.3405/de4dot.code/renamer/asmmodules/Modules.cs:78: if (asm == null) de4dot-3.1.41592.3405/de4dot.code/renamer/asmmodules/Modules.cs-79- return string.Empty; ############################################## de4dot-3.1.41592.3405/de4dot.code/renamer/asmmodules/Modules.cs-90- public void Add(Module module) { de4dot-3.1.41592.3405/de4dot.code/renamer/asmmodules/Modules.cs:91: var asm = module.ModuleDefMD.Assembly; de4dot-3.1.41592.3405/de4dot.code/renamer/asmmodules/Modules.cs:92: if (asm != null && ReferenceEquals(asm.ManifestModule, module.ModuleDefMD)) { de4dot-3.1.41592.3405/de4dot.code/renamer/asmmodules/Modules.cs-93- if (mainModule != null) { ############################################## de4dot-3.1.41592.3405/de4dot.code/renamer/asmmodules/Modules.cs-409- if (scopeType == ScopeType.ModuleRef || scopeType == ScopeType.ModuleDef) { de4dot-3.1.41592.3405/de4dot.code/renamer/asmmodules/Modules.cs:410: var asm = type.Module.Assembly; de4dot-3.1.41592.3405/de4dot.code/renamer/asmmodules/Modules.cs:411: if (asm == null) de4dot-3.1.41592.3405/de4dot.code/renamer/asmmodules/Modules.cs-412- return null; ############################################## de4dot-3.1.41592.3405/de4dot.mdecrypt/NativeCodeGenerator.cs-66- WriteByte(0xE8); de4dot-3.1.41592.3405/de4dot.mdecrypt/NativeCodeGenerator.cs:67: WriteBranchAddr(addr); de4dot-3.1.41592.3405/de4dot.mdecrypt/NativeCodeGenerator.cs-68- } de4dot-3.1.41592.3405/de4dot.mdecrypt/NativeCodeGenerator.cs-69- de4dot-3.1.41592.3405/de4dot.mdecrypt/NativeCodeGenerator.cs:70: public void WriteBranchAddr(IntPtr addr) { de4dot-3.1.41592.3405/de4dot.mdecrypt/NativeCodeGenerator.cs-71- offsetToBranchAddr.Add((int)memStream.Position, addr);