  #9  
02-11-2017, 19:53
tusk
Hi Tony!

Thanks for your help, very interesting... so
Vectir.core2.dll
Vectir.core3.dll
Vectir.core4.dll those are created during deobfuscation by de4dot.

I would have to check if they were here originally (and overwritten), but I think they are purely created.
The remaining exe is way smaller so I just thought de4dot did "extract" some classes to put them in those external files.

Those files are located in at least 4 places: the one I gave in the splash screen + 3 during those plugins' initialization:
- keyboard.dll / <Modules> / <empty_name> routine
- btremote.dll / <Modules> / RegisterLogCallback
- networklib / <Modules> / .ctor

At least those are the calls I found so far.

So if this is just a "check" if present, I can go ahead and null this routine, right? No harm done to the main code.
(The first will be rather simple to null; for the other 3 I'll have to see if I can find the correct place to skip it.)

What do you mean by .NET remoting?
If you're talking about the target, yes, it allows one to control his PC from a smartphone, useful for Kodi etc...


Now, the AES integrity checking, this gets me nervous... I don't know how to handle it for the moment.

Nice day bro

Last edited by tusk; 02-13-2017 at 02:17. Reason: typo