// Decompiled with JetBrains decompiler // Type: SmartAssembly.AssemblyResolver.AssemblyResolverHelper // Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null // MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D // Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe using SmartAssembly.Zip; using System; using System.Collections; using System.Diagnostics; using System.IO; using System.Reflection; using System.Runtime.InteropServices; using System.Text; namespace SmartAssembly.AssemblyResolver { internal sealed class AssemblyResolverHelper { internal const string BindList = "{71461f04-2faa-4bb9-a0dd-28a79101b599}"; private const int MOVEFILE_DELAY_UNTIL_REBOOT = 4; private static Hashtable hashtable = new Hashtable(); [DllImport("kernel32")] private static extern bool MoveFileEx(string existingFileName, string newFileName, int flags); internal static bool IsWebApplication { get { try { string lower = Process.GetCurrentProcess().MainModule.ModuleName.ToLower(); if (lower == "w3wp.exe") return true; if (lower == "aspnet_wp.exe") return true; } catch { } return false; } } internal static void Attach() { try { AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(AssemblyResolverHelper.ResolveAssembly); } catch { } } internal static Assembly ResolveAssembly(object sender, ResolveEventArgs e) { AssemblyResolverHelper.AssemblyInfo assemblyInfo = new AssemblyResolverHelper.AssemblyInfo(e.Name); string base64String1 = Convert.ToBase64String(Encoding.UTF8.GetBytes(assemblyInfo.GetAssemblyFullName(false))); string[] strArray = "ezJkYzBkMzY3LTQ2MDEtNGJjNS04Y2Q0LWFlM2E2MGY1NzYwMH0sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{b9141284-224a-4b92-8f0a-8b542563c270},ezJkYzBkMzY3LTQ2MDEtNGJjNS04Y2Q0LWFlM2E2MGY1NzYwMH0=,[z]{b9141284-224a-4b92-8f0a-8b542563c270}".Split(','); string str1 = string.Empty; bool flag1 = false; bool flag2 = false; for (int index = 0; index < strArray.Length - 1; index += 2) { if (strArray[index] == base64String1) { str1 = strArray[index + 1]; break; } } if (str1.Length == 0 && assemblyInfo.PublicKeyToken.Length == 0) { string base64String2 = Convert.ToBase64String(Encoding.UTF8.GetBytes(assemblyInfo.Name)); for (int index = 0; index < strArray.Length - 1; index += 2) { if (strArray[index] == base64String2) { str1 = strArray[index + 1]; break; } } } if (str1.Length > 0) { if (str1[0] == '[') { int num = str1.IndexOf(']'); string str2 = str1.Substring(1, num - 1); flag1 = str2.IndexOf('z') >= 0; flag2 = str2.IndexOf('t') >= 0; str1 = str1.Substring(num + 1); } lock (AssemblyResolverHelper.hashtable) { if (AssemblyResolverHelper.hashtable.ContainsKey((object) str1)) return (Assembly) AssemblyResolverHelper.hashtable[(object) str1]; Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(str1); if (manifestResourceStream != null) { int length = (int) manifestResourceStream.Length; byte[] numArray = new byte[length]; manifestResourceStream.Read(numArray, 0, length); if (flag1) numArray = SimpleZip.Unzip(numArray); Assembly assembly = (Assembly) null; if (!flag2) { try { assembly = Assembly.Load(numArray); } catch (FileLoadException ex) { flag2 = true; } catch (BadImageFormatException ex) { flag2 = true; } } if (flag2) { try { string str3 = string.Format("{0}{1}\\", (object) Path.GetTempPath(), (object) str1); Directory.CreateDirectory(str3); string str4 = str3 + assemblyInfo.Name + ".dll"; if (!File.Exists(str4)) { FileStream fileStream = File.OpenWrite(str4); fileStream.Write(numArray, 0, numArray.Length); fileStream.Close(); AssemblyResolverHelper.MoveFileEx(str4, (string) null, 4); AssemblyResolverHelper.MoveFileEx(str3, (string) null, 4); } assembly = Assembly.LoadFile(str4); } catch { } } AssemblyResolverHelper.hashtable[(object) str1] = (object) assembly; return assembly; } } } return (Assembly) null; } internal struct AssemblyInfo { public string Name; public Version Version; public string Culture; public string PublicKeyToken; public string GetAssemblyFullName(bool includeVersion) { StringBuilder stringBuilder = new StringBuilder(); stringBuilder.Append(this.Name); if (includeVersion && this.Version != (Version) null) { stringBuilder.Append(", Version="); stringBuilder.Append((object) this.Version); } stringBuilder.Append(", Culture="); stringBuilder.Append(this.Culture.Length == 0 ? "neutral" : this.Culture); stringBuilder.Append(", PublicKeyToken="); stringBuilder.Append(this.PublicKeyToken.Length == 0 ? "null" : this.PublicKeyToken); return stringBuilder.ToString(); } public AssemblyInfo(string assemblyFullName) { this.Version = (Version) null; this.Culture = string.Empty; this.PublicKeyToken = string.Empty; this.Name = string.Empty; string str1 = assemblyFullName; char[] chArray = new char[1]{ ',' }; foreach (string str2 in str1.Split(chArray)) { string str3 = str2.Trim(); if (str3.StartsWith("Version=")) this.Version = new Version(str3.Substring(8)); else if (str3.StartsWith("Culture=")) { this.Culture = str3.Substring(8); if (this.Culture == "neutral") this.Culture = string.Empty; } else if (str3.StartsWith("PublicKeyToken=")) { this.PublicKeyToken = str3.Substring(15); if (this.PublicKeyToken == "null") this.PublicKeyToken = string.Empty; } else this.Name = str3; } } } } }