桃源企业文件管理系统挺好,想看看实现.晕重要程序集全被加密.Reflector拿它一点办法都没有.后来用IDA, 一下子IL代码就出来了. MaxtoCode上了解到,它的加密,还没有程序能够反编译经过它加密的程序. 牛都吹到天上去了!!这不费了老大劲把InfaceMaxtoCode类的源代码搞出来了.
以下代码仅供研究学习,有坏心眼的人就别看了!
public
class
InfaceMaxtoCode
... {
// Fields
private static string IInfaceMaxtoCode_interface_string;
private static bool started;
// Methods
static InfaceMaxtoCode();
public InfaceMaxtoCode();
private static string ByteToString(byte[] inbuf);
private static string ByteToString(byte[] inbuf, int Index, int Count);
[DllImport("mytaoyuan.dll", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern int CheckRuntime(IntPtr ImageBase);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int CloseHandle(IntPtr hObject);
public static bool GetCurMachineofFramework(ref MachineClass mc);
[DllImport("kernel32.dll", PreserveSig=false)]
private static extern uint GetCurrentProcessId();
[DllImport("KERNEL32.DLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern IntPtr GetModuleHandleA(string lpModuleName);
private static string GetRuntimeName();
private static void LicenseHelper();
private static void LoadRuntimes();
[DllImport("mytaoyuan.dll", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern bool MainDLL(IntPtr RuntimeBase, IntPtr AppBase);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, int bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, ref IntPtr lpNumberOfBytesRead);
[DllImport("KERNEL32.DLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern bool SetEnvironmentVariableA(string lpName, string lpValue);
public static void Startup();
private static string WarningString();
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, ref IntPtr lpNumberOfBytesWritten);
}
... {
// Fields
private static string IInfaceMaxtoCode_interface_string;
private static bool started;
// Methods
static InfaceMaxtoCode();
public InfaceMaxtoCode();
private static string ByteToString(byte[] inbuf);
private static string ByteToString(byte[] inbuf, int Index, int Count);
[DllImport("mytaoyuan.dll", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern int CheckRuntime(IntPtr ImageBase);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int CloseHandle(IntPtr hObject);
public static bool GetCurMachineofFramework(ref MachineClass mc);
[DllImport("kernel32.dll", PreserveSig=false)]
private static extern uint GetCurrentProcessId();
[DllImport("KERNEL32.DLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern IntPtr GetModuleHandleA(string lpModuleName);
private static string GetRuntimeName();
private static void LicenseHelper();
private static void LoadRuntimes();
[DllImport("mytaoyuan.dll", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern bool MainDLL(IntPtr RuntimeBase, IntPtr AppBase);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, int bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, ref IntPtr lpNumberOfBytesRead);
[DllImport("KERNEL32.DLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern bool SetEnvironmentVariableA(string lpName, string lpValue);
public static void Startup();
private static string WarningString();
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, ref IntPtr lpNumberOfBytesWritten);
}
public
class
InfaceMaxtoCode
... {
// Fields
private static string IInfaceMaxtoCode_interface_string;
private static bool started = false;
// Methods
private static string ByteToString(byte[] inbuf)
...{
return Encoding.ASCII.GetString(inbuf);
}
private static string ByteToString(byte[] inbuf, int Index, int Count)
...{
return Encoding.ASCII.GetString(inbuf, Index, Count);
}
[DllImport("mytaoyuan.dll", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern int CheckRuntime(IntPtr ImageBase);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int CloseHandle(IntPtr hObject);
public static bool GetCurMachineofFramework(ref MachineClass mc)
...{
// This item is obfuscated and can not be translated.
OOl0lO1O00ll looll;
IntPtr zero = IntPtr.Zero;
IntPtr lpBaseAddress = IntPtr.Zero;
mc = (MachineClass) 0;
byte[] bytes = new byte[] ...{ 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x77, 0x6b, 0x73, 0x2e, 100, 0x6c, 0x6c };
byte[] buffer2 = new byte[] ...{ 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x73, 0x76, 0x72, 0x2e, 100, 0x6c, 0x6c };
byte[] buffer3 = new byte[] ...{ 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x6a, 0x69, 0x74 };
lpBaseAddress = GetModuleHandleA(Encoding.ASCII.GetString(bytes));
if (lpBaseAddress == IntPtr.Zero)
...{
lpBaseAddress = GetModuleHandleA(Encoding.ASCII.GetString(buffer2));
}
if (lpBaseAddress == IntPtr.Zero)
...{
lpBaseAddress = GetModuleHandleA(Encoding.ASCII.GetString(buffer3));
}
byte[] buffer = new byte[0x2000];
zero = OpenProcess(0x18, 1, GetCurrentProcessId());
if (IntPtr.ToInt32() == 0)
...{
return false;
}
IntPtr lpNumberOfBytesRead = new IntPtr();
ReadProcessMemory(zero, lpBaseAddress, buffer, 0x2000, ref lpNumberOfBytesRead);
CloseHandle(zero);
looll.e_magic = buffer[0] + (buffer[1] * 0x100);
looll.e_lfanew = ((buffer[60] + (buffer[0x3d] * 0x100)) + (buffer[0x3e] * 0x10000)) + (buffer[0x3f] * 0x1000000);
if ((looll.e_lfanew + 6) >= 0x2000)
...{
return false;
}
looll.Signature = ((buffer[looll.e_lfanew] + (buffer[looll.e_lfanew + 1] * 0x100)) + (buffer[looll.e_lfanew + 2] * 0x10000)) + (buffer[looll.e_lfanew + 3] * 0x1000000);
looll.Machine = buffer[looll.e_lfanew + 4] + (buffer[looll.e_lfanew + 5] * 0x100);
if ((looll.e_magic != 0x5a4d) || (looll.Signature != 0x4550))
...{
return false;
}
switch (looll.Machine)
...{
case 0x14c:
mc = (MachineClass) 1;
return true;
case 0x200:
mc = (MachineClass) 3;
return true;
case 0x8664:
mc = (MachineClass) 2;
return true;
}
mc = (MachineClass) 0;
return true;
}
[DllImport("kernel32.dll", PreserveSig=false)]
private static extern uint GetCurrentProcessId();
[DllImport("KERNEL32.DLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern IntPtr GetModuleHandleA(string lpModuleName);
private static string GetRuntimeName()
...{
return ByteToString(new byte[] ...{ 0x6d, 0x79, 0x74, 0x61, 0x6f, 0x79, 0x75, 0x61, 110, 0x2e, 100, 0x6c, 0x6c });
}
private static void LicenseHelper()
...{
}
private static unsafe void LoadRuntimes()
...{
// This item is obfuscated and can not be translated.
byte[] inbuf = new byte[12];
inbuf[0] = 0x2f;
inbuf[1] = 0x3a;
inbuf[2] = 0x3b;
inbuf[3] = 0x5c;
inbuf[4] = 0x70;
inbuf[5] = 0x61;
inbuf[6] = 0x74;
inbuf[7] = 0x68;
inbuf[8] = 0;
IntPtr zero = IntPtr.Zero;
if (!started)
...{
string relativeSearchPath;
MachineClass class2;
started = true;
WarningString();
zero = GetModuleHandleA(Assembly.GetExecutingAssembly().Location);
string runtimeName = GetRuntimeName();
if (AppDomain.CurrentDomain.RelativeSearchPath != null)
...{
if (AppDomain.CurrentDomain.RelativeSearchPath.IndexOf(ByteToString(inbuf, 1, 1) + ByteToString(inbuf, 3, 1)) != -1)
...{
relativeSearchPath = AppDomain.CurrentDomain.RelativeSearchPath;
}
else
...{
relativeSearchPath = AppDomain.CurrentDomain.BaseDirectory + AppDomain.CurrentDomain.RelativeSearchPath;
}
}
else
...{
relativeSearchPath = AppDomain.CurrentDomain.BaseDirectory;
}
string environmentVariable = Environment.GetEnvironmentVariable(Encoding.ASCII.GetString(inbuf, 4, 4));
if (environmentVariable.IndexOf(relativeSearchPath) == -1)
...{
SetEnvironmentVariableA(ByteToString(inbuf, 4, 4), environmentVariable + ByteToString(inbuf, 2, 1) + relativeSearchPath.Replace(ByteToString(inbuf, 0, 1), ByteToString(inbuf, 3, 1)));
}
if (relativeSearchPath.Substring(relativeSearchPath.Length - 1, 1) == ByteToString(inbuf, 3, 1))
...{
relativeSearchPath = relativeSearchPath;
}
else
...{
relativeSearchPath = relativeSearchPath + ByteToString(inbuf, 3, 1);
}
if (environmentVariable.IndexOf(Path.GetTempPath()) == -1)
...{
SetEnvironmentVariableA(ByteToString(inbuf, 4, 4), environmentVariable + ByteToString(inbuf, 2, 1) + relativeSearchPath.Replace(ByteToString(inbuf, 0, 1), ByteToString(inbuf, 3, 1)) + ByteToString(inbuf, 2, 1) + Path.GetTempPath().Replace(ByteToString(inbuf, 0, 1), ByteToString(inbuf, 3, 1)));
}
if (File.Exists(relativeSearchPath + runtimeName) && !File.Exists(Path.GetTempPath() + runtimeName))
...{
File.Copy(relativeSearchPath + runtimeName, Path.GetTempPath() + runtimeName);
}
GetCurMachineofFramework(ref class2);
int num = 5;
if (class2 == ((MachineClass) 1))
...{
num = CheckRuntime(zero);
}
else
...{
num = CheckRuntime(zero);
}
if (num == 0)
...{
IntPtr moduleHandleA = GetModuleHandleA(runtimeName);
if (class2 == ((MachineClass) 1))
...{
started = MainDLL(moduleHandleA, zero);
}
else
...{
started = MainDLL(moduleHandleA, zero);
}
}
else
...{
byte[] buffer2 = new byte[] ...{ 0x55, 0x4e, 0x4b, 0x57, 0x4f, 0x4e, 0x20, 0x45, 0x52, 0x52, 0x4f, 0x52 };
byte[] buffer3 = new byte[] ...{
0x4e, 0x6f, 0x74, 0x20, 0x66, 0x69, 110, 100, 0x20, 70, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x52, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x2c, 0x20, 80, 0x6c, 0x65, 0x61,
0x73, 0x65, 0x20, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x20, 0x79, 0x6f, 0x75, 0x20, 70, 0x72, 0x61,
0x6d, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x21, 0x5c, 110, 0x5c, 0x72
};
byte[] buffer4 = new byte[] ...{
0x54, 0x68, 0x65, 0x20, 70, 0x72, 0x6d, 0x61, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x20, 0x76, 0x65,
0x72, 0x73, 0x69, 0x6f, 110, 0x20, 0x69, 0x73, 0x20, 110, 0x6f, 0x74, 0x20, 0x73, 0x75, 0x70,
0x70, 0x6f, 0x72, 0x74, 0x2c, 0x20, 0x70, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x75, 0x70, 100,
0x61, 0x74, 0x65, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x6f, 0x72, 0x20, 0x72, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x73, 0x65,
0x74, 0x75, 0x70, 0x20, 0x2e, 0x4e, 0x45, 0x54, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x5c, 110, 0x5c, 0x72, 80, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x67, 0x65, 0x74,
0x20, 0x61, 0x20, 110, 0x65, 0x77, 0x20, 0x72, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x73,
0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x74, 0x6f, 0x20, 0x77, 0x65, 0x62, 0x73, 0x69, 0x74,
0x65, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x61, 120,
0x74, 0x6f, 0x63, 0x6f, 100, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 70, 0x72, 0x61, 0x6d, 0x65,
0x77, 0x6f, 0x72, 0x6b, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x74, 0x6d, 0x6c,
0x5c, 110, 0x5c, 0x72
};
byte[] buffer5 = new byte[] ...{
0x54, 0x68, 0x65, 0x20, 70, 0x72, 0x6d, 0x61, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x20, 0x76, 0x65,
0x72, 0x73, 0x69, 0x6f, 110, 0x20, 0x69, 0x73, 0x20, 110, 0x6f, 0x74, 0x20, 0x73, 0x75, 0x70,
0x70, 0x6f, 0x72, 0x74, 0x2c, 0x20, 0x70, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x75, 0x70, 100,
0x61, 0x74, 0x65, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x6f, 0x72, 0x20, 0x72, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x73, 0x65,
0x74, 0x75, 0x70, 0x20, 0x2e, 0x4e, 0x45, 0x54, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x5c, 110, 0x5c, 0x72, 80, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x67, 0x65, 0x74,
0x20, 0x61, 0x20, 110, 0x65, 0x77, 0x20, 0x72, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x73,
0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x74, 0x6f, 0x20, 0x77, 0x65, 0x62, 0x73, 0x69, 0x74,
0x65, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x61, 120,
0x74, 0x6f, 0x63, 0x6f, 100, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 70, 0x72, 0x61, 0x6d, 0x65,
0x77, 0x6f, 0x72, 0x6b, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x74, 0x6d, 0x6c,
0x5c, 110, 0x5c, 0x72, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x20, 0x43, 0x6f, 100, 0x65, 0x20, 0x3a,
0x20, 0x30, 120, 0x30, 0x30, 0x30, 0x33, 0x5c, 110, 0x5c, 0x72
};
byte[] buffer6 = new byte[] ...{
0x4d, 0x61, 0x6b, 0x65, 0x72, 0x20, 0x44, 0x65, 0x63, 0x6f, 100, 0x65, 0x72, 0x20, 0x45, 0x72,
0x72, 0x6f, 0x72, 0x5c, 110, 0x5c, 0x72
};
byte[] buffer7 = new byte[0x20];
buffer7[0] = 0x49;
buffer7[1] = 0x6d;
buffer7[2] = 0x70;
buffer7[3] = 0x6f;
buffer7[4] = 0x72;
buffer7[5] = 0x74;
buffer7[6] = 0x73;
buffer7[7] = 0x20;
buffer7[8] = 0x52;
buffer7[9] = 0x75;
buffer7[10] = 110;
buffer7[11] = 0x74;
buffer7[12] = 0x69;
buffer7[13] = 0x6d;
buffer7[14] = 0x65;
buffer7[15] = 0x20;
buffer7[0x10] = 0x44;
buffer7[0x11] = 0x4c;
buffer7[0x12] = 0x4c;
buffer7[0x13] = 0x20;
buffer7[20] = 0x69;
buffer7[0x15] = 0x73;
buffer7[0x16] = 0x20;
buffer7[0x17] = 0x45;
buffer7[0x18] = 0x72;
buffer7[0x19] = 0x72;
buffer7[0x1a] = 0x6f;
buffer7[0x1b] = 0x72;
buffer7[0x1c] = 0x5c;
byte[] buffer8 = new byte[] ...{ 0x52, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x2e, 0x6c, 0x6f, 0x67 };
byte[] buffer9 = new byte[] ...{ 0x20 };
byte[] buffer10 = new byte[] ...{
0x20, 0x20, 0x45, 120, 0x63, 0x70, 0x74, 0x69, 0x6f, 110, 0x5c, 110, 0x5c, 0x72, 0x5c, 110,
0x5c, 0x72
};
byte[] buffer11 = new byte[0x5f];
buffer11[0] = 0x2d;
buffer11[1] = 0x2d;
buffer11[2] = 0x2d;
buffer11[3] = 0x2d;
buffer11[4] = 0x2d;
buffer11[5] = 0x2d;
buffer11[6] = 0x2d;
buffer11[7] = 0x2d;
buffer11[8] = 0x2d;
buffer11[9] = 0x2d;
buffer11[10] = 0x2d;
buffer11[11] = 0x2d;
buffer11[12] = 0x2d;
buffer11[13] = 0x2d;
buffer11[14] = 0x2d;
buffer11[15] = 0x2d;
buffer11[0x10] = 0x2d;
buffer11[0x11] = 0x2d;
buffer11[0x12] = 0x2d;
buffer11[0x13] = 0x2d;
buffer11[20] = 0x2d;
buffer11[0x15] = 0x2d;
buffer11[0x16] = 0x2d;
buffer11[0x17] = 0x2d;
buffer11[0x18] = 0x2d;
buffer11[0x19] = 0x2d;
buffer11[0x1a] = 0x2d;
buffer11[0x1b] = 0x2d;
buffer11[0x1c] = 0x2d;
byte[] buffer12 = new byte[] ...{
0x5c, 110, 0x5c, 0x72, 0x5c, 110, 0x5c, 0x72, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x5c,
110, 0x5c, 0x72, 0x5c, 110, 0x5c, 0x72
};
string s = ByteToString(buffer2);
switch (num)
...{
case 1:
s = ByteToString(buffer3);
break;
case 2:
s = ByteToString(buffer4);
break;
case 3:
s = ByteToString(buffer5);
break;
case 4:
s = ByteToString(buffer6);
break;
case 5:
s = ByteToString(buffer7);
break;
}
FileStream stream = new FileStream(relativeSearchPath + ByteToString(buffer8), FileMode.Append, FileAccess.Write);
string str5 = ByteToString(buffer9) + ((string) &DateTime.Now) + DateTime.ToShortTimeString() + ByteToString(buffer10);
stream.Write(Encoding.ASCII.GetBytes(str5), 0, str5.Length);
str5 = ByteToString(buffer11);
stream.Write(Encoding.ASCII.GetBytes(str5), 0, str5.Length);
stream.Write(Encoding.ASCII.GetBytes(s), 0, s.Length);
str5 = ByteToString(buffer12);
stream.Write(Encoding.ASCII.GetBytes(str5), 0, str5.Length);
stream.Close();
}
}
}
[DllImport("mytaoyuan.dll", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern bool MainDLL(IntPtr RuntimeBase, IntPtr AppBase);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, int bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, ref IntPtr lpNumberOfBytesRead);
[DllImport("KERNEL32.DLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern bool SetEnvironmentVariableA(string lpName, string lpValue);
public static void Startup()
...{
if (!started)
...{
try
...{
LoadRuntimes();
}
finally
...{
LicenseHelper();
}
}
}
private static string WarningString()
...{
byte[] bytes = new byte[] ...{ 0xe4, 0xb8, 0xad, 0xe5, 0x9b, 0xbd, 0x61, 0x62, 0x63, 0 };
return Encoding.UTF8.GetString(bytes);
}
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, ref IntPtr lpNumberOfBytesWritten);
}
Collapse Methods
... {
// Fields
private static string IInfaceMaxtoCode_interface_string;
private static bool started = false;
// Methods
private static string ByteToString(byte[] inbuf)
...{
return Encoding.ASCII.GetString(inbuf);
}
private static string ByteToString(byte[] inbuf, int Index, int Count)
...{
return Encoding.ASCII.GetString(inbuf, Index, Count);
}
[DllImport("mytaoyuan.dll", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern int CheckRuntime(IntPtr ImageBase);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int CloseHandle(IntPtr hObject);
public static bool GetCurMachineofFramework(ref MachineClass mc)
...{
// This item is obfuscated and can not be translated.
OOl0lO1O00ll looll;
IntPtr zero = IntPtr.Zero;
IntPtr lpBaseAddress = IntPtr.Zero;
mc = (MachineClass) 0;
byte[] bytes = new byte[] ...{ 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x77, 0x6b, 0x73, 0x2e, 100, 0x6c, 0x6c };
byte[] buffer2 = new byte[] ...{ 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x73, 0x76, 0x72, 0x2e, 100, 0x6c, 0x6c };
byte[] buffer3 = new byte[] ...{ 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x6a, 0x69, 0x74 };
lpBaseAddress = GetModuleHandleA(Encoding.ASCII.GetString(bytes));
if (lpBaseAddress == IntPtr.Zero)
...{
lpBaseAddress = GetModuleHandleA(Encoding.ASCII.GetString(buffer2));
}
if (lpBaseAddress == IntPtr.Zero)
...{
lpBaseAddress = GetModuleHandleA(Encoding.ASCII.GetString(buffer3));
}
byte[] buffer = new byte[0x2000];
zero = OpenProcess(0x18, 1, GetCurrentProcessId());
if (IntPtr.ToInt32() == 0)
...{
return false;
}
IntPtr lpNumberOfBytesRead = new IntPtr();
ReadProcessMemory(zero, lpBaseAddress, buffer, 0x2000, ref lpNumberOfBytesRead);
CloseHandle(zero);
looll.e_magic = buffer[0] + (buffer[1] * 0x100);
looll.e_lfanew = ((buffer[60] + (buffer[0x3d] * 0x100)) + (buffer[0x3e] * 0x10000)) + (buffer[0x3f] * 0x1000000);
if ((looll.e_lfanew + 6) >= 0x2000)
...{
return false;
}
looll.Signature = ((buffer[looll.e_lfanew] + (buffer[looll.e_lfanew + 1] * 0x100)) + (buffer[looll.e_lfanew + 2] * 0x10000)) + (buffer[looll.e_lfanew + 3] * 0x1000000);
looll.Machine = buffer[looll.e_lfanew + 4] + (buffer[looll.e_lfanew + 5] * 0x100);
if ((looll.e_magic != 0x5a4d) || (looll.Signature != 0x4550))
...{
return false;
}
switch (looll.Machine)
...{
case 0x14c:
mc = (MachineClass) 1;
return true;
case 0x200:
mc = (MachineClass) 3;
return true;
case 0x8664:
mc = (MachineClass) 2;
return true;
}
mc = (MachineClass) 0;
return true;
}
[DllImport("kernel32.dll", PreserveSig=false)]
private static extern uint GetCurrentProcessId();
[DllImport("KERNEL32.DLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern IntPtr GetModuleHandleA(string lpModuleName);
private static string GetRuntimeName()
...{
return ByteToString(new byte[] ...{ 0x6d, 0x79, 0x74, 0x61, 0x6f, 0x79, 0x75, 0x61, 110, 0x2e, 100, 0x6c, 0x6c });
}
private static void LicenseHelper()
...{
}
private static unsafe void LoadRuntimes()
...{
// This item is obfuscated and can not be translated.
byte[] inbuf = new byte[12];
inbuf[0] = 0x2f;
inbuf[1] = 0x3a;
inbuf[2] = 0x3b;
inbuf[3] = 0x5c;
inbuf[4] = 0x70;
inbuf[5] = 0x61;
inbuf[6] = 0x74;
inbuf[7] = 0x68;
inbuf[8] = 0;
IntPtr zero = IntPtr.Zero;
if (!started)
...{
string relativeSearchPath;
MachineClass class2;
started = true;
WarningString();
zero = GetModuleHandleA(Assembly.GetExecutingAssembly().Location);
string runtimeName = GetRuntimeName();
if (AppDomain.CurrentDomain.RelativeSearchPath != null)
...{
if (AppDomain.CurrentDomain.RelativeSearchPath.IndexOf(ByteToString(inbuf, 1, 1) + ByteToString(inbuf, 3, 1)) != -1)
...{
relativeSearchPath = AppDomain.CurrentDomain.RelativeSearchPath;
}
else
...{
relativeSearchPath = AppDomain.CurrentDomain.BaseDirectory + AppDomain.CurrentDomain.RelativeSearchPath;
}
}
else
...{
relativeSearchPath = AppDomain.CurrentDomain.BaseDirectory;
}
string environmentVariable = Environment.GetEnvironmentVariable(Encoding.ASCII.GetString(inbuf, 4, 4));
if (environmentVariable.IndexOf(relativeSearchPath) == -1)
...{
SetEnvironmentVariableA(ByteToString(inbuf, 4, 4), environmentVariable + ByteToString(inbuf, 2, 1) + relativeSearchPath.Replace(ByteToString(inbuf, 0, 1), ByteToString(inbuf, 3, 1)));
}
if (relativeSearchPath.Substring(relativeSearchPath.Length - 1, 1) == ByteToString(inbuf, 3, 1))
...{
relativeSearchPath = relativeSearchPath;
}
else
...{
relativeSearchPath = relativeSearchPath + ByteToString(inbuf, 3, 1);
}
if (environmentVariable.IndexOf(Path.GetTempPath()) == -1)
...{
SetEnvironmentVariableA(ByteToString(inbuf, 4, 4), environmentVariable + ByteToString(inbuf, 2, 1) + relativeSearchPath.Replace(ByteToString(inbuf, 0, 1), ByteToString(inbuf, 3, 1)) + ByteToString(inbuf, 2, 1) + Path.GetTempPath().Replace(ByteToString(inbuf, 0, 1), ByteToString(inbuf, 3, 1)));
}
if (File.Exists(relativeSearchPath + runtimeName) && !File.Exists(Path.GetTempPath() + runtimeName))
...{
File.Copy(relativeSearchPath + runtimeName, Path.GetTempPath() + runtimeName);
}
GetCurMachineofFramework(ref class2);
int num = 5;
if (class2 == ((MachineClass) 1))
...{
num = CheckRuntime(zero);
}
else
...{
num = CheckRuntime(zero);
}
if (num == 0)
...{
IntPtr moduleHandleA = GetModuleHandleA(runtimeName);
if (class2 == ((MachineClass) 1))
...{
started = MainDLL(moduleHandleA, zero);
}
else
...{
started = MainDLL(moduleHandleA, zero);
}
}
else
...{
byte[] buffer2 = new byte[] ...{ 0x55, 0x4e, 0x4b, 0x57, 0x4f, 0x4e, 0x20, 0x45, 0x52, 0x52, 0x4f, 0x52 };
byte[] buffer3 = new byte[] ...{
0x4e, 0x6f, 0x74, 0x20, 0x66, 0x69, 110, 100, 0x20, 70, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x52, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x2c, 0x20, 80, 0x6c, 0x65, 0x61,
0x73, 0x65, 0x20, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x20, 0x79, 0x6f, 0x75, 0x20, 70, 0x72, 0x61,
0x6d, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x21, 0x5c, 110, 0x5c, 0x72
};
byte[] buffer4 = new byte[] ...{
0x54, 0x68, 0x65, 0x20, 70, 0x72, 0x6d, 0x61, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x20, 0x76, 0x65,
0x72, 0x73, 0x69, 0x6f, 110, 0x20, 0x69, 0x73, 0x20, 110, 0x6f, 0x74, 0x20, 0x73, 0x75, 0x70,
0x70, 0x6f, 0x72, 0x74, 0x2c, 0x20, 0x70, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x75, 0x70, 100,
0x61, 0x74, 0x65, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x6f, 0x72, 0x20, 0x72, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x73, 0x65,
0x74, 0x75, 0x70, 0x20, 0x2e, 0x4e, 0x45, 0x54, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x5c, 110, 0x5c, 0x72, 80, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x67, 0x65, 0x74,
0x20, 0x61, 0x20, 110, 0x65, 0x77, 0x20, 0x72, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x73,
0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x74, 0x6f, 0x20, 0x77, 0x65, 0x62, 0x73, 0x69, 0x74,
0x65, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x61, 120,
0x74, 0x6f, 0x63, 0x6f, 100, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 70, 0x72, 0x61, 0x6d, 0x65,
0x77, 0x6f, 0x72, 0x6b, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x74, 0x6d, 0x6c,
0x5c, 110, 0x5c, 0x72
};
byte[] buffer5 = new byte[] ...{
0x54, 0x68, 0x65, 0x20, 70, 0x72, 0x6d, 0x61, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x20, 0x76, 0x65,
0x72, 0x73, 0x69, 0x6f, 110, 0x20, 0x69, 0x73, 0x20, 110, 0x6f, 0x74, 0x20, 0x73, 0x75, 0x70,
0x70, 0x6f, 0x72, 0x74, 0x2c, 0x20, 0x70, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x75, 0x70, 100,
0x61, 0x74, 0x65, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x6f, 0x72, 0x20, 0x72, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x73, 0x65,
0x74, 0x75, 0x70, 0x20, 0x2e, 0x4e, 0x45, 0x54, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x5c, 110, 0x5c, 0x72, 80, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x67, 0x65, 0x74,
0x20, 0x61, 0x20, 110, 0x65, 0x77, 0x20, 0x72, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x73,
0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x74, 0x6f, 0x20, 0x77, 0x65, 0x62, 0x73, 0x69, 0x74,
0x65, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x61, 120,
0x74, 0x6f, 0x63, 0x6f, 100, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 70, 0x72, 0x61, 0x6d, 0x65,
0x77, 0x6f, 0x72, 0x6b, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x74, 0x6d, 0x6c,
0x5c, 110, 0x5c, 0x72, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x20, 0x43, 0x6f, 100, 0x65, 0x20, 0x3a,
0x20, 0x30, 120, 0x30, 0x30, 0x30, 0x33, 0x5c, 110, 0x5c, 0x72
};
byte[] buffer6 = new byte[] ...{
0x4d, 0x61, 0x6b, 0x65, 0x72, 0x20, 0x44, 0x65, 0x63, 0x6f, 100, 0x65, 0x72, 0x20, 0x45, 0x72,
0x72, 0x6f, 0x72, 0x5c, 110, 0x5c, 0x72
};
byte[] buffer7 = new byte[0x20];
buffer7[0] = 0x49;
buffer7[1] = 0x6d;
buffer7[2] = 0x70;
buffer7[3] = 0x6f;
buffer7[4] = 0x72;
buffer7[5] = 0x74;
buffer7[6] = 0x73;
buffer7[7] = 0x20;
buffer7[8] = 0x52;
buffer7[9] = 0x75;
buffer7[10] = 110;
buffer7[11] = 0x74;
buffer7[12] = 0x69;
buffer7[13] = 0x6d;
buffer7[14] = 0x65;
buffer7[15] = 0x20;
buffer7[0x10] = 0x44;
buffer7[0x11] = 0x4c;
buffer7[0x12] = 0x4c;
buffer7[0x13] = 0x20;
buffer7[20] = 0x69;
buffer7[0x15] = 0x73;
buffer7[0x16] = 0x20;
buffer7[0x17] = 0x45;
buffer7[0x18] = 0x72;
buffer7[0x19] = 0x72;
buffer7[0x1a] = 0x6f;
buffer7[0x1b] = 0x72;
buffer7[0x1c] = 0x5c;
byte[] buffer8 = new byte[] ...{ 0x52, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x2e, 0x6c, 0x6f, 0x67 };
byte[] buffer9 = new byte[] ...{ 0x20 };
byte[] buffer10 = new byte[] ...{
0x20, 0x20, 0x45, 120, 0x63, 0x70, 0x74, 0x69, 0x6f, 110, 0x5c, 110, 0x5c, 0x72, 0x5c, 110,
0x5c, 0x72
};
byte[] buffer11 = new byte[0x5f];
buffer11[0] = 0x2d;
buffer11[1] = 0x2d;
buffer11[2] = 0x2d;
buffer11[3] = 0x2d;
buffer11[4] = 0x2d;
buffer11[5] = 0x2d;
buffer11[6] = 0x2d;
buffer11[7] = 0x2d;
buffer11[8] = 0x2d;
buffer11[9] = 0x2d;
buffer11[10] = 0x2d;
buffer11[11] = 0x2d;
buffer11[12] = 0x2d;
buffer11[13] = 0x2d;
buffer11[14] = 0x2d;
buffer11[15] = 0x2d;
buffer11[0x10] = 0x2d;
buffer11[0x11] = 0x2d;
buffer11[0x12] = 0x2d;
buffer11[0x13] = 0x2d;
buffer11[20] = 0x2d;
buffer11[0x15] = 0x2d;
buffer11[0x16] = 0x2d;
buffer11[0x17] = 0x2d;
buffer11[0x18] = 0x2d;
buffer11[0x19] = 0x2d;
buffer11[0x1a] = 0x2d;
buffer11[0x1b] = 0x2d;
buffer11[0x1c] = 0x2d;
byte[] buffer12 = new byte[] ...{
0x5c, 110, 0x5c, 0x72, 0x5c, 110, 0x5c, 0x72, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x5c,
110, 0x5c, 0x72, 0x5c, 110, 0x5c, 0x72
};
string s = ByteToString(buffer2);
switch (num)
...{
case 1:
s = ByteToString(buffer3);
break;
case 2:
s = ByteToString(buffer4);
break;
case 3:
s = ByteToString(buffer5);
break;
case 4:
s = ByteToString(buffer6);
break;
case 5:
s = ByteToString(buffer7);
break;
}
FileStream stream = new FileStream(relativeSearchPath + ByteToString(buffer8), FileMode.Append, FileAccess.Write);
string str5 = ByteToString(buffer9) + ((string) &DateTime.Now) + DateTime.ToShortTimeString() + ByteToString(buffer10);
stream.Write(Encoding.ASCII.GetBytes(str5), 0, str5.Length);
str5 = ByteToString(buffer11);
stream.Write(Encoding.ASCII.GetBytes(str5), 0, str5.Length);
stream.Write(Encoding.ASCII.GetBytes(s), 0, s.Length);
str5 = ByteToString(buffer12);
stream.Write(Encoding.ASCII.GetBytes(str5), 0, str5.Length);
stream.Close();
}
}
}
[DllImport("mytaoyuan.dll", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern bool MainDLL(IntPtr RuntimeBase, IntPtr AppBase);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, int bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, ref IntPtr lpNumberOfBytesRead);
[DllImport("KERNEL32.DLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true, PreserveSig=false)]
private static extern bool SetEnvironmentVariableA(string lpName, string lpValue);
public static void Startup()
...{
if (!started)
...{
try
...{
LoadRuntimes();
}
finally
...{
LicenseHelper();
}
}
}
private static string WarningString()
...{
byte[] bytes = new byte[] ...{ 0xe4, 0xb8, 0xad, 0xe5, 0x9b, 0xbd, 0x61, 0x62, 0x63, 0 };
return Encoding.UTF8.GetString(bytes);
}
[DllImport("kernel32.dll", PreserveSig=false)]
public static extern int WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, ref IntPtr lpNumberOfBytesWritten);
}
Collapse Methods