Writeup: FlareOn 2022: 008 - backdoor
1. TLDR
2. Input data
The challenge file is available here. Password: flare.
The subject of the challenge was a PE file:
FlareOn.Backdoor.exe
3. Initial analysis
I verified the file type of FlareOn.Backdoor.exe:
$ file FlareOn.Backdoor.exe
FlareOn.Backdoor.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Using dnSpyEx, I tried to decompile the program. Unfortunately, this did not succeed for every class and method.
The cause was invalid intermediate-language instructions. When run, the program almost immediately threw the exception InvalidProgramException: Common Language Runtime detected an invalid program.
4. Analysis of the .NET file
First, I identified the program's entry point:
public static void Main(string[] args)
{
    try
    {
        try
        {
            FLARE15.flare_74();
            Program.flared_38(args);
        }
        catch (InvalidProgramException ex)
        {
            FLARE15.flare_70(ex, new object[] { args });
        }
    }
    catch
    {
    }
}
The function flare_74 initialized the data containers used by the program.
Calling flared_38 threw an exception, and control passed to flare_70:
public static object flare_70(InvalidProgramException e, object[] a)
{
    object obj;
    try
    {
        obj = FLARE15.flared_70(e, a);
    }
    catch (InvalidProgramException ex)
    {
        obj = FLARE15.flare_71(ex, new object[] { e, a }, FLARE15.wl_m, FLARE15.wl_b);
    }
    return obj;
}
The function flare_71 could be decompiled in dnSpyEx. A quick analysis revealed that it decrypted the function that had thrown the exception.
It was used in the program as the generator of flared_70 and of several other functions, e.g. flare_69:
public static byte[] flare_69(string h)
{
    byte[] array;
    try
    {
        array = FLARE15.flared_69(h);
    }
    catch (InvalidProgramException ex)
    {
        array = (byte[])FLARE15.flare_71(ex, new object[] { h }, FLARE15.gs_m, FLARE15.gs_b);
    }
    return array;
}
The functions flare_71 and flare_70 were used many times throughout the program.
5. Initial decryption of the program
Using the AsmResolver tool (https://github.com/Washi1337/AsmResolver) and an implementation of flare_71, I wrote a simple decryptor (which grew as I worked through the challenge; I present code fragments below in the article).
5.1 The flared_70 function
After decrypting flared_70, I obtained the following MS IL code:
IL_0000: nop
IL_0001: ldarg.0
IL_0002: newobj System.Void System.Diagnostics.StackTrace::.ctor(System.Exception)
IL_0007: stloc.0
IL_0008: ldloc.0
IL_0009: ldc.i4.0
IL_000A: callvirt System.Diagnostics.StackFrame System.Diagnostics.StackTrace::GetFrame(System.Int32)
IL_000F: callvirt System.Reflection.MethodBase System.Diagnostics.StackFrame::GetMethod()
IL_0014: callvirt System.Int32 System.Reflection.MemberInfo::get_MetadataToken()
IL_0019: stloc.1
IL_001A: ldloc.1
IL_001B: call System.String FlareOn.Backdoor.FLARE15::flare_66(System.Int32)
IL_0020: stloc.2
IL_0021: ldloc.2
IL_0022: call System.Byte[] FlareOn.Backdoor.FLARE15::flare_69(System.String)
IL_0027: stloc.3
IL_0028: ldc.i4.4
IL_0029: newarr System.Byte
IL_002E: dup
IL_002F: ldtoken System.Int32 <PrivateImplementationDetails>::C91849C78D4D52D51AE27BD136F927AE1418705C0A2BC9066D6F38125967F602
IL_0034: call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array, System.RuntimeFieldHandle)
IL_0039: ldloc.3
IL_003A: call System.Byte[] FlareOn.Backdoor.FLARE12::flare_46(System.Byte[], System.Byte[])
IL_003F: stloc.s V_4
IL_0041: ldloc.s V_4
IL_0043: ldloc.1
IL_0044: ldarg.1
IL_0045: call System.Object FlareOn.Backdoor.FLARE15::flare_67(System.Byte[], System.Int32, System.Object[])
IL_004A: stloc.s V_5
IL_004C: ldloc.s V_5
IL_004E: stloc.s V_6
IL_0050: br.s IL_0052
IL_0052: ldloc.s V_6
IL_0054: ret
After decompiling the MS IL code of flared_70, I obtained the following C# code:
public static object flared_70(InvalidProgramException e, object[] a)
{
    // The top frame of the exception's stack trace identifies the method that threw
    var stackTrace = new StackTrace(e);
    var frame = stackTrace.GetFrame(0);
    var method = frame.GetMethod();
    var metadataToken = method.MetadataToken;
    var text = FLARE15.flare_66(metadataToken); // hex hash of the method's metadata
    var array = FLARE15.flare_69(text);         // contents of the PE section selected by that hash
    // 4-byte key stored in a <PrivateImplementationDetails> field
    byte[] array_2 = BitConverter.GetBytes(PrivateImplementationDetails
        .C91849C78D4D52D51AE27BD136F927AE1418705C0A2BC9066D6F38125967F602);
    byte[] array_3 = FLARE12.flare_46(array_2, array);
    var result = FLARE15.flare_67(array_3, metadataToken, a);
    return result;
}
The following functions therefore had to be decompiled:
- flare_66 and flared_66, which it calls
- flare_69 and flared_69, which it calls
- flare_46 and flared_47, which it calls
- flare_67 and flared_67, which it calls
5.2 Analysis of the flare_66 function
After decompilation, flare_66 looked as follows:
public static string flare_66(int t)
{
    string text;
    try
    {
        text = FLARE15.flared_66(t);
    }
    catch (InvalidProgramException ex)
    {
        text = (string)FLARE15.flare_71(ex, new object[] { t }, FLARE15.gh_m, FLARE15.gh_b);
    }
    return text;
}
After decrypting flared_66, I obtained the following MS IL code:
IL_0000: nop
IL_0001: ldtoken FlareOn.Backdoor.Program
IL_0006: call System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle)
IL_000B: callvirt System.Reflection.Module System.Type::get_Module()
IL_0010: stloc.0
IL_0011: ldnull
IL_0012: stloc.1
IL_0013: ldnull
IL_0014: stloc.2
IL_0015: ldstr ""
IL_001A: stloc.3
IL_001B: ldstr ""
IL_0020: stloc.s V_4
IL_0022: ldloc.0
IL_0023: ldarg.0
IL_0024: callvirt System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)
IL_0029: castclass System.Reflection.MethodInfo
IL_002E: stloc.1
IL_002F: ldloc.1
IL_0030: callvirt System.Reflection.MethodBody System.Reflection.MethodBase::GetMethodBody()
IL_0035: stloc.2
IL_0036: call System.Text.Encoding System.Text.Encoding::get_ASCII()
IL_003B: ldloc.1
IL_003C: callvirt System.Reflection.MethodAttributes System.Reflection.MethodBase::get_Attributes()
IL_0041: stloc.s V_15
IL_0043: ldloca.s V_15
IL_0045: constrained. System.Reflection.MethodAttributes
IL_004B: callvirt System.String System.Object::ToString()
IL_0050: callvirt System.Byte[] System.Text.Encoding::GetBytes(System.String)
IL_0055: stloc.s V_5
IL_0057: call System.Text.Encoding System.Text.Encoding::get_ASCII()
IL_005C: ldloc.1
IL_005D: callvirt System.Type System.Reflection.MethodInfo::get_ReturnType()
IL_0062: callvirt System.String System.Object::ToString()
IL_0067: callvirt System.Byte[] System.Text.Encoding::GetBytes(System.String)
IL_006C: stloc.s V_6
IL_006E: call System.Text.Encoding System.Text.Encoding::get_ASCII()
IL_0073: ldloc.1
IL_0074: callvirt System.Reflection.CallingConventions System.Reflection.MethodBase::get_CallingConvention()
IL_0079: stloc.s V_16
IL_007B: ldloca.s V_16
IL_007D: constrained. System.Reflection.CallingConventions
IL_0083: callvirt System.String System.Object::ToString()
IL_0088: callvirt System.Byte[] System.Text.Encoding::GetBytes(System.String)
IL_008D: stloc.s V_7
IL_008F: nop
IL_0090: ldloc.1
IL_0091: callvirt System.Reflection.ParameterInfo[] System.Reflection.MethodBase::GetParameters()
IL_0096: stloc.s V_17
IL_0098: ldc.i4.0
IL_0099: stloc.s V_18
IL_009B: br.s IL_00C8
IL_009D: ldloc.s V_17
IL_009F: ldloc.s V_18
IL_00A1: ldelem.ref
IL_00A2: stloc.s V_19
IL_00A4: nop
IL_00A5: ldloc.s V_4
IL_00A7: ldloc.s V_19
IL_00A9: callvirt System.Type System.Reflection.ParameterInfo::get_ParameterType()
IL_00AE: dup
IL_00AF: brtrue.s IL_00B5
IL_00B1: pop
IL_00B2: ldnull
IL_00B3: br.s IL_00BA
IL_00B5: callvirt System.String System.Object::ToString()
IL_00BA: call System.String System.String::Concat(System.String, System.String)
IL_00BF: stloc.s V_4
IL_00C1: nop
IL_00C2: ldloc.s V_18
IL_00C4: ldc.i4.1
IL_00C5: add
IL_00C6: stloc.s V_18
IL_00C8: ldloc.s V_18
IL_00CA: ldloc.s V_17
IL_00CC: ldlen
IL_00CD: conv.i4
IL_00CE: blt.s IL_009D
IL_00D0: call System.Text.Encoding System.Text.Encoding::get_ASCII()
IL_00D5: ldloc.2
IL_00D6: callvirt System.Int32 System.Reflection.MethodBody::get_MaxStackSize()
IL_00DB: stloc.s V_20
IL_00DD: ldloca.s V_20
IL_00DF: call System.String System.Int32::ToString()
IL_00E4: callvirt System.Byte[] System.Text.Encoding::GetBytes(System.String)
IL_00E9: stloc.s V_8
IL_00EB: ldloc.2
IL_00EC: callvirt System.Byte[] System.Reflection.MethodBody::GetILAsByteArray()
IL_00F1: ldlen
IL_00F2: conv.i4
IL_00F3: call System.Byte[] System.BitConverter::GetBytes(System.Int32)
IL_00F8: stloc.s V_9
IL_00FA: nop
IL_00FB: ldloc.2
IL_00FC: callvirt System.Collections.Generic.IList`1<System.Reflection.LocalVariableInfo> System.Reflection.MethodBody::get_LocalVariables()
IL_0101: callvirt System.Collections.Generic.IEnumerator`1<System.Reflection.LocalVariableInfo> System.Collections.Generic.IEnumerable`1<System.Reflection.LocalVariableInfo>::GetEnumerator()
IL_0106: stloc.s V_21
IL_0108: br.s IL_012F
IL_010A: ldloc.s V_21
IL_010C: callvirt System.Reflection.LocalVariableInfo System.Collections.Generic.IEnumerator`1<System.Reflection.LocalVariableInfo>::get_Current()
IL_0111: stloc.s V_22
IL_0113: nop
IL_0114: ldloc.3
IL_0115: ldloc.s V_22
IL_0117: callvirt System.Type System.Reflection.LocalVariableInfo::get_LocalType()
IL_011C: dup
IL_011D: brtrue.s IL_0123
IL_011F: pop
IL_0120: ldnull
IL_0121: br.s IL_0128
IL_0123: callvirt System.String System.Object::ToString()
IL_0128: call System.String System.String::Concat(System.String, System.String)
IL_012D: stloc.3
IL_012E: nop
IL_012F: ldloc.s V_21
IL_0131: callvirt System.Boolean System.Collections.IEnumerator::MoveNext()
IL_0136: brtrue.s IL_010A
IL_0138: leave.s IL_0147
IL_013A: ldloc.s V_21
IL_013C: brfalse.s IL_0146
IL_013E: ldloc.s V_21
IL_0140: callvirt System.Void System.IDisposable::Dispose()
IL_0145: nop
IL_0146: endfinally
IL_0147: call System.Text.Encoding System.Text.Encoding::get_ASCII()
IL_014C: ldloc.3
IL_014D: callvirt System.Byte[] System.Text.Encoding::GetBytes(System.String)
IL_0152: stloc.s V_10
IL_0154: call System.Text.Encoding System.Text.Encoding::get_ASCII()
IL_0159: ldloc.s V_4
IL_015B: callvirt System.Byte[] System.Text.Encoding::GetBytes(System.String)
IL_0160: stloc.s V_11
IL_0162: call System.Security.Cryptography.HashAlgorithmName System.Security.Cryptography.HashAlgorithmName::get_SHA256()
IL_0167: call System.Security.Cryptography.IncrementalHash System.Security.Cryptography.IncrementalHash::CreateHash(System.Security.Cryptography.HashAlgorithmName)
IL_016C: stloc.s V_12
IL_016E: ldloc.s V_12
IL_0170: ldloc.s V_9
IL_0172: callvirt System.Void System.Security.Cryptography.IncrementalHash::AppendData(System.Byte[])
IL_0177: nop
IL_0178: ldloc.s V_12
IL_017A: ldloc.s V_5
IL_017C: callvirt System.Void System.Security.Cryptography.IncrementalHash::AppendData(System.Byte[])
IL_0181: nop
IL_0182: ldloc.s V_12
IL_0184: ldloc.s V_6
IL_0186: callvirt System.Void System.Security.Cryptography.IncrementalHash::AppendData(System.Byte[])
IL_018B: nop
IL_018C: ldloc.s V_12
IL_018E: ldloc.s V_8
IL_0190: callvirt System.Void System.Security.Cryptography.IncrementalHash::AppendData(System.Byte[])
IL_0195: nop
IL_0196: ldloc.s V_12
IL_0198: ldloc.s V_10
IL_019A: callvirt System.Void System.Security.Cryptography.IncrementalHash::AppendData(System.Byte[])
IL_019F: nop
IL_01A0: ldloc.s V_12
IL_01A2: ldloc.s V_11
IL_01A4: callvirt System.Void System.Security.Cryptography.IncrementalHash::AppendData(System.Byte[])
IL_01A9: nop
IL_01AA: ldloc.s V_12
IL_01AC: ldloc.s V_7
IL_01AE: callvirt System.Void System.Security.Cryptography.IncrementalHash::AppendData(System.Byte[])
IL_01B3: nop
IL_01B4: ldloc.s V_12
IL_01B6: callvirt System.Byte[] System.Security.Cryptography.IncrementalHash::GetHashAndReset()
IL_01BB: stloc.s V_13
IL_01BD: ldloc.s V_13
IL_01BF: ldlen
IL_01C0: conv.i4
IL_01C1: ldc.i4.2
IL_01C2: mul
IL_01C3: newobj System.Void System.Text.StringBuilder::.ctor(System.Int32)
IL_01C8: stloc.s V_14
IL_01CA: ldc.i4.0
IL_01CB: stloc.s V_23
IL_01CD: br.s IL_01F0
IL_01CF: ldloc.s V_14
IL_01D1: ldloc.s V_13
IL_01D3: ldloc.s V_23
IL_01D5: ldelema System.Byte
IL_01DA: ldstr "x2"
IL_01DF: call System.String System.Byte::ToString(System.String)
IL_01E4: callvirt System.Text.StringBuilder System.Text.StringBuilder::Append(System.String)
IL_01E9: pop
IL_01EA: ldloc.s V_23
IL_01EC: ldc.i4.1
IL_01ED: add
IL_01EE: stloc.s V_23
IL_01F0: ldloc.s V_23
IL_01F2: ldloc.s V_13
IL_01F4: ldlen
IL_01F5: conv.i4
IL_01F6: clt
IL_01F8: stloc.s V_24
IL_01FA: ldloc.s V_24
IL_01FC: brtrue.s IL_01CF
IL_01FE: ldloc.s V_14
IL_0200: callvirt System.String System.Object::ToString()
IL_0205: stloc.s V_25
IL_0207: br.s IL_0209
IL_0209: ldloc.s V_25
IL_020B: ret
After decompiling the MS IL code of flared_66, I obtained the following C# code:
public static string flared_66(int t)
{
    var module = typeof(FlareOn.Backdoor.Program).Module; // loc.0
    var method = (MethodInfo)module.ResolveMethod(t); // loc.1
    var methodBody = method.GetMethodBody(); // loc.2
    var attributes = method.Attributes; // V_15
    var attributesBytes = Encoding.ASCII.GetBytes(attributes.ToString()); // V_5
    var returnType = method.ReturnType;
    var returnTypeBytes = Encoding.ASCII.GetBytes(returnType.ToString()); // V_6
    var callingConvention = method.CallingConvention; // V_16
    var callingConventionBytes = Encoding.ASCII.GetBytes(callingConvention.ToString()); // V_7
    var parameters = method.GetParameters(); // V_17
    var parametersTypes = ""; // V_4
    foreach (var parameter in parameters)
    {
        // The IL null-checks ParameterType before calling ToString()
        parametersTypes += parameter.ParameterType?.ToString();
    }
    var parameterTypesBytes = Encoding.ASCII.GetBytes(parametersTypes); // V_11
    var maxStackSize = methodBody.MaxStackSize; // V_20
    var maxStackSizeBytes = Encoding.ASCII.GetBytes(maxStackSize.ToString()); // V_8
    var methodBodyILByteArray = methodBody.GetILAsByteArray();
    var methodBodyILByteArrayLengthBytes = BitConverter.GetBytes((int)methodBodyILByteArray.Length); // V_9
    var variables = methodBody.LocalVariables;
    var variablesTypes = ""; // loc.3
    foreach (var variable in variables)
    {
        // The IL null-checks LocalType before calling ToString()
        variablesTypes += variable.LocalType?.ToString();
    }
    var variablesTypesBytes = Encoding.ASCII.GetBytes(variablesTypes); // V_10
    // SHA-256 over the collected fields, appended in this order
    var hashAlgorithm = IncrementalHash.CreateHash(HashAlgorithmName.SHA256); // V_12
    hashAlgorithm.AppendData(methodBodyILByteArrayLengthBytes);
    hashAlgorithm.AppendData(attributesBytes);
    hashAlgorithm.AppendData(returnTypeBytes);
    hashAlgorithm.AppendData(maxStackSizeBytes);
    hashAlgorithm.AppendData(variablesTypesBytes);
    hashAlgorithm.AppendData(parameterTypesBytes);
    hashAlgorithm.AppendData(callingConventionBytes);
    var hash = hashAlgorithm.GetHashAndReset(); // V_13
    // Lowercase hex encoding of the digest
    var stringBuilder = new StringBuilder(((int)hash.Length) * 2);
    foreach (var b in hash)
    {
        stringBuilder.Append(b.ToString("x2"));
    }
    var result = stringBuilder.ToString();
    return result;
}
5.3 Analysis of the flare_69 function
After decompilation, flare_69 looked as follows:
public static byte[] flare_69(string h)
{
    byte[] array;
    try
    {
        array = FLARE15.flared_69(h);
    }
    catch (InvalidProgramException ex)
    {
        array = (byte[])FLARE15.flare_71(ex, new object[] { h }, FLARE15.gs_m, FLARE15.gs_b);
    }
    return array;
}
After decrypting flared_69, I obtained the following MS IL code:
IL_0000: nop
IL_0001: call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()
IL_0006: callvirt System.String System.Reflection.Assembly::get_Location()
IL_000B: stloc.0
IL_000C: newobj System.Void FlareOn.Backdoor.FLARE09::.ctor()
IL_0011: stloc.1
IL_0012: ldloc.0
IL_0013: call System.Void FlareOn.Backdoor.FLARE09::flare_37(System.String)
IL_0018: nop
IL_0019: ldnull
IL_001A: stloc.2
IL_001B: ldloc.0
IL_001C: ldc.i4.3
IL_001D: ldc.i4.1
IL_001E: newobj System.Void System.IO.FileStream::.ctor(System.String, System.IO.FileMode, System.IO.FileAccess)
IL_0023: stloc.3
IL_0024: nop
IL_0025: nop
IL_0026: ldloc.1
IL_0027: callvirt FlareOn.Backdoor.IMAGE_SECTION_HEADER[] FlareOn.Backdoor.FLARE09::get_ImageSectionHeaders()
IL_002C: stloc.s V_4
IL_002E: ldc.i4.0
IL_002F: stloc.s V_5
IL_0031: br.s IL_008E
IL_0033: ldloc.s V_4
IL_0035: ldloc.s V_5
IL_0037: ldelem FlareOn.Backdoor.IMAGE_SECTION_HEADER
IL_003C: stloc.s V_6
IL_003E: nop
IL_003F: ldarg.0
IL_0040: ldloc.s V_6
IL_0042: ldfld System.Char[] FlareOn.Backdoor.IMAGE_SECTION_HEADER::Name
IL_0047: newobj System.Void System.String::.ctor(System.Char[])
IL_004C: callvirt System.Boolean System.String::StartsWith(System.String)
IL_0051: stloc.s V_7
IL_0053: ldloc.s V_7
IL_0055: brfalse.s IL_0087
IL_0057: nop
IL_0058: ldloc.s V_6
IL_005A: ldfld System.UInt32 FlareOn.Backdoor.IMAGE_SECTION_HEADER::VirtualSize
IL_005F: newarr System.Byte
IL_0064: stloc.2
IL_0065: ldloc.3
IL_0066: ldloc.s V_6
IL_0068: ldfld System.UInt32 FlareOn.Backdoor.IMAGE_SECTION_HEADER::PointerToRawData
IL_006D: conv.u8
IL_006E: ldc.i4.0
IL_006F: callvirt System.Int64 System.IO.Stream::Seek(System.Int64, System.IO.SeekOrigin)
IL_0074: pop
IL_0075: ldloc.3
IL_0076: ldloc.2
IL_0077: ldc.i4.0
IL_0078: ldloc.s V_6
IL_007A: ldfld System.UInt32 FlareOn.Backdoor.IMAGE_SECTION_HEADER::VirtualSize
IL_007F: callvirt System.Int32 System.IO.Stream::Read(System.Byte[], System.Int32, System.Int32)
IL_0084: pop
IL_0085: br.s IL_0096
IL_0087: nop
IL_0088: ldloc.s V_5
IL_008A: ldc.i4.1
IL_008B: add
IL_008C: stloc.s V_5
IL_008E: ldloc.s V_5
IL_0090: ldloc.s V_4
IL_0092: ldlen
IL_0093: conv.i4
IL_0094: blt.s IL_0033
IL_0096: nop
IL_0097: leave.s IL_00A4
IL_0099: ldloc.3
IL_009A: brfalse.s IL_00A3
IL_009C: ldloc.3
IL_009D: callvirt System.Void System.IDisposable::Dispose()
IL_00A2: nop
IL_00A3: endfinally
IL_00A4: ldloc.2
IL_00A5: stloc.s V_8
IL_00A7: br.s IL_00A9
IL_00A9: ldloc.s V_8
IL_00AB: ret
After decompiling the MS IL code of flared_69, I obtained the following C# code:
public static byte[] flared_69(string h)
{
    byte[] result = null;
    var assembly = Assembly.GetExecutingAssembly();
    var location = assembly.Location;
    FLARE09.flare_37(location); // parses the PE headers of the running file
    using (var fileStream = new FileStream(location, FileMode.Open, FileAccess.Read))
    {
        // The IL reads this array through the ImageSectionHeaders property getter
        var imageSectionHeaders = FLARE09.imageSectionHeaders;
        foreach (var imageSectionHeader in imageSectionHeaders)
        {
            var sectionHeaderName = imageSectionHeader.Name;
            var text = new string(sectionHeaderName);
            // Select the section whose name is a prefix of h
            if (h.StartsWith(text))
            {
                var virtualSize = imageSectionHeader.VirtualSize;
                var array = new byte[virtualSize];
                var pointerToRawData = imageSectionHeader.PointerToRawData;
                fileStream.Seek(pointerToRawData, SeekOrigin.Begin);
                fileStream.Read(array, 0, (int)virtualSize);
                result = array;
                break;
            }
        }
    }
    return result;
}
The function flared_69 used flare_37, so that one had to be decompiled as well.
5.4 Analysis of the flare_37 function
After decompilation, flare_37 looked as follows:
public static void flare_37(string f)
{
    try
    {
        FLARE09.flared_35(f);
    }
    catch (InvalidProgramException ex)
    {
        FLARE15.flare_71(ex, new object[] { f }, FLARE15.pe_m, FLARE15.pe_b);
    }
}
After decrypting flared_35, I obtained the following MS IL code:
IL_0000: nop
IL_0001: ldarg.0
IL_0002: ldc.i4.3
IL_0003: ldc.i4.1
IL_0004: newobj System.Void System.IO.FileStream::.ctor(System.String, System.IO.FileMode, System.IO.FileAccess)
IL_0009: stloc.0
IL_000A: nop
IL_000B: ldloc.0
IL_000C: newobj System.Void System.IO.BinaryReader::.ctor(System.IO.Stream)
IL_0011: stloc.1
IL_0012: ldloc.1
IL_0013: call !!0 FlareOn.Backdoor.FLARE09::FromBinaryReader<FlareOn.Backdoor.IMAGE_DOS_HEADER>(System.IO.BinaryReader)
IL_0018: stsfld FlareOn.Backdoor.IMAGE_DOS_HEADER FlareOn.Backdoor.FLARE09::dosHeader
IL_001D: ldloc.0
IL_001E: ldsflda FlareOn.Backdoor.IMAGE_DOS_HEADER FlareOn.Backdoor.FLARE09::dosHeader
IL_0023: ldfld System.UInt32 FlareOn.Backdoor.IMAGE_DOS_HEADER::e_lfanew
IL_0028: conv.u8
IL_0029: ldc.i4.0
IL_002A: callvirt System.Int64 System.IO.Stream::Seek(System.Int64, System.IO.SeekOrigin)
IL_002F: pop
IL_0030: ldloc.1
IL_0031: callvirt System.UInt32 System.IO.BinaryReader::ReadUInt32()
IL_0036: stloc.2
IL_0037: ldloc.1
IL_0038: call !!0 FlareOn.Backdoor.FLARE09::FromBinaryReader<FlareOn.Backdoor.IMAGE_FILE_HEADER>(System.IO.BinaryReader)
IL_003D: stsfld FlareOn.Backdoor.IMAGE_FILE_HEADER FlareOn.Backdoor.FLARE09::fileHeader
IL_0042: ldloc.1
IL_0043: call !!0 FlareOn.Backdoor.FLARE09::FromBinaryReader<FlareOn.Backdoor.IMAGE_OPTIONAL_HEADER32>(System.IO.BinaryReader)
IL_0048: stsfld FlareOn.Backdoor.IMAGE_OPTIONAL_HEADER32 FlareOn.Backdoor.FLARE09::optionalHeader32
IL_004D: ldsflda FlareOn.Backdoor.IMAGE_FILE_HEADER FlareOn.Backdoor.FLARE09::fileHeader
IL_0052: ldfld System.UInt16 FlareOn.Backdoor.IMAGE_FILE_HEADER::NumberOfSections
IL_0057: newarr FlareOn.Backdoor.IMAGE_SECTION_HEADER
IL_005C: stsfld FlareOn.Backdoor.IMAGE_SECTION_HEADER[] FlareOn.Backdoor.FLARE09::imageSectionHeaders
IL_0061: ldc.i4.0
IL_0062: stloc.3
IL_0063: br.s IL_007C
IL_0065: nop
IL_0066: ldsfld FlareOn.Backdoor.IMAGE_SECTION_HEADER[] FlareOn.Backdoor.FLARE09::imageSectionHeaders
IL_006B: ldloc.3
IL_006C: ldloc.1
IL_006D: call !!0 FlareOn.Backdoor.FLARE09::FromBinaryReader<FlareOn.Backdoor.IMAGE_SECTION_HEADER>(System.IO.BinaryReader)
IL_0072: stelem FlareOn.Backdoor.IMAGE_SECTION_HEADER
IL_0077: nop
IL_0078: ldloc.3
IL_0079: ldc.i4.1
IL_007A: add
IL_007B: stloc.3
IL_007C: ldloc.3
IL_007D: ldsfld FlareOn.Backdoor.IMAGE_SECTION_HEADER[] FlareOn.Backdoor.FLARE09::imageSectionHeaders
IL_0082: ldlen
IL_0083: conv.i4
IL_0084: clt
IL_0086: stloc.s V_4
IL_0088: ldloc.s V_4
IL_008A: brtrue.s IL_0065
IL_008C: nop
IL_008D: leave.s IL_009A
IL_008F: ldloc.0
IL_0090: brfalse.s IL_0099
IL_0092: ldloc.0
IL_0093: callvirt System.Void System.IDisposable::Dispose()
IL_0098: nop
IL_0099: endfinally
IL_009A: ret
After decompiling the MS IL code of flared_35, I obtained the following C# code:
public static void flared_35(string f)
{
    using (var fileStream = new FileStream(f, FileMode.Open, FileAccess.Read)) // loc.0
    {
        using (var binaryReader = new BinaryReader(fileStream)) // loc.1
        {
            dosHeader = FromBinaryReader<IMAGE_DOS_HEADER>(binaryReader);
            fileStream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
            var signature = binaryReader.ReadUInt32(); // loc.2
            var imageFileHeader = FromBinaryReader<IMAGE_FILE_HEADER>(binaryReader);
            fileHeader = imageFileHeader;
            optionalHeader32 = FromBinaryReader<IMAGE_OPTIONAL_HEADER32>(binaryReader);
            imageSectionHeaders = new IMAGE_SECTION_HEADER[fileHeader.NumberOfSections];
            for (var i = 0; i < imageSectionHeaders.Length; i++)
            {
                imageSectionHeaders[i] = FromBinaryReader<IMAGE_SECTION_HEADER>(binaryReader);
            }
        }
    }
}
5.5 Analysis of the flare_46 function
After decompilation, flare_46 looked as follows:
public static byte[] flare_46(byte[] p, byte[] d)
{
    byte[] array;
    try
    {
        array = FLARE12.flared_47(p, d);
    }
    catch (InvalidProgramException ex)
    {
        array = (byte[])FLARE15.flare_71(ex, new object[] { p, d }, FLARE15.d_m, FLARE15.d_b);
    }
    return array;
}
After decrypting flared_47, I obtained the following MS IL code:
IL_0000: nop
IL_0001: ldc.i4 256
IL_0006: newarr System.Int32
IL_000B: stloc.s V_5
IL_000D: ldc.i4 256
IL_0012: newarr System.Int32
IL_0017: stloc.s V_6
IL_0019: ldarg.1
IL_001A: ldlen
IL_001B: conv.i4
IL_001C: newarr System.Byte
IL_0021: stloc.s V_7
IL_0023: ldc.i4.0
IL_0024: stloc.1
IL_0025: br.s IL_003D
IL_0027: nop
IL_0028: ldloc.s V_5
IL_002A: ldloc.1
IL_002B: ldarg.0
IL_002C: ldloc.1
IL_002D: ldarg.0
IL_002E: ldlen
IL_002F: conv.i4
IL_0030: rem
IL_0031: ldelem.u1
IL_0032: stelem.i4
IL_0033: ldloc.s V_6
IL_0035: ldloc.1
IL_0036: ldloc.1
IL_0037: stelem.i4
IL_0038: nop
IL_0039: ldloc.1
IL_003A: ldc.i4.1
IL_003B: add
IL_003C: stloc.1
IL_003D: ldloc.1
IL_003E: ldc.i4 256
IL_0043: clt
IL_0045: stloc.s V_8
IL_0047: ldloc.s V_8
IL_0049: brtrue.s IL_0027
IL_004B: ldc.i4.0
IL_004C: dup
IL_004D: stloc.1
IL_004E: stloc.2
IL_004F: br.s IL_007D
IL_0051: nop
IL_0052: ldloc.2
IL_0053: ldloc.s V_6
IL_0055: ldloc.1
IL_0056: ldelem.i4
IL_0057: add
IL_0058: ldloc.s V_5
IL_005A: ldloc.1
IL_005B: ldelem.i4
IL_005C: add
IL_005D: ldc.i4 256
IL_0062: rem
IL_0063: stloc.2
IL_0064: ldloc.s V_6
IL_0066: ldloc.1
IL_0067: ldelem.i4
IL_0068: stloc.s V_4
IL_006A: ldloc.s V_6
IL_006C: ldloc.1
IL_006D: ldloc.s V_6
IL_006F: ldloc.2
IL_0070: ldelem.i4
IL_0071: stelem.i4
IL_0072: ldloc.s V_6
IL_0074: ldloc.2
IL_0075: ldloc.s V_4
IL_0077: stelem.i4
IL_0078: nop
IL_0079: ldloc.1
IL_007A: ldc.i4.1
IL_007B: add
IL_007C: stloc.1
IL_007D: ldloc.1
IL_007E: ldc.i4 256
IL_0083: clt
IL_0085: stloc.s V_9
IL_0087: ldloc.s V_9
IL_0089: brtrue.s IL_0051
IL_008B: ldc.i4.0
IL_008C: dup
IL_008D: stloc.1
IL_008E: dup
IL_008F: stloc.2
IL_0090: stloc.0
IL_0091: br.s IL_00E5
IL_0093: nop
IL_0094: ldloc.0
IL_0095: ldc.i4.1
IL_0096: add
IL_0097: stloc.0
IL_0098: ldloc.0
IL_0099: ldc.i4 256
IL_009E: rem
IL_009F: stloc.0
IL_00A0: ldloc.2
IL_00A1: ldloc.s V_6
IL_00A3: ldloc.0
IL_00A4: ldelem.i4
IL_00A5: add
IL_00A6: stloc.2
IL_00A7: ldloc.2
IL_00A8: ldc.i4 256
IL_00AD: rem
IL_00AE: stloc.2
IL_00AF: ldloc.s V_6
IL_00B1: ldloc.0
IL_00B2: ldelem.i4
IL_00B3: stloc.s V_4
IL_00B5: ldloc.s V_6
IL_00B7: ldloc.0
IL_00B8: ldloc.s V_6
IL_00BA: ldloc.2
IL_00BB: ldelem.i4
IL_00BC: stelem.i4
IL_00BD: ldloc.s V_6
IL_00BF: ldloc.2
IL_00C0: ldloc.s V_4
IL_00C2: stelem.i4
IL_00C3: ldloc.s V_6
IL_00C5: ldloc.s V_6
IL_00C7: ldloc.0
IL_00C8: ldelem.i4
IL_00C9: ldloc.s V_6
IL_00CB: ldloc.2
IL_00CC: ldelem.i4
IL_00CD: add
IL_00CE: ldc.i4 256
IL_00D3: rem
IL_00D4: ldelem.i4
IL_00D5: stloc.3
IL_00D6: ldloc.s V_7
IL_00D8: ldloc.1
IL_00D9: ldarg.1
IL_00DA: ldloc.1
IL_00DB: ldelem.u1
IL_00DC: ldloc.3
IL_00DD: xor
IL_00DE: conv.u1
IL_00DF: stelem.i1
IL_00E0: nop
IL_00E1: ldloc.1
IL_00E2: ldc.i4.1
IL_00E3: add
IL_00E4: stloc.1
IL_00E5: ldloc.1
IL_00E6: ldarg.1
IL_00E7: ldlen
IL_00E8: conv.i4
IL_00E9: clt
IL_00EB: stloc.s V_10
IL_00ED: ldloc.s V_10
IL_00EF: brtrue.s IL_0093
IL_00F1: ldloc.s V_7
IL_00F3: stloc.s V_11
IL_00F5: br.s IL_00F7
IL_00F7: ldloc.s V_11
IL_00F9: ret
From the characteristic loops and the xor operation, I recognized that flared_47 implements encryption using the RC4 algorithm.
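The lookup chain reconstructed in sections 5.1 to 5.5 (metadata hash from flared_66, section lookup from flared_35 and flared_69, RC4 from flared_47), as an added Python example; it is not the author's AsmResolver-based decryptor. The key, the metadata strings and the minimal PE image are constructed sample values (the real 4-byte key from <PrivateImplementationDetails> is not reproduced here), and all helper names are hypothetical. The section table is located through SizeOfOptionalHeader instead of a fixed IMAGE_OPTIONAL_HEADER32 structure.

```python
import hashlib
import struct


def method_hash(il_len, attributes, return_type, max_stack,
                local_types, param_types, calling_conv):
    """SHA-256 over method metadata, in the AppendData order of flared_66."""
    h = hashlib.sha256()
    h.update(struct.pack("<i", il_len))  # BitConverter.GetBytes(int): 4 bytes LE
    for text in (attributes, return_type, str(max_stack),
                 local_types, param_types, calling_conv):
        h.update(text.encode("ascii", errors="replace"))
    return h.hexdigest()  # lowercase hex, like ToString("x2")


def read_sections(pe):
    """Yield (name, virtual_size, pointer_to_raw_data) for each section header."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    for i in range(n_sections):
        off = table + 40 * i
        # Keep all 8 characters, as new string(char[]) does in flared_69.
        name = pe[off:off + 8].decode("latin-1")
        vsize, _va, _raw_size, raw_ptr = struct.unpack_from("<4I", pe, off + 8)
        yield name, vsize, raw_ptr


def section_for_hash(pe, digest):
    """Return VirtualSize bytes of the first section whose name prefixes digest."""
    for name, vsize, raw_ptr in read_sections(pe):
        if digest.startswith(name):
            blob = pe[raw_ptr:raw_ptr + vsize]
            if len(blob) != vsize:
                raise ValueError("section %r extends past end of file" % name)
            return blob
    return None


def rc4(key, data):
    """RC4 as laid out in the flared_47 IL: key schedule, then keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def recover_body(pe, key, **metadata):
    """Hash the metadata, find the matching section, RC4-decrypt its contents."""
    digest = method_hash(**metadata)
    blob = section_for_hash(pe, digest)
    if blob is None:
        raise LookupError("no section name is a prefix of " + digest)
    return rc4(key, blob)


def build_sample_pe(section_name, payload):
    """Constructed sample input: minimal PE headers plus one section."""
    e_lfanew, opt_size, raw_ptr = 0x80, 224, 0x200
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    section = section_name.encode("ascii") + struct.pack(
        "<8I", len(payload), 0x2000, len(payload), raw_ptr, 0, 0, 0, 0)
    headers = dos + b"PE\0\0" + file_hdr + b"\0" * opt_size + section
    return headers.ljust(raw_ptr, b"\0") + payload


# Constructed sample values, not taken from FlareOn.Backdoor.exe.
SAMPLE_KEY = bytes([0x01, 0x02, 0x03, 0x04])  # placeholder 4-byte key
SAMPLE_IL = bytes([0x00, 0x00, 0x2A])         # nop; nop; ret
SAMPLE_METADATA = dict(
    il_len=len(SAMPLE_IL),
    attributes="PrivateScope, Public, Static, HideBySig",
    return_type="System.Void", max_stack=8, local_types="",
    param_types="System.String", calling_conv="Standard")

if __name__ == "__main__":
    digest = method_hash(**SAMPLE_METADATA)
    pe = build_sample_pe(digest[:8], rc4(SAMPLE_KEY, SAMPLE_IL))
    print(digest[:8], recover_body(pe, SAMPLE_KEY, **SAMPLE_METADATA).hex())
```

Because the section name is compared as a full 8-character string, an ordinary name padded with NUL bytes such as .text never matches a hex digest, so only the specially named sections are selected.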
5.6 Analysis of the flare_67 function
After decompilation, flare_67 looked as follows:
public static object flare_67(byte[] b, int tk, object[] o)
{
    object obj;
    try
    {
        obj = FLARE15.flared_67(b, tk, o);
    }
    catch (InvalidProgramException ex)
    {
        obj = FLARE15.flare_71(ex, new object[] { b, tk, o }, FLARE15.cl_m, FLARE15.cl_b);
    }
    return obj;
}
After decrypting flared_67, I obtained the following MS IL code:
IL_0000: nop
IL_0001: newobj System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::.ctor()
IL_0006: dup
IL_0007: ldc.i4.s 88
IL_0009: ldc.i4.0
IL_000A: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_000F: nop
IL_0010: dup
IL_0011: ldc.i4 214
IL_0016: ldc.i4.0
IL_0017: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_001C: nop
IL_001D: dup
IL_001E: ldc.i4 215
IL_0023: ldc.i4.0
IL_0024: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0029: nop
IL_002A: dup
IL_002B: ldc.i4.s 95
IL_002D: ldc.i4.0
IL_002E: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0033: nop
IL_0034: dup
IL_0035: ldc.i4 65024
IL_003A: ldc.i4.0
IL_003B: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0040: nop
IL_0041: dup
IL_0042: ldc.i4.s 59
IL_0044: ldc.i4.3
IL_0045: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_004A: nop
IL_004B: dup
IL_004C: ldc.i4.s 46
IL_004E: ldc.i4.2
IL_004F: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0054: nop
IL_0055: dup
IL_0056: ldc.i4.s 60
IL_0058: ldc.i4.3
IL_0059: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_005E: nop
IL_005F: dup
IL_0060: ldc.i4.s 47
IL_0062: ldc.i4.2
IL_0063: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0068: nop
IL_0069: dup
IL_006A: ldc.i4.s 65
IL_006C: ldc.i4.3
IL_006D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0072: nop
IL_0073: dup
IL_0074: ldc.i4.s 52
IL_0076: ldc.i4.2
IL_0077: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_007C: nop
IL_007D: dup
IL_007E: ldc.i4.s 61
IL_0080: ldc.i4.3
IL_0081: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0086: nop
IL_0087: dup
IL_0088: ldc.i4.s 48
IL_008A: ldc.i4.2
IL_008B: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0090: nop
IL_0091: dup
IL_0092: ldc.i4.s 66
IL_0094: ldc.i4.3
IL_0095: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_009A: nop
IL_009B: dup
IL_009C: ldc.i4.s 53
IL_009E: ldc.i4.2
IL_009F: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_00A4: nop
IL_00A5: dup
IL_00A6: ldc.i4.s 62
IL_00A8: ldc.i4.3
IL_00A9: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_00AE: nop
IL_00AF: dup
IL_00B0: ldc.i4.s 49
IL_00B2: ldc.i4.2
IL_00B3: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_00B8: nop
IL_00B9: dup
IL_00BA: ldc.i4.s 67
IL_00BC: ldc.i4.3
IL_00BD: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_00C2: nop
IL_00C3: dup
IL_00C4: ldc.i4.s 54
IL_00C6: ldc.i4.2
IL_00C7: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_00CC: nop
IL_00CD: dup
IL_00CE: ldc.i4.s 63
IL_00D0: ldc.i4.3
IL_00D1: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_00D6: nop
IL_00D7: dup
IL_00D8: ldc.i4.s 50
IL_00DA: ldc.i4.2
IL_00DB: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_00E0: nop
IL_00E1: dup
IL_00E2: ldc.i4.s 68
IL_00E4: ldc.i4.3
IL_00E5: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_00EA: nop
IL_00EB: dup
IL_00EC: ldc.i4.s 55
IL_00EE: ldc.i4.2
IL_00EF: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_00F4: nop
IL_00F5: dup
IL_00F6: ldc.i4.s 64
IL_00F8: ldc.i4.3
IL_00F9: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_00FE: nop
IL_00FF: dup
IL_0100: ldc.i4.s 51
IL_0102: ldc.i4.2
IL_0103: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0108: nop
IL_0109: dup
IL_010A: ldc.i4 140
IL_010F: ldc.i4.1
IL_0110: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0115: nop
IL_0116: dup
IL_0117: ldc.i4.s 56
IL_0119: ldc.i4.3
IL_011A: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_011F: nop
IL_0120: dup
IL_0121: ldc.i4.s 43
IL_0123: ldc.i4.2
IL_0124: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0129: nop
IL_012A: dup
IL_012B: ldc.i4.1
IL_012C: ldc.i4.0
IL_012D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0132: nop
IL_0133: dup
IL_0134: ldc.i4.s 57
IL_0136: ldc.i4.3
IL_0137: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_013C: nop
IL_013D: dup
IL_013E: ldc.i4.s 44
IL_0140: ldc.i4.2
IL_0141: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0146: nop
IL_0147: dup
IL_0148: ldc.i4.s 58
IL_014A: ldc.i4.3
IL_014B: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0150: nop
IL_0151: dup
IL_0152: ldc.i4.s 45
IL_0154: ldc.i4.2
IL_0155: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_015A: nop
IL_015B: dup
IL_015C: ldc.i4.s 40
IL_015E: ldc.i4.1
IL_015F: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0164: nop
IL_0165: dup
IL_0166: ldc.i4.s 41
IL_0168: ldc.i4.1
IL_0169: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_016E: nop
IL_016F: dup
IL_0170: ldc.i4.s 111
IL_0172: ldc.i4.1
IL_0173: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0178: nop
IL_0179: dup
IL_017A: ldc.i4.s 116
IL_017C: ldc.i4.1
IL_017D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0182: nop
IL_0183: dup
IL_0184: ldc.i4 65025
IL_0189: ldc.i4.0
IL_018A: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_018F: nop
IL_0190: dup
IL_0191: ldc.i4 65026
IL_0196: ldc.i4.0
IL_0197: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_019C: nop
IL_019D: dup
IL_019E: ldc.i4 65027
IL_01A3: ldc.i4.0
IL_01A4: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_01A9: nop
IL_01AA: dup
IL_01AB: ldc.i4 195
IL_01B0: ldc.i4.0
IL_01B1: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_01B6: nop
IL_01B7: dup
IL_01B8: ldc.i4 65028
IL_01BD: ldc.i4.0
IL_01BE: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_01C3: nop
IL_01C4: dup
IL_01C5: ldc.i4 65029
IL_01CA: ldc.i4.0
IL_01CB: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_01D0: nop
IL_01D1: dup
IL_01D2: ldc.i4 65046
IL_01D7: ldc.i4.1
IL_01D8: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_01DD: nop
IL_01DE: dup
IL_01DF: ldc.i4 211
IL_01E4: ldc.i4.0
IL_01E5: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_01EA: nop
IL_01EB: dup
IL_01EC: ldc.i4.s 103
IL_01EE: ldc.i4.0
IL_01EF: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_01F4: nop
IL_01F5: dup
IL_01F6: ldc.i4.s 104
IL_01F8: ldc.i4.0
IL_01F9: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_01FE: nop
IL_01FF: dup
IL_0200: ldc.i4.s 105
IL_0202: ldc.i4.0
IL_0203: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0208: nop
IL_0209: dup
IL_020A: ldc.i4.s 106
IL_020C: ldc.i4.0
IL_020D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0212: nop
IL_0213: dup
IL_0214: ldc.i4 212
IL_0219: ldc.i4.0
IL_021A: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_021F: nop
IL_0220: dup
IL_0221: ldc.i4 138
IL_0226: ldc.i4.0
IL_0227: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_022C: nop
IL_022D: dup
IL_022E: ldc.i4 179
IL_0233: ldc.i4.0
IL_0234: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0239: nop
IL_023A: dup
IL_023B: ldc.i4 130
IL_0240: ldc.i4.0
IL_0241: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0246: nop
IL_0247: dup
IL_0248: ldc.i4 181
IL_024D: ldc.i4.0
IL_024E: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0253: nop
IL_0254: dup
IL_0255: ldc.i4 131
IL_025A: ldc.i4.0
IL_025B: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0260: nop
IL_0261: dup
IL_0262: ldc.i4 183
IL_0267: ldc.i4.0
IL_0268: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_026D: nop
IL_026E: dup
IL_026F: ldc.i4 132
IL_0274: ldc.i4.0
IL_0275: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_027A: nop
IL_027B: dup
IL_027C: ldc.i4 185
IL_0281: ldc.i4.0
IL_0282: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0287: nop
IL_0288: dup
IL_0289: ldc.i4 133
IL_028E: ldc.i4.0
IL_028F: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0294: nop
IL_0295: dup
IL_0296: ldc.i4 213
IL_029B: ldc.i4.0
IL_029C: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_02A1: nop
IL_02A2: dup
IL_02A3: ldc.i4 139
IL_02A8: ldc.i4.0
IL_02A9: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_02AE: nop
IL_02AF: dup
IL_02B0: ldc.i4 180
IL_02B5: ldc.i4.0
IL_02B6: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_02BB: nop
IL_02BC: dup
IL_02BD: ldc.i4 134
IL_02C2: ldc.i4.0
IL_02C3: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_02C8: nop
IL_02C9: dup
IL_02CA: ldc.i4 182
IL_02CF: ldc.i4.0
IL_02D0: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_02D5: nop
IL_02D6: dup
IL_02D7: ldc.i4 135
IL_02DC: ldc.i4.0
IL_02DD: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_02E2: nop
IL_02E3: dup
IL_02E4: ldc.i4 184
IL_02E9: ldc.i4.0
IL_02EA: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_02EF: nop
IL_02F0: dup
IL_02F1: ldc.i4 136
IL_02F6: ldc.i4.0
IL_02F7: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_02FC: nop
IL_02FD: dup
IL_02FE: ldc.i4 186
IL_0303: ldc.i4.0
IL_0304: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0309: nop
IL_030A: dup
IL_030B: ldc.i4 137
IL_0310: ldc.i4.0
IL_0311: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0316: nop
IL_0317: dup
IL_0318: ldc.i4.s 118
IL_031A: ldc.i4.0
IL_031B: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0320: nop
IL_0321: dup
IL_0322: ldc.i4.s 107
IL_0324: ldc.i4.0
IL_0325: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_032A: nop
IL_032B: dup
IL_032C: ldc.i4.s 108
IL_032E: ldc.i4.0
IL_032F: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0334: nop
IL_0335: dup
IL_0336: ldc.i4 224
IL_033B: ldc.i4.0
IL_033C: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0341: nop
IL_0342: dup
IL_0343: ldc.i4 210
IL_0348: ldc.i4.0
IL_0349: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_034E: nop
IL_034F: dup
IL_0350: ldc.i4 209
IL_0355: ldc.i4.0
IL_0356: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_035B: nop
IL_035C: dup
IL_035D: ldc.i4.s 109
IL_035F: ldc.i4.0
IL_0360: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0365: nop
IL_0366: dup
IL_0367: ldc.i4.s 110
IL_0369: ldc.i4.0
IL_036A: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_036F: nop
IL_0370: dup
IL_0371: ldc.i4 65047
IL_0376: ldc.i4.0
IL_0377: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_037C: nop
IL_037D: dup
IL_037E: ldc.i4.s 112
IL_0380: ldc.i4.1
IL_0381: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0386: nop
IL_0387: dup
IL_0388: ldc.i4.s 91
IL_038A: ldc.i4.0
IL_038B: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0390: nop
IL_0391: dup
IL_0392: ldc.i4.s 92
IL_0394: ldc.i4.0
IL_0395: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_039A: nop
IL_039B: dup
IL_039C: ldc.i4.s 37
IL_039E: ldc.i4.0
IL_039F: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_03A4: nop
IL_03A5: dup
IL_03A6: ldc.i4 65041
IL_03AB: ldc.i4.0
IL_03AC: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_03B1: nop
IL_03B2: dup
IL_03B3: ldc.i4 220
IL_03B8: ldc.i4.0
IL_03B9: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_03BE: nop
IL_03BF: dup
IL_03C0: ldc.i4 65048
IL_03C5: ldc.i4.0
IL_03C6: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_03CB: nop
IL_03CC: dup
IL_03CD: ldc.i4 65045
IL_03D2: ldc.i4.1
IL_03D3: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_03D8: nop
IL_03D9: dup
IL_03DA: ldc.i4.s 117
IL_03DC: ldc.i4.1
IL_03DD: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_03E2: nop
IL_03E3: dup
IL_03E4: ldc.i4.s 39
IL_03E6: ldc.i4.1
IL_03E7: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_03EC: nop
IL_03ED: dup
IL_03EE: ldc.i4 65033
IL_03F3: ldc.i4.5
IL_03F4: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_03F9: nop
IL_03FA: dup
IL_03FB: ldc.i4.2
IL_03FC: ldc.i4.0
IL_03FD: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0402: nop
IL_0403: dup
IL_0404: ldc.i4.3
IL_0405: ldc.i4.0
IL_0406: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_040B: nop
IL_040C: dup
IL_040D: ldc.i4.4
IL_040E: ldc.i4.0
IL_040F: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0414: nop
IL_0415: dup
IL_0416: ldc.i4.5
IL_0417: ldc.i4.0
IL_0418: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_041D: nop
IL_041E: dup
IL_041F: ldc.i4.s 14
IL_0421: ldc.i4.4
IL_0422: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0427: nop
IL_0428: dup
IL_0429: ldc.i4 65034
IL_042E: ldc.i4.5
IL_042F: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0434: nop
IL_0435: dup
IL_0436: ldc.i4.s 15
IL_0438: ldc.i4.4
IL_0439: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_043E: nop
IL_043F: dup
IL_0440: ldc.i4.s 32
IL_0442: ldc.i4.6
IL_0443: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0448: nop
IL_0449: dup
IL_044A: ldc.i4.s 22
IL_044C: ldc.i4.0
IL_044D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0452: nop
IL_0453: dup
IL_0454: ldc.i4.s 23
IL_0456: ldc.i4.0
IL_0457: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_045C: nop
IL_045D: dup
IL_045E: ldc.i4.s 24
IL_0460: ldc.i4.0
IL_0461: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0466: nop
IL_0467: dup
IL_0468: ldc.i4.s 25
IL_046A: ldc.i4.0
IL_046B: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0470: nop
IL_0471: dup
IL_0472: ldc.i4.s 26
IL_0474: ldc.i4.0
IL_0475: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_047A: nop
IL_047B: dup
IL_047C: ldc.i4.s 27
IL_047E: ldc.i4.0
IL_047F: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0484: nop
IL_0485: dup
IL_0486: ldc.i4.s 28
IL_0488: ldc.i4.0
IL_0489: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_048E: nop
IL_048F: dup
IL_0490: ldc.i4.s 29
IL_0492: ldc.i4.0
IL_0493: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0498: nop
IL_0499: dup
IL_049A: ldc.i4.s 30
IL_049C: ldc.i4.0
IL_049D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_04A2: nop
IL_04A3: dup
IL_04A4: ldc.i4.s 21
IL_04A6: ldc.i4.0
IL_04A7: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_04AC: nop
IL_04AD: dup
IL_04AE: ldc.i4.s 31
IL_04B0: ldc.i4.4
IL_04B1: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_04B6: nop
IL_04B7: dup
IL_04B8: ldc.i4.s 33
IL_04BA: ldc.i4.7
IL_04BB: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_04C0: nop
IL_04C1: dup
IL_04C2: ldc.i4.s 34
IL_04C4: ldc.i4.6
IL_04C5: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_04CA: nop
IL_04CB: dup
IL_04CC: ldc.i4.s 35
IL_04CE: ldc.i4.7
IL_04CF: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_04D4: nop
IL_04D5: dup
IL_04D6: ldc.i4 163
IL_04DB: ldc.i4.1
IL_04DC: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_04E1: nop
IL_04E2: dup
IL_04E3: ldc.i4 151
IL_04E8: ldc.i4.0
IL_04E9: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_04EE: nop
IL_04EF: dup
IL_04F0: ldc.i4 144
IL_04F5: ldc.i4.0
IL_04F6: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_04FB: nop
IL_04FC: dup
IL_04FD: ldc.i4 146
IL_0502: ldc.i4.0
IL_0503: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0508: nop
IL_0509: dup
IL_050A: ldc.i4 148
IL_050F: ldc.i4.0
IL_0510: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0515: nop
IL_0516: dup
IL_0517: ldc.i4 150
IL_051C: ldc.i4.0
IL_051D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0522: nop
IL_0523: dup
IL_0524: ldc.i4 152
IL_0529: ldc.i4.0
IL_052A: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_052F: nop
IL_0530: dup
IL_0531: ldc.i4 153
IL_0536: ldc.i4.0
IL_0537: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_053C: nop
IL_053D: dup
IL_053E: ldc.i4 154
IL_0543: ldc.i4.0
IL_0544: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0549: nop
IL_054A: dup
IL_054B: ldc.i4 145
IL_0550: ldc.i4.0
IL_0551: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0556: nop
IL_0557: dup
IL_0558: ldc.i4 147
IL_055D: ldc.i4.0
IL_055E: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0563: nop
IL_0564: dup
IL_0565: ldc.i4 149
IL_056A: ldc.i4.0
IL_056B: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0570: nop
IL_0571: dup
IL_0572: ldc.i4 143
IL_0577: ldc.i4.1
IL_0578: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_057D: nop
IL_057E: dup
IL_057F: ldc.i4.s 123
IL_0581: ldc.i4.1
IL_0582: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0587: nop
IL_0588: dup
IL_0589: ldc.i4.s 124
IL_058B: ldc.i4.1
IL_058C: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0591: nop
IL_0592: dup
IL_0593: ldc.i4 65030
IL_0598: ldc.i4.1
IL_0599: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_059E: nop
IL_059F: dup
IL_05A0: ldc.i4.s 77
IL_05A2: ldc.i4.0
IL_05A3: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_05A8: nop
IL_05A9: dup
IL_05AA: ldc.i4.s 70
IL_05AC: ldc.i4.0
IL_05AD: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_05B2: nop
IL_05B3: dup
IL_05B4: ldc.i4.s 72
IL_05B6: ldc.i4.0
IL_05B7: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_05BC: nop
IL_05BD: dup
IL_05BE: ldc.i4.s 74
IL_05C0: ldc.i4.0
IL_05C1: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_05C6: nop
IL_05C7: dup
IL_05C8: ldc.i4.s 76
IL_05CA: ldc.i4.0
IL_05CB: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_05D0: nop
IL_05D1: dup
IL_05D2: ldc.i4.s 78
IL_05D4: ldc.i4.0
IL_05D5: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_05DA: nop
IL_05DB: dup
IL_05DC: ldc.i4.s 79
IL_05DE: ldc.i4.0
IL_05DF: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_05E4: nop
IL_05E5: dup
IL_05E6: ldc.i4.s 80
IL_05E8: ldc.i4.0
IL_05E9: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_05EE: nop
IL_05EF: dup
IL_05F0: ldc.i4.s 71
IL_05F2: ldc.i4.0
IL_05F3: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_05F8: nop
IL_05F9: dup
IL_05FA: ldc.i4.s 73
IL_05FC: ldc.i4.0
IL_05FD: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0602: nop
IL_0603: dup
IL_0604: ldc.i4.s 75
IL_0606: ldc.i4.0
IL_0607: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_060C: nop
IL_060D: dup
IL_060E: ldc.i4 142
IL_0613: ldc.i4.0
IL_0614: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0619: nop
IL_061A: dup
IL_061B: ldc.i4 65036
IL_0620: ldc.i4.5
IL_0621: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0626: nop
IL_0627: dup
IL_0628: ldc.i4.6
IL_0629: ldc.i4.0
IL_062A: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_062F: nop
IL_0630: dup
IL_0631: ldc.i4.7
IL_0632: ldc.i4.0
IL_0633: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0638: nop
IL_0639: dup
IL_063A: ldc.i4.8
IL_063B: ldc.i4.0
IL_063C: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0641: nop
IL_0642: dup
IL_0643: ldc.i4.s 9
IL_0645: ldc.i4.0
IL_0646: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_064B: nop
IL_064C: dup
IL_064D: ldc.i4.s 17
IL_064F: ldc.i4.4
IL_0650: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0655: nop
IL_0656: dup
IL_0657: ldc.i4 65037
IL_065C: ldc.i4.5
IL_065D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0662: nop
IL_0663: dup
IL_0664: ldc.i4.s 18
IL_0666: ldc.i4.4
IL_0667: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_066C: nop
IL_066D: dup
IL_066E: ldc.i4.s 20
IL_0670: ldc.i4.0
IL_0671: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0676: nop
IL_0677: dup
IL_0678: ldc.i4.s 113
IL_067A: ldc.i4.1
IL_067B: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0680: nop
IL_0681: dup
IL_0682: ldc.i4.s 126
IL_0684: ldc.i4.1
IL_0685: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_068A: nop
IL_068B: dup
IL_068C: ldc.i4.s 127
IL_068E: ldc.i4.1
IL_068F: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0694: nop
IL_0695: dup
IL_0696: ldc.i4.s 114
IL_0698: ldc.i4.1
IL_0699: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_069E: nop
IL_069F: dup
IL_06A0: ldc.i4 208
IL_06A5: ldc.i4.1
IL_06A6: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_06AB: nop
IL_06AC: dup
IL_06AD: ldc.i4 65031
IL_06B2: ldc.i4.1
IL_06B3: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_06B8: nop
IL_06B9: dup
IL_06BA: ldc.i4 221
IL_06BF: ldc.i4.3
IL_06C0: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_06C5: nop
IL_06C6: dup
IL_06C7: ldc.i4 222
IL_06CC: ldc.i4.2
IL_06CD: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_06D2: nop
IL_06D3: dup
IL_06D4: ldc.i4 65039
IL_06D9: ldc.i4.0
IL_06DA: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_06DF: nop
IL_06E0: dup
IL_06E1: ldc.i4 198
IL_06E6: ldc.i4.1
IL_06E7: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_06EC: nop
IL_06ED: dup
IL_06EE: ldc.i4.s 90
IL_06F0: ldc.i4.0
IL_06F1: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_06F6: nop
IL_06F7: dup
IL_06F8: ldc.i4 216
IL_06FD: ldc.i4.0
IL_06FE: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0703: nop
IL_0704: dup
IL_0705: ldc.i4 217
IL_070A: ldc.i4.0
IL_070B: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0710: nop
IL_0711: dup
IL_0712: ldc.i4.s 101
IL_0714: ldc.i4.0
IL_0715: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_071A: nop
IL_071B: dup
IL_071C: ldc.i4 141
IL_0721: ldc.i4.1
IL_0722: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0727: nop
IL_0728: dup
IL_0729: ldc.i4.s 115
IL_072B: ldc.i4.1
IL_072C: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0731: nop
IL_0732: dup
IL_0733: ldc.i4 65049
IL_0738: ldc.i4.4
IL_0739: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_073E: nop
IL_073F: dup
IL_0740: ldc.i4.0
IL_0741: ldc.i4.0
IL_0742: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0747: nop
IL_0748: dup
IL_0749: ldc.i4.s 102
IL_074B: ldc.i4.0
IL_074C: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0751: nop
IL_0752: dup
IL_0753: ldc.i4.s 96
IL_0755: ldc.i4.0
IL_0756: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_075B: nop
IL_075C: dup
IL_075D: ldc.i4.s 38
IL_075F: ldc.i4.0
IL_0760: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0765: nop
IL_0766: dup
IL_0767: ldc.i4 254
IL_076C: ldc.i4.0
IL_076D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0772: nop
IL_0773: dup
IL_0774: ldc.i4 253
IL_0779: ldc.i4.0
IL_077A: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_077F: nop
IL_0780: dup
IL_0781: ldc.i4 252
IL_0786: ldc.i4.0
IL_0787: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_078C: nop
IL_078D: dup
IL_078E: ldc.i4 251
IL_0793: ldc.i4.0
IL_0794: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0799: nop
IL_079A: dup
IL_079B: ldc.i4 250
IL_07A0: ldc.i4.0
IL_07A1: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_07A6: nop
IL_07A7: dup
IL_07A8: ldc.i4 249
IL_07AD: ldc.i4.0
IL_07AE: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_07B3: nop
IL_07B4: dup
IL_07B5: ldc.i4 248
IL_07BA: ldc.i4.0
IL_07BB: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_07C0: nop
IL_07C1: dup
IL_07C2: ldc.i4 255
IL_07C7: ldc.i4.0
IL_07C8: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_07CD: nop
IL_07CE: dup
IL_07CF: ldc.i4 65054
IL_07D4: ldc.i4.0
IL_07D5: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_07DA: nop
IL_07DB: dup
IL_07DC: ldc.i4 65053
IL_07E1: ldc.i4.0
IL_07E2: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_07E7: nop
IL_07E8: dup
IL_07E9: ldc.i4 194
IL_07EE: ldc.i4.1
IL_07EF: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_07F4: nop
IL_07F5: dup
IL_07F6: ldc.i4.s 93
IL_07F8: ldc.i4.0
IL_07F9: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_07FE: nop
IL_07FF: dup
IL_0800: ldc.i4.s 94
IL_0802: ldc.i4.0
IL_0803: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0808: nop
IL_0809: dup
IL_080A: ldc.i4.s 42
IL_080C: ldc.i4.0
IL_080D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0812: nop
IL_0813: dup
IL_0814: ldc.i4 65050
IL_0819: ldc.i4.0
IL_081A: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_081F: nop
IL_0820: dup
IL_0821: ldc.i4.s 98
IL_0823: ldc.i4.0
IL_0824: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0829: nop
IL_082A: dup
IL_082B: ldc.i4.s 99
IL_082D: ldc.i4.0
IL_082E: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0833: nop
IL_0834: dup
IL_0835: ldc.i4.s 100
IL_0837: ldc.i4.0
IL_0838: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_083D: nop
IL_083E: dup
IL_083F: ldc.i4 65052
IL_0844: ldc.i4.1
IL_0845: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_084A: nop
IL_084B: dup
IL_084C: ldc.i4 65035
IL_0851: ldc.i4.5
IL_0852: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0857: nop
IL_0858: dup
IL_0859: ldc.i4.s 16
IL_085B: ldc.i4.4
IL_085C: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0861: nop
IL_0862: dup
IL_0863: ldc.i4 164
IL_0868: ldc.i4.1
IL_0869: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_086E: nop
IL_086F: dup
IL_0870: ldc.i4 155
IL_0875: ldc.i4.0
IL_0876: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_087B: nop
IL_087C: dup
IL_087D: ldc.i4 156
IL_0882: ldc.i4.0
IL_0883: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0888: nop
IL_0889: dup
IL_088A: ldc.i4 157
IL_088F: ldc.i4.0
IL_0890: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0895: nop
IL_0896: dup
IL_0897: ldc.i4 158
IL_089C: ldc.i4.0
IL_089D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_08A2: nop
IL_08A3: dup
IL_08A4: ldc.i4 159
IL_08A9: ldc.i4.0
IL_08AA: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_08AF: nop
IL_08B0: dup
IL_08B1: ldc.i4 160
IL_08B6: ldc.i4.0
IL_08B7: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_08BC: nop
IL_08BD: dup
IL_08BE: ldc.i4 161
IL_08C3: ldc.i4.0
IL_08C4: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_08C9: nop
IL_08CA: dup
IL_08CB: ldc.i4 162
IL_08D0: ldc.i4.0
IL_08D1: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_08D6: nop
IL_08D7: dup
IL_08D8: ldc.i4.s 125
IL_08DA: ldc.i4.1
IL_08DB: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_08E0: nop
IL_08E1: dup
IL_08E2: ldc.i4 223
IL_08E7: ldc.i4.0
IL_08E8: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_08ED: nop
IL_08EE: dup
IL_08EF: ldc.i4.s 82
IL_08F1: ldc.i4.0
IL_08F2: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_08F7: nop
IL_08F8: dup
IL_08F9: ldc.i4.s 83
IL_08FB: ldc.i4.0
IL_08FC: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0901: nop
IL_0902: dup
IL_0903: ldc.i4.s 84
IL_0905: ldc.i4.0
IL_0906: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_090B: nop
IL_090C: dup
IL_090D: ldc.i4.s 85
IL_090F: ldc.i4.0
IL_0910: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0915: nop
IL_0916: dup
IL_0917: ldc.i4.s 86
IL_0919: ldc.i4.0
IL_091A: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_091F: nop
IL_0920: dup
IL_0921: ldc.i4.s 87
IL_0923: ldc.i4.0
IL_0924: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0929: nop
IL_092A: dup
IL_092B: ldc.i4.s 81
IL_092D: ldc.i4.0
IL_092E: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0933: nop
IL_0934: dup
IL_0935: ldc.i4 65038
IL_093A: ldc.i4.5
IL_093B: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0940: nop
IL_0941: dup
IL_0942: ldc.i4.s 10
IL_0944: ldc.i4.0
IL_0945: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_094A: nop
IL_094B: dup
IL_094C: ldc.i4.s 11
IL_094E: ldc.i4.0
IL_094F: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0954: nop
IL_0955: dup
IL_0956: ldc.i4.s 12
IL_0958: ldc.i4.0
IL_0959: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_095E: nop
IL_095F: dup
IL_0960: ldc.i4.s 13
IL_0962: ldc.i4.0
IL_0963: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0968: nop
IL_0969: dup
IL_096A: ldc.i4.s 19
IL_096C: ldc.i4.4
IL_096D: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0972: nop
IL_0973: dup
IL_0974: ldc.i4 129
IL_0979: ldc.i4.1
IL_097A: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_097F: nop
IL_0980: dup
IL_0981: ldc.i4 128
IL_0986: ldc.i4.1
IL_0987: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_098C: nop
IL_098D: dup
IL_098E: ldc.i4.s 89
IL_0990: ldc.i4.0
IL_0991: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0996: nop
IL_0997: dup
IL_0998: ldc.i4 218
IL_099D: ldc.i4.0
IL_099E: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_09A3: nop
IL_09A4: dup
IL_09A5: ldc.i4 219
IL_09AA: ldc.i4.0
IL_09AB: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_09B0: nop
IL_09B1: dup
IL_09B2: ldc.i4.s 69
IL_09B4: ldc.i4.8
IL_09B5: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_09BA: nop
IL_09BB: dup
IL_09BC: ldc.i4 65044
IL_09C1: ldc.i4.0
IL_09C2: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_09C7: nop
IL_09C8: dup
IL_09C9: ldc.i4.s 122
IL_09CB: ldc.i4.0
IL_09CC: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_09D1: nop
IL_09D2: dup
IL_09D3: ldc.i4 65042
IL_09D8: ldc.i4.4
IL_09D9: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_09DE: nop
IL_09DF: dup
IL_09E0: ldc.i4.s 121
IL_09E2: ldc.i4.1
IL_09E3: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_09E8: nop
IL_09E9: dup
IL_09EA: ldc.i4 165
IL_09EF: ldc.i4.1
IL_09F0: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_09F5: nop
IL_09F6: dup
IL_09F7: ldc.i4 65043
IL_09FC: ldc.i4.0
IL_09FD: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0A02: nop
IL_0A03: dup
IL_0A04: ldc.i4.s 97
IL_0A06: ldc.i4.0
IL_0A07: callvirt System.Void System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::Add(!0, !1)
IL_0A0C: nop
IL_0A0D: stloc.0
IL_0A0E: ldc.i4.0
IL_0A0F: stloc.1
IL_0A10: ldc.i4.0
IL_0A11: stloc.2
IL_0A12: ldc.i4.0
IL_0A13: stloc.3
IL_0A14: ldtoken FlareOn.Backdoor.Program
IL_0A19: call System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle)
IL_0A1E: callvirt System.Reflection.Module System.Type::get_Module()
IL_0A23: stloc.s V_4
IL_0A25: ldloc.s V_4
IL_0A27: ldarg.1
IL_0A28: callvirt System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)
IL_0A2D: stloc.s V_5
IL_0A2F: ldloc.s V_5
IL_0A31: castclass System.Reflection.MethodInfo
IL_0A36: stloc.s V_6
IL_0A38: ldloc.s V_6
IL_0A3A: callvirt System.Reflection.ParameterInfo[] System.Reflection.MethodBase::GetParameters()
IL_0A3F: stloc.s V_7
IL_0A41: ldloc.s V_7
IL_0A43: ldlen
IL_0A44: conv.i4
IL_0A45: newarr System.Type
IL_0A4A: stloc.s V_8
IL_0A4C: call System.Reflection.Emit.SignatureHelper System.Reflection.Emit.SignatureHelper::GetLocalVarSigHelper()
IL_0A51: stloc.s V_9
IL_0A53: ldc.i4.0
IL_0A54: stloc.s V_15
IL_0A56: br.s IL_0A6F
IL_0A58: nop
IL_0A59: ldloc.s V_8
IL_0A5B: ldloc.s V_15
IL_0A5D: ldloc.s V_7
IL_0A5F: ldloc.s V_15
IL_0A61: ldelem.ref
IL_0A62: callvirt System.Type System.Reflection.ParameterInfo::get_ParameterType()
IL_0A67: stelem.ref
IL_0A68: nop
IL_0A69: ldloc.s V_15
IL_0A6B: ldc.i4.1
IL_0A6C: add
IL_0A6D: stloc.s V_15
IL_0A6F: ldloc.s V_15
IL_0A71: ldloc.s V_8
IL_0A73: ldlen
IL_0A74: conv.i4
IL_0A75: clt
IL_0A77: stloc.s V_16
IL_0A79: ldloc.s V_16
IL_0A7B: brtrue.s IL_0A58
IL_0A7D: ldloc.s V_5
IL_0A7F: callvirt System.Type System.Reflection.MemberInfo::get_DeclaringType()
IL_0A84: stloc.s V_10
IL_0A86: ldstr ""
IL_0A8B: ldloc.s V_6
IL_0A8D: callvirt System.Type System.Reflection.MethodInfo::get_ReturnType()
IL_0A92: ldloc.s V_8
IL_0A94: ldloc.s V_10
IL_0A96: ldc.i4.1
IL_0A97: newobj System.Void System.Reflection.Emit.DynamicMethod::.ctor(System.String, System.Type, System.Type[], System.Type, System.Boolean)
IL_0A9C: stloc.s V_11
IL_0A9E: ldloc.s V_11
IL_0AA0: callvirt System.Reflection.Emit.DynamicILInfo System.Reflection.Emit.DynamicMethod::GetDynamicILInfo()
IL_0AA5: stloc.s V_12
IL_0AA7: ldloc.s V_6
IL_0AA9: callvirt System.Reflection.MethodBody System.Reflection.MethodBase::GetMethodBody()
IL_0AAE: stloc.s V_13
IL_0AB0: nop
IL_0AB1: ldloc.s V_13
IL_0AB3: callvirt System.Collections.Generic.IList`1<System.Reflection.LocalVariableInfo> System.Reflection.MethodBody::get_LocalVariables()
IL_0AB8: callvirt System.Collections.Generic.IEnumerator`1<System.Reflection.LocalVariableInfo> System.Collections.Generic.IEnumerable`1<System.Reflection.LocalVariableInfo>::GetEnumerator()
IL_0ABD: stloc.s V_17
IL_0ABF: br.s IL_0ADB
IL_0AC1: ldloc.s V_17
IL_0AC3: callvirt System.Reflection.LocalVariableInfo System.Collections.Generic.IEnumerator`1<System.Reflection.LocalVariableInfo>::get_Current()
IL_0AC8: stloc.s V_18
IL_0ACA: nop
IL_0ACB: ldloc.s V_9
IL_0ACD: ldloc.s V_18
IL_0ACF: callvirt System.Type System.Reflection.LocalVariableInfo::get_LocalType()
IL_0AD4: callvirt System.Void System.Reflection.Emit.SignatureHelper::AddArgument(System.Type)
IL_0AD9: nop
IL_0ADA: nop
IL_0ADB: ldloc.s V_17
IL_0ADD: callvirt System.Boolean System.Collections.IEnumerator::MoveNext()
IL_0AE2: brtrue.s IL_0AC1
IL_0AE4: leave.s IL_0AF3
IL_0AE6: ldloc.s V_17
IL_0AE8: brfalse.s IL_0AF2
IL_0AEA: ldloc.s V_17
IL_0AEC: callvirt System.Void System.IDisposable::Dispose()
IL_0AF1: nop
IL_0AF2: endfinally
IL_0AF3: ldloc.s V_9
IL_0AF5: callvirt System.Byte[] System.Reflection.Emit.SignatureHelper::GetSignature()
IL_0AFA: stloc.s V_14
IL_0AFC: ldloc.s V_12
IL_0AFE: ldloc.s V_14
IL_0B00: callvirt System.Void System.Reflection.Emit.DynamicILInfo::SetLocalSignature(System.Byte[])
IL_0B05: nop
IL_0B06: ldc.i4.0
IL_0B07: stloc.s V_19
IL_0B09: br IL_0DAC
IL_0B0E: nop
IL_0B0F: ldarg.0
IL_0B10: ldloc.s V_19
IL_0B12: ldelem.u1
IL_0B13: ldc.i4 254
IL_0B18: ceq
IL_0B1A: stloc.s V_21
IL_0B1C: ldloc.s V_21
IL_0B1E: brfalse.s IL_0B37
IL_0B20: nop
IL_0B21: ldc.i4 65024
IL_0B26: ldarg.0
IL_0B27: ldloc.s V_19
IL_0B29: ldc.i4.1
IL_0B2A: add
IL_0B2B: ldelem.u1
IL_0B2C: add
IL_0B2D: stloc.1
IL_0B2E: ldloc.s V_19
IL_0B30: ldc.i4.1
IL_0B31: add
IL_0B32: stloc.s V_19
IL_0B34: nop
IL_0B35: br.s IL_0B3E
IL_0B37: nop
IL_0B38: ldarg.0
IL_0B39: ldloc.s V_19
IL_0B3B: ldelem.u1
IL_0B3C: stloc.1
IL_0B3D: nop
IL_0B3E: ldloc.0
IL_0B3F: ldloc.1
IL_0B40: callvirt FlareOn.Backdoor.OT System.Collections.Generic.Dictionary`2<System.UInt32, FlareOn.Backdoor.OT>::get_Item(!0)
IL_0B45: stloc.s V_20
IL_0B47: ldloc.s V_19
IL_0B49: ldc.i4.1
IL_0B4A: add
IL_0B4B: stloc.s V_19
IL_0B4D: ldloc.s V_20
IL_0B4F: stloc.s V_23
IL_0B51: ldloc.s V_23
IL_0B53: stloc.s V_22
IL_0B55: ldloc.s V_22
IL_0B57: switch (IL_0B9B, IL_0BC1, IL_0B85, IL_0B90, IL_0B85, IL_0DA3, IL_0B90, IL_0BA0, IL_0BAB)
IL_0B80: br IL_0DAB
IL_0B85: ldloc.s V_19
IL_0B87: ldc.i4.1
IL_0B88: add
IL_0B89: stloc.s V_19
IL_0B8B: br IL_0DAB
IL_0B90: ldloc.s V_19
IL_0B92: ldc.i4.4
IL_0B93: add
IL_0B94: stloc.s V_19
IL_0B96: br IL_0DAB
IL_0B9B: br IL_0DAB
IL_0BA0: ldloc.s V_19
IL_0BA2: ldc.i4.8
IL_0BA3: add
IL_0BA4: stloc.s V_19
IL_0BA6: br IL_0DAB
IL_0BAB: ldloc.s V_19
IL_0BAD: ldc.i4.4
IL_0BAE: ldarg.0
IL_0BAF: ldloc.s V_19
IL_0BB1: call System.Int32 FlareOn.Backdoor.FLARE15::flare_68(System.Byte[], System.Int32)
IL_0BB6: ldc.i4.4
IL_0BB7: mul
IL_0BB8: add
IL_0BB9: add
IL_0BBA: stloc.s V_19
IL_0BBC: br IL_0DAB
IL_0BC1: ldarg.0
IL_0BC2: ldloc.s V_19
IL_0BC4: call System.Int32 FlareOn.Backdoor.FLARE15::flare_68(System.Byte[], System.Int32)
IL_0BC9: stloc.2
IL_0BCA: ldloc.2
IL_0BCB: ldc.i4 -1567054147
IL_0BD0: xor
IL_0BD1: stloc.2
IL_0BD2: ldloc.2
IL_0BD3: ldc.i4 1879048192
IL_0BD8: blt.un.s IL_0BE4
IL_0BDA: ldloc.2
IL_0BDB: ldc.i4 1879113727
IL_0BE0: clt.un
IL_0BE2: br.s IL_0BE5
IL_0BE4: ldc.i4.0
IL_0BE5: stloc.s V_24
IL_0BE7: ldloc.s V_24
IL_0BE9: brfalse.s IL_0C02
IL_0BEB: nop
IL_0BEC: ldloc.s V_12
IL_0BEE: ldloc.s V_4
IL_0BF0: ldloc.2
IL_0BF1: callvirt System.String System.Reflection.Module::ResolveString(System.Int32)
IL_0BF6: callvirt System.Int32 System.Reflection.Emit.DynamicILInfo::GetTokenFor(System.String)
IL_0BFB: stloc.3
IL_0BFC: nop
IL_0BFD: br IL_0D75
IL_0C02: nop
IL_0C03: ldloc.s V_6
IL_0C05: callvirt System.Type System.Reflection.MemberInfo::get_DeclaringType()
IL_0C0A: stloc.s V_25
IL_0C0C: ldnull
IL_0C0D: stloc.s V_26
IL_0C0F: ldnull
IL_0C10: stloc.s V_27
IL_0C12: ldloc.s V_25
IL_0C14: callvirt System.Boolean System.Type::get_IsGenericType()
IL_0C19: brtrue.s IL_0C24
IL_0C1B: ldloc.s V_25
IL_0C1D: callvirt System.Boolean System.Type::get_IsGenericTypeDefinition()
IL_0C22: br.s IL_0C25
IL_0C24: ldc.i4.1
IL_0C25: stloc.s V_29
IL_0C27: ldloc.s V_29
IL_0C29: brfalse.s IL_0C34
IL_0C2B: ldloc.s V_25
IL_0C2D: callvirt System.Type[] System.Type::GetGenericArguments()
IL_0C32: stloc.s V_26
IL_0C34: ldloc.s V_6
IL_0C36: callvirt System.Boolean System.Reflection.MethodBase::get_IsGenericMethod()
IL_0C3B: brtrue.s IL_0C46
IL_0C3D: ldloc.s V_6
IL_0C3F: callvirt System.Boolean System.Reflection.MethodBase::get_IsGenericMethodDefinition()
IL_0C44: br.s IL_0C47
IL_0C46: ldc.i4.1
IL_0C47: stloc.s V_30
IL_0C49: ldloc.s V_30
IL_0C4B: brfalse.s IL_0C56
IL_0C4D: ldloc.s V_6
IL_0C4F: callvirt System.Type[] System.Reflection.MethodBase::GetGenericArguments()
IL_0C54: stloc.s V_27
IL_0C56: ldloc.s V_25
IL_0C58: callvirt System.Reflection.Module System.Type::get_Module()
IL_0C5D: ldloc.2
IL_0C5E: ldloc.s V_26
IL_0C60: ldloc.s V_27
IL_0C62: callvirt System.Reflection.MemberInfo System.Reflection.Module::ResolveMember(System.Int32, System.Type[], System.Type[])
IL_0C67: stloc.s V_28
IL_0C69: ldloc.s V_28
IL_0C6B: callvirt System.Type System.Object::GetType()
IL_0C70: callvirt System.String System.Reflection.MemberInfo::get_Name()
IL_0C75: ldstr "RtFieldInfo"
IL_0C7A: call System.Boolean System.String::op_Equality(System.String, System.String)
IL_0C7F: stloc.s V_31
IL_0C81: ldloc.s V_31
IL_0C83: brfalse.s IL_0CB6
IL_0C85: nop
IL_0C86: ldloc.s V_12
IL_0C88: ldloc.s V_28
IL_0C8A: castclass System.Reflection.FieldInfo
IL_0C8F: callvirt System.RuntimeFieldHandle System.Reflection.FieldInfo::get_FieldHandle()
IL_0C94: ldloc.s V_28
IL_0C96: castclass System.Reflection.FieldInfo
IL_0C9B: callvirt System.Type System.Reflection.MemberInfo::get_DeclaringType()
IL_0CA0: castclass System.Reflection.TypeInfo
IL_0CA5: callvirt System.RuntimeTypeHandle System.Type::get_TypeHandle()
IL_0CAA: callvirt System.Int32 System.Reflection.Emit.DynamicILInfo::GetTokenFor(System.RuntimeFieldHandle, System.RuntimeTypeHandle)
IL_0CAF: stloc.3
IL_0CB0: nop
IL_0CB1: br IL_0D74
IL_0CB6: ldloc.s V_28
IL_0CB8: callvirt System.Type System.Object::GetType()
IL_0CBD: callvirt System.String System.Reflection.MemberInfo::get_Name()
IL_0CC2: ldstr "RuntimeType"
IL_0CC7: call System.Boolean System.String::op_Equality(System.String, System.String)
IL_0CCC: stloc.s V_32
IL_0CCE: ldloc.s V_32
IL_0CD0: brfalse.s IL_0CED
IL_0CD2: nop
IL_0CD3: ldloc.s V_12
IL_0CD5: ldloc.s V_28
IL_0CD7: castclass System.Reflection.TypeInfo
IL_0CDC: callvirt System.RuntimeTypeHandle System.Type::get_TypeHandle()
IL_0CE1: callvirt System.Int32 System.Reflection.Emit.DynamicILInfo::GetTokenFor(System.RuntimeTypeHandle)
IL_0CE6: stloc.3
IL_0CE7: nop
IL_0CE8: br IL_0D74
IL_0CED: ldloc.s V_28
IL_0CEF: callvirt System.String System.Reflection.MemberInfo::get_Name()
IL_0CF4: ldstr ".ctor"
IL_0CF9: call System.Boolean System.String::op_Equality(System.String, System.String)
IL_0CFE: brtrue.s IL_0D13
IL_0D00: ldloc.s V_28
IL_0D02: callvirt System.String System.Reflection.MemberInfo::get_Name()
IL_0D07: ldstr ".cctor"
IL_0D0C: call System.Boolean System.String::op_Equality(System.String, System.String)
IL_0D11: br.s IL_0D14
IL_0D13: ldc.i4.1
IL_0D14: stloc.s V_33
IL_0D16: ldloc.s V_33
IL_0D18: brfalse.s IL_0D48
IL_0D1A: nop
IL_0D1B: ldloc.s V_12
IL_0D1D: ldloc.s V_28
IL_0D1F: castclass System.Reflection.ConstructorInfo
IL_0D24: callvirt System.RuntimeMethodHandle System.Reflection.MethodBase::get_MethodHandle()
IL_0D29: ldloc.s V_28
IL_0D2B: castclass System.Reflection.ConstructorInfo
IL_0D30: callvirt System.Type System.Reflection.MemberInfo::get_DeclaringType()
IL_0D35: castclass System.Reflection.TypeInfo
IL_0D3A: callvirt System.RuntimeTypeHandle System.Type::get_TypeHandle()
IL_0D3F: callvirt System.Int32 System.Reflection.Emit.DynamicILInfo::GetTokenFor(System.RuntimeMethodHandle, System.RuntimeTypeHandle)
IL_0D44: stloc.3
IL_0D45: nop
IL_0D46: br.s IL_0D74
IL_0D48: nop
IL_0D49: ldloc.s V_12
IL_0D4B: ldloc.s V_28
IL_0D4D: castclass System.Reflection.MethodInfo
IL_0D52: callvirt System.RuntimeMethodHandle System.Reflection.MethodBase::get_MethodHandle()
IL_0D57: ldloc.s V_28
IL_0D59: castclass System.Reflection.MethodInfo
IL_0D5E: callvirt System.Type System.Reflection.MemberInfo::get_DeclaringType()
IL_0D63: castclass System.Reflection.TypeInfo
IL_0D68: callvirt System.RuntimeTypeHandle System.Type::get_TypeHandle()
IL_0D6D: callvirt System.Int32 System.Reflection.Emit.DynamicILInfo::GetTokenFor(System.RuntimeMethodHandle, System.RuntimeTypeHandle)
IL_0D72: stloc.3
IL_0D73: nop
IL_0D74: nop
IL_0D75: ldarg.0
IL_0D76: ldloc.s V_19
IL_0D78: ldloc.3
IL_0D79: conv.u1
IL_0D7A: stelem.i1
IL_0D7B: ldarg.0
IL_0D7C: ldloc.s V_19
IL_0D7E: ldc.i4.1
IL_0D7F: add
IL_0D80: ldloc.3
IL_0D81: ldc.i4.8
IL_0D82: shr
IL_0D83: conv.u1
IL_0D84: stelem.i1
IL_0D85: ldarg.0
IL_0D86: ldloc.s V_19
IL_0D88: ldc.i4.2
IL_0D89: add
IL_0D8A: ldloc.3
IL_0D8B: ldc.i4.s 16
IL_0D8D: shr
IL_0D8E: conv.u1
IL_0D8F: stelem.i1
IL_0D90: ldarg.0
IL_0D91: ldloc.s V_19
IL_0D93: ldc.i4.3
IL_0D94: add
IL_0D95: ldloc.3
IL_0D96: ldc.i4.s 24
IL_0D98: shr
IL_0D99: conv.u1
IL_0D9A: stelem.i1
IL_0D9B: ldloc.s V_19
IL_0D9D: ldc.i4.4
IL_0D9E: add
IL_0D9F: stloc.s V_19
IL_0DA1: br.s IL_0DAB
IL_0DA3: ldloc.s V_19
IL_0DA5: ldc.i4.2
IL_0DA6: add
IL_0DA7: stloc.s V_19
IL_0DA9: br.s IL_0DAB
IL_0DAB: nop
IL_0DAC: ldloc.s V_19
IL_0DAE: ldarg.0
IL_0DAF: ldlen
IL_0DB0: conv.i4
IL_0DB1: clt
IL_0DB3: stloc.s V_34
IL_0DB5: ldloc.s V_34
IL_0DB7: brtrue IL_0B0E
IL_0DBC: ldloc.s V_12
IL_0DBE: ldarg.0
IL_0DBF: ldloc.s V_13
IL_0DC1: callvirt System.Int32 System.Reflection.MethodBody::get_MaxStackSize()
IL_0DC6: callvirt System.Void System.Reflection.Emit.DynamicILInfo::SetCode(System.Byte[], System.Int32)
IL_0DCB: nop
IL_0DCC: ldloc.s V_11
IL_0DCE: ldnull
IL_0DCF: ldarg.2
IL_0DD0: callvirt System.Object System.Reflection.MethodBase::Invoke(System.Object, System.Object[])
IL_0DD5: stloc.s V_35
IL_0DD7: br.s IL_0DD9
IL_0DD9: ldloc.s V_35
IL_0DDB: ret
After decompiling the MS IL code of the flared_67 function, I obtained the following C# code:
public static object flared_67(byte[] b, int tk, object[] a)
{
var dictionary = new Dictionary<uint, FLARE06.OT>(){ // loc.0
{88, FLARE06.OT.A}, {214, FLARE06.OT.A}, {215, FLARE06.OT.A}, {95, FLARE06.OT.A}, {65024, FLARE06.OT.A}, {59, FLARE06.OT.D}, {46, FLARE06.OT.C}, {60, FLARE06.OT.D}, {47, FLARE06.OT.C}, {65, FLARE06.OT.D}, {52, FLARE06.OT.C}, {61, FLARE06.OT.D}, {48, FLARE06.OT.C}, {66, FLARE06.OT.D}, {53, FLARE06.OT.C}, {62, FLARE06.OT.D}, {49, FLARE06.OT.C}, {67, FLARE06.OT.D}, {54, FLARE06.OT.C}, {63, FLARE06.OT.D}, {50, FLARE06.OT.C}, {68, FLARE06.OT.D}, {55, FLARE06.OT.C}, {64, FLARE06.OT.D}, {51, FLARE06.OT.C}, {140, FLARE06.OT.B}, {56, FLARE06.OT.D}, {43, FLARE06.OT.C}, {1, FLARE06.OT.A}, {57, FLARE06.OT.D}, {44, FLARE06.OT.C}, {58, FLARE06.OT.D}, {45, FLARE06.OT.C}, {40, FLARE06.OT.B}, {41, FLARE06.OT.B}, {111, FLARE06.OT.B}, {116, FLARE06.OT.B}, {65025, FLARE06.OT.A}, {65026, FLARE06.OT.A}, {65027, FLARE06.OT.A}, {195, FLARE06.OT.A}, {65028, FLARE06.OT.A}, {65029, FLARE06.OT.A}, {65046, FLARE06.OT.B}, {211, FLARE06.OT.A}, {103, FLARE06.OT.A}, {104, FLARE06.OT.A}, {105, FLARE06.OT.A}, {106, FLARE06.OT.A}, {212, FLARE06.OT.A}, {138, FLARE06.OT.A}, {179, FLARE06.OT.A}, {130, FLARE06.OT.A}, {181, FLARE06.OT.A}, {131, FLARE06.OT.A}, {183, FLARE06.OT.A}, {132, FLARE06.OT.A}, {185, FLARE06.OT.A}, {133, FLARE06.OT.A}, {213, FLARE06.OT.A}, {139, FLARE06.OT.A}, {180, FLARE06.OT.A}, {134, FLARE06.OT.A}, {182, FLARE06.OT.A}, {135, FLARE06.OT.A}, {184, FLARE06.OT.A}, {136, FLARE06.OT.A}, {186, FLARE06.OT.A}, {137, FLARE06.OT.A}, {118, FLARE06.OT.A}, {107, FLARE06.OT.A}, {108, FLARE06.OT.A}, {224, FLARE06.OT.A}, {210, FLARE06.OT.A}, {209, FLARE06.OT.A}, {109, FLARE06.OT.A}, {110, FLARE06.OT.A}, {65047, FLARE06.OT.A}, {112, FLARE06.OT.B}, {91, FLARE06.OT.A}, {92, FLARE06.OT.A}, {37, FLARE06.OT.A}, {65041, FLARE06.OT.A}, {220, FLARE06.OT.A}, {65048, FLARE06.OT.A}, {65045, FLARE06.OT.B}, {117, FLARE06.OT.B}, {39, FLARE06.OT.B}, {65033, FLARE06.OT.F}, {2, FLARE06.OT.A}, {3, FLARE06.OT.A}, {4, FLARE06.OT.A}, {5, FLARE06.OT.A}, {14, FLARE06.OT.E}, {65034, FLARE06.OT.F}, {15, FLARE06.OT.E}, 
{32, FLARE06.OT.G}, {22, FLARE06.OT.A}, {23, FLARE06.OT.A}, {24, FLARE06.OT.A}, {25, FLARE06.OT.A}, {26, FLARE06.OT.A}, {27, FLARE06.OT.A}, {28, FLARE06.OT.A}, {29, FLARE06.OT.A}, {30, FLARE06.OT.A}, {21, FLARE06.OT.A}, {31, FLARE06.OT.E}, {33, FLARE06.OT.H}, {34, FLARE06.OT.G}, {35, FLARE06.OT.H}, {163, FLARE06.OT.B}, {151, FLARE06.OT.A}, {144, FLARE06.OT.A}, {146, FLARE06.OT.A}, {148, FLARE06.OT.A}, {150, FLARE06.OT.A}, {152, FLARE06.OT.A}, {153, FLARE06.OT.A}, {154, FLARE06.OT.A}, {145, FLARE06.OT.A}, {147, FLARE06.OT.A}, {149, FLARE06.OT.A}, {143, FLARE06.OT.B}, {123, FLARE06.OT.B}, {124, FLARE06.OT.B}, {65030, FLARE06.OT.B}, {77, FLARE06.OT.A}, {70, FLARE06.OT.A}, {72, FLARE06.OT.A}, {74, FLARE06.OT.A}, {76, FLARE06.OT.A}, {78, FLARE06.OT.A}, {79, FLARE06.OT.A}, {80, FLARE06.OT.A}, {71, FLARE06.OT.A}, {73, FLARE06.OT.A}, {75, FLARE06.OT.A}, {142, FLARE06.OT.A}, {65036, FLARE06.OT.F}, {6, FLARE06.OT.A}, {7, FLARE06.OT.A}, {8, FLARE06.OT.A}, {9, FLARE06.OT.A}, {17, FLARE06.OT.E}, {65037, FLARE06.OT.F}, {18, FLARE06.OT.E}, {20, FLARE06.OT.A}, {113, FLARE06.OT.B}, {126, FLARE06.OT.B}, {127, FLARE06.OT.B}, {114, FLARE06.OT.B}, {208, FLARE06.OT.B}, {65031, FLARE06.OT.B}, {221, FLARE06.OT.D}, {222, FLARE06.OT.C}, {65039, FLARE06.OT.A}, {198, FLARE06.OT.B}, {90, FLARE06.OT.A}, {216, FLARE06.OT.A}, {217, FLARE06.OT.A}, {101, FLARE06.OT.A}, {141, FLARE06.OT.B}, {115, FLARE06.OT.B}, {65049, FLARE06.OT.E}, {0, FLARE06.OT.A}, {102, FLARE06.OT.A}, {96, FLARE06.OT.A}, {38, FLARE06.OT.A}, {254, FLARE06.OT.A}, {253, FLARE06.OT.A}, {252, FLARE06.OT.A}, {251, FLARE06.OT.A}, {250, FLARE06.OT.A}, {249, FLARE06.OT.A}, {248, FLARE06.OT.A}, {255, FLARE06.OT.A}, {65054, FLARE06.OT.A}, {65053, FLARE06.OT.A}, {194, FLARE06.OT.B}, {93, FLARE06.OT.A}, {94, FLARE06.OT.A}, {42, FLARE06.OT.A}, {65050, FLARE06.OT.A}, {98, FLARE06.OT.A}, {99, FLARE06.OT.A}, {100, FLARE06.OT.A}, {65052, FLARE06.OT.B}, {65035, FLARE06.OT.F}, {16, FLARE06.OT.E}, {164, FLARE06.OT.B}, {155, FLARE06.OT.A}, {156, 
FLARE06.OT.A}, {157, FLARE06.OT.A}, {158, FLARE06.OT.A}, {159, FLARE06.OT.A}, {160, FLARE06.OT.A}, {161, FLARE06.OT.A}, {162, FLARE06.OT.A}, {125, FLARE06.OT.B}, {223, FLARE06.OT.A}, {82, FLARE06.OT.A}, {83, FLARE06.OT.A}, {84, FLARE06.OT.A}, {85, FLARE06.OT.A}, {86, FLARE06.OT.A}, {87, FLARE06.OT.A}, {81, FLARE06.OT.A}, {65038, FLARE06.OT.F}, {10, FLARE06.OT.A}, {11, FLARE06.OT.A}, {12, FLARE06.OT.A}, {13, FLARE06.OT.A}, {19, FLARE06.OT.E}, {129, FLARE06.OT.B}, {128, FLARE06.OT.B}, {89, FLARE06.OT.A}, {218, FLARE06.OT.A}, {219, FLARE06.OT.A}, {69, FLARE06.OT.I}, {65044, FLARE06.OT.A}, {122, FLARE06.OT.A}, {65042, FLARE06.OT.E}, {121, FLARE06.OT.B}, {165, FLARE06.OT.B}, {65043, FLARE06.OT.A}, {97, FLARE06.OT.A}};
    // loc.1 = 0
    // loc.2 = 0
    // loc.3 = 0
    var module = typeof(FlareOn.Backdoor.Program).Module; // V_4
    var methodBase = module.ResolveMethod(tk); // V_5
    var methodInfo = (MethodInfo)methodBase; // V_6
    var parameters = methodInfo.GetParameters(); // V_7
    var parameterTypes = new Type[parameters.Length]; // V_8
    var signatureHelper = SignatureHelper.GetLocalVarSigHelper(); // V_9
    // V_15 = 0
    for (var i = 0; i < parameters.Length; i++)
    {
        parameterTypes[i] = parameters[i].ParameterType;
    }
    var declaringType = methodBase.DeclaringType; // V_10
    var dynamicMethod = new DynamicMethod("", methodInfo.ReturnType, parameterTypes, declaringType, true); // V_11
    var dynamicIlInfo = dynamicMethod.GetDynamicILInfo(); // V_12
    var methodBody = methodInfo.GetMethodBody(); // V_13
    methodBody.LocalVariables.GetEnumerator(); // V_17
    foreach (var localVariableInfo in methodBody.LocalVariables)
    {
        signatureHelper.AddArgument(localVariableInfo.LocalType);
    }
    var signature = signatureHelper.GetSignature(); // V_14
    dynamicIlInfo.SetLocalSignature(signature);
    // V_19 = 0
    for (var i = 0; i < b.Length;) //V_19 (i)
    {
        int dict_index;
        if (b[i] == 254)
        {
            dict_index = 65024 + b[i + 1];
            i++;
        }
        else
        {
            dict_index = b[i];
        }
        FLARE06.OT value = dictionary[(uint)dict_index]; // V_20
        i++;
        switch (value)
        {
            case FLARE06.OT.A:
                break;
            case FLARE06.OT.B:
                int token;
                var result = flare_68(b, i);
                var key_1 = -1567054147;
                result ^= key_1;
                // IL_0BD2..IL_0BE5: both comparisons are unsigned and both must hold
                if ((uint)result >= 0x70000000 && (uint)result < 0x7000FFFF)
                {
                    var resolvedString = module.ResolveString(result);
                    token = dynamicIlInfo.GetTokenFor(resolvedString);//loc.3
                }
                else
                {
                    Type methodInfoDeclaringType = methodInfo.DeclaringType; // V_25;
                    Type[] methodDeclaringTypeGenericArguments = null; // V_26;
                    Type[] methodInfoGenericArguments = null; // V_27;
                    var isGenericType = methodInfoDeclaringType.IsGenericType || methodInfoDeclaringType.IsGenericTypeDefinition; // V_29
                    if (isGenericType)
                    {
                        methodDeclaringTypeGenericArguments = methodInfoDeclaringType.GetGenericArguments(); //V_26
                    }
                    var isGenericMethod = methodInfo.IsGenericMethod || methodInfo.IsGenericMethodDefinition; //V_30
                    if (isGenericMethod)
                    {
                        methodInfoGenericArguments = methodInfo.GetGenericArguments(); //V_27
                    }
                    var methodInfoDeclaringTypeModule = methodInfoDeclaringType.Module;
                    var memberInfo = methodInfoDeclaringTypeModule.ResolveMember(result, methodDeclaringTypeGenericArguments, methodInfoGenericArguments); // v_28
                    var memberInfoTypeName = memberInfo.GetType().Name;
                    if (memberInfoTypeName == "RtFieldInfo")
                    {
                        var fieldInfo = (FieldInfo)memberInfo;
                        var fieldInfoDeclaringType = (TypeInfo)fieldInfo.DeclaringType;
                        token = dynamicIlInfo.GetTokenFor(fieldInfo.FieldHandle, fieldInfoDeclaringType.TypeHandle); //loc.3;
                    }
                    else if (memberInfoTypeName == "RuntimeType")
                    {
                        var typeInfo = (TypeInfo)memberInfo;
                        token = dynamicIlInfo.GetTokenFor(typeInfo.TypeHandle); //loc.3;
                    }
                    else
                    {
                        if (memberInfo.Name == ".ctor" || memberInfo.Name == ".cctor")
                        {
                            var constructorInfo = (ConstructorInfo)memberInfo;
                            var constructorHandle = constructorInfo.MethodHandle;
                            var typeInfo = (TypeInfo)constructorInfo.DeclaringType;
                            var typeHandle = typeInfo.TypeHandle;
                            token = dynamicIlInfo.GetTokenFor(constructorHandle, typeHandle); // loc.3
                        }
                        else
                        {
                            var memberAsMethodInfo = (MethodInfo)memberInfo;
                            var typeInfo = (TypeInfo)memberAsMethodInfo.DeclaringType;
                            token = dynamicIlInfo.GetTokenFor(memberAsMethodInfo.MethodHandle, typeInfo.TypeHandle);
                        }
                    }
                }
                b[i] = (byte)token;
                b[i + 1] = (byte)(token >> 8);
                b[i + 2] = (byte)(token >> 16);
                b[i + 3] = (byte)(token >> 24);
                i += 4;
                break;
            case FLARE06.OT.C:
                i++;
                break;
            case FLARE06.OT.D:
                i += 4;
                break;
            case FLARE06.OT.E:
                i++;
                break;
            case FLARE06.OT.F:
                i += 2;
                break;
            case FLARE06.OT.G:
                i += 4;
                break;
            case FLARE06.OT.H:
                i += 8;
                break;
            case FLARE06.OT.I:
                //i++;
                var result2 = flare_68(b, i);
                i = result2 * 4 + 4 + i;
                break;
            default:
                throw new NotImplementedException();
        }
    }
    var maxStackSize = methodBody.MaxStackSize;
    dynamicIlInfo.SetCode(b, maxStackSize);
    var dynamicMethodResult = dynamicMethod.Invoke(null, a);
    return dynamicMethodResult;
}
Because the flared_67 function used the flare_68 function, I proceeded to analyze it.
5.6 Analysis of the flare_68 function
After decompilation, the flare_68 function looked as follows:
public static int flare_68(byte[] b, int o)
{
    int num;
    try
    {
        num = FLARE15.flared_68(b, o);
    }
    catch (InvalidProgramException ex)
    {
        num = (int)FLARE15.flare_71(ex, new object[] { b, o }, new Dictionary<uint, int>(), FLARE15.rt_b);
    }
    return num;
}
After decrypting the flared_68 function, I obtained the following MS IL code:
IL_0000: nop
IL_0001: ldc.i4.0
IL_0002: stloc.0
IL_0003: ldarg.0
IL_0004: ldarg.1
IL_0005: ldc.i4.3
IL_0006: add
IL_0007: ldelem.u1
IL_0008: ldc.i4 16777216
IL_000D: mul
IL_000E: stloc.0
IL_000F: ldloc.0
IL_0010: ldarg.0
IL_0011: ldarg.1
IL_0012: ldc.i4.2
IL_0013: add
IL_0014: ldelem.u1
IL_0015: ldc.i4 65536
IL_001A: mul
IL_001B: add
IL_001C: stloc.0
IL_001D: ldloc.0
IL_001E: ldarg.0
IL_001F: ldarg.1
IL_0020: ldc.i4.1
IL_0021: add
IL_0022: ldelem.u1
IL_0023: ldc.i4 256
IL_0028: mul
IL_0029: add
IL_002A: stloc.0
IL_002B: ldloc.0
IL_002C: ldarg.0
IL_002D: ldarg.1
IL_002E: ldelem.u1
IL_002F: add
IL_0030: stloc.0
IL_0031: ldloc.0
IL_0032: stloc.1
IL_0033: br.s IL_0035
IL_0035: ldloc.1
IL_0036: ret
After decompiling the MS IL code of the flared_68 function, I obtained the following C# code:
public static int flared_68(byte[] b, int o)
{
    int num = 0;
    num = b[o + 3] << 24;
    num += b[o + 2] << 16;
    num += b[o + 1] << 8;
    return num + b[o];
}
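The operand walk performed by flared_67, together with the little-endian read from flared_68, as an added Python example (not code from the original write-up). Instead of resolving each token through reflection it writes the de-XORed metadata token back into the IL bytes; the opcode sets are condensed from the dictionary in the listing, opcodes outside them are treated as operand-less, and SAMPLE_IL is a constructed body.

```python
import struct

TOKEN_XOR_KEY = 0xA298A6BD  # -1567054147 from the listing, as an unsigned 32-bit value

# Operand classes condensed from the dictionary in the flared_67 listing.
# Two-byte opcodes (0xFE xx) are keyed as 0xFE00 + xx, as in the listing.
TOKEN_OPS = {  # class B: 4-byte metadata token, stored XOR-ed with the key
    0x27, 0x28, 0x29, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x79,
    0x7B, 0x7C, 0x7D, 0x7E, 0x7F, 0x80, 0x81, 0x8C, 0x8D, 0x8F,
    0xA3, 0xA4, 0xA5, 0xC2, 0xC6, 0xD0,
    0xFE06, 0xFE07, 0xFE15, 0xFE16, 0xFE1C,
}
OPERAND_SIZE = {0xDE: 1, 0xDD: 4, 0x20: 4, 0x22: 4, 0x21: 8, 0x23: 8}
OPERAND_SIZE.update({op: 1 for op in range(0x2B, 0x38)})       # class C
OPERAND_SIZE.update({op: 4 for op in range(0x38, 0x45)})       # class D
OPERAND_SIZE.update({op: 1 for op in (0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13,
                                      0x1F, 0xFE12, 0xFE19)})  # class E
OPERAND_SIZE.update({op: 2 for op in range(0xFE09, 0xFE0F)})   # class F
SWITCH_OP = 0x45                                               # class I

# Metadata table ids (top byte of a token); 0x70 marks a user string.
TABLE_NAMES = {0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field",
               0x06: "MethodDef", 0x0A: "MemberRef", 0x1B: "TypeSpec",
               0x2B: "MethodSpec", 0x70: "String"}


def read_u32(buf, offset):
    """Little-endian 32-bit read, the job flared_68 does in the sample."""
    if offset + 4 > len(buf):
        raise ValueError(f"truncated operand at offset {offset}")
    return struct.unpack_from("<I", buf, offset)[0]


def deobfuscate_tokens(il):
    """Walk an IL body, un-XOR every token operand, return (patched, tokens)."""
    buf = bytearray(il)
    tokens = []
    i = 0
    while i < len(buf):
        op = buf[i]
        i += 1
        if op == 0xFE:                       # two-byte opcode prefix
            if i >= len(buf):
                raise ValueError("truncated two-byte opcode")
            op = 0xFE00 + buf[i]
            i += 1
        if op in TOKEN_OPS:
            token = read_u32(buf, i) ^ TOKEN_XOR_KEY
            struct.pack_into("<I", buf, i, token)
            tokens.append((i, token, TABLE_NAMES.get(token >> 24, "unknown")))
            i += 4
        elif op == SWITCH_OP:                # count, then count 4-byte targets
            i += 4 + 4 * read_u32(buf, i)
        else:
            i += OPERAND_SIZE.get(op, 0)     # class A: no operand
        if i > len(buf):
            raise ValueError("operand runs past the end of the body")
    return bytes(buf), tokens


def enc_token(token):
    """Encode a token the way the protected bodies store it (for the sample)."""
    return struct.pack("<I", token ^ TOKEN_XOR_KEY)


# Constructed IL body, not taken from the binary.
SAMPLE_IL = (
    b"\x00"                                          # nop
    + b"\x72" + enc_token(0x70000001)                # ldstr <string token>
    + b"\x20" + struct.pack("<I", 0x12345678)        # ldc.i4: plain operand
    + b"\x2B\x00"                                    # br.s
    + b"\x45" + struct.pack("<I", 2) + bytes(8)      # switch with 2 targets
    + b"\xFE\x16" + enc_token(0x02000003)            # constrained. <type>
    + b"\x6F" + enc_token(0x0A000010)                # callvirt <member ref>
    + b"\x2A"                                        # ret
)

if __name__ == "__main__":
    patched, found = deobfuscate_tokens(SAMPLE_IL)
    for offset, token, table in found:
        print(f"IL_{offset:04X}: 0x{token:08X} ({table})")
```

The operand table is what keeps the ldc.i4 constant and the switch targets from being misread as opcodes or tokens.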
6. Decrypting the code
Next, I proceeded to fully decrypt the code. For this purpose I wrote the following functions:
private static void PatchFile(string path_input)
{
    var module = ModuleDefinition.FromFile(path_input);
    var methods = module.GetAllTypes()
        .Where(p => p.IsClass)
        .SelectMany(t => t.Methods)
        .Where(m => m.FullName.Contains("flared"));
    FLARE15.flare_74();
    var patchTool = new PatchTool();
    foreach (var method in methods)
    {
        var methodCallers = method.FindCallersInModule(module);
        if (methodCallers.Any())
        {
            if (methodCallers.Count() > 1)
            {
                throw new NotImplementedException("Many callers");
            }
            var methodCaller = methodCallers.First();
            var patch = patchTool.Decrypt(module, method, methodCaller);
            patchTool.Patch(module, method, patch);
        }
    }
    module.Write(path_patched); // path_patched: output path, declared outside this listing
}
public static IEnumerable<MethodDefinition> FindCallersInModule(this MethodDefinition methodDefinition, ModuleDefinition moduleDefinition)
{
    var methodCallers = moduleDefinition.GetAllTypes().Where(type => type.IsClass)
        .SelectMany(cl => cl.Methods)
        .Where(m =>
        {
            bool isReference;
            try
            {
                m.CilMethodBody.ComputeMaxStack();
                isReference = m.CilMethodBody.Instructions.Any(i =>
                    i.OpCode == CilOpCodes.Call && i.Operand.ToString().Equals(methodDefinition.FullName));
            }
            catch (Exception e)
            {
                // Methods whose bodies are still encrypted fail here and are skipped.
                isReference = false;
            }
            return isReference;
        });
    return methodCallers;
}
and the PatchTool class:
internal class PatchTool
{
    public DynamicMethod Decrypt(ModuleDefinition moduleDefinition, MethodDefinition method, MethodDefinition methodCaller)
    {
        var mToken = method.MetadataToken.ToInt32();
        Console.WriteLine("Token: " + mToken.ToString("X"));
        DynamicMethod result = null;
        var lookForUnpackCall = false;
        foreach (var instruction in methodCaller.CilMethodBody.Instructions)
        {
            // The decrypting call sits in the catch handler, after the first leave instruction.
            if (!lookForUnpackCall &&
                (instruction.OpCode == CilOpCodes.Leave || instruction.OpCode == CilOpCodes.Leave_S))
            {
                lookForUnpackCall = true;
                continue;
            }
            if (lookForUnpackCall && instruction.OpCode == CilOpCodes.Call)
            {
                if (instruction.Operand.ToString()
                    .Equals(
                        "System.Object FlareOn.Backdoor.FLARE15::flare_70(System.InvalidProgramException, System.Object[])"))
                {
                    var args = method.GetDefaultParameters();
                    result = this.DecryptUsingFlare_70(moduleDefinition, mToken,
                        new object[] { new InvalidProgramException(), args });
                    break;
                }
                if (instruction.Operand.ToString()
                    .Equals(
                        "System.Object FlareOn.Backdoor.FLARE15::flare_71(System.InvalidProgramException, System.Object[], System.Collections.Generic.Dictionary`2<System.UInt32, System.Int32>, System.Byte[])"))
                {
                    // The two instructions before the call load the dictionary and byte[] arguments.
                    var callIndex = methodCaller.CilMethodBody.Instructions.IndexOf(instruction);
                    var param_a = methodCaller.CilMethodBody.Instructions[callIndex - 2];
                    var param_b = methodCaller.CilMethodBody.Instructions[callIndex - 1];
                    var param_a_field_info = param_a.GetOperandFieldInfo(moduleDefinition);
                    var param_b_field_info = param_b.GetOperandFieldInfo(moduleDefinition);
                    var param_a_value = param_a_field_info == null ? new Dictionary<uint, int>() : (Dictionary<uint, int>)param_a_field_info.GetValue(null);
                    var param_b_value = param_b_field_info == null ? new byte[] { } : (byte[])param_b_field_info.GetValue(null);
                    var args = method.GetDefaultParameters();
                    result = this.DecryptUsingFlare_71(mToken, args, param_a_value, param_b_value);
                    break;
                }
                throw new NotImplementedException($"I don't know what to do: {instruction.Operand.ToString()}");
            }
        }
        return result;
    }
    public void Patch(ModuleDefinition moduleDefinition, MethodDefinition method, DynamicMethod patch)
    {
        var mToken = method.MetadataToken.ToInt32();
        DynamicMethodDefinition dynamicMethodDefinition = new DynamicMethodDefinition(moduleDefinition, patch.GetDynamicILInfo());
        var metadataToken = new MetadataToken((uint)mToken);
        moduleDefinition.TryLookupMember(metadataToken, out var metadataMember);
        var serializedMethodDefinition = (SerializedMethodDefinition)metadataMember;
        serializedMethodDefinition.CilMethodBody = dynamicMethodDefinition.CilMethodBody;
        serializedMethodDefinition.CilMethodBody.ComputeMaxStack();
    }
    // DecryptUsingFlare_70 and DecryptUsingFlare_71 are not part of this listing.
}
7. Control flow analysis
After fully decrypting the code, I proceeded with further analysis.
The application generated pseudo-random DNS queries and was controlled by the responses (IP addresses).
[magic].[length (number of bytes) in 3 octets]
[command].[data....]
The application used “magic bytes” to encode commands:
95 - create file (from raw data) - [filename][124][content]
96 - create file (from deflate data) - [filename][124][content]
71 - task (from deflate utf8 cmd)
70 - task (from utf8 cmd)
43 - task (from utf8 dict)
Example commands:
A. Creating an empty file named text (124 separates the file name from the content):
128.0.0.6
95.116.101.120
116.124.0.0
B. Running the command “19”
128.0.0.3
43.49.57.0
The order of the strings was determined by the function:
public static void flared_55(int i, string s)
{
    bool flag = FLARE15.c.Count != 0 && FLARE15.c[0] == (i ^ 248);
    if (flag)
    {
        FLARE14.sh += s;
        FLARE15.c.Remove(i ^ 248);
    }
    else
    {
        FLARE14.RunProcessFromEncryptedResource_Enabled = false;
    }
}
The FLARE15.c collection had the following initial contents:
250 242 240 235 243 249 247 245 238 232 253 244 237 251 234 233 236 246 241 255 252
After decryption (xor 248), the contents of FLARE15.c looked as follows:
2 10 8 19 11 1 15 13 22 16 5 12 21 3 18 17 20 14 9 7 4
So it was necessary either to generate a sequence of DNS responses or to simulate receiving such a sequence. I chose the second option.
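A decoder for the response format described in this section, replayed against the flared_55 ordering check, as an added Python example (not code from the original write-up). It assumes the 3-octet length is big-endian, which matches examples A and B, and that the number carried by command 43 is the i passed to flared_55; the CONSTRUCTED answers are made up for illustration.

```python
COMMANDS = {
    95: "create file (raw data)",
    96: "create file (deflate data)",
    71: "task (deflate utf8 cmd)",
    70: "task (utf8 cmd)",
    43: "task (utf8 dict)",
}
FILE_COMMANDS = (95, 96)
SEPARATOR = bytes([124])   # splits the file name from the content
ORDER_KEY = 248
# Initial contents of FLARE15.c as listed in the write-up (still XOR-ed).
ENCODED_ORDER = [250, 242, 240, 235, 243, 249, 247, 245, 238, 232, 253,
                 244, 237, 251, 234, 233, 236, 246, 241, 255, 252]


def octets(ip):
    """Parse a dotted-quad answer into its four bytes."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) < 256 for p in parts):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return bytes(int(p) for p in parts)


def decode_frames(answers):
    """Group A-record answers into [magic].[length] headers plus payload."""
    frames, idx = [], 0
    while idx < len(answers):
        header = octets(answers[idx])
        length = int.from_bytes(header[1:], "big")   # assumption: big-endian
        n_answers = -(-length // 4)                  # 4 payload bytes per answer
        body = answers[idx + 1: idx + 1 + n_answers]
        if length == 0 or len(body) < n_answers:
            raise ValueError(f"empty or truncated frame at answer {idx}")
        payload = b"".join(octets(ip) for ip in body)[:length]
        frame = {"magic": header[0], "command": payload[0],
                 "name": COMMANDS.get(payload[0], "unknown"),
                 "data": payload[1:]}
        if payload[0] in FILE_COMMANDS:
            filename, sep, content = frame["data"].partition(SEPARATOR)
            if not sep:
                raise ValueError("file command without the 124 separator")
            frame.update(filename=filename, content=content)
        frames.append(frame)
        idx += 1 + n_answers
    return frames


def task_ids(frames):
    """Numeric ids carried by command 43 (assumed to be flared_55's i)."""
    return [int(f["data"].decode("utf-8")) for f in frames if f["command"] == 43]


def replay_order(ids):
    """Replay flared_55 over a sequence of ids: (accepted, still_enabled)."""
    pending = list(ENCODED_ORDER)
    accepted, enabled = 0, True
    for task_id in ids:
        if pending and pending[0] == task_id ^ ORDER_KEY:
            pending.pop(0)          # c.Remove(i ^ 248) removes the head here
            accepted += 1
        else:
            enabled = False         # RunProcessFromEncryptedResource_Enabled
    return accepted, enabled


# Examples A and B from the write-up, followed by constructed frames.
PAGE_EXAMPLES = ["128.0.0.6", "95.116.101.120", "116.124.0.0",
                 "128.0.0.3", "43.49.57.0"]
CONSTRUCTED = ["128.0.0.2", "43.50.0.0", "128.0.0.3", "43.49.48.0"]

if __name__ == "__main__":
    for frame in decode_frames(PAGE_EXAMPLES + CONSTRUCTED):
        print(frame)
    print(replay_order(task_ids(decode_frames(CONSTRUCTED))))
```

Run over captured answers, the same replay shows whether an observed sequence would have kept the sample's resource-execution path enabled.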
8. Odczytanie flagi
W celu odszyfrowania flagi, zasymulowałem wykonanie kodu jako skutek odczytanej sekwencji odpowiedzi na zapytania DNS:
public void DumpDecryptedResource_flared_54()
{
FLARE14.sh = "";
List<Tuple> preparedData = new List<Tuple>()
{
new Tuple("d7d", FLARE02.RunPowershellProxy_flare_04("RwBlAHQALQBOAGUAdABOAGUAaQBnAGgAYgBvAHIAIAAtAEEAZABkAHIAZQBzAHMARgBhAG0AaQBsAHkAIABJAFAAdgA0ACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAiAEkAUABBAEQARAByAGUAcwBzACIA")), //2
new Tuple("f38", "hostname"), //10
new Tuple("2b7", FLARE02.RunPowershellProxy_flare_04("RwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwAgACgAeAA4ADYAKQAnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIABOAGEAbQBlAA==")), //8
new Tuple("146", FLARE02.RunPowershellProxy_flare_04("JChwaW5nIC1uIDEgMTAuNjUuNDUuMyB8IGZpbmRzdHIgL2kgdHRsKSAtZXEgJG51bGw7JChwaW5nIC1uIDEgMTAuNjUuNC41MiB8IGZpbmRzdHIgL2kgdHRsKSAtZXEgJG51bGw7JChwaW5nIC1uIDEgMTAuNjUuMzEuMTU1IHwgZmluZHN0ciAvaSB0dGwpIC1lcSAkbnVsbDskKHBpbmcgLW4gMSBmbGFyZS1vbi5jb20gfCBmaW5kc3RyIC9pIHR0bCkgLWVxICRudWxs")), //19
new Tuple("818", FLARE02.RunPowershellProxy_flare_04("RwBlAHQALQBOAGUAdABUAEMAUABDAG8AbgBuAGUAYwB0AGkAbwBuACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBTAHQAYQB0AGUAIAAtAGUAcQAgACIARQBzAHQAYQBiAGwAaQBzAGgAZQBkACIAfQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAAIgBMAG8AYwBhAGwAQQBkAGQAcgBlAHMAcwAiACwAIAAiAEwAbwBjAGEAbABQAG8AcgB0ACIALAAgACIAUgBlAG0AbwB0AGUAQQBkAGQAcgBlAHMAcwAiACwAIAAiAFIAZQBtAG8AdABlAFAAbwByAHQAIgA=")), //11
new Tuple("c2e", FLARE02.RunPowershellProxy_flare_04("RwBlAHQALQBOAGUAdABJAFAAQQBkAGQAcgBlAHMAcwAgAC0AQQBkAGQAcgBlAHMAcwBGAGEAbQBpAGwAeQAgAEkAUAB2ADQAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAEkAUABBAGQAZAByAGUAcwBzAA==")), //1
new Tuple("197", FLARE02.RunPowershellProxy_flare_04("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")), //15
new Tuple("e38", FLARE02.RunPowershellProxy_flare_04("bnNsb29rdXAgZmxhcmUtb24uY29tIHwgZmluZHN0ciAvaSBBZGRyZXNzO25zbG9va3VwIHdlYm1haWwuZmxhcmUtb24uY29tIHwgZmluZHN0ciAvaSBBZGRyZXNz")), // 13
new Tuple("709", "systeminfo | findstr /i \"Domain\""),//22
new Tuple("e87", FLARE02.RunPowershellProxy_flare_04("JAAoAHAAaQBuAGcAIAAtAG4AIAAxACAAMQAwAC4ANgA1AC4ANQAxAC4AMQAxACAAfAAgAGYAaQBuAGQAcwB0AHIAIAAvAGkAIAB0AHQAbAApACAALQBlAHEAIAAkAG4AdQBsAGwAOwAkACgAcABpAG4AZwAgAC0AbgAgADEAIAAxADAALgA2ADUALgA2AC4AMQAgAHwAIABmAGkAbgBkAHMAdAByACAALwBpACAAdAB0AGwAKQAgAC0AZQBxACAAJABuAHUAbABsADsAJAAoAHAAaQBuAGcAIAAtAG4AIAAxACAAMQAwAC4ANgA1AC4ANQAyAC4AMgAwADAAIAB8ACAAZgBpAG4AZABzAHQAcgAgAC8AaQAgAHQAdABsACkAIAAtAGUAcQAgACQAbgB1AGwAbAA7ACQAKABwAGkAbgBnACAALQBuACAAMQAgADEAMAAuADYANQAuADYALgAzACAAfAAgAGYAaQBuAGQAcwB0AHIAIAAvAGkAIAB0AHQAbAApACAALQBlAHEAIAAkAG4AdQBsAGwA")), //16
new Tuple("bfb", "net user"), //5
new Tuple("570", FLARE02.RunPowershellProxy_flare_04("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")), //12
new Tuple("8e6", FLARE02.RunPowershellProxy_flare_04("RwBlAHQALQBEAG4AcwBDAGwAaQBlAG4AdABTAGUAcgB2AGUAcgBBAGQAZAByAGUAcwBzACAALQBBAGQAZAByAGUAcwBzAEYAYQBtAGkAbAB5ACAASQBQAHYANAAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAAUwBFAFIAVgBFAFIAQQBkAGQAcgBlAHMAcwBlAHMA")), //21
new Tuple("113", "whoami"), //3
new Tuple("939", FLARE02.RunPowershellProxy_flare_04("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")), //18
new Tuple("2e4", FLARE02.RunPowershellProxy_flare_04("JAAoAHAAaQBuAGcAIAAtAG4AIAAxACAAMQAwAC4ANgA1AC4ANAA1AC4AMQA4ACAAfAAgAGYAaQBuAGQAcwB0AHIAIAAvAGkAIAB0AHQAbAApACAALQBlAHEAIAAkAG4AdQBsAGwAOwAkACgAcABpAG4AZwAgAC0AbgAgADEAIAAxADAALgA2ADUALgAyADgALgA0ADEAIAB8ACAAZgBpAG4AZABzAHQAcgAgAC8AaQAgAHQAdABsACkAIAAtAGUAcQAgACQAbgB1AGwAbAA7ACQAKABwAGkAbgBnACAALQBuACAAMQAgADEAMAAuADYANQAuADMANgAuADEAMwAgAHwAIABmAGkAbgBkAHMAdAByACAALwBpACAAdAB0AGwAKQAgAC0AZQBxACAAJABuAHUAbABsADsAJAAoAHAAaQBuAGcAIAAtAG4AIAAxACAAMQAwAC4ANgA1AC4ANQAxAC4AMQAwACAAfAAgAGYAaQBuAGQAcwB0AHIAIAAvAGkAIAB0AHQAbAApACAALQBlAHEAIAAkAG4AdQBsAGwA")), //17
new Tuple("3c9974", FLARE02.RunPowershellProxy_flare_04("RwBlAHQALQBOAGUAdABJAFAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAHwAIABGAG8AcgBlAGEAYwBoACAASQBQAHYANABEAGUAZgBhAHUAbAB0AEcAYQB0AGUAdwBhAHkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAE4AZQB4AHQASABvAHAA")), //20
new Tuple("3a7", FLARE02.RunPowershellProxy_flare_04("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")), //14
new Tuple("9b2", FLARE02.RunPowershellProxy_flare_04("RwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACcAQwA6ACcAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAE4AYQBtAGUA")), // 9
new Tuple("b", FLARE02.RunPowershellProxy_flare_04("RwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwAiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIABOAGEAbQBlAA==")), // 7
new Tuple("ea5", FLARE02.RunPowershellProxy_flare_04("WwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBPAFMAVgBlAHIAcwBpAG8AbgAuAFYAZQByAHMAaQBvAG4AUwB0AHIAaQBuAGcA")) //4
};
for(var i = 0; i < preparedData.Count; i++)
{
FLARE14.sh += preparedData[i].Sh;
if (i < preparedData.Count - 1)
{
var stackTraceText = "System.Object InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)System.Object Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)";
FLARE14.Sha256IncrementalHash.AppendData(Encoding.ASCII.GetBytes(stackTraceText + preparedData[i].Data));
}
}
byte[] imageSectionContent = FLARE15.GetImageSectionProxy_flare_69(FLARE14.ReverseStringProxy_flare_54(FLARE14.sh));
byte[] sha256HashValue = FLARE14.Sha256IncrementalHash.GetHashAndReset();
byte[] array2 = RC4Provider_FLARE12.RC4Proxy_flare_46(sha256HashValue, imageSectionContent);
string text = ".\\decrypted.bin";
// Dispose the stream so the decrypted bytes are flushed to disk.
using (FileStream fileStream = new FileStream(text, FileMode.Create, FileAccess.Write, FileShare.Read))
{
fileStream.Write(array2, 0, array2.Length);
}
}
I checked the type of the saved file:
$ file decrypted.bin
decrypted.bin: GIF image data, version 89a, 959 x 523
Viewing the image made it possible to read the flag:
W3_4re_Kn0wn_f0r_b31ng_Dyn4m1c@flare-on.com