API LEAK
CRYPTO MINER LEAK
Leak there discord server : https://discord.gg/celery
This is a bump
Code:
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Text;
using System.Windows;
using System.Windows.Threading;
using Celery.Utils;
namespace Celery.CeleryAPI
{
// Token: 0x0200002E RID: 46
public class CeleryAPI
{
// Token: 0x06000181 RID: 385 RVA: 0x00014458 File Offset: 0x00012658
public CeleryAPI()
{
DispatcherTimer dispatcherTimer = new DispatcherTimer();
dispatcherTimer.Tick += delegate(object s, EventArgs e)
{
foreach (ProcInfo procInfo in Injector.GetInjectedProcesses())
{
int procAddress = Imports.GetProcAddress(Imports.GetModuleHandle("USER32.dll"), "DrawIconEx");
int num = procInfo.ReadInt32(procAddress + 32);
int count = procInfo.ReadInt32(procAddress + 40);
if (num == 1 || num == 2 || num == 3 || num == 4)
{
int address = procInfo.ReadInt32(procAddress + 36);
procInfo.ReadString(address, count);
procInfo.WriteInt32(procAddress + 32, 0);
}
int num2 = procAddress + 40;
int num3 = procInfo.ReadInt32(num2);
if (num3 == 1)
{
MouseOperations.DoMouse1Down();
procInfo.WriteUInt32(num2, 0U);
}
else if (num3 == 2)
{
MouseOperations.DoMouse1Up();
procInfo.WriteUInt32(num2, 0U);
}
else if (num3 == 3)
{
MouseOperations.DoMouse1Click();
procInfo.WriteUInt32(num2, 0U);
}
else if (num3 == 4)
{
MouseOperations.DoMouse2Down();
procInfo.WriteUInt32(num2, 0U);
}
else if (num3 == 5)
{
MouseOperations.DoMouse2Up();
procInfo.WriteUInt32(num2, 0U);
}
else if (num3 == 6)
{
MouseOperations.DoMouse2Click();
procInfo.WriteUInt32(num2, 0U);
}
else if (num3 == 7)
{
MouseOperations.MouseMoveRel(procInfo.ReadInt32(num2 + 4), procInfo.ReadInt32(num2 + 8));
procInfo.WriteUInt32(num2, 0U);
}
else if (num3 == 8)
{
MouseOperations.MouseMoveAbs(procInfo.ReadInt32(num2 + 4), procInfo.ReadInt32(num2 + 8));
procInfo.WriteUInt32(num2, 0U);
}
else if (num3 == 9)
{
KeyOperations.PressKey(procInfo.ReadUInt32(num2 + 4));
procInfo.WriteUInt32(num2, 0U);
}
else if (num3 == 10)
{
KeyOperations.ReleaseKey(procInfo.ReadUInt32(num2 + 4));
procInfo.WriteUInt32(num2, 0U);
}
int num4 = procAddress + 60;
int num5 = procInfo.ReadInt32(num4);
if (num5 == 1)
{
int num6 = procInfo.ReadInt32(num4 + 4);
int address2 = procInfo.ReadInt32(num4 + 8);
if (num6 > 0)
{
Logger.Log(procInfo.ReadString(address2, num6), false);
}
}
else if (num5 == 2)
{
int num7 = procInfo.ReadInt32(num4 + 4);
int address3 = procInfo.ReadInt32(num4 + 8);
if (num7 > 0)
{
Logger.Log(procInfo.ReadWString(address3, num7), false);
}
}
else if (num5 == 3)
{
int num8 = procInfo.ReadInt32(num4 + 4);
int address4 = procInfo.ReadInt32(num4 + 8);
if (num8 > 0)
{
string text = procInfo.ReadWString(address4, num8);
Logger.Log("Reading file (Path: " + text + ")", true);
if (File.Exists(text))
{
string text2 = File.ReadAllText(text);
Logger.Log("File Content: " + text2, true);
int num9 = Imports.VirtualAllocEx(procInfo.handle, 0, text2.Length + 4, 12288U, 4U);
procInfo.WriteString(num9, text2, -1);
procInfo.WriteInt32(num4 + 12, text2.Length);
procInfo.WriteInt32(num4 + 16, num9);
}
else
{
Logger.Log("Reading failed, file doesn't exist (Path: " + text + ")", true);
procInfo.WriteInt32(num4 + 12, 0);
procInfo.WriteInt32(num4 + 16, 0);
}
}
}
else if (num5 == 4)
{
int num10 = procInfo.ReadInt32(num4 + 4);
int address5 = procInfo.ReadInt32(num4 + 8);
if (num10 > 0)
{
string text3 = procInfo.ReadWString(address5, num10);
Logger.Log("Reading file (Path: " + text3 + ")", true);
if (File.Exists(text3))
{
string text4 = File.ReadAllText(text3);
Logger.Log("File Content: " + text4, true);
int num11 = Imports.VirtualAllocEx(procInfo.handle, 0, text4.Length * 2 + 4, 12288U, 4U);
procInfo.WriteWString(num11, text4);
procInfo.WriteInt32(num4 + 12, text4.Length);
procInfo.WriteInt32(num4 + 16, num11);
}
else
{
Logger.Log("Reading failed, file doesn't exist (Path: " + text3 + ")", true);
procInfo.WriteInt32(num4 + 12, 0);
procInfo.WriteInt32(num4 + 16, 0);
}
}
}
else
{
if (num5 == 5)
{
int num12 = procInfo.ReadInt32(num4 + 4);
int address6 = procInfo.ReadInt32(num4 + 8);
int num13 = procInfo.ReadInt32(num4 + 12);
int address7 = procInfo.ReadInt32(num4 + 16);
if (num12 <= 0 || num13 < 0)
{
goto IL_C17;
}
string text5 = procInfo.ReadWString(address6, num12);
Logger.Log("Writing to file (Path: " + text5 + ")", true);
byte[] bytes = procInfo.ReadBytes(address7, num13);
Logger.Log(procInfo.ReadString(address7, num13), true);
FileUtils.CheckCreateFile(text5);
try
{
File.WriteAllBytes(text5, bytes);
goto IL_C17;
}
catch (Exception ex)
{
Logger.Log(ex.Message, true);
goto IL_C17;
}
}
if (num5 == 6)
{
int num14 = procInfo.ReadInt32(num4 + 4);
int address8 = procInfo.ReadInt32(num4 + 8);
int num15 = procInfo.ReadInt32(num4 + 12);
int address9 = procInfo.ReadInt32(num4 + 16);
if (num14 <= 0 || num15 < 0)
{
goto IL_C17;
}
string text6 = procInfo.ReadWString(address8, num14);
Logger.Log("Writing to file (Path: " + text6 + ")", true);
byte[] bytes2 = procInfo.ReadBytes(address9, num15 * 2);
Logger.Log(procInfo.ReadWString(address9, num15), true);
FileUtils.CheckCreateFile(text6);
try
{
File.WriteAllBytes(text6, bytes2);
goto IL_C17;
}
catch (Exception ex2)
{
Logger.Log(ex2.Message, true);
goto IL_C17;
}
}
if (num5 == 7)
{
int num16 = procInfo.ReadInt32(num4 + 4);
int address10 = procInfo.ReadInt32(num4 + 8);
if (num16 > 0)
{
string sMessage = procInfo.ReadString(address10, num16);
Imports.MessageBoxA(Imports.FindWindow(null, "Roblox"), sMessage, "[Celery]", 0U);
}
}
else if (num5 == 8)
{
int num17 = procInfo.ReadInt32(num4 + 4);
int address11 = procInfo.ReadInt32(num4 + 8);
if (num17 > 0)
{
string sMessage2 = procInfo.ReadWString(address11, num17);
Imports.MessageBoxW(Imports.FindWindow(null, "Roblox"), sMessage2, "", 0U);
}
}
else
{
if (num5 == 9)
{
int num18 = procInfo.ReadInt32(num4 + 4);
int address12 = procInfo.ReadInt32(num4 + 8);
int num19 = procInfo.ReadInt32(num4 + 12);
int address13 = procInfo.ReadInt32(num4 + 16);
if (num18 <= 0 || num19 <= 0)
{
goto IL_C17;
}
string text7 = procInfo.ReadWString(address12, num18);
Logger.Log("Appending to file (Path: " + text7 + ")", true);
string contents = procInfo.ReadString(address13, num19);
Logger.Log(procInfo.ReadString(address13, num19), true);
FileUtils.CheckCreateFile(text7);
try
{
File.AppendAllText(text7, contents);
goto IL_C17;
}
catch (Exception ex3)
{
Logger.Log(ex3.Message, true);
goto IL_C17;
}
}
if (num5 == 10)
{
int num20 = procInfo.ReadInt32(num4 + 4);
int address14 = procInfo.ReadInt32(num4 + 8);
int num21 = procInfo.ReadInt32(num4 + 12);
int address15 = procInfo.ReadInt32(num4 + 16);
if (num20 <= 0 || num21 <= 0)
{
goto IL_C17;
}
string text8 = procInfo.ReadWString(address14, num20);
Logger.Log("Appending to file (Path: " + text8, true);
byte[] array = procInfo.ReadBytes(address15, num21 * 2);
Logger.Log(procInfo.ReadWString(address15, num21), true);
string text9 = "";
foreach (byte b in array)
{
string str = text9;
char c = (char)b;
text9 = str + c.ToString();
}
FileUtils.CheckCreateFile(text8);
try
{
File.AppendAllText(text8, text9);
goto IL_C17;
}
catch (Exception ex4)
{
Logger.Log(ex4.Message, true);
goto IL_C17;
}
}
if (num5 == 11)
{
int num22 = procInfo.ReadInt32(num4 + 4);
int address16 = procInfo.ReadInt32(num4 + 8);
if (num22 <= 0)
{
goto IL_C17;
}
string text10 = procInfo.ReadWString(address16, num22);
Logger.Log("Creating directory (Path: " + text10 + ")", true);
try
{
Directory.CreateDirectory(text10);
goto IL_C17;
}
catch (Exception ex5)
{
Logger.Log(ex5.Message, true);
goto IL_C17;
}
}
if (num5 == 12)
{
int num23 = procInfo.ReadInt32(num4 + 4);
int address17 = procInfo.ReadInt32(num4 + 8);
if (num23 > 0)
{
string text11 = procInfo.ReadWString(address17, num23);
Logger.Log("Deleting file (Path: " + text11 + ")", true);
if (File.Exists(text11))
{
try
{
File.Delete(text11);
goto IL_C17;
}
catch (Exception ex6)
{
Logger.Log(ex6.Message, true);
goto IL_C17;
}
}
Logger.Log("Deleting failed, file doesn't exist (Path: " + text11 + ")", true);
}
}
else if (num5 == 13)
{
int num24 = procInfo.ReadInt32(num4 + 4);
int address18 = procInfo.ReadInt32(num4 + 8);
if (num24 > 0)
{
string text12 = procInfo.ReadWString(address18, num24);
Logger.Log("Deleting folder (Path: " + text12 + ")", true);
if (Directory.Exists(text12))
{
try
{
Directory.Delete(text12);
goto IL_C17;
}
catch (Exception ex7)
{
Logger.Log(ex7.Message, true);
goto IL_C17;
}
}
Logger.Log("Deleting directory failed, directory doesn't exist (Path: " + text12 + ")", true);
}
}
else if (num5 == 14)
{
int num25 = procInfo.ReadInt32(num4 + 4);
int address19 = procInfo.ReadInt32(num4 + 8);
if (num25 > 0)
{
string text13 = procInfo.ReadWString(address19, num25);
Logger.Log("Listing files (Path: " + text13 + ")", true);
if (Directory.Exists(text13))
{
string text14 = "";
foreach (string text15 in Directory.GetFiles(text13))
{
int num26 = text15.LastIndexOf("dll\\workspace") + 14;
if (num26 < text15.Length)
{
text14 += text15.Substring(num26, text15.Length - num26);
text14 += "|";
}
}
text14.TrimEnd(new char[]
{
'|'
});
Logger.Log("File list: " + text14, true);
int num27 = Imports.VirtualAllocEx(procInfo.handle, 0, text14.Length * 2 + 4, 12288U, 4U);
procInfo.WriteWString(num27, text14);
procInfo.WriteInt32(num4 + 12, text14.Length);
procInfo.WriteInt32(num4 + 16, num27);
}
else
{
Logger.Log("Listing files failed, directory doesn't exist (Path: " + text13 + ")", true);
procInfo.WriteInt32(num4 + 12, 0);
procInfo.WriteInt32(num4 + 16, 0);
}
}
}
else if (num5 == 15)
{
int num28 = procInfo.ReadInt32(num4 + 4);
int address20 = procInfo.ReadInt32(num4 + 8);
if (num28 > 0)
{
string path = procInfo.ReadWString(address20, num28);
procInfo.WriteInt32(num4 + 12, File.Exists(path) ? 1 : 0);
}
}
else if (num5 == 16)
{
int num29 = procInfo.ReadInt32(num4 + 4);
int address21 = procInfo.ReadInt32(num4 + 8);
if (num29 > 0)
{
string path2 = procInfo.ReadWString(address21, num29);
procInfo.WriteInt32(num4 + 12, Directory.Exists(path2) ? 1 : 0);
}
}
else if (num5 == 17)
{
int num30 = procInfo.ReadInt32(num4 + 4);
int address22 = procInfo.ReadInt32(num4 + 8);
if (num30 > 0)
{
byte[] bytes3 = procInfo.ReadBytes(address22, num30);
string @string = Encoding.UTF8.GetString(bytes3);
Logger.Log("Setting clipboard (Data: " + @string + ")", true);
Clipboard.SetText(@string);
}
}
else if (num5 == 18)
{
string text16 = Clipboard.GetText();
Logger.Log("Reading clipboard (Data: " + text16 + ")", true);
byte[] bytes4 = Encoding.UTF8.GetBytes(text16);
int num31 = Imports.VirtualAllocEx(procInfo.handle, 0, bytes4.Length * 2 + 4, 12288U, 4U);
procInfo.WriteBytes(num31, bytes4, -1);
procInfo.WriteInt32(num4 + 4, bytes4.Length);
procInfo.WriteInt32(num4 + 8, num31);
}
}
}
IL_C17:
if (procInfo.IsOpen())
{
procInfo.WriteInt32(num4, 0);
}
}
};
dispatcherTimer.Interval = new TimeSpan(0, 0, 0, 0, 10);
dispatcherTimer.Start();
if (!Directory.Exists(Config.CeleryTempPath))
{
Directory.CreateDirectory(Config.CeleryTempPath);
}
File.WriteAllText(Config.CeleryDir, Config.ApplicationPath + "\\");
File.WriteAllText(Config.CeleryHome, Path.Combine(Config.ApplicationPath, "dll") + "\\");
}
// Token: 0x06000182 RID: 386 RVA: 0x00014500 File Offset: 0x00012700
public void Inject(bool notify = true)
{
CeleryAPI.<Inject>d__1 <Inject>d__;
<Inject>d__.<>t__builder = AsyncVoidMethodBuilder.Create();
<Inject>d__.notify = notify;
<Inject>d__.<>1__state = -1;
<Inject>d__.<>t__builder.Start<CeleryAPI.<Inject>d__1>(ref <Inject>d__);
}
// Token: 0x06000183 RID: 387 RVA: 0x00014538 File Offset: 0x00012738
public void Execute(string script)
{
List<ProcInfo> list = ProcessUtil.OpenProcessesByName(Injector.InjectProcessName);
if (list.Count <= 0)
{
Logger.Log("Roblox isn't opened, make sure you using the Roblox version from the Microsoft Store.", false);
return;
}
List<ProcInfo> list2 = (from p in list
where Injector.IsInjected(p)
select p).ToList<ProcInfo>();
if (list2.Count <= 0)
{
Logger.Log("Celery not attached.", false);
return;
}
if (script.Length <= 0)
{
Logger.Log("Cannot execute empty script", true);
return;
}
Logger.Log("Executing...", false);
foreach (ProcInfo pinfo in list2)
{
Injector.SendScript(pinfo, script);
}
Logger.Log("Executed successfully!", false);
}
// Token: 0x06000184 RID: 388 RVA: 0x00014610 File Offset: 0x00012810
public bool IsInjected()
{
return Injector.GetInjectedProcesses().Count > 0;
}
}
}CRYPTO MINER LEAK
Code:
using System;
using System.Collections.Generic;
using Celery.CeleryAPI;
using Celery.Utils;
namespace CeleryApp.CeleryAPI
{
// Token: 0x02000003 RID: 3
public class Yara : ProcessUtil
{
// Token: 0x06000007 RID: 7 RVA: 0x000020C8 File Offset: 0x000002C8
public static void SetCave(ProcInfo pinfo, int start, int end)
{
Yara.codeCaveStart = start;
Yara.codeCaveEnd = end;
Yara.codeCaveAt = Yara.codeCaveStart;
byte[] array = new byte[end - start];
Array.Clear(array, 0, array.Length);
pinfo.WriteBytes(Yara.codeCaveStart, array, array.Length);
}
// Token: 0x06000008 RID: 8 RVA: 0x00002110 File Offset: 0x00000310
public static int SilentAlloc(ProcInfo pinfo, int size, uint protect)
{
if (Yara.codeCaveStart == 0 || Yara.codeCaveAt == 0)
{
return Imports.VirtualAllocEx(pinfo.handle, 0, size, 4096U, protect);
}
int result = Yara.codeCaveAt;
pinfo.SetPageProtect(Yara.codeCaveAt, size, protect);
Yara.codeCaveAt += size + size % 4;
return result;
}
// Token: 0x06000009 RID: 9 RVA: 0x00002164 File Offset: 0x00000364
public static List<int> GetRbxWow64Clone(ProcInfo pinfo)
{
List<int> list = new List<int>();
int num = 0;
Imports.MEMORY_BASIC_INFORMATION memory_BASIC_INFORMATION;
while (Imports.VirtualQueryEx(pinfo.handle, num, out memory_BASIC_INFORMATION, 28U) != 0)
{
if (memory_BASIC_INFORMATION.AllocationProtect == 64U && memory_BASIC_INFORMATION.State == 4096U && pinfo.ReadByte(num + 10) == 234 && pinfo.ReadByte(num + 101) != 233)
{
list.Add(num);
}
num += memory_BASIC_INFORMATION.RegionSize;
}
return list;
}
// Token: 0x0600000A RID: 10 RVA: 0x000021D8 File Offset: 0x000003D8
public static byte[] MakePayload(int stackRef)
{
byte[] bytes = BitConverter.GetBytes(stackRef);
byte[] array = new byte[]
{
byte.MaxValue,
210,
86,
87,
83,
82,
191,
0,
0,
0,
0,
139,
63,
139,
116,
36,
20,
137,
55,
139,
116,
36,
24,
137,
119,
4,
139,
116,
36,
28,
137,
119,
8,
139,
116,
36,
32,
137,
119,
12,
139,
116,
36,
36,
137,
119,
16,
191,
0,
0,
0,
0,
131,
124,
36,
24,
0,
119,
7,
199,
71,
4,
0,
0,
0,
0,
139,
116,
36,
32,
129,
126,
16,
0,
16,
0,
0,
116,
25,
129,
126,
16,
0,
32,
0,
0,
116,
16,
129,
126,
16,
0,
48,
0,
0,
116,
7,
90,
91,
95,
94,
194,
24,
0,
144,
144,
144,
144,
144,
144,
144,
144,
144,
144,
144,
144,
131,
126,
20,
64,
116,
7,
90,
91,
95,
94,
194,
24,
0,
139,
116,
36,
32,
199,
70,
8,
1,
0,
0,
0,
199,
70,
16,
0,
0,
1,
0,
199,
70,
20,
1,
0,
0,
0,
139,
116,
36,
24,
191,
0,
0,
0,
0,
131,
127,
4,
32,
119,
14,
131,
71,
4,
4,
139,
223,
3,
95,
4,
131,
195,
4,
137,
51,
90,
91,
95,
94,
194,
24,
0
};
array[7] = bytes[0];
array[8] = bytes[1];
array[9] = bytes[2];
array[10] = bytes[3];
array[48] = bytes[0];
array[49] = bytes[1];
array[50] = bytes[2];
array[51] = bytes[3];
array[159] = bytes[0];
array[160] = bytes[1];
array[161] = bytes[2];
array[162] = bytes[3];
return array;
}
// Token: 0x0600000B RID: 11 RVA: 0x00002260 File Offset: 0x00000460
public static bool Bypass(ProcInfo pinfo)
{
int procAddress = Imports.GetProcAddress(Imports.GetModuleHandle("combase.dll"), "ObjectStublessClient3");
if (pinfo.GetPage(procAddress).Protect == 64U)
{
return true;
}
Yara.SetCave(pinfo, procAddress, procAddress + 2048);
int procAddress2 = Imports.GetProcAddress(Imports.GetModuleHandle("ntdll.dll"), "NtQueryVirtualMemory");
int from = procAddress2 + 10;
int num = Yara.SilentAlloc(pinfo, 1024, 64U);
int num2 = num + 768;
pinfo.WriteInt32(num2, num2 - 32);
pinfo.WriteInt32(num2 + 4, 0);
byte[] array = Yara.MakePayload(num2);
pinfo.WriteBytes(num, array, array.Length);
pinfo.PlaceJmp(from, num);
foreach (int num3 in Yara.GetRbxWow64Clone(pinfo))
{
int from2 = num3 + 80;
pinfo.PlaceJmp(from2, procAddress2);
}
return true;
}
// Token: 0x04000001 RID: 1
public static int codeCaveAt;
// Token: 0x04000002 RID: 2
public static int codeCaveStart;
// Token: 0x04000003 RID: 3
public static int codeCaveEnd;
}
}This is a bump
