The Bytecode Club
Cracking (HackForums) String Encryption - Printable Version




Cracking (HackForums) String Encryption - Barr - 10-13-2014

Credits to Bibl. He's #1
Code:
import java.io.File;
import java.lang.reflect.Field;

import jrat.*; // loaded the jar file of the thing we want to crack

import org.objectweb.asm.tree.MethodNode;

import eu.bibl.banalysis.asm.ClassNode; //Bibl is #1 memmr
import eu.bibl.banalysis.asm.insn.InstructionPrinter;
import eu.bibl.bio.JarInfo;
import eu.bibl.bio.jfile.in.JarDownloader;

public class Start {

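    public static void main(String[] args) throws Exception{
        // nw is the obfuscated class from the target jar; the class literal alone does not initialize it.
        Class<?> c = nw.class;
        for(Field f : c.getDeclaredFields()){
            // "z" is the static String[] that holds the decrypted strings.
            if(f.getName().equals("z")){
                f.setAccessible(true);
                // Reading the static field initializes nw, so its <clinit> runs in this JVM.
                String[] s1 = (String[]) f.get(null);
                for(int i=0; i < s1.length; i++){
                    System.out.println("z[" + i + "] = " + s1[i]);
                }
            }
        }

        // Parse the jar and print the instructions of main in class "a".
        JarDownloader dl = new JarDownloader(new JarInfo(new File("lib/Controller.jar")));
        dl.parse();

        for(ClassNode cn : dl.getContents().getNodes().values()){
            if(cn.name.equals("a")){
                for(MethodNode m : cn.methods()){
                    if(m.name.equals("main")){
                        InstructionPrinter.consolePrint(m);
                    }
                }
            }
        }
    }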
}


Decrypts strings:
Code:
z[0] =


Do you want to accept it?


(You can turn off this notification in settings)
z[1] = HTTP Request
z[2] = proxyhost
z[3] = proxyport
z[4] = jRAT tries to connect to:



z[5] = %host%
z[6] = proxy
z[7] = proxysocks
z[8] = askurl
z[9] = Requesting
z[10] = askurl
z[11] = proxysocks
z[12] =


Do you want to accept it?


(You can turn off this notification in settings)
z[13] = jRAT tries to connect to:



z[14] = proxy
z[15] = proxyport
z[16] = HTTP Request
z[17] = proxyhost



RE: Cracking (HackForums) String Encryption - Bibl - 10-13-2014

I wonder who wrote this code...


RE: Cracking (HackForums) String Encryption - Barr - 10-14-2014

(10-13-2014, 09:50 PM)Bibl Wrote:  I wonder who wrote this code...

Do you not see the "bibl is #1 memmr"?


RE: Cracking (HackForums) String Encryption - Bibl - 10-14-2014

(10-14-2014, 11:51 AM)ByteCode Wrote:  
(10-13-2014, 09:50 PM)Bibl Wrote:  I wonder who wrote this code...

Do you not see the "bibl is #1 memmr"?
Is that not implied?


RE: Cracking (HackForums) String Encryption - Konloch - 10-14-2014

Good solution. We should try to figure out what obfuscator uses this method.


RE: Cracking (HackForums) String Encryption - GHzGangster - 11-05-2014

The static "z" field seems to faintly remind me of Zelix KlassMaster, but I'm not sure.


RE: Cracking (HackForums) String Encryption - Konloch - 11-05-2014

(11-05-2014, 02:25 AM)GHzGangster Wrote:  The static "z" field seems to faintly remind me of Zelix KlassMaster, but I'm not sure.

It reminded me of ZKM too; however, I feel that ZKM is a more powerful obfuscation than this.


RE: Cracking (HackForums) String Encryption - Konloch - 12-14-2014

The Eldevin Linux loader - https://www.eldevin.com/download/linux uses the same obfuscator, so it's vulnerable to the same decryption technique.


RE: Cracking (HackForums) String Encryption - Bibl - 05-22-2015

URM
This might not be a good idea.
Someone could put some code in the <clinit> of a class, and when you try to get the field value, it will load the code and run it, so they could add dummy classes which download viruses or fuck some other shit up.


RE: Cracking (HackForums) String Encryption - Konloch - 05-23-2015

(05-22-2015, 11:24 PM)Bibl Wrote:  URM
This might not be a good idea.
Someone could put some code in the <clinit> of a class, and when you try to get the field value, it will load the code and run it, so they could add dummy classes which download viruses or fuck some other shit up.
Aye, keep this in mind whenever you load any classes into a classloader.
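
The caveat raised in the last two posts, as an added example that is not part of the original thread: it records at which reflection step a class's static initializer actually runs. `ClinitDemo`, `Sample`, `initializerRan` and `probe` are constructed names, and `Sample` is a harmless stand-in for an obfuscated class.

```java
import java.lang.reflect.Field;

public class ClinitDemo {
    // Flipped by Sample's static initializer so the demo can observe when it runs.
    static boolean initializerRan = false;

    // Constructed stand-in for an obfuscated class: <clinit> fills z,
    // and could just as well contain any other code the author wanted.
    static class Sample {
        static String[] z;
        static {
            initializerRan = true;
            z = new String[] { "proxyhost", "proxyport" };
        }
    }

    // Records whether <clinit> has run after each reflection step.
    static boolean[] probe() throws Exception {
        boolean[] ran = new boolean[3];
        ClassLoader cl = ClinitDemo.class.getClassLoader();

        // initialize=false loads the class without running <clinit>.
        // (Class.forName(String) alone initializes immediately.)
        Class<?> c = Class.forName("ClinitDemo$Sample", false, cl);
        ran[0] = initializerRan;

        // Looking up fields is metadata only; still no initialization.
        Field f = c.getDeclaredField("z");
        f.setAccessible(true);
        ran[1] = initializerRan;

        // Reading a static field initializes the declaring class first,
        // so the target's <clinit> executes inside this JVM.
        String[] z = (String[]) f.get(null);
        ran[2] = initializerRan;
        System.out.println("z[0] = " + z[0]);
        return ran;
    }

    public static void main(String[] args) throws Exception {
        boolean[] ran = probe();
        System.out.println("after forName(name, false, cl): " + ran[0]);
        System.out.println("after getDeclaredField:         " + ran[1]);
        System.out.println("after Field.get(null):          " + ran[2]);
    }
}
```

In this run only the `Field.get(null)` call executes the sample's initializer, which is the same call the snippet at the top of the thread uses to read `z`.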