+- The Bytecode Club - Reverse Engineering Forum (https://the.bytecode.club)
+-- Forum: Lobby (https://the.bytecode.club/forumdisplay.php?fid=1)
+--- Forum: Programming (https://the.bytecode.club/forumdisplay.php?fid=86)
+--- Thread: Cracking (HackForums) String Encryption (/showthread.php?tid=101)
Cracking (HackForums) String Encryption - Barr - 10-13-2014
Credits to Bibl. He's #1
Code:
import java.io.File;
import java.lang.reflect.Field;
import jrat.*; // loaded the jar file of the thing we want to crack
import org.objectweb.asm.tree.MethodNode;
import eu.bibl.banalysis.asm.ClassNode; //Bibl is #1 memmr
import eu.bibl.banalysis.asm.insn.InstructionPrinter;
import eu.bibl.bio.JarInfo;
import eu.bibl.bio.jfile.in.JarDownloader;
public class Start {
public static void main(String[] args) throws Exception{
Class<?> c = nw.class;
for(Field f : c.getDeclaredFields()){
if(f.getName().equals("z")){
f.setAccessible(true);
String[] s1 = (String[]) f.get(null);
for(int i=0; i < s1.length; i++){
System.out.println("z[" + i + "] = " + s1[i]);
}
}
}
JarDownloader dl = new JarDownloader(new JarInfo(new File("lib/Controller.jar")));
dl.parse();
for(ClassNode cn : dl.getContents().getNodes().values()){
if(cn.name.equals("a")){
for(MethodNode m : cn.methods()){
if(m.name.equals("main")){
InstructionPrinter.consolePrint(m);
}
}
}
}
}
}Decrypts Strings :
Code:
z[0] =
Do you want to accept it?
(You can turn off this notification in settings)
z[1] = HTTP Request
z[2] = proxyhost
z[3] = proxyport
z[4] = jRAT tries to connect to:
z[5] = %host%
z[6] = proxy
z[7] = proxysocks
z[8] = askurl
z[9] = Requesting
z[10] = askurl
z[11] = proxysocks
z[12] =
Do you want to accept it?
(You can turn off this notification in settings)
z[13] = jRAT tries to connect to:
z[14] = proxy
z[15] = proxyport
z[16] = HTTP Request
z[17] = proxyhostRE: Cracking (HackForums) String Encryption - Bibl - 10-13-2014
I wonder who wrote this code...
RE: Cracking (HackForums) String Encryption - Barr - 10-14-2014
(10-13-2014, 09:50 PM)Bibl Wrote: I wonder who wrote this code...
Do you not see the "bibl is #1 memmr"
RE: Cracking (HackForums) String Encryption - Bibl - 10-14-2014
(10-14-2014, 11:51 AM)ByteCode Wrote:Is that not implied?(10-13-2014, 09:50 PM)Bibl Wrote: I wonder who wrote this code...
Do you not see the "bibl is #1 memmr"
RE: Cracking (HackForums) String Encryption - Konloch - 10-14-2014
Good solution, we should try to figure out what obfuscator uses this method
RE: Cracking (HackForums) String Encryption - GHzGangster - 11-05-2014
The static "z" field seems to faintly remind me of Zelix KlassMaster, but I'm not sure.
RE: Cracking (HackForums) String Encryption - Konloch - 11-05-2014
(11-05-2014, 02:25 AM)GHzGangster Wrote: The static "z" field seems to faintly remind me of Zelix KlassMaster, but I'm not sure.
It too reminded me to ZKM, however I feel that ZKM is more powerful obfuscation than this.
RE: Cracking (HackForums) String Encryption - Konloch - 12-14-2014
The Eldevin linux loader - https://www.eldevin.com/download/linux uses the same obfuscator, so it's vulnerable to the same decryption technique.
RE: Cracking (HackForums) String Encryption - Bibl - 05-22-2015
URM
this might not be a good idea.
someone could put some code in the <clinit> of a class and when you try to get the field value, it will load the code and run it, so they could add dummy classes which download viruses or fuck some other shit up
RE: Cracking (HackForums) String Encryption - Konloch - 05-23-2015
(05-22-2015, 11:24 PM)Bibl Wrote: URMAye, keep this in mind whenever you load any classes into a classloader.
this might not be a good idea.
someone could put some code in the <clinit> of a class and when you try to get the field value, it will load the code and run it, so they could add dummy classes which download viruses or fuck some other shit up