Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Additional Information
#1
I am finally starting to reverse engineering this client and it has been quite fun so far Smile

As mentioned in the other thread b.o class handles the encryption/decryption and if you apply the string decryption method you get the following:

Code:
Class: b.o
z[0] = CB13370FDC5197B54FA4D269D5A80ACD
z[1] = AES/CBC/PKCS5Padding
z[2] = AES
z[3] = 747DA8F0024ABFE26AA49B6C3285CC47
z[4] = native
z[5] = file
z[6] = lib
z[7] = .class

As you can see it is using AES encryption and AES/CBC/PKCS5Padding for the cipher stream. The values in z[0] and z[3] is really what interests me so i started working on them and i got them figured out:

z[3] = IvParameterSpec after DatatypeConverter.parseHexBinary (so z[3] is the IV for the aes decryption and is encoded with HexBinary as well.)
z[0] = SecretKeySpec this is the key for AES after DatatypeConverter.parseHexBinary (So z[0] is the actual key for the aes decryption it is just encoded with HexBinary sequence)

Basically to reproduce the information:
Code:
Cipher.getInstance("AES/CBC/PKCS5Padding").init(Cipher.DECRYPT_MODE, new SecretKeySpec(DatatypeConverter.parseHexBinary("CB13370FDC5197B54FA4D269D5A80ACD"), "AES"), new IvParameterSpec(DatatypeConverter.parseHexBinary("747DA8F0024ABFE26AA49B6C3285CC47")));
That is the Cipher stream you will use to decrypt the information.

Upon further inspection of the code i have learned that they are using Pack200 [java.util.jar packer] to unpack the jar file:
Code:
Pack200.newUnpacker().unpack(new GZipInputStream(data), JarOutputStream);

Code:
private static byte[] b(String s, byte abyte0[])
    {
        byte abyte1[];
        byte abyte2[];
        s = new d(s.getBytes());
        String s1;
        abyte1 = DatatypeConverter.parseHexBinary(s1 = z[3]);
        s.c(abyte1);
        abyte2 = DatatypeConverter.parseHexBinary(s1 = z[0]);
        s.c(abyte2);
        (s = Cipher.getInstance(z[1])).init(2, new SecretKeySpec(abyte2, z[2]), new IvParameterSpec(abyte1));
        return s.doFinal(abyte0);
        JVM INSTR dup ;
        s;
        printStackTrace();
        return null;
    }
This is the method in the b.o class that handles the decryption of information and where the information above comes from. Parameter abyte0[] is the encrypted information. abyte1 is the unencoded IV, abyte2 is the unencoded SecretKey.


I will keep working on this and see what else i can do. I will start working on dumping the actual jar from memory and hopefully i can find the method that will load the cache Smile.
Reply
 


Messages In This Thread
Additional Information - by Cafebabe - 01-29-2015, 07:11 AM
RE: Additional Information - by Konloch - 01-29-2015, 10:02 AM
RE: Additional Information - by Cafebabe - 01-29-2015, 12:35 PM
RE: Additional Information - by Konloch - 01-30-2015, 09:06 AM

Forum Jump:


Users browsing this thread: 4 Guest(s)

About The Bytecode Club

We're a community forum focused on Reverse Engineering, we try to target Java/Android but we also include other langauges/platforms. We pride ourselves in supporting and free and open sourced applications.

Website