Credits to Bibl. He's #1

Code:

import java.io.File;
import java.lang.reflect.Field;

import jrat.*; // loaded the jar file of the thing we want to crack

import org.objectweb.asm.tree.MethodNode;

import eu.bibl.banalysis.asm.ClassNode; //Bibl is #1 memmr
import eu.bibl.banalysis.asm.insn.InstructionPrinter;
import eu.bibl.bio.JarInfo;
import eu.bibl.bio.jfile.in.JarDownloader;

public class Start {

    public static void main(String[] args) throws Exception{
        Class<?> c = nw.class;
        for(Field f : c.getDeclaredFields()){
            if(f.getName().equals("z")){
                f.setAccessible(true);
                String[] s1 = (String[]) f.get(null);
                for(int i=0; i < s1.length; i++){
                    System.out.println("z[" + i + "] = " + s1[i]);
                }
            }
        }
        
        JarDownloader dl = new JarDownloader(new JarInfo(new File("lib/Controller.jar")));
        dl.parse();
        
        for(ClassNode cn : dl.getContents().getNodes().values()){
            if(cn.name.equals("a")){
                for(MethodNode m : cn.methods()){
                    if(m.name.equals("main")){
                        InstructionPrinter.consolePrint(m);
                    }
                }
            }
        }
    }
}

Decrypts Strings :

Code:

z[0] =


Do you want to accept it?


(You can turn off this notification in settings)
z[1] = HTTP Request
z[2] = proxyhost
z[3] = proxyport
z[4] = jRAT tries to connect to:



z[5] = %host%
z[6] = proxy
z[7] = proxysocks
z[8] = askurl
z[9] = Requesting
z[10] = askurl
z[11] = proxysocks
z[12] =


Do you want to accept it?


(You can turn off this notification in settings)
z[13] = jRAT tries to connect to:



z[14] = proxy
z[15] = proxyport
z[16] = HTTP Request
z[17] = proxyhost

I wonder who wrote this code...

I wonder who wrote this code...

Do you not see the "bibl is #1 memmr"

I wonder who wrote this code...

Do you not see the "bibl is #1 memmr"

Is that not implied?

Good solution, we should try to figure out what obfuscator uses this method

The static "z" field seems to faintly remind me of Zelix KlassMaster, but I'm not sure.

The static "z" field seems to faintly remind me of Zelix KlassMaster, but I'm not sure.

It too reminded me to ZKM, however I feel that ZKM is more powerful obfuscation than this.

The Eldevin linux loader - https://www.eldevin.com/download/linux uses the same obfuscator, so it's vulnerable to the same decryption technique.

URM
this might not be a good idea.
someone could put some code in the <clinit> of a class and when you try to get the field value, it will load the code and run it, so they could add dummy classes which download viruses or fuck some other shit up

URM
this might not be a good idea.
someone could put some code in the <clinit> of a class and when you try to get the field value, it will load the code and run it, so they could add dummy classes which download viruses or fuck some other shit up

Aye, keep this in mind whenever you load any classes into a classloader.