Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Cracking (HackForums) String Encryption
#1
Credits to Bibl. He's #1
Code:
import java.io.File;
import java.lang.reflect.Field;

import jrat.*; // loaded the jar file of the thing we want to crack

import org.objectweb.asm.tree.MethodNode;

import eu.bibl.banalysis.asm.ClassNode; //Bibl is #1 memmr
import eu.bibl.banalysis.asm.insn.InstructionPrinter;
import eu.bibl.bio.JarInfo;
import eu.bibl.bio.jfile.in.JarDownloader;

public class Start {

    public static void main(String[] args) throws Exception{
        Class<?> c = nw.class;
        for(Field f : c.getDeclaredFields()){
            if(f.getName().equals("z")){
                f.setAccessible(true);
                String[] s1 = (String[]) f.get(null);
                for(int i=0; i < s1.length; i++){
                    System.out.println("z[" + i + "] = " + s1[i]);
                }
            }
        }
        
        JarDownloader dl = new JarDownloader(new JarInfo(new File("lib/Controller.jar")));
        dl.parse();
        
        for(ClassNode cn : dl.getContents().getNodes().values()){
            if(cn.name.equals("a")){
                for(MethodNode m : cn.methods()){
                    if(m.name.equals("main")){
                        InstructionPrinter.consolePrint(m);
                    }
                }
            }
        }
    }
}


Decrypts Strings :
Code:
z[0] =


Do you want to accept it?


(You can turn off this notification in settings)
z[1] = HTTP Request
z[2] = proxyhost
z[3] = proxyport
z[4] = jRAT tries to connect to:



z[5] = %host%
z[6] = proxy
z[7] = proxysocks
z[8] = askurl
z[9] = Requesting
z[10] = askurl
z[11] = proxysocks
z[12] =


Do you want to accept it?


(You can turn off this notification in settings)
z[13] = jRAT tries to connect to:



z[14] = proxy
z[15] = proxyport
z[16] = HTTP Request
z[17] = proxyhost
Reply
#2
I wonder who wrote this code...
Reply
#3
(10-13-2014, 09:50 PM)Bibl Wrote:  I wonder who wrote this code...

Do you not see the "bibl is #1 memmr"
Reply
#4
(10-14-2014, 11:51 AM)ByteCode Wrote:  
(10-13-2014, 09:50 PM)Bibl Wrote:  I wonder who wrote this code...

Do you not see the "bibl is #1 memmr"
Is that not implied?
Reply
#5
Good solution, we should try to figure out what obfuscator uses this method
Reply
#6
The static "z" field seems to faintly remind me of Zelix KlassMaster, but I'm not sure.
[Image: XARNhJ.png]
Reply
#7
(11-05-2014, 02:25 AM)GHzGangster Wrote:  The static "z" field seems to faintly remind me of Zelix KlassMaster, but I'm not sure.

It too reminded me to ZKM, however I feel that ZKM is more powerful obfuscation than this.
Reply
#8
The Eldevin linux loader - https://www.eldevin.com/download/linux uses the same obfuscator, so it's vulnerable to the same decryption technique.
Reply
#9
URM
this might not be a good idea.
someone could put some code in the <clinit> of a class and when you try to get the field value, it will load the code and run it, so they could add dummy classes which download viruses or fuck some other shit up
Reply
#10
(05-22-2015, 11:24 PM)Bibl Wrote:  URM
this might not be a good idea.
someone could put some code in the <clinit> of a class and when you try to get the field value, it will load the code and run it, so they could add dummy classes which download viruses or fuck some other shit up
Aye, keep this in mind whenever you load any classes into a classloader.
Reply
 


Forum Jump:


Users browsing this thread: 2 Guest(s)

About The Bytecode Club

We're a community forum focused on Reverse Engineering, we try to target Java/Android but we also include other langauges/platforms. We pride ourselves in supporting and free and open sourced applications.

Website