Closed MizzMaster closed 4 years ago
That looks like Radon (https://github.com/itzsomebody/radon) obfuscator.
I read some, but I couldn't figure out which executions I should use when I deobfuscate. I am new to these topics, like which obfuscator does what, and deobfuscation tactics. I know that this issue refers to "What obfuscator was used", but can you help me find the correct list and order of executions?
There currently aren't any executions for Radon, although there are some generic deobfuscations you can perform (flow). I also think the DashO string deobfuscator could work with Radon too.
DashO string deobfuscator works perfectly! Thanks
I searched a bit about invokedynamic and MethodHandles, and looked at README.md again.
Does Radon obfuscate methods like Paramorphism? In this repository's README, there is a picture below Paramorphism.
https://camo.githubusercontent.com/70f58345a6f087d7f5f486bff1fdd86bfebd2e28/68747470733a2f2f692e696d6775722e636f6d2f6e65746c45676c2e706e67
They look similar to each other (ConstantCallSite, Lookups, etc.), so I tried to run with these executions (after DashO string):
Remove bad attributes (Paramorphism)
Access obfuscation removal (Paramorphism)
but it says "No access obfuscation matching Paramorphism 2.1 have been found!"
I also tried all generic and access executions one by one, but nothing changed.
So, you said that
There currently aren't any executions for Radon.
Will they be added in the future? Thanks a lot for helping!
Paramorphism's invokedynamic obfuscation is similar, but not the same. Radon will be added to the TO-DO list. ;)
If you're looking to deobfuscate Radon, java-deobfuscator should be able to help you. https://github.com/java-deobfuscator/deobfuscator
Finally, I could deobfuscate that jar using both Java-Deobfuscator and ThreadTear. Thank you all for replying and helping!
Hello, I'm trying to deobfuscate a .jar file that contains encrypted method calls and strings, but I couldn't find the correct executions. I tried almost all of the execution options (not all of them at the same time), but I still can't get what I expect. (Maybe I am expecting more than this program does; anyway, there is a huge amount of effort behind building this.)
Can someone help me to find the correct executions list?
Here is the stringdecryptor class:
This basically does an exclusive OR (XOR) between the decrypted string and the given key to convert the string char by char.
I changed some of the method names (and the class name too) to make it human readable. In the original version, it contains HashMap functions to store already decrypted strings and return them back.
Here is the MethodCallerClass thing that I don't know how to name. I rewrote some of the variable names and I parsed it into parts:
The creation of variables and arrays to work with: https://i.hizliresim.com/Isl2z2.png
The while loops that do XOR with the specified keys (char by char): https://i.hizliresim.com/D1O4kn.png
The actual caller thing (ConstantCallSite, MethodHandles, etc.): https://i.hizliresim.com/jZxz0j.png
Here are examples of how these things work:
stringdecryptor.Decrypt("\u3837\u3832\u3839\u3829\u383a\u3829\u3832\u383e\u3828", -214419365);
is equivalent to: "libraries"
The MethodCaller class behaves strangely, just look at the arguments:
sdeg$wxOw.lOkD("\u2007\u2009\u2006\u200a", 0, "\u0474\u0466\u0457\u0446", "\u0784\u0793\u079b\u0799\u0780\u0793\u07b0\u0799\u079a\u0792\u0793\u0784", "\u07a0\u07c4\u07e2\u07e9\u07fe\u07e9\u07a7\u07e1\u07e7\u07a7\u07ce\u07e1\u07e4\u07ed\u07b3\u07a1\u07de", randomPath);
is equivalent to: qcRC.removeFolder(randomPath);
because 0 means it's a static method and there is one argument after the "method caller class's own arguments".
sdeg$wxOw.lOkD("\u2008\u200c\u200a\u200d", 1, "\u046f\u0464\u0473\u0464\u042b\u046c\u046a\u042b\u0443\u046c\u0469\u0460", "\u0782\u0799\u07a3\u07a4\u07bf", "\u07a0\u07a1\u07c4\u07e2\u07e9\u07fe\u07e9\u07a7\u07e6\u07ed\u07fc\u07a7\u07dd\u07da\u07c1\u07b3", file);
is equivalent to: file.toURI()
because 1 means it's a virtual method and there are no arguments given after the file object.
There are a few little encryption-decryption methods for specific things in the jar file, but they are not as important as these ones and they are easy to solve. (I think they were written by hand.)
Is there an execution that deobfuscates this type of jar file?
Btw, if the photo links are gone, tell me and I will reupload them.
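As an added example, not code from this issue, from Radon, or from the deobfuscator project: a small Java program that reconstructs the two mechanisms described in the post above, checked against the samples it gives. In the string decryptor, the per-char mask is the low 16 bits of the int key (-214419365 is 0xF338385B; XORing each char of the first sample with 0x385B yields "libraries"). In the MethodCaller, the three encrypted strings after the kind flag decrypt with three fixed per-position masks (0x0405, 0x07F6, 0x0788) to the owner class, the method name and the JVM descriptor: qcRC / removeFolder / (Ljava/io/File;)V for the static sample and java.io.File / toURI / ()Ljava/net/URI; for the virtual one. How the real jar derives those masks, and what the first (whitespace-looking) string argument encodes, is not visible in the post, so the constant masks and the names decrypt, describe and invoke are assumptions of this example.

```java
import java.io.File;
import java.lang.invoke.ConstantCallSite;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.util.HashMap;
import java.util.Map;

public class RadonLikeDecryptDemo {

    // Part 1: string decryptor. Each stored char is XORed with the int key; the cast
    // to char keeps only the low 16 bits, so the effective mask for key -214419365
    // (0xF338385B) is 0x385B. Verified against the post's "libraries" sample.
    private static final Map<String, String> CACHE = new HashMap<>(); // mirrors the HashMap in the original

    static String decrypt(String enc, int key) {
        String hit = CACHE.get(enc);
        if (hit != null) return hit;
        char[] out = new char[enc.length()];
        for (int i = 0; i < out.length; i++) {
            out[i] = (char) (enc.charAt(i) ^ key);
        }
        String dec = new String(out);
        CACHE.put(enc, dec);
        return dec;
    }

    // Part 2: the MethodCaller. Argument layout follows the post:
    //   (tag, kind, ownerClassEnc, methodNameEnc, descriptorEnc, callArgs...)
    // kind 0 = static (all callArgs are parameters), kind 1 = virtual (callArgs[0] is the receiver).
    // ASSUMPTION: the three masks are constants recovered from the post's samples; the real
    // jar may derive them (possibly from the unused "tag" string), which is not shown.
    private static final int OWNER_MASK = 0x0405; // -> "qcRC", "java.io.File"
    private static final int NAME_MASK  = 0x07F6; // -> "removeFolder", "toURI"
    private static final int DESC_MASK  = 0x0788; // -> "(Ljava/io/File;)V", "()Ljava/net/URI;"

    // What a deobfuscator wants: the direct target a lOkD call site should be rewritten to.
    static String describe(int kind, String ownerEnc, String nameEnc, String descEnc) {
        return (kind == 0 ? "static " : "virtual ")
                + decrypt(ownerEnc, OWNER_MASK) + "." + decrypt(nameEnc, NAME_MASK) + decrypt(descEnc, DESC_MASK);
    }

    // Runtime resolution the way the obfuscated caller does it: Lookup -> MethodHandle -> ConstantCallSite.
    static Object invoke(String tag, int kind, String ownerEnc, String nameEnc, String descEnc, Object... callArgs)
            throws Throwable {
        Class<?> owner = Class.forName(decrypt(ownerEnc, OWNER_MASK));
        String name = decrypt(nameEnc, NAME_MASK);
        MethodType type = MethodType.fromMethodDescriptorString(
                decrypt(descEnc, DESC_MASK), RadonLikeDecryptDemo.class.getClassLoader());
        MethodHandles.Lookup lookup = MethodHandles.lookup();
        MethodHandle target = (kind == 0) ? lookup.findStatic(owner, name, type)
                                          : lookup.findVirtual(owner, name, type); // receiver is callArgs[0]
        ConstantCallSite site = new ConstantCallSite(target);
        return site.dynamicInvoker().invokeWithArguments(callArgs);
    }

    public static void main(String[] args) throws Throwable {
        // Sample 1 from the post: stringdecryptor.Decrypt(..., -214419365) -> "libraries"
        System.out.println(decrypt("\u3837\u3832\u3839\u3829\u383a\u3829\u3832\u383e\u3828", -214419365));

        // Sample 2 from the post (kind 0): qcRC is not present here, so only print the resolved target.
        System.out.println(describe(0, "\u0474\u0466\u0457\u0446",
                "\u0784\u0793\u079b\u0799\u0780\u0793\u07b0\u0799\u079a\u0792\u0793\u0784",
                "\u07a0\u07c4\u07e2\u07e9\u07fe\u07e9\u07a7\u07e1\u07e7\u07a7\u07ce\u07e1\u07e4\u07ed\u07b3\u07a1\u07de"));

        // Sample 3 from the post (kind 1): java.io.File exists, so this really calls file.toURI().
        File file = new File("demo.txt"); // constructed sample receiver
        Object uri = invoke("\u2008\u200c\u200a\u200d", 1,
                "\u046f\u0464\u0473\u0464\u042b\u046c\u046a\u042b\u0443\u046c\u0469\u0460",
                "\u0782\u0799\u07a3\u07a4\u07bf",
                "\u07a0\u07a1\u07c4\u07e2\u07e9\u07fe\u07e9\u07a7\u07e6\u07ed\u07fc\u07a7\u07dd\u07da\u07c1\u07b3",
                file);
        System.out.println(uri);
    }
}
```

Once the masks are known, every sdeg$wxOw.lOkD call site can be rewritten statically to the direct invocation that describe prints (owner, name and descriptor are all constants at the call site, and the kind flag fixes whether the first trailing argument is the receiver), which is the transformation a custom execution or a java-deobfuscator/ThreadTear transformer performs.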