java-deobfuscator / deobfuscator

The real deal
https://javadeobfuscator.com
Apache License 2.0

Failed to deobfuscate DexProtector #181

Open iamcsharper opened 6 years ago

iamcsharper commented 6 years ago

[main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading classpath
[main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading input
[main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Computing callers
[main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Transforming
[main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Running com.javadeobfuscator.deobfuscator.transformers.stringer.StringEncryptionTransformer
[Stringer] [StringEncryptionTransformer] Starting
[Stringer] [StringEncryptionTransformer] Found 33 encrypted strings

Deobfuscation failed. Please open a ticket on GitHub and provide the following error:
java.lang.IllegalArgumentException: argument type mismatch
        at java.lang.reflect.Array.set(Native Method)
        at com.javadeobfuscator.deobfuscator.executor.MethodExecutor.executeArrayStore(MethodExecutor.java:179)
        at com.javadeobfuscator.deobfuscator.executor.MethodExecutor.execute(MethodExecutor.java:519)
        at com.javadeobfuscator.deobfuscator.executor.MethodExecutor.execute(MethodExecutor.java:76)
        at com.javadeobfuscator.deobfuscator.executor.defined.MappedMethodProvider.invokeMethod(MappedMethodProvider.java:54)
        at com.javadeobfuscator.deobfuscator.executor.providers.DelegatingProvider.invokeMethod(DelegatingProvider.java:35)
        at com.javadeobfuscator.deobfuscator.executor.MethodExecutor.execute(MethodExecutor.java:1306)
        at com.javadeobfuscator.deobfuscator.executor.MethodExecutor.execute(MethodExecutor.java:76)
        at com.javadeobfuscator.deobfuscator.transformers.stringer.StringEncryptionTransformer.decrypt(StringEncryptionTransformer.java:331)
        at com.javadeobfuscator.deobfuscator.transformers.stringer.StringEncryptionTransformer.transform(StringEncryptionTransformer.java:50)
        at com.javadeobfuscator.deobfuscator.Deobfuscator.runFromConfig(Deobfuscator.java:302)
        at com.javadeobfuscator.deobfuscator.Deobfuscator.start(Deobfuscator.java:262)
        at com.javadeobfuscator.deobfuscator.DeobfuscatorMain.run(DeobfuscatorMain.java:112)
        at com.javadeobfuscator.deobfuscator.DeobfuscatorMain.main(DeobfuscatorMain.java:50)

samczsun commented 6 years ago

Gotta provide the sample

iamcsharper commented 6 years ago

Okay, here's my archive, which includes all the necessary files for testing and reproducing the error:

ThisTestUser commented 6 years ago

It doesn't look like Stringer, but it looks similar (DexProtector?)

iamcsharper commented 6 years ago

Yes, I've thought tough about it though. Is it possible to simplify all this trash a bit into something readable using java-deobfuscator?

ThisTestUser commented 6 years ago

Yeah, but you could do this yourself by decompiling the code using FernFlower and then pasting the strings to manually decrypt them.

iamcsharper commented 6 years ago

Thanks, I'll have a closer look at FernFlower.

samczsun commented 6 years ago

I've got a couple minutes to take a look. If it's a nice simple pattern it shouldn't be too hard to write a custom transformer

samczsun commented 6 years ago

Protected-Notice: AV contact email - primary@licelus.com
APK-Signature: 3OdnAbLchSvukQ0NdHXE45sd+wuHtxh21EZIy8GBa7sBMTR6
Created-By: 1.0 (Android)
Protected-By: 6.5.7 DexProtector (20160809)

It is DexProtector... a really old version though. Probably a cracked copy floating around
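The manifest check from the comment above, as an added example that is not part of the thread or of java-deobfuscator: it reads `META-INF/MANIFEST.MF` from an archive, unfolds wrapped header lines and reports the `Protected-By` header. The function names, the version/product/build split and the sample archive are assumptions made for illustration; only the header values come from the thread.

```python
import io
import re
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"
# Assumed shape "<version> <product> (<build>)", inferred from the one header quoted above.
MARKER_RE = re.compile(r"^(\S+)\s+(.+?)\s+\((\d+)\)$")

def parse_main_section(text):
    """Return the main-section headers of a JAR manifest as a dict."""
    headers, last = {}, None
    for line in text.splitlines():
        if not line:
            if headers:
                break  # the first blank line ends the main section
            continue
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]  # continuation of a wrapped value
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip()
            headers[last] = value.lstrip(" ")
    return headers

def identify_protector(apk_bytes):
    """Report the Protected-By manifest header of an APK/JAR, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if MANIFEST_PATH not in zf.namelist():
            return None
        text = zf.read(MANIFEST_PATH).decode("utf-8", errors="replace")
    marker = parse_main_section(text).get("Protected-By")
    if marker is None:
        return None
    m = MARKER_RE.match(marker)
    version, product, build = m.groups() if m else (None, None, None)
    return {"raw": marker, "version": version, "product": product, "build": build}

def build_sample_apk():
    """Constructed archive: header values from the thread, line wrap added on purpose."""
    manifest = (
        "Manifest-Version: 1.0\r\nCreated-By: 1.0 (Android)\r\n"
        "Protected-By: 6.5.7 DexProt\r\n ector (20160809)\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_PATH, manifest)
    return buf.getvalue()
```

Running this before choosing a transformer shows whether the sample is actually the obfuscator the transformer targets; an archive without the header returns `None` and needs other identification.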

samczsun commented 6 years ago

Looks simple enough. I'll probably have more time to look at this over the weekend, but if you want to get started by yourself feel free to make the following modification locally:

Change the string here to (Ljava/lang/String;)Ljava/lang/String; and add a nullcheck after this line. Then you should be all set to decrypt the strings.

In the long term it looks like there's some Android-specific obfuscation going on here. Not sure how I want to approach this as the conversion from apk -> jar is pretty lossy

iamcsharper commented 6 years ago

Yes, thanks a lot for the feedback. I'll try to solve this in parallel with you and maybe will send a pull request.

samczsun commented 6 years ago

I'm good at this "identifying obfuscators thing" trust me

ThisTestUser commented 6 years ago

observerDeob.zip I deobbed the main class for you, but there's not anything else to deobfuscate though.

EtherealCod3 commented 6 years ago

Same exact error as @iamcsharper reported. My jar file is odexed from a classes.dex file (android apk)

Applied the modifications suggested by @samczsun here but still crashes trying.

Available to share a sample or talk about it privately, then committing changes in public source, could be a good chance to add another obfuscator to the list.

ThisTestUser commented 6 years ago

You could do that, but remember that dex2jar doesn't work perfectly, and if the bytecode is broken, there's no way for it to be deobfuscated.

EtherealCod3 commented 6 years ago

@ThisTestUser Yes, I know, and in this specific case dex2jar also failed to get a good jar file. Still I am unable to deobfuscate the strings and I'm at a dead end. Have you had some success against it?

ThisTestUser commented 6 years ago

I don't know what your sample is, so I don't know.

febryanasaperdana commented 3 years ago

> Looks simple enough. I'll probably have more time to look at this over the weekend, but if you want to get started by yourself feel free to make the following modification locally:
>
> Change the string here to (Ljava/lang/String;)Ljava/lang/String; and add a nullcheck after this line. Then you should be all set to decrypt the strings.

I've just tried to deobfuscate my APK that is protected with DexProtector 10 (maximum protection setting/config), and then convert the DEX to JAR with dex2jar and enjarify. I think DEX to JAR conversion is very lossy, since the DEX file is actually in the Dalvik bytecode format, not Java bytecode, hence there must be some "difference", and that's why it's lossy. Nevertheless, DexProtector encrypts/protects the classes/original DEX file, so deobfuscating the JAR/APK will still give a useless result/output.

I think java-deobfuscator is best used with a true Java app. For an Android app, you can look at other approaches, such as trying to dynamically analyze and hook the app and then dump the class, but you should proceed with caution and only if you are authorized to do that.