java-deobfuscator / deobfuscator

The real deal
https://javadeobfuscator.com
Apache License 2.0

String deobfuscating an enjarified app #619

Closed SnazzySnorlax closed 4 years ago

SnazzySnorlax commented 4 years ago

I'm trying to deobfuscate the classes in com/apiguard3, oooooo/, nnnnnn/ (which includes the string decryption classes and methods) in the attached jar (which is actually just an APK that I ran through enjarify). It seems like it's a custom obfuscator. There's no flow obf or number obf, so it's pretty readable, but there's string obf (methods that take a string and 1 to 3 chars and return the actual string), and there's reflection obf (it's just normal reflection calls to class.getMethod and invoke, but the method names are string encrypted). I tried copying one of the simpler string transformers already in here and editing it to fit this one, but it always decrypts the strings as an empty string for some reason. I would really appreciate any help in either deobfuscating it, or just a nudge as to why my transformer always decrypts them as empty strings. Thanks in advance.

Jar: https://filebin.net/429kobwkfwbbmcdm/apk_obf.jar?t=q4kn2vme
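
An added example, not code from the deobfuscator project or from this thread: a plain-Java filter that recognises the decryptor signatures described above (a String followed by 1 to 3 chars, returning String), so that every variant is matched instead of a single hard-coded descriptor. The class and method names are hypothetical, the sample descriptors are constructed, and the String-first argument order is an assumption taken from the descriptor `(Ljava/lang/String;CC)Ljava/lang/String;` quoted later in the thread.

```java
import java.util.ArrayList;
import java.util.List;

public class DecryptorDescriptorFilter {
    static final String STRING = "Ljava/lang/String;";

    // Reads one type starting at 'start', appends it to 'out', returns the next index.
    static int readType(String desc, int start, List<String> out) {
        int i = start;
        while (i < desc.length() && desc.charAt(i) == '[') i++; // array dimensions
        if (i >= desc.length()) throw new IllegalArgumentException("truncated: " + desc);
        if (desc.charAt(i) == 'L') {
            i = desc.indexOf(';', i); // an object type ends at ';'
            if (i < 0) throw new IllegalArgumentException("unterminated type: " + desc);
        } else if ("BCDFIJSZV".indexOf(desc.charAt(i)) < 0) {
            throw new IllegalArgumentException("bad type char: " + desc);
        }
        out.add(desc.substring(start, i + 1));
        return i + 1;
    }

    // Returns the parameter types, with the return type as the last element.
    static List<String> parseDescriptor(String desc) {
        int close = desc.indexOf(')');
        if (close < 1 || desc.charAt(0) != '(')
            throw new IllegalArgumentException("not a method descriptor: " + desc);
        List<String> types = new ArrayList<>();
        int i = 1;
        while (i < close) i = readType(desc, i, types);
        if (i != close || readType(desc, close + 1, types) != desc.length())
            throw new IllegalArgumentException("malformed: " + desc);
        return types;
    }

    // True for (String, 1..3 chars) -> String. String-first order is an assumption.
    static boolean isCandidateDecryptor(String desc) {
        List<String> t = parseDescriptor(desc);
        int params = t.size() - 1; // the last element is the return type
        if (params < 2 || params > 4) return false;
        if (!STRING.equals(t.get(0)) || !STRING.equals(t.get(params))) return false;
        for (int k = 1; k < params; k++) if (!"C".equals(t.get(k))) return false;
        return true;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed sample descriptors
            "(Ljava/lang/String;C)Ljava/lang/String;", "(Ljava/lang/String;CC)Ljava/lang/String;",
            "(Ljava/lang/String;CCC)Ljava/lang/String;", "(Ljava/lang/String;CCCC)Ljava/lang/String;",
            "(Ljava/lang/String;I)Ljava/lang/String;", "(Ljava/lang/String;)V" };
        for (String d : samples) System.out.println(isCandidateDecryptor(d) + "  " + d);
    }
}
```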

ThisTestUser commented 4 years ago

Make sure you are editing the latest version of deobfuscator, and also make sure the methods are defined here: https://github.com/java-deobfuscator/deobfuscator/blob/master/src/main/java/com/javadeobfuscator/deobfuscator/executor/defined/JVMMethodProvider.java

SnazzySnorlax commented 4 years ago

It was indeed missing 3 methods (a string constructor, a collections method, and a class method), but it's still giving out empty strings.

ThisTestUser commented 4 years ago

If you want me to take a look at the file, upload the JAR file again and tell me what changes you made to the transformers.

SnazzySnorlax commented 4 years ago

Jar: https://filetransfer.io/data-package/Ar019crP

Transformer: Exact same as Radon V2 String, but changed for the method description of (Ljava/lang/String;CC)Ljava/lang/String; and (Ljava/lang/String;CC)Ljava/lang/String;

Changes to JVMMethodProvider: Added this constructor to java/lang/String:

put("<init>(Ljava/lang/String;)V", (targetObject, args, context) -> {
        expect(targetObject, "java/lang/String");
        targetObject.initialize(new String(args.get(0).as(String.class)));
        return null;
});

Added this constructor to java/lang/Character:

put("<init>(C)V", (targetObject, args, context) -> {
        expect(targetObject, "java/lang/Character");
        targetObject.initialize(new Character((char) args.get(0).intValue()));
        return null;
});

Added this method to java/lang/Class:

put("desiredAssertionStatus()Z", (targetObject, args, context) -> false);

Also added this:

put("java/util/Collections", new HashMap<String, Function3<JavaValue, List<JavaValue>, Context, Object>>() {{
    put("shuffle(Ljava/util/List;Ljava/util/Random;)V", (targetObject, args, context) -> {
        Collections.shuffle(args.get(0).as(List.class), args.get(1).as(Random.class));
        return null;
    });
}});

ThisTestUser commented 4 years ago

Make sure you're editing on the latest version of deobfuscator. It should throw errors instead.

SnazzySnorlax commented 4 years ago

> Make sure you're editing on the latest version of deobfuscator. It should throw errors instead.

It isn't throwing an exception for me, but I am on the latest version. I noticed I forgot to send one of the things: I changed "add" under ArrayList to this:

put("add(Ljava/lang/Object;)Z", (targetObject, args, context) -> targetObject.as(ArrayList.class).add(args.get(0).value()));

ThisTestUser commented 4 years ago

The string encryption looks like it has some interface calls, so it probably won't run on MethodExecutor.

SnazzySnorlax commented 4 years ago

What would be the best way to do this then?

ThisTestUser commented 4 years ago

You can look at this transformer (https://github.com/java-deobfuscator/deobfuscator/blob/master/src/main/java/com/javadeobfuscator/deobfuscator/transformers/dasho/string/StringEncryptionTransformer.java) for guidance.

SnazzySnorlax commented 4 years ago

Switched to using the javavm thing, but it didn't help; it produces empty strings as well.

ThisTestUser commented 4 years ago

Try printing out consensus.get() here (https://github.com/java-deobfuscator/deobfuscator/blob/master/src/main/java/com/javadeobfuscator/deobfuscator/transformers/dasho/string/StringEncryptionTransformer.java#L78) and tell me what you get.

SnazzySnorlax commented 4 years ago

e49:J8=>Nݒ=BCSAFGWEJK[
255
4

Here's an example of one of the outputs.

ThisTestUser commented 4 years ago

It looks like the string decryptor may be bugged (converting APKs to JARs is a bit buggy), or there might be something called before the strings are decrypted. Either way, I cannot help you with this.

SnazzySnorlax commented 4 years ago

ok, thanks anyways