java-deobfuscator / deobfuscator

The real deal
https://javadeobfuscator.com
Apache License 2.0

net/minecraft/client/Minecraft could not be found #859

Closed KTibow closed 2 years ago

KTibow commented 2 years ago

I'm trying to deobfuscate a virus Minecraft mod (obfuscated with Branchlock; I'm just using Allatori because I don't know what else to use, given that I haven't had any successful runs). Here's a link to the jar. However, I'm getting this in my log:

    [main] WARN com.javadeobfuscator.deobfuscator.DeobfuscatorMain - The specified output JAR already exists!
    [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading classpath
    [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading input
    [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Computing callers
    [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Transforming
    [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Running com.javadeobfuscator.deobfuscator.transformers.allatori.FlowObfuscationTransformer
    [Allatori] [FlowObfuscationTransformer] Starting
    [Allatori] [FlowObfuscationTransformer] Fixed 29 instructions
    [Allatori] [FlowObfuscationTransformer] Done
    [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Writing
    Error: net/minecraft/client/Minecraft could not be found while writing b/HT. Using COMPUTE_MAXS

Here's my config file for context:

    input: SkyblockToolkit+2021.3.jar
    output: output.jar
    transformers:
      - allatori.FlowObfuscationTransformer
    libraries:
      - "/home/kendell/.minecraft/runtime/jre-legacy/linux/jre-legacy/lib/rt.jar"
      - "/home/kendell/.minecraft/libraries/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar"
      - "/home/kendell/.minecraft/libraries/org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar"
Any clues for where I can find a jar I can use for the libraries?

Janmm14 commented 2 years ago

Probably in .minecraft/versions

KTibow commented 2 years ago

Tried that before, it didn't work (still doesn't). (Also, if I need to use the Forge version, I don't see any jars, just a JSON file.)

Janmm14 commented 2 years ago

Yeah, for Forge the process of getting the right jar files is quite bad, also because of the transformations. For Forge you need the dev environment for that version and then you need to find the remapped jar.

KTibow commented 2 years ago

If you'd be willing to elaborate, do you mean the MDK by the dev environment? And then, how would I find the remapped jar?

Janmm14 commented 2 years ago

I just looked for jars, then I looked if they contain the classes I was looking for. I think with earlier Forge these jars are more hidden than in newer Forge. I can't help you further as I just deobfuscated a Forge mod once and that's already quite some time ago.
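
The search described in the comment above (look through jars for the class named in the error), as an added example that is not part of the thread or of the deobfuscator project: it reads the missing class from the writer error in the log and lists the jars that contain it under exactly that name. The jar file names and the `bao.class` entry are constructed sample data.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Writer error format as it appears in the log in this thread.
MISSING_RE = re.compile(r"^Error: (\S+) could not be found while writing \S+\.", re.M)

def missing_classes(log_text):
    """Internal class names the writer could not resolve, in first-seen order."""
    return list(dict.fromkeys(MISSING_RE.findall(log_text)))

def jars_providing(class_name, search_root):
    """Paths of jars under search_root holding class_name under exactly that name."""
    entry = class_name + ".class"
    hits = []
    for jar in sorted(Path(search_root).rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if entry in zf.namelist():
                    hits.append(str(jar))
        except (zipfile.BadZipFile, OSError):
            continue  # truncated or unreadable archive: not a usable library
    return hits

def demo():
    """Constructed sample: one jar with short obfuscated names, one remapped, one corrupt."""
    log = ("[main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Writing\n"
           "Error: net/minecraft/client/Minecraft could not be found while writing b/HT. Using COMPUTE_MAXS\n")
    root = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(root / "obfuscated-names.jar", "w") as zf:
        zf.writestr("bao.class", b"")  # constructed entry name
    with zipfile.ZipFile(root / "remapped-names.jar", "w") as zf:
        zf.writestr("net/minecraft/client/Minecraft.class", b"")
    (root / "broken.jar").write_bytes(b"not a zip")
    return {cls: jars_providing(cls, root) for cls in missing_classes(log)}

if __name__ == "__main__":
    for cls, jars in demo().items():
        print(cls, "->", jars or "no jar found")
```

Point `jars_providing` at `~/.minecraft` or a Forge dev environment and add any jar it returns to `libraries:` in the config; a jar whose classes are stored under other names will not be listed.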

KTibow commented 2 years ago

Oh, I finally got it to work! I used deobfed.jar.

KTibow commented 2 years ago

While you're here, do you know of any transformers for unicode characters? eg

      char[] var0 = "ลົÄPJ·\u0097WJິÑ\\CåÍ\bOí\u0ebaJC¯\u0088\u001e\u0015ົÊW\u0016µÅW\u0015\u0ebfÅ\u000f\u001eິÑ\u0006\u0015´\u009aTC±ິ\u0013\u0015ïÊ\f\u0010»\u0097\u0ebf\u0014²Í\u0ebaR¹\u008fJ\u0006îົ\u000fA®\u009a\\@µ".toCharArray();

Janmm14 commented 2 years ago

> While you're here, do you know of any transformers for unicode characters? eg
>
>       char[] var0 = "ลົÄPJ·\u0097WJິÑ\\CåÍ\bOí\u0ebaJC¯\u0088\u001e\u0015ົÊW\u0016µÅW\u0015\u0ebfÅ\u000f\u001eິÑ\u0006\u0015´\u009aTC±ິ\u0013\u0015ïÊ\f\u0010»\u0097\u0ebf\u0014²Í\u0ebaR¹\u008fJ\u0006îົ\u000fA®\u009a\\@µ".toCharArray();

Unicode characters are used by many different string obfuscators. Did you try the detect feature?

KTibow commented 2 years ago

Yes, it didn't help that much, it only recommended the source file transformer. I know it was obfuscated with Branchlock.

Janmm14 commented 2 years ago

Well, this project does not have a transformer for Branchlock. You have two options: either you can attempt to write your own transformer for the obfuscation, or you hope someone like thistestuser looks at this issue and deobfuscates privately and posts the jar here.

KTibow commented 2 years ago

Someone else did give me a transformer file, but I have no idea how to use it.

Janmm14 commented 2 years ago

@KTibow #858

KTibow commented 2 years ago

> specify the full package.class name in the config

How exactly do I do that?

pallavbs2 commented 2 years ago

> Someone else did give me a transformer file, but I have no idea how to use it.

Could you send the transformer file? Also trying to deobf branchlock.

KTibow commented 2 years ago

No idea if this will work @pallavbs2

    // Imports added on the assumption that the instruction and method node types are
    // ASM's tree API. The other types (IClassNodeTransformer, ClassNodeImpl, MemberReference,
    // MemberReferenceFactory, IVirtualMachine, VirtualMachineImpl) belong to a framework
    // that is not shown in this thread, so no imports are given for them.
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Optional;

    import org.objectweb.asm.tree.AbstractInsnNode;
    import org.objectweb.asm.tree.FieldInsnNode;
    import org.objectweb.asm.tree.LdcInsnNode;
    import org.objectweb.asm.tree.MethodInsnNode;
    import org.objectweb.asm.tree.MethodNode;

    import static org.objectweb.asm.Opcodes.*;

    public final class TransformerBranchlockCompatibilityString implements IClassNodeTransformer {
        @Override
        public final void transform(final ClassNodeImpl target) {
            // Locate the static String[] field that <clinit> fills with the string pool.
            final MemberReference fieldReference = getBranchlockStringPool(target);
            if (fieldReference == null)
                return;
            for (final MethodNode methodNode : target.methods) {
                if (methodNode.instructions == null)
                    continue;
                if (methodNode.name.equals("<clinit>"))
                    continue;
                for (final AbstractInsnNode instruction : methodNode.instructions.toArray()) {
                    if (instruction instanceof FieldInsnNode && instruction.getOpcode() == GETSTATIC) {
                        final FieldInsnNode fieldInstruction = (FieldInsnNode) instruction;
                        if (fieldReference.equals(MemberReferenceFactory.create(fieldInstruction))) {
                            final List<AbstractInsnNode> instructions = getInstructionsToEmulate(instruction);
                            if (instructions == null)
                                continue;
                            try {
                                // Emulate the pool lookup and replace it with the resulting constant.
                                final IVirtualMachine virtualMachine = new VirtualMachineImpl(instructions);
                                virtualMachine.run();
                                final String decrypted = (String) virtualMachine.getStack().pop();
                                System.out.println("DECRYPTED: " + decrypted);
                                methodNode.instructions.insert(instruction, new LdcInsnNode(decrypted));
                                instructions.forEach(insnNode -> methodNode.instructions.remove(insnNode));
                            } catch (Throwable e) {
                                e.printStackTrace();
                            }
                        }
                    }
                }
            }
        }

        // Collects the instructions from the GETSTATIC up to and including the next AALOAD.
        private static List<AbstractInsnNode> getInstructionsToEmulate(AbstractInsnNode instruction) {
            final List<AbstractInsnNode> instructions = new ArrayList<>();
            while (instruction != null && instruction.getOpcode() != AALOAD) {
                instructions.add(instruction);
                instruction = instruction.getNext();
            }
            if (instruction == null)
                return null;
            instructions.add(instruction);
            return instructions;
        }

        // Returns the first String[] field written by <clinit>, or null if there is none.
        private static MemberReference getBranchlockStringPool(final ClassNodeImpl classNode) {
            final Optional<MethodNode> staticBlockOptional = classNode.methods.stream().filter(methodNode -> methodNode.name.equals("<clinit>")).findFirst();
            if (!staticBlockOptional.isPresent())
                return null;
            final MethodNode staticBlock = staticBlockOptional.get();
            boolean hasStackTrace = false;
            for (final AbstractInsnNode instruction : staticBlock.instructions) {
                if (!hasStackTrace && instruction instanceof MethodInsnNode) {
                    final MethodInsnNode methodInstruction = (MethodInsnNode) instruction;
                    if (methodInstruction.owner.equals("java/lang/StackTraceElement") && methodInstruction.name.equals("getMethodName"))
                        hasStackTrace = true;
                }
                else if (instruction instanceof FieldInsnNode && instruction.getOpcode() == PUTSTATIC) {
                    final FieldInsnNode fieldInstruction = (FieldInsnNode) instruction;
                    if (fieldInstruction.desc.equals("[Ljava/lang/String;"))
                        return MemberReferenceFactory.create(fieldInstruction);
                }
            }
            return null;
        }
    }

Janmm14 commented 2 years ago

@KTibow Well this will at least never work with this deobfuscator because that transformer is obviously using another framework/library for deobfuscation.

Judging from Google and GitHub's code search, this seems to be part of some private project and in itself mostly useless.

Might be related to Forge and JDI (Java Debug Interface).

KTibow commented 2 years ago

Oh, didn't see that.