Open greenozon opened 2 years ago
I'd try right-clicking the radon transformer and changing its config options, for example try disabling fastIndy.
Otherwise the jar you sent is unfortunately incomplete, not all classes used during decryption are inside, so attempts in fixing this are not possible.
I think there might also be stringer involved here, judging on a not-sent-class-name.
If you cannot provide the full jar file while respecting #653, I cannot help you, maybe some other maintainer wants to but they are usually even less active here.
Thanks for fast reply! Could you shed some light on what is Indy feature in Radon?
I've turned off as you recommended (well, actually I did off the Indy, not fastIndy) and yeah, it did not crash now -
```
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading classpath
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading input
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Computing callers
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Transforming
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Running com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer
[Special] [RadonTransformer] Starting
[Special] [RadonTransformer] Removed 0 fake jump instructions
[Special] [RadonTransformer] Fixed 0 number instructions
[Special] [RadonTransformer] Unpooled 0 strings
[Special] [RadonTransformer] Decrypted 0 strings
[Special] [RadonTransformer] Removed 0 invokedynamic instructions
[Special] [RadonTransformer] Done
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Writing
```
the jar is indeed incomplete as I tried to narrow down the issue...
Could I ask more about dependent classes - does the tool require all of them in order to do the good job? for example, in the output I still see something I do not expect to see (not all strings decoded), eg:
cArray = (char[])ak$aS.p("jajpupujjnzav", 182, "java.lang.String", "toCharArray", "()[C", C.aX.aV. ((String)"䌐졕⼂뤎൧従铄櫨綛仅㹙⮩⏺⎶氽쇂률諍⇉瞢ǥ鷆챴䊚㪋꽑⹋淳ⱨ쾾壴睃村ᔵ붿곱皉⍆㻦庣࢙ೖ쮐羐롛囑ầ홡ꄎ洟䀉闎ꍵ哗촫伔아⤌餤褜줪걝닊ੁ鞰힋୍ዴ䊾醝诿赈㊬鉨쪚枪䳺㼘㻀鴂밮䮲⻢簾왻삳热醬ၰ싡䫑봻䔰࿙爍酈ಁ뫕牶⽎끟㯉碓�갓圑謿ꎐ", (int)-306229624));
If you turn off whole "indy" it just will not attempt to decrypt invokedynamic.
Yes, you are right, with just these two classes alone, the error does pop up and it is a legitimate error. I might create a pr to fix this in a couple days.
However there is still a layer of stringer below this, and that one would need additional classes.
Oh, I see, indy must be short for "Invoke dynamic" then :)
I don't have luck to run stringer though... each time I'm getting OOM. I've switched to command line mode and also started to use 64 bit java, as 32 bit does not allow to allocate even 1G...
one more question: how do I set the indy off in the detect.yml config file?
I've tried this one but it's not accepted...
```
transformers:
- com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer:indy=false
```
iirc in the config yml transformer options are like
```
transformer:
- xxx.yyy.zzz:
    indy: false
```
The gui config were originally the program arguments, how you start the deobfuscator, back then there were no transformer options. I think last year I added the transformer options to the gui.
You can also start the gui with increased xmx.
Running stringer transformer on the project as it's right now might not do much, because the radon stuff is still there.
Thanks! I might have missed that part how to customize some specific transformer in the .yml file
The GUI has a nice Save Config button, but for transformer customization it shows the format which is not OK for .yml
and about -Xmx - I'm having hard time setting this value in the GUI, each and every time it says OOM, so that's why I switched to the command line tool
Are you saying that I need to start the GUI passing -Xmx2G and this value will be propagated later on to transformers runs? or how should I set -Xmx in GUI?...
the config save button is only useful if you want to load it into the gui
Yes, the gui runs the deobfuscator in the same java process as itself, so when you start the gui with higher Xmx it also affects the deobfuscation.
Took me some time to figure out why yaml parser was not happy, it's all about indents :) valid format that worked in my case:
```
transformers:
- com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer:
      indy: false
```
there are 4 spaces from letter 'c' in com... to 'i' in indy :) TAB not accepted
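A small layout check for the `transformers:` block, added here as an example (it is not part of the thread or of the deobfuscator project). The function name `lint_transformer_config` and the sample configs are constructed; the rules are only the ones the posts above describe: options nested under the transformer name, spaces rather than tabs, and no `name:opt=value` form.

```python
import re

# "- Transformer:opt=value" on one line: the form the thread reports as not accepted.
INLINE_OPT = re.compile(r"^-\s*[\w.$]+:\s*\w[\w-]*\s*=")

def lint_transformer_config(text):
    """Return (line_no, message) pairs for layout mistakes in a transformers list."""
    problems = []
    name_col = None   # column where the current transformer name starts
    awaiting = False  # previous item ended with ':' so nested options must follow
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = line[:len(line) - len(line.lstrip())]
        if "\t" in indent:
            problems.append((no, "tab used for indentation"))
            continue
        if stripped.startswith("- "):
            name_col = len(indent) + 2
            awaiting = stripped.endswith(":")
            if INLINE_OPT.match(stripped):
                problems.append((no, "inline option, use a nested mapping"))
            continue
        nested = name_col is not None and len(indent) > name_col
        if awaiting and not nested:
            problems.append((no, "option not indented past the transformer name"))
        if not nested:
            name_col = None
        awaiting = False
    return problems

# Constructed samples using the transformer name from the thread.
NAME = "com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer"
SAMPLES = {
    "nested": f"transformers:\n- {NAME}:\n      indy: false\n",
    "inline": f"transformers:\n- {NAME}:indy=false\n",
    "flat":   f"transformers:\n- {NAME}:\nindy: false\n",
    "tabbed": f"transformers:\n- {NAME}:\n\tindy: false\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, lint_transformer_config(text))
```

The "flat" sample is still valid YAML, which is why it is worth checking for: the option becomes a top-level key instead of a transformer setting.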
@greenozon I merged Jan's PR that should fix this. Feel free to holler if it still doesn't work.
Thanks for update! one tricky question: how do you guys build the final jar? I tried to build it up in my fav. NetBeans, but all of a sudden I'm getting these 2 errors:
1) src\com\javadeobfuscator\deobfuscator\executor\defined\ReflectiveProvider.java:26: error: package sun.invoke.util does not exist import sun.invoke.util.BytecodeDescriptor;
2) src\com\javadeobfuscator\deobfuscator\executor\defined\ReflectiveProvider.java:58: error: cannot find symbol List<Class<?>> l = BytecodeDescriptor.parseMethod(methodDesc, ClassLoader.getSystemClassLoader()); symbol: variable BytecodeDescriptor location: class ReflectiveProvider
I'm using old good JDK 1.8.0.331 x32 with NB 12.6
Forgot to add that testing went fine - no exceptions at all (having indy flags on and off) Thanks!
One more question related to Radon transformation: why does it skip one class in the input jar (or if we rephrase - it does not write it into output jar)? e.g.:
left - input, right- output after running com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer
I think your JDK somehow does not expose sun.invoke.util for whatever reason. You can see how the jar is being built here: https://github.com/java-deobfuscator/deobfuscator/blob/latest/.github/workflows/automatic_release.yml
Alternatively just delete src\com\javadeobfuscator\deobfuscator\executor\defined\ReflectiveProvider.java.
The class is not used, and was meant for development only, as using it would allow code to escape the bytecode emulator.
The radon transformer thought that the class was originally added by the radon obfuscation: code
If that creates a potential problem later on when you try to remove BisGuard obfuscation, we could add options to the radon transformer to not delete methods / classes.
Thanks for reply just to close the question with sun.invoke.util
I'm using the standard JDK8 from Oracle (java -version java version "1.8.0_331" Java(TM) SE Runtime Environment (build 1.8.0_331-b09) Java HotSpot(TM) Client VM (build 25.331-b09, mixed mode) ) and in your provided .yml I see that this (specially crafted?) distribution being used
```
- name: Set up JDK 8
  uses: actions/setup-java@v2
  with:
    java-version: '8'
    distribution: 'adopt'
```
that exports sun.invoke.util?
2) about radon - I see now.. I don't know yet if that creates a potential problem, cause right now I'm working with BisGuard but the protected app happens to use javafx which is a show stopper... - why? cause it tries to load native libs -> boom
so I plan to unpack it by hands, radon already did a great job, but now I see that BG is a tricky guy, as it encrypts all the rest of app's classes and in order to get the decryption key it does very smart stuff - it enumerates all the classes/methods/fields and even reads out some info from Linenumbertable ...
so long story short - could we make sure that after radon's work that info is kept as is?
anyway, I've decompiled the BG service classes (shown on above pic) but I hit the error when it creates the decryption key... it just can't properly decrypt rest of classes -> stopper...
so one of my ideas was that it needs all the original classes (but now I'm not sure)
sorry for long writeup, just having no one to share thoughts with...
Java 8 from Oracle should expose those classes as well. Maybe these errors are from netbeans ide and not from maven build? Java 8 from adopt is basic openjdk.
Well you can try to edit the transformers yourself (and build it yourself). maybe also try bisguard transformer before radon.
BG has a stopper like this:
```
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading classpath
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading input
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Computing callers
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Transforming
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Running com.javadeobfuscator.deobfuscator.transformers.special.BisGuardTransformer
Deobfuscation failed. Please open a ticket on GitHub and provide the following error:
com.javadeobfuscator.javavm.exceptions.ExecutionException: UnsatisfiedLinkError: java/lang/ClassLoader$NativeLibrary load(Ljava/lang/String;ZZ)V
    at com.javadeobfuscator.javavm.VirtualMachine.execute(VirtualMachine.java:1209)
    at com.javadeobfuscator.javavm.VirtualMachine.internalExecute(VirtualMachine.java:1196)
    at com.javadeobfuscator.javavm.instructions.InvocationInstruction.execute(InvocationInstruction.java:96)
    ................
    at java.lang.Thread.run(Thread.java:750)
    Suppressed: com.javadeobfuscator.javavm.exceptions.ConvertedException: java.lang.Throwable: null
        at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1937)
        at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1841)
        at java.lang.Runtime.loadLibrary0(Runtime.java)
        at java.lang.System.loadLibrary(System.java:1122)
        at java.lang.System.initializeSystemClass(System.java:1197)
```
I've read in another issue that this is a show stopper, right?
Some errors during RADON1 deobfuscation:
https://www.sendspace.com/file/63xtq1
java -jar deobfuscator.jar -input C:\temp\deobfuscator\o.jar -output c:\temp\deobfuscator\o2.jar -transformer special.Radon -libraries C:\Java\jdk1.8.0_331\jre\lib\rt.jar