java-deobfuscator / deobfuscator

The real deal
https://javadeobfuscator.com
Apache License 2.0

java.lang.UnsupportedOperationException on radon v1 #921

Open greenozon opened 2 years ago

greenozon commented 2 years ago

Some errors during RADON1 deobfuscation:

[Thread-7] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading classpath
[Thread-7] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading input
[Thread-7] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Computing callers
[Thread-7] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Transforming
[Thread-7] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Running com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer
[Special] [RadonTransformer] Starting
com.javadeobfuscator.deobfuscator.executor.exceptions.ExecutionException: java.lang.UnsupportedOperationException @ o/ak$aS p(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;ILjava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/Object;
    at com.javadeobfuscator.deobfuscator.executor.values.JavaValue.intValue(JavaValue.java:33)
    at com.javadeobfuscator.deobfuscator.executor.MethodExecutor.execute(MethodExecutor.java:955)
    at com.javadeobfuscator.deobfuscator.executor.MethodExecutor.execute(MethodExecutor.java:76)
    at com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer.transform(RadonTransformer.java:558)
    at com.javadeobfuscator.deobfuscator.Deobfuscator.runFromConfig(Deobfuscator.java:477)
    at com.javadeobfuscator.deobfuscator.Deobfuscator.start(Deobfuscator.java:434)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.javadeobfuscator.deobfuscator.ui.wrap.Deobfuscator.run(Deobfuscator.java:84)
    at com.javadeobfuscator.deobfuscator.ui.SwingWindow.lambda$null$17(SwingWindow.java:1009)
    at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.UnsupportedOperationException
    ... 13 more
[Special] [RadonTransformer] Removed 0 fake jump instructions
[Special] [RadonTransformer] Fixed 0 number instructions
[Special] [RadonTransformer] Unpooled 0 strings
[Special] [RadonTransformer] Decrypted 0 strings
[Special] [RadonTransformer] Removed 0 invokedynamic instructions
[Special] [RadonTransformer] Done
[Thread-7] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Writing

https://www.sendspace.com/file/63xtq1

java -jar deobfuscator.jar -input C:\temp\deobfuscator\o.jar -output c:\temp\deobfuscator\o2.jar -transformer special.Radon -libraries C:\Java\jdk1.8.0_331\jre\lib\rt.jar

Janmm14 commented 2 years ago

I'd try right-clicking the radon transformer and changing its config options, for example try disabling fastIndy.

Otherwise the jar you sent is unfortunately incomplete, not all classes used during decryption are inside, so attempts at fixing this are not possible.

I think there might also be stringer involved here, judging by a not-sent-class-name.

If you cannot provide the full jar file while respecting #653, I cannot help you, maybe some other maintainer wants to but they are usually even less active here.

greenozon commented 2 years ago

Thanks for fast reply! Could you shed some light on what is Indy feature in Radon?

I've turned it off as you recommended (well, actually I turned off the Indy, not fastIndy) and yeah, it did not crash now -

[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading classpath
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading input
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Computing callers
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Transforming
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Running com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer
[Special] [RadonTransformer] Starting
[Special] [RadonTransformer] Removed 0 fake jump instructions
[Special] [RadonTransformer] Fixed 0 number instructions
[Special] [RadonTransformer] Unpooled 0 strings
[Special] [RadonTransformer] Decrypted 0 strings
[Special] [RadonTransformer] Removed 0 invokedynamic instructions
[Special] [RadonTransformer] Done
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Writing

the jar is indeed incomplete as I tried to narrow down the issue...

Could I ask more about dependent classes - does the tool require all of them in order to do the good job? for example, in the output I still see something I do not expect to see (not all strings decoded), eg:

    cArray = (char[])ak$aS.p("jajpupujjnzav", 182, "java.lang.String", "toCharArray", "()[C", C.aX.aV.    ((String)"䌐졕⼂뤎൧従铄櫨綛仅㹙⮩⏺⎶氽쇂률諍⇉瞢ǥ鷆챴䊚㪋꽑⹋淳ⱨ쾾壴睃村ᔵ붿곱皉⍆㻦庣࢙ೖ쮐羐롛囑ầ홡ꄎ洟䀉闎ꍵ哗૎촫伔아⤌餤褜줪걝닊ੁ鞰힋୍ዴ䊾醝诿赈㊬೙鉨쪚枪䳺㼘㻀鴂밮䮲⻢簾왻삳热醬ၰ싡䫑봻䔰࿙爍酈ಁ뫕牶৔⽎끟㯉꟱碓�갓圑謿ꎐ", (int)-306229624));

Janmm14 commented 2 years ago

If you turn off whole "indy" it just will not attempt to decrypt invokedynamic.

Yes, you are right, with just these two classes alone, the error does pop up and it is a legitimate error. I might create a pr to fix this in a couple days.

However there is still a layer of stringer below this, and that one would need additional classes.

greenozon commented 2 years ago

Oh, I see, indy must be short for "Invoke dynamic" then :)

I don't have luck running stringer though... each time I'm getting OOM. I've switched to command line mode and also started to use 64 bit java, as 32 bit does not allow allocating even 1G...

one more question: how do I set the indy off in the detect.yml config file?

I've tried this one but it's not accepted...

transformers:
  - com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer:indy=false

Janmm14 commented 2 years ago

iirc in the config yml transformer options are like

transformer:
  - xxx.yyy.zzz:
    indy: false

The gui config was originally the program arguments, how you start the deobfuscator, back then there were no transformer options. I think last year I added the transformer options to the gui.

You can also start the gui with increased xmx.

Running stringer transformer on the project as it's right now might not do much, because the radon stuff is still there.

greenozon commented 2 years ago

Thanks! I might have missed that part how to customize some specific transformer in the .yml file

The GUI has a nice Save Config button, but for transformer customization it shows the format which is not OK for .yml

and about -Xmx - I'm having hard time setting this value in the GUI, each and every time it says OOM, so that's why I switched to the command line tool

Are you saying that I need to start the GUI passing -Xmx2G and this value will be propagated later on to transformers runs? or how should I set -Xmx in GUI?...

Janmm14 commented 2 years ago

> Are you saying that I need to start the GUI passing -Xmx2G and this value will be propagated later on to transformers runs? or how should I set -Xmx in GUI?...

the config save button is only useful if you want to load it into the gui

Yes, the gui runs the deobfuscator in the same java process as itself, so when you start the gui with higher Xmx it also affects the deobfuscation.

greenozon commented 2 years ago

Took me some time to figure out why yaml parser was not happy, it's all about indents :) valid format that worked in my case:

transformers:
  - com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer:
        indy: false

there are 4 spaces from letter 'c' in com... to 'i' in indy :) TAB not accepted
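
The three spellings tried in this thread, side by side, as an added example that is not part of the original comments. The annotations describe how a YAML parser reads each form (general YAML rules, not a statement about the deobfuscator's own loader), and the `---` separators only keep the variants apart:

```yaml
# 1. Inline option, the form reported above as not accepted.
#    "Class:indy=false" has no space after the colon, so the list item is
#    one plain string, not a key with a value.
transformers:
  - com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer:indy=false
---
# 2. Option at the same column as the class name.
#    Both keys land in one mapping: {RadonTransformer: null, indy: false}.
#    The option is a sibling of the transformer entry, not its child.
transformers:
  - com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer:
    indy: false
---
# 3. Option indented deeper than the class name, using spaces only.
#    The option is now a child: {RadonTransformer: {indy: false}}.
transformers:
  - com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer:
      indy: false
```

A tab used for indentation is a YAML syntax error, and `indy:false` written without the space after the colon is read as the single string `indy:false` rather than as a key and a boolean.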

ItzSomebody commented 2 years ago

@greenozon I merged Jan's PR that should fix this. Feel free to holler if it still doesn't work.

greenozon commented 2 years ago

Thanks for update! one tricky question: how do you guys build the final jar? I tried to build it up in my fav. NetBeans, but all of a sudden I'm getting these 2 errors:

1) src\com\javadeobfuscator\deobfuscator\executor\defined\ReflectiveProvider.java:26: error: package sun.invoke.util does not exist
    import sun.invoke.util.BytecodeDescriptor;

2) src\com\javadeobfuscator\deobfuscator\executor\defined\ReflectiveProvider.java:58: error: cannot find symbol
    List<Class<?>> l = BytecodeDescriptor.parseMethod(methodDesc, ClassLoader.getSystemClassLoader());
    symbol: variable BytecodeDescriptor
    location: class ReflectiveProvider

I'm using old good JDK 1.8.0.331 x32 with NB 12.6

greenozon commented 2 years ago

Forgot to add that testing went fine - no exceptions at all (having indy flags on and off). Thanks!

greenozon commented 2 years ago

One more question related to Radon transformation: why does it skip one class in the input jar (or if we rephrase - it does not write it into output jar)? e.g.:

image

left - input, right- output after running com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer

Janmm14 commented 2 years ago

> Thanks for update! one tricky question: how do you guys build the final jar? I tried to build it up in my fav. NetBeans, but all of a sudden I'm getting these 2 errors:
>
> src\com\javadeobfuscator\deobfuscator\executor\defined\ReflectiveProvider.java:26: error: package sun.invoke.util does not exist import sun.invoke.util.BytecodeDescriptor;
>
> src\com\javadeobfuscator\deobfuscator\executor\defined\ReflectiveProvider.java:58: error: cannot find symbol List<Class<?>> l = BytecodeDescriptor.parseMethod(methodDesc, ClassLoader.getSystemClassLoader()); symbol: variable BytecodeDescriptor location: class ReflectiveProvider
>
> I'm using old good JDK 1.8.0.331 x32 with NB 12.6

I think your JDK somehow does not expose sun.invoke.util for whatever reason. You can see how the jar is being built here: https://github.com/java-deobfuscator/deobfuscator/blob/latest/.github/workflows/automatic_release.yml

Alternatively just delete src\com\javadeobfuscator\deobfuscator\executor\defined\ReflectiveProvider.java. The class is not used, and was meant for development only, as using it would allow code to escape the bytecode emulator.

> One more question related to Radon transformation: why does it skip one class in the input jar (or if we rephrase - it does not write it into output jar)? e.g.:
>
> image
>
> left - input, right- output after running com.javadeobfuscator.deobfuscator.transformers.special.RadonTransformer

The radon transformer thought that the class was originally added by the radon obfuscation: code

If that creates a potential problem later on when you try to remove BisGuard obfuscation, we could add options to the radon transformer to not delete methods / classes.

greenozon commented 2 years ago

Thanks for reply just to close the question with sun.invoke.util

I'm using the standard JDK8 from Oracle (java -version java version "1.8.0_331" Java(TM) SE Runtime Environment (build 1.8.0_331-b09) Java HotSpot(TM) Client VM (build 25.331-b09, mixed mode) ) and in your provided .yml I see that this (specially crafted?) distribution being used

    - name: Set up JDK 8
      uses: actions/setup-java@v2
      with:
        java-version: '8'
        distribution: 'adopt'

that exports sun.invoke.util?

2) about radon - I see now.. I don't know yet if that creates a potential problem, cause right now I'm working with BisGuard but the protected app happens to use javafx which is a show stopper... - why? cause it tries to load native libs -> boom

so I plan to unpack it by hands, radon already did a great job, but now I see that BG is a tricky guy, as it encrypts all the rest of app's classes and in order to get the decryption key it does very smart stuff - it enumerates all the classes/methods/fields and even reads out some info from Linenumbertable ...

so long story short - could we make sure that after radon's work that info is kept as is?

anyway, I've decompiled the BG service classes (shown on above pic) but I hit the error when it creates the decryption key... it just can't properly decrypt rest of classes -> stopper...

so one of my ideas was that it needs all the original classes (but now I'm not sure)

sorry for long writeup, just having no one to share thoughts with...

Janmm14 commented 2 years ago

Java 8 from Oracle should expose those classes as well. Maybe these errors are from netbeans ide and not from maven build? Java 8 from adopt is basic openjdk.

Well you can try to edit the transformers yourself (and build it yourself). maybe also try bisguard transformer before radon.

greenozon commented 2 years ago

BG has a stopper like this:

[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading classpath
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading input
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Computing callers
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Transforming
[Thread-6] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Running com.javadeobfuscator.deobfuscator.transformers.special.BisGuardTransformer

Deobfuscation failed. Please open a ticket on GitHub and provide the following error:
com.javadeobfuscator.javavm.exceptions.ExecutionException: UnsatisfiedLinkError: java/lang/ClassLoader$NativeLibrary load(Ljava/lang/String;ZZ)V
    at com.javadeobfuscator.javavm.VirtualMachine.execute(VirtualMachine.java:1209)
    at com.javadeobfuscator.javavm.VirtualMachine.internalExecute(VirtualMachine.java:1196)
    at com.javadeobfuscator.javavm.instructions.InvocationInstruction.execute(InvocationInstruction.java:96)
................
    at java.lang.Thread.run(Thread.java:750)
    Suppressed: com.javadeobfuscator.javavm.exceptions.ConvertedException: java.lang.Throwable: null
        at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1937)
        at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1841)
        at java.lang.Runtime.loadLibrary0(Runtime.java)
        at java.lang.System.loadLibrary(System.java:1122)
        at java.lang.System.initializeSystemClass(System.java:1197)

I've read in another issue that this is a show stopper, right?