Closed rm1410 closed 1 year ago
Looks a lot like superblaubeere. If it did not detect superblaubeere, it's some obfuscator based on it.
I think it would not be that hard to create a new transformer to handle this kind of obfuscation. Usually in this project it's not that important what a method does, as it can be emulated with the MethodExecutor anyway. More important is what environment info it uses, and so far you seem to be lucky on this one as well, as it's none.
Unfortunately this project is quite dead, and most people who maintained it have each created a personal fork where they put in fixes and new transformers so they work for a longer time.
Thank you for the reply :)
> if it did not detect superblaubeere
There is a detector for superblaubeere? As far as I have seen, there is no detector for this obfuscator in the "rules" package.
> I think it would not be that hard to create a new transformer to handle this kind of obfuscation.
So there is no existing transformer in this project or a known fork for the obfuscation techniques described above? (except the classname obfuscation)
> More important is what environment info it uses
What is the environment info and why am I lucky not to have it?
> Unfortunately this project is quite dead and most people who maintained it have each created a personal fork
This is really a pity. I don't quite understand why maintainers don't want to merge the code anymore. That would only have advantages for everyone.
> There is a detector for superblaubeere? As far as I have seen, there is no detector for this obfuscator in the "rules" package.

> What is the environment info and why am I lucky not to have it?
Some obfuscation code checks or uses parts of the stack trace (very nasty obfuscation might do even more such checks) as part of a decryption key. The code you've shown doesn't do that.
> This is really a pity. I don't quite understand why maintainers don't want to merge the code anymore. That would have only advantages for everyone.

As I said above, it's not necessarily the case that it has advantages for everyone. Showing how you attack obfuscation does motivate obfuscation creators. There are examples of both free and commercial obfuscators that did this in the past.

Edit: The anti-emulation that Stringer claims to have is a result of this project. While ZKM does not mention this as directly, they have updated their obfuscation to detect bugs in the bytecode execution emulators of this project.
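As an added illustration of the "environment info" point above (this is example code, not code from the original thread or from the deobfuscator project), here is a hypothetical decryptor that derives its DES key from the calling stack frame, next to the build-time encryption side and a call that mimics an emulator invoking the method from its own frame instead of the original call site. The class and method names, the MD5-of-caller key derivation and the sample plaintext are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical decryptor in the style the comment describes: the DES key is
// derived from the caller's stack frame, so a ciphertext only decrypts when the
// method is invoked from the exact class and method the obfuscator emitted it into.
public class StackKeyedDecryptor {

    // Key = first 8 bytes of MD5(callerClass + "." + callerMethod). Assumed scheme.
    private static SecretKeySpec keyFor(String className, String methodName) throws Exception {
        byte[] digest = MessageDigest.getInstance("MD5")
                .digest((className + "." + methodName).getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(Arrays.copyOf(digest, 8), "DES");
    }

    // What the obfuscated program would contain: the key is never stored, it is
    // recomputed from getStackTrace()[1], i.e. the frame that called decrypt().
    static String decrypt(String base64Ciphertext) throws Exception {
        StackTraceElement caller = new Throwable().getStackTrace()[1];
        Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, keyFor(caller.getClassName(), caller.getMethodName()));
        byte[] plain = cipher.doFinal(Base64.getDecoder().decode(base64Ciphertext));
        return new String(plain, StandardCharsets.UTF_8);
    }

    // What the obfuscator ran at build time, knowing the call site it was about to emit.
    static String encryptFor(String plaintext, String callerClass, String callerMethod) throws Exception {
        Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, keyFor(callerClass, callerMethod));
        return Base64.getEncoder().encodeToString(cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }

    // Simulates a naive emulator that invokes the decryptor from its own frame: the
    // caller is now StackKeyedDecryptor.naiveEmulatorCall, so the derived key differs.
    static String naiveEmulatorCall(String ciphertext) {
        try {
            return decrypt(ciphertext);
        } catch (Exception e) {
            return "FAILED: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a string the obfuscator placed inside StackKeyedDecryptor.main.
        String ct = encryptFor("secret config value", "StackKeyedDecryptor", "main");

        // Called from main, as the obfuscator intended: decrypts correctly.
        System.out.println("from main:     " + decrypt(ct));

        // Called from any other frame: wrong key, so a BadPaddingException or garbage bytes.
        System.out.println("from emulator: " + naiveEmulatorCall(ct));
    }
}
```

The point for an emulator is that the stack trace is part of the decryption input: a MethodExecutor-style emulation has to present the same class and method names in `getStackTrace()` as the original call site would, or the key it derives is wrong. Obfuscators that go further may also check the number of frames or the names of frames above the caller, which is why the comment calls this "nasty".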
Thank you very much. I used the associated transformer and removed the string encryption with it.
> Some obfuscation code checks or uses parts of the stack trace (very nasty obfuscation might do even more such checks) as part of a decryption key. The code you've shown doesn't do that.
Oh yeah, that sounds really nasty. I'm glad I don't have anything like that.
> Showing how you attack obfuscation does motivate obfuscation creators.
Oh, I hadn't thought of that. That makes sense, of course. I can totally understand that you'd rather keep your transformer to yourself if it's going to be bypassed right when you release it anyway.
> The anti-emulation Stringer claims to have is a result of this project. While ZKM does not mention this as directly, they have updated their obfuscation to detect bugs in the bytecode execution emulators of this project.

That's really interesting. But with something like this I would merge fixes, since it is almost a free bug report XD
Thank you, I really appreciate the answers and the help.
Hi, I'm trying to find out which obfuscator was used for an application and if there are transformers to deobfuscate it (especially the string encryption). It is possible for me to send parts of the obfuscated jar; if you want them, please ask.
Name obfuscation
All class, package and variable names are replaced by chars from a-z. The detector suggested the SourceFileClassNormalizer, which was able to successfully recover all class names.
Integer replacement
Many (all?) integers from 0-3 are replaced by a String of 0-3 spaces and the #length() method.
Example:
Junk code
useless calls
There are useless "".length(); calls that seem to be randomly inserted into the code. Example:
redundant if statements
Furthermore, there are if statements which are always "false" and usually return null.
Example:
boolean operation obfuscation
Every boolean operation is replaced by a method requiring an integer, to which the boolean is cast.
Example of boolean operation methods:
Code example:
String encryption
Most classes contain two static arrays: one int[] and one String[].
The integer array contains most integers used by the class. The values are set statically, with a mathematical equation as the value.
Example:
The string array contains all strings used in the class. Strings are individually encrypted by either Blowfish, Base64 or DES. The encryption method per string is seemingly random. Decryption method(s) are generated per class and require the encrypted String along with an MD5 hash.
Example:
Blowfish decryptor:
DES decryptor:
Base64 decryptor:
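For the integer replacement and the useless `"".length();` calls described above, here is an added example (not code from the original issue or from the deobfuscator project) of a pass that folds both patterns: `LDC "   "` followed by `String.length()` becomes the literal 3, and a `length()` call whose result is immediately popped is deleted outright. It is written against the plain ASM tree API rather than the project's Transformer base class, whose exact signature is not assumed here; the class name, method names and the demo method body constructed in `main` are hypothetical. It generalizes the 0-3 case to any string length.

```java
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.tree.AbstractInsnNode;
import org.objectweb.asm.tree.InsnList;
import org.objectweb.asm.tree.InsnNode;
import org.objectweb.asm.tree.IntInsnNode;
import org.objectweb.asm.tree.LdcInsnNode;
import org.objectweb.asm.tree.MethodInsnNode;
import org.objectweb.asm.tree.MethodNode;

// Folds the two patterns from the issue (hypothetical pass, plain ASM tree API):
//   LDC "   " ; INVOKEVIRTUAL String.length()        -> push 3
//   LDC ""    ; INVOKEVIRTUAL String.length() ; POP  -> removed entirely (junk)
public class StringLengthFolder {

    private static boolean isStringLength(AbstractInsnNode insn) {
        if (insn == null || insn.getOpcode() != Opcodes.INVOKEVIRTUAL) return false;
        MethodInsnNode m = (MethodInsnNode) insn;
        return m.owner.equals("java/lang/String") && m.name.equals("length") && m.desc.equals("()I");
    }

    // Smallest instruction that pushes the int constant n.
    static AbstractInsnNode pushInt(int n) {
        if (n >= -1 && n <= 5) return new InsnNode(Opcodes.ICONST_0 + n);
        if (n >= Byte.MIN_VALUE && n <= Byte.MAX_VALUE) return new IntInsnNode(Opcodes.BIPUSH, n);
        if (n >= Short.MIN_VALUE && n <= Short.MAX_VALUE) return new IntInsnNode(Opcodes.SIPUSH, n);
        return new LdcInsnNode(n);
    }

    // Rewrites the method in place and returns how many occurrences were folded or removed.
    static int fold(MethodNode method) {
        InsnList insns = method.instructions;
        int changed = 0;
        // Snapshot first: the list is mutated while walking it.
        for (AbstractInsnNode insn : insns.toArray()) {
            if (insn.getOpcode() != Opcodes.LDC) continue;
            Object cst = ((LdcInsnNode) insn).cst;
            if (!(cst instanceof String)) continue;
            AbstractInsnNode call = insn.getNext();
            if (!isStringLength(call)) continue;
            AbstractInsnNode after = call.getNext();
            if (after != null && after.getOpcode() == Opcodes.POP) {
                // Result is discarded: pure junk, drop all three instructions.
                insns.remove(insn);
                insns.remove(call);
                insns.remove(after);
            } else {
                // Result is used: replace the constant with its length, then drop the call.
                insns.set(insn, pushInt(((String) cst).length()));
                insns.remove(call);
            }
            changed++;
        }
        return changed;
    }

    // Demo on a constructed method body equivalent to:  "".length(); return "   ".length();
    public static void main(String[] args) {
        MethodNode m = new MethodNode(Opcodes.ASM9, Opcodes.ACC_STATIC, "three", "()I", null, null);
        m.instructions.add(new LdcInsnNode(""));
        m.instructions.add(new MethodInsnNode(Opcodes.INVOKEVIRTUAL, "java/lang/String", "length", "()I", false));
        m.instructions.add(new InsnNode(Opcodes.POP));
        m.instructions.add(new LdcInsnNode("   "));
        m.instructions.add(new MethodInsnNode(Opcodes.INVOKEVIRTUAL, "java/lang/String", "length", "()I", false));
        m.instructions.add(new InsnNode(Opcodes.IRETURN));

        int n = fold(m);
        System.out.println("folded " + n + " occurrences, " + m.instructions.size() + " instructions left");
        for (AbstractInsnNode insn : m.instructions.toArray()) {
            System.out.println("  opcode " + insn.getOpcode());
        }
    }
}
```

After `fold` runs on the constructed body only `ICONST_3` and `IRETURN` remain. To apply it to real classes, read each class with `ClassReader` into a `ClassNode`, run `fold` over every `MethodNode`, and write it back with a `ClassWriter`; neither rewrite changes the operand-stack shape at any instruction boundary, so existing stack map frames stay valid. The always-false `if` statements and the boolean-operation helper methods from the issue are not handled here; those need control-flow analysis or method emulation respectively.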