-
Notifications
You must be signed in to change notification settings - Fork 2.1k
DecryptStrings
dex-tools-0.0.9.12 add support to Decrypt Strings in a jar
in java we usually use the following code to use constant strings.
ldc "hello" // load the string to stack
invoke-virtual Lj/l/String;->toString() //use the string
and to prevent from reverse engineering, we encrypt the string and add add a static method to decrypt the string at runtime.
ldc "olleh"
invoke-static Ltest/Decrypt;->reverse(Lj/l/String;)Lj/l/String; // decrypt the string
invoke-virtual Lj/l/String;->toString()
now if we can figure out which method is the decrypt-method we can call
d2j-decrypt-string.sh -mo test.Decrypt -mn reverse path/to/the.jar
d2j-decrpyt-string.sh will invoke the decrypt-method by reflection and replace the encrypted string with the original string.
The decrypt method is invoked on your machine. malicious code maybe trigged. Carefully selecting the decrypt method.
dex-tools-2.1 add support to invoke method with primitive arguments, like DashO Pro style and
Dexguard style static String x(int, int, int)
string encryption
# the Obad sample
d2j-decrypt-string.sh E1064BFD836E4C895B569B2DE4700284-dex2jar.jar \
--decrypt-method-name oCIlCll \
--decrypt-method-owner com.android.system.admin.CCOIoll \
--arg-types int,int,int \
-cp /opt/android-sdk-linux/platforms/android-19/android.jar
# '--parameters-descriptor III' is equals to '--arg-types int,int,int'
as reversion acfbe14 we add support to use dex2jar IR to static analyze more const arguments, and is able to decrypt jeb-style static String x(byte[], int, int)
string encryption
# the jeb jar
d2j-dexrypt-string.sh jeb.jar \
--parameters-descriptor [BII \
--deep-analyze \
--decrypt-method-name ... \
--decrypt-method-owner ...