DecryptStrings

pxb1988 edited this page Mar 9, 2015 · 4 revisions

Introduction

dex-tools-0.0.9.12 adds support for decrypting strings in a jar.

Details

In Java, constant strings are usually loaded and used with code like the following.

ldc "hello" // load the string to stack
invoke-virtual Lj/l/String;->toString() //use the string

To hinder reverse engineering, we encrypt the string and add a static method that decrypts it at runtime.

ldc "olleh"
invoke-static Ltest/Decrypt;->reverse(Lj/l/String;)Lj/l/String; // decrypt the string
invoke-virtual Lj/l/String;->toString()

Now, if we can figure out which method is the decrypt method, we can call

d2j-decrypt-string.sh -mo test.Decrypt -mn reverse path/to/the.jar

d2j-decrypt-string.sh invokes the decrypt method by reflection and replaces each encrypted string with the original string.

WARN

The decrypt method is invoked on your machine, so malicious code may be triggered. Select the decrypt method carefully.
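
A simplified sketch of the reflective call and of why the warning matters, added here as an example (it is not dex2jar's own code). The nested `Decrypt` class is a constructed stand-in for `test.Decrypt`, and `decrypt` and `sideEffect` are hypothetical names; the point is that the owner class's static initializer runs on the analyst's machine as soon as the method is invoked.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

public class DecryptByReflection {
    // Set by the stand-in class's static initializer to make the side effect visible.
    static boolean sideEffect = false;

    // Constructed stand-in for the page's test.Decrypt class.
    static class Decrypt {
        static {
            // In a real sample this block is code written by the sample's author.
            sideEffect = true;
        }

        static String reverse(String s) {
            return new StringBuilder(s).reverse().toString();
        }
    }

    // Hypothetical helper: resolve owner.name(argTypes) and call it with the
    // constant arguments recovered from a call site.
    static String decrypt(String owner, String name, Class<?>[] argTypes, Object... args)
            throws ReflectiveOperationException {
        // initialize=false: loading the class does not yet run its static initializer.
        Class<?> cls = Class.forName(owner, false, DecryptByReflection.class.getClassLoader());
        Method m = cls.getDeclaredMethod(name, argTypes);
        if (!Modifier.isStatic(m.getModifiers()) || m.getReturnType() != String.class) {
            throw new IllegalArgumentException("not a static String method: " + m);
        }
        m.setAccessible(true);
        // The invocation initializes the class, then runs the method body.
        return (String) m.invoke(null, args);
    }

    public static void main(String[] unused) throws Exception {
        String owner = DecryptByReflection.class.getName() + "$Decrypt";
        System.out.println("side effect before call: " + sideEffect);
        String plain = decrypt(owner, "reverse", new Class<?>[] {String.class}, "olleh");
        System.out.println("ldc \"olleh\" -> ldc \"" + plain + "\"");
        System.out.println("side effect after call:  " + sideEffect);
    }
}
```

Everything reachable from the chosen method, including the static initializer of its owner class, executes with the privileges of the user running the tool, so a disposable analysis environment is the appropriate place to run it on untrusted jars.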

before

decrypt-string-before.png

after

decrypt-string-after.png

Update

dex-tools-2.1 adds support for invoking methods with primitive arguments, such as the DashO Pro style and DexGuard style static String x(int, int, int) string encryption.

# the Obad sample
d2j-decrypt-string.sh  E1064BFD836E4C895B569B2DE4700284-dex2jar.jar \
    --decrypt-method-name oCIlCll \
    --decrypt-method-owner com.android.system.admin.CCOIoll \
    --arg-types int,int,int \
    -cp /opt/android-sdk-linux/platforms/android-19/android.jar
# '--parameters-descriptor III' is equivalent to '--arg-types int,int,int'

As of revision acfbe14, we added support for using the dex2jar IR to statically analyze more constant arguments, which makes it possible to decrypt JEB-style static String x(byte[], int, int) string encryption.

# the jeb jar
d2j-decrypt-string.sh jeb.jar \
    --parameters-descriptor [BII \
    --deep-analyze \
    --decrypt-method-name ... \
    --decrypt-method-owner ...