crowdstrike
People still use Java?
CFR
FernFlower
JD-GUI
Krakatau
Procyon
IiiIIIIIiI("kq/#;n!+\u0005\u001d\u001e\u0001\u0019oing09SU_Y^un\u0012\u00004!\u0010\u0004\u0003\u0013lj\b\u0010\u0013ac`um"));iIIiiIIiii(".\u0012V|QgKCw3B3[`F3bfP_{p22\u001c&\u0007tdItT0|qC3@`M{\u001230\u0001t1yD|Gm8\u0000>\u000f1\u0001J:w\u001e=\u001c!Gb\t=<EDe\u001dsCb_w\u001dq|_<vGv`\u001dC@\\bv@Gk\\Xz\\\u0018%\u0017(\u001ftKz\f1"));IiiIIIIIiI("R'\"\u001e\u001d#n\u0002\b\u001f\u00078'3yw}urhm"));iIIiiIIiii("\rtV}Z1"));IiiIIIIIiI("nWNk%\u0011\u0014S8npqszm90*8(ic0'3m"));iIIiiIIiii("20\u00115[AfPvV.PlI!")+Server.settings.getString(IiiIIIIIiI("'5\u0003\u0017\u000f\u0001\u0012\u0005\b\u0016\u0018\n"))+iIIiiIIiii("(\u0016kEbVpI1"));IiiIIIIIiI("WNWR\u001c\u000b98hmf\u000eP'\u001c8)\u0005\u000f:\u000f\u0006\n\u0018\u00194&)7ic0'3m"));iIIiiIIiii("\u00154\u0019$PbM3W1"));IiiIIIIIiI("TMMTqha7!>2,m")+Server.settings.getString(iIIiiIIiii("sJtOofnaoWUn4_zG"))+IiiIIIIIiI("tr7!>2,m"));iIIiiIIiii("?Tu\u00132\u0013.`FA{]u\r?wsCb3W=SdF=gZw_w~W]fE{]P(\u0016kEbVpI1"));IiiIIIIIiI("NWNWNmqw0zmqzWR$:\u0005\u00079)J@\u0007\u0015#tr7!>2,m"));iIIiiIIiii("0\u0011)\b\u00154\u0005kEbVpI1")+iIiIIiIiiI2.getAbsolutePath()+IiiIIIIIiI("tr7!>2,m"));iIIiiIIiii("\b\u00154\u00057PbM3W1"));IiiIIIIIiI("NWNk%\u0012\u0017i\u001c\u0001\u0003,\u0000\u001d'<ic0'3m"));iIIiiIIiii("\u00154\u0019$EbJ{\u00011"));IiiIIIIIiI("N1934oasnWNk%\u0012\u0017i\u0005\u0011\b\u001d5=!+!ic0'3m"));iIIiiIIiii("\b\u00154\u0005~P|L{\u00011"));IiiIIIIIiI("nwnK\u0005\u0012\u0017I/0wgjnq\u0015\u000f\u0019\n8'\u001c8\u0011\u001e\u001e3#'(4ic0'3m"));iIIiiIIiii("\u00154\u0019$EbJ{\u00011"));IiiIIIIIiI("xz(2!>m"));iIIiiIIiii("\u00057A|VmZ1"));
Recompile & Debug
Create Deobfuscator
Dynamic Tracing
Capturing Java method calls
1 Lightweight, extensible, well-documented
2 Doesn’t require user to write Java code
3 Cross-platform & works with latest JVM
4 Captures method args and return values
5 Can begin trace at very first instruction
6 Doesn’t transform target’s bytecode
BTrace
Bytecode Visualizer
Chronon
Greys
InTrace
Java VisualVM
JavaSnoop
JSwat Debugger
Limpid Log
MaintainJ
MethodTracer
…
Built from the ground up
Bluescreen in 3… 2…
public class HelloWorld {
    public static void main(String[] args) {
        System.out.println("Hello, World");
    }
}
package org.jsocket.b;
...
public abstract class iIIiiIIiii {
    ...
    public static String IIIiIiJSocket(String iIiIIiIiiI) {
        int n;
        // key material: the caller's fully-qualified class name + method name, read
        // from the stack trace, so the same ciphertext decodes differently per call site
        StackTraceElement stackTraceElement = new Exception().getStackTrace()[1];
        String string = new StringBuffer(stackTraceElement.getClassName()).append(stackTraceElement.getMethodName()).toString();
        int n2 = iIiIIiIiiI.length();
        int n3 = n2 - 1;
        char[] arrc = new char[n2];
        int n4 = 5 << 4 ^ 5 << 1;               // 90: XOR constant for the second char of each pair
        int n5 = (2 ^ 5) << 4 ^ (2 << 2 ^ 3);   // 123: XOR constant for the first char of each pair
        int n6 = n = string.length() - 1;       // key index starts at the last key char
        String string2 = string;
        // walk the ciphertext backwards two characters at a time, XORing each
        // with its constant and with the current key character
        while (n3 >= 0) {
            int n7 = n3--;
            arrc[n7] = (char)(n5 ^ (iIiIIiIiiI.charAt(n7) ^ string2.charAt(n)));
            if (n3 < 0) {
                return new String(arrc);        // odd length: last pair has one char
            }
            // the decompiler emitted an unresolved local (v3080) as the index here;
            // n3 is the index consumed by charAt(n3--) on the same statement, so it is used below
            char c = arrc[n3] = (char)(n4 ^ (iIiIIiIiiI.charAt(n3--) ^ string2.charAt(n)));
            if (--n < 0) {
                n = n6;                         // wrap around to the end of the key
            }
            int n8 = n3;
        }
        return new String(arrc);
    }
}
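Once the routine above has been read this closely, the "Create Deobfuscator" option becomes a port of it to a static decoder. The Python below is an added example written for this page; it is not JavaJournal, pyspresso or Adwind code. It assumes the decompiler's unresolved local is the n3 index, and the caller class name, method name and plaintexts it uses are constructed for illustration. Because the transform is a positional XOR it is its own inverse, so a static tool only needs the call site's class and method name to recover the key, and the check below is a round trip.

```python
# Added example: Python port of the decompiled org.jsocket.b.iIIiiIIiii.IIIiIiJSocket
# string decoder, as the core of a static deobfuscator. Not code from JavaJournal,
# pyspresso or the Adwind sample; the n3 index fix and the sample key are assumptions.

# XOR constants exactly as written in the decompiled Java (shift binds tighter than ^
# in both Java and Python): 5<<4 ^ 5<<1 == 90, (2^5)<<4 ^ (2<<2 ^ 3) == 123
N4 = 5 << 4 ^ 5 << 1
N5 = (2 ^ 5) << 4 ^ (2 << 2 ^ 3)


def caller_key(class_name: str, method_name: str) -> str:
    """Key material as the Java derives it from new Exception().getStackTrace()[1]:
    the caller's fully-qualified class name concatenated with its method name.
    A static tool reads these from the call site instead of the live stack."""
    return class_name + method_name


def jsocket_decode(text: str, key: str) -> str:
    """Port of IIIiIiJSocket: walk the input backwards in pairs, XOR the first
    char of each pair with N5 and the second with N4, each also XORed with the
    current key char; the key index moves one step per pair and wraps around."""
    if not key:
        raise ValueError("key must be non-empty")
    out = [""] * len(text)
    n3 = len(text) - 1          # input index, walking from the end
    n6 = len(key) - 1           # last key index, also the wrap-around value
    n = n6                      # current key index
    while n3 >= 0:
        i, n3 = n3, n3 - 1
        out[i] = chr(N5 ^ ord(text[i]) ^ ord(key[n]))
        if n3 < 0:
            break               # odd length: the last pair has only one char
        i, n3 = n3, n3 - 1      # the decompiler's unresolved local is this index (assumed n3)
        out[i] = chr(N4 ^ ord(text[i]) ^ ord(key[n]))
        n -= 1
        if n < 0:
            n = n6
    return "".join(out)


def jsocket_encode(plain: str, key: str) -> str:
    """The transform is a positional XOR, so encoding is the same operation."""
    return jsocket_decode(plain, key)


if __name__ == "__main__":
    # Constructed call site and plaintexts (not taken from the sample)
    key = caller_key("org.jsocket.b.iIiIIiIiiI", "run")
    for plain in ("TLS", "OS_NAME", "VMWARE"):
        blob = jsocket_encode(plain, key)
        print(repr(blob), "->", jsocket_decode(blob, key))
```

The static approach still has to recover the caller class and method for every call site, which is exactly the bookkeeping the dynamic trace in the next slide sidesteps by capturing the return value as the JVM computes it.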
C:\>javajournal.py -jar adwind.jar -include org.jsocket.b.*
org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("Jb\")^ "TLS"
org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("∟}aU<X`]pYVf<@Va⌂D{KPg▬sTi◄zBc")^ "/org/jsocket/resources/key.dll"
org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("Ez\")^ "win"
org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("}@m]s^w")^ "OS_NAME"
org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("e_DsAw")^ "VMWARE"
org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("^Z|Fj")^ "LINUX"
org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("⌂Rq")^ "MAC"
org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("Ba]T`R⌂U[_w@:K%←")^ "ProgramFiles(X86)"
org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("o]aSp^vne{aFFs⌂p\j3uFw@f3sWvZfz]}A")^ "\Oracle\VirtualBox Guest Additions"
org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("bA}wChEs}U}B8g&↑&")^ "ProgramFiles(X86)"
org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("oD^ER`um_eBuK}◄DPqB|")^ "\VMware\VMware Tools"
Just give me the code already
GPL source code and documentation for JavaJournal and pyspresso:
https://github.com/CrowdStrike/pyspresso
https://pypi.python.org/pypi/pyspresso
pyspresso is still in alpha
Future work
Inspection of method arguments in opaque frames for native methods (see Pstack)
Improved object abstraction
Automatic attaching to child processes
GUI with extended capture information (see Rohitab’s API Monitor)
Hecklers be heckling