ZKM reference obfuscation #13
Comments
Try to use commit 18425c9. There was a bug that blocked reflection where it shouldn't get blocked.
Still don't get to deobfuscate it
Seems like it is a variant of ZKM invokedynamic obfuscation that doesn't take (J), but instead takes (IJ). I can try to implement that.
I tried to implement this variant of invokedynamics but it seems like there are some classes missing in your file and therefore it cannot be decrypted :/
Oh, that's unfortunate. Anyway, I've made a sample with reference obfuscation, that the tool is unable to deobfuscate, maybe you can take a look
Which obfuscator and version is it?
ZKM 14
Still doesn't work (just compiled the latest version, 2.5.0)
I will have to update the regex for ZKM_INVOKEDYNAMIC_REAL_BOOTSTRAP_DESC. Seems like ZKM implemented multiple decryption longs / ints. You can add a long as last parameter to ZKM_INVOKEDYNAMIC_REAL_BOOTSTRAP_DESC and your Test.jar will probably decrypt.
Please test if it works.
Because of the failures in some cases, it still isn't perfect. Here is another sample with the same reference obfuscation. Only ~30% of the references are decrypted successfully
Improved it to about 42%. Decryption class often throws NPEs -> I think the cause is that there are some class files / libraries missing.
I am writing to you again asking for help in decrypting ZKM. Here is the link: https://workupload.com/file/ZhbjSnnnb5K |
Hi, does ZKM work for 14.0.5? I really need it.
Fixed a bug that caused encrypted references with longs or ints as first arguments to fail decryption
The following jar uses ZKM's method parameter change (aka hardening string encryption), so it's not directly reference obfuscation. With the current build, no strings or references can be decrypted Edit:
Seems like a known invalid array index crashes the ConstantTracker. Will fix.
No strings have been decrypted edit: same with references https://hastebin.com/ikekumuqab.cs |
I only fixed the analyzer bugs, I didn't implement ZKM 13+ support yet
Describe what's not working
The jar is obfuscated by ZKM (unknown version) and has string encryption + reference obfuscation applied. Only the calls to the string decryption method are encrypted. The tool is unable to deobfuscate it.
Java archive
v4_dumpfile.zip
Log / Screenshots
https://hasteb.in/xipijatu.kotlin
Please complete the following information: