ZKM reference obfuscation

[skidunion]

Describe what's not working
The jar is obfuscated by ZKM (unknown version) and has string encryption + reference obfuscation applied. Only the calls to the string decryption method are encrypted. The tool is unable to deobfuscate it.

Java archive
v4_dumpfile.zip

Log / Screenshots
https://hasteb.in/xipijatu.kotlin

Please complete the following information:

• OS: Windows 10
• Java version: JRE 8 231

[GraxCode]

Try to use commit 18425c9. There was a bug that blocked reflection where it shouldn't get blocked.

[skidunion]

Still don't get to deobfuscate it
2020-12-09-02-12.log

[GraxCode]

Seems like it is a variant of ZKM invokedynamic obfuscation that doesn't take (J), but instead takes (IJ). I can try to implement that.

[GraxCode]

I tried to implement this variant of invokedynamics but it seems like there are some classes missing in your file and therefore it cannot be decrypted :/

[skidunion]

Oh, that's unfortunate. Anyway, I've made a sample with reference obfuscation, that the tool is unable to deobfuscate, maybe you can take a look
Test.zip
Log: https://hasteb.in/jelumoxe.lua

[GraxCode]

Which obfuscator and version is it?

[skidunion]

ZKM 14

[skidunion]

Still doesn't work (just compiled the latest version, 2.5.0)
Log: https://hasteb.in/enivotal.makefile

[GraxCode]

I will have to update the regex for ZKM_INVOKEDYNAMIC_REAL_BOOTSTRAP_DESC. Seems like ZKM implemented multiple decryption longs / ints. You can add a long as last parameter to ZKM_INVOKEDYNAMIC_REAL_BOOTSTRAP_DESC and your Test.jar will probably decrypt.

[GraxCode]

Please test if it works.

[skidunion]

Yep, it works, but some references aren't decrypted sucessfully
Here is the deobfuscated result

[skidunion]

Because of the failures in some cases, it still isn't perfect. Here is another sample with the same reference obfuscation. Only ~30% of the references are decrypted sucessfully

irc-1.0.jar.zip

[GraxCode]

Improved it to about 42%. Decryption class often throws NPEs -> i think the cause is that there are some class files / libraries missing.

[DarkyCat]

I am writing to you again asking for help in decrypting ZKM. Here is the link: https://workupload.com/file/ZhbjSnnnb5K

[d4ft1337]

Improved it to about 42%. Decryption class often throws NPEs -> i think the cause is that there are some class files / libraries missing.

Hi, Does ZKM work for 14.0.5? I really need.

[GraxCode]

Fixed a bug that caused encrypted references with longs or ints as first arguments to fail decryption

[skidunion]

I am writing to you again asking for help in decrypting ZKM. Here is the link: https://workupload.com/file/ZhbjSnnnb5K

The following jar uses ZKM's method parameter change (aka hardening string encryption), so its not directly reference obfuscation. With the current build, no strings or references can be decrypted

Edit:
String decryption logs: https://hasteb.in/koqanudi.pl
Reference decryption logs: https://hastebin.com/nejumileni.cs

[GraxCode]

I am writing to you again asking for help in decrypting ZKM. Here is the link: https://workupload.com/file/ZhbjSnnnb5K

The following jar uses ZKM's method parameter change (aka hardening string encryption), so its not directly reference obfuscation. With the current build, no strings or references can be decrypted

Edit:
String decryption logs: https://hasteb.in/koqanudi.pl
Reference decryption logs: https://hastebin.com/nejumileni.cs

Seems like a known invalid array index crashes the ConstantTracker. Will fix.

[skidunion]

No strings have been decrypted
https://hasteb.in/inudakop.sql

edit: same with references https://hastebin.com/ikekumuqab.cs

[GraxCode]

I only fixed the analyzer bugs, I didn't implement ZKM 13+ support yet