threadtear
threadtear copied to clipboard
GraxCode
ZKM reference obfuscation
Describe what's not working The jar is obfuscated by ZKM (unknown version) and has string encryption + reference obfuscation applied. Only the calls to the string decryption method are encrypted. The tool is unable to deobfuscate it.
Java archive v4_dumpfile.zip
Log / Screenshots https://hasteb.in/xipijatu.kotlin
Please complete the following information:
- OS: Windows 10
- Java version: JRE 8 231
Try to use commit 18425c9a1890b78b3c785a86dbb0b7cd22ded667. There was a bug that blocked reflection where it shouldn't get blocked.
Seems like it is a variant of ZKM invokedynamic obfuscation that doesn't take (J), but instead takes (IJ). I can try to implement that.
I tried to implement this variant of invokedynamics but it seems like there are some classes missing in your file and therefore it cannot be decrypted :/
Oh, that's unfortunate. Anyway, I've made a sample with reference obfuscation, that the tool is unable to deobfuscate, maybe you can take a look Test.zip Log: https://hasteb.in/jelumoxe.lua
Still doesn't work (just compiled the latest version, 2.5.0) Log: https://hasteb.in/enivotal.makefile
I will have to update the regex for ZKM_INVOKEDYNAMIC_REAL_BOOTSTRAP_DESC. Seems like ZKM implemented multiple decryption longs / ints. You can add a long as last parameter to ZKM_INVOKEDYNAMIC_REAL_BOOTSTRAP_DESC and your Test.jar will probably decrypt.
Yep, it works, but some references aren't decrypted sucessfully
Here is the deobfuscated result
Because of the failures in some cases, it still isn't perfect. Here is another sample with the same reference obfuscation. Only ~30% of the references are decrypted sucessfully
Improved it to about 42%. Decryption class often throws NPEs -> i think the cause is that there are some class files / libraries missing.
I am writing to you again asking for help in decrypting ZKM. Here is the link: https://workupload.com/file/ZhbjSnnnb5K
Improved it to about 42%. Decryption class often throws NPEs -> i think the cause is that there are some class files / libraries missing.
Hi, Does ZKM work for 14.0.5? I really need.
Fixed a bug that caused encrypted references with longs or ints as first arguments to fail decryption
I am writing to you again asking for help in decrypting ZKM. Here is the link: https://workupload.com/file/ZhbjSnnnb5K
The following jar uses ZKM's method parameter change (aka hardening string encryption), so its not directly reference obfuscation. With the current build, no strings or references can be decrypted
Edit: String decryption logs: https://hasteb.in/koqanudi.pl Reference decryption logs: https://hastebin.com/nejumileni.cs
I am writing to you again asking for help in decrypting ZKM. Here is the link: https://workupload.com/file/ZhbjSnnnb5K
The following jar uses ZKM's method parameter change (aka hardening string encryption), so its not directly reference obfuscation. With the current build, no strings or references can be decrypted
Edit: String decryption logs: https://hasteb.in/koqanudi.pl Reference decryption logs: https://hastebin.com/nejumileni.cs
Seems like a known invalid array index crashes the ConstantTracker. Will fix.
No strings have been decrypted https://hasteb.in/inudakop.sql
edit: same with references https://hastebin.com/ikekumuqab.cs