
DecryptStrings

Anonymous Bob Pan

Introduction

dex-tools-0.0.9.12 adds support for decrypting strings in a jar.

Details

In Java, we usually use the following code to load and use a constant string:

ldc "hello" // load the string to stack
invoke-virtual Lj/l/String;->toString() //use the string

To hinder reverse engineering, we encrypt the string and add a static method that decrypts it at runtime:

ldc "olleh"
invoke-static Ltest/Decrypt;->reverse(Lj/l/String;)Lj/l/String; // decrypt the string
invoke-virtual Lj/l/String;->toString()

Now, if we can figure out which method is the decrypt method, we can call:

d2j-decrypt-string.sh -mo test.Decrypt -mn reverse path/to/the.jar

d2j-decrypt-string.sh invokes the decrypt method by reflection and replaces each encrypted string with the original string.

WARN

The decrypt method is invoked on your machine, so malicious code may be triggered.
Select the decrypt method carefully.
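
A pre-check for the warning above, as an added example (not part of dex2jar or this wiki): it scans `javap -c -p` disassembly of the candidate decrypt class for risky API calls reachable from the decrypt method or from the class's static initializer, which also runs when a static method is invoked by reflection. The sample disassembly, the `RISKY` prefix list and the function names are constructed assumptions; only calls inside the one class are followed.

```python
import re

# Constructed sample: trimmed `javap -c -p` output for a hypothetical test.Decrypt.
SAMPLE = '''public class test.Decrypt {
  static {};
    Code:
       5: invokevirtual #4  // Method java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process;
  public static java.lang.String reverse(java.lang.String);
    Code:
       0: invokestatic  #5  // Method key:()I
       5: invokespecial #6  // Method java/lang/StringBuilder."<init>":(Ljava/lang/String;)V
  private static int key();
    Code:
       2: invokestatic  #9  // Method java/lang/System.loadLibrary:(Ljava/lang/String;)V
}
'''

RISKY = ("java/lang/Runtime.", "java/lang/ProcessBuilder.", "java/lang/System.load",
         "java/lang/ClassLoader.", "java/lang/reflect/", "java/net/", "java/io/File")
HEADER = re.compile(r"^  (?=\S)(?:.*?([\w$]+)\(.*\).*;|static \{\};)$")
CALL = re.compile(r"invoke\w+\s+#\d+.*// (?:Interface)?Method (\S+?):")

def parse_calls(javap_text):
    """Map each method ('<clinit>' = static initializer) to the methods it invokes."""
    calls, current = {}, None
    for line in javap_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1) or "<clinit>"
            calls.setdefault(current, [])
        elif current and (call := CALL.search(line)):
            calls[current].append(call.group(1).replace('"', ""))
    return calls

def risky_calls(javap_text, decrypt_method):
    """Risky API calls reachable inside this class from the decrypt method or <clinit>."""
    calls = parse_calls(javap_text)
    todo, seen, hits = [decrypt_method, "<clinit>"], set(), []
    while todo:
        method = todo.pop()
        if method in seen or method not in calls:
            continue
        seen.add(method)
        for ref in calls[method]:
            if "." not in ref:          # same-class call: follow it
                todo.append(ref)
            elif ref.startswith(RISKY):
                hits.append((method, ref))
    return sorted(hits)
```

Feed it the output of `javap -c -p -cp path/to/the.jar test.Decrypt`. An empty result does not cover code in other classes, so a disposable VM remains the safer place to run the decryption.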

before

decrypt-string-before.png

after

decrypt-string-after.png

Update

dex-tools-2.1 adds support for invoking methods with primitive arguments, such as DashO Pro style and
DexGuard style static String x(int, int, int) string encryption.

# the Obad sample
d2j-decrypt-string.sh  E1064BFD836E4C895B569B2DE4700284-dex2jar.jar \
    --decrypt-method-name oCIlCll \
    --decrypt-method-owner com.android.system.admin.CCOIoll \
    --arg-types int,int,int \
    -cp /opt/android-sdk-linux/platforms/android-19/android.jar
# '--parameters-descriptor III' is equivalent to '--arg-types int,int,int'

As of revision acfbe14, we added support for using the dex2jar IR to statically analyze more constant arguments, which makes it possible to decrypt JEB-style static String x(byte[], int, int) string encryption.

# the jeb jar
d2j-decrypt-string.sh jeb.jar \
    --parameters-descriptor [BII \
    --deep-analyze \
    --decrypt-method-name ... \
    --decrypt-method-owner ...
