Deobfuscation Thread (ZKM, Smoke, Stringer, etc)
#1
Have you ever wanted to deobfuscate Strings obfuscated with Stringer? In this thread you can learn more about deobfuscating!



SkidAntiOb:

Best tool to deobfuscate Allatori, OldStringer, DashO, and ZKM5

https://github.com/LPK-Matt/SkidSuite2/releases

Made by LordPankake



AntiZKM:

Tool to deobfuscate Strings obfuscated with enhanced mode of ZKM 8.0.x

https://github.com/GraxCode/antizkm

Be careful, it uses reflection, so there is a risk of being infected!

Made by me



AntiSmoke:

Tool to deobfuscate Jars obfuscated with Smoke (https://newtownia.net/smoke/)

It removes encrypted Numerals, Strings, and removes FlowObfuscation.

https://github.com/GraxCode/antismokeobfuscator

After deobfuscating, you should view it with fernflower.

Made by me



Java-Deobfuscator:

Tool to deobfuscate invokedynamics, reflection and string obfuscation by Stringer.
Can also remove various obfuscation of ZKM
Can remove synthetic & bridge modifiers and normalize fields, methods

Supported obfuscators:

https://github.com/java-deobfuscator/deobfuscator

Made by samczsun



If you have more tools, you can feel free to post them below.
replace filedropper.pw with pomf.host if the download isn't working..
Reply
#2
and this one? https://github.com/contra/JMD
Reply
#3
(12-26-2016, 01:50 PM)MLG_Quscoper360BlazeIt Wrote: and this one? https://github.com/contra/JMD

It's outdated and the linked repos have updated reversers.
Reply
#4
Yeah, JMD's dead
Reply
#5
(12-26-2016, 11:12 AM)GraxCode Wrote: In this thread you can learn more about deobfuscating!

Worthless thread.  Let's learn about deobfuscating by only listing the tools that do it?  Anyone that is willing to spend more than 5 seconds will find these easily.  I'd say more but I'm playing CS:GO.

And for anyone that is saying JMD is dead/outdated you should probably realize that half of the clients use ZKM and it's always the outdated ZKM build. I'm 90% certain that it will still work well on most of them.
Reply
#6
(12-29-2016, 05:17 AM)dd0ng Wrote: And for anyone that is saying JMD is dead/outdated you should probably realize that half of the clients use ZKM and it's always the outdated ZKM build.  I'm 90% certain that it will still work well on most of them.

But you can use Java-Deobfuscator which is updated and should support both IIRC.

Side note: If you're lazy and don't care about security in any way, shape, or form you can just use reflection to get all the strings.
Code:
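    // Imports this method needs (ASM tree API). Utils is the poster's own helper class, not shown here.
    import java.lang.reflect.Method;
    import org.objectweb.asm.Opcodes;
    import org.objectweb.asm.tree.*;

    @Override
    public void decryptStrings(InsnList ins) {
        if (ins == null || ins.size() < 6) return;
        for (int i = 2; i < ins.size(); i++) {
            AbstractInsnNode ain = ins.get(i);
            AbstractInsnNode p1 = ain.getPrevious();
            AbstractInsnNode p2 = p1.getPrevious();
            // Pattern: push int, push int, INVOKESTATIC someDecryptor(II)Ljava/lang/String;
            if (ain.getOpcode() == Opcodes.INVOKESTATIC && Utils.isNumeric(p1) && Utils.isNumeric(p2)) {
                int i1 = Utils.getValue(p1); // second argument (pushed last)
                int i2 = Utils.getValue(p2); // first argument (pushed first)
                MethodInsnNode min = (MethodInsnNode) ain;
                if (min.desc.equals("(II)Ljava/lang/String;")) {
                    String className = min.owner.replace("/", ".");
                    String methodName = min.name;
                    try {
                        // Fuck it
                        // Security be damned, I have Malwarebytes
                        // Class.forName loads the obfuscated class and runs its static initializer;
                        // invoke then runs its decryptor. Both execute inside this JVM.
                        Class<?> clazz = Class.forName(className);
                        Method method = clazz.getDeclaredMethod(methodName, int.class, int.class);
                        method.setAccessible(true);
                        Object value = method.invoke(null, i2, i1);
                        // Nop away old values, replace method call with value
                        ins.set(ain, new LdcInsnNode(value));
                        ins.set(p1, new InsnNode(Opcodes.NOP));
                        ins.set(p2, new InsnNode(Opcodes.NOP));
                    } catch (Exception e) {
                        // Failures are ignored; the original call is left in place.
                        // e.printStackTrace();
                    }
                }
            }
        }
    }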
Reply
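A static pre-flight check for the reflection shortcut in post #6, as an added example that is not part of the thread or of any linked tool: `Class.forName` runs the target's static initializer and `invoke` runs the decryptor, so this lists every call reachable from those two entry points that leaves a small allow-list, without loading the class. The names `DecryptorPreflight` and `unexpectedCalls` and the allow-list contents are assumptions made for illustration; it uses the ASM tree API and needs Java 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.*;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.tree.*;

/** Hypothetical helper: what would loading this class and calling its decryptor execute? */
public final class DecryptorPreflight {
    // Constructed allow-list: owners a pure string decryptor plausibly needs. Tune per sample.
    private static final Set<String> ALLOWED = Set.of("java/lang/Object", "java/lang/String",
            "java/lang/StringBuilder", "java/lang/Character", "java/lang/Integer", "java/lang/Math");

    /** Returns every call reachable from <clinit> or the decryptor that leaves the allow-list. */
    public static Set<String> unexpectedCalls(InputStream classFile, String decryptor) throws IOException {
        ClassNode cn = new ClassNode();
        new ClassReader(classFile).accept(cn, ClassReader.SKIP_DEBUG | ClassReader.SKIP_FRAMES);
        Set<String> findings = new TreeSet<>();
        if (!"java/lang/Object".equals(cn.superName))   // superclass <clinit> is not analysed here
            findings.add("superclass " + cn.superName + " is also initialised on load");
        Deque<String> todo = new ArrayDeque<>();
        todo.add("<clinit>()V");                         // runs as a side effect of Class.forName
        todo.add(decryptor + "(II)Ljava/lang/String;");  // the method the reflection code invokes
        Set<String> seen = new HashSet<>(todo);
        while (!todo.isEmpty()) {
            String key = todo.poll();
            for (MethodNode mn : cn.methods) {
                if (!(mn.name + mn.desc).equals(key)) continue;
                for (AbstractInsnNode ain : mn.instructions.toArray()) {
                    if (ain instanceof InvokeDynamicInsnNode) {
                        findings.add(key + " -> invokedynamic (bootstrap code not analysed)");
                    } else if (ain instanceof MethodInsnNode) {
                        MethodInsnNode call = (MethodInsnNode) ain;
                        if (call.owner.equals(cn.name)) {          // same class: follow the call
                            if (seen.add(call.name + call.desc)) todo.add(call.name + call.desc);
                        } else if (!ALLOWED.contains(call.owner)) { // anything else is reported
                            findings.add(key + " -> " + call.owner + "." + call.name + call.desc);
                        }
                    }
                }
            }
        }
        return findings;
    }
}
```

An empty result only means nothing outside the allow-list was found in this one class; calls into other classes of the jar are reported rather than followed, so each reported owner needs the same check before the class is loaded.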

