Add rules and obfuscator detection
samczsun committed Jan 4, 2018
1 parent 2710031 commit 5fec956
Showing 18 changed files with 849 additions and 261 deletions.
23 changes: 9 additions & 14 deletions .github/ISSUE_TEMPLATE.md
@@ -1,19 +1,14 @@
<!--
If this issue is a bug report, please make sure that:
If this issue is a bug report (i.e. something wasn't deobfuscated),
please read the FAQs first (bottom of the README).
* The error does not mention "Could not locate a class file"
If it does, read the FAQs (in the README)
* The error does not mention "A StackOverflowError occurred during deobfuscation"
If it does, read the FAQs (in the README)
* You've provided some way of reproducing the bug, but only if you have permission to do so
If you don't have permission or don't provide a sample, feel free to open an issue anyways, but know that it may be closed without a fix
* You've provided the config file you used (or more precisely, the transformers you used)
* You've provided the error (please don't paste the error directly. put it in a code block)
Code blocks can be created like so:
```
This is inside a code block
```
Please make sure that you've provided a copy of the file you're deobfuscation if possible.
If you don't have permission to provide the entire program or you don't want to,
then there's not much I can do. I'm not psychic.
You should also provide a copy of the config/code you're using to run the deobfuscator.
Order of transformers matter, and sometimes you just need to switch them around.
Please paste the config/code in a code block. Here's how to do that: https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet#code-and-syntax-highlighting
Thank you!
-->
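
Review bot: The rewritten template text has two wording errors that will ship to every new issue: "the file you're deobfuscation" should read "the file you're deobfuscating", and "Order of transformers matter" should be "Order of transformers matters". The new wording also asks for the input file and the config/code but no longer asks for the error output itself; consider keeping one line that requests the stack trace in a code block, since the FAQ pointers about "Could not locate a class file" and the StackOverflowError only help if the reporter includes that text.
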
134 changes: 35 additions & 99 deletions README.md
@@ -1,118 +1,52 @@
# Deobfuscator [![Build Status](https://ci.samczsun.com/buildStatus/icon?job=java-deobfuscator/Deobfuscator)](https://ci.samczsun.com/job/java-deobfuscator/job/Deobfuscator)

This is an all-in-one Java deobfuscator which will deobfuscate code obfuscated by most obfuscators available on the market.
This project aims to deobfuscate most commercially-available obfuscators for Java.

## What can the deobfuscator do?
## Quick Start

The deobfuscator supports deobfuscation of transformations such as string literal encryption, or reflection obfuscation. These transformations have been hard coded for a specific obfuscator, but generic deobfuscators are also available.

## What can't the deobfuscator do?

Things like method names, class names, etc cannot be deobfuscated because their renaming is irreversible. The information needed to deobfuscate is removed.

## My program wasn't deobfuscated

Check out [this guide](CUSTOMTRANSFORMER.md)

## Examples

### As a library

```java
public class SomeRandomDeobfuscator {
public static void main(String[] args) throws Throwable {
Configuration config = new Configuration();
config.setInput(new File("input.jar"));
config.setOutput(new File("output.jar"));
config.setPath(Arrays.asList(
new File("C:\\Program Files\\Java\\jdk_8\\jre\\lib\\rt.jar"),
new File("C:\\Program Files\\Java\\jdk_8\\jre\\lib\\jce.jar"),
new File("C:\\Program Files\\Java\\jdk_8\\jre\\lib\\ext\\jfxrt.jar"),
new File("C:\\Program Files\\Java\\jdk_8\\lib\\tools.jar")
));
config.setTransformers(Arrays.asList(
TransformerConfig.configFor(PeepholeOptimizer.class)
));
new Deobfuscator(config).start();
}
}
* [Download](https://ci.samczsun.com/job/java-deobfuscator/job/Deobfuscator/) the deobfuscator.
* If you know what obfuscators were used, skip the next two steps
* Create `detect.yml` with the following contents. Replace `input.jar` with the name of the input
```yaml
input: input.jar
detect: true
```

### CLI

If you don't want to import the project, you can always use the command line interface.

| Argument | Description |
| --- | --- |
| --config | The configuration file |

You may specify multiple transformers, and they will be applied in the order given. Order does matter as sometimes one transformation depends on another not being present.

If you wish to use one of the default transformers, then you may remove the `com.javadeobfuscator.deobfuscator.transformers` prefix.

Here is a sample `config.yaml`:

* Run `java -jar deobfuscator.jar --config detect.yml` to determine the obfuscators used
* Create `config.yml` with the following contents. Replace `input.jar` with the name of the input
```yaml
input: input.jar
output: output.jar
transformers:
- normalizer.MethodNormalizer:
mapping-file: normalizer.txt
- stringer.StringEncryptionTransformer
- normalizer.ClassNormalizer: {}
normalizer.FieldNormalizer: {}
```
- [fully-qualified-name-of-transformer]
- [fully-qualified-name-of-transformer]
- [fully-qualified-name-of-transformer]
- ... etc
```
* Run `java -jar deobfuscator.jar`
* Re-run the detection if the JAR was not fully deobfuscated - it's possible to layer obfuscations

For more details, please take a look at the wiki.
## Transformers
Official transformers are linked via the `Transformers` class.

| Transformer | Canonical Name | Description |
| --- | --- | --- |
| Allatori.STRING_ENCRYPTION | allatori.StringEncryptionTransformer | Decrypts strings encrypted by Allatori |
| DashO.STRING_ENCRYPTION | dasho.StringEncryptionTransformer | Decrypts strings encrypted by DashO |
| SkidSuite.STRING_ENCRYPTION | skidsuite2.StringEncryptionTransformer | Decrypts strings encrypted by SkidSuite2 |
| SkidSuite.FAKE_EXCEPTION | skidsuite2.FakeExceptionTransformer | Remove fake exceptions by SkidSuite2 |
| Stringer.STRING_ENCRYPTION | stringer.StringEncryptionTransformer | Decrypts strings encrypted by Stringer |
| Stringer.INVOKEDYNAMIC | stringer.InvokedynamicTransformer | Decrypts invokedynamic obfuscated calls by Stringer (Below version 3.0.0) |
| Stringer.REFLECTION_OBFUSCATION | stringer.ReflectionObfuscationTransformer | Decrypts reflection obfuscated calls by Stringer (Below version 3.0.0) |
| Stringer.HIDEACCESS_OBFUSCATION | stringer.HideAccessObfuscationTransformer | Decrypts hide access by Stringer (Included invokedynamic and reflection) |
| Stringer.RESOURCE_ENCRYPTION | stringer.ResourceEncryptionTransformer | Decrypts encrypted resources by Stringer |
| Zelix.STRING_ENCRYPTION | zelix.StringEncryptionTransformer | Decrypts strings encrypted by Zelix |
| Zelix.REFLECTION_OBFUSCATION | zelix.ReflectionObfuscationTransformer | Decrypts reflection obfuscated calls by Zelix |
| Zelix.FLOW_OBFUSCATION | zelix.FlowObfuscationTransformer | Removes flow obfuscation by Zelix |
| Smoke.STRING_ENCRYPTION | smoke.StringEncryptionTransformer | Removes string encryption by Smoke |
| Smoke.NUMBER_OBFUSCATION | smoke.NumberObfuscationTransformer | Removes number obfuscation by Smoke |
| Smoke.ILLEGAL_VARIABLE | smoke.IllegalVariableTransformer | Removes illegal variables by Smoke |
| General.PEEPHOLE_OPTIMIZER | general.peephole.PeepholeOptimizer | Optimizes the code |
| General.Removers.SYNTHETIC_BRIDGE | general.remover.SyntheticBridgeRemover | Removes synthetic and bridge modifiers from all methods and fields |
| General.Removers.LINE_NUMBER | general.remover.LineNumberRemover | Removes line number metadata |
| General.Removers.ILLEGAL_VARARGS | general.remover.IllegalVarargsRemover | Unmangles methods marked as variadic but aren't really |
| General.Removers.ILLEGAL_SIGNATURE | general.remover.IllegalSignatureRemover | Removes illegal signatures from members |
| General.Removers.LOCAL_VARIABLE | general.remover.LocalVariableRemover | Removes local variables from methods |
| Normalizer.CLASS_NORMALIZER | normalizer.ClassNormalizer | Renames all classes to Class<number> |
| Normalizer.METHOD_NORMALIZER | normalizer.MethodNormalizer | Renames all methods to Method<number> |
| Normalizer.FIELD_NORMALIZER | normalizer.FieldNormalizer | Renames all fields to Field<number> |
| Normalizer.PACKAGE_NORMALIZER | normalizer.PackageNormalizer | Renames all packages to Package<number> |
| Normalizer.SOURCEFILE_CLASS_NORMALIZER | normalizer.SourceFileClassNormalizer | Recovers `SourceFile` attributes when possible |
| Normalizer.DUPLICATE_RENAMER | normalizer.DuplicateRenamer | Renames all classes, methods, and fields with name clashes |

## Downloads

The latest build can be downloaded from my [CI Server](https://ci.samczsun.com/job/java-deobfuscator/job/Deobfuscator/)
Take a look at [USAGE.md](USAGE.md) for more information.

## It didn't work

If you're trying to recover the names of classes or methods, tough luck. That information is typically stripped out and there's no way to recover it.

Otherwise, check out [this guide](CUSTOMTRANSFORMER.md) on how to implement your own transformer (also, open a issue/PR so I can add support for it)

## Supported Obfuscators

[Zelix Klassmaster](http://www.zelix.com/)
[Stringer](https://jfxstore.com/stringer/)
[Allatori](http://www.allatori.com/)
[DashO](https://www.preemptive.com/products/dasho/overview)
[DexGuard](https://www.guardsquare.com/dexguard)
[Smoke](https://newtownia.net/smoke)
[DexGuard](https://www.guardsquare.com/dexguard)
[ClassGuard](https://www.zenofx.com/classguard/)
[Smoke](https://newtownia.net/smoke)
SkidSuite2 (dead, some forks are listed [here](https://github.com/tetratec/SkidSuite2/network/members))
Generic obfuscation

## List of Transformers

The automagic detection should be able to recommend the transformers you'll need to use. However, it may not be up to date. If you're familiar with Java reverse engineering, feel free to [take a look around](https://github.com/java-deobfuscator/deobfuscator/tree/master/src/main/java/com/javadeobfuscator/deobfuscator/transformers) and use what you need.

## FAQs
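
Review bot: The last Quick Start command, `java -jar deobfuscator.jar`, omits the `--config config.yml` argument that the detection step passes as `--config detect.yml`; either add it or state that `config.yml` is picked up by default, otherwise a reader following the steps literally cannot tell which file is used. In the same sample, the placeholder entries `- [fully-qualified-name-of-transformer]` are valid YAML flow sequences, so a reader who fills in the name but keeps the brackets gets a nested list instead of a transformer name; angle brackets or a commented example would be safer. "Skip the next two steps" depends on counting unnumbered bullets, so a numbered list would make the skip unambiguous, and "open a issue/PR" should be "open an issue/PR".
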

@@ -124,8 +58,10 @@ You need to specify all the JARs that the input file references. You'll almost a
Increase your stack size. For example, `java -Xss128m -jar deobfuscator.jar`

#### Does this work on Android apps?
Technically, yes, you could use something like [dex2jar](https://github.com/pxb1988/dex2jar) or [enjarify](https://github.com/storyyeller/enjarify), but try [simplify](https://github.com/CalebFenton/simplify) first.
It's a deobfuscator of sorts built specifically for Android.
Technically, yes, you could use something like [dex2jar](https://github.com/pxb1988/dex2jar)
or [enjarify](https://github.com/storyyeller/enjarify). However, dex -> jar conversion is lossy at best.
Try [simplify](https://github.com/CalebFenton/simplify) or [dex-oracle](https://github.com/CalebFenton/dex-oracle) first.
They were written specifically for Android apps.

## Licensing
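
Review bot: The Android answer still opens with "Technically, yes" and only reaches the actual recommendation (simplify or dex-oracle) in its third sentence, so a skimming reader takes away the opposite of what is intended. Consider leading with the recommendation and giving dex2jar/enjarify as the fallback, and add a few words on what "lossy at best" means in practice for the converted JAR so the reader can judge whether running it through this tool is worth attempting.
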

47 changes: 47 additions & 0 deletions USAGE.md
@@ -0,0 +1,47 @@
# Usage
### As a library

```java
public class SomeRandomDeobfuscator {
public static void main(String[] args) throws Throwable {
Configuration config = new Configuration();
config.setInput(new File("input.jar"));
config.setOutput(new File("output.jar"));
config.setPath(Arrays.asList(
new File("C:\\Program Files\\Java\\jdk_8\\jre\\lib\\rt.jar"),
new File("C:\\Program Files\\Java\\jdk_8\\jre\\lib\\jce.jar"),
new File("C:\\Program Files\\Java\\jdk_8\\jre\\lib\\ext\\jfxrt.jar"),
new File("C:\\Program Files\\Java\\jdk_8\\lib\\tools.jar")
));
config.setTransformers(Arrays.asList(
TransformerConfig.configFor(PeepholeOptimizer.class)
));
new Deobfuscator(config).start();
}
}
```

### CLI

If you don't want to import the project, you can always use the command line interface.

| Argument | Description |
| --- | --- |
| --config | The configuration file |

You may specify multiple transformers, and they will be applied in the order given. Order does matter as sometimes one transformation depends on another not being present.

If you wish to use one of the default transformers, then you may remove the `com.javadeobfuscator.deobfuscator.transformers` prefix.

Here is a sample `config.yaml`:

```yaml
input: input.jar
output: output.jar
transformers:
- normalizer.MethodNormalizer:
mapping-file: normalizer.txt
- stringer.StringEncryptionTransformer
- normalizer.ClassNormalizer: {}
normalizer.FieldNormalizer: {}
```
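
Review bot: In the sample config, `normalizer.FieldNormalizer: {}` has no leading `- `, so it becomes a second key in the same mapping as `normalizer.ClassNormalizer: {}` instead of its own list entry. That conflicts with the sentence above it, "they will be applied in the order given", because key order inside a YAML mapping is not guaranteed; give FieldNormalizer its own list item unless grouping is intentional, in which case document what it means. The file is called `config.yaml` here but `config.yml` in the README Quick Start, so pick one name. The library example also has no import lines and hardcodes `C:\\Program Files\\Java\\jdk_8\\...` paths; a short comment saying these must point at the reader's own JDK would prevent copy-paste failures.
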