GraxCode's CrackMe2

CrackMe URL

Answer: antidote

First, we want to find the entry point. Let’s view META-INF/MANIFEST.MF.

    Manifest-Version: 1.0
    Protected-Notice: AV contact email - [email protected]
    JAR-Signature: S94EzrNEa9XPP3HJnTSKTHY7H5pMzIkyOckf2zlblNDR1oPS
    Class-Path: .
    Protected-By: 3.0.9 Stringer (20170608)
    Main-Class: jcc.part2.CrackMe

    Name: jcc/part2/v.class
    SHA-256-Digest: I+hSWBo3DZwEtTlqVXyzdxRRKW9N/usMoCpOi8gYBUI=

    Name: jcc/part2/CrackMe.class
    SHA-256-Digest: REigvNjpIrv3Ht4aGavXQ8xVJp1ltZmarAxOg/XYYpY=

    Name: hpl/tko/hx.class
    SHA-256-Digest: HF4KWRh1bmN6zBzytVHEdImHyNHJEOeOYPxFhOLIRlc=

    Name: hpl/tko/bp.class
    SHA-256-Digest: CCw/Anec+ntGwgTqnMVgLmA3b09cLlVFMhP5WNnve9Y=

    Name: jcc/part2/sv.class
    SHA-256-Digest: TCB0kj/YJHSyY9IbGrbjKW//Rj01GT4B3ittqvr6dh8=

    Name: hpl/tko/f.class
    SHA-256-Digest: k4NdPnwzAWbNoeD7S3NuocywgXEp35iTG9ZbvYn6VnA=

    Name: jcc/part2/f.class
    SHA-256-Digest: 8BVz0nTL6PWCJTT29yzz2jXhojODAN3MtjZ/XTdqXNM=

Oh dear, it’s obfuscated! Sure enough, when we view the main class, there is Zelix exception obfuscation, Zelix flow control obfuscation, Zelix enhanced string encryption, Stringer signing, Stringer string encryption, Stringer hide access obfuscation and who knows what.

[Read More]

Unpacking Odin Anticheat

Edit: This JAR was protected with the Paramorphism Java obfuscator by Anthony Som.

Edit #2: Removed JAR link at request of the author.

While this JAR wasn’t too hard to poke around in and figure out what is going on, I found this to be one of the more unique obfuscations I have seen in attempting to prevent Java reverse-engineering. In this image, we can see the JAR has duplicated entries. I later found out, after attempting to use my own Java obfuscator, Radon, to deobfuscate the JAR using my shrinker transformers, that the entry duplication results in the fake classes being written to the JAR instead of the correct ones.

[Read More]

Patching Java-AntiDecompiler

Site of Product:

Java-AntiDecompiler is an anti-reverse-engineering product by BIS Guard & Co. which encrypts Java classes, decrypts them at runtime, and loads them into memory. This writeup is intended to show how the weak anti-attachment protection mechanism in Java-AntiDecompiler can be easily disabled in under 2 minutes with Krakatau, allowing for easy access to the classes loaded in memory.

First, let’s disassemble the entry point method (main) with Krakatau.

[Read More]