Detailed explanation of the cracking principles of JAVA reverse and reverse obfuscation tracing Burpsuite

Last Update:2017-01-13 Source: Internet

Author: User

Tags decrypt reflection static class

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Abstract:

Recently, a commercial security tool named Burpsuite was cracked. A malicious software named BurpLoader appeared on the Internet, which damaged the authentication process of Burpsuite, this poses a serious threat to world peace. This series of articles analyzes the cracking principles of Burpsuite through reverse analysis of several versions of BurpLoader and analyzes the security vulnerabilities in the Burpsuite authentication system.

Use and defects of JD-GUI:

JD-GUI is a free tool to restore JAVA source code from JAVA bytecode, usually use this tool to do JAVA reverse is enough, however, because the principle is to restore the corresponding JAVA source code from the JAVA bytecode according to the specific structure, once the bytecode structure is disrupted (for example, the obfuscator is used ), then the JD-GUI will lose its role, as shown in the figure when opening the Burpsuite with a JD-GUI:

Apparently, the JD-GUI failed to restore the JAVA source code, because Burpsuite uses a obfuscator to disrupt the bytecode structure, so the JD-GUI applies to 'Java bytecode without obfuscat, the defect is that once the bytecode structure is disrupted, it cannot play its role.

Bytecode analysis:

Java bytecode is not directly executed on computers like normal binary code. It runs on different platforms and computers through the JVM engine.

JVM is a stack-based virtual computer that uses the JVM operation code (and its mnemonic), which is very similar to the process of normal binary disassembly. It is actually very easy to decompile Java bytecode. JDK's built-in Javap tool can complete this task.

Example: decompile Javar. class

Note that the-c parameter of javap displays detailed code; otherwise, only method is displayed. Javar does not need to be suffixed according to the old java rules. You can also decompile Bytecode using the eclipse plug-in Bytecode Visualizer.

Pay attention to the flowchart on the right. You have painted it in the course of introducing program design. Now you can see its purpose. It can be seen at a glance that it is an if-else structure, the first two sentences define the I variable, and then take the I = 2 pressure stack constant 1, after comparing I and 1 are all java. lang. system. out. One output is wooyun and the other output is lxj616.

Analysis of old versions of BurpLoader:

As the Burpsuite is updated, the BurpLoader is also updated. Let's start with the old version of BurpLoader and briefly analyze the cracking principles of the old version of burpsuite. This section selects the version 1.5.01 BurpLoader for analysis first try to load the BurpLoader with JD-GUI:

The source code of the BurpLoader is restored successfully. Unfortunately, because of the patch of the burpsuite, the obfuscation of the burpsuite is still very readable in the burploader. However, it can be inferred that the burploader itself does not use the obfuscation tool.

public static void main (String [] args)
{
 try 
 {
 int ret = JOptionPane. showOptionDialog ( null , " This program can not be used for each cial purposes! ", " BurpLoader by larry_lau@163.com ", 0 , 2 , null , new String [] {" I Accept ", " I Decline "}, null );
 // Display selection dialog box: This program is written for learning purpose, author's email: larry_lau (at) 163.com 
 if (ret = 0 ) // select I agree 
 {
 // The following uses the java reflection mechanism, do not understand reflection, Please Baidu 
 for ( int I = 0 ; I <clzzData. length; I ++)
 {
Class clzz = Class. forName (clzzData [I]);
 // It is a static class of burpsuite (the name has been confused, no need to list them.) 
Field field = clzz. getDeclaredField (fieldData [I]);
 // The variables in the static class are also confused, you do not need to list them. 
Field. setAccessible ( true );
 // you must set this parameter before accessing private. Otherwise, an error is returned. 

Field. set ( null , strData [I]);
 // Set the variable to strData (what is a long string for the moment) 
 }

Preferences prefs = Preferences. userNodeForPackage (StartBurp. class );
 // Obviously preferences are used to store the setting information 
 for ( int I = 0 ; I <keys. length; I ++)
 {
 // you can guess what the key and val are. 
String v = prefs. get (keys [I], null );
 if (! Vals [I]. equals (v ))
 {
Prefs. put (keys [I], vals [I]);
 }
 }
StartBurp. main (args );
 }
 }
 catch (Exception e)
 {
JOptionPane. showMessageDialog ( null , " This program can only run with burpsuite_pro_v1.5.01.jar ", " BurpLoader by larry_lau@163.com ",
 0 );
 }
}
}

Therefore, the principle of BurpLoader is to forge valid keys for detection. Key input is injected through preference, and I guess it is a fixed Key calculation method, some environment variables are fixed as constants through reflection.

Analysis of the new version of BurpLoader:

The following is an analysis using the BurpLoader version 1.6beta: first try opening the BurpLoader with a JD-GUI:

It seems that this version of BurpLoader uses obfuscation for bytecode. This path cannot be used, so you can directly read the bytecode!

We can see that the strings here are all obfuscated, and every one is decrypted from jsr to 151.

This decryption code has obvious features. A switch uses five paths and transmits different decryption keys to 221. Isn't this the Zelix KlassMaster algorithm? It's just a simple difference, and it's easy to write the decryption machine:

public class Verify {
 private static String decrypt (String str ){
 char key [] = new char [] { 73 , 25 , 85 , 1 , 29 };
 char arr [] = str. toCharArray ();
 for ( int I = 0 ; I <arr. length; I ++ ){
Arr [I] ^ = key [I % 5 ];
}
 return new String (arr );
}

 public static void main (String args []) {
System. out. println (decrypt ( "% x 'sdgu4t3 # x # 'egj" hs.7 % m |/7; hp + l &/S t7tn5v: j'} _ dx % " ));
}
}

The Five Keys are the parameters passed by bipush in the preceding figure. Do not forget that the 1 in iconst_1 is decrypted as follows: larry. lau. javax. swing. plaf. nimbus. NimbusLook: 4

In fact, it is useless to decrypt the string here, because we have obtained the source code of the old version, but it may be very useful in reverse analysis of other software.

Summary & POC

Here is the modified BurpLoader. I have removed the malicious code and output the original value before the modification. You can compile and run this code after adding the burpsuite jar package.

package stratburp;

 import burp. StartBurp;
 import java. lang. reflect. Field;
 import java. util. prefs. Preferences;
 import javax. swing. JOptionPane;

 public class startburp 
{

 private static final String [] clzzData = {" burp. ecc ", " burp. voc ", " burp. jfc ",
 "burp. gtc ", " burp. zi ", " burp. q4c ", " burp. pid ", " burp. y0b " };

 private static final String [] fieldData = {" B ", "B" , " c ", " c ", "c" , " B ", " c ", "c" };
 private static final String errortip = " This program can only run with burpsuite_pro_v1.5.01.jar ";
 private static final String [] keys = {" license1 ", "uG4NTkffOhFN/on7RT1nbw =" };

 public static void main (String [] args)
{
 try 
 {
 for ( int I = 0 ; I <clzzData. length; I ++)
 {
Class clzz = Class. forName (clzzData [I]);
Field field = clzz. getDeclaredField (fieldData [I]);
Field. setAccessible ( true );

 // field. set (null, strData [I]); 
System. out. println (field. get ( null ));
 }

Preferences prefs = Preferences. userNodeForPackage (StartBurp. class );
 for ( int I = 0 ; I <keys. length; I ++)
 {
String v = prefs. get (keys [I], null );
System. out. println (prefs. get (keys [I], null ));
 }
StartBurp. main (args );
 }
 catch (Exception e)
 {
JOptionPane. showMessageDialog ( null , " This program can only run with burpsuite_pro_v1.5.01.jar ", " Notice ", 0 );
 }
}
}

The effect is shown in the screenshot.

The first eight lines of output are the original values of the target maliciously modified by the former BurpLoader (for my computer). The number of times the same device runs remains unchanged, the following key is a maliciously modified value because I have run the BurpLoader before (but cannot be verified by the Burpsuite because the first eight rows are not modified ), it can be seen that the BurpLoader actually uses the same key to register all the different computers, but it only modifies and fixes some environmental variables involved in key computing. This is probably the main idea of cracking the Burpsuite, how can we calculate the license that can be used at first?

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More