Java Reverse Engineering & Deobfuscation: Tracing the Burp Suite Cracking Principle

Source: Internet
Author: User
Tags: decrypt

0x00 Summary:

This series of articles reverse-analyzes several versions of Burploader, explains the cracking principle used against Burp Suite, and examines the security weaknesses of Burp Suite's license authentication.

0x01 Uses and defects of JD-GUI:

JD-GUI is a free tool that restores Java source code from Java bytecode, and for ordinary Java reverse engineering it is usually sufficient. But because it works by mapping bytecode back to source according to a fixed structure, once the bytecode structure is disrupted (for example by an obfuscator), JD-GUI can no longer display anything. This is what happens when Burp Suite is opened in JD-GUI:

Obviously JD-GUI failed to restore the Java source, because Burp Suite uses obfuscation to disrupt the bytecode structure. So JD-GUI is suited to unobfuscated Java bytecode; its flaw is that once the bytecode structure is disrupted it cannot do its job.

0x02 Byte Code Analysis:

Java bytecode is not executed directly by the CPU like ordinary binary code; it runs on different platforms and machines through the JVM.

The JVM is a stack-based virtual machine that uses JVM opcodes (and their mnemonics), so reading bytecode is very similar to ordinary binary disassembly. Disassembling Java bytecode is very simple: the javap tool built into the JDK does the job.

Example: Javar.class disassembled

Note that the -c option of javap prints the bytecode of each method; without it only the method signatures are shown. As is usual for Java, the class is given to javap without the .class suffix. You can also use the Eclipse plug-in Bytecode Visualizer to view the bytecode.

Note the flow chart on the right, the kind everyone drew in introductory programming courses and which now finds a use: it is an if-else structure. The first two instructions define the variable i and set i = 2, then the constant 1 is pushed onto the stack and compared with i; both branches call java.lang.System.out, one printing Wooyun and the other printing lxj616.
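Source for a class that produces exactly the if-else shape described above, as an added example that is not part of the original article (the name Javar and the two output strings are taken from the article; the opcode comments describe what javac emits for this pattern, since javac does not constant-fold a comparison on a local variable):

```java
// Compile and disassemble (class name without the .class suffix, as the article notes):
//   javac Javar.java
//   javap -c Javar        (-c shows the bytecode; add -p for private methods, -v for the constant pool)
public class Javar {
    public static void main(String[] args) {
        int i;            // local variable slot 1 (slot 0 holds args)
        i = 2;            // iconst_2, istore_1
        if (i == 1) {     // iload_1, iconst_1, if_icmpne <else-branch>
            System.out.println("Wooyun");   // getstatic System.out, ldc "Wooyun", invokevirtual println
        } else {          // goto <after> closes the first branch
            System.out.println("lxj616");   // getstatic System.out, ldc "lxj616", invokevirtual println
        }
    }
}

/* Expected shape of `javap -c Javar` for main (constant-pool indices #n vary by compiler):

  public static void main(java.lang.String[]);
    Code:
       0: iconst_2
       1: istore_1
       2: iload_1
       3: iconst_1
       4: if_icmpne     18          // jump to the else branch when i != 1
       7: getstatic     #2          // Field java/lang/System.out:Ljava/io/PrintStream;
      10: ldc           #3          // String Wooyun
      12: invokevirtual #4          // Method java/io/PrintStream.println:(Ljava/lang/String;)V
      15: goto          26
      18: getstatic     #2
      21: ldc           #5          // String lxj616
      23: invokevirtual #4
      26: return
*/
```

Reading the listing back into source is the same exercise the article does from the flow chart: the conditional jump (if_icmpne) marks the start of the else branch, and the goto marks the end of the then branch, which is how a decompiler recovers the if-else structure.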

0x03 Analysis of the old Burploader version:

As Burp Suite is updated, Burploader is updated too, so we start with an old version of Burploader and briefly analyze the cracking principle used against earlier Burp Suite versions. This section uses Burploader 1.5.01. First try loading Burploader with JD-GUI:

The Burploader source code is restored successfully. Unfortunately, because it is a patch for Burp Suite, the obfuscated Burp Suite names referenced inside Burploader are still very hard to read, but we can infer that Burploader itself does not use an obfuscation tool.

public static void main(String[] args) {
    try {
        int ret = JOptionPane.showOptionDialog(null,
                "This program can not be used for commercial purposes!",
                "Burploader by [email protected]", 0, 2, null,
                new String[] { "I Accept", "I Decline" }, null);
        // Displays a selection dialog: this program is written for learning purposes, author mailbox larry_lau (at) 163.com
        if (ret == 0) { // "I Accept" was selected
            // The following uses the Java reflection mechanism
            for (int i = 0; i < clzzData.length; i++) {
                Class clzz = Class.forName(clzzData[i]);            // a static class of Burp Suite (the name is obfuscated, no need to list it)
                Field field = clzz.getDeclaredField(fieldData[i]);  // the variables in the static class are also obfuscated, no need to list them
                field.setAccessible(true);                          // required before touching a private field, otherwise it throws
                field.set(null, strData[i]);                        // set the variable to strData (what exactly the long string is is not discussed here)
            }
            Preferences prefs = Preferences.userNodeForPackage(StartBurp.class); // obviously Preferences is used to store setup information
            for (int i = 0; i < keys.length; i++) { // keys and vals: you can guess what they are
                String v = prefs.get(keys[i], null);
                if (!vals[i].equals(v)) {
                    prefs.put(keys[i], vals[i]);
                }
            }
            StartBurp.main(args);
        }
    } catch (Exception e) {
        JOptionPane.showMessageDialog(null, "This program can only run with burpsuite_pro_v1.5.01.jar",
                "Burploader by [email protected]", 0);
    }
}

So the principle of Burploader is to forge a valid key that passes the check: the key is injected through Preferences, and, I guess, in order to pin down the key calculation, some environment-derived values that feed into it are set to constants through reflection.

0x04 Analysis of the new Burploader version:

The following uses the 1.6beta version of Burploader. First try to open Burploader with JD-GUI:

It seems this version of Burploader applied obfuscation to the bytecode, so this road is blocked; let's read the bytecode directly instead.

As you can see, the strings here are all scrambled, and each one is passed through a JSR to offset 151 to be decrypted.

The features of this decryption code are very obvious: a switch with 5 branches, each XORing with a different key value. Isn't this the Zelix KlassMaster algorithm? It is a simple XOR, so it is easy to write the decryptor:

public class Verify {
    // The five key values come from the bipush / iconst_1 instructions in the switch branches
    private static String decrypt(String str) {
        char key[] = new char[] { 73, 25, 85, 1, 29 };
        char arr[] = str.toCharArray();
        for (int i = 0; i < arr.length; i++) {
            arr[i] ^= key[i % 5]; // XOR is its own inverse, so this both encrypts and decrypts
        }
        return new String(arr);
    }

    public static void main(String args[]) {
        System.out.println(decrypt("%x'sdgu4t3#x#`egj\"hs.7%m|/7;hp+l&/S t7tn\5v:j'}_dx%"));
    }
}

The 5 key values are the bipush operands and the iconst_1 (don't forget that one); the decrypted string is: larry.lau.javax.swing.plaf.nimbus.NimbusLook:4

In fact, decrypting the strings is not really needed here, because we already have the source of the old version, but the technique can be very useful when reversing other software.
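The Verify class above only works once the five key values have been read out of the bytecode. The added example below (not from the original article) shows the more general technique an analyst uses on this kind of repeating-XOR string obfuscation when the key is not yet known: recover the key from a ciphertext plus a known plaintext prefix, and derive the key period at the same time. It assumes the article's key {73, 25, 85, 1, 29} and the article's decrypted string "larry.lau.javax.swing.plaf.nimbus.NimbusLook:4"; the sample ciphertext is constructed here by re-encrypting that string, and the method and class names are the example's own.

```java
import java.util.Arrays;

public class RepeatingXorKeyRecovery {
    // Key values read from the article's decryption routine (assumption: taken as-is from the article).
    static final char[] ARTICLE_KEY = { 73, 25, 85, 1, 29 };

    /** XOR with a repeating key; symmetric, so the same routine encrypts and decrypts. */
    static String xor(String s, char[] key) {
        char[] arr = s.toCharArray();
        for (int i = 0; i < arr.length; i++) {
            arr[i] ^= key[i % key.length];
        }
        return new String(arr);
    }

    /** Smallest period p (1..maxPeriod) for which the key implied by the known prefix is
     *  self-consistent, i.e. cipher[i]^plain[i] == cipher[i%p]^plain[i%p] for every i. */
    static int guessPeriod(String cipher, String knownPrefix, int maxPeriod) {
        for (int p = 1; p <= maxPeriod; p++) {
            boolean consistent = true;
            for (int i = p; i < knownPrefix.length() && consistent; i++) {
                char k  = (char) (cipher.charAt(i) ^ knownPrefix.charAt(i));
                char k0 = (char) (cipher.charAt(i % p) ^ knownPrefix.charAt(i % p));
                consistent = (k == k0);
            }
            if (consistent) return p;
        }
        return -1; // no period up to maxPeriod fits the known prefix
    }

    /** Known-plaintext key recovery: key[i] = cipher[i] ^ plain[i] for the first `period` chars. */
    static char[] recoverKey(String cipher, String knownPrefix, int period) {
        if (knownPrefix.length() < period) {
            throw new IllegalArgumentException("need at least " + period + " known plaintext chars");
        }
        char[] key = new char[period];
        for (int i = 0; i < period; i++) {
            key[i] = (char) (cipher.charAt(i) ^ knownPrefix.charAt(i));
        }
        return key;
    }

    static int[] asInts(char[] key) {
        int[] out = new int[key.length];
        for (int i = 0; i < key.length; i++) out[i] = key[i];
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: the article's decrypted string, re-encrypted with the article's key.
        String plain  = "larry.lau.javax.swing.plaf.nimbus.NimbusLook:4";
        String cipher = xor(plain, ARTICLE_KEY);

        // In practice the analyst knows only a prefix (a package or author prefix that recurs
        // across many strings); here the first 12 characters are assumed known.
        String known = plain.substring(0, 12);

        int period = guessPeriod(cipher, known, 16);          // expected: 5
        char[] key = recoverKey(cipher, known, period);       // expected: [73, 25, 85, 1, 29]
        System.out.println("period = " + period + ", key = " + Arrays.toString(asInts(key)));
        System.out.println("decrypted: " + xor(cipher, key)); // full string, not just the known prefix
    }
}
```

The period guess is only as strong as the known prefix: a prefix shorter than two key lengths can make a short period look consistent by coincidence, so confirm a recovered key by decrypting several other strings from the same class and checking that they all come out readable.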

0x05 Summary & PoC

The following is my modified Burploader. I have removed the malicious code and instead print the original values that it would have overwritten; add the Burp Suite jar to the classpath, compile, and run this code:

package stratburp;

import java.lang.reflect.Field;
import java.util.prefs.Preferences;
import javax.swing.JOptionPane;

public class StartBurp {
    private static final String[] clzzData = { "burp.ecc", "burp.voc", "burp.jfc", "burp.gtc",
            "burp.zi", "burp.q4c", "burp.pid", "burp.y0b" };
    private static final String[] fieldData = { "b", "b", "c", "c", "c", "b", "c", "c" };
    private static final String errorTip = "This program can only run with burpsuite_pro_v1.5.01.jar";
    private static final String[] keys = { "license1", "ug4ntkffohfn/on7rt1nbw==" };

    public static void main(String[] args) {
        try {
            for (int i = 0; i < clzzData.length; i++) {
                Class clzz = Class.forName(clzzData[i]);
                Field field = clzz.getDeclaredField(fieldData[i]);
                field.setAccessible(true);
                // field.set(null, strData[i]);  -- the overwrite step is removed; strData is not declared in this listing
                System.out.println(field.get(null)); // print the original value instead
            }
            Preferences prefs = Preferences.userNodeForPackage(StartBurp.class);
            for (int i = 0; i < keys.length; i++) {
                String v = prefs.get(keys[i], null);
                System.out.println(v); // whatever is currently stored under the key
            }
            burp.StartBurp.main(args); // hand off to the real Burp Suite entry point
        } catch (Exception e) {
            JOptionPane.showMessageDialog(null, errorTip, "Notice", 0);
        }
    }
}

The output is as shown:

The first 8 lines of output are the original values (on my computer) that Burploader previously modified; the same machine produces the same values on every run. The key values after them are the maliciously modified ones, because I had already run Burploader (but since the first 8 values are left unmodified, they no longer pass Burp Suite's verification). Burploader in fact uses the same key to register on every computer; it only modifies and pins some of the environment values that take part in the key calculation. This is probably the main idea of the Burp Suite crack. As for how a genuinely valid license is calculated, that is left for later study.

http://drops.wooyun.org/tips/2689
