bug

Author: 4ra1n

native/CMakeLists.txt

@@ -179,5 +179,9 @@ else ()
             PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/decrypt_linux.obj
     )
 
+    target_link_libraries(decrypt_test
+            PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/encrypt_linux.obj
+    )
+
 endif ()
 

native/core_de.h

@@ -3,7 +3,7 @@
 
 #endif //NATIVE_CORE_DE_H
 
-#define LOG(msg) printf("[JVMTI-LOG] %s\n", msg)
+#define DE_LOG(msg) printf("[JVMTI-LOG] %s\n", msg)
 
 // SEE decrypt.asm
 extern void decrypt(unsigned char *, long);

native/core_en.h

@@ -3,7 +3,7 @@
 
 #endif //NATIVE_CORE_EN_H
 
-#define LOG(msg) printf("[ENCRYPT] %s\n", msg)
+#define EN_LOG(msg) printf("[ENCRYPT] %s\n", msg)
 
 // SEE encrypt.asm
 extern void encrypt(unsigned char *, long);

native/decrypt.asm

@@ -5,7 +5,10 @@ decrypt PROC
     push rbp
     mov rbp, rsp
     ; save
+    push rax
     push rbx
+    push rcx
+    push rdx
     push rsi
     push rdi
     ; char* str
@@ -53,7 +56,10 @@ magic:
     ; recover
     pop rdi
     pop rsi
+    pop rdx
+    pop rcx
     pop rbx
+    pop rax
     ; recover rbp
     pop rbp
     ret

native/decrypt_linux.asm

@@ -2,5 +2,66 @@ section .text
 global decrypt
 
 decrypt:
-    ; NOP
+    ; init
+    push rbp
+    mov rbp, rsp
+    ; save
+    push rax
+    push rbx
+    push rcx
+    push rdx
+    push rsi
+    push rdi
+    ; char* str -> rdi
+    mov rdi, rdi
+    ; long length -> rsi
+    mov rsi, rsi
+    mov rcx, rsi
+    ; rbx = 0
+    xor rbx, rbx
+    ; rbx = rbx + 4
+    add rbx, 004h
+    ; signature
+    mov rsi, rcx
+    sub rsi, 001h
+    mov al, byte [rdi+rsi]
+    mov ah, byte [rdi+004h]
+    mov byte [rdi+004h], al
+    mov byte [rdi+rsi], ah
+    ; reset
+    xor ah, ah
+    xor al, al
+    xor rsi, rsi
+link_start:
+    ; if ebx >= ecx goto end
+    cmp rbx, rcx
+    jge magic
+    ; al = str[rdi+rbx]
+    mov al, byte [rdi+rbx]
+    ; al = al ^ 22
+    xor al, 022h
+    ; al = al -1
+    sub al, 001h
+    ; al = ~al
+    not al
+    ; al = al ^ 11h
+    xor al, 011h
+    ; al = al + 2
+    add al, 002h
+    ; str[rdi+rbx] = al
+    mov byte [rdi+rbx], al
+    ; ebx ++
+    inc ebx
+    ; loop
+    jmp link_start
+magic:
+    ; recover
+    pop rdi
+    pop rsi
+    pop rdx
+    pop rcx
+    pop rbx
+    pop rax
+    ; recover rbp
+    pop rbp
     ret

native/decrypt_test.c

@@ -1,4 +1,5 @@
 #include "core_de.h"
+#include "core_en.h"
 #include "stdio.h"
 
 void printHex(const unsigned char *arr, int length) {
@@ -14,6 +15,8 @@ int main() {
             0x00, 0x00, 0x00, 0x05,
             0x01, 0x02, 0x03, 0x04,
     };
+    encrypt(code,12);
+    printHex(code,12);
     decrypt(code,12);
     printHex(code,12);
 }

native/encrypt.asm

@@ -5,7 +5,10 @@ encrypt PROC
     push rbp
     mov rbp, rsp
     ; save
+    push rax
     push rbx
+    push rcx
+    push rdx
     push rsi
     push rdi
     ; char* str
@@ -60,7 +63,10 @@ magic:
     ; recover
     pop rdi
     pop rsi
+    pop rdx
+    pop rcx
     pop rbx
+    pop rax
     ; recover rbp
     pop rbp
     ret

native/encrypt_linux.asm

@@ -2,5 +2,74 @@ section .text
 global encrypt
 
 encrypt:
-    ; NOP
+    ; init
+    push rbp
+    mov rbp, rsp
+
+    push rax
+    push rbx
+    push rcx
+    push rdx
+    push rsi
+    push rdi
+
+    ; char* str
+    mov rdi, rdi
+    ; long length
+    mov rcx, rsi
+    ; rbx = 0
+    xor rbx, rbx
+link_start:
+    ; if rbx >= rcx goto end
+    cmp rbx, rcx
+    jge magic
+    ; al = str[rdi+rbx]
+    mov al, byte [rdi+rbx]
+    ; al = al - 2
+    sub al, 0x02
+    ; al = al ^ 11h
+    xor al, 0x11
+    ; al = ~al
+    not al
+    ; al = al + 1
+    add al, 0x01
+    ; al = al ^ 22
+    xor al, 0x22
+    ; str[rdi+rbx] = al
+    mov byte [rdi+rbx], al
+    ; ebx ++
+    inc rbx
+    ; loop
+    jmp link_start
+magic:
+    ; magic
+    mov al, 0xca
+    mov byte [rdi+0x00], al
+    mov al, 0xfe
+    mov byte [rdi+0x01], al
+    mov al, 0xba
+    mov byte [rdi+0x02], al
+    mov al, 0xbe
+    mov byte [rdi+0x03], al
+    ; signature
+    mov rsi, rcx
+    sub rsi, 0x01
+    mov al, byte [rdi+rsi]
+    mov ah, byte [rdi+0x04]
+    mov byte [rdi+0x04], al
+    mov byte [rdi+rsi], ah
+    ; reset
+    xor ah, ah
+    xor al, al
+    xor rsi, rsi
+
+    pop rdi
+    pop rsi
+    pop rdx
+    pop rcx
+    pop rbx
+    pop rax
+
+    ; recover rbp
+    pop rbp
     ret

native/encryptor.c

@@ -52,21 +52,21 @@ JNIEXPORT jbyteArray JNICALL Java_org_y4sec_encryptor_core_CodeEncryptor_encrypt
     memcpy(chars, data, length);
     // 1. asm encrypt
     encrypt(chars, length);
-    LOG("ASM ENCRYPT FINISH");
+    EN_LOG("ASM ENCRYPT FINISH");
     // 2. tea encrypt
     if (length < 34) {
-        LOG("ERROR: BYTE CODE TOO SHORT");
+        EN_LOG("ERROR: BYTE CODE TOO SHORT");
         return text;
     }
     // {[10:14],[14:18]}
     internal(chars, 10);
-    LOG("TEA ENCRYPT #1");
+    EN_LOG("TEA ENCRYPT #1");
     // {[18:22],[22:26]}
     internal(chars, 18);
-    LOG("TEA ENCRYPT #2");
+    EN_LOG("TEA ENCRYPT #2");
     // {[26:30],[30:34]}
     internal(chars, 26);
-    LOG("TEA ENCRYPT #3");
+    EN_LOG("TEA ENCRYPT #3");
     (*env)->SetByteArrayRegion(env, text, 0, length, (jbyte *) chars);
     return text;
 }

native/start_linux.c

@@ -75,7 +75,7 @@ void JNICALL ClassDecryptHook(
 }
 
 JNIEXPORT void JNICALL Agent_OnUnload(JavaVM *vm) {
-    LOG("UNLOAD AGENT");
+    DE_LOG("UNLOAD AGENT");
 }
 
 JNIEXPORT jint JNICALL Agent_OnLoad(JavaVM *vm, char *options, void *reserved) {
@@ -107,7 +107,7 @@ JNIEXPORT jint JNICALL Agent_OnLoad(JavaVM *vm, char *options, void *reserved) {
     }
 
     if (value == NULL) {
-        LOG("NEED PACKAGE_NAME PARAMS\n");
+        DE_LOG("NEED PACKAGE_NAME PARAMS\n");
         return 0;
     }
 
@@ -119,44 +119,44 @@ JNIEXPORT jint JNICALL Agent_OnLoad(JavaVM *vm, char *options, void *reserved) {
     printf("PACKAGE-LENGTH: %lu\n", strlen(PACKAGE_NAME));
 
     jvmtiEnv *jvmti;
-    LOG("INIT JVMTI ENVIRONMENT");
+    DE_LOG("INIT JVMTI ENVIRONMENT");
     jint ret = (*vm)->GetEnv(vm, (void **) &jvmti, JVMTI_VERSION);
     if (JNI_OK != ret) {
         printf("ERROR: Unable to access JVMTI!\n");
         printf("PLEASE USE JVM VERSION 8");
         return ret;
     }
-    LOG("INIT JVMTI CAPABILITIES");
+    DE_LOG("INIT JVMTI CAPABILITIES");
     jvmtiCapabilities capabilities;
     (void) memset(&capabilities, 0, sizeof(capabilities));
 
     capabilities.can_generate_all_class_hook_events = 1;
 
-    LOG("ADD JVMTI CAPABILITIES");
+    DE_LOG("ADD JVMTI CAPABILITIES");
     jvmtiError error = (*jvmti)->AddCapabilities(jvmti, &capabilities);
     if (JVMTI_ERROR_NONE != error) {
         printf("ERROR: Unable to AddCapabilities JVMTI!\n");
         return error;
     }
 
-    LOG("INIT JVMTI CALLBACKS");
+    DE_LOG("INIT JVMTI CALLBACKS");
     jvmtiEventCallbacks callbacks;
     (void) memset(&callbacks, 0, sizeof(callbacks));
 
-    LOG("SET JVMTI CLASS FILE LOAD HOOK");
+    DE_LOG("SET JVMTI CLASS FILE LOAD HOOK");
     callbacks.ClassFileLoadHook = &ClassDecryptHook;
     error = (*jvmti)->SetEventCallbacks(jvmti, &callbacks, sizeof(callbacks));
     if (JVMTI_ERROR_NONE != error) {
         printf("ERROR: Unable to SetEventCallbacks JVMTI!\n");
         return error;
     }
-    LOG("SET EVENT NOTIFICATION MODE");
+    DE_LOG("SET EVENT NOTIFICATION MODE");
     error = (*jvmti)->SetEventNotificationMode(jvmti, JVMTI_ENABLE, JVMTI_EVENT_CLASS_FILE_LOAD_HOOK, NULL);
     if (JVMTI_ERROR_NONE != error) {
         printf("ERROR: Unable to SetEventNotificationMode JVMTI!\n");
         return error;
     }
 
-    LOG("INIT JVMTI SUCCESS");
+    DE_LOG("INIT JVMTI SUCCESS");
     return JNI_OK;
 }