new windows

Author: 4ra1n

native/CMakeLists.txt

@@ -22,15 +22,15 @@ if (WIN32)
     add_custom_target(
             native_encrypt_asm ALL
             COMMAND ml64 /c /Fo${CMAKE_CURRENT_BINARY_DIR}/native_encrypt_asm.obj
-            ${CMAKE_CURRENT_SOURCE_DIR}/encrypt.asm
+            ${CMAKE_CURRENT_SOURCE_DIR}/encrypt_windows.asm
             BYPRODUCTS ${CMAKE_CURRENT_BINARY_DIR}/native_encrypt_asm.obj
             WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
     )
 
     add_custom_target(
             native_decrypt_asm ALL
             COMMAND ml64 /c /Fo${CMAKE_CURRENT_BINARY_DIR}/native_decrypt_asm.obj
-            ${CMAKE_CURRENT_SOURCE_DIR}/decrypt.asm
+            ${CMAKE_CURRENT_SOURCE_DIR}/decrypt_windows.asm
             BYPRODUCTS ${CMAKE_CURRENT_BINARY_DIR}/native_decrypt_asm.obj
             WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
     )
@@ -51,7 +51,7 @@ if (WIN32)
     add_library(
             decrypter SHARED
             core_de.h
-            start.c
+            start_windows.c
 
             xxtea_common.c
             xxtea_common.h

native/core_de.h

@@ -5,5 +5,5 @@
 
 #define DE_LOG(msg) printf("[JVMTI-LOG] %s\n", msg)
 
-// SEE decrypt.asm
+// SEE decrypt_windows.asm
 extern void decrypt(unsigned char *, long);

native/core_en.h

@@ -5,5 +5,5 @@
 
 #define EN_LOG(msg) printf("[ENCRYPT] %s\n", msg)
 
-// SEE encrypt.asm
+// SEE encrypt_windows.asm
 extern void encrypt(unsigned char *, long);

native/decrypt.asm renamed to native/decrypt_windows.asm

@@ -67,7 +67,6 @@ void internal(unsigned char *_data, int start, unsigned char *key) {
     }
     uint32_t v[2] = {convert(first), convert(second)};
 
-    printf("DECRYPT KEY: %s\n", key);
     unsigned char *key_part1 = key;
     unsigned char *key_part2 = key + 4;
     unsigned char *key_part3 = key + 8;
@@ -113,16 +112,18 @@ void JNICALL ClassDecryptHook(
         for (int i = 0; i < class_data_len; i++) {
             _data[i] = class_data[i];
         }
-        if (class_data_len < 34) {
+        if (class_data_len < 18) {
             return;
         }
-        // 1. {[10:14],[14:18]}
-        internal(_data, 10, KEY);
-        // 2. {[18:22],[22:26]}
-        internal(_data, 18, KEY);
-        // 3. {[26:30],[30:34]}
-        internal(_data, 26, KEY);
-        // 4. asm encrypt
+
+        DE_LOG("START DECRYPT");
+        // 1. all xxtea
+        int total = (class_data_len - 10) / 8;
+        for (int i = 0; i < total; i++) {
+            internal(_data, 10 + i * 8, KEY);
+        }
+
+        // 2. asm encrypt
         decrypt((unsigned char *) _data, class_data_len);
     } else {
         for (int i = 0; i < class_data_len; i++) {
@@ -259,12 +260,14 @@ JNIEXPORT jint JNICALL Agent_OnLoad(JavaVM *vm, char *options, void *reserved) {
     uintptr_t baseAddress = (uintptr_t) moduleHandle;
     uintptr_t functionRVA = (uintptr_t) functionAddress - baseAddress;
 
-    printf("gHotSpotVMStructs RVA: 0x%08X\n", (unsigned int) functionRVA);
-    printf("Function Addr: 0x%08X\n", (unsigned int) (uintptr_t) functionAddress);
+    printf("gHotSpotVMStructs RVA: 0x%016llx\n", functionRVA);
+    printf("Function Addr: 0x%016llx\n",  (uintptr_t) functionAddress);
 
     *(size_t *) functionAddress = 0;
 
     FreeLibrary(moduleHandle);
 
+    DE_LOG("HACK JVM FINISH");
+
     return JNI_OK;
 }