Decrypting strings with a JEB script

In this article, we unpacked a malicious version of the “Tous Anti Covid” application. We know the main entry point of the payload DEX is dad.calm.invest.qusalkrlkyy.

the main entry point is located in the payload DEX (decrypted and dynamically loaded by the malware)

Encrypted strings

Using the decrypted payload DEX we unpacked in the previous article, we quickly notice in that class there are several encrypted strings. In this article, we’ll see how to create a JEB script to decrypt the strings.

The strings are Base64 encoded + encryption by a()

a() is a method which first decodes Base64 and then decrypts data using a custom algorithm. This algorithm is initialized with a hard coded key. Below, I show a “de-obfuscated” version of a():

private String decrypt(String encrypted_string) {
try {
return new String(new DecryptionAlgo(this.c.key.getBytes())
.decrypt(e.createByteArray(
new String(
Base64.decode(encrypted_string, 0),
“UTF-8”))));
}
...

Implementing the decryption algo in Python

I want to decrypt encrypted strings, ok? To do so, I need to understand the decryption algorithm, and automate that in a JEB script. JEB scripts are written in Python, so I’ll have to port Java code to Python.

The first thing a() does is Base64 decoding. This is easily done in Python with the base64 package and b64decode().

Then, the code converts the base64 string to a byte array and decrypts the byte array using b().

this is the (obfuscated) decryption algo

This decryption algorithm can quite easily be ported to Python:

  1. No need for explicit memory allocations in Python such as new byte. We simply need to say v0 is an array [].
  2. The for loop is transformed to for i in range(…) .
  3. In Python, you cannot “assign a value to an array” with v0[v1]=.... Rather, we can “append” a value to an array.
  4. The algorithm calls another method a(). If you look at its code, it simply swaps the values of indices v4 and this.c in array v3. That’s easy to implement in Python too.
The same algorithm, ported to Python. Here, decrypt is part of a Python class.

The other part we need to take care of is the algorithm’s key. We see the code instantiates a decryption object with a hard-coded key (its value is “dcpmeyucapxy”). The object constructor prepares the key with a custom algorithm (see below).

This method is called by the decryption object constructor (dad.calm.invest.c.c). It needs to be ported to Python.

The port of the method is not a problem, as modulo operator exist both in Java and Python.

Wrapping the algorithm into a JEB script

Once all elements of the decryption algorithm are implemented (we can test it in a standalone script), we need to wrap this up in a JEB script. JEB experts could do wonders, automatically recognize the strings, decrypt them and replace by the decrypted value (see scripts such as this one). However, I am not an expert, and I can’t spend hours on writing a script either. So, we’ll do something simpler: the JEB user is expected to select the string to decrypt, the script will automatically decrypt the string and add a comment next to it with the decrypted version. My script will not handle error cases, feel free to enhance 😄.

Creating a JEB script. The main class must derive from IScript (defined in package com.pnfsoftware.jeb.client.api that we must import) , and the class must implement a method named run()

The JEB script (1) gets the selected string (getSelectedText or getActiveItemAsText), (2) then we send that string to the decryption algorithm we implemented. The result is the decrypted string. Finally, (3) we add that string as a comment (setComment). I largely inspired my code from this one to do that.

Source code script to decrypt strings (GitHub).

Running the script

Finally, put the Python script somewhere JEB can access it. Then, select a string to decrypt. Then, File > Scripts > Run Script. Select the script. And it should work :) The print commands go to JEB’s logger console, the decrypted string is added as comment. For next times, you can simply use F2 to run the same script.

Very handy! Have a look at the video to see it in action.

I use F2 key to run the JEB script

— cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.