Decrypting strings with a JEB script

The main entry point is located in the payload DEX (decrypted and dynamically loaded by the malware).

Encrypted strings

Using the decrypted payload DEX we unpacked in the previous article, we quickly notice that there are several encrypted strings in that class. In this article, we’ll see how to create a JEB script to decrypt the strings.

The strings are Base64-encoded and encrypted by a().
private String decrypt(String encrypted_string) {
try {
return new String(new DecryptionAlgo(this.c.key.getBytes())
new String(
Base64.decode(encrypted_string, 0),

Implementing the decryption algo in Python

I want to decrypt encrypted strings, ok? To do so, I need to understand the decryption algorithm, and automate that in a JEB script. JEB scripts are written in Python, so I’ll have to port Java code to Python.

This is the (obfuscated) decryption algo.
  1. No need for explicit memory allocations in Python such as new byte. We simply need to say v0 is an array [].
  2. The for loop is transformed to for i in range(…) .
  3. In Python, you cannot “assign a value to an array” with v0[v1]=... while the list is still empty. Rather, we “append” each value to the list.
  4. The algorithm calls another method a(). If you look at its code, it simply swaps the values of indices v4 and this.c in array v3. That’s easy to implement in Python too.
The same algorithm, ported to Python. Here, decrypt is part of a Python class.
This method is called by the decryption object constructor (dad.calm.invest.c.c). It needs to be ported to Python.
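
The porting notes above, as an added example that is not the author's code. The sample's real algorithm is not reproduced here, so this uses standard RC4 as a stand-in, on the assumption that it has the same shape (a constructor that prepares an array with a swap helper, plus a decrypt method). The names StandInCipher, decrypt_string, SAMPLE and the key are hypothetical.

```python
import base64


class StandInCipher(object):
    """Standard RC4, used as a stand-in; NOT the sample's actual algorithm."""

    def __init__(self, key):
        # Java: new byte[256]. In Python: start from [] and append.
        self.s = []
        for i in range(256):
            self.s.append(i)
        # Key scheduling runs once, in the constructor.
        key = bytearray(key)
        j = 0
        for i in range(256):
            # "& 0xFF" keeps values in 0..255, as Java byte arithmetic would wrap.
            j = (j + self.s[i] + key[i % len(key)]) & 0xFF
            self.swap(i, j)

    def swap(self, a, b):
        # Port of the small helper that exchanges two entries of the array.
        self.s[a], self.s[b] = self.s[b], self.s[a]

    def decrypt(self, data):
        # Save the state so one object can decrypt several strings.
        saved = list(self.s)
        out = []
        i = j = 0
        for c in bytearray(data):
            i = (i + 1) & 0xFF
            j = (j + self.s[i]) & 0xFF
            self.swap(i, j)
            out.append(c ^ self.s[(self.s[i] + self.s[j]) & 0xFF])
        self.s = saved
        return bytes(bytearray(out))


def decrypt_string(encrypted_string, key):
    """Same order as the Java wrapper: Base64-decode first, then decrypt."""
    raw = base64.b64decode(encrypted_string)
    return StandInCipher(key).decrypt(raw).decode("utf-8")


# Constructed sample: the public RC4 test vector (key "Key", text "Plaintext",
# ciphertext BBF316E8D940AF0AD3), Base64-encoded. Not taken from the malware.
SAMPLE = "u/MW6NlArwrT"

if __name__ == "__main__":
    print(decrypt_string(SAMPLE, b"Key"))
```

The code sticks to constructs that also work under Python 2.7, since JEB runs scripts with Jython; test it standalone before wrapping it in a JEB script.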

Wrapping the algorithm into a JEB script

Once all elements of the decryption algorithm are implemented (we can test them in a standalone script), we need to wrap this up in a JEB script. JEB experts could do wonders: automatically recognize the strings, decrypt them and replace them with the decrypted value (see scripts such as this one). However, I am not an expert, and I can’t spend hours on writing a script either. So, we’ll do something simpler: the JEB user is expected to select the string to decrypt, and the script will automatically decrypt it and add a comment next to it with the decrypted version. My script will not handle error cases, feel free to enhance 😄.

Creating a JEB script. The main class must derive from IScript (defined in package com.pnfsoftware.jeb.client.api, which we must import), and the class must implement a method named run().

Running the script

Finally, put the Python script somewhere JEB can access it. Then, select a string to decrypt and go to File > Scripts > Run Script. Select the script, and it should work :) The print commands go to JEB’s logger console, and the decrypted string is added as a comment. Next time, you can simply use F2 to run the same script.

I use the F2 key to run the JEB script.






Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.