Decrypting strings with a JEB script

In this article, we unpacked a malicious version of the “Tous Anti Covid” application. We know the main entry point of the payload DEX is dad.calm.invest.qusalkrlkyy.

The main entry point is located in the payload DEX (decrypted and dynamically loaded by the malware).

Encrypted strings

The strings are stored Base64-encoded and encrypted; a() undoes both.

a() is a method which first decodes Base64 and then decrypts the data using a custom algorithm. This algorithm is initialized with a hard-coded key. Below, I show a “de-obfuscated” version of a():

    // De-obfuscated a(): Base64-decode the string, then decrypt it with the hard-coded key
    private String decrypt(String encrypted_string) {
        try {
            return new String(new DecryptionAlgo(this.c.key.getBytes())
                .decrypt(e.createByteArray(
                    new String(
                        Base64.decode(encrypted_string, 0),
                        "UTF-8"))));
        } catch (Exception ex) {
            ...
        }
    }

Implementing the decryption algo in Python

The first thing a() does is Base64 decoding. This is easily done in Python with the base64 module and b64decode().

Then, the code converts the Base64-decoded string to a byte array and decrypts that byte array using b().

This is the (obfuscated) decryption algorithm b().

This decryption algorithm can quite easily be ported to Python:

  1. No need for explicit memory allocations in Python such as new byte[...]. We simply say v0 is an array [].
  2. The for loop is transformed into for i in range(...).
  3. In Python, you cannot write into an empty array with v0[v1] = ... the way Java writes into a pre-allocated one. Rather, we “append” each value to the array.
  4. The algorithm calls another method a(). If you look at its code, it simply swaps the values at indices v4 and this.c in array v3. That’s easy to implement in Python too.
The same algorithm, ported to Python. Here, decrypt is part of a Python class.

The other part we need to take care of is the algorithm’s key. We see the code instantiates a decryption object with a hard-coded key (its value is "dcpmeyucapxy"). The object constructor prepares the key with a custom algorithm (see below).

This method is called by the decryption object constructor (dad.calm.invest.c.c). It needs to be ported to Python.

Porting this method is not a problem either, as the modulo operator exists in both Java and Python.
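As an added illustration of the porting pattern described above, and not the sample's own code (the real b() and key-preparation routines are only visible in the screenshots), the class below uses an RC4-style key schedule and swap loop as a stand-in: the key is prepared with modulo arithmetic, decrypt keeps a state index self.c and swaps two entries of the state array, and Base64 decoding is done with b64decode. The key value "dcpmeyucapxy" is the one quoted in the text; the cipher itself is an assumption, and encrypt_string is a constructed helper for testing the round trip.

```python
import base64


class DecryptionAlgo:
    """Stand-in for the malware's decryption object (assumed RC4-style;
    the real routine is only visible in the disassembly screenshots)."""

    def __init__(self, key):
        # Key preparation with modulo arithmetic, playing the role of the
        # constructor routine in dad.calm.invest.c.c (actual steps unknown).
        self.state = list(range(256))
        j = 0
        for i in range(256):
            j = (j + self.state[i] + key[i % len(key)]) % 256
            self.state[i], self.state[j] = self.state[j], self.state[i]
        # Running indices kept as fields, like this.c in the Java code
        self.b = 0
        self.c = 0

    def swap(self, i):
        # Port of a(): exchange the entries at index i and index self.c
        self.state[i], self.state[self.c] = self.state[self.c], self.state[i]

    def decrypt(self, data):
        # Port of b(): no pre-allocated byte[]; values are appended (point 3)
        out = []
        for byte in data:
            self.b = (self.b + 1) % 256
            self.c = (self.c + self.state[self.b]) % 256
            self.swap(self.b)
            k = self.state[(self.state[self.b] + self.state[self.c]) % 256]
            out.append(byte ^ k)
        return bytes(out)


KEY = b"dcpmeyucapxy"  # hard-coded key quoted in the article


def decrypt_string(encrypted_string):
    """What a() does: Base64-decode, then run the custom decryption."""
    raw = base64.b64decode(encrypted_string)
    return DecryptionAlgo(KEY).decrypt(raw).decode("utf-8")


def encrypt_string(plaintext):
    """Constructed test helper: the stand-in cipher is symmetric, so the same
    key stream encrypts; the result is Base64-encoded as the sample stores it."""
    raw = DecryptionAlgo(KEY).decrypt(plaintext.encode("utf-8"))
    return base64.b64encode(raw).decode("ascii")
```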

Wrapping the algorithm into a JEB script

Creating a JEB script: the main class must derive from IScript (defined in package com.pnfsoftware.jeb.client.api, which we must import), and the class must implement a method named run().

The JEB script (1) gets the selected string (getSelectedText or getActiveItemAsText), (2) then sends that string to the decryption algorithm we implemented; the result is the decrypted string. Finally, (3) we add that string as a comment (setComment). My code was largely inspired by this one.

Source code script to decrypt strings (GitHub).

Running the script

Very handy! Have a look at the video to see it in action.

I use the F2 key to run the JEB script.

— cryptax