Monday, August 26, 2013

Creating a WIFI Honeypot

In this post I will go through the process of creating a WIFI honeypot. We can use this to get clients to connect to us instead of the WIFI network they actually want.

When a device is running it is constantly sending out probes for wireless networks it has previously connected to. Devices also look for WIFI networks in the area that are available to connect to. We can go either way with this; in this post I will talk about WIFI networks that are in the client's range. This attack can be used in a coffee shop, airport, corporate network, or wherever.

NOTE: I will use honeypot and AP interchangeably for what we are creating; hopefully this doesn't create any confusion. But it probably will.

What you need:

+ Laptop
+ ALFA WIFI CARD
+ Aircrack-suite (Already installed on Backtrack and Kali)
+ Unsuspecting Victim


In another post we will further this attack for some advanced attacks. :)

Let's begin...


Ok, so first we need to find WIFI networks in the area that our victims will try to connect to.
To do this we need to put our Alfa card into monitor mode. So we find the interface by running ifconfig:


From this we can see that in my case the interface is wlan2. It may be different for you, so check it!


Next we need to actually put it into monitor mode.

We run the command: sudo airmon-ng start wlan2

As you can see, wlan2 is in monitor mode now. This creates the interface mon0.

Now let's find some networks that are around and see if anyone is probing for them. Then we will set up our honeypot.

To find APs and clients we will use airodump-ng.

Let's run sudo airodump-ng mon0 and see what we get.


From this output we can see one client not associated with Brea Network. We want to attack the non-associated clients when possible, however we aren't limited to that. I have the AP SECNET2 running as a test network for my home lab, so we will use that for now.

Now that we know which AP we are going to create a honeypot for, we can proceed to do so.

NOTE: If you want more in-depth traffic analysis, use Wireshark and sniff on mon0; then you can filter on probe requests and see everything moving across the airwaves.

Moving on...

Let's create our fake AP with the command sudo airbase-ng --essid "SECNET2" -c 2 mon0:

Now we have a fake AP called SECNET2, and if anyone who has connected to SECNET2 before comes into the area, they should automatically connect to our honeypot. But let's say we want the clients that are already connected to the legit AP.

NOTE:  A new interface called at0 was created, this will come in handy later on if you want to sniff the traffic on the fake AP.

Some of you may be wondering what the flags passed to airbase-ng mean.

--essid = the network name (ESSID) the fake AP will broadcast.
-c = the channel your AP will be on. This is optional and may be left out to span all channels.

To kick the clients off of the legit access point we will send broadcast de-authentication messages.  This will de-authenticate the clients from the legit AP and hopefully when they re-authenticate they will connect to our AP.

NOTE: You may need to do multiple deauths.

Let's break the clients' connection to the legit AP:


Since no clients were connected to the SECNET2 AP, we don't kick anyone off and the command errors out.

But as a new client comes in, we see them connect to the rogue AP:

As you can see, a client has now associated with our honeypot. What's interesting is that we have created a fake AP with no authentication in place of the legit AP, which has WEP protection. Clients don't know the difference, because most of the time they will go for the open AP, or their device will automatically connect to whichever has the strongest signal, and if we deauth them they will then connect to ours.
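The two behaviours this post relies on, an open clone of a protected SSID and a burst of broadcast deauthentication frames, are also exactly what a wireless IDS looks for. The following is an added example, not code from the post: a passive detector that decodes the 24-byte 802.11 management header, tracks which BSSIDs advertise each SSID and whether their Privacy bit is set, and counts broadcast deauths per BSSID in a sliding window. The BSSIDs, timestamps, threshold and window are all constructed or assumed values; the frames are built in memory for the test and never transmitted.

```python
"""Passive 802.11 management-frame detector for evil twins and deauth floods."""
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_THRESHOLD = 5    # assumed tuning: this many broadcast deauths ...
WINDOW_SECONDS = 2.0    # ... from one BSSID inside this window raises an alert


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ssid(ies):
    """Walk the tagged parameters after the fixed beacon fields; tag 0 is the SSID."""
    off = 0
    while off + 2 <= len(ies):
        tag, length = ies[off], ies[off + 1]
        if off + 2 + length > len(ies):
            break
        if tag == 0:
            return ies[off + 2:off + 2 + length].decode("utf-8", "replace")
        off += 2 + length
    return None


def parse_mgmt_frame(frame):
    """Decode the 24-byte management header. Frame Control byte 0 carries the
    frame type in bits 2-3 (0 = management) and the subtype in bits 4-7."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        return None
    info = {"subtype": (fc0 >> 4) & 0xF, "dst": mac(frame[4:10]),
            "src": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    body = frame[24:]
    if info["subtype"] == 8:            # beacon: timestamp(8) interval(2) capability(2) then IEs
        if len(body) < 12:
            return None
        capability = struct.unpack_from("<H", body, 10)[0]
        info["privacy"] = bool(capability & 0x0010)   # Privacy bit: WEP/WPA in use
        info["ssid"] = parse_ssid(body[12:])
    return info


def analyze(frames):
    """frames: iterable of (timestamp_seconds, raw_bytes). Returns alert strings."""
    alerts = []
    aps_by_ssid = defaultdict(dict)      # ssid -> {bssid: privacy flag}
    reported_twins = set()
    deauth_times = defaultdict(list)     # bssid -> recent broadcast deauth timestamps
    for ts, raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None:
            continue
        if f["subtype"] == 8 and f.get("ssid"):
            known = aps_by_ssid[f["ssid"]]
            for bssid, privacy in known.items():
                pair = tuple(sorted((bssid, f["bssid"])))
                if bssid != f["bssid"] and privacy != f["privacy"] and pair not in reported_twins:
                    reported_twins.add(pair)
                    alerts.append(f"evil-twin: SSID {f['ssid']!r} from {bssid} (privacy={privacy}) "
                                  f"and {f['bssid']} (privacy={f['privacy']})")
            known[f["bssid"]] = f["privacy"]
        elif f["subtype"] == 12 and f["dst"] == BROADCAST:
            recent = deauth_times[f["bssid"]]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW_SECONDS:
                recent.pop(0)
            if len(recent) == DEAUTH_THRESHOLD:
                alerts.append(f"deauth-flood: {DEAUTH_THRESHOLD} broadcast deauths from "
                              f"{f['bssid']} within {WINDOW_SECONDS}s")
    return alerts


# --- constructed test traffic (in-memory only, never transmitted) -------------
def build_beacon(bssid, ssid, privacy):
    header = b"\x80\x00\x00\x00" + bytes.fromhex(BROADCAST.replace(":", "")) + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (0x0010 if privacy else 0)          # ESS, optionally Privacy
    body = b"\x00" * 8 + struct.pack("<HH", 100, capability) + bytes([0, len(ssid)]) + ssid.encode()
    return header + body


def build_broadcast_deauth(bssid):
    header = b"\xc0\x00\x00\x00" + bytes.fromhex(BROADCAST.replace(":", "")) + bssid + bssid + b"\x00\x00"
    return header + struct.pack("<H", 7)                        # reason code 7


LEGIT = bytes.fromhex("00112233aa01")   # constructed BSSID of the real, WEP-protected SECNET2
ROGUE = bytes.fromhex("00c0ca55ee02")   # constructed BSSID of the open clone
SAMPLE = [
    (0.0, build_beacon(LEGIT, "SECNET2", privacy=True)),
    (0.1, build_beacon(LEGIT, "SECNET2", privacy=True)),
    (0.5, build_beacon(ROGUE, "SECNET2", privacy=False)),
]
# The deauths carry the real AP's BSSID as sender, so the flood is attributed to it.
SAMPLE += [(1.0 + i * 0.05, build_broadcast_deauth(LEGIT)) for i in range(6)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

On the constructed sample this raises one evil-twin alert (the same SSID advertised by two BSSIDs with different Privacy bits) and one deauth-flood alert when the fifth broadcast deauth arrives inside the window. Feeding it real captures means unpacking radiotap-wrapped frames from a pcap first, which this example leaves out.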


In the next post I'll show you how to create a bridge for your fake AP so that when clients connect they will be able to access the internet, because currently they cannot, and that will raise some suspicion.



Wednesday, July 10, 2013

[Tutorial] Finding OEP and unpacking Malware packed with ASPACK 2.12

Just FYI, there won't be a whole lot of technical explanation in this post. It's just a quick tutorial.
First we identify that the exe is packed. Then we need to locate the OEP.

This malware was packed with: ASPACK 2.12 
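Identifying that a sample is packed is usually done with a signature scanner, but the same call can be scripted. Below is an added example, not part of the post: a small PE section walker that flags the section names ASPack is known to add (.aspack and .adata, treated here as an assumption to extend with other packers) and sections whose Shannon entropy suggests compressed data, plus a lookup of which section a given OEP RVA falls in. The PE image it runs on is constructed in memory, not the sample from the post; the entropy threshold is an assumed value.

```python
"""Packer triage for a PE image: known section names, per-section entropy, OEP section lookup."""
import hashlib
import math
import struct

PACKER_SECTION_NAMES = {b".aspack", b".adata"}   # assumption: ASPack's added sections
HIGH_ENTROPY = 7.0                                # bits per byte; assumed threshold


def shannon_entropy(data):
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image):
    """Yield (name, virtual_address, virtual_size, raw_bytes) for each section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                   # section table follows the optional header
    for i in range(num_sections):
        entry = table + i * 40
        name = image[entry:entry + 8].rstrip(b"\0")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, entry + 8)
        yield name, vaddr, vsize, image[rawptr:rawptr + rawsize]


def packer_indicators(image):
    """Human-readable reasons to suspect packing, in section order."""
    reasons = []
    for name, _, _, data in pe_sections(image):
        label = name.decode("ascii", "replace")
        if name.lower() in PACKER_SECTION_NAMES:
            reasons.append(f"section {label} is a known ASPack section name")
        entropy = shannon_entropy(data)
        if data and entropy > HIGH_ENTROPY:
            reasons.append(f"section {label} has entropy {entropy:.2f} bits/byte (likely compressed)")
    return reasons


def section_for_rva(image, rva):
    """Name of the section containing an RVA, e.g. the OEP found in the debugger."""
    for name, vaddr, vsize, data in pe_sections(image):
        if vaddr <= rva < vaddr + max(vsize, len(data)):
            return name.decode("ascii", "replace")
    return None


# --- constructed sample image (not a real binary) -----------------------------
def build_test_pe(sections):
    """Minimal PE32 layout: DOS header, signature, COFF header, optional header, section table, raw data."""
    e_lfanew, opt_size = 0x40, 224
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, blobs, vaddr = b"", b"", 0x1000
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), vaddr, len(data),
                                                    raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
        vaddr += max(0x1000, (len(data) + 0xFFF) // 0x1000 * 0x1000)
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    return dos + b"PE\0\0" + coff + opt + table + blobs


def pseudo_random(n):
    """Deterministic high-entropy filler standing in for compressed code."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return out[:n]


PACKED_SAMPLE = build_test_pe([
    (b".text", pseudo_random(2048)),                 # original code, compressed by the packer
    (b".aspack", b"\x55\x8b\xec\x83\xec\x10" * 64),  # plain stub code, low entropy
    (b".adata", b"\0" * 16),
])

if __name__ == "__main__":
    for reason in packer_indicators(PACKED_SAMPLE):
        print(reason)
    print("OEP 0x16A0 lies in", section_for_rva(PACKED_SAMPLE, 0x16A0))
```

The section lookup is a useful sanity check after the debugger work: the OEP you land on should sit in the original code section, not in the packer's own stub section.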


Load it up in OllyDbg.

Now that the exe is loaded, we need to look at the ECX register.

ECX holds 0012FFB0

We right-click and choose Follow in Dump.

Now we have a hex dump in the lower left corner of Olly.

So we select the first four bytes and set a hardware on-access breakpoint of size Word.

In the screenshot we can see the breakpoint:

Yay we have a breakpoint!!!


Now we need to run the program and step 3 times.

Now we should see the following in Olly:






This is the OEP!!!

Now we use a sweet little plugin called Analyze This, available here:
http://www.openrce.org/downloads/details/174/Analyze_This
This plugin makes Olly re-analyze the code so it appears normal. This is great for us.

Lets run it:



This is our result! That's nice. (We really didn't need to do this, but it's fun.)

Now we need to dump the process from memory to get the unpacked executable.



So we right-clicked and selected Dump debugged process; now we get the above menu.

Here we will want to uncheck Rebuild Import. Why?

Because Olly tends to screw this up; we will be using Import Reconstructor, AKA ImpREC, instead.
Download it here: http://www.woodmann.com/collaborative/tools/index.php/ImpREC


We will also want to copy the value in the Modify box. In this case it is 16A0.

Now dump the executable and save it.

The next step is to rebuild the Import Table.

Fire up ImpREC.



This is where the Modify value we copied earlier will come in.

You will be presented with the following:


We will attach it to the process that Olly created.

It will do its thing....

Now we will enter the value we copied.


Enter it in the OEP box like so:




And then we click auto search.





And you will be presented with the following:





Click OK then Get Imports.





It appears everything worked!! Now we can check it by clicking Show Invalid.

Right-click and select Cut Thunks.






Then we hit Fix Dump and save our newly fixed exe.

Select the exe you saved from OllyDump and open it.

Congrats you have unpacked the Malware!!!

Friday, June 7, 2013

[Reverse Engineering] Android - Backdoor.AndroidOS.Obad.a

Reversing Backdoor.AndroidOS.Obad.a


So we're going a little off track on this one: we will take a look at the new Android Trojan called "Backdoor.AndroidOS.Obad.a".

Kaspersky Article on Backdoor.AndroidOS.Obad.a: http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan


The tools we will attempt to use:
  1. apktool
  2. dex2jar
  3. jd-gui

MD5:
E1064BFD836E4C895B569B2DE4700284

Let's start reversing it, shall we?


To start we will extract the files from the .apk file with apktool:

Let's look at that directory now.

$ tree
.
├── AndroidManifest.xml
├── apktool.yml
├── res
│   ├── drawable
│   │   └── lcolooo.png
│   ├── layout
│   │   └── occcclc.xml
│   ├── values
│   │   ├── public.xml
│   │   └── strings.xml
│   └── xml
│       └── ccclocc.xml
└── smali
    └── com
        └── android
            ├── internal
            │   └── telephony
            │       ├── IExtendedNetworkService$oCIlCll.smali
            │       └── IExtendedNetworkService.smali
            └── system
                └── admin
                    ├── CClIOcc.smali
                    ├── cCloIOCC.smali
                    ├── CcOCoIcO.smali
                    ├── cCOIcIlo.smali
                    ├── cCoIOIOo.smali
                    ├── CCOIoll.smali
                    ├── CIcIoICo.smali
                    ├── CICoICCo.smali
                    ├── cIcoIIl.smali
                    ├── CIlOCClc.smali
                    ├── cIoCcIo.smali
                    ├── COcCccl.smali
                    ├── CoccOIo$oCIlCll.smali
                    ├── CoccOIo.smali
                    ├── COOlOIl.smali
                    ├── cOoOCCo.smali
                    ├── CoooOIIO.smali
                    ├── CoOOoOo.smali
                    ├── IcCcCOIC.smali
                    ├── ICcIIlo.smali
                    ├── ICclCcoC.smali
                    ├── IccOlCc.smali
                    ├── ICICcOCo.smali
                    ├── IcIOoOC.smali
                    ├── ICOColc.smali
                    ├── ICOIoCl.smali
                    ├── IlIIlCI.smali
                    ├── IololoI.smali
                    ├── IOOICOcI.smali
                    ├── lcclOlO.smali
                    ├── lCICoIO.smali
                    ├── lclOOCl.smali
                    ├── lIcoclC.smali
                    ├── lOCIOICC.smali
                    ├── lOClOOI.smali
                    ├── loOcccoC.smali
                    ├── loooIlo.smali
                    ├── MainService.smali
                    ├── OCICooCI.smali
                    ├── OcIcoOlc.smali
                    ├── oCIlCll$CIcIoICo.smali
                    ├── oCIlCll$oCIlCll.smali
                    ├── oCIlCll$oIlclcIc.smali
                    ├── oCIlCll.smali
                    ├── OCllCoO.smali
                    ├── OcOCclc.smali
                    ├── OCOcCOll.smali
                    ├── oICClCI.smali
                    ├── oIlclcIc.smali
                    ├── oIOccOcl.smali
                    ├── oIOocIlo.smali
                    ├── OlCCcIl.smali
                    ├── olcCIIC.smali
                    ├── ollIIIc.smali
                    └── OOIlIcCc.smali

12 directories, 64 files
Ok, so now we can see some of the resources, and we have the .smali files.
We can use the xml and yml files to gather some basic info about the app.
Some of you are probably wondering what smali files are... I'll explain.

The smali files are the disassembly of the Java Virtual Machine (JVM) bytecode. In the grand scheme of things these smali files give us a really accurate picture of what the code does. You just have to be able to read them, which can be time consuming.

For the sake of this tutorial we will not go into that now; we will attempt to get the Java source code (or do the best we can) and look at the smali files in another post.

To attempt to get the Java source we will use dex2jar on the apk file:




In the above screenshot we can see that there are some errors. This is because the authors of the malware found a bug in dex2jar and used it to prevent the conversion of Dalvik bytecode into Java bytecode. dex2jar is a popular tool for converting the bytecode into a jar file, which we can then read as Java with jd-gui.
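When dex2jar aborts on dozens of classes, it helps to pull the failing class, method and root cause out of the log rather than reading the stack traces one by one, and the class names it fails on are the same look-alike identifiers (c/C/o/O/l/I) seen in the smali listing. Below is an added example, not part of the post: a parser for dex2jar's "while accept class ... ROOT cause:" log shape, a heuristic that flags class names built entirely from that confusable alphabet, and a summary of failures by exception type. The sample log is an excerpt of the dex2jar output reproduced in this post; the parser's record layout and the confusable-name rule are this example's own choices.

```python
"""Triage of a dex2jar run that fails on individual classes."""
import re
from collections import Counter

CLASS_RE = re.compile(r"while accept class id:\[(\d+)\],name:\[L([^;]+);\]")
METHOD_RE = re.compile(r"while accept method:\[([^\]]+)\]")
CONFUSABLE = frozenset("cCoOlI")   # letters that look alike in most fonts


def parse_dex2jar_log(text):
    """One record per failing class: dex class id, dotted class name, the method
    (when the failure was inside a method body) and the exception named after
    'ROOT cause:'. Lines that match none of these shapes are ignored."""
    records, current, expect_exception = [], None, False
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            current = {"id": int(m.group(1)), "class": m.group(2).replace("/", "."),
                       "method": None, "exception": None}
            records.append(current)
            continue
        m = METHOD_RE.search(line)
        if m and current is not None:
            current["method"] = m.group(1)
            continue
        if "ROOT cause:" in line:
            expect_exception = True          # the exception class is on the next line
            continue
        if expect_exception and line.strip() and current is not None:
            current["exception"] = line.split(":")[0].strip()
            expect_exception = False
    return records


def is_confusable_name(simple_name):
    """True for identifiers such as CIcIoICo or lOClOOI that use only c/C/o/O/l/I."""
    return len(simple_name) >= 4 and set(simple_name) <= CONFUSABLE


def summarize(records):
    by_exception = Counter(r["exception"] for r in records)
    confusable = [r["class"] for r in records
                  if is_confusable_name(r["class"].rsplit(".", 1)[-1].split("$")[0])]
    return {"failed_classes": len(records), "by_exception": dict(by_exception),
            "confusable_named": confusable}


# Excerpt of the dex2jar output shown in this post (two of the failing classes).
SAMPLE_LOG = """\
295 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[5],name:[Lcom/android/system/admin/CIcIoICo;]
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[29],name:[Lcom/android/system/admin/lOClOOI;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lOClOOI;.oCIlCll(Ljava/io/File;)Ljava/lang/String;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 1
    at java.util.Vector.get(Vector.java:694)
"""

if __name__ == "__main__":
    for record in parse_dex2jar_log(SAMPLE_LOG):
        print(record)
    print(summarize(parse_dex2jar_log(SAMPLE_LOG)))
```

Run over the full log, the summary separates the NullPointerException failures in visitOuterClass (a class-level attribute the converter cannot resolve) from the ArrayIndexOutOfBoundsException failures in the type-detection pass on specific method bodies, which tells you which classes still need to be read from smali.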

The full output of the failed conversion is shown below:
$ ./dex2jar.sh ~/Documents/malware/AndroidOBada/E1064BFD836E4C895B569B2DE4700284
1 [main] INFO com.googlecode.dex2jar.v3.Main - version:0.0.7.11-SNAPSHOT
7 [main] INFO com.googlecode.dex2jar.v3.Main - dex2jar /home/android/Documents/malware/AndroidOBada/E1064BFD836E4C895B569B2DE4700284 -> E1064BFD836E4C895B569B2DE4700284_dex2jar.jar
295 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[5],name:[Lcom/android/system/admin/CIcIoICo;]
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[6],name:[Lcom/android/system/admin/IcCcCOIC;]
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[11],name:[Lcom/android/system/admin/ollIIIc;]
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[12],name:[Lcom/android/system/admin/CClIOcc;]
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[14],name:[Lcom/android/system/admin/OOIlIcCc;]
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[15],name:[Lcom/android/system/admin/cIoCcIo;]
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[16],name:[Lcom/android/system/admin/oIOccOcl;]
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[18],name:[Lcom/android/system/admin/lCICoIO;]
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[19],name:[Lcom/android/system/admin/olcCIIC;]
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[22],name:[Lcom/android/system/admin/OlCCcIl;]
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[23],name:[Lcom/android/system/admin/cCOIcIlo;]
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[24],name:[Lcom/android/system/admin/CIlOCClc;]
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[29],name:[Lcom/android/system/admin/lOClOOI;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lOClOOI;.oCIlCll(Ljava/io/File;)Ljava/lang/String;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 1
    at java.util.Vector.get(Vector.java:694)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.merge(TypeDetectTransformer.java:890)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.transform(TypeDetectTransformer.java:199)
    at com.googlecode.dex2jar.v3.V3MethodAdapter.visitEnd(V3MethodAdapter.java:168)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:547)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[30],name:[Lcom/android/system/admin/lOCIOICC;]
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[33],name:[Lcom/android/system/admin/lclOOCl;]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lclOOCl;.oCIlCll(Ljava/lang/String;Ljava/io/File;)Z]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 0
    at java.util.Vector.get(Vector.java:694)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.merge(TypeDetectTransformer.java:890)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.transform(TypeDetectTransformer.java:238)
    at com.googlecode.dex2jar.v3.V3MethodAdapter.visitEnd(V3MethodAdapter.java:168)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:547)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[35],name:[Lcom/android/system/admin/ICOIoCl;]
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[36],name:[Lcom/android/system/admin/CoOOoOo;]
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/CoOOoOo;.<init>()V]
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitMethod(V3ClassAdapter.java:210)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:493)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[39],name:[Lcom/android/system/admin/CoooOIIO;]
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[42],name:[Lcom/android/system/admin/ICICcOCo;]
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[46],name:[Lcom/android/system/admin/IccOlCc;]
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[49],name:[Lcom/android/system/admin/oIOocIlo;]
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[51],name:[Lcom/android/system/admin/cCloIOCC;]
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[52],name:[Lcom/android/system/admin/IololoI;]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/IololoI;.<init>()V]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitMethod(V3ClassAdapter.java:210)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:493)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
3059 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
3059 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[56],name:[Lcom/android/system/admin/loooIlo;]
3060 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
3068 [main] INFO com.googlecode.dex2jar.v3.Main - Done.

Let's take a look at the jar file that was created.

We open it in jd-gui to see the "source" code:
Above we can see the classes dex2jar turned into Java, but notice that jd-gui flags an error inside the decompiled code and, after the error marker, dumps raw bytecode for the method it could not decompile. That is exactly what the malware authors wanted: the obfuscated names (lclOOCl, oCIlCll and friends in the dex2jar errors above) and class metadata dex2jar could not resolve (the NullPointerExceptions in the log all come out of visitOuterClass, i.e. the inner/outer class attributes) break the dex2jar-to-jd-gui pipeline, so the methods that fail are the ones we have to read some other way.

Almost every class has an error in the conversion.
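The dex2jar log above is long and repetitive, and the classes it names are exactly the ones whose .class output in the jar is missing or incomplete. Here, as an added example that is not part of the original post, is a small Python triage script that parses that log format, decodes the JVM method descriptors into readable signatures, groups the failures by root cause and lists the classes you will have to read with baksmali (or another dex-level tool) instead of jd-gui. The embedded sample log is a constructed, trimmed copy of the output above; the optional file argument is whatever you saved dex2jar's stderr to.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a cut-down copy of the dex2jar error log shown above (real
# obfuscated class names from the log, stack traces trimmed to their first frame).
SAMPLE_LOG = """\
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[33],name:[Lcom/android/system/admin/lclOOCl;]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lclOOCl;.oCIlCll(Ljava/lang/String;Ljava/io/File;)Z]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 0
    at java.util.Vector.get(Vector.java:694)
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[35],name:[Lcom/android/system/admin/ICOIoCl;]
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
3068 [main] INFO com.googlecode.dex2jar.v3.Main - Done.
"""

CLASS_RE = re.compile(r"while accept class id:\[(\d+)\],name:\[L([^;]+);\]")
METHOD_RE = re.compile(r"while accept method:\[([^\]]+)\]")
PRIMS = {"Z": "boolean", "B": "byte", "C": "char", "S": "short", "I": "int", "J": "long", "F": "float", "D": "double", "V": "void"}

@dataclass
class Failure:
    class_id: int = -1
    class_name: str = ""
    method: Optional[str] = None   # decoded signature, None when the whole class failed
    cause: Optional[str] = None    # exception class named after "ROOT cause:"
    frame: Optional[str] = None    # innermost stack frame, i.e. where it blew up

def parse_type(desc, i):
    """Decode one JVM type descriptor starting at desc[i]; return (name, next index)."""
    dims = 0
    while desc[i] == "[":
        dims += 1
        i += 1
    if desc[i] == "L":
        end = desc.index(";", i)
        name, i = desc[i + 1:end].replace("/", "."), end + 1
    else:
        name, i = PRIMS[desc[i]], i + 1
    return name + "[]" * dims, i

def method_signature(spec):
    """'Lpkg/Cls;.name(Ljava/lang/String;I)Z' -> 'boolean name(java.lang.String, int)'."""
    _owner, rest = spec.split(";.", 1)
    name, rest = rest.split("(", 1)
    params, ret = rest.split(")", 1)
    types, i = [], 0
    while i < len(params):
        t, i = parse_type(params, i)
        types.append(t)
    return f"{parse_type(ret, 0)[0]} {name}({', '.join(types)})"

def parse_dex2jar_log(text):
    """Turn each 'got an Exception, but will continue' block into a Failure record."""
    failures, cur, state = [], None, None     # state: None | "cause" | "frame"
    for line in text.splitlines():
        if "dex2jar got an Exception" in line:
            cur, state = Failure(), None
            failures.append(cur)
            continue
        if cur is None:
            continue
        m = CLASS_RE.search(line)
        if m:
            cur.class_id, cur.class_name = int(m.group(1)), m.group(2).replace("/", ".")
        elif METHOD_RE.search(line):
            cur.method = method_signature(METHOD_RE.search(line).group(1))
        elif "ROOT cause:" in line:
            state = "cause"
        elif state == "cause":                 # the line after "ROOT cause:" names the exception
            cur.cause, state = line.strip().split(":", 1)[0], "frame"
        elif state == "frame" and line.strip().startswith("at "):
            cur.frame, state = line.strip()[3:], None
    return failures

def failures_by_cause(failures):
    """Group failures by exception class so one dex2jar bug is counted once."""
    groups = defaultdict(list)
    for f in failures:
        groups[f.cause or "unknown"].append(f)
    return dict(groups)

def classes_to_recheck(failures):
    """Classes whose .class output is missing or incomplete: read these with baksmali instead."""
    return sorted({f.class_name for f in failures})

if __name__ == "__main__":
    import sys
    found = parse_dex2jar_log(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG)
    for cause, group in failures_by_cause(found).items():
        print(f"{cause}: {len(group)} failure(s), first at {group[0].frame}")
        for f in group:
            print(f"  class #{f.class_id} {f.class_name}" + (f" :: {f.method}" if f.method else ""))
    print("re-examine with baksmali:", ", ".join(classes_to_recheck(found)))
```

Grouping by root cause matters more than the raw count: the full log above has two distinct failures (an ArrayIndexOutOfBoundsException in dex2jar's type detection and a NullPointerException while writing outer-class metadata), repeated across many classes, so there are two things to work around, not dozens. The class list is what you carry over to baksmali, whose smali output does not depend on the dex2jar or ASM code paths that failed.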
Some more screenshots of other files:




That is all for this post. In the next post we will dig deeper, use some other analysis and reversing techniques, and see what we can find.

Who knows, maybe we will be able to find the Android exploit the Kaspersky article mentions; that would be fun.

Wednesday, June 5, 2013

Rootkits Part 3 - The setup & your first device driver



Sorry for taking so long to get this post out, it has been a busy month.

OK, if you missed the last post take a look at it; it covers the basic Windows functionality and internals we will need to know.

DISCLAIMER: The following material is for information and educational use only.

Now that the disclaimer is out of the way, let's start.

---------------------------------------------------------

There are many ways to start writing rootkits. Some people use Microsoft's Visual Studio 2010 (2012 sucks), which is a great option once you install the Windows Driver Kit (WDK, formerly the DDK), which supplies the kernel headers, libraries and build environment that make driver development easier. To start we will just create our own files and build them without an IDE; the IDE setup will be saved for a later post.

What you need:
  1. WinDbg (for kernel debugging)
  2. Virtualization software (VMWare, KVM, Virtualbox, etc..)
  3. Windows XP (test/dev box)
  4. Windows 7 or another XP machine (remote debugging box)

Be sure to take snapshots before you start anything or run the rootkit; if you mess up you will get blue-screened real quick.

We will switch to all Windows 7 boxes after a basic understanding of development and debugging is covered.  


I decided to keep this post small so everyone can get a basic environment up and running.

OK, once you have your environment up and running we will write a simple device driver.

We will be developing a device driver that just prints the classic "hello world". Keep in mind real rootkits DO NOT print anything; this is just a basic driver, and by basic I mean basic.


TAKE A SNAPSHOT OF YOUR CLEAN MACHINE!!!!

Yes, remember to take a snapshot of your clean box; you don't want to redo everything every time, and it's not advised to just keep putting rootkits on a box, that can fuck shit up!

This code may be a little dated but it still works (it may need tweaking for your WDK version).

#include "ntddk.h"
/* Unload routine: without one the driver cannot be stopped once it is loaded. */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("hello world: unloading\n");
}
/* DriverEntry runs once, when the driver is loaded into the kernel. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{
    theDriverObject->DriverUnload = OnUnload;   /* lets "stop" unload us */
    DbgPrint("hello world\n");                  /* visible in WinDbg or DebugView */
    return STATUS_SUCCESS;
}

This code is adapted from Rootkits - Subverting the Windows Kernel (Hoglund & Butler). The book's version has only DriverEntry; as originally pasted here it had a lower-case "in" on the first parameter and a stray quote after the prototype, neither of which compiles, and the unload routine is added so the driver can be stopped again without a reboot.

Alright, that was simple, right?

Load this into the kernel and you will see the DbgPrint message in WinDbg or Sysinternals DebugView.

Now you're wondering how the fuck do I load this into the kernel, right?

We will use OSR Driver Loader, it can be found here:
http://www.osronline.com/article.cfm?article=157

Yes, it hasn't been updated in a while, but it still works and beats writing your own driver loader, which we will eventually do in a later post.

Once OSR Driver Loader is installed, run it, point it at your .sys, click Register Service and then Start Service. A driver is not a process, so it will not show up in Task Manager's process list; confirm it is loaded with sc query <service name> or driverquery from a command prompt, or in Process Explorer by selecting the System process and switching the lower pane to DLL view, which lists the loaded kernel modules. You should also see the "hello world" debug message in WinDbg or DebugView.
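The post loads the driver by clicking through OSR Driver Loader. As an added example (not the post's own code, and not OSR's), here is the same register/start/verify/stop cycle scripted in Python over sc.exe, the service control tool built into Windows, so it can be repeated after every snapshot restore. The service name hello and the path C:\drivers\hello.sys in the usage comment are placeholders, and the embedded sc query output is a constructed sample used to exercise the parser, not output captured from the test box. Run it from an elevated (Administrator) prompt on the test VM.

```python
"""Load, verify and unload a test driver through sc.exe instead of OSR Driver Loader."""
import re
import subprocess
import sys

# sc query prints one "NAME : value" column per line; the two we care about look like
# "TYPE : 1 KERNEL_DRIVER" and "STATE : 4 RUNNING".
TYPE_RE = re.compile(r"^\s*TYPE\s*:\s*\d+\s+(\w+)", re.MULTILINE)
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)

# Constructed sample of `sc query hello` output for a loaded driver (not captured from
# the page's test box), so parse_sc_query() can be exercised without a Windows VM.
SAMPLE_QUERY_RUNNING = """\
SERVICE_NAME: hello
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""
SAMPLE_QUERY_STOPPED = SAMPLE_QUERY_RUNNING.replace("4  RUNNING", "1  STOPPED")


def parse_sc_query(output):
    """Return (service type, state) from `sc query <name>` output, e.g. ('KERNEL_DRIVER', 'RUNNING')."""
    t, s = TYPE_RE.search(output), STATE_RE.search(output)
    if not (t and s):
        raise ValueError("not sc query output: " + output[:60])
    return t.group(1), s.group(1)


def is_driver_running(output):
    """True only if the service is a kernel driver AND it is in the RUNNING state."""
    return parse_sc_query(output) == ("KERNEL_DRIVER", "RUNNING")


def sc(*args):
    """Run sc.exe; it exits non-zero (with the Win32 error code) on failure, so check=True raises."""
    return subprocess.run(["sc.exe", *args], capture_output=True, text=True, check=True).stdout


def load_driver(name, sys_path):
    """Register sys_path as a demand-start kernel service called `name` and start it.
    This is what OSR Driver Loader's Register Service / Start Service buttons do.
    Needs an elevated prompt; sc requires the value to follow each 'key=' as a separate token."""
    sc("create", name, "type=", "kernel", "start=", "demand", "binPath=", sys_path)
    sc("start", name)
    return is_driver_running(sc("query", name))


def unload_driver(name):
    """Stop and delete the service. `sc stop` only succeeds if the driver set DriverUnload."""
    sc("stop", name)
    sc("delete", name)


if __name__ == "__main__":
    # usage: python load_driver.py hello C:\drivers\hello.sys   (both names are placeholders)
    name, path = sys.argv[1:3]
    print("driver running:", load_driver(name, path))
```

The parser is the useful part: sc query reports both TYPE and STATE, and is_driver_running() insists on KERNEL_DRIVER and RUNNING together, so a user-mode service that happens to share the name will not pass the check. If the driver has no DriverUnload routine, sc stop fails and the only way to get rid of it is a reboot or a snapshot restore, which is one more reason to take that snapshot first.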


We created this basic driver to check that our environment is working and that we can run a basic driver; this is a good step in any development environment, to make sure everything is functioning properly before you build anything real.


I will add screenshots from my tests so there is a visual reference and you can actually see it in action. I wrote this post on a separate box from my development/test environment.


In the next post we will cover remote debugging, so make sure you have two Windows boxes and have WinDbg installed.

Friday, May 17, 2013

Rootkits Part 2 - Windows kernel overview



Now I know I said I was going to write about how rootkits work for this post, but I figured it would be better to get an understanding of the Windows kernel first and then get right to it and write a simple rootkit.

Through writing the rootkit you will gain an understanding of how they work, which is better than just reading about it. But first things first: you need a basic understanding of the Windows kernel.


----------------------------------------------------------------------


I'm sure most of you have an idea of what the kernel is from previous posts, but just to reiterate: the kernel is the core of an OS, whether it be Windows, Linux, Mac OS X or even a mobile OS.

Windows Architecture:


In the above image we can see that there is the User Mode and then the Kernel Mode.

From Microsoft Technet:
A Pentium microprocessor has four privilege levels, also known as rings, that control such things as memory access and access to certain sensitive CPU instructions (such as those related to security). Every thread executes at one of these privilege levels. Ring 0 is the most privileged level, with complete access to all memory and CPU instructions. Ring 3 is the least privileged level.
In order to maintain compatibility with non-Intel systems, the Windows operating systems support only two levels of privilege--Ring 0 and Ring 3. When a thread is running in Ring 0, it is said to be in kernel mode. When a thread is running in Ring 3, it is said to be in user mode. Low-level operating system code executes in kernel mode, whereas, in general, user application code runs in user mode.
Note that an application thread will switch from user mode to kernel mode when making certain API function calls that require a higher privilege level, such as those that involve accessing files or performing graphics-related functions. In fact, some user threads can spend more time in kernel mode than in user mode!
However, when the kernel mode code is completed, the user thread is automatically switched back to user mode. This prevents the programmer from being able to write instructions that run in kernel mode--the programmer can call only system functions that run in kernel mode.


Some of the core services provided by the kernel are process management, memory management, the I/O manager, the cache manager, the scheduler, the security reference monitor, local procedure calls and others. So what exactly do these services do?

The process manager, as you might imagine, handles process and thread creation.

The memory manager deals with virtual address spaces, page faults, physical page frames and pagefile management.

The I/O manager handles Plug and Play and power management, maps user requests into IRPs (I/O request packets), implements services for drivers, and configures and manages I/O devices.

The cache manager provides file-based caching for buffered file system I/O and is built on top of the memory manager.

The scheduler decides which thread runs on each processor.

The security reference monitor handles token management and access checks.

Local Procedure Call (LPC, sometimes expanded as Lightweight Procedure Call; ALPC since Vista) is the fast message-passing mechanism between user-mode subsystems and the kernel, and the transport underneath native (local) RPC.



Kernel Organization:

The kernel is organized into roughly three main parts:

NTOS (kernel-mode services) - includes the runtime library, scheduling, service execution, object management, I/O services, memory and process management. There is more to it than that, but that is plenty for now.

Hardware Abstraction Layer (HAL) - insulates NTOS and drivers from hardware dependencies. It also provides device access, timers, interrupt servicing, clocks and spinlocks.

Drivers - kernel extensions, mainly for device access.


OK, that will be it for this post. I hope it gave you a decent understanding of the kernel and a little knowledge of its organization and some of its services. We will learn more about the kernel and what we can do with it as we progress and start building rootkits.

If you want to read up on the Windows kernel, just Google it or check out some of the links below.



Rootkits Part 1 - Types of rootkits



Alright, this should be a fairly short post to give you a basic understanding of the various types of rootkits.

If you haven't read the first part of the blog series, I would suggest you do so. It can be found here.



Lets begin --->

So rootkits come in a few different types, and each has its own set of things it can and cannot do.

Types of rootkits:

  • User mode rootkits
  • Kernel mode rootkits
  • Bootkits
  • Hypervisor rootkits
  • Firmware rootkits

User Mode:

User mode rootkits live at the application level, so they run with the same permissions as ordinary applications and have no direct access to the kernel. They hide by patching or hooking standard APIs inside other applications (overwriting import table entries or the first bytes of an API function, for example), which changes those applications' behaviour; because the kernel itself is untouched, a tool that queries the kernel directly can still see what they hide.

Kernel Mode:

Kernel mode rootkits run in ring 0 alongside the rest of the OS, so they can do basically whatever they want. They usually come as device drivers (Windows) or loadable kernel modules (*nix). Running at the same level as the OS lets them subvert its operations, which makes them harder to detect, but there is no safety net: a bug anywhere in the rootkit can crash the system or cause an issue that leads to its discovery.

Bootkits:

Bootkits are a variant of kernel mode rootkit that infect the boot process (the MBR, the volume boot record or the bootloader itself) so their code runs before the OS and its protections, such as driver signature enforcement, are up. The "Evil Maid" attack uses the same idea against full-disk encryption: a tampered bootloader captures the passphrase the user types at boot. Cybercriminals are also using boot-level code to lock users out of their systems and demand a ransom to get control back.

Hypervisor: 

These run at "ring -1": the rootkit installs itself as a thin hypervisor underneath the running OS, which becomes a guest without noticing, so it sits at a higher privilege level than even ring 0 (kernel mode) rootkits. "A hypervisor rootkit does not have to make any modifications to the kernel of the target to subvert it; however, that does not mean that it cannot be detected by the guest operating system. For example, timing differences may be detectable in CPU instructions." ~ Wikipedia

Firmware:

These rootkits live in the firmware of a chip or device rather than on disk. They are extremely hard to detect because firmware is not normally inspected for rootkits, they survive a reinstall of the OS, and yes, they have been seen in the wild. They can hide in a NIC, a hard drive controller, the system BIOS or wherever else there is writable firmware. UEFI, which replaced the BIOS, already has a proof-of-concept bootkit called DreamBoot.


So now you have an idea of the different types of rootkits that are out there; this is just to give you a quick understanding of them. We will mainly focus on user and kernel mode rootkits, and maybe venture into hypervisor rootkits, who knows.

Next up we will dig a little more into how rootkits work.

Feel free to leave feedback in comments or drop me a line on Twitter.


Thursday, May 16, 2013

Rootkits Part 0 - What, Why and Who


Rootkit Series Part 0


Sure, you have heard about rootkits before, and recently there have been a few advanced rootkits in the news, but do you know how they are used, why, or how they can be detected? For most people the answer is no, and if you are someone who is interested in writing rootkits or just wants to learn more about them, I hope you find this series interesting and informative.

Keep in mind this series is for educational purposes only and to promote infosec education through hands on learning, if you use this info in any illegal way I am not responsible for your actions.

Let's dig in and explain WTF a rootkit is, who uses them and some basic usage.


What is a rootkit?

The term "rootkit" has been around for a while (10+ years). You can think of a rootkit as basically a set of programs that allow an attacker to remain undetected on a system and keep root (administrator) access.

As our good friend Wikipedia puts it:
"A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer."

The thing is, rootkits for the most part are not actually malicious in themselves; the intent behind them may be, but the code itself isn't.

Rootkits are used by "good" and "bad" guys alike. Many companies have rootkit technology on their systems for monitoring, law enforcement uses them sometimes, and "rootkit" technology has many other legitimate uses beyond what you hear in the news or usually think of when you hear the word.



So now we have an idea of what a rootkit is, to an extent. Now you may be wondering why someone would use them and what some legitimate uses would be. I'll attempt to answer that now; if anything is unclear, use your good friend Google or drop me a line.

Why rootkits?

Rootkits are mainly used to maintain access to a system and remain undetected. You may be thinking, well, isn't that the point of a trojan and other malware (RATs, backdoors, etc.)? Yes and no. Rootkits are made specifically to hide the activity of your malware and to maintain a high level of access; as mentioned earlier, they can of course be tailored to your needs just like any other malware. Keep in mind that if you just want to get in, steal data and get out without a trace, a rootkit may not be the best option: most of the time you will leave the rootkit behind, and it may eventually be detected and lead back to you or your operation (unless you are able to wipe it).

Rootkits have, for the most part, two main functions: they can be used for remote command and control and/or for software eavesdropping. There are many other things you can do with rootkits, but these are the most common functions as of now.

Remote Control:

Think of this as having the ability to control the remote system: a command shell, sending commands, manipulating files and many other things we will go into later.

Software Eavesdropping:

This is basically what it sounds like: you can sniff network traffic, log keystrokes, gather passwords and crypto keys, and just watch what a user is doing. This is very useful for gathering intelligence for further exploitation of other systems on the network, and for a whole plethora of other things, good or bad.


WHO?

As we have mentioned, there are legitimate uses for rootkits. Law enforcement agencies may use them to "bug" a suspect's computer to gather evidence of CP, music and software piracy, computer trespass and other computer-related "crimes".

Nation states may use rootkits for military purposes. You can think of Stuxnet as hybrid malware: it carried a signed kernel-mode driver that hid its files, a rootkit component, to remain undetected on infected systems. Most of the major advanced attacks seen so far most likely used some sort of rootkit-like functionality to remain hidden in the target systems.


I'm sure you can think of the illegitimate uses of rootkits on your own, but I'll throw out some examples of how they have been used by nation states, cybercriminals and others.

The following is a list of "legit" and not so legit uses: (these all have some sort of rootkit like component and/or functionality)

  • GhostNet
  • Zeus
  • CIPAV (FBI)
  • Magic Lantern (FBI)
  • Aurora (china?)
  • Stuxnet
  • Flame
  • Red October
  • Avatar Rootkit
  • Spyeye (actually had a component to kill Zeus)


The list goes on and on.


As you can see, rootkits are used not just by cybercriminals but, as mentioned, by nation states for cyber espionage and other operations, military and civilian. There are even companies that legitimately sell rootkits as monitoring software.


So we now have an idea of what a rootkit is, who may be using it and some basic uses for a rootkit.

That's all for this post. I tried to keep it short and simple; we will go into more detail on uses and will eventually write a simple rootkit for our good friend Windows, and maybe *nix, in later posts. Feel free to give me feedback, and if I missed something or got some detail wrong let me know; as always, suggestions are encouraged.

Next post we will discuss the different types of rootkits.

[ANNOUNCEMENT] Rootkits

Greetz to u all

I will be writing a short multipart tutorial series about rootkits.


What I hope to cover:

+ What a rootkit is
+ Types of rootkits
+ How they are used by attackers
+ Building a simple rootkit (possibly going more advanced later on)
+ How to identify rootkits on a system
+ Some other stuff I haven't thought of yet


Suggestions are welcome; just drop a comment, email me or find me on Twitter.

Email: es07er1k@ring-zer0.com
Twitter: @Es07er1K


Should have the first post up soon.


es0

Monday, April 29, 2013

Metaspl0it Monday week 5 slides Now available.

We have posted the slides in PowerPoint and PDF format on ring-zer0.com; check them out. We will try to post all the slides from previous Metaspl0it Mondays ASAP.

Schedule and slides available here: slides & schedule

Blog has arrived!

Welcome to the ring-zero.com blog. We will be updating this with news, cool projects we're working on and other stuff we find interesting or relevant.