Showing posts with label Reverse Engineering. Show all posts

Wednesday, July 10, 2013

[Tutorial] Finding OEP and unpacking Malware packed with ASPACK 2.12

Just FYI, there won't be a whole lot of technical explanation in this post; it's just a quick tutorial.
First we identify that the exe is packed. Then we need to locate the OEP (original entry point).

This malware was packed with: ASPACK 2.12

Load it up in OllyDbg.

Now that the exe is loaded we need to look at the ECX register.

ECX holds 0012FFB0

We right-click it and choose Follow in Dump.

Now we have a hex dump in the lower left corner of Olly.

So we select the first four bytes and set a hardware, on-access breakpoint using Word.

In the screenshot we can see the breakpoint:

Yay we have a breakpoint!!!

Now we run the program and, when the breakpoint hits, step 3 times.

Now we should see the following in Olly:

This is the OEP!!!

Now we use a sweet little plugin called Analyze This, available here:
http://www.openrce.org/downloads/details/174/Analyze_This
This plugin makes Olly re-analyze the code so that it is displayed normally! This is great for us.

Let's run it:

This is our result! That's nice. (We really didn't need to do this, but it's fun.)

Now we need to dump the process from memory to get the unpacked executable.

So we right-click and select Dump debugged process; now we get the above menu.

Here we want to uncheck Rebuild Import. Why?

Because Olly tends to get this wrong; we will use Import REConstructor, AKA ImpREC, instead.
Download it here: http://www.woodmann.com/collaborative/tools/index.php/ImpREC

We will also want to copy the value in the Modify box. In this case it is 16A0.

Now you will dump the executable and save it.

The next step is to rebuild the Import Table.

Fire up ImpREC.

This is where the Modify value we copied earlier will come in.

You will be presented with the following:

We will attach it to the process that Olly created.

It will do its thing....

Now we will enter the value we copied.

Enter it in the OEP box like so:

And then we click Auto Search.

And you will be presented with the following:

Click OK, then Get Imports.

It appears everything worked!! Now we can check it by clicking Show Invalid.

Right-click and select Cut Thunks.

Then we hit Fix Dump and save our newly fixed exe.

Select the exe you saved from OllyDump and open it.

Congrats, you have unpacked the malware!!!
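As an added example (not code from the original post), here is a small Python triage script covering the two parts of the procedure above that do not need a GUI: confirming from the section table and per-section entropy that a PE looks ASPack-packed, and converting the OEP virtual address seen in OllyDbg into the RVA that OllyDump shows in the Modify box and ImpREC expects in its OEP box. The PE image it parses is constructed inline, so it runs offline; the image base 0x400000, the section names and the 0x16A0 entry offset are assumptions chosen to mirror the post. Pass the bytes of a real file to parse_pe to use it for triage.

```python
import math
import struct
from collections import Counter

# Section names the ASPack stub adds (well-known markers; also used by the constructed sample)
ASPACK_SECTION_NAMES = {b".aspack", b".adata"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed/packed code sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Read image base, entry point RVA and the section table from a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", image, opt)
    entry_rva, = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint
    if magic == 0x10B:                                         # PE32
        image_base, = struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:                                       # PE32+
        image_base, = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\x00"), "va": va, "vsize": vsize,
                         "raw_size": rawsize, "entropy": round(entropy(raw), 2), "chars": chars})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    """Return the section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def aspack_indicators(pe: dict) -> list:
    """Human-readable reasons to suspect an ASPack-style packer; empty means none found."""
    hits = []
    names = {s["name"] for s in pe["sections"]}
    for n in sorted(ASPACK_SECTION_NAMES & names):
        hits.append("section %s present" % n.decode())
    ep = section_for_rva(pe, pe["entry_rva"])
    if ep is None:
        hits.append("entry point 0x%x lies outside every section" % pe["entry_rva"])
    elif ep is not pe["sections"][0]:
        hits.append("entry point in %s, not the first (code) section" % ep["name"].decode())
    for s in pe["sections"]:
        if s["entropy"] > 7.0:
            hits.append("high entropy (%.2f) in %s" % (s["entropy"], s["name"].decode()))
    return hits


def oep_rva(pe: dict, oep_va: int) -> int:
    """Turn the OEP address seen in the debugger into the RVA that OllyDump shows as
    'Modify' and ImpREC expects in its OEP box: VA - ImageBase, which must land in a section."""
    rva = oep_va - pe["image_base"]
    if section_for_rva(pe, rva) is None:
        raise ValueError("0x%x is not inside the loaded image" % oep_va)
    return rva


def build_sample_pe() -> bytes:
    """Constructed PE32 with an ASPack-like layout (sample data, not a real binary):
    packed .text (entropy 8.0), .data, the .aspack stub holding the entry point, empty .adata."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    secs = [(b".text", 0x1000, 0x400, 0x200, 0x60000020, bytes(range(256)) * 4),
            (b".data", 0x2000, 0x200, 0x600, 0xC0000040, b"\x00" * 0x200),
            (b".aspack", 0x3000, 0x200, 0x800, 0xE0000020, b"\x60" + b"\x90" * 0x1FF),
            (b".adata", 0x4000, 0, 0, 0xC0000040, b"")]
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3001)                    # entry point inside .aspack (assumption)
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase (assumption)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # SectionAlignment, FileAlignment
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, 0x1000, va, rawsize, rawptr, 0, 0, 0, 0, chars)
                     for name, va, rawsize, rawptr, chars, _ in secs)
    image = bytearray(dos + b"PE\x00\x00" + coff + opt + table)
    image += b"\x00" * (0x200 - len(image))                    # pad headers to the first raw section
    for sec in secs:
        image += sec[5]
    return bytes(image)
```

On real samples the section names are the weakest signal, since a packer's sections can be renamed, so the entry-point-location and entropy checks are kept independent of the name check. Note that the RVA conversion is exactly what the tutorial does by hand: the 16A0 copied from OllyDump is the OEP minus the image base, and ImpREC needs it in that form.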

Friday, June 7, 2013

[Reverse Engineering] Android - Backdoor.AndroidOS.Obad.a

Reversing Backdoor.AndroidOS.Obad.a

So we're going a little off track on this one; we will take a look at the NEW Android Trojan called "Backdoor.AndroidOS.Obad.a".

Kaspersky Article on Backdoor.AndroidOS.Obad.a: http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan


The tools we will attempt to use:
  1. apktool
  2. dex2jar
  3. jd-gui

MD5:
E1064BFD836E4C895B569B2DE4700284

Let's start reversing it, shall we?

To start we will extract the files from the .apk file with apktool:

Let's look at that directory now.

$ tree
.
├── AndroidManifest.xml
├── apktool.yml
├── res
│   ├── drawable
│   │   └── lcolooo.png
│   ├── layout
│   │   └── occcclc.xml
│   ├── values
│   │   ├── public.xml
│   │   └── strings.xml
│   └── xml
│       └── ccclocc.xml
└── smali
    └── com
        └── android
            ├── internal
            │   └── telephony
            │       ├── IExtendedNetworkService$oCIlCll.smali
            │       └── IExtendedNetworkService.smali
            └── system
                └── admin
                    ├── CClIOcc.smali
                    ├── cCloIOCC.smali
                    ├── CcOCoIcO.smali
                    ├── cCOIcIlo.smali
                    ├── cCoIOIOo.smali
                    ├── CCOIoll.smali
                    ├── CIcIoICo.smali
                    ├── CICoICCo.smali
                    ├── cIcoIIl.smali
                    ├── CIlOCClc.smali
                    ├── cIoCcIo.smali
                    ├── COcCccl.smali
                    ├── CoccOIo$oCIlCll.smali
                    ├── CoccOIo.smali
                    ├── COOlOIl.smali
                    ├── cOoOCCo.smali
                    ├── CoooOIIO.smali
                    ├── CoOOoOo.smali
                    ├── IcCcCOIC.smali
                    ├── ICcIIlo.smali
                    ├── ICclCcoC.smali
                    ├── IccOlCc.smali
                    ├── ICICcOCo.smali
                    ├── IcIOoOC.smali
                    ├── ICOColc.smali
                    ├── ICOIoCl.smali
                    ├── IlIIlCI.smali
                    ├── IololoI.smali
                    ├── IOOICOcI.smali
                    ├── lcclOlO.smali
                    ├── lCICoIO.smali
                    ├── lclOOCl.smali
                    ├── lIcoclC.smali
                    ├── lOCIOICC.smali
                    ├── lOClOOI.smali
                    ├── loOcccoC.smali
                    ├── loooIlo.smali
                    ├── MainService.smali
                    ├── OCICooCI.smali
                    ├── OcIcoOlc.smali
                    ├── oCIlCll$CIcIoICo.smali
                    ├── oCIlCll$oCIlCll.smali
                    ├── oCIlCll$oIlclcIc.smali
                    ├── oCIlCll.smali
                    ├── OCllCoO.smali
                    ├── OcOCclc.smali
                    ├── OCOcCOll.smali
                    ├── oICClCI.smali
                    ├── oIlclcIc.smali
                    ├── oIOccOcl.smali
                    ├── oIOocIlo.smali
                    ├── OlCCcIl.smali
                    ├── olcCIIC.smali
                    ├── ollIIIc.smali
                    └── OOIlIcCc.smali

12 directories, 64 files

OK, so now we can see some of the resources and we have the .smali files.
We can use the xml and yml files to gather some basic info about the app.
Some of you are probably wondering what smali files are.... I'll explain.

The smali files are the disassembly of the app's bytecode (Dalvik bytecode, the Android counterpart of JVM bytecode). In the grand scheme of things these smali files give us a really accurate picture of what the code does. You just have to be able to read them, which can be time consuming.

For the sake of this tutorial we will not go into that now; we will attempt to get the Java source code, or do the best we can, and look at the smali files in another post.

To attempt to get the Java source we will run dex2jar on the apk file:

In the above screenshot we can see that there are some errors. This is because the authors of the malware found a bug in dex2jar and used it to prevent the conversion of Dalvik bytecode into Java bytecode. dex2jar is a popular tool that converts the bytecode into a jar file, which we can then open in jd-gui to read the Java output.
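Reading the traces below, nearly every failure is a NullPointerException raised inside ClassWriter.visitOuterClass, i.e. while dex2jar is emitting a class's outer-class metadata, which points at the class metadata rather than the method bodies as what trips the tool. Before patching or swapping converters, it is worth confirming that the DEX container itself is internally consistent, so that a corrupt or truncated file is not mistaken for anti-analysis. The script below is an added example, not part of the original post and not dex2jar's code: it pulls classes.dex out of an APK, verifies the header magic, Adler-32 checksum and SHA-1 signature, bounds-checks every table, and resolves class descriptors from class_defs. The APK and DEX it runs on are constructed inline with made-up class names, so it runs offline; call check_dex on the bytes of a real classes.dex to use it.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# dex format header (version 035): 0x70 bytes, little-endian.
HEADER_FMT = "<8sI20s" + "I" * 20
HEADER_FIELDS = (
    "magic", "checksum", "signature", "file_size", "header_size", "endian_tag",
    "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off")
# item width in bytes of each id/def table, for the bounds check
TABLE_WIDTHS = (("string_ids", 4), ("type_ids", 4), ("proto_ids", 12),
                ("field_ids", 8), ("method_ids", 8), ("class_defs", 32))


def check_dex(dex: bytes) -> dict:
    """Parse the DEX header and return its fields plus a 'problems' list (empty = consistent)."""
    if len(dex) < 0x70:
        return {"problems": ["file shorter than a DEX header"]}
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, dex, 0)))
    problems = []
    if hdr["magic"][:4] != b"dex\n" or hdr["magic"][7:] != b"\x00":
        problems.append("bad magic %r" % hdr["magic"])
    if hdr["header_size"] != 0x70:
        problems.append("unexpected header_size 0x%x" % hdr["header_size"])
    if hdr["endian_tag"] != 0x12345678:
        problems.append("unexpected endian_tag 0x%x" % hdr["endian_tag"])
    if hdr["file_size"] != len(dex):
        problems.append("file_size %d != actual %d" % (hdr["file_size"], len(dex)))
    # checksum covers everything after magic+checksum; signature everything after itself
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != hdr["checksum"]:
        problems.append("checksum mismatch")
    if hashlib.sha1(dex[32:]).digest() != hdr["signature"]:
        problems.append("signature mismatch")
    for name, width in TABLE_WIDTHS:
        size, off = hdr[name + "_size"], hdr[name + "_off"]
        if size and off + size * width > len(dex):
            problems.append("%s table runs past end of file" % name)
    if hdr["map_off"] + 4 > len(dex):
        problems.append("map_off past end of file")
    hdr["problems"] = problems
    return hdr


def read_uleb128(buf: bytes, pos: int):
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def string_at(dex: bytes, hdr: dict, idx: int) -> str:
    """string_ids[idx] -> string_data_item: uleb128 utf16 length, MUTF-8 bytes, NUL."""
    off, = struct.unpack_from("<I", dex, hdr["string_ids_off"] + 4 * idx)
    _, pos = read_uleb128(dex, off)
    return dex[pos:dex.index(b"\x00", pos)].decode("utf-8")


def class_names(dex: bytes, hdr: dict) -> list:
    """Resolve each class_def's descriptor via type_ids -> string_ids -> string_data."""
    names = []
    for i in range(hdr["class_defs_size"]):
        class_idx, = struct.unpack_from("<I", dex, hdr["class_defs_off"] + 32 * i)
        desc_idx, = struct.unpack_from("<I", dex, hdr["type_ids_off"] + 4 * class_idx)
        names.append(string_at(dex, hdr, desc_idx))
    return names


def build_sample_dex(descriptors) -> bytes:
    """Constructed minimal DEX (sample data, not a real app): string_ids, type_ids, class_defs
    and a map_list only, no code; the real format's sort-order rules are not enforced."""
    strings = list(descriptors) + ["Ljava/lang/Object;"]
    n, ncls = len(strings), len(descriptors)
    string_ids_off = 0x70
    type_ids_off = string_ids_off + 4 * n
    class_defs_off = type_ids_off + 4 * n
    data_off = class_defs_off + 32 * ncls
    data, str_offs = bytearray(), []
    for s in strings:                               # all strings are short ASCII here
        str_offs.append(data_off + len(data))
        data += bytes([len(s)]) + s.encode("ascii") + b"\x00"
    data += b"\x00" * (-len(data) % 4)              # map_list must be 4-byte aligned
    map_off = data_off + len(data)
    map_items = [(0x0000, 1, 0), (0x0001, n, string_ids_off), (0x0002, n, type_ids_off),
                 (0x0006, ncls, class_defs_off), (0x2002, n, str_offs[0]), (0x1000, 1, map_off)]
    data += struct.pack("<I", len(map_items))
    for typ, size, off in map_items:
        data += struct.pack("<HHII", typ, 0, size, off)
    body = b"".join(struct.pack("<I", o) for o in str_offs)           # string_ids
    body += b"".join(struct.pack("<I", i) for i in range(n))           # type_ids -> descriptor idx
    for i in range(ncls):  # class_idx, flags, superclass, interfaces_off, source_file, annotations_off, class_data_off, static_values_off
        body += struct.pack("<8I", i, 1, n - 1, 0, 0xFFFFFFFF, 0, 0, 0)
    body += bytes(data)
    rest = struct.pack("<20I", 0x70 + len(body), 0x70, 0x12345678, 0, 0, map_off,
                       n, string_ids_off, n, type_ids_off, 0, 0, 0, 0, 0, 0,
                       ncls, class_defs_off, len(data), data_off) + body
    signature = hashlib.sha1(rest).digest()
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + rest


def build_sample_apk(dex: bytes) -> bytes:
    """Constructed APK: a zip holding classes.dex and a placeholder manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<!-- constructed placeholder, not binary XML -->")
        z.writestr("classes.dex", dex)
    return buf.getvalue()


def extract_dex(apk: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.read("classes.dex")
```

If check_dex reports no problems on a real sample yet the converter still dies on specific classes, the file is well-formed at the container level and the trouble lies in per-class metadata, which is the situation the traces here suggest; a DEX that fails the checksum or signature, by contrast, was corrupted in transit or deliberately edited, and either way the tool's complaint is not evidence of anti-analysis by itself.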

The full output of the failed conversion is shown below:
$ ./dex2jar.sh ~/Documents/malware/AndroidOBada/E1064BFD836E4C895B569B2DE4700284
1 [main] INFO com.googlecode.dex2jar.v3.Main - version:0.0.7.11-SNAPSHOT
7 [main] INFO com.googlecode.dex2jar.v3.Main - dex2jar /home/android/Documents/malware/AndroidOBada/E1064BFD836E4C895B569B2DE4700284 -> E1064BFD836E4C895B569B2DE4700284_dex2jar.jar
295 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[5],name:[Lcom/android/system/admin/CIcIoICo;]
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[6],name:[Lcom/android/system/admin/IcCcCOIC;]
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[11],name:[Lcom/android/system/admin/ollIIIc;]
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[12],name:[Lcom/android/system/admin/CClIOcc;]
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[14],name:[Lcom/android/system/admin/OOIlIcCc;]
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[15],name:[Lcom/android/system/admin/cIoCcIo;]
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[16],name:[Lcom/android/system/admin/oIOccOcl;]
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[18],name:[Lcom/android/system/admin/lCICoIO;]
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[19],name:[Lcom/android/system/admin/olcCIIC;]
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[22],name:[Lcom/android/system/admin/OlCCcIl;]
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[23],name:[Lcom/android/system/admin/cCOIcIlo;]
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[24],name:[Lcom/android/system/admin/CIlOCClc;]
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[29],name:[Lcom/android/system/admin/lOClOOI;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lOClOOI;.oCIlCll(Ljava/io/File;)Ljava/lang/String;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 1
    at java.util.Vector.get(Vector.java:694)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.merge(TypeDetectTransformer.java:890)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.transform(TypeDetectTransformer.java:199)
    at com.googlecode.dex2jar.v3.V3MethodAdapter.visitEnd(V3MethodAdapter.java:168)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:547)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[30],name:[Lcom/android/system/admin/lOCIOICC;]
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[33],name:[Lcom/android/system/admin/lclOOCl;]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lclOOCl;.oCIlCll(Ljava/lang/String;Ljava/io/File;)Z]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 0
    at java.util.Vector.get(Vector.java:694)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.merge(TypeDetectTransformer.java:890)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.transform(TypeDetectTransformer.java:238)
    at com.googlecode.dex2jar.v3.V3MethodAdapter.visitEnd(V3MethodAdapter.java:168)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:547)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[35],name:[Lcom/android/system/admin/ICOIoCl;]
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[36],name:[Lcom/android/system/admin/CoOOoOo;]
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/CoOOoOo;.<init>()V]
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitMethod(V3ClassAdapter.java:210)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:493)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[39],name:[Lcom/android/system/admin/CoooOIIO;]
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[42],name:[Lcom/android/system/admin/ICICcOCo;]
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[46],name:[Lcom/android/system/admin/IccOlCc;]
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[49],name:[Lcom/android/system/admin/oIOocIlo;]
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[51],name:[Lcom/android/system/admin/cCloIOCC;]
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[52],name:[Lcom/android/system/admin/IololoI;]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/IololoI;.<init>()V]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitMethod(V3ClassAdapter.java:210)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:493)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
3059 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
3059 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[56],name:[Lcom/android/system/admin/loooIlo;]
3060 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
3068 [main] INFO com.googlecode.dex2jar.v3.Main - Done.

Let's take a look at the jar file that was created.

We open it in jd-gui to see the "source" code:
Above we can see the files decompiled to Java; however, notice that there is an error in the Java code itself. Following the error is the raw bytecode. This is what the malware authors wanted: to make it harder for us to analyze their code.

Almost every file has an error in the conversion.
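With dozens of near-identical stack traces in the dex2jar output above, the useful triage question is whether the failures share one root cause. The following is an added example (not the blog's or dex2jar's own code) that parses log lines in the format shown above and groups the failed classes by exception type and the ASM visitor frame that threw; the sample log is a constructed excerpt that copies the shape of the output on this page.

```python
import re
from collections import Counter

# Constructed sample: a trimmed excerpt in the shape of the dex2jar log above.
SAMPLE_LOG = """\
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[39],name:[Lcom/android/system/admin/CoooOIIO;]
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[52],name:[Lcom/android/system/admin/IololoI;]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/IololoI;.<init>()V]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitMethod(V3ClassAdapter.java:210)
3068 [main] INFO com.googlecode.dex2jar.v3.Main - Done.
"""

CLASS_RE = re.compile(r"while accept class id:\[(\d+)\],name:\[([^\]]+)\]")
METHOD_RE = re.compile(r"while accept method:\[([^\]]+)\]")
FRAME_RE = re.compile(r"^\s+at (\S+)\(")

def parse_failures(log_text):
    """One dict per failed class: id, name, method (or None), exception, ASM frame."""
    failures, cur = [], None
    for line in log_text.splitlines():
        m = CLASS_RE.search(line)
        if m:  # a new "while accept class" record starts here
            cur = {"id": int(m.group(1)), "name": m.group(2), "method": None,
                   "exception": None, "asm_frame": None}
            failures.append(cur)
            continue
        if cur is None:  # lines before the first failure record
            continue
        m = METHOD_RE.search(line)
        if m:
            cur["method"] = m.group(1)
        elif line.startswith("java.") and cur["exception"] is None:
            cur["exception"] = line.strip()  # first line of the stack trace
        else:
            m = FRAME_RE.match(line)
            # keep the first ASM ClassWriter frame: the visitor that actually threw
            if m and cur["asm_frame"] is None and ".ClassWriter." in m.group(1):
                cur["asm_frame"] = m.group(1).rsplit(".", 1)[1]
    return failures

def summarize(failures):
    """Count failures per (exception, ASM frame) so a shared root cause stands out."""
    return Counter((f["exception"], f["asm_frame"]) for f in failures)
```

Run against the full log, every record collapses into a single bucket, which tells you the conversion errors are one systematic problem with the class metadata rather than a separate bug per obfuscated class.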
Some more screenshots of other files:




That is all for this post. In the next post we will dig deeper, use some other analysis and reversing techniques, and see what we can find.

Who knows, maybe we will be able to find the Android exploit the Kaspersky article mentions; that would be fun.