Breaking Eggs And Making Omelettes

Topics On Multimedia Technology and Reverse Engineering



Success On The Java De-obfuscation Front

April 24th, 2005 by Multimedia Mike

So I finally managed to recompile the Retroguard project. Then I created my own class to help in de-obfuscating obfuscated Java source code. The first part of this exercise is to de-obfuscate fields, i.e. nouns. For my list of nouns, I used this impressive list of animal names (2400+).

Whereas an identifier used to be obfuscated as:

        U = new short[6][64];

it is de-obfuscated using a random animal name and declared as:

        australianKestrel = new short[6][64];

Since the field is quite clearly storage space for a YUV4:2:0 macroblock of DCT coefficients (if you are not familiar with video coding concepts, just trust me on this one), let’s look at some of the places where the australianKestrel[] array is used. This fragment clears the whole block:

        for(int k1 = 0; k1 < 6; k1++)
        {
            for(int l1 = 0; l1 < 64; l1++)
                australianKestrel[k1][l1] = 0;
        }

This fragment looks like the dequantization function:

        short aword0[] = australianKestrel[i1];
        for(int j1 = 0; j1 < 64; j1++)
            kingsnake[eastAfricanCrownedCrane[j1]] = aword0[j1] * conch[j1];

Looks like conch[] is the dequantizer array while eastAfricanCrownedCrane[] would be the de-zigzag array. Who knew that reverse engineering could be such silly fun?

This is the work of the new NounNameMaker Java class. The next part is to construct the VerbNameMaker Java class for the method names. Hopefully, this will unravel the insane operator overloading that Retroguard is capable of performing (like 27 unique forms of the method a()).
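The noun-renaming idea described above can be sketched as follows. This is an added example, not the post's NounNameMaker and not RetroGuard's own API: the class `AnimalFieldRenamer`, its methods, the owner class `a`, and every field name other than `U` are hypothetical, and the animal list is a constructed sample.

```java
import java.util.*;
import javax.lang.model.SourceVersion;

// Added illustration: a hypothetical stand-alone renamer, not the post's NounNameMaker.
public class AnimalFieldRenamer {
    private final List<String> pool = new ArrayList<>();
    private final Map<String, String> assigned = new HashMap<>();
    private int next = 0;

    public AnimalFieldRenamer(Collection<String> animalNames, long seed) {
        Set<String> unique = new LinkedHashSet<>();
        for (String name : animalNames) {
            String id = toCamelCase(name);
            // isName() rejects empty strings and Java keywords such as "do"
            if (SourceVersion.isName(id)) unique.add(id);
        }
        pool.addAll(unique);
        if (pool.isEmpty()) throw new IllegalArgumentException("no usable names");
        Collections.shuffle(pool, new Random(seed)); // fixed seed => repeatable output
    }

    // "East African crowned crane" -> "eastAfricanCrownedCrane"; non-letters are separators
    static String toCamelCase(String name) {
        StringBuilder sb = new StringBuilder();
        for (String word : name.split("[^A-Za-z]+")) {
            if (word.isEmpty()) continue;
            char first = word.charAt(0);
            sb.append(sb.length() == 0 ? Character.toLowerCase(first) : Character.toUpperCase(first));
            sb.append(word.substring(1));
        }
        return sb.toString();
    }

    // The same (class, field) pair always gets the same name; distinct pairs never share one.
    public String rename(String owner, String obfuscated) {
        return assigned.computeIfAbsent(owner + "." + obfuscated, key -> {
            String base = pool.get(next % pool.size());
            int round = next++ / pool.size();
            return round == 0 ? base : base + round; // pool exhausted: add a numeric suffix
        });
    }

    public static void main(String[] args) {
        // Constructed sample list; the post used a list of 2400+ animal names.
        List<String> animals = List.of("Australian kestrel", "East African crowned crane",
                                       "kingsnake", "conch", "do");
        AnimalFieldRenamer r = new AnimalFieldRenamer(animals, 2005L);
        // "U" is the field from the post; class "a" and the other field names are made up.
        for (String f : new String[] {"U", "V", "a", "b", "c", "U"})
            System.out.println("a." + f + " -> " + r.rename("a", f));
    }
}
```

Keying the map on the owning class plus the field name keeps every reference to one field on one animal, which is what makes it possible to follow an array like `australianKestrel[]` from fragment to fragment.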
