{"id":151,"date":"2013-06-10T09:52:38","date_gmt":"2013-06-10T17:52:38","guid":{"rendered":"http:\/\/www.android-decompiler.com\/blog\/?p=151"},"modified":"2021-09-10T14:27:20","modified_gmt":"2021-09-10T22:27:20","slug":"android-obad-decompiled-sources","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/android-obad-decompiled-sources\/","title":{"rendered":"Android OBad decompiled sources"},"content":{"rendered":"

This threat was initially reported by Kaspersky<\/a>\u00a0and seems to have gathered\u00a0quite some amount of attention lately.<\/p>\n

I’m attaching the sources decompiled by JEB 1.2 to this post, for analysts who’d like to take a look at it. One particularity of OBad: it’s been protected by a well-known commercial obfuscator (which was briefly mentioned here<\/a> and there<\/a>). This protector employs generalized string encryption and calls methods through reflection, which makes raw source code a bit difficult to read – the sources have not been refactored and marked-up, the usefulness of it all is very limited: you be warned.<\/p>\n

Archive:\u00a0obad_decomp.zip<\/a><\/p>\n

Sample MD5:\u00a0f7be25e4f19a3a82d2e206de8ac979c8<\/p>\n

Edit (June 11)<\/strong><\/p>\n

Jurriaan Bremer<\/a> was kind enough to provide oboy.dex<\/a>, a version of OBad with encrypted strings replaced by their decoded versions. JEB handles the file okay, despite the multiple string duplicates (which is one of the reasons why it could not be loaded on a phone.) I’ve attached the decompiled sources for his version below. (I also disabled the try-catch support for improved clarity.)<\/p>\n

Archive:\u00a0oboy_decompiled.zip<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

This threat was initially reported by Kaspersky\u00a0and seems to have gathered\u00a0quite some amount of attention lately. I’m attaching the sources decompiled by JEB 1.2 to this post, for analysts who’d like to take a look at it. One particularity of OBad: it’s been protected by a well-known commercial obfuscator (which was briefly mentioned here and … Continue reading Android OBad decompiled sources<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,3,2],"tags":[],"class_list":["post-151","post","type-post","status-publish","format-standard","hentry","category-android","category-decompilation","category-malware"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=151"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/151\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}