{"id":4112,"date":"2021-03-09T15:39:10","date_gmt":"2021-03-09T23:39:10","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=4112"},"modified":"2021-03-10T22:05:46","modified_gmt":"2021-03-11T06:05:46","slug":"jeb-gendec-ir-emulation-for-auto-decryption-of-data-items","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/jeb-gendec-ir-emulation-for-auto-decryption-of-data-items\/","title":{"rendered":"JEB&#8217;s GENDEC IR Emulation for Auto-Decryption of Data Items"},"content":{"rendered":"\n<p>Under some circumstances, JEB&#8217;s generic decompiler is able to detect inline decryptors, and subsequently attempt to emulate the underlying IR to generate plaintext data items, both in the disassembly view and, most importantly, decompiled views.<sup class='footnote'><a href='#fn-4112-1' id='fnref-4112-1' onclick='return fdfootnote_show(4112)'>1<\/a><\/sup><\/p>\n\n\n\n<p>This feature is available starting with <a href=\"https:\/\/www.pnfsoftware.com\">JEB 4.0.3-beta<\/a>. 
It makes use of the <a href=\"https:\/\/www.pnfsoftware.com\/jeb\/apidoc\/reference\/com\/pnfsoftware\/jeb\/core\/units\/code\/asm\/decompiler\/ir\/emulator\/IREmulator.html\">IREmulator<\/a> object, available in the public API for scripting and plugins.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/jeb\/assets\/jeb-gendec-ir-emu-auto-string-decryption.gif\"><img decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/jeb\/assets\/jeb-gendec-ir-emu-auto-string-decryption.gif\" alt=\"\" class=\"wp-image-4133\"\/><\/a><figcaption>&#8211;<\/figcaption><\/figure>\n\n\n\n<p>Here&#8217;s an example of a protected elf file<sup class='footnote'><a href='#fn-4112-2' id='fnref-4112-2' onclick='return fdfootnote_show(4112)'>2<\/a><\/sup> (aarch64) that was encountered a few months ago:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"595\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-1024x595.png\" alt=\"\" class=\"wp-image-4113\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-1024x595.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-300x174.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-768x446.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-1536x893.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-2048x1190.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption>Disassembly of the target routine<\/figcaption><\/figure>\n\n\n\n<p>GENDEC&#8217;s unsafe optimizers are enabled by default. 
Let&#8217;s disable them before performing a first decompilation, in order to see what the inline decryptor looks like.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"488\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-1-1024x488.png\" alt=\"\" class=\"wp-image-4114\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-1-1024x488.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-1-300x143.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-1-768x366.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-1-1536x732.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-1.png 1839w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption>To bring up the decompilation options on-demand, use CTRL+TAB (or Command+TAB), or alternatively, menu Action, command Decompile with Options<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"480\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-3-1024x480.png\" alt=\"\" class=\"wp-image-4116\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-3-1024x480.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-3-300x141.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-3-768x360.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-3-1536x720.png 1536w, 
https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-3-2048x959.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption>Decompilation #1: unsafe optimizers disabled<\/figcaption><\/figure>\n\n\n\n<p>That decryptor&#8217;s control flow is obfuscated (flattened, controlled by the state variable v5). It is called once, depending on the boolean value at 0x2F227. Here, the decrypted contents are used by <em>system_property_get<\/em>.<\/p>\n\n\n\n<p>Below, the contents in virtual memory, pre-decryption:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-6.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"126\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-6-1024x126.png\" alt=\"\" class=\"wp-image-4119\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-6-1024x126.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-6-300x37.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-6-768x95.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-6.png 1273w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption>Encrypted contents.<\/figcaption><\/figure>\n\n\n\n<p>Let&#8217;s perform another decompilation of the same routine, <strong>with the unsafe optimizers enabled this time<\/strong>. 
GENDEC now will:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>detect something that potentially could be decryption code<\/li><li>emulate the underlying IR of that portion of code (the IR is not visible here, but you can easily read\/write the <a href=\"https:\/\/www.pnfsoftware.com\/jeb\/apidoc\/reference\/com\/pnfsoftware\/jeb\/core\/units\/code\/asm\/decompiler\/ir\/IEGeneric.html\">Intermediate Representation<\/a> via the API)<\/li><li>collect and apply the results<\/li><\/ul>\n\n\n\n<p>See the decrypted contents below. (A data item existed beforehand at 0x2F137, and the decompiler chose not to erase it.) The decompiled code on the right panel no longer shows the decryption loop: an optimizer has discarded it since it can no longer be executed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-4.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"210\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-4-1024x210.png\" alt=\"\" class=\"wp-image-4117\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-4-1024x210.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-4-300x62.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-4-768x158.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-4-1536x315.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-4-2048x421.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption>Decompilation #2: unsafe optimizers enabled<\/figcaption><\/figure>\n\n\n\n<p>We may convert the data item (or bytes) to a string by pressing the A key (menu <em>Native<\/em>, command <em>Create String<\/em>). 
The decompiled code will pick it up and refresh the AST as well.<\/p>\n\n\n\n<p>The final result looks like:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-5.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"283\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-5-1024x283.png\" alt=\"\" class=\"wp-image-4118\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-5-1024x283.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-5-300x83.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-5-768x213.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-5-1536x425.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/03\/image-5-2048x567.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption>The VM and decompiled view show the decrypted code, &#8220;ro.build.version.sdk&#8221;<\/figcaption><\/figure>\n\n\n\n<p>A few additional comments:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>This optimizer is considered <strong>unsafe<\/strong><sup class='footnote'><a href='#fn-4112-3' id='fnref-4112-3' onclick='return fdfootnote_show(4112)'>3<\/a><\/sup><strong> <\/strong>because it is allowed to modify the VM of the underlying native code unit, as seen above. <\/li><li>The optimizer is <strong>generic <\/strong>(architecture-agnostic). It performs its work on the underlying IR mid-stage in the decompilation pipeline, when various optimizations are applied.<\/li><li>It makes use of <strong>public API<\/strong> methods only, mostly the IREmulator class. Advanced users can write similar optimizers if they choose to. 
(We will also publish the code of this optimizer on GitHub shortly, as it will serve as a good real-life example of how to use the IR emulator to write powerful optimizers. It&#8217;s slightly more than 100 lines of Java.)<\/li><\/ul>\n\n\n\n<p>We hope you enjoy using <a href=\"https:\/\/www.pnfsoftware.com\/blog\/whats-new-in-jeb4\/\">JEB 4 Beta<\/a>. There is a license type for everyone, so feel free to try things out. Do not hesitate to reach out to us on <a href=\"https:\/\/twitter.com\/jebdec\">Twitter<\/a>, <a href=\"https:\/\/www.pnfsoftware.com\/chat\">Slack<\/a>, or privately over <a href=\"mailto:support@pnfsoftware.com\">email<\/a>! Thanks, and until next time \ud83d\ude42<\/p>\n\n\n<div class='footnotes' id='footnotes-4112'><div class='footnotedivider'><\/div><ol><li id='fn-4112-1'> Users familiar with JEB&#8217;s Dex decompilers will remember that a similar feature was introduced to JEB 3 in 2020, for Android Dalvik code. <span class='footnotereverse'><a href='#fnref-4112-1'>&#8617;<\/a><\/span><\/li><li id='fn-4112-2'> sha256 43816c47315aab27e50e6f895774a7b86d591807179e1d3262446ab7d68a56ef also available as lib\/arm64-v8a\/libd.so in 309d848275aa128ebb7e27e570e5a2876977122625638630a6c61f7434b771c3 <span class='footnotereverse'><a href='#fnref-4112-2'>&#8617;<\/a><\/span><\/li><li id='fn-4112-3'> &#8220;unsafe&#8221; in the context of decompilation; unsafe here is <strong>not<\/strong> to be understood as, &#8220;could any code be executed on the machine&#8221;, etc. <span class='footnotereverse'><a href='#fnref-4112-3'>&#8617;<\/a><\/span><\/li><\/ol><\/div>","protected":false},"excerpt":{"rendered":"<p>Under some circumstances, JEB&#8217;s generic decompiler is able to detect inline decryptors, and subsequently attempt to emulate the underlying IR to generate plaintext data items, both in the disassembly view and, most importantly, decompiled views.1 This feature is available starting with JEB 4.0.3-beta. 
It makes use of the IREmulator object, available in the public API &hellip; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/jeb-gendec-ir-emulation-for-auto-decryption-of-data-items\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">JEB&#8217;s GENDEC IR Emulation for Auto-Decryption of Data Items<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,22,13,5],"tags":[],"class_list":["post-4112","post","type-post","status-publish","format-standard","hentry","category-decompilation","category-jeb4","category-native-code","category-obfuscation"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/4112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=4112"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/4112\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=4112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=4112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=4112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}