The decryption routine usually takes 3 arguments, although in some simpler cases, it may only take two arguments. The arguments may also be shuffled. (Note: from a Dalvik standpoint, that routine is oddly structured. Although JEB’s decompiled output is structurally fine, a for-loop construct cannot be created, mainly because of the irregular jump inside the first if-cond branch.)<\/p>\n The screenshot below represents that decryption routine. The name was obfuscated by the app protector. Notice the constant numerals that have been circled in that code snippet: they are the decryption routine characteristics.<\/p>\n The following screenshot shows the same piece of code after marking it up. As you can see, the encryption algorithm is fairly simple: the current output character is derived from the previous character as well as the current byte of the encryptedStrings<\/em> array. A constant (-8 in this case) is added to yield the final character. The initial length (length<\/em>) as well as initial character (curChar<\/em>) are also offset by hard-coded constants. These three constants (0x3E, 0x199, -8) characterize the decryption routine, and are unique for each routine. The curChar<\/em> parameter acts as the decryption key.<\/p>\n You may customize this Python script to decrypt the strings:<\/p>\n Combined with reflection (another feature of the protector), the protection can be pretty effective.<\/p>\n","protected":false},"excerpt":{"rendered":" Let’s have a quick look at one feature of this well-known Android application protector, the string encryption mechanism. The app in question is a version of Cyanide. First, access to strings inside a protected class are replaced by calls to a static private decryption routine. That routine accesses a static private array containing all protected … Continue reading A look inside an Android app protector<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,3,5],"tags":[],"class_list":["post-90","post","type-post","status-publish","format-standard","hentry","category-android","category-decompilation","category-obfuscation"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/90","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=90"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/90\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=90"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=90"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=90"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"1\"](\"http:\/\/www.android-decompiler.com\/blog\/wp-content\/uploads\/2013\/04\/1.png\")
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n#!\/usr\/bin\/python\n# decryptor\n\n# customize\nstrings = [0x4C, 0xE, 2, 9, -7, 0x10, -54, 0x3E, 0x17, -9, -44, 0x4C, 0xA, ...]\nc0, c1, c2 = (0x199, 0x3E, -8)\n\ndef decrypt(length, curChar, pos):\n length += c0\n curChar += c1\n r = ''\n for i in range(length):\n r += chr(curChar & 0xFF)\n curEncodedChar = strings[pos]\n pos += 1\n curChar = curChar + curEncodedChar + c2\n return r<\/pre>\n