Didier Stevens

Sunday 26 September 2021

Patching A Java .class File

Filed under: 010 Editor,Forensics,Hacking,Malware — Didier Stevens @ 0:00

010 Editor is one of few commercial applications that I use daily. It’s a powerful binary editor with scripting and templates.

I recently had to patch a Java .class file: extend a string inside that class. Before going the route of decompiling / editing / recompiling, I tried with 010 Editor.

Here is the file opened inside the editor:

When opening the file, 010 Editor recognized the .class extension and installed and ran the template for .class files. That’s what I wanted to know: is there a template for .class files? Yes, there is!

Here is how you can apply a template manually, in case the file extension is not the original extension:

And this is how the template results look like:

Under the hex/ascii dump, the template results are displayed: a set of nested fields that match the internal structure of .class file. For example, the first field I selected here, u4 magic, is the magic header of a .class file: CAFEBABE.

The string I want to extend is this one:

I need to extend string “1.2 (20210922)”. Into something like “1.2 (20210922a)”.

Doing so will make the string longer, thus I need to add a byte to the file (trivial), but I also need to make sure that the binary structure of .java files remain valid: for example, if there is something in that structure like a field length, I need to change the field length too.

I’m not familiar with the internal structure of .class files, that why I’m using 010 Editor’s .class template, hoping that the template will make it clear to me what needs to be changed.

To find the template result field I need to modify, I position my cursor on the string I want to modify inside the ASCII dump, I right-click and select “Jump To Template Variable”:

Which selects the corresponding template variable:

So my cursor was on the 10th byte (bytes[9]) of the string, which is part of template variable cp_info constant_pool[27]. From that I gather that the string I want to modify is inside a pool of constants.

I can select that template variable:

And here I can see which bytes inside the .class file were selected. It’s not only the string, but also bytes that represent the tag and length. The length is 14, that’s indeed the length of the string I want to extend. Since I want to add 1 character, I change the length from 14 to 15: I can do that inside the template results by double-clicking the value 14, I don’t need to make that change inside the hexdump:

Next I need to add a character to the string. I can do that in the ASCII dump:

I have to make sure that the editor is in insert mode (INS), so that when I type characters, they are inserted at the cursor, in stead of overwriting existing bytes:

And then I can type my extra character:

So I have changed the constant string I wanted to change. Maybe there are more changes to make to the internal structure of this .class file, like other length fields … I don’t know. But what I do as an extra check is: save the modified file and run the template again. It runs without errors, and the result looks good.

So I guess there are no more changes to make, and I decide to tryout my modified .class file and see what happens: it works, so there are no other changes to make.

Thursday 28 January 2021

Update: XORSelection.1sc Version 6.0

Filed under: 010 Editor,Encryption,Malware,My Software — Didier Stevens @ 0:00

I released an update to my 010 Editor script XORSelection.1sc.

010 is a binary editor with a scripting engine. XORSelection.1sc is a script I wrote years ago, that will XOR-encode a (partial) file open in the editor.

The first version just accepted a printable, arbitrary-length string as XOR-key. Later versions accepted an hexadecimal key too, and introduced various options.

With version 6.0, I add support for a dynamic XOR-key. That is a key that changes while it is being used. It can change, one byte at-a-time, before or after each XOR operation at byte-level is executed.

Hence option cb means change before, and ca means change after. Watch this video to understand exactly how the key changes (if you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation).

 

I made this update to my XORSelection script, because I had to “manually” decode a Cobalt Strike beacon that was XOR-encoded with a changing XOR key (it is part of a WebLogic server attack). Later I included this decoding in my Cobalt Strike beacon analysis tool 1768.py.

The decoding shellcode is in the first 62 bytes (0x3E) of the file:

After the shellcode comes the XOR-key, the size and the beacon:

We can decode the beacon size, that is XOR-encoded with key 0x3F0882FB, as follows. First we select the bytes to be decoded:

Then we launch 010 Editor script XORSelection.1sc:

Provide the XOR key (prefix 0x is to indicate that the key is provide as hexadecimal byte values):

And then, after pressing OK, the bytes that contain the beacon size are decoded by XOR-ing them with the provided key:

This beacon size (bytes 00 14 04 00) is a little-endian, 32-bit integer: 0x041400.

To decode the beacon, we select the encoded beacon and launch script XORSelection.1sc again:

This time, we need to provide an option to change the XOR-decoding process. We press OK without entering a value, this will make the next prompt appear, where we can provide options:

The option we need to use to decode this Cobalt Strike beacon, is cb: change before.

In the next prompt, we can provide the XOR-key:

And we end up with the decoded beacon (you can see parts of the PE file that is the beacon):

Remark that you can enter “h” at the option prompt, to get a help screen:

I made this video explaining how to use this new option, and also explaining how the XOR key is changed exactly when using option change before (cb) or change after (ca).

If you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation.

XORSelection_V6_0.zip (https)
MD5: C1872C275B59E236906D38B2302F3F4B
SHA256: 1970A506299878FAC2DDD193F9CE230FD717854AC1C85554610DDD95E04DE9E9

 

Saturday 29 December 2018

New Tool: SimpleEncoder

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

I needed a 010 Editor script to do ROT-47 encoding. The script I developed supports different types of simple encodings (including ROT-47):

With custom shift encoding, you choose the shift value by providing a number in a second input dialog. This number can be negative to shift the characters to the left in stead of to the right.µ

FYI: I submitted this script to 010 Editor’s repository.

SimpleEncoder_V1_0.zip (https)
MD5: 02C7BA20D8BF9EB965B3957BE8D26094
SHA256: 7C98B404F49F5E22A8A052AB4E100BF4ABCE37F39518293FC697D21C1D36A4F3

Monday 16 April 2018

Update: XORSelection.1sc Version 4.0

Filed under: 010 Editor,My Software,Update — Didier Stevens @ 0:00

XORSelection is a 010 Editor script I wrote some time ago, and it is included in the 010 Editor script repository. You provided it with an XOR key (ASCII or HEX), and then it will XOR-encode the file (or selection) open in 010 Editor.

I discovered it will not work properly if the hexadecimal key contains a NULL byte (0x00). This is fixed in this new version.

This new version also allows whitespace characters when an hexadecimal key is provided (hexadecimal keys start with 0x).

XORSelection_V4_0.zip (https)
MD5: 1B3DB8C8DA51224DDE7CA0E4BDAAC945
SHA256: 22E60E10BC99BD24A408C12CC674858DB6F318088CD34B7C70782833401AACF2

Tuesday 10 May 2016

MovingXORSelection.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

This is a new script for 010 Editor. Like my XORSelection.1sc script, it encodes/decodes with the XOR operator.

The encoding method is as follows: the values of byte 1 and 2 are XORed and the result is stored as byte 2. Then this result (byte 2) is XORed with the value of byte 3, and that result is stored as byte 3. This goes on until all selected bytes are encoded.

Decoding is similar, but from right to left.

The script takes 2 parameters:

  1. Moving XOR is performed from left-to-right (L) or from right-to-left (R).
  2. The offset of the “previous” byte to XOR with the current byte (default -1).

20160508-172356

20160508-172436

The result:

20160508-173128

MovingXORSelection_V1_0.zip (https)
MD5: C0B069044E0CA64856B74DE03250F837
SHA256: CE4D0F139728DBCD7F3B817BB3B610FFAA893B3B5BDF73715345EE170166F36C

Monday 16 June 2014

Wireshark-export

Filed under: 010 Editor,My Software — Didier Stevens @ 0:37

Here is the 010 Editor script I developed to generate Wireshark hex dumps.

Watch how to use it in my previous blogpost: “Packet Class: Wireshark – Import Hex Dump”.

wireshark-export_v0_0_1.zip (https)
MD5: B339EFD0898B6506CBEAAFCBCE08B3A6
SHA256: 557B39246FAC3BD91CE24EAD3DF07F8B68100778241393A26C67A566756C404B

Tuesday 10 June 2014

Packet Class: Wireshark – Import Hex Dump

Filed under: 010 Editor,My Software,Wireshark — Didier Stevens @ 20:34

During my “Packet Class: Wireshark” training, we do an exercise on importing a hex dump in Wireshark.

I recently created a 010 Editor script to help with the creation of hex dumps for Wireshark.

This video shows its usage:

Thursday 18 July 2013

Update: js-unicode-unescape.1sc

Filed under: 010 Editor,My Software,Update — Didier Stevens @ 18:36

Because I had to use a workaround in my js-unicode-unescape.1sc script to copy an array of bytes to the clipboard, I asked the 010 Editor developers if they could add a function that does exactly this.

They included this new function, CopyBytesToClipboard, in their new version 5.0.

Here is a new version that uses this function:
js-unicode-unescape_v0_0_2.zip (https)
MD5: 6200C4F235CA527E8C0DCD5076CB1C09
SHA256: 2CACC9EE1BB1D1BC4C9FABC6EC3B3440CFF304AA560966B0B531279C369549BB

Sunday 21 April 2013

js-unicode-unescape.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the sixth one.

This script does the opposite of js-unicode-escape.1sc: a Unicode escape encode string is decode to bytes.

js-unicode-unescape_v0_0_1.zip (https)
MD5: E4FF29FB631142AC995636EED4CFB2AB
SHA256: C5659BCED1C6A7F92C2F7F9058DAA5807D2907283041E4F9DD1E4B6F318F2BBD

Saturday 20 April 2013

js-unicode-escape.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the fifth one.

010 Editor has a different functions to copy bytes from a file. As raw bytes, as hex, as base64, …

This script copies the selected bytes to the clipboard as a Unicode escape encoded string for JavaScript: %u3421%u9a0d…

js-unicode-escape_v0_0_3.zip (https)
MD5: B86B7E73D93C5A4C086384C2FF89303C
SHA256: 81F26C328FD67FB7512CD60485481D7FFD8B7FE5ACE95455D45F4F635EADF81C

Next Page »

Blog at WordPress.com.