Java Journal & Pyresso: A Python-Based Framework for Debugging Java


Published on June 25, 2016

Author: CrowdStrike

Source: slideshare.net

1. People still use Java?

2. Java decompilers: CFR, FernFlower, JD-GUI, Krakatau, Procyon

3. Decompiled Adwind (org.jsocket) code as shown on the slide: every string literal is passed through one of two obfuscation helpers before use.
   IiiIIIIIiI("kq/#;n!+\u0005\u001d\u001e\u0001\u0019oing09SU_Y^un\u0012\u00004!\u0010\u0004\u0003\u0013ljb\u0010\u0013ac`um"));
   iIIiiIIiii(".\u0012V|QgKCw3B3[`F3b fP_{p22\u001c&\u0007tdItT0|qC3@`M{\u001230\u0001t1yD|Gm8\u0000>\u000f1\u0001J:w \u001e=\u001c!Gbt=<EDe\u001dsCb_w\u001dq|_<vGv`\u001dC@bv@GkXz\u0018%\u0017(\u001ftKzf1"));
   IiiIIIIIiI("R'\"\u001e\u001d#n\u0002b\u001f\u00078'3yw}urhm"));
   iIIiiIIiii("rtV}Z1"));
   IiiIIIIIiI("nWNk%\u0011\u0014S8npqszm90*8(ic0'3m"));
   iIIiiIIiii("20\u00115[AfPvV.PlI!")+Server.settings.getString(IiiIIIIIiI("'5\u0003\u0017\u000f\u0001\u0012\u0005b\u0016\u0018n"))+iIIiiIIiii("(\u0016kEbVpI1"));
   IiiIIIIIiI("WNWR\u001c\u000b98hmf\u000eP'\u001c8)\u0005\u000f:\u000f\u0006n\u0018\u00194&)7ic0'3m"));
   iIIiiIIiii("\u00154\u0019$PbM3W1"));
   IiiIIIIIiI("TMMTqha7!>2,m")+Server.settings.getString(iIIiiIIiii("sJtOofnaoWUn4_zG"))+IiiIIIIIiI("tr7!>2,m"));
   iIIiiIIiii("?Tu\u00132\u0013.`FA{]ur?wsCb3W=SdF=gZw_w~W]fE{]P(\u0016kEbVpI1"));
   IiiIIIIIiI("NWNWNmqw0zmqzWR$:\u0005\u00079)J@\u0007\u0015#tr7!>2,m"));
   iIIiiIIiii("0\u0011)b\u00154\u0005kEbVpI1")+iIiIIiIiiI2.getAbsolutePath()+IiiIIIIIiI("tr7!>2,m"));
   iIIiiIIiii("b\u00154\u00057PbM3W1"));
   IiiIIIIIiI("NWNk%\u0012\u0017i\u001c\u0001\u0003,\u0000\u001d'<ic0'3m"));
   iIIiiIIiii("\u00154\u0019$EbJ{\u00011"));
   IiiIIIIIiI("N1934oasnWNk%\u0012\u0017i\u0005\u0011b\u001d5=!+!ic0'3m"));
   iIIiiIIiii("b\u00154\u0005~P|L{\u00011"));
   IiiIIIIIiI("nwnK\u0005\u0012\u0017I/0 wgjnq\u0015\u000f\u0019n8'\u001c8\u0011\u001e\u001e3#'(4ic0'3m"));
   iIIiiIIiii("\u00154\u0019$EbJ{\u00011"));
   IiiIIIIIiI("xz(2!>m"));
   iIIiiIIiii("\u00057A|VmZ1"));

4. Recompile & Debug / Create Deobfuscator / Dynamic Tracing

5. Capturing Java method calls

6. 1 Lightweight, extensible, well-documented
   2 Doesn't require user to write Java code
   3 Cross-platform & works with latest JVM
   4 Captures method args and return values
   5 Can begin trace at very first instruction
   6 Doesn't transform target's bytecode

7. Existing Java tracing and debugging tools: BTrace, Bytecode Visualizer, Chronon, Greys, InTrace, Java VisualVM, JavaSnoop, JSwat Debugger, Limpid Log, MaintainJ, MethodTracer, ...

8. Built from the ground up

9. Bluescreen in 3... 2...

10. public class HelloWorld {
        public static void main(String[] args) {
            System.out.println("Hello, World");
        }
    }

11. package org.jsocket.b;
    // ...
    public abstract class iIIiiIIiii {
        // ...
        // String deobfuscation routine. The key is never stored: it is the
        // fully-qualified class name plus method name of the *caller*, read from
        // the stack trace, so the same literal decodes differently at each call
        // site and a static decompile alone does not yield the plaintext.
        public static String IIIiIiJSocket(String iIiIIiIiiI) {
            int n;
            StackTraceElement stackTraceElement = new Exception().getStackTrace()[1];
            String string = new StringBuffer(stackTraceElement.getClassName()).append(stackTraceElement.getMethodName()).toString();
            int n2 = iIiIIiIiiI.length();
            int n3 = n2 - 1;
            char[] arrc = new char[n2];
            int n4 = 5 << 4 ^ 5 << 1;              // 90, 'Z'
            int n5 = (2 ^ 5) << 4 ^ (2 << 2 ^ 3);  // 123, '{'
            int n6 = n = string.length() - 1;
            String string2 = string;
            // Walk the input from the end, two characters per key character.
            while (n3 >= 0) {
                int n7 = n3--;
                arrc[n7] = (char)(n5 ^ (iIiIIiIiiI.charAt(n7) ^ string2.charAt(n)));
                if (n3 < 0) {
                    return new String(arrc);
                }
                // The decompiler emitted an undefined temporary (v3080) as the index
                // here; it is n3 as evaluated before the post-decrement.
                arrc[n3] = (char)(n4 ^ (iIiIIiIiiI.charAt(n3--) ^ string2.charAt(n)));
                if (--n < 0) {
                    n = n6;  // wrap around to the end of the key
                }
            }
            return new String(arrc);
        }
    }

12. C:\>javajournal.py -jar adwind.jar -include org.jsocket.b.*
    org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("Jb") ^ "TLS"
    org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("∟}aU<X`]pYVf<@Va⌂D{KPg▬sTi◄zBc") ^ "/org/jsocket/resources/key.dll"
    org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("Ez") ^ "win"
    org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("}@m]s^w") ^ "OS_NAME"
    org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("e_DsAw") ^ "VMWARE"
    org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("^Z|Fj") ^ "LINUX"
    org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("⌂Rq") ^ "MAC"
    org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("Ba]T`R⌂U[_w@:K%←") ^ "ProgramFiles(X86)"
    org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("o]aSp^vne{aFFs⌂pj3uFw@f3sWvZfz]}A") ^ "OracleVirtualBox Guest Additions"
    org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("bA}wChEs}U}B8g&↑&") ^ "ProgramFiles(X86)"
    org.jsocket.b.iIIiiIIiii.IIIiIiJSocket("oD^ER`um_eBuK}◄DPqB|") ^ "VMwareVMware Tools"
    (The ∟ ⌂ ▬ ◄ ← ↑ glyphs are the Windows console's rendering of non-printable characters inside the obfuscated arguments. Note that "ProgramFiles(X86)" appears twice with different arguments: the key is the caller's class and method name, so the same plaintext is encoded differently at each call site.)
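The following is an added example, not code from the slides and not part of pyspresso or JavaJournal. It ports the IIIiIiJSocket routine from slide 11 to Python, with the stack-trace key passed in explicitly, and uses the (argument, return value) pairs JavaJournal captured on slide 12 as known plaintext to recover the characters of the caller's class+method key that each call consumed. The caller class and method names used as keys are hypothetical (the slides show what each call returned, not which caller produced it); pairs whose printed argument lost non-printable characters on the slide are left out.

```python
# Added example: not code from the slides, and not from pyspresso/JavaJournal.
# A Python port of the string routine decompiled on slide 11 (IIIiIiJSocket),
# plus a known-plaintext recovery of the key characters from the
# (argument, return value) pairs JavaJournal printed on slide 12.
# The caller class/method names used as keys below are hypothetical.

# The two XOR constants, written exactly as in the decompiled Java.
C_LAST = ((2 ^ 5) << 4) ^ ((2 << 2) ^ 3)   # n5 = 123 ('{'): applied to the later char of a pair
C_PAIR = (5 << 4) ^ (5 << 1)               # n4 = 90  ('Z'): applied to the earlier char


def call_site_key(class_name: str, method_name: str) -> str:
    """Java side: new Exception().getStackTrace()[1] is the *caller* of
    IIIiIiJSocket; the key is its class name + method name. Nothing is stored
    with the ciphertext, so the same literal decodes differently per call site."""
    return class_name + method_name


def jsocket_xor(text: str, key: str) -> str:
    """Port of IIIiIiJSocket(text) with the stack-trace key passed explicitly.

    Walks the input from the end in pairs. Both chars of a pair use the same key
    char, consumed from the end of the key (wrapping to the end when exhausted);
    the later char is XORed with C_LAST, the earlier with C_PAIR. XOR is its own
    inverse, so the same function both encodes and decodes."""
    n = len(key) - 1
    n6 = n                                   # wrap point once the key runs out
    n3 = len(text) - 1
    out = [""] * len(text)
    while n3 >= 0:
        n7 = n3
        n3 -= 1
        out[n7] = chr(C_LAST ^ ord(text[n7]) ^ ord(key[n]))
        if n3 < 0:                           # odd length: lone first char
            break
        # Java: arrc[n3] = (char)(n4 ^ (s.charAt(n3--) ^ key.charAt(n)))
        # (the array index is evaluated before the post-decrement)
        out[n3] = chr(C_PAIR ^ ord(text[n3]) ^ ord(key[n]))
        n3 -= 1
        n -= 1
        if n < 0:
            n = n6
    return "".join(out)


def recover_key_tail(enc: str, plain: str) -> str:
    """Known-plaintext attack on one (ciphertext, plaintext) pair.

    Returns the key characters the pair consumed, in key order (the last
    ceil(len/2) characters of the caller's class+method string), and checks that
    both chars of each pair agree on the key char. Assumes the key did not wrap,
    i.e. len(plain) <= 2 * len(key)."""
    if len(enc) != len(plain):
        raise ValueError("ciphertext and plaintext lengths differ")
    consumed = []                            # key[-1], key[-2], ...
    i = len(enc) - 1
    while i >= 0:
        k = C_LAST ^ ord(enc[i]) ^ ord(plain[i])
        if i >= 1 and (C_PAIR ^ ord(enc[i - 1]) ^ ord(plain[i - 1])) != k:
            raise ValueError(f"pair at positions {i - 1},{i} disagrees on the key char")
        consumed.append(chr(k))
        i -= 2
    return "".join(reversed(consumed))


# Constructed from slide 12: argument as printed there -> value JavaJournal captured.
SLIDE12_PAIRS = [
    ("e_DsAw", "VMWARE"),
    ("^Z|Fj", "LINUX"),
    ("}@m]s^w", "OS_NAME"),
]


def encode_at_two_sites(plain: str = "ProgramFiles(X86)"):
    """Slide 12 shows "ProgramFiles(X86)" twice with different arguments; that is
    what keying on the caller produces. Hypothetical callers whose class+method
    strings end differently, so the ciphertexts differ from the last char on."""
    k1 = call_site_key("org.jsocket.b.Server", "IiiIIIIIiI")
    k2 = call_site_key("org.jsocket.b.Loader", "iIIiiIIiii")
    return jsocket_xor(plain, k1), jsocket_xor(plain, k2)


if __name__ == "__main__":
    for enc, plain in SLIDE12_PAIRS:
        tail = recover_key_tail(enc, plain)
        # Hypothetical caller whose class+method string ends with the recovered tail.
        key = call_site_key("org.jsocket.b.Server", "IiiI" + tail)
        assert jsocket_xor(enc, key) == plain
        print(f"{enc!r:>10} -> {plain!r:10} caller key ends with {tail!r}")
    c1, c2 = encode_at_two_sites()
    print("ProgramFiles(X86) at two call sites:", repr(c1), repr(c2))
```

The recovered tails are consistent with obfuscated identifiers like the ones on slide 11 (runs of "i" and "I"): "VMWARE" and "LINUX" share a key ending in "iII", while "OS_NAME" was decoded from a caller whose class+method string ends in "IIII", i.e. a different call site. This is also why the third option on slide 4, dynamic tracing, wins here: a standalone deobfuscator has to know the exact caller of every literal, whereas a method-call trace simply records what each call returned.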

13. Just give me the code already

14. GPL source code and documentation for JavaJournal and pyspresso:
    https://github.com/CrowdStrike/pyspresso
    https://pypi.python.org/pypi/pyspresso
    pyspresso is still in alpha
    Future work:
    • Inspection of method arguments in opaque frames for native methods (see Pstack)
    • Improved object abstraction
    • Automatic attaching to child processes
    • GUI with extended capture information (see Rohitab's API Monitor)

15. Hecklers be heckling
