Comments (6)
Interesting, didn't know you could bypass the security manager like that. Check out the latest commit.
from threadtear.
If you find another bypass, let me know!
from threadtear.
Your latest commit will actually break your other executions in certain cases (notably, the ones for Stringer) as some decryptor methods actually make use of some of the classes you prohibited with that commit.
Examples:
- Stringer 3.x.x string encryption with bytecode integrity checking (uses the Sun API to fetch the constant pool size of the callee's containing class).
- Stringer 3.x.x/9.x.x string encryption with JAR integrity checking which utilizes java.lang.reflect to check parts of the JAR to compute a key.
- Stringer 3.x.x/9.x.x hide access obfuscation which utilizes classes from java.lang.reflect to produce either CallSite or a java.lang.reflect.{Method/Field} to the appropriate class member.
Furthermore, the presence of the VM can still be found with something such as if (PoC.class.getClassLoader().getClass().getName().startsWith("me.nov")) throw new RuntimeException("Found deobfuscator instance").
from threadtear.
Oops, didn't notice that. You can't really hide the VM instance, but that's not that important IMO. Gotta find a workaround for that.
from threadtear.
It is gonna be pretty hard to block bypasses using reflection, as ReflectPermission does not provide a way to get the context (e.g. allow reflection for everything, except java.lang.System). For now I'm disabling reflection checks for these executions you listed.
from threadtear.
Java doesn't allow me to redefine java.lang.reflect.AccessibleObject either. Still haven't found any way to only block certain reflection.
from threadtear.
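The limitation discussed in the comments above, shown as an added example that is not part of the original thread or of threadtear's code: a security manager sees only the permission name for a ReflectPermission check and can recover the calling class from the stack, but never the member being opened. All class names are hypothetical, and it assumes a JDK where a Security Manager can still be installed (JDK 8 to 17; JDK 18 to 23 need -Djava.security.manager=allow).

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;

// Added illustration; every class name here is hypothetical.
public class ReflectPermissionContextDemo {

    static class TargetA { private int secret = 1; }
    static class TargetB { private int secret = 2; }

    // Observes reflection checks and records what the manager is told.
    static class RecordingManager extends SecurityManager {
        final List<String> seen = new ArrayList<>();

        @Override
        public void checkPermission(Permission perm) {
            if (!(perm instanceof ReflectPermission)) return; // allow all else
            // The stack gives the calling class, never the Field being opened.
            String caller = "?";
            for (Class<?> c : getClassContext()) {
                if (c != RecordingManager.class && !c.getName().startsWith("java.")) {
                    caller = c.getName();
                    break;
                }
            }
            // concat() avoids bootstrapping string-concat call sites in here.
            seen.add(perm.getName().concat(" caller=").concat(caller));
        }
    }

    public static void main(String[] args) throws Exception {
        RecordingManager sm = new RecordingManager();
        System.setSecurityManager(sm);

        Field a = TargetA.class.getDeclaredField("secret");
        Field b = TargetB.class.getDeclaredField("secret");
        a.setAccessible(true);
        b.setAccessible(true);

        // Both recorded entries are identical: the check cannot tell
        // TargetA from TargetB, so it cannot single out one class.
        for (String s : new ArrayList<>(sm.seen)) System.out.println(s);
    }
}
```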