1
Cracking String Encryption in Java Obfuscated Bytecode
subere@uncon.org
November 2006
Abstract
This paper discusses in technical detail the type of String Encryption used by popular java obfuscation
tools. The main motivation behind this work lies within the identification of attack vectors as well as
potential entry points of a given obfuscated application. Following a brief introduction, a methodology for
reverse engineering Java bytecode is presented. We focus on the encryption techniques deployed by the
following obfuscators: Zelix KlassMaster (version 4.5.0), RetroGuard (version 2.2.0), JShrink (version
2.3.7) and Dash-O (version 3.2.0). Ways to crack the corresponding levels of String encryption as well as
potential further attack vectors that such obfuscators might introduce are also examined. The findings of
this paper show that cracking String encryption within the above obfuscators is a task which can be
performed even in an automated way. In order to mitigate against the problem a brief proposal is outlined
stating the need for polymorphic obfuscators that have the ability to select from an algorithm pool
depending on the type of application as well as the level of obfuscation required.
1. Introduction
The practice of obfuscating intermediate platform independent code, such as Java bytecode or Microsoft
Intermediate Language (MSIL now CIL1) code often carries an element solely dedicated to the
“encryption”2 of String values embedded within the code. As the encryption taking place is part of the
obfuscation process it cannot affect the behaviour of the program or deviate from the original program
operations. Thus, at runtime, the Virtual Machine needs to be able to reverse any such process of
encryption within the obfuscated code.
This paper examines standard “decryption” techniques which can be applied to obfuscated Java bytecode
that has been reverse engineered. As the algorithm and any keys used to encrypt the Strings are
embedded within the application, a