Thank you to all of you for your feedback, patience, and support! It now has the same functions as Data Converter as described here. In addition, I’ve added a couple more features. To help you understand how to use them, let’s try it out on the latest version of Blackhole.
I grabbed a Blackhole landing page link from a favorite site of mine, malc0de.com/database. Be sure you check it out and subscribe to the feed to get the latest!
Here, my browser is going to get hit by a Java exploit:
Analyzing this JAR file, we see at #26 a ClassCode is being created. It is calling two functions (test.iar then test.stob).
Here’s the “iar” function:
And the “stob” function:
Let’s get the string of characters from ClassCode and perform the same functions using Converter. Here’s what the array looks like. At the end of the array is the number “2” which is passed to the “iar” function as the “glueString”.
We copy the array into Converter and do a search of “ , ” and replace it with “2”.
Now we use the Tools > Key Search/Convert function. You’ll notice that the Before and After Action has changed. I made it more robust to handle calculations that go beyond the original addition and subtraction actions. Looking at the “stob” function of the Java applet, each byte has 42 subtracted from it then a modulo 256 is performed. It’s also not doing any XOR function. We can replicate this in Converter like so:
The word “val” must appear in the calculate field. What Converter is doing is replacing “val” with each byte from the input field, subtracting 42 then doing a mod 256. You have to enter an XOR key but you can use a 0x00 to have it do nothing.
You can perform numeric operators (+ - * / \ ^ mod) and boolean operators (not and or xor eqv imp) in the correct order of operation (use parentheses). All values should be entered as decimal. To be honest, I haven’t tried all of the operators or arithmetic functions so use at your own risk.
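The same decode can be reproduced outside Converter for cross-checking. The Python below is an added example, not Converter’s or the applet’s own code: it assumes the glued string is hex text and that the XOR key is applied after the calculation, the `iar` body is inferred from the description above, and `convert`, `_eval` and the sample array are hypothetical names and constructed data.

```python
import ast
import operator

# Operators accepted in a calculation: a subset of those listed in the post.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
        ast.BitXor: operator.xor, ast.BitAnd: operator.and_, ast.BitOr: operator.or_}

def _eval(node, val):
    """Evaluate a parsed arithmetic expression without calling eval()."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, val)
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.Name) and node.id == "val":
        return val
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left, val), _eval(node.right, val))
    raise ValueError("unsupported element in calculation")

def iar(parts, glue):
    """Join the array elements with the glue string (the search/replace step)."""
    return glue.join(parts)

def convert(hex_text, calc="(val - 42) mod 256", xor_key=0x00):
    """Apply calc to each input byte, then XOR with xor_key (0x00 does nothing)."""
    if "val" not in calc:
        raise ValueError('the word "val" must appear in the calculation')
    tree = ast.parse(calc.replace(" mod ", " % "), mode="eval")
    out = bytearray()
    for b in bytes.fromhex(hex_text):  # assumption: input is hex text
        out.append((_eval(tree, b) ^ xor_key) & 0xFF)
    return bytes(out)

# Constructed sample (not the applet's real data): a Java class-file header,
# encoded with +42 mod 256, hex-formatted, then split on every "2".
SAMPLE_ARRAY = ["F4", "8E4E8", "A", "A", "A5C"]
SAMPLE_GLUE = "2"

def decode_sample():
    return convert(iar(SAMPLE_ARRAY, SAMPLE_GLUE))

if __name__ == "__main__":
    print(decode_sample().hex())
```
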
I also added this functionality to the File > Convert Binary File option. Since this does file conversions and not a key search, the screen looks different. Just choose “Convert” if no XOR calculations need to be performed.
Here’s the resulting file:
And the same file loaded in JD-GUI:
The final addition is the ability to do a key search to find a matching hex code instead of just text. It can do decimal (CSV-delimited) too.
Data Converter has been updated to v0.5 to include the before/after actions functions and hex/decimal key searching as described above.
In addition, Revelo has been updated to v0.5.1. I just made some of the functions more efficient and fixed a few bugs along the way.
All of these tools can be found here.