Brainstorming: Deobfuscation of Framework JARs in 5.x FW

[Marco77]

Hello there,

I've been thinking of ways to somehow allow JBPatch'ing on newer FW versions.

First and foremost, let me apologize as I won't be online as often as I'd like to in the next couple of weeks.

This is just discussion/brainstorming at this point;
I would like to have input from people here, ye who have deep knowledge and are clearly more experienced in modding their K-devices, if the following seems sound and realistic. If it's already been done, my apologies, please point me to the correct place.

Situation Assessment

• framework stuff in /opt/amazon/ebook has been obfuscated at some point in 2012 (5.0.1). It has been reported that a product from "Allatori" was used for such purposes, with some tricks like case-sensitive filenames (but no string literal was obscured).
• it is harder to navigate code in usual tools like JD-GUI
• people have been relying on crude, yet proven solutions such as Java Bytecode Editor to directly edit the (lower-level) bytecode instructions
• JBPatch requires specific code to handle every newer firmware iteration; there were no updates beyond 5.3.x, for unspecified reasons. One may speculate it was too much a hassle to maintain

The course of action:

1. Use older firmwares to map obfuscated symbols (class names, methods and fields) to their real counterparts.
2. Generate a "mapping" for a target firmware version using free and open-source tools such as Enigma / Nocturne
3. Regenerate the jars using the restored names
4. Try to have a working CVM, preferably using an alternate framework location (to prevent softbrick)

1) I cannot link the 5.0.0 firmware due to forum rules but is quite easy to find online thanks to Ixtab (again). Extract the img.gz and mount this rootfs as a loop device (used Explore2fs as I have no access to a Linux vm), then copy the /opt contents somewhere.

2) Output from these tools may need to be tweaked.

3) I do not know an off-the-shelf solution for this. I had some (very)limited success for a SINGLE jar with java-deobfuscator, for instance:

Code:

C:\Tools\Java\jdk1.8.0_74\jre\bin\java.exe -jar deobfuscator-1.0.0.jar -input Reader.jar -output Reader-dob.jar -transformer normalizer.ClassNormalizer -transformer normalizer.MethodNormalizer -transformer normalizer.FieldNormalizer -path C:\Tools\j2dk142_19\jre\lib\rt.jar -path \opt\amazon\ebook\lib\ReaderSDK.jar -path \opt\amazon\ebook\lib\kaf.jar -path \opt\amazon\ebook\booklet\AbstractReaderBooklet.jar -path \opt\amazon\ebook\lib\utilities.jar

I have no idea how to do that for several jars at a time (cross references), and how to apply the mappings. http://stackoverflow.com/a/36272210 is interesting, but this will probably need tooling tailored for the job.


[1] http://www.minecraftforum.net/forums...-java-bytecode
[2] http://www.minecraftforum.net/forums...-deobfuscation

[knc1]

The obfuscation is different for every version released.

Whatever you do, you will have to do it every time the firmware build is re-done.