JAR reverse engineering

ID: cia-2010-covert-communication-websites/jar-reverse-engineering

CIA 2010 covert communication websites / JAR reverse engineering, by Ciro Santilli
TODO it would be cool to have a look at the JARs and see if they have anything in common that makes for a good fingerprint. Would not help find new ones, but would help to confirm possible hits.
The most advanced reverse engineering effort so far has been by GitHub user quat1024, an undergraduate student at Ohio State University, Minecraft modding extraordinaire and furry aficionado. Minecraft is written in Java, which may partly explain his Java skills. He managed to deobfuscate the strings present in the JARs using Enigma, possibly github.com/FabricMC/Enigma, a Java reverse engineering tool. Cool findings on web.archive.org/web/20110208072027/http://newsupdatesite.com/update.jar include:
  • applet.configs deobfuscated contains a date:
     Fri Feb 05 12:04:29 EST 2010
    Also cool is the presence of a timezone, "EST", unsurprisingly.
.
./c
./c/b
./c/b/b.class
./c/b/c.class
./c/b/d.class
./c/b/a
./c/b/a/a.class
./c/b/a/b.class
./c/b/a/c.class
./c/b/a/d.class
./c/a
./c/a/a.class
./c/a/b.class
./c/a/c.class
./b
./b/a
./b/a/a
./b/a/a/e.class
./b/a/a/f.class
./b/a/a/a.class
./b/a/a/b.class
./b/a/a/g.class
./b/a/a/c.class
./b/a/a/d.class
./META-INF
./META-INF/MANIFEST.MF
./a
./a/cre
./a/a
./a/a/b
./a/a/b/a.class
./a/a/a
./a/a/a/e.class
./a/a/a/applet.configs
./a/a/a/b
./a/a/a/b/e.class
./a/a/a/b/f.class
./a/a/a/b/b.class
./a/a/a/b/g.class
./a/a/a/b/c.class
./a/a/a/b/d.class
./a/a/a/b/a
./a/a/a/b/a/a.class
./a/a/a/b/a/b.class
./a/a/a/b/a/c.class
./a/a/a/c.class
./a/a/a/d.class
./a/a/a/a
./a/a/a/a/a.class
so it is fully obfuscated.
./META-INF/MANIFEST.MF
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.1
Created-By: 1.5.0_17-b04 (Sun Microsystems Inc.)
Other files whose existence might help to fingerprint include:
  • a/a/a/applet.configs
  • empty a/cre
A quick:
find . -type f | xargs strings | sort -u
does not reveal any obvious cryptography calls.
web.archive.org/web/20110207204640/http://flyingtimeline.com/aircraft.jar looks very similar. META-INF/MANIFEST.MF is identical:
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.1
Created-By: 1.5.0_17-b04 (Sun Microsystems Inc.)
web.archive.org/web/20110202185659/http://differentviewtoday.com/bwm.jar is a bit different, with tree:
META-INF/MANIFEST.MF
a/a.class
b/a/a/a.class
b/a/a/b.class
b/a/a/c.class
b/a/b/a.class
b/a/b/b.class
b/a/b/c.class
b/a/b/d.class
b/a/b/e.class
b/a/bw.properties
b/a/c.class
c/a/a/a.class
c/a/a/b.class
c/a/a/c.class
c/a/a/d.class
c/a/b.class
c/a/c.class
c/a/d.class
c/a/e.class
c/b/a.class
c/b/b.class
c/b/c.class
and:
META-INF/MANIFEST.MF
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Created-By: 1.5.0_12-b04 (Sun Microsystems Inc.)
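As an added example (not the author's or quat1024's code), the following Python script pulls out the fingerprint features discussed above, namely the Ant-Version and Created-By manifest fields, whether every package and class name is a single letter, the class-count-per-package profile, and non-class marker files such as applet.configs, cre and bw.properties, and compares two samples on them. The JAR contents are constructed in memory from the member lists and manifests shown on this page, since the archived JARs themselves are not bundled here.

```python
import io
import zipfile
from collections import Counter

# Constructed stand-ins: the member lists of update.jar and bwm.jar as given on
# the page, written as empty entries into in-memory JARs for offline testing.
UPDATE_JAR_TREE = """c/b/b.class c/b/c.class c/b/d.class c/b/a/a.class c/b/a/b.class c/b/a/c.class
c/b/a/d.class c/a/a.class c/a/b.class c/a/c.class b/a/a/e.class b/a/a/f.class b/a/a/a.class
b/a/a/b.class b/a/a/g.class b/a/a/c.class b/a/a/d.class a/cre a/a/b/a.class a/a/a/e.class
a/a/a/applet.configs a/a/a/b/e.class a/a/a/b/f.class a/a/a/b/b.class a/a/a/b/g.class a/a/a/b/c.class
a/a/a/b/d.class a/a/a/b/a/a.class a/a/a/b/a/b.class a/a/a/b/a/c.class a/a/a/c.class a/a/a/d.class
a/a/a/a/a.class""".split()
BWM_JAR_TREE = """a/a.class b/a/a/a.class b/a/a/b.class b/a/a/c.class b/a/b/a.class b/a/b/b.class
b/a/b/c.class b/a/b/d.class b/a/b/e.class b/a/bw.properties b/a/c.class c/a/a/a.class c/a/a/b.class
c/a/a/c.class c/a/a/d.class c/a/b.class c/a/c.class c/a/d.class c/a/e.class c/b/a.class c/b/b.class
c/b/c.class""".split()

def make_jar(tree, ant_version, created_by):
    """Build an in-memory JAR with empty members and an Ant-style manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n"
                    f"Ant-Version: {ant_version}\nCreated-By: {created_by}\n")
        for path in tree:
            zf.writestr(path, b"")
    return buf.getvalue()

def fingerprint(jar_bytes):
    """Extract features that help confirm a suspected hit against known samples."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        manifest = dict(line.split(": ", 1) for line in
                        zf.read("META-INF/MANIFEST.MF").decode().splitlines() if ": " in line)
    classes = [n[:-len(".class")] for n in names if n.endswith(".class")]
    # Every package and class name a single letter: ProGuard-style full obfuscation.
    obfuscated = all(len(part) == 1 for c in classes for part in c.split("/"))
    # Class-count-per-package profile: survives renaming, changes with the code shape.
    shape = sorted(Counter(c.rsplit("/", 1)[0] for c in classes).values(), reverse=True)
    markers = sorted(n for n in names if not n.endswith(".class") and not n.startswith("META-INF/"))
    return {"ant_version": manifest.get("Ant-Version"), "created_by": manifest.get("Created-By"),
            "class_count": len(classes), "fully_obfuscated": obfuscated,
            "package_shape": shape, "markers": markers}

def compare(fp_a, fp_b):
    """Map each feature to whether the two fingerprints agree on it."""
    return {k: fp_a[k] == fp_b[k] for k in fp_a}
```

Run against the two constructed samples, update.jar and bwm.jar agree only on being fully obfuscated; the build metadata, class counts and package profiles all differ, which is why the manifest alone is a weak fingerprint and the tree shape is worth recording too.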