Here is how to get decrypted classes from memory to disk:

The program used is OllyDbg 1.10 with plug-ins. Copy the plug-ins to the OllyDbg directory. The example used is fico.jar (run with java.exe -jar), which has two classes: Classlist.class and Student.class. The ClassGuard version used is 3.2.2. Download example (encrypted classes and plugs) here.

- Set a standard breakpoint (in APIfinder)
- Now hit F9 until the stack shows you the library in the temporary directory:
- Remove the breakpoint on LoadLibraryA
- Hit Ctrl+F9
- Put a breakpoint on 100023F2h
- Hit F9 until you reach it
- Scroll until you get
- The decrypted class is at SS:[EBP-38]
- Save it to disk using the Memory Dump plug-in.
- If you get the following message: turn back your system clock to before 2010-05-15. That might help. (It's because ClassGuard itself is not registered; it's a trial.)
- To get the other encrypted classes, keep hitting F9 to get back to (EIP=)100023F2h, then dump SS:[EBP-38] and save it to disk.

Just remember to look for the "CAFEBABE" bytes!

THE END?
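The reminder to look for the "CAFEBABE" bytes can be turned into a check on a saved dump. The Python below is an added example, not part of the original tutorial or of any plug-in it mentions; the function names, the sanity cap on the major version and the sample dump are assumptions made for illustration. It validates each candidate header by walking the constant pool and reports the class name, so a stray magic value is not mistaken for a class.

```python
import struct

MAGIC = b"\xca\xfe\xba\xbe"
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}  # payload bytes per tag

def parse_class_header(buf, off=0):
    """Return (major, minor, class_name) if buf[off:] starts a class file, else None."""
    try:
        magic, minor, major, cp_count = struct.unpack_from(">4sHHH", buf, off)
        if magic != MAGIC or not 45 <= major <= 99 or cp_count < 2:
            return None                        # 45 = JDK 1.0; 99 is an assumed sanity cap
        pos, i, utf8, classes = off + 10, 1, {}, {}
        while i < cp_count:
            tag = buf[pos]
            if tag == 1:                       # CONSTANT_Utf8: u2 length, then bytes
                (n,) = struct.unpack_from(">H", buf, pos + 1)
                utf8[i] = buf[pos + 3:pos + 3 + n]
                pos += 3 + n
            elif tag in CP_FIXED:
                if tag == 7:                   # CONSTANT_Class: u2 index of its name
                    (classes[i],) = struct.unpack_from(">H", buf, pos + 1)
                pos += 1 + CP_FIXED[tag]
                i += tag in (5, 6)             # long/double occupy two pool slots
            else:
                return None                    # unknown tag: not a class file
            i += 1
        _access, this_class = struct.unpack_from(">HH", buf, pos)
        return major, minor, utf8[classes[this_class]].decode("utf-8", "replace")
    except (struct.error, IndexError, KeyError):
        return None                            # truncated or inconsistent data

def find_classes(dump):
    """Return [(offset, major, minor, class_name)] for each validated header in a dump."""
    hits, off = [], dump.find(MAGIC)
    while off != -1:
        info = parse_class_header(dump, off)
        if info:
            hits.append((off,) + info)
        off = dump.find(MAGIC, off + 1)
    return hits

def make_sample(name):
    """Constructed minimal header: Utf8 name, Class entry, access flags, this_class."""
    return (MAGIC + struct.pack(">HHH", 0, 50, 3) + b"\x01" + struct.pack(">H", len(name))
            + name + b"\x07" + struct.pack(">H", 1) + struct.pack(">HH", 0x0021, 2))

# Constructed dump: padding, a class, a bare magic value, another class.
DUMP = b"\x90" * 7 + make_sample(b"Student") + MAGIC + b"\x00" * 12 + make_sample(b"Classlist")
```

Calling `find_classes(DUMP)` reports the two constructed classes with their offsets and skips the bare magic value between them.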