Getting Started With Java Reverse Engineering
The Bytecode Club - Reverse Engineering Forum (https://the.bytecode.club)
Forum: Lobby (https://the.bytecode.club/forumdisplay.php?fid=1) > Programming (https://the.bytecode.club/forumdisplay.php?fid=86)
Thread: Getting Started With Java Reverse Engineering (/showthread.php?tid=12)
Getting Started With Java Reverse Engineering - Konloch - 07-17-2014

MOVED TO https://the.bytecode.club/wiki/index.php?title=Learn_Java_Reverse_Engineering

INDEX:
1) Introduction
2) Tools
3) Explaining The Classfile
4) Decompiling the Classfile
5) Bytecode 101
6) Basic Cracking (IFEQ/IFNE)
7) Tips

1) Introduction:
What is Java Bytecode? It's the compiled Java source code; I like to think of Bytecode as almost having the source code. If you can write/read Bytecode well, you'll be able to easily mod/patch/whatever any Java application with ease, even those obfuscated with advanced obfuscation techniques. Reverse Engineering (RE) is not limited to Bytecode editing; RE is the art of figuring out exactly how a piece of code works and being able to alter part of it. In this tutorial you'll be learning how to Reverse Engineer by modifying the class files (Bytecode) directly. I'll be assuming you have a basic to intermediate understanding of Java programming; if you don't, go learn Java first. If you're planning on doing advanced Bytecode edits, you'll also need an understanding of how the JVM works (the stack, etc).

2) Tools:
The first thing to Java reverse engineering would be the tools. I recommend you go and download Bytecode Viewer & CJBE from http://the.bytecode.club/tools.php. I'd also recommend getting a code highlighting text editor, like Notepad++ if you're on Windows. Once you download the tools, I recommend you read the discussion threads for both of them.

3) Explaining The Classfile:
There are 10 basic sections to the Java Class File structure:
General Layout: Because the class file contains variable-sized items and does not also contain embedded file offsets (or pointers), it is typically parsed sequentially, from the first byte toward the end. At the lowest level the file format is described in terms of a few fundamental data types:
The Constant Pool: The constant pool table is where most of the literal constant values are stored. This includes values such as numbers of all sorts, strings, identifier names, references to classes and methods, and type descriptors. All indexes, or references, to specific constants in the constant pool table are given by 16-bit (type u2) numbers, where index value 1 refers to the first constant in the table (index value 0 is invalid).

Due to historic choices made during the file format development, the number of constants in the constant pool table is not actually the same as the constant pool count which precedes the table. First, the table is indexed starting at 1 (rather than 0), but the count should actually be interpreted as the maximum index plus one.[3] Additionally, two types of constants (longs and doubles) take up two consecutive slots in the table, although the second such slot is a phantom index that is never directly used.

There are only two integral constant types, integer and long. Other integral types appearing in the high-level language, such as boolean, byte, and short, must be represented as an integer constant.

Class names in Java, when fully qualified, are traditionally dot-separated, such as "java.lang.Object". However, within the low-level Class reference constants, an internal form appears which uses slashes instead, such as "java/lang/Object".

4) Decompiling the Classfile:
For the most part the process of decompiling is automatic. If the classfile or jar you're trying to decompile hasn't implemented any form of obfuscation, you'll be able to decompile the class file completely. For those of you that don't know, decompiling means converting the classfile's Bytecode back to Java Source Code. The tool I recommend to decompile is Bytecode Viewer; it contains 3 different modern Java Decompilers inside of it.
It can also display the Bytecode right beside the source code to make it easier for the user to learn Bytecode, and make it easier on experienced users who want to just quickly view the source code. You can download it at https://github.com/Konloch/bytecode-viewer/releases

5) Bytecode 101:
Bytecode is constructed using Opcodes (instructions). Here's some example Bytecode:

Code:
    getstatic java/lang/System/out Ljava/io/PrintStream;

This is from a Hello World example:

Code:
    System.out.println("Hello World");

Bytecode instructions fall into a number of broad groups:
Many instructions have prefixes and/or suffixes referring to the types of operands they operate on. These are as follows:

    Prefix/Suffix   Operand Type
    i               integer
    l               long
    s               short
    b               byte
    c               character
    f               float
    d               double
    z               boolean
    a               reference

For example, "iadd" will add two integers, while "dadd" will add two doubles. The "const", "load", and "store" instructions may also take a suffix of the form "_n", where n is a number from 0–3 for "load" and "store". The maximum n for "const" differs by type. The "const" instructions push a value of the specified type onto the stack. For example, "iconst_5" will push an integer 5, while "dconst_1" will push a double 1. There is also an "aconst_null", which pushes "null". The n for the "load" and "store" instructions specifies the location in the variable table to load from or store to. The "aload_0" instruction pushes the object in variable 0 onto the stack (this is usually the "this" object). "istore_1" stores the integer on the top of the stack into variable 1. For variables with higher numbers the suffix is dropped and operands must be used.

6) Basic Cracking (IFEQ/IFNE):
From here on out we'll be working with Bytecode. If you're not sure what Bytecode is, it's essentially what the .Java files are compiled down to (.class now). There are a few mild ways to obfuscate the Bytecode (Flow Obfuscation, etc), but this doesn't really do much; for the most part, once you learn to read/write the Bytecode, you'll be able to crack anything written in Java. So, let's look at the basic protection system:

Code:
    public static void main(String[] args) {

There are two obvious ways to crack this: one is to just give out the 'securepassword' by decompiling, but we're going to do something different. Here's the Bytecode of that method:

Code:
    aload_0

Now it's time to learn the two simple Opcodes: IFEQ if(equals) and IFNE if(!equals). Utilizing these two Opcodes will allow you to crack any form of serial/login based authentication.
(Since it'll end up having to compare the serial/login response to something.) So, as you can see, if the String 'securepassword' was dynamic, or if their security relies on simple if checks, all you'll need to do is replace all of the ifeqs with ifnes (vice versa if needed).

Cracked Bytecode:

Code:
    aload_0

And the Java source code of this would be:

Code:
    public static void main(String[] args) {

Isn't cracking easy? You'd be surprised by how many programs rely on ifeq/ifne (almost all indie programs/games will).

7) Tips:
You'll really need to think of it like this: you have control of the source code. If you can read/write Bytecode well enough, you could even develop in it (highly unlikely), but this means modding/patching/whatever can be done without even needing to have access to the source code. For example, say there is a method that returns a String which is used to generate a unique key made only for your computer; we could simply edit the classfile's Bytecode quickly and make the method return random shit.

A jar file is essentially just a ZIP file with a META-INF/ folder and Java class files inside of it; because of this you can open it with any Zip archive tool. Also, another good thing to remember: if you're on Windows and you come across a jar file with aa.class, AA.class, Aa.class, etc., try reobfuscating it without strong obfuscation, or else you won't be able to fully extract the jar file to your filesystem.
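The constant pool rules from section 3 (indexing starts at 1, the count is the maximum index plus one, longs and doubles burn a phantom second slot, class names are stored slash-separated) are easiest to trust once you have parsed a class file by hand. The following parser is an added example and is not code from the post, from Bytecode Viewer or from CJBE; the class bytes it reads are constructed inline (a class "demo/Hello" extending java/lang/Object with one Long constant) and the parser only models the tags listed in its table, rejecting anything else rather than guessing at its size.

```python
import struct

# Constant pool tag values from the JVM specification (only the tags modelled here).
CONSTANT_Utf8, CONSTANT_Integer, CONSTANT_Float = 1, 3, 4
CONSTANT_Long, CONSTANT_Double, CONSTANT_Class, CONSTANT_String = 5, 6, 7, 8
CONSTANT_Fieldref, CONSTANT_Methodref, CONSTANT_InterfaceMethodref, CONSTANT_NameAndType = 9, 10, 11, 12
REF_NAMES = {9: "Fieldref", 10: "Methodref", 11: "InterfaceMethodref", 12: "NameAndType"}


def parse_constant_pool(data):
    """Parse the class file header and constant pool.

    Returns (pool, offset): pool maps the 1-based constant index to a tuple,
    offset is the position of access_flags just after the pool.
    """
    magic, minor, major, cp_count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file: bad magic %#x" % magic)
    pool = {}
    pos = 10
    index = 1                        # index 0 is invalid by definition
    while index < cp_count:          # cp_count is (max index + 1), not the entry count
        tag = data[pos]
        pos += 1
        if tag == CONSTANT_Utf8:
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            # Java uses "modified UTF-8"; plain decoding is fine for ASCII names like these.
            pool[index] = ("Utf8", data[pos:pos + length].decode("utf-8"))
            pos += length
        elif tag in (CONSTANT_Integer, CONSTANT_Float):
            (value,) = struct.unpack_from(">i" if tag == CONSTANT_Integer else ">f", data, pos)
            pos += 4
            pool[index] = ("Integer" if tag == CONSTANT_Integer else "Float", value)
        elif tag in (CONSTANT_Long, CONSTANT_Double):
            (value,) = struct.unpack_from(">q" if tag == CONSTANT_Long else ">d", data, pos)
            pos += 8
            pool[index] = ("Long" if tag == CONSTANT_Long else "Double", value)
            index += 1               # phantom slot: 8-byte constants occupy two indices
        elif tag in (CONSTANT_Class, CONSTANT_String):
            (ref,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[index] = ("Class" if tag == CONSTANT_Class else "String", ref)
        elif tag in REF_NAMES:
            a, b = struct.unpack_from(">HH", data, pos)
            pos += 4
            pool[index] = (REF_NAMES[tag], a, b)
        else:
            raise ValueError("unsupported constant tag %d at index %d" % (tag, index))
        index += 1
    return pool, pos


def class_name(pool, class_index):
    """Resolve a CONSTANT_Class entry to the dotted Java name."""
    kind, utf8_index = pool[class_index]
    if kind != "Class":
        raise ValueError("index %d is a %s, not a Class" % (class_index, kind))
    return pool[utf8_index][1].replace("/", ".")


def class_summary(data):
    """Return (this class, super class, number of real constant pool entries)."""
    pool, offset = parse_constant_pool(data)
    _access_flags, this_class, super_class = struct.unpack_from(">HHH", data, offset)
    return class_name(pool, this_class), class_name(pool, super_class), len(pool)


def _utf8(s):
    b = s.encode("utf-8")
    return bytes([CONSTANT_Utf8]) + struct.pack(">H", len(b)) + b


# Constructed sample class (hypothetical; no methods or fields, only a constant pool).
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)   # magic, minor, major (Java 8)
    + struct.pack(">H", 8)                            # constant_pool_count: max index 7, plus one
    + bytes([CONSTANT_Class]) + struct.pack(">H", 2)  # #1 Class -> #2
    + _utf8("demo/Hello")                             # #2 Utf8 (internal slash form)
    + bytes([CONSTANT_Class]) + struct.pack(">H", 4)  # #3 Class -> #4
    + _utf8("java/lang/Object")                       # #4 Utf8
    + bytes([CONSTANT_Long]) + struct.pack(">q", 42)  # #5 Long, also owns phantom slot #6
    + _utf8("done")                                   # #7 Utf8
    + struct.pack(">HHH", 0x0021, 1, 3)               # access_flags, this_class, super_class
    + struct.pack(">HHHH", 0, 0, 0, 0)                # no interfaces, fields, methods, attributes
)

if __name__ == "__main__":
    pool, _ = parse_constant_pool(SAMPLE_CLASS)
    for i in sorted(pool):
        print("#%d %s" % (i, pool[i]))
    print(class_summary(SAMPLE_CLASS))
```

Note that six entries come back for a count of 8: one is the invalid index 0, the other is the phantom slot #6 behind the Long. A tool that counts entries instead of tracking the index will misalign every reference after the first long or double, which is exactly the kind of off-by-one that obfuscators exploit to confuse naive parsers.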
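Sections 5 and 6 together describe how a mnemonic like "iload_1" encodes its type prefix and implicit variable index, how "iload 5" needs an operand byte instead, and why ifeq and ifne are interchangeable with a single byte. The decoder below is an added example, not code from the post; it covers only the opcodes in its table, decodes branch operands as signed 16-bit offsets relative to the branch's own pc, and finishes with the integrity-check side of the section 6 story: given a known-good copy of a method's Code bytes, report which instruction changed. The sample Code bytes are constructed to match the shape of the password check the post describes (constant pool indices in them are placeholders).

```python
import struct

# Subset of the JVM opcode table: mnemonic and operand size in bytes.
OPCODES = {
    0x01: ("aconst_null", 0), 0x02: ("iconst_m1", 0), 0x03: ("iconst_0", 0),
    0x04: ("iconst_1", 0), 0x05: ("iconst_2", 0), 0x06: ("iconst_3", 0),
    0x07: ("iconst_4", 0), 0x08: ("iconst_5", 0), 0x0e: ("dconst_0", 0), 0x0f: ("dconst_1", 0),
    0x10: ("bipush", 1), 0x12: ("ldc", 1), 0x15: ("iload", 1), 0x19: ("aload", 1),
    0x1a: ("iload_0", 0), 0x1b: ("iload_1", 0), 0x1c: ("iload_2", 0), 0x1d: ("iload_3", 0),
    0x2a: ("aload_0", 0), 0x2b: ("aload_1", 0), 0x2c: ("aload_2", 0), 0x2d: ("aload_3", 0),
    0x36: ("istore", 1), 0x3b: ("istore_0", 0), 0x3c: ("istore_1", 0), 0x3d: ("istore_2", 0),
    0x3e: ("istore_3", 0), 0x60: ("iadd", 0), 0x63: ("dadd", 0),
    0x99: ("ifeq", 2), 0x9a: ("ifne", 2),          # adjacent opcodes: one byte apart
    0xac: ("ireturn", 0), 0xb1: ("return", 0), 0xb2: ("getstatic", 2), 0xb6: ("invokevirtual", 2),
}
BRANCHES = {"ifeq", "ifne"}
TYPED_BASES = {"const", "load", "store", "add", "return"}


def split_mnemonic(name):
    """Split a mnemonic into (type prefix, base, implicit index).

    'iload_1' -> ('i', 'load', 1); 'dadd' -> ('d', 'add', None);
    'ifeq' has no type prefix -> (None, 'ifeq', None).
    """
    base, _, suffix = name.partition("_")
    if suffix == "m1":
        implicit = -1
    elif suffix.isdigit():
        implicit = int(suffix)
    else:
        implicit = None            # aconst_null, or no suffix at all
    if len(base) > 1 and base[0] in "ilsbcfdza" and base[1:] in TYPED_BASES:
        return base[0], base[1:], implicit
    return None, base, implicit


def disassemble(code):
    """Linear-sweep decode of a Code attribute into (pc, mnemonic, operand) tuples.

    Branch operands are returned as absolute targets (pc + signed offset);
    other 2-byte operands are constant pool indices.
    """
    out = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError("opcode %#x at pc %d not in table" % (op, pc))
        name, size = OPCODES[op]
        operand = None
        if size == 1:
            operand = code[pc + 1]                       # local index or single-byte cp index
        elif size == 2 and name in BRANCHES:
            (offset,) = struct.unpack_from(">h", code, pc + 1)
            operand = pc + offset                        # target is relative to the branch itself
        elif size == 2:
            (operand,) = struct.unpack_from(">H", code, pc + 1)
        out.append((pc, name, operand))
        pc += 1 + size
    return out


def compare_code(original, candidate):
    """Report (pc, original mnemonic, candidate mnemonic) for every changed instruction."""
    a, b = disassemble(original), disassemble(candidate)
    if len(a) != len(b):
        raise ValueError("instruction counts differ: structural change, not an opcode swap")
    return [(pa, na, nb) for (pa, na, _), (_pb, nb, _) in zip(a, b) if na != nb]


# Constructed sample: aload_0; ldc #5; invokevirtual #6 (equals); ifeq -> 17;
# getstatic #7; ldc #8; invokevirtual #9 (println); return.
SAMPLE_CODE = bytes([
    0x2a,                 # pc 0  aload_0
    0x12, 0x05,           # pc 1  ldc #5
    0xb6, 0x00, 0x06,     # pc 3  invokevirtual #6
    0x99, 0x00, 0x0b,     # pc 6  ifeq +11 -> pc 17
    0xb2, 0x00, 0x07,     # pc 9  getstatic #7
    0x12, 0x08,           # pc 12 ldc #8
    0xb6, 0x00, 0x09,     # pc 14 invokevirtual #9
    0xb1,                 # pc 17 return
])
# The same bytes with the single byte at pc 6 flipped, as section 6 describes.
PATCHED_CODE = bytes(SAMPLE_CODE[:6] + bytes([0x9a]) + SAMPLE_CODE[7:])

if __name__ == "__main__":
    for pc, name, operand in disassemble(SAMPLE_CODE):
        print("%3d %-14s %s  %s" % (pc, name, "" if operand is None else operand, split_mnemonic(name)))
    print("changed:", compare_code(SAMPLE_CODE, PATCHED_CODE))
```

Running it prints the decoded method and then `changed: [(6, 'ifeq', 'ifne')]`, which is what a release-integrity check (hash of each method's Code bytes, or a straight comparison against the build artifact) would surface after the edit the post walks through; a single conditional with no other integrity check is exactly the pattern the post says most indie programs ship.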
RE: Getting Started With Java Reverse Engineering - Konloch - 08-21-2014
Updated

RE: Getting Started With Java Reverse Engineering - Konloch - 09-04-2014
Updated

RE: Getting Started With Java Reverse Engineering - HeyiTzEmO - 09-08-2014
It's a nice tutorial man, thanks. I'm going to look at some other stuff then try a crack me.

RE: Getting Started With Java Reverse Engineering - Konloch - 09-08-2014
(09-08-2014, 08:44 PM) HeyiTzEmO Wrote:
    It's a nice tutorial man, thanks. I'm going to look at some other stuff then try a crack me.
Thanks, I'll be sure to make some crack-mes soon. I've been quite busy lately so I haven't had much time to dedicate.

RE: Getting Started With Java Reverse Engineering - Konloch - 10-04-2014
Updated, added Decompiling the Classfile.

RE: Getting Started With Java Reverse Engineering - Konloch - 11-03-2014
Updated, included Bytecode Viewer.

RE: Getting Started With Java Reverse Engineering - xpiamchris - 11-25-2014
Do you have a good recommendation on where we can start learning some Java? Thanks!

RE: Getting Started With Java Reverse Engineering - Konloch - 11-25-2014
(11-25-2014, 11:10 AM) xpiamchris Wrote:
    Do you have a good recommendation on where we can start learning some Java?
http://docs.oracle.com/javase/tutorial/
I also recommend using an IDE like Eclipse for development.

RE: Getting Started With Java Reverse Engineering - zooty - 11-25-2014
(11-25-2014, 11:10 AM) xpiamchris Wrote:
    Do you have a good recommendation on where we can start learning some Java?
https://www.youtube.com/playlist?list=PLFE2CE09D83EE3E28
If you can understand his weird accent he's great.