
Thread: Java Byte Code Reverse Engineering: problems while patching

  1. #1

    Java Byte Code Reverse Engineering: problems while patching

    Hi,

    I am trying to patch an applet's code.

    Here is the piece of code I am trying to change:

    aload_0;
    invokevirtual echo.DataApplet:: java.net.URL getCodeBase()

    The class extends the JApplet class.

    I am changing it to:

    new java.net.URL
    dup
    ldc "http://xxxxxx"
    invokespecial java.net.URL::void <init>
    astore 1

    I am trying to hard-code the address it connects to so that I can run it using appletviewer; otherwise it gives a NullPointerException, since later on the URL object is used to connect to the server.

    When I patch the code I get an error:

    java.lang.ClassFormatError: Method <init> has illegal signature

    Can anybody help me with this?

  2. #2
    OHPen (::[ Reverse Engineer ]::; joined Nov 2002, 399 posts, 5 blog entries)
    Hi ronnie,

    Although I don't know what you have patched, I have to assume that you simply searched for the original string and overwrote it with the URL you want the string to point to!?
    If this assumption is correct and the original string is not as long as the string you try to patch in, you overwrote important data in the constant pool of the class. This could be the reason for the error message, if you damaged the string which declares the signature of the constructor.

    If your new string is not longer than the original one, you can overwrite the original string easily, but then you have to adjust the length field of your constant pool string entry to contain the length of your new string. You will also have to cut out the overlapping bytes; otherwise you will also damage the class file format.

    Nevertheless, a Java class file rebuilder is the best solution. If you don't want to write one on your own, use a binary instrumentation framework like BCEL or ASM, or rebuild your class file after applying the changes.

    Regards,
    OHPen.
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  3. #3
    Another possible avenue, assuming you know the URL being resolved, would be to just set up a dummy web server and edit your hosts file to point that URL to your private server.

    I've done it a couple of times with pretty decent results.

  4. #4
    @OHPen: the code I tried to patch is given in my earlier post:

    aload_0;
    invokevirtual echo.DataApplet:: java.net.URL getCodeBase()

    when translated becomes:

    java.net.URL url = getCodeBase();

    Now as you can see this poses a problem: I can't run it locally, that is, download the applet and run it using appletviewer in debug mode, and there is also no embedded string for the target web server.

    So I changed it to:

    java.net.URL url = new java.net.URL("http://<hardcoded address>");

    As you mentioned, I am using CCK (Class Construction Kit) (http://bcel.sourceforge.net/cck.html) to patch the code, so I think it'll do all the required corrections.

    Still I am getting the ClassFormatError message.

    Is this an issue with the tool?

    I replaced these two lines:

    aload_0;
    invokevirtual echo.DataApplet:: java.net.URL getCodeBase()

    with these four lines:

    new java.net.URL
    dup
    ldc "http://xxxxxx"
    invokespecial java.net.URL::void <init>

    Is there something wrong with the code?

  5. #5
    OHPen
    To be honest I have to admit I never used BCEL for my projects, as I'm working for a DRM company where we cannot use public tools like this. Therefore I wrote my own kit, which is doing well.

    I cannot help you without the source. If possible, upload it here and I will take a look. Should be a problem to get the source with a common decompiler.

    Regards,
    OHPen

  6. #6
    @OHPen: I was able to get it to work; I used the BCEL library directly, so there must have been some issue with the CCK tool.

  7. #7
    OHPen
    Hey,

    That's great news! Did you compare your working version against the non-working one?

    Would be interesting to see the difference between them.

    Regards,
    OHPen

  8. #8
    Yeah, the only difference I see is that CCK changes the entered ldc to ldc_w, and when I do it through BCEL it remains the same. No idea why that is happening and how it creates the ClassFormatError?

    There might be more changes, but these are the only ones visible to me.
    Last edited by ronnie291983; March 19th, 2010 at 05:29.
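Added example, not code from this thread or from BCEL/CCK: a small Python checker for a patched class file. It walks the constant pool, so the damaged Utf8 length field OHPen describes in #2 desynchronises the walk and is reported, and it flags any <init> method whose descriptor does not return void, which is the condition behind the "Method <init> has illegal signature" error in #1. The minimal class file builder, the class name Demo and the descriptors are constructed for the example; the built class has no Code attribute, so it exists only to exercise this structural check.

```python
import re
import struct

# Byte sizes of the fixed-width constant pool entries (JVM spec 4.4); Utf8 (tag 1) is variable-length
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def u2(data, off):
    return struct.unpack_from(">H", data, off)[0]

def parse_constant_pool(data, off):
    count = u2(data, off); off += 2
    pool, i = [None], 1                      # slot 0 is unused by the JVM
    while i < count:
        tag = data[off]; off += 1
        if tag == 1:                         # CONSTANT_Utf8: u2 length + bytes; a wrong length desyncs the walk
            n = u2(data, off); pool.append(data[off + 2:off + 2 + n].decode("utf-8")); off += 2 + n
        elif tag in FIXED:
            pool.append(data[off:off + FIXED[tag]]); off += FIXED[tag]
            if tag in (5, 6):                # Long/Double occupy two slots
                pool.append(None); i += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        i += 1
    return pool, off

def check_class(data):
    """Return a list of findings; an empty list means the class passes these checks."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        return ["bad magic number"]
    try:
        pool, off = parse_constant_pool(data, 8)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError) as e:
        return [f"constant pool unreadable ({e}); a length field or tag is probably corrupt"]
    off += 8 + 2 * u2(data, off + 6)         # skip access_flags, this_class, super_class, interfaces
    findings = []
    for kind in ("field", "method"):
        count = u2(data, off); off += 2
        for _ in range(count):
            _, name_i, desc_i, attr_n = struct.unpack_from(">HHHH", data, off); off += 8
            for _ in range(attr_n):          # attribute: u2 name, u4 length, then length bytes
                off += 6 + struct.unpack_from(">I", data, off + 2)[0]
            if kind == "method" and pool[name_i] == "<init>" and not re.fullmatch(r"\(.*\)V", pool[desc_i]):
                findings.append(f"<init> has illegal signature {pool[desc_i]!r}: constructors must return V")
    return findings

def build_class(init_desc):
    # Constructed minimal class (hypothetical, not from the thread): one <init> with the given descriptor
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()
    cp = [utf8("<init>"), utf8(init_desc), utf8("Demo"), b"\x07\x00\x03", utf8("java/lang/Object"), b"\x07\x00\x05"]
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, len(cp) + 1) + b"".join(cp)
            + struct.pack(">HHHHHH", 0x21, 4, 6, 0, 0, 1)   # access, this, super, 0 interfaces, 0 fields, 1 method
            + struct.pack(">HHHH", 1, 1, 2, 0))               # public <init>, no attributes (no Code: check-only)
```

Run check_class() on the patched .class before loading it; a constructor descriptor that is not of the form (...)V, or a constant pool that no longer parses, is reported instead of surfacing as a ClassFormatError at load time.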
