Thread: Any way to RCE java with ollydbg?

  1. #1
    alexopth1512
    Guest

    Any way to RCE java with ollydbg?

    I have this application that has encrypted Java .jar files. Can't decompile with JAD etc.
    There is a custom private_jre directory that most probably loads from a special rt.jar, but I can't figure out what is happening... (really no Java knowledge, but assembly, C...)

    So I was thinking of a way to breakpoint on java.dll and _java_java_classloader_defineclass calls, so I will be able to get the loading Java classes (too many "java" in this text d@mm) and dump them from memory, hoping that they will be decrypted.


    A thought was to attach to javaw.exe but the application will not stop on any point, if it detects altered jars or dlls it exits during launch.

    So far I found with WinHex the 0xCAFEBABE segments in javaw.exe's memory space and dumped them, but I think I didn't get all the info; information is missing.

    So, if I use a simple C program that executes "java -jar app.jar etc", will I be able to use OllyDbg, going to javaw.exe?

    Or any other ideas welcome.

    BTW, hello to this forum, after years of RCE (starting from Amstrads 20 years ago) this is my 1st post on a forum...
    I promise that I have read the FAQ and tried to use the Search to answer my question.
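    The 0xCAFEBABE blobs found in memory (post #1) can be checked for completeness before any decompile attempt. The following Python is an added example, not code from this thread: it walks a class file per the JVM specification (magic, constant pool, members, attributes) and reports whether a dumped blob is a whole class or cut short. SAMPLE is a constructed minimal class, and names like parse_class and check_dump are this example's own.

```python
import struct
# Fixed payload size per constant-pool tag (JVM spec 4.4); Utf8 (tag 1) is variable length
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 18: 4}
def parse_class(data):
    """Walk one class file; return (info, bytes_consumed) or raise ValueError if truncated."""
    pos = 0
    def rd(fmt):  # unpack `fmt` at pos with a bounds check; ">%ds" formats are used to skip
        nonlocal pos
        n = struct.calcsize(fmt)
        if pos + n > len(data):
            raise ValueError("truncated at offset %d (need %d bytes)" % (pos, n))
        vals = struct.unpack_from(fmt, data, pos); pos += n
        return vals[0] if len(vals) == 1 else vals
    if rd(">I") != 0xCAFEBABE:
        raise ValueError("no CAFEBABE magic")
    minor, major, cp_count = rd(">HHH")
    cp, i = [None] * cp_count, 1
    while i < cp_count:
        tag = rd(">B")
        if tag == 1:                                # CONSTANT_Utf8: u2 length, then bytes
            cp[i] = rd(">%ds" % rd(">H")).decode("utf-8", "replace")
        elif tag == 7:                              # CONSTANT_Class: u2 name_index
            cp[i] = rd(">H")
        elif tag in CP_FIXED:
            rd(">%ds" % CP_FIXED[tag])
        else:
            raise ValueError("bad constant tag %d at offset %d" % (tag, pos - 1))
        i += 2 if tag in (5, 6) else 1              # Long/Double occupy two pool slots
    access, this_idx, super_idx, n_if = rd(">HHHH")
    rd(">%ds" % (2 * n_if))                         # interface indices
    for _ in range(2):                              # fields, then methods (same member layout)
        for _ in range(rd(">H")):
            for _ in range(rd(">HHHH")[3]):         # access, name, descriptor, attributes_count
                rd(">%ds" % rd(">HI")[1])           # attribute_name_index, length, bytes
    for _ in range(rd(">H")):                       # class-level attributes
        rd(">%ds" % rd(">HI")[1])
    info = {"version": (major, minor), "access": access, "name": cp[cp[this_idx]],
            "super": cp[cp[super_idx]] if super_idx else None}
    return info, pos

def check_dump(blob):  # classify a dumped blob: complete class (+ trailing byte count) or not
    try:
        info, used = parse_class(blob)
        return {**info, "ok": True, "trailing": len(blob) - used}
    except (ValueError, IndexError, TypeError) as e:
        return {"ok": False, "error": str(e)}
# Constructed sample (not from the thread): smallest valid class "Foo extends java/lang/Object"
SAMPLE = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, 5) + b"\x07\x00\x02\x01\x00\x03Foo"
          + b"\x07\x00\x04\x01\x00\x10java/lang/Object" + struct.pack(">HHHHHHH", 0x21, 1, 3, 0, 0, 0, 0))
```

    A memory carve that stops before the parser has consumed the whole structure is reported as truncated with the offset reached, which is the "information is missing" case; bytes left over after a complete class are reported as trailing, so one carve can be split at that offset when two classes were dumped together.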

  2. #2
    Kayaker
    Hi. A couple of us worked on dumping java classes in a similar way here, maybe of some use to you.

    http://www.woodmann.com/forum/showthread.php?1692-Java-protection-w-Crypted-Class-Loaders-Help-my-brain-is-melting-!!!

    Cheers,
    Kayaker

  3. #3
    alexopth1512
    Guest
    Thanx for your reply mate

    I read this thread and I saw how much you helped. And actually the idea to break on defineclass came from this thread. I'll create a little wrapper in C and I will see what will happen.

    Also, if I upload rt.jar, is it possible to tell me how it decrypts the .jar files? (I am no Java man)

    OK, I created a simple C wrapper with CreateProcess() and when running from the wrapper it runs fine.
    I debugged till I found the SYSENTER from ntdll.
    I read the thread that deals with the problem but I don't understand the solution, if any.

    I have this on disassembler in Ollydbg:

    Code:
    LEA ESP, [EDX]
    LEA ECX, [ECX]
    MOV EDX,ESP
    SYSENTER
    RET
    stack has:
    return to ntdll
    return to kernel32 from ntdll.zwCreateThread
    12F720

    As I can understand, SYSENTER goes to ring0? Then returns to ring3, but OllyDbg doesn't know where it returns? ... I have to understand what is going on...

    I checked again the dump from memory of the .class I was mainly interested in. It seems that it is correct. In the original .jar file there are some other insignificant classes, mainly exception handlers, that I could not dump from memory. So one way is to learn some Java and create the missing classes that would simply return 0 and do nothing.

    I wonder if there is a magic or something by which rt.jar understands what .jar files are encrypted. In case I create a correct unencrypted version of the original one and replace it, I wonder if it would be loaded or rejected.
    Last edited by alexopth1512; August 4th, 2010 at 07:17.

  4. #4
    alexopth1512
    Guest
    I read other posts on SYSENTER carefully and found references, so I figured out what is going on. It doesn't seem to be much of a problem, I managed to step over, BUT...
    Change of plans, and I really had progress.
    I abandoned the wrapper idea. I found a simpler and more efficient way to debug.
    I just started command-line Olly and passed as argument the whole Java starting line.
    I previously set up the environment carefully. It works like a charm! Olly passes all the arguments to javaw.exe and I managed to run the application inside Olly.

    Now I will set breakpoints on all LoadLibrary calls so I will be near to finally entering java.dll. I have already done so for jvm.dll and it works...
    I don't have much time, so I look at it for a couple of hours every now and then, but it really seems to pay off....
    I'll post interesting breakpoints and function calls and in the end how I did it. I noticed imports on defineclass...
