
Java Byte Code Reverse Engineering: problems while patching


ronnie291983
March 12th, 2010, 06:26
Hi,

I am trying to patch an applet's code.

Here is the piece of code I am trying to change:

aload_0;
invokevirtual echo.DataApplet:: java.net.URL getCodeBase()

The class extends the JApplet class.

I am changing it to:

new java.net.URL
dup
ldc "http://xxxxxx"
invokespecial java.net.URL::void <init>
astore 1

I am trying to hard-code the address it connects to, so that I can run it using appletviewer; otherwise it gives a NullPointerException, since later on the URL object is used to connect to the server.

When I patch the code I get an error:

java.lang.ClassFormatError: Method <init> has illegal signature

Can anybody help me with this?

OHPen
March 12th, 2010, 08:13
Hi ronnie,

Although I don't know what you have patched, I have to assume that you simply searched for the original string and overwrote that string with the URL you want the string to point to!?
If this assumption is correct and the original string is not as long as the string you are trying to patch in, you overwrote important data in the constant pool of the class. This could be the reason for the error message, if you damaged the string which declares the signature of the constructor.

If your new string is not longer than the original one, you can overwrite the original string easily, but then you have to adjust the length field of your constant pool string entry to contain the length of your new string. You will also have to cut out the overlapping bytes, otherwise you will also damage the class file format.

Nevertheless, a Java class file rebuilder is the best solution. If you don't want to write one on your own, use a binary instrumentation framework like BCEL or ASM, or rebuild your class file after applying the changes.

regards,
OHPen.

CluelessNoob
March 12th, 2010, 09:07
Another possible avenue, assuming you know the URL being resolved, would be to just set up a dummy web server and edit your hosts file to point that URL to your private server.

I've done it a couple of times with pretty decent results.

ronnie291983
March 14th, 2010, 23:36
@OHPen: the code I tried to patch is given in my earlier post:

aload_0;
invokevirtual echo.DataApplet:: java.net.URL getCodeBase()

when translated becomes:

java.net.URL url = getCodeBase();

Now, as you can see, this poses a problem: I can't run it locally, that is, download the applet and run it using appletviewer in debug mode, and there is also no embedded string for the target web server.

So I changed it to java.net.URL url = new java.net.URL("http://<hardcoded address>");

As you mentioned, I am using CCK (Class Construction Kit) (http://bcel.sourceforge.net/cck.html) to patch the code, so I think it will do all the required corrections.

Still, I am getting the ClassFormatError message.

Is this an issue with the tool?

I replaced these two lines:

aload_0;
invokevirtual echo.DataApplet:: java.net.URL getCodeBase()

with these four lines:

new java.net.URL
dup
ldc "http://xxxxxx"
invokespecial java.net.URL::void <init>

Is there something wrong with the code?

OHPen
March 15th, 2010, 08:59
To be honest, I have to admit I never used BCEL for my projects, as I'm working for a DRM company where we cannot use public tools like this. Therefore I wrote my own kit, which is doing well.

I cannot help you without the source. If possible, upload it here and I will take a look. It should be a problem to get the source with a common decompiler.

regards,
OHPen

ronnie291983
March 19th, 2010, 00:15
@OHPen: I was able to get it to work. I used the BCEL library directly; there must have been some issues with the CCK tool.

OHPen
March 19th, 2010, 05:20
Hey,

That's great news! Did you compare your working version against the non-working one?

Would be interesting to see the difference between them.

Regards,
OHPen

ronnie291983
March 19th, 2010, 05:23
Yeah, the only difference I see is that CCK changes the entered ldc to ldc_w, and when I do it through BCEL it remains the same. No idea why that is happening or how it creates the ClassFormatError.

There might be more changes, but these are the only ones visible to me.
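The replacement discussed in this thread (aload_0; invokevirtual getCodeBase() swapped for new URL; dup; ldc; invokespecial URL.<init>) written against the BCEL library directly, as ronnie ended up doing. This is an added example, not code from the thread; it assumes BCEL 6.x package and class names, the class name echo/DataApplet.class from the thread, and a placeholder URL and output path.

```java
import java.io.IOException;
import org.apache.bcel.Const;
import org.apache.bcel.classfile.ClassParser;
import org.apache.bcel.classfile.Method;
import org.apache.bcel.generic.*;
public class PatchCodeBase {
    // Input class name from the thread; output path and URL are constructed placeholders.
    static final String IN = "echo/DataApplet.class", OUT = "patched/echo/DataApplet.class";
    static final String URL = "http://placeholder.invalid/";
    public static void main(String[] args) throws IOException {
        ClassGen cg = new ClassGen(new ClassParser(IN).parse());
        ConstantPoolGen cp = cg.getConstantPool();
        InstructionFactory f = new InstructionFactory(cg, cp);
        for (Method m : cg.getMethods()) {
            if (m.isAbstract() || m.isNative()) continue;   // no Code attribute to patch
            MethodGen mg = new MethodGen(m, cg.getClassName(), cp);
            InstructionList il = mg.getInstructionList();
            boolean changed = false;
            for (InstructionHandle ih = il.getStart(); ih != null; ih = ih.getNext()) {
                InstructionHandle next = ih.getNext();
                if (next == null || !(ih.getInstruction() instanceof ALOAD)) continue;
                if (((ALOAD) ih.getInstruction()).getIndex() != 0) continue;
                if (!(next.getInstruction() instanceof INVOKEVIRTUAL)) continue;
                if (!((INVOKEVIRTUAL) next.getInstruction()).getMethodName(cp).equals("getCodeBase")) continue;
                // createInvoke writes the NameAndType <init>:(Ljava/lang/String;)V, the void descriptor the JVM demands for <init>.
                InstructionList repl = new InstructionList();
                repl.append(f.createNew("java.net.URL"));
                repl.append(InstructionConst.DUP);
                repl.append(new PUSH(cp, URL));   // emits LDC or LDC_W depending on the pool index width
                repl.append(f.createInvoke("java.net.URL", "<init>", Type.VOID,
                        new Type[] { Type.STRING }, Const.INVOKESPECIAL));
                InstructionHandle start = il.insert(ih, repl);   // insert before the old aload_0
                try {
                    il.delete(ih, next);   // drop aload_0 + invokevirtual; the URL stays on the operand stack
                } catch (TargetLostException e) {   // a branch or exception table entry targeted aload_0
                    for (InstructionHandle lost : e.getTargets())
                        for (InstructionTargeter t : lost.getTargeters()) t.updateTarget(lost, start);
                }
                ih = start; changed = true;
            }
            if (changed) {
                mg.setMaxStack(); mg.setMaxLocals();   // new sequence needs stack depth 3 where the old needed 1
                cg.replaceMethod(m, mg.getMethod());
                il.dispose();
            }
        }
        cg.getJavaClass().dump(OUT);
    }
}
```

Because the replacement leaves the URL on the operand stack exactly where getCodeBase() left it, whatever astore follows in the original method is kept unchanged.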