Any way to RCE java with ollydbg?


alexopth1512
August 2nd, 2010, 18:26
I have this application that has encrypted java .jar files. Can't decompile with JAD etc.
There is a custom private_jre directory that most probably loads from a special rt.jar, but I can't figure out what is happening... (really no Java knowledge, but assembly, C...)

So I was thinking of a way to breakpoint on java.dll and the _java_java_classloader_defineclass calls, so I will be able to get the loading Java classes (too many "java" in this text, d@mm) and dump them from memory, hoping that they will be decrypted.


A thought was to attach to javaw.exe, but the application will not stop at any point; if it detects altered jars or dlls it exits during launch.

So far I found the 0xCAFEBABE segments in the javaw.exe memory space with WinHex and dumped them, but I think I didn't get all the info; information is missing.

So, if I use a simple C program that executes "java -jar app.jar etc.", will I be able to use OllyDbg, going into javaw.exe?

Or any other ideas welcome.

BTW, hello to this forum; after years of RCE (starting from Amstrads 20 years ago) this is my first post on a forum...
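An added example, not from the thread or from any of the posters: a Python carver for the situation described above, where the 0xCAFEBABE hits found with WinHex come out with information missing. Scanning for the magic finds where a class starts but not where it ends, so this walks the class-file structure (constant pool, fields, methods, attributes, as laid out in the JVM specification) to compute the exact length of each class and to tell a real class apart from a random magic hit. The major-version bound of 45 to 70 is an assumption used to reject false positives, and the sample classes and the "dump" in demo() are constructed test data, not bytes from any real javaw.exe.

```python
import struct

MAGIC = b"\xca\xfe\xba\xbe"
U2, U4 = ">H", ">I"
# Payload size after the tag for fixed-size constant-pool entries.  Tag 1 (Utf8)
# is variable-length; tags 5 and 6 (Long/Double) also occupy two pool slots.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


class Truncated(ValueError):
    """The dump ends before the class structure does: dump a larger region."""


def _read(buf, off, fmt):
    # One big-endian field at off; Truncated if the buffer is too short.
    if off + struct.calcsize(fmt) > len(buf):
        raise Truncated(off)
    return struct.unpack_from(fmt, buf, off)[0], off + struct.calcsize(fmt)


def _skip_attributes(buf, off):
    count, off = _read(buf, off, U2)
    for _ in range(count):
        _, off = _read(buf, off, U2)                 # attribute_name_index
        length, off = _read(buf, off, U4)
        _, off = _read(buf, off, "%ds" % length)     # opaque attribute body, bounds-checked
    return off


def _skip_members(buf, off):
    # fields[] and methods[] share one layout: access, name, descriptor, attributes.
    count, off = _read(buf, off, U2)
    for _ in range(count):
        off = _skip_attributes(buf, off + 6)
    return off


def parse_class(buf, start=0):
    """Parse the class at buf[start:]; return (end_offset, class_name or None)."""
    if buf[start:start + 4] != MAGIC:
        raise ValueError("no class magic at %d" % start)
    _, off = _read(buf, start + 4, U2)               # minor_version
    major, off = _read(buf, off, U2)
    if not 45 <= major <= 70:                        # JDK 1.1 .. a generous bound (assumption)
        raise ValueError("implausible major version %d" % major)
    cp_count, off = _read(buf, off, U2)
    pool, i = [None] * cp_count, 1                   # slot 0 is unused by the format
    while i < cp_count:
        tag, off = _read(buf, off, "B")
        if tag == 1:                                 # CONSTANT_Utf8: keep the bytes
            length, off = _read(buf, off, U2)
            pool[i] = buf[off:off + length]
            off += length
        elif tag in CP_FIXED:
            if tag == 7:                             # CONSTANT_Class: keep the name index
                pool[i], _ = _read(buf, off, U2)
            off += CP_FIXED[tag]
            i += tag in (5, 6)                       # Long/Double take two slots
        else:
            raise ValueError("bad constant-pool tag %d at %d" % (tag, off - 1))
        i += 1
    _, off = _read(buf, off, U2)                     # access_flags
    this_class, off = _read(buf, off, U2)
    _, off = _read(buf, off, U2)                     # super_class
    n_ifaces, off = _read(buf, off, U2)
    off = _skip_members(buf, off + 2 * n_ifaces)     # fields
    off = _skip_members(buf, off)                    # methods
    off = _skip_attributes(buf, off)                 # class attributes
    try:
        name = pool[pool[this_class]].decode("utf-8", "replace")
    except (IndexError, TypeError, AttributeError):
        name = None
    return off, name


def carve_classes(dump):
    """[(offset, length, name)] per magic hit that parses as a class; a class cut
    off by the end of the region is reported with length None."""
    found, pos = [], dump.find(MAGIC)
    while pos != -1:
        try:
            end, name = parse_class(dump, pos)
            found.append((pos, end - pos, name))
            pos = dump.find(MAGIC, end)
        except Truncated:
            found.append((pos, None, None))
            pos = dump.find(MAGIC, pos + 4)
        except ValueError:                           # magic hit that is not a class
            pos = dump.find(MAGIC, pos + 4)
    return found


def build_sample_class(name):
    """Constructed test data, not from any real dump: minimal valid class `name`
    extending java/lang/Object with one empty <init> method."""
    u2 = lambda v: struct.pack(U2, v)
    utf8 = lambda s: b"\x01" + u2(len(s.encode())) + s.encode()
    cp = [b"\x07" + u2(2), utf8(name), b"\x07" + u2(4), utf8("java/lang/Object"),
          utf8("<init>"), utf8("()V"), utf8("Code")]
    code = u2(1) + u2(1) + struct.pack(U4, 1) + b"\xb1" + u2(0) + u2(0)  # stack, locals, "return"
    method = u2(1) + u2(5) + u2(6) + u2(1) + u2(7) + struct.pack(U4, len(code)) + code
    return (MAGIC + u2(0) + u2(50) + u2(len(cp) + 1) + b"".join(cp)
            + u2(0x21) + u2(1) + u2(3) + u2(0) + u2(0) + u2(1) + method + u2(0))


def demo():
    """Constructed dump: padding, a full class, a stray magic, a second class, a cut-off class."""
    a, b = build_sample_class("com/example/Dumped"), build_sample_class("com/example/Helper")
    dump = b"\x00" * 16 + a + b"\xde\xad" + MAGIC + b"\xff\xff\xff" + b + b[:40]
    return carve_classes(dump)
```

Usage on a real dump: read the region saved from WinHex or OllyDbg into a bytes object, call carve_classes on it, and write each slice dump[offset:offset + length] to name.replace("/", ".") + ".class". An entry with length None means the class runs past the end of the region you dumped, which is the "information is missing" symptom; dump a larger region and carve again. Because the length comes from the structure and not from the next magic, a class that is followed by garbage or by a stale copy of itself is still cut at the right byte.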

Kayaker
August 2nd, 2010, 18:48
Hi. A couple of us worked on dumping java classes in a similar way here, maybe of some use to you.

http://www.woodmann.com/forum/showthread.php?1692-Java-protection-w-Crypted-Class-Loaders-Help-my-brain-is-melting-!!!

Cheers,
Kayaker

alexopth1512
August 3rd, 2010, 04:35
Thanks for your reply, mate.

I read this thread and I saw how much you helped. And actually the idea to break on defineclass came from this thread. I'll create a little wrapper in C and I will see what happens.

Also, if I upload rt.jar, is it possible to tell me how it decrypts the .jar files? (I am no Java man.)

OK, I created a simple C wrapper with CreateProcess(), and when running from the wrapper it runs fine.
I debugged until I found the SYSENTER from ntdll.
I read the thread that deals with the problem, but I don't understand the solution, if any.

I have this on disassembler in Ollydbg:

Code:

LEA ESP, [EDX]
LEA ECX, [ECX]
MOV EDX,ESP      ; KiFastSystemCall: hand the user-mode stack pointer to the kernel
SYSENTER         ; switch to ring 0; the kernel dispatches the service in EAX
RET              ; KiFastSystemCallRet: the kernel's SYSEXIT lands here, back in ring 3


stack has:
return to ntdll
return to kernel32 from ntdll.zwCreateThread
12F720

As I understand it, SYSENTER goes to ring 0? Then it returns to ring 3, but OllyDbg doesn't know where it returns? ... I have to understand what is going on...

I checked again the memory dump of the .class I was mainly interested in. It seems that it is correct. In the original .jar file there are some other insignificant classes, mainly exception handlers, that I could not dump from memory. So one way is to learn some Java and create the missing classes, which would simply return 0 and do nothing.

I wonder if there is a magic or something by which rt.jar understands which .jar files are encrypted. In case I create a correct unencrypted version of the original one and replace it, I wonder whether it would be loaded or rejected.

alexopth1512
August 5th, 2010, 17:00
I read other posts about SYSENTER carefully and found references, so I figured out what is going on; it doesn't seem to be much of a problem, I managed to step over it, BUT...
Change of plans, and I really made progress.
I abandoned the wrapper idea. I found a simpler and more efficient way to debug.
I just started command-line Olly and passed the whole Java start line as arguments.
I had previously set up the environment carefully. It works like a charm! Olly passes all the arguments to javaw.exe and I managed to run the application inside Olly.

Now I will set breakpoints on all LoadLibrary calls, so I will be close to finally entering java.dll. I have already done so for jvm.dll and it works...
I don't have much time, so I look at it for a couple of hours every now and then, but it really seems to pay off...
I'll post interesting breakpoints and function calls and, in the end, how I did it. I noticed imports on defineclass...