How would I deal with java/html embedded?


Gorr
July 11th, 2002, 16:31
Hi,
I have a program which has a window with an ActiveX web browsing component on it. If I left-click the surface of it and press Ctrl+F, the Microsoft Explorer search window is shown.
I have also checked that the msjava module gets loaded.

This all makes me believe that behind it an HTML/Java or other scripting language is used in place of a key check routine.

If this is Java, I heard the "dump the Java class and decompile with jed" approach could be employed. However, I do not have any idea how to determine the start and end addresses of the class to dump.

How do I find the addresses, or may there be other methods?

Any links to guides are much appreciated.

Thanks

Clandestiny
July 12th, 2002, 02:18
Hiya Gorr,

Well, as it turns out, dumping Java classes is surprisingly easy. If you look at the exports in your msjava.dll, you should see a java_lang_ClassLoader_defineClass0. This is the API the Java virtual machine calls to dynamically load class files, and the one you will probably want to place a bpx on.

The defineClass function's parameters are as follows:

defineClass
protected final Class defineClass(byte data[], int offset, int length)

Converts an array of bytes to an instance of class Class. Before the Class can be used it must be resolved.

Parameters:
data - the bytes that make up the Class
offset - the start offset of the Class data
length - the length of the Class data

Returns:
the Class object which was created from the data

From this API, you have the starting offset of the class in memory as well as the length of the entire class file (everything you need to do a decompilable dump of the class).

I used this technique on a rather unique 'packed' Java app at one time that dynamically loaded its classes from a crypted .bin file. I also noted that the start offset of the class data appeared offset by 8 bytes so the start address of my dump was the offset parameter + 8 of the defineClass API. You can actually determine the beginning of the class by visual inspection as all java class files begin with the signature byte sequence CA FE BA BE. If dumped correctly, you should have no trouble running your class files through a decompiler like JAD.

Ooh, gotta love Java's OOP... They make it sooo easy for us

Hope this helps,
Clandestiny

chitech
September 7th, 2002, 13:21
alo Clandestiny

I have tried to dump a Java class file from memory, but SoftICE doesn't break.

I set a bpx on java_lang_classloader_defineclass0 (msjava.dll) -> SoftICE doesn't break. But when I set a bpx on _java_java_lang_classloader_defineclass0@28 (java.dll) -> SoftICE breaks.

The problem is that it doesn't look like

push xxxxxxxxx
push xxxxxxxxx
push xxxxxxxxx
call xxxxxxxxx

I have attached the file I want to dump from

Please guide me... Thx

Chitech

Clandestiny
September 8th, 2002, 02:05
Hiya,

I don't think your attachment made it onto your post... Can you try to attach it again or mail it to me so I can have a look at the target.

Thanks,
Clandestiny

chitech
September 8th, 2002, 17:42
Here is the file....

esther
September 8th, 2002, 17:50
Didn't you read the main RCE messageboards Regroupment?
No uploads. You should send it by mail.

chitech
September 8th, 2002, 20:39
alo Clandestiny

I have solved the problem. It's because I use the JVM from Sun, so I have to use java.dll instead of msjava.dll from Microsoft.

I set a breakpoint on _java_java_lang_classloader_defineclass0@28

ebp+14 -> size
ebp+18 -> offset
ebp+2c -> image

When I dump from memory I use this statement:

/dump image+12byte size c:\test.class

And it works

It looks like there is a little difference between the Microsoft & Sun JVMs.


Chitech
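
Added example (not code from this thread or from either poster): Clandestiny's post works from the defineClass data/offset/length arguments and notes that the class bytes start 8 bytes past the raw pointer; chitech's post finds the same thing on Sun's java.dll with a 12-byte shift. Both rely on reading the length out of the call. The script below shows the other way to get the end address: scan a raw memory dump for the CA FE BA BE magic and walk the class-file structure (constant pool, fields, methods, attributes) to compute the exact length, so the carved file is complete and decompilable even when the arguments are not at hand. The sample "memory dump" is constructed inline, including a fake 8-byte prefix and a truncated false-positive magic at the end, to show the parser rejecting a bad hit.

```python
"""Carve Java class files out of a raw memory dump by parsing the class-file
structure to find each class's true length. Added example; sample data below
is constructed, not taken from any real target."""
import struct

MAGIC = b"\xca\xfe\xba\xbe"
# Payload size following each constant-pool tag (JVM spec ch. 4.4).
# CONSTANT_Utf8 (tag 1) is variable length and handled separately.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


class Reader:
    """Cursor over a byte buffer that raises on any read past the end."""
    def __init__(self, buf, pos=0):
        self.buf, self.pos = buf, pos

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated class file")
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def u2(self):
        return struct.unpack(">H", self.take(2))[0]

    def u4(self):
        return struct.unpack(">I", self.take(4))[0]


def skip_attributes(r):
    """Skip an attributes table: u2 count, then (u2 name, u4 length, bytes)."""
    for _ in range(r.u2()):
        r.u2()
        r.take(r.u4())


def class_file_length(buf, start):
    """Return the byte length of the class file whose magic sits at buf[start]."""
    r = Reader(buf, start)
    if r.take(4) != MAGIC:
        raise ValueError("bad magic")
    r.u2(); r.u2()                          # minor_version, major_version
    cp_count = r.u2()
    i = 1                                   # constant pool indices are 1-based
    while i < cp_count:
        tag = r.take(1)[0]
        if tag == 1:                        # CONSTANT_Utf8: u2 length + bytes
            r.take(r.u2())
        elif tag in CP_FIXED:
            r.take(CP_FIXED[tag])
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 2 if tag in (5, 6) else 1      # Long/Double occupy two slots
    r.u2(); r.u2(); r.u2()                  # access_flags, this_class, super_class
    r.take(2 * r.u2())                      # interfaces
    for _ in range(2):                      # fields table, then methods table
        for _ in range(r.u2()):
            r.take(6)                       # access_flags, name_index, descriptor_index
            skip_attributes(r)
    skip_attributes(r)                      # class-level attributes
    return r.pos - start


def carve(dump):
    """Return (offset, length) for every parseable class file in the dump."""
    found = []
    pos = dump.find(MAGIC)
    while pos != -1:
        try:
            length = class_file_length(dump, pos)
            found.append((pos, length))
            pos = dump.find(MAGIC, pos + length)
        except ValueError:                  # random bytes or a truncated hit
            pos = dump.find(MAGIC, pos + 1)
    return found


def build_sample_class():
    """Constructed minimal class 'Foo extends Object' with a SourceFile attribute."""
    def utf8(s):
        return b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = (b"\x07\x00\x02" + utf8("Foo")                 # 1: Class, 2: Utf8
          + b"\x07\x00\x04" + utf8("java/lang/Object")  # 3: Class, 4: Utf8
          + b"\x05" + struct.pack(">Q", 0x1234)         # 5: Long (uses slots 5 and 6)
          + utf8("SourceFile") + utf8("Foo.java"))      # 7, 8: Utf8
    return (MAGIC + struct.pack(">HHH", 0, 52, 9)       # versions, cp_count
            + cp + struct.pack(">HHH", 0x0021, 1, 3)    # flags, this_class, super_class
            + struct.pack(">HHHH", 0, 0, 0, 1)          # no interfaces/fields/methods, 1 attr
            + struct.pack(">HIH", 7, 2, 8))             # SourceFile -> "Foo.java"


def build_sample_dump():
    """Constructed 'memory': junk, an 8-byte prefix like the one noted in the
    thread, two copies of the class, and a truncated magic at the end."""
    cls = build_sample_class()
    prefix = b"\x00" * 8
    return (b"junk" * 4 + prefix + cls + b"\x00" * 16
            + prefix + cls + MAGIC + b"\xff\xff")


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, ln in carve(dump):
        print(f"class at 0x{off:x}, {ln} bytes")   # write dump[off:off+ln] to a .class
```

In practice, feed the script a raw region dumped around the defineClass data pointer (or the whole process heap); every hit it reports is a complete class file, and anything it skips was either not a class or was cut off, which is exactly the case where dumping "offset + 8, length" blindly would give JAD a file it cannot parse.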