9
votes
Accepted
Find function in a stripped dynamic ELF library
There are two broad ways in which you can declare JNI functions.
The first is the more obvious way in which the JNI function has to follow a specific naming convention like JNIEXPORT void JNICALL ...
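For the first convention, the exported symbol name is derived from the class and method name by JNI's mangling rules, so even in a stripped library the `Java_...` entries in `.dynsym` (what `nm -D --defined-only libfoo.so` or `readelf --dyn-syms libfoo.so` prints) tell you which Java method each native function implements; stripping removes `.symtab`, not the dynamic export table. The script below is an added example, not part of the answer above: it mangles and demangles JNI export names and sorts a constructed list of exported symbols (made up for illustration, standing in for `nm -D` output) into JNI implementations. Accepting `.` as well as `/` as the package separator is a convenience added here; JNI itself mangles the internal `/` form. If no `Java_` symbols turn up but `JNI_OnLoad` is exported, the library most likely registers its natives at load time with `RegisterNatives`, and the mapping has to be recovered from that function instead.

```python
import re

_ESCAPES = {"_": "_1", ";": "_2", "[": "_3"}

def mangle(s):
    """JNI name mangling (JNI spec, 'Resolving Native Method Names') for a fully
    qualified class name, a method name or an argument-descriptor string.
    Treating '.' like '/' as a package separator is a convenience added in this example."""
    out = []
    for ch in s:
        if ch in "/.":
            out.append("_")
        elif ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:                                  # '$' of inner classes, non-ASCII letters, ...
            out.append("_0%04x" % ord(ch))
    return "".join(out)

def jni_export_name(class_name, method, descriptor=None):
    """Short export name, or the long (overload) form when a method descriptor is given."""
    name = "Java_" + mangle(class_name) + "_" + mangle(method)
    if descriptor is not None:
        args = descriptor[descriptor.index("(") + 1:descriptor.index(")")]
        name += "__" + mangle(args)
    return name

def _segments(body):
    """Undo the mangling: '_' followed by 1/2/3/0 is an escape, a bare '_' ends a segment."""
    segs, i = [[]], 0
    while i < len(body):
        ch, nxt = body[i], body[i + 1:i + 2]
        if ch != "_":
            segs[-1].append(ch); i += 1
        elif nxt == "1":
            segs[-1].append("_"); i += 2
        elif nxt == "2":
            segs[-1].append(";"); i += 2
        elif nxt == "3":
            segs[-1].append("["); i += 2
        elif nxt == "0":
            hexval = body[i + 2:i + 6]
            if not re.fullmatch(r"[0-9a-fA-F]{4}", hexval):
                raise ValueError("bad _0XXXX escape at offset %d" % i)
            segs[-1].append(chr(int(hexval, 16))); i += 6
        else:
            segs.append([]); i += 1
    return ["".join(s) for s in segs]

def demangle(symbol):
    """Return (class_name, method, arg_descriptors_or_None), or None for a non-JNI symbol."""
    if not symbol.startswith("Java_"):
        return None
    segs = _segments(symbol[len("Java_"):])
    args = None
    if "" in segs:                             # the '__' overload separator leaves an empty segment
        k = segs.index("")
        segs, args = segs[:k], "/".join(segs[k + 1:])
    if len(segs) < 2:
        return None
    return "/".join(segs[:-1]), segs[-1], args

def classify_exports(symbols):
    """Map JNI export symbols to Java methods and report whether JNI_OnLoad is exported,
    which points at RegisterNatives-style registration when no Java_ symbols exist."""
    jni = {}
    for s in symbols:
        parsed = demangle(s)
        if parsed is not None:
            jni[s] = parsed
    return jni, "JNI_OnLoad" in symbols

# Constructed symbol list standing in for `nm -D --defined-only libnative.so` output.
SAMPLE_SYMBOLS = [
    "JNI_OnLoad",
    "Java_com_example_app_NativeLib_stringFromJNI",
    "Java_com_example_app_Crypto_00024Impl_encrypt__Ljava_lang_String_2_3B",
    "Java_com_ex_1ample_Util_do_1work",
    "free", "malloc", "__cxa_finalize",
]

if __name__ == "__main__":
    found, onload = classify_exports(SAMPLE_SYMBOLS)
    for sym, (cls, meth, args) in found.items():
        print("%s -> %s.%s%s" % (sym, cls.replace("/", "."), meth, "(%s)" % args if args else ""))
    print("JNI_OnLoad exported:", onload)
```

The long form with the `__` suffix only appears when a class overloads a native method, and the JVM tries the short name first, so a library may export either or both for the same method.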
7
votes
Accepted
Why do obfuscators remove line numbers, and can I safely leave them in?
Stripping line numbers has a minimal impact on the difficulty of reverse engineering code. If it is causing you problems, I would recommend disabling it.
Col-E's answer is a red herring because it is ...
6
votes
Accepted
[Ghidra]How to set global variable type?
First get the DataType that you want, for example struct foo:
DataType dt = getDataTypes("foo")[0];
Or if it's just a pointer you'll have to get the pointer of that type.
You said you ...
5
votes
Extracting classes from running JVM
You can dump bytecode at runtime using HotSpot tools, and use a decompiler to reverse the bytecode. I made a proof of concept, available here
It requires 3 dependencies:
JDK libraries (sa-jdi.jar, ...
5
votes
Are there any Java decompilers accurate enough that if I recompiled the result, it should be identical to the original program?
Krakatau is probably the decompiler most likely to produce code equivalent in behavior to the original (unless the code is using Java 8 lambdas, which Krakatau doesn't support). However, it is not ...
5
votes
Accepted
Dynamic analysis (Frida) reveals instance of a class that doesn't exist in the source code (dex2jar)
There are multiple possibilities how this might happen.
The code is loaded dynamically at run-time, e.g. for an [obfuscated/encrypted] dex file that is present in the APK file but does not follow the ...
4
votes
Compute stack frames while edit java bytecode
Stack maps were a feature added in Java 6 (corresponding to version 50), but were not made mandatory until Java 7 (version 51) in order to ease the transition. Stack maps make classloading slightly ...
4
votes
Is PNF's JEB Reverse Engineering platform written in pure Java?
There's no technical limitation preventing software development in Java versus C. The only major advantage is execution speed. Moreover, as JEB is directed towards Java programs (android APKs) writing ...
4
votes
Accepted
Constant pool error
The issue is that constant pool entry 67 (the one for your List.get() method) has the type Method, rather than InterfaceMethod, even though you are trying to invoke it as an interface method. When ...
4
votes
Accepted
Dealing with heavily obfuscated Java, possibly on bytecode level
First off, you should never use javap when dealing with obfuscated applications, because javap is not designed to handle malicious bytecode, and can easily be thwarted in a number of ways. Luckily, ...
4
votes
Accepted
How do we decompile java so easy?
In short, the difference is in the format into which Java and native code are compiled and executed. Compilation into native code formats eliminates from the resulting executable a lot of information that ...
3
votes
Accepted
Patching a class file inside Jar using bytecode
Can you post the classfile, as well as the changes you want made to it? Depending on the changes, it should be possible. Obviously if you want to add a lot of new code or data, that won't be possible ...
3
votes
How can I generate the recovery password on a legacy system (Original company is out of business) running on my local machine?
There's not much information to go on, but I would probably try to proceed like this:
Figure out how the web server is running (e.g. what is the server process?) and where are the pages and any ...
3
votes
Accepted
How can I open id0, id1, nam, so, or til files?
id0, id1, nam and til files are the temporary files which IDA creates when you load your binary into it. And after you close IDA, choosing to save the disassembly result, it's going to delete those ...
3
votes
Reversing video protocol for chinese drone so i can view the stream outside of the app
Download the apk and open it in jadx or any such decompiler tool. The app is not obfuscated. package com.lewei.lib looks promising with classes like VideoPlayer, FlyCtrl, H264Frame etc. On looking ...
3
votes
How to add code to compiled java class
There are several ways to achieve this:
Decompile .class to .java source (not necessarily original source, but equivalent), make your changes, compile again. There are many Java decompilers out there, ...
3
votes
can't edit class file with recaf.0.9 without re-compile
How can I edit .class file and not recompile it , and not working with bytecode.
These requirements are contradictory. You have to choose one or the other.
There are two main ways to edit Java code. ...
3
votes
What is a good Java decompiler and deobfuscator?
I'm using https://github.com/JetBrains/intellij-community/tree/master/plugins/java-decompiler/engine
It's the decompiler from IntelliJ; it decompiles code where JD-GUI fails.
It's an unofficial mirror ...
Community wiki
3
votes
Reverse engineering android native packer
You can't analyze native functions with a standard decompiler because native functions are not implemented in the Java Bytecode (The Java Native Keyword and Methods).
You have to use common x86 ...
3
votes
Constant pool error
Regarding your comment (Would respond as a comment, but don't have the 50 rep yet):
I added links to the class file before and after modification. Is there any other better tool around?
I develop ...
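The constant pool mismatch in the two answers above (a Methodref where invokeinterface needs an InterfaceMethodref) and the StackMapTable requirement from the stack-frame answer earlier on this page are both things a class-file parser can catch before the JVM's verifier rejects the class. The script below is an added example, not code from either answer or from any tool named on this page: it parses the constant pool and the Code attributes of a class file, walks each method's bytecode, and reports invoke instructions whose operand has a constant-pool tag the instruction does not accept, plus methods that branch but carry no StackMapTable in a version 51+ class. The class file it checks is hand-assembled inside the script (a `static void run(List)` that calls `List.get(0)`) so that it runs offline; feed the bytes of a real `.class` to `parse_class` instead.

```python
import struct

# Constant-pool tags (JVMS 4.4) and the payload size of every fixed-size entry kind.
CP_UTF8, CP_LONG, CP_DOUBLE, METHODREF, IFACE_METHODREF = 1, 5, 6, 10, 11
CP_FIXED = {3: 4, 4: 4, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
BRANCH_OPS = set(range(0x99, 0xa9)) | {0xaa, 0xab, 0xc6, 0xc7, 0xc8, 0xc9}  # if*, goto, jsr, switches

class _Reader:
    def __init__(self, data): self.data, self.pos = data, 0
    def u1(self): self.pos += 1; return self.data[self.pos - 1]
    def u2(self): self.pos += 2; return struct.unpack_from(">H", self.data, self.pos - 2)[0]
    def u4(self): self.pos += 4; return struct.unpack_from(">I", self.data, self.pos - 4)[0]
    def take(self, n): self.pos += n; return self.data[self.pos - n:self.pos]

def _parse_constant_pool(r):
    count = r.u2()
    cp, i = [None] * count, 1                       # slot 0 is never used
    while i < count:
        tag = r.u1()
        if tag == CP_UTF8:
            cp[i] = (tag, r.take(r.u2()).decode("utf-8", "replace")); i += 1
        elif tag in (CP_LONG, CP_DOUBLE):
            cp[i] = (tag, r.take(8)); i += 2         # 8-byte constants occupy two slots
        elif tag in CP_FIXED:
            cp[i] = (tag, r.take(CP_FIXED[tag])); i += 1
        else:
            raise ValueError("bad constant pool tag %d at index %d" % (tag, i))
    return cp

def _attributes(r, cp):
    for _ in range(r.u2()):
        name, length = cp[r.u2()][1], r.u4()
        yield name, r.take(length)

def _parse_method(r, cp):
    r.u2()                                          # access_flags
    m = {"name": cp[r.u2()][1], "code": b"", "handlers": 0, "stackmap": False}
    r.u2()                                          # descriptor_index
    for name, raw in _attributes(r, cp):
        if name == "Code":
            c = _Reader(raw)
            c.u2(); c.u2()                          # max_stack, max_locals
            m["code"] = c.take(c.u4())
            m["handlers"] = c.u2()
            c.take(8 * m["handlers"])               # exception table
            m["stackmap"] = any(n == "StackMapTable" for n, _ in _attributes(c, cp))
    return m

def parse_class(data):
    r = _Reader(data)
    if r.u4() != 0xCAFEBABE:
        raise ValueError("not a class file")
    r.u2()                                          # minor_version
    major = r.u2()
    cp = _parse_constant_pool(r)
    r.take(6)                                       # access_flags, this_class, super_class
    r.take(2 * r.u2())                              # interfaces
    for _ in range(r.u2()):                         # fields: skip each one and its attributes
        r.take(6); list(_attributes(r, cp))
    return {"major": major, "cp": cp, "methods": [_parse_method(r, cp) for _ in range(r.u2())]}

def insn_len(code, pc):
    """Length of the instruction at pc (JVMS 6.5), including the variable-length ones."""
    op = code[pc]
    if op in (0xaa, 0xab):                          # tableswitch / lookupswitch: pad to 4-byte alignment
        p = (pc + 4) & ~3
        if op == 0xaa:
            low, high = struct.unpack_from(">ii", code, p + 4)
            return p + 12 + 4 * (high - low + 1) - pc
        return p + 8 + 8 * struct.unpack_from(">i", code, p + 4)[0] - pc
    if op == 0xc4: return 6 if code[pc + 1] == 0x84 else 4    # wide (6 bytes for wide iinc)
    if op in (0x10, 0x12, 0xa9, 0xbc) or 0x15 <= op <= 0x19 or 0x36 <= op <= 0x3a: return 2
    if (op in (0x11, 0x13, 0x14, 0x84, 0xbb, 0xbd, 0xc0, 0xc1, 0xc6, 0xc7)
            or 0x99 <= op <= 0xa8 or 0xb2 <= op <= 0xb8): return 3
    if op == 0xc5: return 4                         # multianewarray
    if op in (0xb9, 0xba, 0xc8, 0xc9): return 5     # invokeinterface, invokedynamic, goto_w, jsr_w
    return 1

def check_class(cls):
    """Return (bad_invokes, methods_needing_frames); a bad invoke is
    (method, pc, opcode, cp_index, actual_tag) where the operand's tag is not allowed."""
    bad, need_frames = [], []
    for m in cls["methods"]:
        code, pc, branches = m["code"], 0, m["handlers"] > 0
        while pc < len(code):
            op = code[pc]
            branches = branches or op in BRANCH_OPS
            if 0xb6 <= op <= 0xb9:                  # invokevirtual/special/static/interface
                idx = struct.unpack_from(">H", code, pc + 1)[0]
                tag = cls["cp"][idx][0]
                if op == 0xb6: allowed = {METHODREF}
                elif op == 0xb9: allowed = {IFACE_METHODREF}
                else: allowed = {METHODREF, IFACE_METHODREF} if cls["major"] >= 52 else {METHODREF}
                if tag not in allowed:
                    bad.append((m["name"], pc, op, idx, tag))
            pc += insn_len(code, pc)
        if branches and cls["major"] >= 51 and not m["stackmap"]:
            need_frames.append(m["name"])           # version 51+ needs a frame at every branch target
    return bad, need_frames

def _utf8(s):
    b = s.encode("utf-8")
    return struct.pack(">BH", CP_UTF8, len(b)) + b

# Constructed sample, not a compiled class: static void run(List l) { l.get(0); }.
# Entry 13 is the List.get reference; the caller picks its tag (10 reproduces the error, 11 is correct).
SAMPLE_CODE = bytes([0x2a, 0x03, 0xb9, 0x00, 0x0d, 0x02, 0x00, 0x57, 0xb1])  # aload_0 iconst_0 invokeinterface #13 pop return

def build_sample_class(ref_tag, major=51):
    cp = [struct.pack(">BH", 7, 2), _utf8("Foo"), struct.pack(">BH", 7, 4), _utf8("java/lang/Object"),
          _utf8("run"), _utf8("(Ljava/util/List;)V"), _utf8("Code"), struct.pack(">BH", 7, 9),
          _utf8("java/util/List"), struct.pack(">BHH", 12, 11, 12), _utf8("get"),
          _utf8("(I)Ljava/lang/Object;"), struct.pack(">BHH", ref_tag, 8, 10)]
    code_attr = struct.pack(">HHI", 2, 1, len(SAMPLE_CODE)) + SAMPLE_CODE + struct.pack(">HH", 0, 0)
    method = struct.pack(">HHHH", 0x0009, 5, 6, 1) + struct.pack(">HI", 7, len(code_attr)) + code_attr
    return (struct.pack(">IHHH", 0xCAFEBABE, 0, major, len(cp) + 1) + b"".join(cp)
            + struct.pack(">HHHHHH", 0x0021, 1, 3, 0, 0, 1) + method + b"\x00\x00")
```

`check_class(parse_class(build_sample_class(METHODREF)))` reports the bad invokeinterface at pc 2 against entry 13; with `IFACE_METHODREF` it reports nothing. The version check on invokespecial/invokestatic matters: from class version 52 (Java 8) those instructions may legitimately reference an interface method, so a checker written against older class files would produce false positives on newer ones. A method with straight-line code needs no StackMapTable even at version 51+, which is why only methods with branch targets or exception handlers are flagged.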
3
votes
How to do debug a running java process in linux?
You can use jdb to attach to a running program without having compiled it with debug flags.
on my machine with jdb located at /usr/local/jdk/jdk1.8.0_202/bin/jdb
and pid of my running java process = ...
3
votes
Java reverse engineering tool
I develop Recaf, a free Java bytecode editor. Recaf currently supports most of what you're looking for in the current release (Decompile via CFR, class/member renaming, a verbose search feature, and ...
3
votes
Accepted
J2ME games obfuscator - Spyro and Tekken 5
No there isn't. You'll have to assign meaningful names yourself while reverse engineering.
Just be glad that even with names stripped, Java is far easier to reverse engineer than native binaries.
3
votes
Accepted
How can I retrieve the encryption key in this code?
The encryption key is stored in the variable f4800b. It comes out to the following byte array.
43, 57, 97, -68, -63, -61, -40, 9, 50, 87, -104, 101, 63, 34, -78, 60
The cipher algorithm used is ...
3
votes
How can I get classes from "protected" JAR file?
The obfuscator probably used the '\u0000' "exploit".
This character is known as the NUL terminator and it's used to mark the end of a character string in C/C++.
All renamed classes will ...
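To see which entries actually carry the NUL you need a reader that does not quietly fix names up for you. The script below is an added example, not the obfuscator's or any named tool's code: it writes a small stored jar whose entry names contain U+0000 (constructed here, because Python's own zipfile module cuts a name at the first NUL when it builds a ZipInfo and so can neither write nor list such entries faithfully), reads the central directory by hand, lists the suspicious names and extracts everything under escaped names. The escaped file names are only good for looking at the classes: the names inside each class's constant pool are untouched, so a decompiler still sees the original '\u0000' names until those are remapped as well.

```python
import re
import struct
import zlib

CONTROL = re.compile(r"[\x00-\x1f\x7f]")        # NUL and the other control characters

def build_stored_zip(entries):
    """Minimal writer for an uncompressed zip/jar. Hand-rolled because zipfile.ZipInfo
    truncates names at the first NUL and therefore cannot produce this kind of file."""
    body, central = b"", b""
    for name, data in entries:
        raw, crc = name.encode("utf-8"), zlib.crc32(data) & 0xffffffff
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014b50, 20, 20, 0x800, 0, 0, 0, crc,
                               len(data), len(data), len(raw), 0, 0, 0, 0, 0, len(body)) + raw
        body += struct.pack("<IHHHHHIIIHH", 0x04034b50, 20, 0x800, 0, 0, 0, crc,
                            len(data), len(data), len(raw), 0) + raw + data
    eocd = struct.pack("<IHHHHIIH", 0x06054b50, 0, 0, len(entries), len(entries), len(central), len(body), 0)
    return body + central + eocd

def read_entries(zip_bytes):
    """Yield (raw name bytes, data) straight from the central directory, so names are seen
    exactly as stored, NUL bytes included. Handles stored and deflated entries."""
    eocd = zip_bytes.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _, cd_off, _ = struct.unpack_from("<HHHHIIH", zip_bytes, eocd + 4)
    pos = cd_off
    for _ in range(total):
        if zip_bytes[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory entry at offset %d" % pos)
        method = struct.unpack_from("<H", zip_bytes, pos + 10)[0]
        csize, usize, nlen, xlen, clen = struct.unpack_from("<IIHHH", zip_bytes, pos + 20)
        local = struct.unpack_from("<I", zip_bytes, pos + 42)[0]
        name = zip_bytes[pos + 46:pos + 46 + nlen]
        lnlen, lxlen = struct.unpack_from("<HH", zip_bytes, local + 26)   # local header name/extra sizes
        start = local + 30 + lnlen + lxlen
        data = zip_bytes[start:start + csize]
        if method == 8:
            data = zlib.decompress(data, -15)
        elif method != 0:
            raise ValueError("unsupported compression method %d" % method)
        yield name, data
        pos += 46 + nlen + xlen + clen

def suspicious_entries(zip_bytes):
    """Entry names containing control characters: a C-string based tool truncates them
    at the NUL and a shell cannot even type them."""
    return [n for n, _ in read_entries(zip_bytes) if CONTROL.search(n.decode("utf-8", "replace"))]

def sanitize_name(name):
    """Make a raw entry name printable: each control character becomes _xHH."""
    return CONTROL.sub(lambda m: "_x%02x" % ord(m.group()), name.decode("utf-8", "replace"))

def extract_sanitized(zip_bytes):
    """Return {sanitized name: data}. Names differing only in control characters would
    collide after sanitizing, so that case is rejected instead of being silently merged."""
    out = {}
    for name, data in read_entries(zip_bytes):
        clean = sanitize_name(name)
        if clean in out:
            raise ValueError("collision after sanitizing: %r" % clean)
        out[clean] = data
    return out

# Constructed sample jar, not the questioner's file: one ordinary class and two whose
# names contain U+0000; the payload is just the class-file magic.
SAMPLE_JAR = build_stored_zip([
    ("com/example/Main.class", b"\xca\xfe\xba\xbe"),
    ("com/example/a\x00b.class", b"\xca\xfe\xba\xbe"),
    ("com/example/\x00.class", b"\xca\xfe\xba\xbe"),
])

if __name__ == "__main__":
    for name in suspicious_entries(SAMPLE_JAR):
        print("suspicious entry:", name, "->", sanitize_name(name))
```

The collision check is there because an obfuscator is free to emit several classes whose names differ only in the number of NUL characters; folding them onto one file name would lose classes without any error.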
3
votes
Accepted
How to Launch and debug Ghidra from Eclipse with two Modules I'm developing at the same time?
I figured it out by trial and error.
From the main Eclipse window:
Click on the dropdown arrow on the "Debug As..." button in the toolbar.
Select "Debug Configurations..."
In the Configuration Editor:...
3
votes
What is this assembly code doing?
00100e44 08 00 40 f9 ldr x8, [param_1 ]
This loads the value at memory address param_1 into register x8.
00100e48 01 00 00 b0 adrp x1, s_c7a584936712f32773d3d0a_00101000
...
3
votes
Accepted
Debug problem with Ghidra 3rd party language
I see that there were some problems with released versions up to 1.02. With the latest changes I had no problem loading your example binary.
https://github.com/achan1989/ghidra-65816/commit/...
3
votes
Accepted
How to hook RuntimeException to prevent crashes?
RuntimeException is an Exception class like all the others; the only difference is that developers are not forced to catch RuntimeException and its child classes. And there is no special relation ...
2
votes
Secure resources from being extracted?
I know a few ways to prevent resources from being extracted/read:
Encrypt your resources and decrypt them dynamically at runtime without writing temp files.
Load the resources from the Internet (require ...
Related Tags
java × 187
android × 66
decompilation × 39
byte-code × 21
apk × 19
deobfuscation × 17
jar × 17
disassembly × 16
ghidra × 15
frida × 13
obfuscation × 10
encryption × 8
c × 7
ida × 5
c++ × 5
dynamic-analysis × 5
patching × 5
function-hooking × 5
libraries × 5
debugging × 4
python × 4
decryption × 4
static-analysis × 4
javascript × 4
decompiler × 4