Exetools > General > General Discussion
#1, 11-23-2016, 15:07
suddenLy (Friend, joined Jan 2005)
Java reversing question

Hi ppl,

I have a Java reversing question.
I have experience with jar files, but it is a different situation with this target.

1. Running the target file:
A-gui.exe

2. Internally, A.exe runs Java (via CreateProcess):
javaw.exe -parameters A-gui.exe

3. I can debug the target file by attaching to javaw.exe with OllyDbg. Is it normal???
I do not know much about this kind of Java launching.
Moreover, at this point, killing the A-gui.exe process does not matter.
The only running process is javaw.exe.

Here is the question.
How can I catch the entry point of javaw.exe?
I mean the javaw.exe process internally created by A.exe.
#2, 11-23-2016, 15:29
Mkz (Friend, joined Jan 2002)
A-gui.exe is a regular native application which launches a java process, much like you can launch java(w) itself using the command line.
With a tool such as Process Explorer you can see what the full command line is of the child javaw process so that perhaps you can even launch it manually, without having A-gui.exe do it.

The parent process is probably launching java with an API such as JNI_CreateJavaVM, see here: hxxp://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/invocation.html

You can debug both the parent and the child process with Olly, naturally, but if the child is javaw, you're better off reversing its classes or monitoring with things like JVisualVM or Mission Control.
#3, 11-24-2016, 18:37
suddenLy (Friend, joined Jan 2005)
yep, the child process is javaw.exe.
When I try using the command line, a file integrity error pops up.

Even if I catch the crack point through a monitoring tool as you said, how can I find that bytecode??

Anyway, thanks for your comments.
#4, 11-25-2016, 02:47
Mkz (Friend, joined Jan 2002)
Quote (originally posted by suddenLy):
> yep, the child process is javaw.exe.
> When I try using the command line, a file integrity error pops up.
>
> Even if I catch the crack point through a monitoring tool as you said, how can I find that bytecode??
>
> Anyway, thanks for your comments.
Check the 2 attached images, also uploaded to:
- hxxp://i65.tinypic.com/2nu0fie.png
- hxxp://i67.tinypic.com/xfcgtd.png

I launched JVisualVM, which is part of the Java SDK, and also uses the same approach: there's an executable which loads some java code in a spawned process.

The 1st image shows you the command line which could - I guess - be executed directly to launch the java code. It indicates the classpath (which libs to load), the parameters, the start class name, etc.
When you mention "file integrity error", I'm not sure if it's related to checks done by the java program, or if you didn't supply exactly everything it needed - including the correct working dir or environment variables.

The 2nd image is for a thread dump I requested from JVisualVM to a running java program (which happens to be JVisualVM itself) and you can see one of the threads' call stack.
If you want to, say, understand what the "org.openide.util.RequestProcessor$task.run" method does, you'll need to use the regular java tools to decompile its class file and take a look at its "decompiled source" or even the java bytecode if decompilation is not possible.
You'll need to search all the jars in the classpath to understand which one provides that class, so you can decompile it.
Attached images: java_example.png, java_example_2.PNG
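Added example, not code from the thread or from any poster: a Python script that parses a javaw command line of the kind Process Explorer shows for the child process (post #2) and then searches the classpath for the jar that provides a class seen in a thread dump (post #4). The command line, jar names and class names are constructed for this example; only the java launcher's option syntax (-cp/-classpath, -jar, -D<key>=<value>, other -options, main class, program args) and the jar layout (a zip with entries like a/b/C.class) are the real ones.

```python
"""Added example (not from the thread): reconstruct a javaw child process's
launch parameters from its command line and find which classpath entry
provides a given class. Sample command line, jars and class names are
constructed for the demo; the launcher syntax is the real java one.
"""
import os
import shlex
import tempfile
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class JavaLaunch:
    launcher: str
    jvm_options: List[str] = field(default_factory=list)
    properties: Dict[str, str] = field(default_factory=dict)
    classpath: List[str] = field(default_factory=list)
    jar: Optional[str] = None
    main_class: Optional[str] = None
    args: List[str] = field(default_factory=list)


def parse_java_cmdline(cmdline: str, path_sep: str = ";") -> JavaLaunch:
    """Split a java/javaw command line into JVM options, classpath, entry point and program args.

    path_sep is ';' for Windows classpaths and ':' on Unix. The launcher stops
    reading its own options at the first non-option token (the main class) or
    after -jar <file>; everything after that belongs to the program.
    """
    # posix=False keeps backslashes in Windows paths; surrounding quotes are stripped by hand
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    launch = JavaLaunch(launcher=tokens[0])
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-cp", "-classpath", "--class-path"):
            launch.classpath = [p for p in tokens[i + 1].split(path_sep) if p]
            i += 2
        elif tok == "-jar":
            launch.jar, launch.args = tokens[i + 1], tokens[i + 2:]
            break
        elif tok.startswith("-D"):
            key, _, value = tok[2:].partition("=")
            launch.properties[key] = value.strip('"')
            i += 1
        elif tok.startswith("-"):
            launch.jvm_options.append(tok)
            i += 1
        else:
            launch.main_class, launch.args = tok, tokens[i + 1:]
            break
    return launch


def expand_classpath(entries: List[str]) -> List[str]:
    """Expand 'dir/*' wildcard entries to the jars in that directory, as the launcher does."""
    expanded = []
    for entry in entries:
        if entry.endswith("*"):
            directory = entry[:-1] or "."
            if os.path.isdir(directory):
                expanded.extend(sorted(os.path.join(directory, f) for f in os.listdir(directory)
                                       if f.lower().endswith(".jar")))
        else:
            expanded.append(entry)
    return expanded


def find_class_provider(classpath: List[str], class_name: str) -> Optional[str]:
    """Return the jar or directory on the classpath that contains class_name, or None.

    Inner classes keep the '$' in the file name, e.g. a/b/Outer$Inner.class.
    """
    entry = class_name.replace(".", "/") + ".class"
    for cp in expand_classpath(classpath):
        if os.path.isfile(cp) and zipfile.is_zipfile(cp):
            with zipfile.ZipFile(cp) as zf:
                if entry in zf.namelist():
                    return cp
        elif os.path.isdir(cp) and os.path.isfile(os.path.join(cp, *entry.split("/"))):
            return cp
    return None


def demo():
    """Constructed scenario: two jars, a launcher-style command line, one class lookup."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.mkdir(lib)
        fake_class = b"\xca\xfe\xba\xbe" + b"\0" * 12  # class-file magic plus filler, not real bytecode
        with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as zf:
            zf.writestr("com/example/Main.class", fake_class)
        with zipfile.ZipFile(os.path.join(lib, "util.jar"), "w") as zf:
            zf.writestr("org/example/util/RequestProcessor$Task.class", fake_class)
        cmdline = 'javaw.exe -Xmx512m -Dapp.home="%s" -cp "%s;%s" com.example.Main --mode gui' % (
            root, os.path.join(root, "app.jar"), os.path.join(lib, "*"))
        launch = parse_java_cmdline(cmdline)
        provider = find_class_provider(launch.classpath, "org.example.util.RequestProcessor$Task")
        return launch, provider


if __name__ == "__main__":
    print(demo())
```

Run it against a real command line by pasting the string Process Explorer shows into parse_java_cmdline; the returned classpath is the list of jars to feed to a decompiler, and find_class_provider tells you which of them to open for a given frame of the thread dump.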
#5, 11-29-2016, 13:08
suddenLy (Friend, joined Jan 2005)
Is it possible to extract a jar from an exe?

There is no jar in the target directory; only DLLs and an exe exist.

For your interest, I found the license check DLL and I can use the 'EBFE' method to catch the target export function.

However, unfortunately, a file CRC check error pops up from the target exe file.

Anyway, many thanks.
#6, 11-30-2016, 14:37
fqjp (Friend, joined Apr 2011)
You can try using Process Monitor to watch whether a jar file is being extracted, then use tools such as JD-GUI to decompile the jar.
#7, 12-14-2017, 20:23
CodeCracker (VIP, joined Jun 2011)
If the program is starting "javaw.exe -parameters A-gui.exe" it means that the zip (jar) file is in the exe overlay; calculate the overlay offset by adding the raw size to the last section's raw address.

Or try:
https://forum.exetools.com/showpost.php?p=110417&postcount=6
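Added example, not code from the thread: a Python script that computes the overlay offset the way CodeCracker describes (the point where the last section's raw data ends, PointerToRawData + SizeOfRawData) and carves the jar appended there. The PE stub and the jar it builds are constructed inputs so the script runs offline; they are not the poster's target, and the made-up "LAUNCHER-HEADER" bytes in front of the jar only stand in for a launcher that puts its own data before the archive.

```python
"""Added example (not from the thread): find a PE file's overlay and carve the
zip/jar a Java launcher exe keeps there. The PE stub and jar below are
constructed test inputs; only the PE header layout and zip signatures are real.
"""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_END_OF_CENTRAL_DIR = b"PK\x05\x06"


def overlay_offset(data: bytes) -> int:
    """Return the file offset where the overlay begins (len(data) when there is none).

    Uses the maximum end-of-raw-data over all sections rather than trusting the
    last section header, since section headers need not be in file order.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_optional = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_optional
    end = section_table + 40 * num_sections
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, section_table + 40 * i + 16)
        if size_raw:
            end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def carve_jar(data: bytes):
    """Return (file_offset, jar_bytes) for a zip archive found in the overlay, else None.

    The zip is searched for inside the overlay rather than assumed to start at
    its first byte, because some launchers put their own header before it.
    """
    start = overlay_offset(data)
    overlay = data[start:]
    pos = overlay.find(ZIP_LOCAL_HEADER)
    if pos < 0 or overlay.rfind(ZIP_END_OF_CENTRAL_DIR) < pos:
        return None
    jar = overlay[pos:]
    try:
        with zipfile.ZipFile(io.BytesIO(jar)) as zf:
            if zf.testzip() is not None:  # a corrupt member means this is not the archive we want
                return None
    except zipfile.BadZipFile:
        return None
    return start + pos, jar


def build_stub_pe(section_payload: bytes) -> bytes:
    """Constructed PE32 stub with one section: headers valid enough to parse, not to run."""
    file_align, raw_ptr = 0x200, 0x200
    raw_size = -(-len(section_payload) // file_align) * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)     # i386, 1 section, PE32 opt hdr
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)            # PE32 magic, rest zeroed
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + optional + section
    return headers.ljust(raw_ptr, b"\0") + section_payload.ljust(raw_size, b"\0")


def build_constructed_jar() -> bytes:
    """Constructed jar: a manifest and one placeholder .class entry (magic plus filler)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: com.example.Main\r\n\r\n")
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe" + b"\0" * 12)
    return buf.getvalue()


def build_sample_exe() -> bytes:
    """Stub launcher: PE stub, then a made-up launcher header, then the jar as overlay."""
    return build_stub_pe(b"\xc3" * 100) + b"LAUNCHER-HEADER\0" + build_constructed_jar()


def demo():
    """Carve the jar out of the constructed exe and read its entry list and Main-Class."""
    found = carve_jar(build_sample_exe())
    if found is None:
        return None
    offset, jar = found
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        names = sorted(zf.namelist())
        manifest = zf.read("META-INF/MANIFEST.MF").decode()
    main_class = [l for l in manifest.splitlines() if l.startswith("Main-Class:")][0].split(":", 1)[1].strip()
    return offset, names, main_class


if __name__ == "__main__":
    print(demo())
```

On a real launcher, call carve_jar on the whole file and write the returned bytes to a .jar for JD-GUI. Two caveats a practitioner should keep in mind: a launcher may encrypt or compress the overlay instead of appending a plain zip, in which case no PK signature will be found and the Process Monitor approach from post #6 (watching for a jar being written at run time) is the fallback; and Python's zipfile tolerates leading data, so opening the whole exe directly often works too, but carving gives a clean file whose offsets other tools will accept.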
All times are GMT +8.