#1
Java reversing question
Hi ppl,
I have a Java reversing question. I have experience with jar files, but the situation is different with this target.
1. I run the target file A-gui.exe.
2. Internally, A.exe runs Java (via CreateProcess): javaw.exe -parameters A-gui.exe
3. I can debug the target by attaching OllyDbg to javaw.exe.
Is this normal??? I do not know much about this kind of Java launch. Moreover, at this point killing the A-gui.exe process does not matter; the only running process is javaw.exe. Here is the question: how can I catch the entry point of javaw.exe? I mean the process created internally by A.exe with javaw.exe.
#2
A-gui.exe is a regular native application which launches a java process, much like you can launch java(w) itself using the command line.
With a tool such as Process Explorer you can see what the full command line of the child javaw process is, so that perhaps you can even launch it manually, without having A-gui.exe do it. The parent process is probably launching Java with an API such as JNI_CreateJavaVM, see here:
hxxp://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/invocation.html
You can debug both the parent and the child process with Olly, naturally, but if the child is javaw, you're better off reversing its classes or monitoring with things like JVisualVM or Mission Control.
The following user says thank you to Mkz for this useful post: tonyweb (11-23-2016)
#3
yep, the child process is javaw.exe.
When I try using the command line, a file integrity error pops up. Even if I catch the crack point through a monitoring tool as you said, how can I find that bytecode?? Anyway, thanks for your comments.
#4
- hxxp://i65.tinypic.com/2nu0fie.png
- hxxp://i67.tinypic.com/xfcgtd.png
I launched JVisualVM, which is part of the Java SDK and also uses the same approach: there's an executable which loads some Java code in a spawned process. The 1st image shows you the command line which could - I guess - be executed directly to launch the Java code. It indicates the classpath (which libs to load), the parameters, the start class name, etc. When you mention "file integrity error", I'm not sure if it's related to checks done by the Java program, or if you didn't supply exactly everything it needed - including the correct working dir or environment variables. The 2nd image is of a thread dump I requested from JVisualVM of a running Java program (which happens to be JVisualVM itself), and you can see one of the threads' call stacks. If you want to, say, understand what the "org.openide.util.RequestProcessor$Task.run" method does, you'll need to use the regular Java tools to decompile its class file and take a look at its "decompiled source", or even the Java bytecode if decompilation is not possible. You'll need to search all the jars in the classpath to understand which one provides that class, so you can decompile it.
#5
Is it possible to extract jar from exe?
There is no jar in the target directory; only DLLs and an EXE exist. For your interest, I found the license check DLL and I can use the 'EBFE' method to catch the target export function. However, unfortunately, a file CRC check error pops up from the target exe file. Anyway, many thanks.
#6
You can try using Process Monitor to watch whether it extracts a jar file, then use tools such as JD-GUI to decompile the jar.
The following user says thank you to fqjp for this useful post: niculaita (11-30-2016)
#7
If the program is starting "javaw.exe -parameters A-gui.exe", it means that the zip (jar) file is in the exe's overlay. Calculate the overlay offset by adding the raw size to the last section's raw address.
Or try: https://forum.exetools.com/showpost.php?p=110417&postcount=6
The following user says thank you to CodeCracker for this useful post: niculaita (12-15-2017)
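As an added example (not code from this thread or from any tool named in it), here is a Python script that walks through the analysis steps from posts #4 and #7: compute the overlay offset as the largest PointerToRawData + SizeOfRawData over the PE section table, carve whatever follows it, check that it is a zip/jar, and then search the resulting classpath for the jar that provides a given class. The PE image, the jars and the class-file bytes are all constructed in memory as hypothetical stand-ins for A-gui.exe and its classpath; the class name is the one from post #4's thread dump.

```python
import io
import struct
import zipfile

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def overlay_offset(pe: bytes) -> int:
    """Offset where the PE's section data ends, i.e. where an overlay would start.

    Computed as post #7 describes: max(PointerToRawData + SizeOfRawData)
    over all section headers (sections need not be stored in file order).
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    first_section = coff + 20 + opt_size                 # section table follows the optional header
    end = 0
    for i in range(num_sections):
        hdr = first_section + i * SECTION_HEADER_SIZE
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def extract_overlay(pe: bytes) -> bytes:
    """Bytes appended after the last section; empty if the file has no overlay."""
    off = overlay_offset(pe)
    return pe[off:] if off < len(pe) else b""


def class_entry_name(dotted: str) -> str:
    """'a.b.C$D' -> 'a/b/C$D.class', the entry name used inside a jar."""
    return dotted.replace(".", "/") + ".class"


def find_class_provider(jars: dict, dotted: str):
    """Name of the first jar (in classpath order) containing the class, as post #4 suggests."""
    entry = class_entry_name(dotted)
    for jar_name, jar_bytes in jars.items():
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
            if entry in z.namelist():
                return jar_name
    return None


def triage(pe: bytes, extra_classpath: dict, dotted: str):
    """Carve the overlay, confirm it is a zip/jar, then locate the class across the classpath."""
    overlay = extract_overlay(pe)
    if not overlay.startswith(b"PK\x03\x04"):            # zip local-file-header magic
        return None
    classpath = {"<overlay>": overlay, **extra_classpath}
    return find_class_provider(classpath, dotted)


# --- constructed sample data (hypothetical stand-ins for A-gui.exe and its classpath) ---

def build_sample_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_pe(overlay: bytes) -> bytes:
    """Minimal two-section PE image (headers only, not executable) with `overlay` appended."""
    sections = [(b".text", 0x200, 0x200), (b".rdata", 0x400, 0x100)]  # name, PointerToRawData, SizeOfRawData
    opt_size = 0xE0                                                   # PE32 optional header size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)
        for name, ptr, size in sections
    )
    img = bytearray(dos + b"PE\0\0" + coff + bytes(opt_size) + table)
    img += bytes(max(p + s for _, p, s in sections) - len(img))      # zero-filled section bodies
    return bytes(img + overlay)


MAIN_CLASS = "org.openide.util.RequestProcessor$Task"   # class name from post #4's thread dump
FAKE_CLASS = b"\xca\xfe\xba\xbe" + bytes(4)              # constructed: class-file magic + zeroed version
APP_JAR = build_sample_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
                            class_entry_name(MAIN_CLASS): FAKE_CLASS})
LIB_JAR = build_sample_jar({"com/example/Util.class": FAKE_CLASS})
SAMPLE_EXE = build_sample_pe(APP_JAR)

if __name__ == "__main__":
    print("overlay starts at", hex(overlay_offset(SAMPLE_EXE)))
    print("class provided by", triage(SAMPLE_EXE, {"lib.jar": LIB_JAR}, MAIN_CLASS))
```

On a real file you would read the executable from disk and pass the jars listed on the javaw command line (from Process Explorer, as in post #2) as the extra classpath; the overlay check uses the zip local-file-header magic, so an overlay that is not a zip (a signature block, an installer payload, a different archive format) simply returns None and wants a different parser.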