2

I am trying to replace a certain class file with my own in an obfuscated jar. The original class file has methods named "new" and "null" so a quick decompile + compile doesn't work. I tried compiling and using jbe to add new methods named "new" that relayed everything to "new_symbol" functions (with new_symbol being the decompiled version of the original "new" function). This did not work. ("code segment has wrong length in class file")

Does anyone know of a way to refactor method names in class files? And if that isn't possible, a way to reliably create those "proxy functions"? From Google I learned that there are about 1000+ different backend libraries but only jbe as frontend for bytecode editing?

EDIT: Let me try to illustrate it. Let's say that there is a jar file with a class that provides a function that logs everything you give it to a database. I'd like to replace that class file with my own, and it should not only log everything to a database, but also print whatever data it gets to the command line.

The problem is, that class file was obfuscated and the obfuscator gave it public method names like "new" or "null". If you try:

public class replacement{
    public void new (String data){
        ...
    }
}

And compile that, you get compilation errors.

My idea was to create this:

public class replacement{
    public void newsymbol (String data){
        ...
    }
}

And use a bytecode editor to create a function named "new" that calls "newsymbol" with the same arguments (but I get "code segment wrong length" and other errors going down this route).

My question therefore could be better phrased as "give me a way to intercept calls to a class file whose public methods are named "new" "null" "weird_unicode_symbols""....

11
  • Have you tried Java Decompiler? Commented Dec 25, 2013 at 17:12
  • Java decompilers try to convert it to java source code but I can't recompile that source code because the public methods will never have the correct names to interface with the rest of that jar file. They expect public methods named "new" but if you name a method "new" in a java file, you can't compile it because it goes against the java naming convention. Commented Dec 25, 2013 at 17:15
  • I hope you have noticed that I have provided a link to a program called Java Decompiler. Please attempt to decompile your original jar file using this program (not some other decompiler program) and report your result (whether the program has correctly decoded to valid method names instead of invalid method names like new). Commented Dec 25, 2013 at 17:17
  • 1
    javassist provides a way to manipulate existing java byte code before actually loading a class. It provides ways to remove, add or modify existing methods or fields. Commented Dec 25, 2013 at 17:25
  • 1
    How about a simple hex editor? Make sure that the method name is the same length as the intended length, and then just find-replace. Commented Dec 25, 2013 at 17:44

2 Answers

1

Scala allows you to use identifiers in names if you surround them by `.

class f{
    def `new`():Int = {
        return 3
    }
}

jd-gui output

import scala.reflect.ScalaSignature;

@ScalaSignature(bytes=/* snip */)
public class f
{
    public int jdMethod_new()
    {
        return 3;
    }
}

I assume that jdMethod_ is prefixed in order to make the identifier valid. There is no jdMethod_ when looking at the class file using a hex editor.

However, this does have a flaw when you need to use public fields; scalac never generates public fields, it always makes them private and creates accessors.


1 Comment

jdMethod_new is indeed what jd_gui uses to make the identifier valid. If I knew how to program in scala, I would've accepted this as solution.
0

So, what turned out to be the best solution for me was to use a hex editor (as suggested by user60561).

Apparently, the name of every function and field is only saved once in the class file, so if you use names with the same amount of bytes you can hexedit your way to victory. For me it came down to replacing "new" by "abc" and every strange unicode character with a two-char sequence.

Thanks for all the suggestions.
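The answer above works because each name is stored once, as a length-prefixed CONSTANT_Utf8 entry in the class file's constant pool. As an added example (not code from the original posts), this Python script walks the constant pool and rewrites one such entry together with its length prefix, which goes beyond the same-length hex edit; `rename_utf8`, `utf8_entry` and the sample bytes are constructed for illustration.

```python
import struct

# Payload size in bytes after the tag, for every constant-pool tag except Utf8 (1).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def rename_utf8(data, old, new):
    """Return (patched class bytes, number of Utf8 entries rewritten)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    # Assumption: names avoid U+0000 and non-BMP characters, where the JVM's
    # modified UTF-8 differs from standard UTF-8.
    old_b, new_b = old.encode("utf-8"), new.encode("utf-8")
    if len(new_b) > 0xFFFF:
        raise ValueError("name too long for a u2 length prefix")
    (count,) = struct.unpack_from(">H", data, 8)
    out = bytearray(data[:10])          # magic, minor, major, pool count
    pos, index, hits = 10, 1, 0         # pool indices start at 1
    while index < count:
        tag = data[pos]
        if tag == 1:                    # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, pos + 1)
            text = data[pos + 3:pos + 3 + length]
            if text == old_b:
                text, hits = new_b, hits + 1
            out += b"\x01" + struct.pack(">H", len(text)) + text
            pos += 3 + length
        elif tag in CP_SIZES:
            out += data[pos:pos + 1 + CP_SIZES[tag]]
            pos += 1 + CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {pos}")
        index += 2 if tag in (5, 6) else 1   # Long/Double take two slots
    # Everything after the pool refers to entries by index, so it is copied as-is.
    return bytes(out + data[pos:]), hits

def utf8_entry(s):
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b

# Constructed sample: a real header and constant pool followed by placeholder
# bytes standing in for the rest of the class (not a loadable class file).
SAMPLE = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 6)
          + utf8_entry("replacement") + b"\x07\x00\x01"  # #1 Utf8, #2 Class -> #1
          + b"\x05" + bytes(8)                           # #3 Long (also uses #4)
          + utf8_entry("newsymbol") + b"REST")           # #5 method name

if __name__ == "__main__":
    patched, hits = rename_utf8(SAMPLE, "newsymbol", "new")
    print(hits, len(SAMPLE), "->", len(patched))
```

A Utf8 entry is shared by every constant with that text, so a string literal or field with the same name changes too, and callers in other classes keep their own copy of the name in their own constant pools.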
