The upcoming 0.9.0 version of the Profiler adds support for Java class files. This will be especially useful for malware analysis. The support includes: disassembler, format views and layout ranges. Let’s see some screenshots of the format itself first.
Here’s a view of the constants:
Note: Utf8 strings are highlighted in orange just to distinguish them.
Here’s a view of the methods with their attributes:
And here’s the layout ranges view:
Again strings are in orange, while the actual code of a method is in a slightly lighter green than the method itself.
Since the format of class files is contiguous, it’s extremely easy to use layout ranges to create a new custom class file using the hex editor.
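The constants view and the contiguity that layout ranges rely on can be reproduced in a few lines. The following Python sketch is an added example, not code from the Profiler: it walks the constant pool and returns the byte range of every entry plus the Utf8 strings. The function names and the SAMPLE bytes are constructed for illustration.

```python
# Payload size in bytes of each fixed-length constant, keyed by tag (JVM spec 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constant_ranges(data):
    """Map constant pool index -> (tag, start, end, payload) for a class file."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = int.from_bytes(data[8:10], "big")  # constant_pool_count
    pool, off, idx = {}, 10, 1                 # entries start right after the header
    while idx < count:
        if off >= len(data):
            raise ValueError("truncated constant pool")
        tag = data[off]
        if tag == 1:    # CONSTANT_Utf8: u2 length followed by that many bytes
            end = off + 3 + int.from_bytes(data[off + 1:off + 3], "big")
        elif tag in FIXED:
            end = off + 1 + FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {off:#x}")
        if end > len(data):
            raise ValueError("truncated constant pool")
        pool[idx] = (tag, off, end, data[off + 1:end])
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two indices
        off = end                         # contiguous: the next entry starts here
    return pool

def strings(pool):
    """List (index, text, is_literal); is_literal = referenced by a CONSTANT_String."""
    literal = {int.from_bytes(p, "big") for t, _, _, p in pool.values() if t == 8}
    # Class files use modified UTF-8; plain UTF-8 with replacement is an approximation.
    return [(i, p[2:].decode("utf-8", "replace"), i in literal)
            for i, (t, _, _, p) in sorted(pool.items()) if t == 1]

def utf8(s):  # helper that encodes one CONSTANT_Utf8 entry for the sample below
    b = s.encode()
    return b"\x01" + len(b).to_bytes(2, "big") + b

# Constructed sample: header plus a small pool modelled on HelloWorld (not a full class).
SAMPLE = (b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x34" + b"\x00\x07"
          + utf8("HelloWorld") + b"\x07\x00\x01"
          + b"\x05" + (552441554577111995).to_bytes(8, "big")
          + utf8("Hello world!") + b"\x08\x00\x05")

if __name__ == "__main__":
    pool = constant_ranges(SAMPLE)
    for i, (tag, start, end, _) in sorted(pool.items()):
        print(f"#{i} tag={tag} range={start:#x}-{end:#x}")
    print(strings(pool))
```

The offset at which the walk ends is where access_flags begins, so the same approach extends to the rest of the file.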
And finally, the disassembler:
The output shown in the screenshot above:
// SourceFile: HelloWorld.java
super class HelloWorld extends java.lang.Object
{
    static float f1;
    public static java.lang.String hello;
    HelloWorld()
    {
        // max_stack = 1 max_locals = 1
        // line 1
        aload_0
        invokespecial java.lang.Object.<init>() // returns void
        return
    }
    public static void main(java.lang.String[])
    {
        // max_stack = 7 max_locals = 6
        // line 7
        ldc2_w 454.546
        dstore_1
        // line 8
        ldc2_w 552441554577111995
        lstore_3
        // line 9
        getstatic java.lang.System.out // java.io.PrintStream
        ldc "The value of i is: %f and %d"
        iconst_2
        anewarray java.lang.Object
        dup
        iconst_0
        getstatic HelloWorld.f1 // float
        invokestatic java.lang.Float.valueOf(float) // returns java.lang.Float
        aastore
        dup
        iconst_1
        lload_3
        invokestatic java.lang.Long.valueOf(long) // returns java.lang.Long
        aastore
        invokevirtual java.io.PrintStream.format(java.lang.Stringjava.lang.Object[]) // returns java.io.PrintStream
        pop
        // line 10
        getstatic java.lang.System.out // java.io.PrintStream
        getstatic HelloWorld.hello // java.lang.String
        invokevirtual java.io.PrintStream.println(java.lang.String) // returns void
        // line 13
        try
        {
            getstatic java.lang.System.out // java.io.PrintStream
            ldc "test2"
            invokevirtual java.io.PrintStream.println(java.lang.String) // returns void
        }
        catch (java.lang.Exception) goto loc_57
        // line 18
        goto loc_67
        // line 15
        loc_57:
        astore 5
        // line 17
        getstatic java.lang.System.out // java.io.PrintStream
        ldc "error"
        invokevirtual java.io.PrintStream.println(java.lang.String) // returns void
        // line 19
        loc_67:
        return
    }
    static void <clinit>()
    {
        // max_stack = 1 max_locals = 0
        // line 3
        ldc 43
        putstatic HelloWorld.f1 // float
        // line 4
        ldc "Hello world!"
        putstatic HelloWorld.hello // java.lang.String
        return
    }
}
And the original source file:
class HelloWorld
{
    static float f1 = 43;
    public static String hello = "Hello world!";
    public static void main(String[] args)
    {
        double d1 = 454.545774;
        long l1 = 552441554577111995L;
        System.out.format("The value of i is: %f and %d", f1, l1);
        System.out.println(hello);
        try
        {
            System.out.println("test2");
        }
        catch (Exception e)
        {
            System.out.println("error");
        }
    }
}
There’s yet more to come. Stay tuned. 🙂