What this hack will do is modify the way the JRE classes before run time and can help you execute your analyzing code. I prefer to do this in a virtual machine. If you choose not to, don't forget to make a backup of rt.jar.
An example sounds nice, yes? Let's say we want to see every URL that a Java application instantiates and for whatever reason we can't use a network analyzer :P. Well, we could write our own implementation of the URL class and then edit the applications bytecode to use our URL class, but that's extremely prone to errors. We could decrypt every string and hope the application doesn't load the strings from the Internet. Unfortunately, that's not even guaranteed to work and chances are the decryption algorithm isn't to easy to extract from the application. So how could we go about doing this? Let's begin.
Open three windows:
- JBE - By running the bash/batch script
- A file explorer - Probably open to the desktop
- WinRAR
Open WinRAR to your Java installation folder. I am (unfortunately) on Windows right now so my path is:
Code:
C:\Program Files\Java
Open the JRE folder, mine is called jre7. Now open the lib folder and open rt.jar. You should now see the root of the rt.jar in WinRAR. From there open the 'java' folder and then 'net' folder. Find URL.class and drag it out. For the purpose of this demonstration only I will assume you placed in on your Desktop.
Now go to JBE and open (File -> Open class file) the URL.class you just placed on the desktop. Expand the 'Methods' branch of the tree. Because we already know the last constructor is the one that is always called no matter what, we will begin there. Now expand the last <init> branch and click on the Code branch.
By cross referencing the last exception in the exception table (second tab) with the offset in the first 'Bytecode' tab we realize that the last instruction covered by the exception is at 245. We simply type this into the code editor starting on line 245 (before the goto instruction):
Code:
getstatic java/lang/System/out Ljava/io/PrintStream;
invokevirtual java/net/URL/toExternalForm()Ljava/lang/String;
invokevirtual java/io/PrintStream/println(Ljava/lang/String;)V
Click 'Save method'. Drag the edited class file back into WinRAR and close.
Run the .jar that you wish to analyze by CLI.