Reverse Engineering Asked by CospriMalice on March 13, 2021
I’m trying to get classes from a JAR file / an actually running JVM machine, but:
When I try to open the JAR file using, for example, 7Zip, I don’t see any classes. After unzipping, the Manifest file is empty too.
When I try to "dump" classes from the running JVM machine, I got "very funny" named, empty classes (not really empty, but containing info like "gtfo" etc.).
JD-Gui showed nothing – just nothing.
Around a month ago, when I tried to open it using 7Zip, there were classes with the same name and a custom extension.
What should I do, and what tools do you recommend for actions like this?
Link: https://drive.google.com/file/d/1qhfEXu-ITQLW1mi55hMqnHmWt9BM5ur3/view
EDIT: Every decompiler I tested shows info like this:
mv.visitMethodInsn(INVOKESTATIC, "net/minecraft/client/main/Main",
"u0000extends throws try goto 8 n 9 * package * + finally return
static * " float abstract | transient n synchronized catch =
strictfp transient static extends while final long ! 0 throws & n %
double 4 this if const n interface ‘ ^ ~ do 1 ] % ? throws super
long", "(Ljava/lang/String;)Ljava/lang/String;", false)
The obfuscator probably used the '\u0000' "exploit". This character is known as the NUL terminator, and it's used to terminate the length of a character string in C/C++. All renamed classes will contain that character; this will confuse tools like 7Zip, WinRar etc.
Quick explanation:
=======
Original file names:
Renamed file names:
=======
Try to use https://github.com/TerriblePanda/JByteMod-Reborn or https://github.com/GraxCode/threadtear to decompile your jar.
Probable obfuscator used: https://paramorphism.dev/
Answered by Princekin on March 13, 2021
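To check whether a JAR's entry names really contain NUL or other control characters, as the answer above suggests, the names can be read straight from the ZIP central directory instead of through an archive tool. This is an added example, not part of the original answer; the function names are hypothetical and the sample archive is constructed in memory.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header


def raw_entry_names(jar_bytes):
    """Return every entry name exactly as stored in the central directory."""
    eocd = jar_bytes.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    # EOCD offset 10: total entries, offset 12: directory size, offset 16: directory offset
    total, _cd_size, pos = struct.unpack_from("<HLL", jar_bytes, eocd + 10)
    names = []
    for _ in range(total):
        if jar_bytes[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        flags, = struct.unpack_from("<H", jar_bytes, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<3H", jar_bytes, pos + 28)
        raw = jar_bytes[pos + 46:pos + 46 + name_len]
        # Flag bit 11 marks a UTF-8 name; otherwise the ZIP default is CP437.
        names.append(raw.decode("utf-8" if flags & 0x800 else "cp437", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def suspicious(names):
    """Names holding NUL or other control characters, shown escaped."""
    return [ascii(n) for n in names if any(ord(c) < 0x20 or ord(c) == 0x7F for c in n)]


def build_sample_jar():
    """Constructed sample: one normal class and one whose name contains NUL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("net/Main.class", b"\xca\xfe\xba\xbe")
        zf.writestr("net/@extends throws.class", b"\xca\xfe\xba\xbe")
    # zipfile cuts a name at the first NUL, so the placeholder '@' is patched afterwards
    # (it occurs once in the local header and once in the central directory).
    return buf.getvalue().replace(b"net/@extends", b"net/\x00extends")


if __name__ == "__main__":
    for entry in suspicious(raw_entry_names(build_sample_jar())):
        print("control character in entry name:", entry)
```

To inspect a real file, pass the bytes read from the JAR to `raw_entry_names` in place of `build_sample_jar()`.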