How can I get classes from "protected" JAR file?

Reverse Engineering Asked by CospriMalice on March 13, 2021

I’m trying to get classes from a JAR file / actually running JVM machine, but:

When I’m trying to open the JAR file using, for example, 7Zip, I don't see any classes. After unzipping, the Manifest file is empty too.

When I’m trying to "dump" classes from the running JVM machine, I get "very funny" named, empty classes (not really empty, but they contain info like "gtfo" etc.).

JD-Gui showed nothing – just nothing.

Around a month ago, when I tried to open it using 7Zip, there were classes with the same name and a custom extension.

What should I do, and what tools do you recommend for actions like this?

Link: https://drive.google.com/file/d/1qhfEXu-ITQLW1mi55hMqnHmWt9BM5ur3/view

EDIT: Every decompiler I tested shows info like this:

mv.visitMethodInsn(INVOKESTATIC, "net/minecraft/client/main/Main",
"u0000extends throws try goto 8 n 9 * package * + finally return
static * " float abstract | transient n synchronized catch =
strictfp transient static extends while final long ! 0 throws & n %
double 4 this if const n interface ‘ ^ ~ do 1 ] % ? throws super
long", "(Ljava/lang/String;)Ljava/lang/String;", false)

One Answer

The obfuscator probably used the '\u0000' "exploit". This character is known as the NUL terminator, and it's used to terminate a character string in C/C++. All renamed classes will contain that character; this will confuse tools like 7Zip, WinRar, etc.

Quick explanation:

=======

Original file names:

  1. Main.class
  2. Main2.class
  3. Main3.class

Renamed file names:

  1. Main.class\u0000.class -> 7Zip -> Main.class (\u0000 is the string end, so the other characters will not be displayed)
  2. Main.class\u00002.class -> 7Zip -> Main.class
  3. Main.class\u00003.class -> 7Zip -> Main.class

=======

Try to use https://github.com/TerriblePanda/JByteMod-Reborn or https://github.com/GraxCode/threadtear to decompile your jar.

Probable obfuscator used: https://paramorphism.dev/

Answered by Princekin on March 13, 2021
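
The name truncation described in the answer can be checked without a GUI archiver. The following Python sketch is an added example, not part of the original answer: Python's `zipfile` also cuts `ZipInfo.filename` at the first NUL but keeps the stored name in `orig_filename`, so iterating `infolist()` recovers every entry. The sample JAR is constructed in memory from the three names in the answer's illustration, and `build_sample_jar`, `safe_name` and `audit_jar` are hypothetical helper names.

```python
import io
import zipfile


def build_sample_jar():
    """Constructed sample: three entries named as in the answer's illustration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, suffix in enumerate(["", "2", "3"]):
            zi = zipfile.ZipInfo("placeholder")
            # ZipInfo() truncates at NUL, so the raw name is set afterwards.
            zi.filename = "Main.class\x00" + suffix + ".class"
            zf.writestr(zi, b"constructed-body-%d" % i)
    return buf.getvalue()


def safe_name(raw):
    """Escape non-printable characters so colliding names become distinct."""
    return "".join(c if c.isprintable() else "\\u%04x" % ord(c) for c in raw)


def audit_jar(jar_bytes):
    """Return (displayed_name, stored_name, data) for every archive entry."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        # infolist() keeps all entries; name lookups would collapse them
        # because the truncated names are identical.
        for info in zf.infolist():
            shown = info.filename                  # cut at the first NUL
            stored = safe_name(info.orig_filename)  # name as stored in the ZIP
            rows.append((shown, stored, zf.read(info)))  # read via ZipInfo
    return rows


if __name__ == "__main__":
    for shown, stored, data in audit_jar(build_sample_jar()):
        flag = "NUL-in-name" if shown != stored else "ok"
        print(f"{shown:12} {stored:28} {len(data):3} bytes  {flag}")
```

Run against a real file by passing its bytes to `audit_jar`; writing each entry out under its escaped `stored` name gives a directory that ordinary decompilers can open.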
