最近遇見一個麻煩,明明知道是java寫的小軟件,但是打包成了exe,木得辦法,之前打包的都有緩存能在TEMP文件夾找到。這次可不一樣了,特此記錄一下。
為此特地搜集了一些java打包成exe的軟件。
一、exe4j。
說明:exe4j可以將Jar文件制作成exe文件,但需jre支持,也可將Jar文件放在外面。
軟件性質:共享軟件
下載地址:http://www.ej-technologies.com/products/exe4j/overview.html
二、JBuilder。
說明:新版本的JBuilder可以直接把工程制作成各系統的可執行文件,包括Windows系統。
軟件性質:商業軟件
下載地址:略。我是從eMule下載的。
三、NativeJ。
說明:與exe4j功能類似。
軟件性質:共享軟件
下載地址:http://www.dobysoft.com/products/nativej/download.html
四、Excelsior JET。
說明:可以直接將Java類文件制作成exe文件,除AWT和Swing及第三方圖形接口外可不需jre支持(Java5.0不行)。
軟件性質:共享軟件
下載地址:http://excelsior-usa.com/home.html
五、jshrink。
說明:可將Jar文件打包進exe文件。同時具有混淆功能(這才是它的主要功能)。
軟件性質:共享軟件
下載地址:http://www.e-t.com/jshrink.html
六、InstallAnywhere。
說明:打包工具,對Java打包最好用。可打包成各操作系統運行包。包括Windows系統。
軟件性質:商業軟件。
下載地址:http://www.zerog.com/
七、InstallShieldX。
說明:與InstallAnywhere類似,但比InstallAnywhere功能強大。相對的,比較復雜,不易上手,我現在還沒學會。
軟件性質:商業軟件。
下載地址:http://www.installshield.com/八、Jar2Exe.
這是今天特地要說的java打包成EXE的軟件
Jar2Exe
- 明文:簡單的打包方式,解壓軟件解壓一下所有Class文件都在里面。
- 隱藏,Jar包會被經過簡單的加密之后存儲在EXE程序中的資源內。
- 加密+隱藏:Jar包會被加密,並且所有文件名都會被哈希,之后存儲在EXE程序資源中,這是最常見的一種加密,也是最麻煩的一種提取方式。
面對后兩種情況下,通常來說,我們如果想要提取完整的jar包,必須用ODB調程序執行到解密完成調用jar的位置,然后dump內存把所有內容dump下來。
這里學習一種方法(但是方法有一定缺點,我們后面講把)
首先構建一個Java代理(JavaAgent),目的是讓程序員可以更加靈活的監控Java虛擬機的運行。我們要實現的是監控ClassLoader,在它要加載一個類的時候,dump出這個類來並寫入一個jar文件中。
然后激活該JavaAgent,接着運行Jar2Exe編譯的Exe程序。盡可能多的測試程序中的功能,點擊不同的按鈕,讓更多的類文件被加載到內存中,這樣它們就會被dump出來。
但是缺點是很明顯的
1.如果class沒有加載就dump不到了
2.jar中的圖片、音頻等資源是得不到的。
重點來了!下面講步驟
1.准備工作
下載地址:https://github.com/HaoQinLandv/e2j
然后放到同一個目錄下
打開命令行並進入要破解的程序所在目錄,在命令行輸入以下命令設置JavaAgent的加載
set JAVA_TOOL_OPTIONS=-javaagent:e2j-agent.jar
該命令是讓java程序在加載一個類時會自動調用JavaAgent
2.操作
命令行運行你需要提取源代碼的軟件即可。
這種方法有缺陷,但是最簡單的辦法,下面來看國外大神如何提取的。
http://reverseengineeringtips.blogspot.com/2014/12/unpacking-jar2exe-21-extracting-jar.html
這個連接天朝境內無法訪問。
=========================================================================================
這里是分割線
==========================================================================================
Unpacking Jar2Exe 2.1: Extracting The Jar File At All 3 Protection Levels
Welcome to this extensive tutorial for unpacking Jar2Exe. Jar2Exe is a java executable wrapper which works by taking your original java archive, wrapping it into an executable, and executing it through a virtual environment using the jvm.dll provided with each java distribution. It also provides the ability to hide your archive and encrypt the class names making recovery difficult. The goal of this tutorial is to demonstrate how to recover a jar file at the 3 different protection levels provided by Jar2Exe.
In this tutorial, I will be using the file SimpleApp.jar which is included with launch4j. You can protect it with the same settings to reverse along with me.
Tools Needed:
Resource Hacker
Winhex
Ollydbg 1.10+ MemoryDump 0.9 and Olly Advanced or StrongOD Plugin(for advanced ctrl+g).
DJ Java Decompiler
7-Zip or Winrar
Jar2Exe Level 1: No Hiding, No Encryption:
This is the default wrapping level which provides no protection to your java file. As you can see, the Hide class files and Encrypt and hide class files options are left unchecked. This level of protection simply takes your java archive/jar file, concatenates it to the end of the executable, and embeds its java files inside of it. This java archive can be recovered using a hex editor, just like we did with launch4j in the previous tutorial. To begin, we will open sample file called 'SimpleAppNoHide.exe' in winhex. To find the archive, scroll to the bottom of the file. Another option you can try other than scrolling is to search for the ascii string "serial "(with the space). This should take you directly to the archive, but I cannot guarantee that this approach will always be successful.
Once you are here, the first occurrence of 'PK' labels the start of our archive. We can label this as our beginning of block:
Once you have done so, right click the selected block and click Edit. In the new pane, go to Copy Block -> Into New File.
Afterwards, we can save it as a jar file. I used the name SimpleAppNoHide.jar:
Once we are finished, the program will run correctly, but to be tidy, we need to delete the extra files that Jar2Exe added to our archive. Let's open the archive in 7-zip or winrar(whichever you fancy).
Once it is opened, you can see that Jar2Exe adds an additional directory called 'com'. While some other java applications may use this directory, Jar2Exe adds an additional subdirectory called regexlab.
After entering the com directory, we see that regexlab is the only subdirectory it contains, meaning that the entire com folder is unused and can simply be deleted from the archive, let's go ahead and delete it:
After confirming the deletion, we can close the archive and run the jar file.
If you did everything correctly, the application should run without problems and our work is finished.
Jar2Exe Level 2: Hidden Archive:
With the level 2 protection, Jar2Exe takes our java archive, encrypts it, and adds it as an RCData entry in the resource directory. To find the offset of the encrypted archive, we need to open our executable which I named 'SimpleAppHide.exe' in a resource editor. For this, I prefer resource hacker:
Above, we have located the encrypted data in the "RCData" section of the resource table. In this case, our offset is 46398h. Keep a note of this and open the application in Ollydbg. Once you have it opened, go to the hex dump section and go to the offset above:
Once you arrive at the offset, right click the byte and add a Hardware Breakpoint On Access -> Byte:
Now, let's run the program and wait for the break to occur. We should arrive here:
This loop will decrypt our archive byte for byte. Let's toggle a breakpoint on the instruction after the loop. In this example, the instruction is 00401BE3 > CMP DWOR PTR SS:[ESP+18],EBP. Run the program now and let the decryption complete. Once we break here, the register EAX will contain the location where our decrypted jar file is located and ECX contains its size. Using this information, we are ready to dump the file from memory. To do this, I found a very simple plugin called Memory Dump. It allows you to simply specify a memory address and size to dump those bytes to disk. Let's open the plugin:
To begin, check the field which says End Address / Lenght. This will allow us to enter the length value. Set the Start Address to the value in EAX and the lenght(length) equal to the value in ECX. In my case, the address is 296810 and the size is 11EC. Once you have entered these values, we are ready to dump this to disk.
A limitation of this tool is that you can only save the file with a .dmp extension, but we can easily rename it once we are finished. Simply save it with the name you fancy. In this case I named it as SimpleApp3Hide.dmp for easy recognition.
After a quick renaming, the file is ready to run.
Jar2Exe Level 3: Hidden Archive + Encrypted Class Names:
This is the strongest protection offered by Jar2Exe. First, it changes all of the class file names to gibberish. Second, it encrypts and hides the files just like the level 2 protection. While we can recover the archive with a similar method as in Level 2, we need to take an additional step to repair the class names.
To begin, let's open the application "SimpleAppEncrypt.exe" in a resource editor just as before to acquire the offset of the encrypted RCData:
Our offset in this case is 49398h. Let's note that and open the application in Ollydbg and follow the offset
Once we arrive at the offset, place a hardware breakpoint on access-> byte just like before.
Run the program an wait for the breakpoint. We should arrive at the following code:
This is the new decryption routine. The instruction 0040ACED-> MOV BYTE PTR DS:[ECX],AL will move each decrypted byte to their new memory location.
According to the code, the address of the memory location where our file is decrypted to can be found at the stack pointer [ESP+18]
The value at ESP+1C contains the size of the memory region. This can be verified by checking the decrement value of the loop.
This code verifies that ESP+1C is the value decremented. ESP+1c is moved to EAX, decremented, and then moved back.
At our current location where the hardware breakpoint landed us, the values at ESP +18 and ESP+1C are the ones we need for our dump. Please note them and target a breakpoint on the instruction outside of the loop.
Once you break here, we are ready to make a dump of the file. But first, I would like to show you the encrypted strings in our archive to give you a glimpse of how jar2exe encrypts them:
As you can see here, the names of our classes and manifest files have been completely obfuscated. As a result, we need to recover these names manually. The way that jar2exe gets the original names for the class is to read them directly from the class file itself. I will show you a simple approach to doing this once we dump the archive.
Now since I am finished digressing, let's dump the file just like before.
In my case, the location of the decrypted file is at 296858 and its length is 1284. We are ready to dump.
Now that we have saved the file, let's rename change the extension to .jar and prepare to extract the contents.
Please note that due to the encryption employed on the names, the file will not run until we correct the classes. Let's extract the contents to a new folder so we can begin repairing.
Once we have extracted the files, let's open the new directory and see the files.
As we can see here, the file names are complete gibberish. The randomly named directories will typically not contain a file and can be deleted. The rest of the files will be the original class and manifest files. To begin the recovery, I like to first identify which file is the manifest. We can usually assume that the manifest will be the smallest file contained in the archive. The manifest.mf file tells the java runtime which file contains the main() class. Without it, the runtime would not know how to execute the code. Let's find the smallest file and open it in a text editor.
As you can see, we have identified our manifest file. This file should be renamed to 'MANIFEST.MF' and placed in a subdirectory called 'META-INF'. Remember that these names are case sensitive and must be typed in all uppercase.
To continue with the rest of the files, let's add a '.class' extension to each of them and open them in your favorite java decompiler. You can read these names with a hex editor if you fancy, but a decompiler makes it a little cleaner. Let's begin with the largest file which is 4kb. I will open it in DJ Java Decompiler
As we can see here, we have identified the name of this class file as SimpleApp which according to the manifest, contains our main() procedure. The name of the package this file resides in is 'net.sf.launch4j.example'. The dots between these words represent a subdirectory. That means that this class belongs in a folder hierarchy of net/sf/launch4j/example. Let's rename this to class file to 'SimpleApp.class', create the directory hierarchy listed above, and place this file in it.
Now that we have completed this, we just need to go back and follow the same steps for the rest of the files. Please remember that every name is case sensitive. Once you have recovered each of them and placed them into the correct directory(there is only one directory), it should look like this:
Now that we are done, it is time to recreate the jar file. A jar file is simply a zip archive under a different extension. All we need to do is go back to the directory that contains our two folders named 'net' and 'META-INF' and add them to a zip archive.
Now, we simply change the extension of the zip archive to jar and it is ready to run.
Now let's see the finished result
I hope that you have learned a few things from this tutorial and have walked away with some new knowledge. If something in this tutorial is not clear, please feel free to post a comment and I will try to explain it further. Until next time, happy reversing.
============================================================================================
我也用OD試了一下,可能是因為不會用的問題吧,拖入進去木有反應,SO放棄了老外這種方法了。