In the previous tutorials, I’ve described the simple Java byte code structure and stated to reverse a simple Hello World Java application. In this tutorial, I will describe the remaining parts of the class file.
Access Flags
The next byte after constant pool is Access Flag. First two bytes (00 21) shows that this class is super+ public.
List of access flags is attached below:
This Class and Super Class
Next two bytes are this class (00 05) and the followed two bytes are super class (00 06). Which means that cp[05] is this class (HelloWorld) and cp[06] is super class (<java/lang/Object>). You may check previous article about reversing java for constant pool entries.
Interfaces
The next two bytes after, are interfaces count which shows the number of interfaces which are implemented in this class. Thus the simple Hello World does not implement any interfaces, number of interfaces is 0 (00 00).
Fields
The next two bytes after, are fields count which shows the number of fields which are used in this class. Thus the simple Hello World does not have any field, number of interfaces is 0 (00 00). As a note, fields are variables that are defined inside class structure and are accessible through all class members.
class test {
public String fieldString = "A Simple field variable";
public test() {
}
}
Methods
The next two bytes shows the methods count (00 02). Here we have two methods which follows method info structure:
First Method
We start to analyze the bytes of the first method.
00 01 => Access Flag => public
00 07 => Name Index (cp[07]) => <init>
00 08 => Descriptor Index (cp[08]) => ()V (means void)
00 01 => Attribute Count (1)
Attribute Info:
00 09 => Attribute Name Index (cp[09]) => Code
00 00 00 1d => Code Length (Code attribute followed by four bytes indicating code length, thus java class can have maximum FF FF FF FF = 4,294,967,295 lines of code!) => 29
00 01 => Maximum Stack Depth => 1
00 01 => Maximum Local Variables => 1
00 00 00 05 => Code Length => 5
Byte Codes (next 5 bytes):
2a b7 00 01 b1 (Check Java bytecode instruction listings for byte codes table):
2a => aload_0
b7 00 01 => invokespecial cp[01] => invokespecial java/lang/Object/<init>()V
b1 => return
Next LineNumberTable attribute is parsed:
00 00 00 01 => 1 Line Table
00 0a => Name Index (cp[10]) => LineNumberTable
00 00 00 06 => Attribute Length => 6
00 01 => Line Number Table Lenght => 1
00 00 => start pc => 0
00 01 => Line Number => 1
Second Method
00 09 => Attribute Name Index (cp[09]) => Code
00 0b => Name (cp[11]) => <main>
00 0c => Descriptor (cp[12]) => ([Ljava/lang/String;)V
00 01 => Access Flag => public static
00 09 => Attribute Name Index (cp[9]) => Code
00 00 00 25 => Code Length => 37
00 02 => Maximum Stack Depth => 2
00 01 => Maximum Local Variables => 1
00 00 00 09 => Code Length => 9
Byte Codes (next 9 bytes):
b2 00 02 12 03 b6 00 04 b1 (Check the same link at the above for byte codes table):
getstatic cp[2] => java/lang/System/out Ljava/io/PrintStream;
ldc cp[3] => Hello World!
invokevirtual cp[4] => java/io/PrintStream/println(Ljava/lang/String;)V
return
00 00 00 01 => 1 Line Table
00 0a => Name Index (cp[10]) => LineNumberTable
00 00 00 0a => Attribute Length => 10
00 02 => Line Number Table Lenght => 2
Number 1:
00 00 => start pc => 0
00 03 => Line Number => 3
Number 2:
00 08 => start pc => 8
00 04 => Line Number => 4
Attributes
Remaining bytes are attributes of this class file. first two bytes are attributes count which is obviously 1 (00 01).
00 0d => Attribute Name Index (cp[13]) => SourceFile
00 00 00 02 => Length => 2
00 0e => Source File Name Index (cp[14]) => HelloWorld.java
The last two bytes (00 0e = cp[14]) shws the source file which is compiled to this class file.
Conclusion
A simple java Hello World example is compiled and reversed through the 3 part tutorial. You may use external tools to view (or edit) class files. Some useful tools are:
Also the class file is attached: Hello World.class