Reversing Java: Part III

2

In the previous tutorials, I’ve described the simple Java byte code structure and stated to reverse a simple Hello World Java application. In this tutorial, I will describe the remaining parts of the class file.

Access Flags

The next byte after constant pool is Access Flag. First two bytes (00 21) shows that this class is super+ public.

List of access flags is attached below:

Access-Flags

This Class and Super Class

Next two bytes are this class (00 05) and the followed two bytes are super class (00 06). Which means that cp[05] is this class (HelloWorld) and cp[06] is super class (<java/lang/Object>). You may check previous article about reversing java for constant pool entries.

Interfaces

The next two bytes after, are interfaces count which shows the number of interfaces which are implemented in this class. Thus the simple Hello World does not implement any interfaces, number of interfaces is 0 (00 00).

Fields

The next two bytes after, are fields count which shows the number of  fields which are used in this class. Thus the simple Hello World does not have any field, number of interfaces is 0 (00 00). As a note, fields are variables that are defined inside class structure and are accessible through all class members.

class test {
public String fieldString = "A Simple field variable";
public test() {
}
}

Methods

The next two bytes shows the methods count (00 02). Here we have two methods which follows method info structure:

Method Info

First Method

We start to analyze the bytes of the first method.

00 01 => Access Flag => public

00 07 => Name Index (cp[07]) => <init>

00 08 => Descriptor Index (cp[08]) => ()V (means void)

00 01 => Attribute Count (1)

Attribute Info:

00 09 => Attribute Name Index (cp[09]) => Code

00 00 00 1d => Code Length (Code attribute followed by four bytes indicating code length, thus java class can have maximum FF FF FF FF = 4,294,967,295 lines of code!) => 29

00 01 => Maximum Stack Depth => 1

00 01 => Maximum Local Variables => 1

00 00 00 05 => Code Length => 5

Byte Codes (next 5 bytes):

2a b7 00 01 b1 (Check Java bytecode instruction listings for byte codes table):

2a => aload_0

b7 00 01 => invokespecial cp[01] => invokespecial java/lang/Object/<init>()V

b1 => return

Next LineNumberTable attribute is parsed:

Line Number

00 00 00 01 => 1 Line Table

00 0a => Name Index (cp[10]) => LineNumberTable

00 00 00 06 => Attribute Length => 6

00 01 => Line Number Table Lenght => 1

00 00 => start pc => 0

00 01 => Line Number => 1

Second Method

00 09 => Attribute Name Index (cp[09]) => Code

00 0b => Name (cp[11]) => <main>

00 0c => Descriptor (cp[12]) => ([Ljava/lang/String;)V

00 01 => Access Flag => public static

00 09 => Attribute Name Index (cp[9]) => Code

00 00 00 25 => Code Length => 37

00 02 => Maximum Stack Depth => 2

00 01 => Maximum Local Variables => 1

00 00 00 09 => Code Length => 9

Byte Codes (next 9 bytes):

b2 00 02 12 03 b6 00 04 b1 (Check the same link at the above for byte codes table):

getstatic cp[2] => java/lang/System/out Ljava/io/PrintStream;
ldc cp[3] => Hello World!
invokevirtual cp[4] => java/io/PrintStream/println(Ljava/lang/String;)V
return

00 00 00 01 => 1 Line Table

00 0a => Name Index (cp[10]) => LineNumberTable

00 00 00 0a => Attribute Length => 10

00 02 => Line Number Table Lenght => 2

Number 1:

00 00 => start pc => 0

00 03 => Line Number => 3

Number 2:

00 08 => start pc => 8

00 04 => Line Number => 4

Attributes

Remaining bytes are attributes of this class file. first two bytes are attributes count which is obviously 1 (00 01).

00 0d => Attribute Name Index (cp[13]) => SourceFile

00 00 00 02 => Length => 2

00 0e => Source File Name Index (cp[14]) => HelloWorld.java

The last two bytes (00 0e = cp[14]) shws the source file which is compiled to this class file.

Conclusion

A simple java Hello World example is compiled and reversed through the 3 part tutorial. You may use external tools to view (or edit) class files. Some useful tools are:

JD-GUI

Java ByteCode Editor

Also the class file is attached: Hello World.class

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *