Java Bytecode Reversing and Patching Exercise
Description of the Exercise:
Imagine that you have just implemented a Java version of a console
application called “Password Vault” that helps computer users create
and manage their passwords in a secure and convenient way. Before
releasing a limited trial version of the application on your company’s
Web site, you would like to understand how difficult it would be for a
reverse engineer to circumvent a limitation in the trial version that
exists to encourage purchases of the full version; the trial version
of the application limits the number of password records a user may
create to five. The Java version of the Password Vault application was
developed to provide a non-trivial application for reversing exercises
without the myriad of legal concerns involved with reverse engineering
software owned by others. The Java version of the Password Vault
application employs 128-bit AES encryption, using Sun’s Java
Cryptography Extensions (JCE), to securely store passwords for
multiple users—each in separate, encrypted XML files.Software for the Exercise:
Password Vault Java Windows installer FrontEnd Plus (java bytecode
decompiler) Jad (java bytecode decompiler) (if you prefer to work at
the command-line)
首先把文件解压,安装密码库,把jar包解压缩,打开.class文件分析:
整个代码库最重要的部分就是这里的验证密码记录的条数是否大于5,而我们的目的是使密码记录的条数没有限制。
先用javap -verbose PasswordVault命令查看PasswordVault.class文件的字节码内容,找到对应函数的相应位置:
所以我们目前的主要思路有3种:
**1、**修改if_icmplt(比较栈顶两个数size和5,小于则跳转)为ifge(比较栈顶的一个数size,大于等于0跳转)
**2、**修改if_icmplt(比较栈顶两个数size和5,小于则跳转)为goto(无需栈顶的数,无条件跳转)。
**3、**修改return为nop让函数不结束返回。
方法一:修改if_icmplt
修改if_icmplt小于跳转为ifge(小于等于跳转)或goto无条件跳转
用编辑器以16进制打开PasswordVault.class,用搜索功能找到if_icmplt对应的16进制代码A1的位置:
用编辑器把if_icmplt对应的16进制代码A1改为goto对应的16进制代码A7:
将所有的.class文件打包成jar包,并配置主清单属性修改MANIFEST.MF。之后运行jar包:
但是程序在修改的goto这报了错误:当前帧的堆栈大小与stackmap不匹配。打开源字节码:
发现这是因为原字节码中if_icmplt把两个数size和5压入了栈顶进行比较,而goto不需要比较数,直接跳转,所以我们还要修改栈顶让它不要压入数。
我们先尝试将if_icmplt(比较栈顶两个数size和5,小于则跳转)修改为ifge(比较栈顶的一个数size,大于等于0则跳转)、并将iconst_5改为nop:
将所有的.class文件打包成jar包,并配置主清单属性修改MANIFEST.MF。之后运行jar包:
可以看到添加成功:
方法二:修改if_icmplt
修改if_icmplt(比较栈顶两个数size和5,小于则跳转)为goto(无需栈顶的数,无条件跳转),并把size函数删掉。
先查看字节码,修改前:
所以我们要把if_icmplt修改为goto,将从aload_0到iconst_5的字节码都改为nop。
修改后:
将所有的.class文件打包成jar包,并配置主清单属性修改MANIFEST.MF。之后运行jar包:
添加密码记录成功。
方法三:修改return
修改return让函数不返回结束
用编辑器以16进制打开PasswordVault.class,找到刚刚代码的位置,用编辑器把return对应的16进制代码B1改为nop对应的16进制代码00:
将所有的.class文件打包成jar包,并配置主清单属性修改MANIFEST.MF。之后运行jar包:
一直添加密码记录:
结果成功添加7条密码记录,没有限制退出,证明我们已经成功突破限制。