I'm trying to figure out what a Java applet's class file is doing under the hood. Opening it up with Notepad or Textpad just shows a bunch of gobbledy-gook.
Is there any way to wrangle it back into a somewhat-readable format so I can try to figure out what it's doing?
Environment == Windows w/ VS 2008 installed.
jd-gui is the best decompiler at the moment. it can handle newer features in Java, as compared to the getting-dusty JAD.
If you don't mind reading bytecode, javap should work fine. It's part of the standard JDK installation.
Usage: javap <options> <classes>...
where options include:
-c Disassemble the code
-classpath <pathlist> Specify where to find user class files
-extdirs <dirs> Override location of installed extensions
-help Print this usage message
-J<flag> Pass <flag> directly to the runtime system
-l Print line number and local variable tables
-public Show only public classes and members
-protected Show protected/public classes and members
-package Show package/protected/public classes
and members (default)
-private Show all classes and members
-s Print internal type signatures
-bootclasspath <pathlist> Override location of class files loaded
by the bootstrap class loader
-verbose Print stack size, number of locals and args for methods
If verifying, print reasons for failure
As pointed out by #MichaelMyers, use
javap -c <name of java class file>
to get the JVM assembly code. You may also redirect the output to a text file for better visibility.
javap -c <name of java class file> > decompiled.txt
You want a java decompiler, you can use the command line tool javap to do this. Also, Java Decompiler HOW-TO describes how you can decompile a class file.
you can also use the online java decompilers available. For e.g. http://www.javadecompilers.com
Using Jad to decompile it is probably your best option. Unless the code has been obfuscated, it will produce an okay result.
what you are looking for is a java de-compiler. I recommend JAD http://www.kpdus.com/jad.html It's free for non commercial use and gets the job done.
Note: this isn't going to make the code exactly the same as what was written. i.e. you're going to lose comments and possibly variable names, so it's going to be a little bit harder than just reading normal source code. If the developer is really secretive they will have obfuscated their code as well, making it even harder to read.
cpuguru, if your applet has been compiled with javac 1.3 (or less), your best option is to use Jad.
Unfortunately, the last JDK supported by JAD 1.5.8 (Apr 14, 2001) is JDK 1.3.
If your applet has been compiled with a more recent compiler, you could try JD-GUI : this decompiler is under development, nevertheless, it generates correct Java sources, most of time, for classes compiled with the JDKs 1.4, 1.5 or 1.6.
DarenW, thank you for your post. JD-GUI is not the best decompiler yet ... but I'm working on :)
jd-gui "http://code.google.com/p/innlab/downloads/detail?name=jd-gui-0.3.3.windows.zip&can=2&q=" is the best and user friendly option for decompiling .class file....
That's compiled code, you'll need to use a decompiler like JAD: http://www.kpdus.com/jad.html
You need to use a decompiler. Others have suggested JAD, there are other options, JAD is the best.
I'll echo the comments that you may lose a bit compared to the original source code. It is going to look especially funny if the code used generics, due to erasure.
JAD and/or JADclipse Eclipse plugin, for sure.
If the class file you want to look into is open source, you should not decompile it, but instead attach the source files directly into your IDE. that way, you can just view the code of some library class as if it were your own
As suggested you can use JAD to decompile it and view the files. To make it easier to read you can use the JADclipse plugin for eclipse to integrate JAD directly to eclipse or use DJ Java Decompiler which is much easier to use than command line JAD
JAD is an excellent option if you want readable Java code as a result. If you really want to dig into the internals of the .class file format though, you're going to want javap. It's bundled with the JDK and allows you to "decompile" the hexadecimal bytecode into readable ASCII. The language it produces is still bytecode (not anything like Java), but it's fairly readable and extremely instructive.
Also, if you really want to, you can open up any .class file in a hex editor and read the bytecode directly. The result is identical to using javap.
There is no need to decompile Applet.class. The public Java API classes sourcecode comes with the JDK (if you choose to install it), and is better readable than decompiled bytecode. You can find compressed in src.zip (located in your JDK installation folder).
CFR - another java decompiler is a great decompiler for modern Java written i Java 6.
Related
I know a good hacker can obtain the source code of my Java files but I want to at least make it difficult for any one else to do so.
I can use ProGuard to obfuscate my jar file and the next step is to convert the jar file into Windows exe, Ubuntu bin?, Mac Os ...
What are the free software to do so?
None at all. java-code is always compiled into .class-files, which are bundled into .jar-files. Just change the file-extension of a jar into .zip and try to open it. You can create a launcher for the app, but the app itself is written in java. Next point:
"A good hacker" isn't necessary. There are decompilers out there available to anyone, which can convert .class-files into readable java-files. Obfuscating code alters variable- and class-names in a way that makes them unusable for human readers; good obfuscators in addition alter the bytecode in a way that makes the code (nearly) decompileable. And .exe and the counterparts on Linux and Mac OS are decompile-able as well, so there isn't much use in it anyways.
In general: executable binaries more secure than a .jar-file. The vital point is to obfuscate the byte-code properly.
I have a jar, which contains a line of code which compares two doubles, one having the value of 0.7, but I need to be able to change that to 0.0.
I cannot use reflection or anything like that because of the fact that this is a compiled jar file (not open source) but changing this value is crucial, because if it stays at 0.7 there is a huge lag problem.
I was thinking of editing bytecode, but cannot find any good software to do so.
I appreciate any help with this.
Look into how to decompile the program Java classes, and then re-compile the software yourself.
How do I "decompile" Java class files?
From another similar question: (Change string constant in a compiled class)
If you have the sources for this class, then my approach is:
Get the JAR file
Get the source for the single class
Compile the source with the JAR on the classpath (that way, you don't have to compile anything else; it doesn't hurt that the JAR already contains the binary). You can use the latest Java version for this; just downgrade the compiler using -source and -target.
Replace the class file in the JAR with the new one using jar u or an Ant task
If you can decompile the class, you can make the change and recompile it. Then roll up the jarfile with your patched class. It depends on the class and the JDK used to compile it how easy this will be.
References: JAD (Wiki link because JAD is basically a dead project, though it continues to work when I need it to.) If you use Eclipse, you might have luck with JD-Eclipse. There is also the Procyon project, which I have had limited success with.
Besides using (Hex) Editor or decompiler, use can use a byte code manipulation lib like asm. You actually might even be able to use an pre-load agent to transform the code on the fly.
I have just downloaded a third party java library which i need for a program i'm about to create.
But i can't figure out how to actually install the library so that i can literally type
import path.to.library;
in my java class file without having any errors.
I have looked at many tutorials and answers on StackOverflow but each of them seems to include the use of some or the other IDEs for java.
Well, i'm a bit rustic and would like to know how to make it work with notepad and the command line, coz that's what i use to make a program.
When you are compiling, include the following in your line:
-classpath nameOfJar.jar
However, once you actually switch to use an IDE, you will see the multiple benefits this approach can bring.
You don't specify a path in the import statement, just the package name.
All usable JAR files have to be specified in the classpath on commandline when starting your Java program.
You need to understand how Java's classpath works. For a comprehensive description, read the Oracle manual page on this topic. Alternatively the PATH and CLASSPATH page of the Java Tutorial.
(FWIW - it is generally considered to be a bad idea to use the CLASSPATH environment variable to set the classpath, because this is liable to lead to "nasty surprises" if you deal with software that requires different classpaths.)
If you don't use any IDE you won't have code complete. However if you know all the packages/classes/methods names/signitures you can use pure Notepad and then compile it by adding the library to your classpath (eg. using the -cp switch in the javac command when compiling)
JARs are not required to be installed. They required to be accessible at compile- and run- time. You can add jar by command line parameter or CLASSPATH environment variable. IDEs have special means for setting JAR;s location in visual manner.
You'll need to be more specific about what you have tried so far. This generally isn't something complex though, if you want to manually invoke the compiler you would do something like
javac -cp somejar.jar myclass
Once you get used to this process, it's better to automate it using a build tool such as ant or maven. Ant is a little easier to begin with, maven has some additional capabilities that make it a little more complex.
We have normal java files residing in the SVN. We have made some changes in those files , but it happens that , those files are lost (they are not in SVN). But we have the class files that are generated using the newly changed files.
Can we use the class files , decompile them and compare it against SVN. What is the easiest way to do it?
There are about 400 changed files. So comparing one by one is not feasible.
I am looking for any tool or scripts.
Also is there any decompiler , that would decompile a whole folder at one go?
Thanks
For decompiling use JAD, most commonly used tool. Comparing is a bit tricky though. I would suggest the following scenario:
Grab the latest source code from SVN
Build it
Decompile it (!)
Take your compiled classes that include some modifications but you don't have sources
Decompile them as well
Compare both decompiled sources directories
Why compiling and decompiling the original source codes? Because JAD produces pretty good results, but it will never generate the exact same sources that were used. So if you want to avoid headaches when comparing original sources and decompiled ones (and pinpoint the actual differences quickly), you have to compare two JAD outputs rather than original source and synthetic JAD output.
I hope having two directory structures to compare won't be a problem for you. You can use Total Commander on Windows or various utilities/scripts on Linux, like:
$ diff -r dir1 dir2
jad can decompile a whole folder but the result depends on a couple of factors. First, JAD only supports Java 4 well. Java 5 and up will contain odd byte code chunks that JAD didn't understand.
If the code is compiled with debug symbols, you can realign line numbers (the jadclipse plugin can do that) but JAD itself can't do it.
If you compiled the code with -g:source, then the class files contain the complete source code. At first glance, I don't know how to get at this but tools like javap (comes with the JDK) or ASM should allow you to get it.
It is possible to compare a decompiled source file with the orginal, provided you did not use obfuscation when generating class files. However, automated comparison will be difficult because the decompiled source is often slightly different than the original source due to compiler optimization for example.
Personally I use jad as a decompiler, but I'm not sure you can provide it with a whole folder at one go.
I used the below command(jad decompiler) to compile all the class files in a folder in one go.
jad -o -r -sjava -dsrc tree/**/*.class
Use jd-gui, very good decompiler, but the compering ... its going to be painful.
Right now im doing exactly that, using http://java.decompiler.free.fr/ to decompile and beyond compare (http://www.scootersoftware.com/) to compare packages and files. It looks like a great idea to make a fast compare against the actual version (svn) compiled and decompiled, to check which files (and which sections) are up to date.
Is it possible to convert a .class file to .java file?
How can this be done?
What about the correctness of the code extracted from this option?
It is possible. You need a Java Decompiler to do this.
You'll find mostly it'll do a surprisingly good job. What you'll get is a valid .java file which will compile to the .class file but this .java file won't necessarily be the same as the original source code. Things like looping constructs might come out differently, and anything that's compile time only such as generics and annotations won't be re-created.
You might have a problem if the code has been obfuscated. This is a process which alters the class files to make them hard to decompile. For example, class and variable names are changed to all be similar so you'll end up with code like aa.a(ab) instead of employee.setName(name) and it's very hard to work out what's going on.
I remember using JAD to do this but I don't think this is actively maintained so it may not work with never versions of Java. A Google search for java decompiler will give you plenty of options.
This is possible using one of the available Java decompilers. Since you are working from byte-code which may have been optimised by the compiler (inlining static variables, restructing control flow etc) what you get out may not be exactly the same as the code that was originally compiled but it will be functionally equivalent.
Adding to the previous answers: recently, a new wave of decompilers has been coming, namely Procyon, CFR, JD, Fernflower
Here's a list of modern decompilers as of March, 2015:
Procyon
CFR
JD
Fernflower
You may test above mention decompilers online, no installation required and make your own educated choice.
Java decompilers in the cloud: http://www.javadecompilers.com/
It is always possible. Search for "java disassembler".
But source code comments and temporary variables will not be available.
If you decompile a class and see the code is too complex with variable names and method names are like a,b,c... that means that the project is obfuscated.
Not exactly a decompiler, but the JDK contains javap, a disassembler:
javap -c org.example.MyClass
Depending on your usecase, it might still be interesting to know or use.
Note that results of class file decompilation depend on the included information within a class file. If I remember correctly, included debug information (see -g flag of javac) is important, especially for naming of variables and the like.
DJ is the easy to use java decompiler . Just open any .class file and it will show you its java code.
Also, you can use jadClipse plugin for eclipse to directly decompile the .class into .java
What about the correctness of the code extracted from this option?
In any case, the code which will be generated by any java decompiler will not be the same as it was written in orginal java class. As it just decodes the bytecode into java code. The only thing you can be sure is, that the output will be same as the output of orginal java code.