From: phugo@highspeedweb.net
Date: Wed May 12 2004 - 11:59:24 EDT
Hello,
> After having an understanding of the Java class format, the next
> challenge is to find out which byte to change. The byte codes
> are nothing but the assembly language instructions, which are
> interpreted by the JVM at run time. In order to find the exact
> byte it is required to know the opcodes of the JVM instructions.
> Then I found a list of JVM instruction opcodes with their
> mnemonics. Now the next challenge was to search for the exact
> byte in the class file for manipulation.
>
You can do this much more easily using IDA Pro. IDA gives you the full class
disassembly with its opcodes (if you enable it).
I reversed and modified JAVA classes a long time ago. Basically I don't know
anything about Java.
What I did was look at the opcodes and modify them with compatible code doing
what I was looking for, or just nop out the bytes (from what I can remember,
I had to nop full routines due to alignment or something like it).
At the time I did this, I had no opcode table, so I had to do it this brute
way.
> The solution for byte code manipulation can be taken care of by
> implementing hashing for a package; before starting an
> application the hash should be calculated and compared with
> the server-side precalculated hash, and only if both of them
> match allow further execution. Another way to solve the
> problem is to implement server-side checks; no doubt it will
> affect the performance of the server.
Hashing and checksums have always had their problems in such scenarios. If the
user can control the application, the situation is complicated to deal with.
If you can disassemble the JAVA class, you can modify it and recompile it.
So you get the original hash, and return the good hash to the server, but
with the java class modified. And voila, there goes your hash protection.
Server side checks can be beaten too, since you have control of the client
app, so you can verify the checks and return them.
Direct access to the software means basically the same as hardware access,
no 100% protection guarantee (the good side is that you can delay the
reversing, but that's it).
Regards,
Pedro Hugo
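The package-hash check proposed in the quoted text, as an added example (Python; not code from either poster): the server precomputes a SHA-256 per class entry of the package, and a verifier reports any entry that differs, is missing or is unexpected. The entry names and contents are constructed stand-ins, not real compiled classes. As the reply points out, this only detects tampering when the side computing the digest is not under the user's control.

```python
import hashlib
import io
import zipfile

# Constructed sample "package": a JAR is just a zip, so two fake class entries
# (stand-in bytes with a class-file magic, not real compiled code) are enough.
SAMPLE_ENTRIES = {
    "com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x31" + b"A" * 40,
    "com/example/License.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x31" + b"B" * 40,
}

def build_jar(entries):
    """Pack name -> bytes into an in-memory zip (enough of a JAR for hashing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
    return buf.getvalue()

def class_digests(jar_bytes):
    """Server-side step: SHA-256 of every .class entry, keyed by entry name."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def verify_package(jar_bytes, expected):
    """Compare a package against the precalculated digests.
    Returns the names of entries that are modified, missing or unexpected."""
    actual = class_digests(jar_bytes)
    return sorted(
        name for name in set(expected) | set(actual)
        if expected.get(name) != actual.get(name)
    )

def patch_entry(entries, name, offset, value):
    """Change one byte of one entry, to exercise the verifier on a modified package."""
    data = bytearray(entries[name])
    data[offset] = value
    patched = dict(entries)
    patched[name] = bytes(data)
    return patched

if __name__ == "__main__":
    expected = class_digests(build_jar(SAMPLE_ENTRIES))
    print("pristine:", verify_package(build_jar(SAMPLE_ENTRIES), expected))
    tampered = patch_entry(SAMPLE_ENTRIES, "com/example/License.class", 20, 0x00)
    print("tampered:", verify_package(build_jar(tampered), expected))
```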
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT