Using jhsdb (HotSpot Debugger) to crack encrypted Java applications

One approach to protecting Java code is class file encryption: encrypted class files or jar files are loaded by a custom loader. However, this method is ineffective because of the JVM's Attach mechanism, and it can easily be cracked with tools that ship with the JDK. The loader has to hand decrypted bytecode to the JVM, so the plain classes are present in the memory of the running process.

Example application

Here is an example application with a simple Swing window and a button.

https://github.com/3-keys/test-swing-app

Encrypting the application

Export a runnable jar file using Eclipse, and encrypt the jar file with an encryption tool. After encryption, the structure of the jar file is as follows:

test-swing-app.jar holds the encrypted jar data, and the Launcher class is the tool's custom loader class. The encrypted jar can still be run with the standard java -jar command.

Cracking encrypted applications

First, run the encrypted jar file, then locate the bin directory of the JDK. You should find a jhsdb executable there.

Run jhsdb hsdb to open the HotSpot Debugger. On Windows, you may need to run it as an administrator. Click File and select Attach to HotSpot process...

Find the process ID (pid) of the Java process, with the "ps aux | grep java" command on Linux or through Task Manager on Windows, and enter it in the dialog box.

After successfully attaching, click on Tools -> Class Browser.

This browser-like tool contains information about all loaded classes. If you search for com.example, you may see all the classes under com.example.

Click com.example.TestWindow @0x0000…, then click "Create .class File".

Change to the directory where you ran the jhsdb command, and you will see the generated class files.

Open the class file with Luyten or jadx, and you can see the decompiled code.
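
A defender-side check for the attach step above, as an added example that is not from the original article: on Linux, jhsdb attaches to a live process through ptrace, so a JVM with a debugger attached shows a non-zero TracerPid in /proc/<pid>/status, and the Yama ptrace_scope setting governs who may attach. The process name "java", the function names and the sample status text are assumptions constructed for illustration.

```python
import os

# Constructed sample of /proc/<pid>/status for a JVM with a tracer attached.
SAMPLE_TRACED = "Name:\tjava\nState:\tt (tracing stop)\nPid:\t4242\nTracerPid:\t4310\n"

# Meaning of the /proc/sys/kernel/yama/ptrace_scope values (Linux Yama LSM).
YAMA_LEVELS = {
    0: "classic: any process running as the same user may attach",
    1: "restricted: only an ancestor or a declared tracer may attach",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "no attach: ptrace attach is disabled",
}

def parse_status(text):
    """Turn the 'Key:<tab>value' lines of a status file into a dict."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {key.strip(): value.strip() for key, sep, value in pairs if sep}

def tracer_of(status_text, process_name="java"):
    """Return the tracer's pid if this is a traced process_name process, else None."""
    fields = parse_status(status_text)
    if fields.get("Name") != process_name:  # assumption: the JVM runs as "java"
        return None
    return int(fields.get("TracerPid", "0")) or None

def scan_proc(proc_root="/proc"):
    """Return [(pid, tracer_pid)] for each traced java process under proc_root."""
    hits = []
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                tracer = tracer_of(fh.read())
        except OSError:  # process exited, or its status file is not readable
            continue
        if tracer:
            hits.append((int(entry), tracer))
    return sorted(hits)

def ptrace_policy(path="/proc/sys/kernel/yama/ptrace_scope"):
    """Describe the host's Yama ptrace policy, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return YAMA_LEVELS.get(int(fh.read()))
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    print("ptrace policy:", ptrace_policy(), "| traced JVMs:", scan_proc())
```

TracerPid is non-zero only while a tracer is attached, so this is a point-in-time check.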
