Using jhsdb (HotSpot Debugger) to crack encrypted Java applications
One solution to protect Java code is class file encryption. This solution involves loading encrypted class files or jar files using a custom loader. However, this method is ineffective: the JVM's Attach mechanism lets a debugger inspect the classes after the loader has decrypted them in memory, so the protection can be easily cracked using tools that come with the JDK.
Here is an example application with a simple Swing window and button.
Export a runnable jar file using Eclipse, and encrypt the jar file with an encryption tool. After encryption, the structure of the jar file is as follows:
test-swing-app.jar holds the encrypted jar file data, and the Launcher class is the tool's custom loader class. The encrypted jar package can still be executed using the standard java -jar command.
First, run the encrypted jar file, then locate the bin directory of the JDK. You should be able to find a jhsdb file.
Execute jhsdb hsdb to open the HotSpot debugger. If you are on Windows, you may need to run it as an administrator. Click File, then select Attach to HotSpot process...
Find the process ID (pid) of the Java process, using the "ps aux | grep java" command on Linux or Task Manager on Windows, and enter the pid in the dialog box.
After successfully attaching, click on Tools -> Class Browser.
The browser-like tool contains information about all loaded classes. If you search for com.example, you may see all the classes under com.example.
Click com.example.TestWindow @0x0000…, then click "Create .class File".
cd to the directory where you previously executed the jhsdb command, and you will see the generated class files.
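On Linux, the HotSpot Serviceability Agent behind jhsdb attaches through ptrace, so a host running an encrypted application can check which JVMs currently have a tracer attached and how kernel.yama.ptrace_scope limits such attaches. The script below is an added example, not part of the original article or of any encryption tool; the proc-root argument, the function names and the sample process tree are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: Linux-side check for a debugger attached to a JVM.
# The proc-root argument and make_sample_proc are assumptions of this example.

# Print one field (e.g. Name, TracerPid) from a /proc/<pid>/status file.
status_field() {  # $1 = status file, $2 = field name
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# Describe a kernel.yama.ptrace_scope value in terms of who may attach.
ptrace_scope_risk() {  # $1 = numeric value
    case "$1" in
        0) echo "open: same-user processes can attach" ;;
        1) echo "restricted: only ancestors or CAP_SYS_PTRACE can attach" ;;
        2) echo "admin-only: CAP_SYS_PTRACE required" ;;
        3) echo "disabled: no process can attach" ;;
        *) echo "unknown" ;;
    esac
}

# For every process named "java" under $1 (default /proc), print
# "<pid> <tracer pid> TRACED|clean". A non-zero TracerPid means a
# ptrace-based debugger is currently attached to that JVM.
audit_jvms() (
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        [ "$(status_field "$dir/status" Name)" = "java" ] || continue
        tracer=$(status_field "$dir/status" TracerPid)
        if [ "${tracer:-0}" -ne 0 ]; then
            echo "${dir##*/} $tracer TRACED"
        else
            echo "${dir##*/} 0 clean"
        fi
    done
)

# Constructed sample tree: one traced JVM, one untraced JVM, one non-JVM.
make_sample_proc() {  # $1 = empty directory to populate
    mkdir -p "$1/100" "$1/200" "$1/300"
    printf 'Name:\tjava\nState:\tt (tracing stop)\nTracerPid:\t4321\n' > "$1/100/status"
    printf 'Name:\tjava\nState:\tS (sleeping)\nTracerPid:\t0\n' > "$1/200/status"
    printf 'Name:\tbash\nState:\tS (sleeping)\nTracerPid:\t0\n' > "$1/300/status"
}

sample=$(mktemp -d)
make_sample_proc "$sample"
audit_jvms "$sample"
rm -rf "$sample"
```

On a real host, call audit_jvms with no argument to scan /proc, and pass the contents of /proc/sys/kernel/yama/ptrace_scope to ptrace_scope_risk.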