Monday, November 19, 2007

Hacking Java I

Java is said to be safe because the JVM takes care of everything (loading, linking, resolution and so on). That is true, but it does not make Java safe against careless use. When the JVM loads a class file it does not take for granted that the file was produced by a Java compiler: it checks the file format and then checks the bytecode itself. This second step is known as bytecode verification and it is meant to stop structurally or type-unsafe code from ever being invoked.

A class that fails verification is indeed a bad class file. But a class that passes it is not therefore correct: the verifier checks that the bytecode is type-safe, not that it does what the source code said.

To demonstrate this I will use a small, harmless example: we compile Java source code and then deform the resulting class file so that its behaviour changes, without touching the source or recompiling.

Here is the code...

public class JavaHack {

    public static void main(String[] args) {
        int a = 6;
        int b = DivideBy2(a);
        int c = DivideBy3(a);
        System.out.println("" + a + "/2 = " + b);
        System.out.println("" + a + "/3 = " + c);
    }

    public static int DivideBy2(int i) { return i / 2; }
    public static int DivideBy3(int j) { return j / 3; }

}


Compile and run it and you get the expected output:
6/2 = 3
6/3 = 2

Now open a hex editor such as HxD.
Open JavaHack.class with the editor and search for the byte sequence 0xB8 0x00 0x02 0x3D 0x1B (that is invokestatic #2; istore_2; iload_1), then change the 0x02 byte to 0x03. The constant pool indices depend on the compiler version, so confirm them first with javap -c -verbose JavaHack, which prints both the constant pool and the disassembled main.
Then run the patched JavaHack class directly, without recompiling. The output becomes:
6/2 = 2 (!)
6/3 = 2

DivideBy2 appears to return wrong results, but in fact it is no longer called at all. The operand of invokestatic is not an index into a method table; it is a two-byte index into the class file's constant pool, and it must point at a CONSTANT_Methodref entry that names the class, method and descriptor to call. In the class javac produced here, #2 is JavaHack.DivideBy2:(I)I and #3 is JavaHack.DivideBy3:(I)I, so the bytes 0xB8 0x00 0x02 disassemble to invokestatic #2. Changing the operand to 0x03 turns the first call into invokestatic #3, so DivideBy3 is called twice, which explains the output of the modified class. The patched class still passes verification because the verifier only checks that each call is type-consistent with the descriptor of the entry it references, and both entries share the descriptor (I)I. Retargeting the call at an entry with a different descriptor (main, with ([Ljava/lang/String;)V, for instance) would be rejected with a VerifyError at load time.
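The byte pattern searched for above only makes sense once you know what the operand 0x00 0x02 indexes. The following script is added here as an example and is not part of the original post: it parses a class file's constant pool, lists the Methodref entries (the part of the javap output this hack needs), and performs the same invokestatic retargeting programmatically, but only after checking that the old and new targets share a descriptor, which is the property that lets the patched class pass verification. With no arguments it runs against a constructed stand-in for JavaHack.class whose #2 and #3 mirror javac's layout (the sample is hypothetical bytes and is not a loadable class); given a path it works on a real class file. The function names, the sample bytes and the .patched output name are my own choices.

```python
import struct
import sys


def parse_constant_pool(data):
    """Parse the constant pool of a class file.

    Returns (pool, end): pool[i] is (tag, value) for 1-based index i (pool[0]
    and the slot after a Long/Double are None); end is the offset just past
    the pool, where access_flags begins.
    """
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off, i = [None] * count, 10, 1
    while i < count:
        tag = data[off]
        if tag == 1:                          # Utf8 (modified UTF-8; ASCII names decode fine)
            (n,) = struct.unpack_from(">H", data, off + 1)
            pool[i] = (tag, data[off + 3:off + 3 + n].decode("utf-8"))
            off += 3 + n
        elif tag in (3, 4):                   # Integer, Float
            pool[i] = (tag, data[off + 1:off + 5]); off += 5
        elif tag in (5, 6):                   # Long, Double occupy two slots
            pool[i] = (tag, data[off + 1:off + 9]); off += 9; i += 1
        elif tag in (7, 8, 16, 19, 20):       # Class, String, MethodType, Module, Package
            pool[i] = (tag, struct.unpack_from(">H", data, off + 1)[0]); off += 3
        elif tag in (9, 10, 11, 12, 17, 18):  # Fieldref, Methodref, InterfaceMethodref, NameAndType, Dynamic, InvokeDynamic
            pool[i] = (tag, struct.unpack_from(">HH", data, off + 1)); off += 5
        elif tag == 15:                       # MethodHandle
            pool[i] = (tag, struct.unpack_from(">BH", data, off + 1)); off += 4
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off}")
        i += 1
    return pool, off


def methodref(pool, idx):
    """Resolve CONSTANT_Methodref #idx to (class, name, descriptor)."""
    tag, value = pool[idx]
    if tag != 10:
        raise ValueError(f"#{idx} is not a Methodref (tag {tag})")
    class_idx, nat_idx = value
    name_idx, desc_idx = pool[nat_idx][1]
    return pool[pool[class_idx][1]][1], pool[name_idx][1], pool[desc_idx][1]


def list_methodrefs(pool):
    """Every Methodref index with its target: what the hex-editor hack needs from javap -v."""
    return {i: methodref(pool, i) for i, e in enumerate(pool) if e and e[0] == 10}


def retarget_invokestatic(data, old_idx, new_idx):
    """Rewrite each `invokestatic #old_idx` (0xB8 hi lo) to `invokestatic #new_idx`.

    Refuses unless both targets are Methodrefs with the same descriptor: the
    verifier type-checks every call against the descriptor of the entry it
    references, so equal descriptors are what keeps the patched class loadable.
    Like the hex-editor search this matches raw bytes rather than disassembling;
    it skips the constant pool but a false match elsewhere is still possible.
    """
    pool, body = parse_constant_pool(data)
    old, new = methodref(pool, old_idx), methodref(pool, new_idx)
    if old[2] != new[2]:
        raise ValueError(f"descriptor mismatch {old[2]} vs {new[2]}: the verifier would reject the patch")
    pattern = b"\xb8" + struct.pack(">H", old_idx)
    hits = data.count(pattern, body)
    return data[:body] + data[body:].replace(pattern, b"\xb8" + struct.pack(">H", new_idx)), hits


def build_sample_class():
    """Constructed stand-in for the compiled JavaHack.class (hypothetical bytes,
    not loadable: no superclass and only main has a body). #2/#3 mirror javac's
    layout for DivideBy2/DivideBy3; #4 (main) exists to show a descriptor mismatch."""
    def utf8(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
    def u2(*v): return struct.pack(">%dH" % len(v), *v)
    pool = [
        b"\x07" + u2(5),                # 1 Class JavaHack
        b"\x0a" + u2(1, 6),             # 2 Methodref JavaHack.DivideBy2:(I)I
        b"\x0a" + u2(1, 7),             # 3 Methodref JavaHack.DivideBy3:(I)I
        b"\x0a" + u2(1, 8),             # 4 Methodref JavaHack.main:([Ljava/lang/String;)V
        utf8("JavaHack"),               # 5
        b"\x0c" + u2(9, 11),            # 6 NameAndType DivideBy2 (I)I
        b"\x0c" + u2(10, 11),           # 7 NameAndType DivideBy3 (I)I
        b"\x0c" + u2(12, 13),           # 8 NameAndType main ([Ljava/lang/String;)V
        utf8("DivideBy2"), utf8("DivideBy3"), utf8("(I)I"),          # 9, 10, 11
        utf8("main"), utf8("([Ljava/lang/String;)V"), utf8("Code"),  # 12, 13, 14
    ]
    # main: bipush 6; istore_1; iload_1; invokestatic #2; istore_2; iload_1; invokestatic #3; istore_3; return
    code = bytes.fromhex("10063c1bb800023d1bb800033eb1")
    code_attr = u2(2, 4) + struct.pack(">I", len(code)) + code + u2(0, 0)   # max_stack, max_locals, code, no exceptions/attrs
    method = u2(0x0009, 12, 13, 1) + u2(14) + struct.pack(">I", len(code_attr)) + code_attr
    return (struct.pack(">IHHH", 0xCAFEBABE, 0, 49, len(pool) + 1) + b"".join(pool)
            + u2(0x0021, 1, 0, 0) + u2(0) + u2(1) + method + u2(0))      # flags, this, super, ifaces; fields; methods; attrs


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_class()
    pool, _ = parse_constant_pool(data)
    for idx, (cls, name, desc) in sorted(list_methodrefs(pool).items()):
        print(f"#{idx}: {cls}.{name}{desc}")
    old, new = (int(sys.argv[2]), int(sys.argv[3])) if len(sys.argv) > 3 else (2, 3)
    patched, hits = retarget_invokestatic(data, old, new)
    print(f"retargeted {hits} invokestatic #{old} -> #{new}")
    if path:
        open(path + ".patched", "wb").write(patched)
```

Usage: python classpatch.py [JavaHack.class [old new]]. Compare the printed listing with the javap output before trusting the default indices 2 and 3, since constant pool order varies between javac versions; the patched copy is written next to the input with a .patched suffix, and renaming it to JavaHack.class and running it reproduces the "6/2 = 2" result. Asking it to retarget #2 at #4 (main) fails on the descriptor check, which is the same constraint the verifier would enforce at load time.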

The same trick extends to other edits (swapping field references, constants or branch targets), with one constraint: the result must still satisfy the verifier. Edits that break its type rules, such as reading a local variable before anything has been stored in it (the un-initialized variable case), are rejected unless verification is switched off, for example with -Xverify:none on HotSpot. The broader lesson is that bytecode verification is a type-safety check, not an integrity check; if a class file must not be tampered with, sign the JAR or verify a hash of the file before it is loaded.
