Merge jar files to simplify remote debugging of closed source java applications

Posted by Hans-Martin Münch on 31 Oct 2018 | Tags: Java Offensive Debugging

When it comes to analyzing closed source Java Applications, most researchers quickly fire up decompilers like JD-GUI and start analyzing. These tools are fine, however they only allow static analysis. In case of complex code it is often much better to attach a debugger and analyze the application during runtime.

Unlike dnspy (a decompiler for .NET applications), JD-GUI itself doesn’t provide any debugging capabilities. However, it is possible to extend IDEs like Intellij or Eclipse with a decompiler plugin.

To debug an external application, you basically do the following:

  • Create a new Java Project, and include the .class and jar files as external in the build path.
  • Enable remote debugging in the start configuration of the target
  • Configure a remote target inside Eclipse

JD-Eclipse has its own issues, one is the problem of finding/decompiling a .class file that is located in another jar archive. We can work around this problem by placing all .class files in one big jar file.

jarjarbigs.py is a simple Python script that does exactly that. It traverses recursively through a directory, unpacks all jar/war/ear files and merges the class file into one jar file. This jar file can then be included as an external jar file within an eclipse project. The script is based on the idea of Matthias Kaiser, who used rsync for this task.

h0ng10@rocksteady ~/w/jarjarbigs> python3 jarjarbigs.py -h
--- jarjarbigs.py 0.1 by MOGWAI LABS GmbH --------------------------------------

usage: jarjarbigs.py [-h] [-l LOGFILE] [-x XML] source destination

jarjarbigs.py - create a huge jar file from existing jar/war/ear files

positional arguments:
  source                source directory with jar/war/ear files
  destination           destination jar file

optional arguments:
  -h, --help            show this help message and exit
  -l LOGFILE, --logfile LOGFILE
                        Create a log file which jar contains which classes
  -x XML, --xml XML     Create a second zip archive that contains all xml- and
                        property files

Using jarjarbigs.py is quite simple, just provide the directory with the jar files and the name of the new jar file.

python3 jarjarbigs.py /home/h0ng10/temp/java/testclient/ /home/h0ng10/temp/merged.jar                                                                                                  
--- jarjarbigs.py 0.1 by MOGWAI LABS GmbH --------------------------------------

[+] Processing /home/h0ng10/temp/java/testclient/applications/ScriptGridBean-v2.2.jar
[+] Processing /home/h0ng10/temp/java/testclient/applications/POVRayGridBean-v3.6.jar
[+] new archive(s) found: ['/tmp/jarjarbigsugf0yecm/png.jar']
[+] Processing /tmp/jarjarbigsugf0yecm/png.jar
[+] Processing /home/h0ng10/temp/java/testclient/applications/GenericGridBean-v2.3.jar
[+] Processing /home/h0ng10/temp/java/testclient/jre_1.8.101/lib/charsets.jar
[+] Processing /home/h0ng10/temp/java/testclient/jre_1.8.101/lib/management-agent.jar
[+] Processing /home/h0ng10/temp/java/testclient/jre_1.8.101/lib/resources.jar
[+] Processing /home/h0ng10/temp/java/testclient/jre_1.8.101/lib/jce.jar
[+] Processing /home/h0ng10/temp/java/testclient/jre_1.8.101/lib/jsse.jar
[+] Processing /home/h0ng10/temp/java/testclient/jre_1.8.101/lib/ext/nashorn.jar
[+] Processing /home/h0ng10/temp/java/testclient/jre_1.8.101/lib/ext/zipfs.jar
[+] Processing /home/h0ng10/temp/java/testclient/jre_1.8.101/lib/ext/sunec.jar
[+] Processing /home/h0ng10/temp/java/testclient/jre_1.8.101/lib/ext/cldrdata.jar
[+] Processing /home/h0ng10/temp/java/testclient/jre_1.8.101/lib/ext/sunjce_provider.jar
[+] Processing /home/h0ng10/temp/java/testclient/plugins/de.fzj.unicore.rcp.terminal_7.4.0.jar  
[+] Processing /home/h0ng10/temp/java/testclient/plugins/org.eclipse.swt.gtk.linux.x86_64_3.107.0.v20180611-0422.jar  
[+] Processing /home/h0ng10/temp/java/testclient/plugins/org.sat4j.pb_2.3.5.v201404071733.jar  
[+] Creating jar archive /home/h0ng10/temp/merged.jar

jarjarbigs.py will go recursively through each subdirectory and merge all class files from jar, war and ear archives. This also includes jar files that are part of extracted war/ear archives. The generated jar archive can then be added as external JAR to the Eclipse project.

Other features

log file
jarjarbigs.py can create a text file that logs which archive contained which .class file. This can be useful if you need to create a small PoC tool that only references the necessary classes/jar files. Use the “-l” parameter to do that.

python3 jarjarbigs.py /opt/path/to/application /home/h0ng10/work/merged.jar -l /tmp/jarjarbigs.log

A typical log file looks like this:

POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_oFFs.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_gIFx.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_pHYs.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngBitMover8RGBA.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_iTXt.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngBitMover4G.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngUnfilterInputStream.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_IHDR.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_tIME.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_iCCP.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngBitMover8G.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngAbstractTextChunk.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngBitMover16G.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_IEND.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngAdam7Interlacer.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_sBIT.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_hIST.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngBitMover16GA.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngBitMover.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngTextChunk.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngIDATInputStream.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngPngImage$Data.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_tRNS.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_pCAL.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngPngExceptionSoft.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunkHandler.class
POVRayGridBean-v3.6.jar: com/sixlegs/image/pngChunk_PLTE.class

store xml-/properties files
war/ear archives also contain XML- or properties files like web.xml which would not be included in the generated JAR archive. As these files often provide useful information when analyzing an application, jarjarbigs.py can store these files in a separate zip archive.

python3 jarjarbigs.py /opt/path/to/application /home/h0ng10/work/merged.jar -x /tmp/application.xml

You can find jarjarbigs.py at GitHub.