[question] Java decompiler for exe

[qespresso]

Dear all,
I found 1 great software to scan ssh socks. The software scan for ip range to get the ssh support ips , after that it brute force the simple login from a txt file.
The question is: Since it an exe file but using Java so I want to ask if is there a way to extract, decompile it in to source.
They sell the software with a silly price so I really need to decompile it.
Thank you very much for your attention in my topic.
Here is the following software

Code: [Select]

https://www.dropbox.com/s/570tet3lfp0e1f3/Lazy%20SSH%201.6.6.rarRequirements
- Java: https://www.java.com/en/download/
- Microsoft Visual C++ 2010: http://www.microsoft.com/en-us/download/details.aspx?id=5555

[Deque]

Since it an exe file but using Java so I want to ask if is there a way to extract, decompile it in to source.

Depends on the program used to wrap or compile the file to exe. There are java wrappers that just put the bytecode or the jar as is somewhere into the exe file and the stub just extracts and runs it. Use this tool and see what information it yields:

https://evilzone.org/evilzone-releases/%28release-source%29-jwscan-scanner-for-java-to-exe-wrapper/

Besides wrappers there are also compilers that really turn the bytecode into machine code. However, I doubt this is the case here.

[qespresso]

Thank you very much for your response. I did it with no luck. Hope to see another solutions for this case. Cheer

Code: [Select]

C:\Users\buda\Downloads\jwscan>java -jar jwscan.jar SSH.exe

____ _  _ _ _    ___  ____ _  _ ____           _ _ _ _ ____ ____ ____ _  _
|___ |  | | |      /  |  | |\ | |___    __     | | | | [__  |    |__| |\ |
|___  \/  | |___  /__ |__| | \| |___          _| |_|_| ___] |___ |  | | \|
                             by Deque

scanning file ...

file name: SSH.exe

Exception in thread "main" java.lang.IllegalArgumentException: MALFORMED
        at java.util.zip.ZipCoder.toString(Unknown Source)
        at java.util.zip.ZipCoder.toStringUTF8(Unknown Source)
        at java.util.zip.ZipInputStream.readLOC(Unknown Source)
        at java.util.zip.ZipInputStream.getNextEntry(Unknown Source)
        at com.github.katjahahn.tools.Jar2ExeScanner.readZipEntriesAt(Jar2ExeSca
nner.scala:47)
        at com.github.katjahahn.tools.Jar2ExeScanner$$anonfun$getZipAddresses$1.
apply$mcZJ$sp(Jar2ExeScanner.scala:104)
        at com.github.katjahahn.tools.Jar2ExeScanner$$anonfun$getZipAddresses$1.
apply(Jar2ExeScanner.scala:102)
        at com.github.katjahahn.tools.Jar2ExeScanner$$anonfun$getZipAddresses$1.
apply(Jar2ExeScanner.scala:102)
        at scala.collection.TraversableLike$$anonfun$filter$1.apply(TraversableL
ike.scala:264)
        at scala.collection.immutable.List.foreach(List.scala:318)
        at scala.collection.TraversableLike$class.filter(TraversableLike.scala:2
63)
        at scala.collection.AbstractTraversable.filter(Traversable.scala:105)
        at com.github.katjahahn.tools.Jar2ExeScanner.getZipAddresses(Jar2ExeScan
ner.scala:102)
        at com.github.katjahahn.tools.Jar2ExeScanner.createReport(Jar2ExeScanner
.scala:78)
        at com.github.katjahahn.tools.Jar2ExeScanner$.invokeCLI(Jar2ExeScanner.s
cala:192)
        at com.github.katjahahn.tools.Jar2ExeScanner$.main(Jar2ExeScanner.scala:
173)
        at com.github.katjahahn.tools.Jar2ExeScanner.main(Jar2ExeScanner.scala)


[Deque]

Thank you very much for your response. I did it with no luck. Hope to see another solutions for this case. Cheer

Code: [Select]

C:\Users\buda\Downloads\jwscan>java -jar jwscan.jar SSH.exe

____ _  _ _ _    ___  ____ _  _ ____           _ _ _ _ ____ ____ ____ _  _
|___ |  | | |      /  |  | |\ | |___    __     | | | | [__  |    |__| |\ |
|___  \/  | |___  /__ |__| | \| |___          _| |_|_| ___] |___ |  | | \|
                             by Deque

scanning file ...

file name: SSH.exe

Exception in thread "main" java.lang.IllegalArgumentException: MALFORMED
        at java.util.zip.ZipCoder.toString(Unknown Source)
        at java.util.zip.ZipCoder.toStringUTF8(Unknown Source)
        at java.util.zip.ZipInputStream.readLOC(Unknown Source)
        at java.util.zip.ZipInputStream.getNextEntry(Unknown Source)
        at com.github.katjahahn.tools.Jar2ExeScanner.readZipEntriesAt(Jar2ExeSca
nner.scala:47)
        at com.github.katjahahn.tools.Jar2ExeScanner$$anonfun$getZipAddresses$1.
apply$mcZJ$sp(Jar2ExeScanner.scala:104)
        at com.github.katjahahn.tools.Jar2ExeScanner$$anonfun$getZipAddresses$1.
apply(Jar2ExeScanner.scala:102)
        at com.github.katjahahn.tools.Jar2ExeScanner$$anonfun$getZipAddresses$1.
apply(Jar2ExeScanner.scala:102)
        at scala.collection.TraversableLike$$anonfun$filter$1.apply(TraversableL
ike.scala:264)
        at scala.collection.immutable.List.foreach(List.scala:318)
        at scala.collection.TraversableLike$class.filter(TraversableLike.scala:2
63)
        at scala.collection.AbstractTraversable.filter(Traversable.scala:105)
        at com.github.katjahahn.tools.Jar2ExeScanner.getZipAddresses(Jar2ExeScan
ner.scala:102)
        at com.github.katjahahn.tools.Jar2ExeScanner.createReport(Jar2ExeScanner
.scala:78)
        at com.github.katjahahn.tools.Jar2ExeScanner$.invokeCLI(Jar2ExeScanner.s
cala:192)
        at com.github.katjahahn.tools.Jar2ExeScanner$.main(Jar2ExeScanner.scala:
173)
        at com.github.katjahahn.tools.Jar2ExeScanner.main(Jar2ExeScanner.scala)


Congrats and thank you for finding a bug in my program.
Here is a scan after correcting the bug:

Code: [Select]

scanning file ...

file name: Lazy SSH.exe

Signatures found:
* Jar2Exe.com signature
* PZIP Magic Number (weak indication for embedded zip)

Entry point: 0x14f9b

ZIP/Jar offsets: 0x423a8, 0x105084
So you know now it was done with the tool jar2exe and you know two file offsets the jar is probably saved in.
If you are on windows you could give it a shot to just rename the .exe to .zip and try to open it with e.g. 7zip.
See if you can extract the .class files like that. If that doesn't work, you should try to cut the jar at the offsets specified and try to extract after. You can use my tool for doing so, but I have to upload the corrected version first.

Once you have the .class files decompiling them should be a piece of cake.

Write again if you have any problems.

[qespresso]

Thank you for your reply,
I tried the updated version and it go smoothly and got the same with yours result.
As your suggestion I renamed to.zip and extracted but the .class files only 7kB while the original file is 1MB.
Using Dj java decompiler I could extract the source but seem like it not so helpful in this case.

I still confuse about the step of your suggestion :  "try to cut the jar at the offsets specified and try to extract after"
I tried the -d option to extract the dump file but to be honest I don't know what next step with this.
Since Java is new to me, I'm sorry for any troubles and really appreciate to get your next response

[Deque]

Thank you for your reply,
I tried the updated version and it go smoothly and got the same with yours result.
As your suggestion I renamed to.zip and extracted but the .class files only 7kB while the original file is 1MB.
Using Dj java decompiler I could extract the source but seem like it not so helpful in this case.

I still confuse about the step of your suggestion :  "try to cut the jar at the offsets specified and try to extract after"
I tried the -d option to extract the dump file but to be honest I don't know what next step with this.
Since Java is new to me, I'm sorry for any troubles and really appreciate to get your next response

Renaming the whole file to .zip probably only gave you the first embedded jar.
There is a second jar. You use the tool to extract it.

Code: [Select]

java -jar jwscan.jar -d 105084 Lazy\ SSH.exe
You should get an output like this:

Code: [Select]

file name: Lazy SSH.exe

Signatures found:
* Jar2Exe.com signature
* PZIP Magic Number (weak indication for embedded zip)

Entry point: 0x14f9b

ZIP/Jar offsets: 0x423a8, 0x105084

successfully dumped from offset 0x105084 to dumped.out
Name the output as .zip again and extract it.

It is not that surprising if the resulting files are much smaller in size. But see what you get from the second jar.

[Deque]

Forget the above, I looked into the decompiled source and it is just a classloader, but not the original code.
Jar2Exe.com also explains how they do it dependend on the option used: http://www.jar2exe.com/intro/dependedjars
In this case they chose to protect the jar, which is why we can't simply extract it.

But I found a possible solution. Looks like someone wrote a program to unpack protected jar2exe files: https://github.com/slavemaster/e2j

See if that helps and write again if you encounter any problems.

[Architect]

This is a pretty nice tool but technically shouldn't this be in reverse engineering? Just a thought I guess. But other than placement, this is like I said a good tool for decompiling and finding shit.

[qespresso]

Thank you for moving to the right place Architect, at first I confused because it wrote in Java so that why I post the topic in that place.

But I found a possible solution. Looks like someone wrote a program to unpack protected jar2exe files: https://github.com/slavemaster/e2j

The usage of e2j really a messy I can't handle that. I tried to follow steps but haven't got luck yet.

[Deque]

Thank you for moving to the right place Architect, at first I confused because it wrote in Java so that why I post the topic in that place.
The usage of e2j really a messy I can't handle that. I tried to follow steps but haven't got luck yet.

What exactly did you do and what was the result? Post the error message if there is any.

[qespresso]

Code: [Select]

set old_opts=%JAVA_TOOL_OPTIONS%
set JAVA_TOOL_OPTIONS=-javaagent:e2j-agent.jar(=output-file)
I really don't know what do they mean with the 3rd instruction "C:\dev\e2j>packed-exe
  ...
  C:\dev\e2j>set JAVA_TOOL_OPTIONS=%old_opts%"
And when trying to run it directly I had this error

Code: [Select]

C:\Documents and Settings\Administrator\My Documents\Downloads\e2j-master\e2j-ma
ster>java e2j-agent.jar
Picked up JAVA_TOOL_OPTIONS: %JAVA_TOOL_OPTIONS%
Unrecognized option: %JAVA_TOOL_OPTIONS%
Error: Could not create the Java Virtual Machine.
Error: A fatal exception has occurred. Program will exit.
I'm sorry for my bad skill with java. Really appreciate your afford to help me.

[Deque]

Code: [Select]

set old_opts=%JAVA_TOOL_OPTIONS%
set JAVA_TOOL_OPTIONS=-javaagent:e2j-agent.jar(=output-file)
I really don't know what do they mean with the 3rd instruction "C:\dev\e2j>packed-exe
  ...
  C:\dev\e2j>set JAVA_TOOL_OPTIONS=%old_opts%"
And when trying to run it directly I had this error

In the third instruction you run the packed exe, in your case the SSH.exe
You don't run the jar directly.

[qespresso]

I tried many times exactly the step of the instruction but nothing happen. I don't know why that the exe file can't execute from command line. It just can be executed by double click.

[Deque]

I tried many times exactly the step of the instruction but nothing happen. I don't know why that the exe file can't execute from command line. It just can be executed by double click.

The agent maybe doesn't run the jar, but just extracts it. It should work by doubleclick as well, though.
Did you check if there is an outputfile?

[qespresso]

In fact, there is not output file. The previous version of the software were written in C# - if this information is helpful.