1

I've got a file that is a binary Java file that was compiled using a proprietary program. I've tried to open this up in some of the standard decompilers but they will not recognize it.

I suspect it's because some specific proprietary headers have been added, based on looking at the file in a hex editor. Is there any way to detect where the java bytecode begins and ends on this file, or how to extract it so I can run it through a decompiler like this one? Any help is much appreciated.

[Edit]

As a side note, I'd like to know how this was achieved; in other words, what facility/feature of Java allows you to use their compiler in such a customized way as this?

[image] P.S. The image is bigger if you open it in another tab. [image]

JasonMArcher
James
  • 2
    This doesn't look like a Java class file. Open it in a hex editor, first 4 bytes should be CA FE BA BE. Maybe it's a jar? Try opening it as a zip file. – Denis Tulskiy Nov 11 '10 at 06:46
  • 1
    This is not a jar file -- a jar file should start with 'PK'. – J-16 SDiZ Nov 11 '10 at 09:33
  • 1
    Try a hex dump (or open in a hex editor and capture the screen). It is impossible to see what those characters are in your image. – J-16 SDiZ Nov 11 '10 at 09:36
  • @J-16 SDiZ: I added a partial hex dump screenshot to my post above. – James Nov 11 '10 at 17:18
  • After further analysis I suspect this file may be encrypted and/or packed. 7-Zip reports its pack method is LZMA:17 but exports an empty file. I tried creating a new password-protected 7-Zip file and comparing, but they look nothing alike; perhaps it's because this was created with the Java 7 zip library. – James Nov 11 '10 at 17:23
  • If anyone wants to look at this themselves, the file can be downloaded from http://moneyfactory.biz/indicators.html - it's the SuperSignals plugin for JForex. – Tom Anderson Feb 25 '11 at 14:37
  • The start of the file is some sort of header, with count-prefixed strings. After that, no idea. An interesting puzzle! – Tom Anderson Feb 25 '11 at 14:47

2 Answers

2

My guess is it is an encrypted jar. The compiled code still has to be Java bytecode to run on a JVM unless they wrote their own which is highly unlikely. The proprietary part of the process may be the encryption of the jar so that it won't run without the proper decryption key.

If that is the case, there has to be another part of the package that has both the proper key and mechanism to decrypt it. You say that it is a binary Java file but that could mean a .class file or a jar file.

How is this code executed? Do you have to start the JVM yourself ("c:/>java com.mystery.App") or is it a module used by some other executable (exe, jar, batch, etc.)?

Kelly S. French
  • Great questions. This file is an add-in module to a desktop application. This application allows you to code up some Java and compile it all from within the application itself. After compiling it creates the file *.jfx which contains what you see above in the screen caps. This compiled file is portable and the application allows you to register .jfx files that you drop in a folder. – James Nov 11 '10 at 18:08
  • Try adding the *.jfx file to an Eclipse project and see if Eclipse can show you either the public fields/methods if it is a class or the packages and classes if it is a jar. – Kelly S. French Nov 11 '10 at 18:13
1

Did you try unpack200?

J-16 SDiZ
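
Added example, not written by any poster in this thread: a Python scanner for the triage the comments and answers describe. It searches a blob at every offset for the class-file magic CA FE BA BE, the "PK" zip/jar local header and the pack200 magic, and reports byte entropy as a hint of packing or encryption. The function names, the sanity thresholds and the sample bytes are assumptions constructed for illustration.

```python
import math
import struct
from collections import Counter

def plausible_class(data, off):
    """CAFEBABE is followed by u2 minor, u2 major, u2 constant_pool_count."""
    if off + 10 > len(data):
        return False
    _minor, major, cp_count = struct.unpack_from(">HHH", data, off + 4)
    # major 45 = JDK 1.0; the upper bound is a loose sanity limit (assumption)
    return 45 <= major <= 100 and cp_count > 1

def plausible_zip(data, off):
    """Zip local header: method at +8, file-name length at +26, name at +30."""
    if off + 30 > len(data):
        return False
    (method,) = struct.unpack_from("<H", data, off + 8)
    (name_len,) = struct.unpack_from("<H", data, off + 26)
    # 0 = stored, 8 = deflate: the methods ordinary jar tools write
    return method in (0, 8) and name_len > 0 and off + 30 + name_len <= len(data)

# magic bytes -> (label, validator or None)
SIGNATURES = {
    b"\xca\xfe\xba\xbe": ("java-class", plausible_class),
    b"PK\x03\x04": ("zip/jar", plausible_zip),
    b"\xca\xfe\xd0\x0d": ("pack200", None),
}

def scan(data):
    """Return sorted (offset, label) pairs for every validated signature hit."""
    hits = []
    for magic, (label, check) in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            if check is None or check(data, pos):
                hits.append((pos, label))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def entropy(data):
    """Shannon entropy in bits per byte; near 8.0 suggests packed or encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

# Constructed sample: count-prefixed string, a decoy magic, then a real class header
SAMPLE = (b"\x00\x04demo" + b"\xca\xfe\xba\xbe\xff\xff\xff\xff\x00\x00"
          + b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x00\x10" + b"\x00" * 8)

if __name__ == "__main__":
    print(scan(SAMPLE), round(entropy(SAMPLE), 2))
```

If `scan` returns nothing and the entropy of the body after the header is close to 8 bits per byte, the payload is most likely compressed or encrypted rather than wrapped bytecode, and carving by offset will not yield a decompilable class.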