java

Documentation

Index

• Variables
• func ExtractBytecode(classBytes []byte) ([][]byte, error)
• func HashClassInstructions(classBytes []byte) (string, error)
• func ReadMethodByteCode(jarFile string, className string) (bytecode [][]byte, err error)
• type ClassHash
  • func HashClass(jarFile string, className string) (ClassHash, error)
• type MethodByteCodeComparison
  • func CompareClasses(firstJarName, firstClassName, secondJarName, secondClassName string) (MethodByteCodeComparison, error)
• type Opcodes
  • func OpcodeLookupTables() *Opcodes
  • func (opcodes *Opcodes) OpcodeOperands(opcode byte) (int, error)
• type PartialMatch

Variables

var DoubleOperandOpcodes = make([]bool, 0xff)

var NoOperandOpcodes = make([]bool, 0xff)

var OpcodesInitialised = false

var OtherOpcodes = []uint8{0xc4, 0xab, 0xaa, 0xfe, 0xff, 0xca}

OtherOpcodes that are either reserved or take a variable number of operands

var QuadOperandOpcodes = make([]bool, 0xff)

var SingleOperandOpcodes = make([]bool, 0xff)

var TripleOperandOpcodes = []uint8{0xc5}

Functions

func ExtractBytecode

func ExtractBytecode(classBytes []byte) ([][]byte, error)

func HashClassInstructions

func HashClassInstructions(classBytes []byte) (string, error)

HashClassInstructions produces a hash of the opcodes that define the methods of the specified class. This is intended to not change if the package name or other details are changed with the resulting changes to the non-opcode parts of the class format.

func ReadMethodByteCode

func ReadMethodByteCode(jarFile string, className string) (bytecode [][]byte, err error)

Types

type ClassHash

type ClassHash struct {
	ClassSize               int64
	CompleteHash            string
	BytecodeInstructionHash string
}

func HashClass

func HashClass(jarFile string, className string) (ClassHash, error)

type MethodByteCodeComparison

type MethodByteCodeComparison struct {
	FirstClassMethodBytecode     [][]byte
	FirstClassUnmatchedBytecode  [][]byte
	SecondClassMethodBytecode    [][]byte
	SecondClassUnmatchedBytecode [][]byte
	ExactMatches                 [][]byte
	PartialMatches               []PartialMatch
}

func CompareClasses

func CompareClasses(firstJarName, firstClassName, secondJarName, secondClassName string) (MethodByteCodeComparison, error)

CompareClasses finds common parts between two versions of the same class, e.g. after obfuscation or some other process.

First all non-opcodes are dropped to leave only constant bytecode values such that renaming of items in the constant table is ignored.

The bytecode for each method is then compared.

Any exact matches between the two classes are found and removed from further consideration. The rest is then sorted and a greedy algorithm used to find the longest match for each method from the first class. If there is any method in the second classes bytecode which has a common prefix and suffix then a match is found and the methods from both the first and second class removed from any further matching.

type Opcodes

type Opcodes struct {
	NoOperandOpcodeLookupTable     []bool
	SingleOperandOpcodeLookupTable []bool
	DoubleOperandOpcodeLookupTable []bool
	QuadOperandOpcodeLookupTable   []bool
	TripleOperandOpcodes           []uint8
	OtherOpcodes                   []uint8
}

Opcodes are used when hashing bytecode to separate out the parts that are relatively static when shading or obfuscating classfiles while skipping the operands that change with those modifications.

These tables are intended to use memory (1mb per number of operands) in order to speed up lookups. Total memory use remains reasonable as these are shared between all uses.

func OpcodeLookupTables

func OpcodeLookupTables() *Opcodes

func (*Opcodes) OpcodeOperands

func (opcodes *Opcodes) OpcodeOperands(opcode byte) (int, error)

OpcodeOperands looks in the opcode tables to see how many operands this opcode takes, and advance to the end which must be another opcode or the end of the bytecode

type PartialMatch

type PartialMatch struct {
	Prefix        []byte
	Suffix        []byte
	AmountSkipped int
}