JNLP is essentially Java’s version of Flash. It runs as a web link and caches a copy locally. Since Java can be decompiled, this leaves room for attacks similar to old-fashioned Flash game cheating. Many of these JAR files are stored in common temp directories. Once the JAR file is located, the modifications can begin.

Nothing in here is really hacking at all; I just wanted to combine some known Java functionality and craft it into something that could be used in an attack. There are two main ways we can go about this: decompile the code and recompile it with the changes, or do binary manipulation in IDA. I will not talk about any details on binary manipulation.

First, let’s talk about what happens if a JAR file is signed. When the JAR file is signed, any modifications you try to make to the code will fail on an MD5 check. To get around this, you can make your own keys and sign it with them after you have made your modifications.

JAR Signing

Note: These tools are located in the JDK’s bin directory.

1. Create Your Own Keys

keytool -genkey -keystore mykeystore -alias test

2. Sign Modified JAR File

jarsigner -keystore mykeystore -signedjar app-signed.jar new-app.jar test

3. Verify Signing

jarsigner -verify -keystore mykeystore app-signed.jar

Decompiling JARs

This first method, decompiling the JAR file, is the easiest way to modify code. Some problems may arise depending on Java versions and libraries. You can extract the JAR file with many programs, such as 7zip. The extracted copy is where you will replace your modified Java files. Remember to remove the META-INF data if you plan to sign the JAR with your own keys.
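What the signed-JAR digest check catches, and what is left to check once META-INF is removed, shown as an added example that is not from the original post. It assumes `SHA-256-Digest` manifest attributes (the digest algorithm varies by JDK version); the helper names and sample JARs are constructed for illustration.

```python
import base64, hashlib, io, zipfile

def digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_manifest(text):
    """Return {entry name: attributes} for the per-entry manifest sections."""
    # Lines over 72 bytes continue on the next line after a single space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def audit_jar(jar_bytes):
    """Classify a JAR as 'unsigned', 'tampered' or 'digests-ok'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        meta = [n for n in names if n.startswith("META-INF/")]
        signed = ("META-INF/MANIFEST.MF" in meta
                  and any(n.endswith(".SF") for n in meta)
                  and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta))
        if not signed:
            return "unsigned"
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode())
        for name in names:
            if name in meta or name.endswith("/"):
                continue
            # An entry that is missing from the manifest fails as well.
            if manifest.get(name, {}).get("SHA-256-Digest") != digest(jar.read(name)):
                return "tampered"
    return "digests-ok"

def build_jar(files, manifest_of=None, signed=True):
    """Constructed sample JAR; the .SF/.RSA files are placeholders, not real signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if signed:
            mf = "Manifest-Version: 1.0\r\n\r\n" + "".join(
                f"Name: {n}\r\nSHA-256-Digest: {digest(d)}\r\n\r\n"
                for n, d in (manifest_of or files).items())
            jar.writestr("META-INF/MANIFEST.MF", mf)
            jar.writestr("META-INF/TEST.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/TEST.RSA", b"placeholder")
        for n, d in files.items():
            jar.writestr(n, d)
    return buf.getvalue()

ORIGINAL = {"app/Main.class": b"\xca\xfe\xba\xbe original"}   # constructed
MODIFIED = {"app/Main.class": b"\xca\xfe\xba\xbe modified"}   # constructed
```

A JAR re-signed with a different key passes these digest checks, so the check that distinguishes it is the signer certificate, which `jarsigner -verify -verbose -certs` prints. This sketch does not validate the signature block itself.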

You can now decompile your JAR file to view the code. In the example below I am using JD-GUI. Another nice decompiler is JAD. Once you decompile, you can view and export the specific Java files you would like to modify.

Make your modifications and replace the original with your modified version in the area you extracted the JAR to.

Compile and Sign

javac -cp .;c:\Progra~1\Java\jdk1.5.0_17\lib;C:\app newfile.java

JAR Binary Modifications

This section is a little trickier, since you have to make changes in a binary disassembled form. To make it easier, read through the code with a Java decompiler and look for functions you want to modify. Once you know what you want to modify, search for those functions in the disassembler to find the correct offset. Once the offset is found, you can modify the JAR with a hex editor.

Note: This document does not discuss any reverse engineering techniques.

1. Find the function you would like to modify and load it into IDA.

2. Now you have to find the offset of this function in IDA. This offset will be used to modify the binary with a hex editor. Open the JAR file in a hex editor and search for that offset to make your changes. In the example below I used HxD. Check out the SecurityTube link below for more details.

References:

– http://www.owasp.org/index.php/Signing_jar_files_with_jarsigner

– http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html

– http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html

– http://www.securitytube.net/Java-and-JNLP-Application-Hacking-video.aspx

15 Thoughts on “JNLP/JAR Hacking”

  1. Thanks for the post, it’s nice.

  2. tester on August 26, 2010 at 1:06 am said:

    This method won’t work. What if somebody removes the signature file in the meta info by overwriting (by renaming the jar to zip and renaming it back to jar afterward) the class file with the cracked one? I’ve tried it and it works to crack/hack the jar in this way.

  3. Hi,
    I looked at your method on how to hack jnlp and I find it really clever and
    it really impressed me.

    I have a proposal for you: I need to hack a jnlp application this way: once
    the application runs I would like to change only one image, replacing it with
    another one made by me. Unfortunately I am not smart in hacking so I cannot do
    it myself.

    The jnlp file has 3 jar files and the image I want to replace is in one of
    these.
    If you think you can do this please let me know and we can discuss your
    payment for this job. On your positive answer I will give you every detail you
    need to do the work.

    Thanks in advance

    MArk Serra

  4. Nice hacking software. I like it.

  5. Could you tell me more about this JAR hacking? Thanks!

    Bill Basset

  6. This is some great information; I really appreciate it. It may not be hacking technically, but it’s useful for knowing how to understand attacks or preventing attacks.

  7. Yes this information help me to hack my friend.

    thanks

  8. This seems very exciting. It is really more the challenge than the result for me anyway. Thanks A Lot!

    Will

  9. @itdesi: how did you exactly hack your friend, if you don’t mind my asking. Seems scary to be your friend 😀

  10. It really sounds great, hacking into your friends’ accounts is really cool. Hey, can you give us some tricks and tips on it?

  11. patrick on June 19, 2012 at 8:25 am said:

    Hey, the video says it’s for chess? Is it for minecraft too? plz reply

  12. Useful read shared in this thread having great useful material which is much helpful one for many persons to required knowledge.

  13. This will be cool go for it I will use it. Thank You

  14. secret on March 7, 2013 at 6:44 am said:

    Hey dude does anyone of you know how to crack/hack, or make a keygen of a java application on mobile phones? please crack it for me

    http://www.mediafire.com/download.php?a5djtycn8gjecu3

  15. I want to find the code of this jar file Clients.jar
