├── .gitignore ├── README.md ├── build.gradle ├── gradle └── wrapper │ ├── gradle-wrapper.jar │ └── gradle-wrapper.properties ├── gradlew ├── gradlew.bat ├── settings.gradle └── src └── main └── java └── me └── yamakaja └── unsafe └── classhacking ├── ASMClassLoader.java ├── ClassHacking.java ├── SpecialString.java └── SpecialStringClassGenerator.java /.gitignore: -------------------------------------------------------------------------------- 1 | .gradle/ 2 | build/ 3 | 4 | *.iml 5 | .idea/ 6 | out/ 7 | 8 | *~ 9 | 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Extending final classes 2 | 3 | This is a demonstration repository about how 4 | final classes can be extended. The usefulness of this 5 | technique is questionable at best, use at your own risk! 6 | 7 | *Why would anybody even want to extend final classes?* 8 | 9 | Don't ask [me](https://twitter.com/AgentK20/status/861640304566427651) 10 | 11 | ## Explanation 12 | 13 | ### Preparation 14 | 15 | The following requires access to an instance of the Unsafe class, which can 16 | be obtained like this: 17 | 18 | ```java 19 | Field theUnsafe = Unsafe.class.getDeclaredField("theUnsafe"); 20 | theUnsafe.setAccessible(true); 21 | Unsafe unsafe = theUnsafe.get(null); 22 | ``` 23 | 24 | ### The process itself 25 | 26 | First, we need to clear the final bit in the Klass' access modifiers 27 | (A good data overview can be found [here](https://gist.github.com/0x277F/33b14fe2d8fc29735a2873fcd04b48ea)), 28 | for that we need to obtain the class pointer first, which is conveniently 29 | placed in the header of every object. There is just one more issue we have 30 | to account for: [Compressed OOPs](https://wiki.openjdk.java.net/display/HotSpot/CompressedOops) 31 | might cause the pointer to be stored in a different format. 
32 | 33 | *Obtaining the `Klass*`* 34 | 35 | ```java 36 | Object target = ""; // Instance of the class that you want to remove the final modifier of 37 | long klassPointer = unsafe.arrayIndexScale(Object[].class) == 4 ? (unsafe.getInt(target, 8L) & 0xFFFFFFFFL) << 3 : unsafe.getLong(target, 8L); 38 | ``` 39 | 40 | Now that we have the Klass pointer, we just have to edit the modifiers: 41 | 42 | ```java 43 | unsafe.putInt(klassPointer + MODIFIER_OFFSET, unsafe.getInt(klassPointer + MODIFIER_OFFSET) & ~Modifier.FINAL); 44 | unsafe.putInt(klassPointer + ACCESS_FLAG_OFFSET, unsafe.getInt(klassPointer + ACCESS_FLAG_OFFSET) & ~Modifier.FINAL); 45 | ``` 46 | 47 | (`MODIFIER_OFFSET = 152` and `ACCESS_FLAG_OFFSET = 156`; these are raw offsets into JVM-internal data, not part of any API, so they can differ between JVM versions and builds, and a wrong offset means the writes above land in unrelated memory) 48 | 49 | And there we go: (in this case) String is no longer final! 50 | 51 | ### Usage 52 | 53 | We still can't do anything with what we've achieved, though. The compiler 54 | won't compile classes that extend a final class, and I can't do anything 55 | about that. But wait! ASM and dynamic class generation step in to save 56 | the day! 57 | 58 | For an example, please see this repository ;) 59 | 60 | ## Issues 61 | 62 | When extending crucial JVM-internal classes like java.lang.String, you will 63 | most likely run into JVM crashes. You might have better luck with other 64 | classes, though. 
65 | -------------------------------------------------------------------------------- /build.gradle: -------------------------------------------------------------------------------- 1 | group 'me.yamakaja.unsafe' 2 | version '1.0-SNAPSHOT' 3 | 4 | apply plugin: 'java' 5 | 6 | sourceCompatibility = 1.8 7 | 8 | repositories { 9 | mavenCentral() 10 | mavenLocal() 11 | } 12 | 13 | dependencies { 14 | compile "org.ow2.asm:asm-all:5.0.4" 15 | } 16 | -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Yamakaja/class-hacking/055bd4b65fac6a912d297cb6f870632e180c0333/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | #Thu Sep 07 20:18:31 CEST 2017 2 | distributionBase=GRADLE_USER_HOME 3 | distributionPath=wrapper/dists 4 | zipStoreBase=GRADLE_USER_HOME 5 | zipStorePath=wrapper/dists 6 | distributionUrl=https\://services.gradle.org/distributions/gradle-3.5-rc-2-all.zip 7 | -------------------------------------------------------------------------------- /gradlew: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | ############################################################################## 4 | ## 5 | ## Gradle start up script for UN*X 6 | ## 7 | ############################################################################## 8 | 9 | # Attempt to set APP_HOME 10 | # Resolve links: $0 may be a link 11 | PRG="$0" 12 | # Need this for relative symlinks. 
13 | while [ -h "$PRG" ] ; do 14 | ls=`ls -ld "$PRG"` 15 | link=`expr "$ls" : '.*-> \(.*\)$'` 16 | if expr "$link" : '/.*' > /dev/null; then 17 | PRG="$link" 18 | else 19 | PRG=`dirname "$PRG"`"/$link" 20 | fi 21 | done 22 | SAVED="`pwd`" 23 | cd "`dirname \"$PRG\"`/" >/dev/null 24 | APP_HOME="`pwd -P`" 25 | cd "$SAVED" >/dev/null 26 | 27 | APP_NAME="Gradle" 28 | APP_BASE_NAME=`basename "$0"` 29 | 30 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 31 | DEFAULT_JVM_OPTS="" 32 | 33 | # Use the maximum available, or set MAX_FD != -1 to use that value. 34 | MAX_FD="maximum" 35 | 36 | warn ( ) { 37 | echo "$*" 38 | } 39 | 40 | die ( ) { 41 | echo 42 | echo "$*" 43 | echo 44 | exit 1 45 | } 46 | 47 | # OS specific support (must be 'true' or 'false'). 48 | cygwin=false 49 | msys=false 50 | darwin=false 51 | nonstop=false 52 | case "`uname`" in 53 | CYGWIN* ) 54 | cygwin=true 55 | ;; 56 | Darwin* ) 57 | darwin=true 58 | ;; 59 | MINGW* ) 60 | msys=true 61 | ;; 62 | NONSTOP* ) 63 | nonstop=true 64 | ;; 65 | esac 66 | 67 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 68 | 69 | # Determine the Java command to use to start the JVM. 70 | if [ -n "$JAVA_HOME" ] ; then 71 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 72 | # IBM's JDK on AIX uses strange locations for the executables 73 | JAVACMD="$JAVA_HOME/jre/sh/java" 74 | else 75 | JAVACMD="$JAVA_HOME/bin/java" 76 | fi 77 | if [ ! -x "$JAVACMD" ] ; then 78 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 79 | 80 | Please set the JAVA_HOME variable in your environment to match the 81 | location of your Java installation." 82 | fi 83 | else 84 | JAVACMD="java" 85 | which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 86 | 87 | Please set the JAVA_HOME variable in your environment to match the 88 | location of your Java installation." 
89 | fi 90 | 91 | # Increase the maximum file descriptors if we can. 92 | if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then 93 | MAX_FD_LIMIT=`ulimit -H -n` 94 | if [ $? -eq 0 ] ; then 95 | if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then 96 | MAX_FD="$MAX_FD_LIMIT" 97 | fi 98 | ulimit -n $MAX_FD 99 | if [ $? -ne 0 ] ; then 100 | warn "Could not set maximum file descriptor limit: $MAX_FD" 101 | fi 102 | else 103 | warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" 104 | fi 105 | fi 106 | 107 | # For Darwin, add options to specify how the application appears in the dock 108 | if $darwin; then 109 | GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" 110 | fi 111 | 112 | # For Cygwin, switch paths to Windows format before running java 113 | if $cygwin ; then 114 | APP_HOME=`cygpath --path --mixed "$APP_HOME"` 115 | CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` 116 | JAVACMD=`cygpath --unix "$JAVACMD"` 117 | 118 | # We build the pattern for arguments to be converted via cygpath 119 | ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` 120 | SEP="" 121 | for dir in $ROOTDIRSRAW ; do 122 | ROOTDIRS="$ROOTDIRS$SEP$dir" 123 | SEP="|" 124 | done 125 | OURCYGPATTERN="(^($ROOTDIRS))" 126 | # Add a user-defined pattern to the cygpath arguments 127 | if [ "$GRADLE_CYGPATTERN" != "" ] ; then 128 | OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" 129 | fi 130 | # Now convert the arguments - kludge to limit ourselves to /bin/sh 131 | i=0 132 | for arg in "$@" ; do 133 | CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` 134 | CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option 135 | 136 | if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition 137 | eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` 138 | else 139 | eval `echo args$i`="\"$arg\"" 140 | fi 141 | i=$((i+1)) 142 | done 143 | case $i in 144 | (0) set -- ;; 145 | (1) 
set -- "$args0" ;; 146 | (2) set -- "$args0" "$args1" ;; 147 | (3) set -- "$args0" "$args1" "$args2" ;; 148 | (4) set -- "$args0" "$args1" "$args2" "$args3" ;; 149 | (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; 150 | (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; 151 | (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; 152 | (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; 153 | (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; 154 | esac 155 | fi 156 | 157 | # Escape application args 158 | save ( ) { 159 | for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done 160 | echo " " 161 | } 162 | APP_ARGS=$(save "$@") 163 | 164 | # Collect all arguments for the java command, following the shell quoting and substitution rules 165 | eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" 166 | 167 | # by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong 168 | if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then 169 | cd "$(dirname "$0")" 170 | fi 171 | 172 | exec "$JAVACMD" "$@" 173 | -------------------------------------------------------------------------------- /gradlew.bat: -------------------------------------------------------------------------------- 1 | @if "%DEBUG%" == "" @echo off 2 | @rem ########################################################################## 3 | @rem 4 | @rem Gradle startup script for Windows 5 | @rem 6 | @rem ########################################################################## 7 | 8 | @rem Set local scope for the variables with windows NT shell 9 | if "%OS%"=="Windows_NT" setlocal 10 | 11 | set DIRNAME=%~dp0 12 | if "%DIRNAME%" == "" set DIRNAME=. 
13 | set APP_BASE_NAME=%~n0 14 | set APP_HOME=%DIRNAME% 15 | 16 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 17 | set DEFAULT_JVM_OPTS= 18 | 19 | @rem Find java.exe 20 | if defined JAVA_HOME goto findJavaFromJavaHome 21 | 22 | set JAVA_EXE=java.exe 23 | %JAVA_EXE% -version >NUL 2>&1 24 | if "%ERRORLEVEL%" == "0" goto init 25 | 26 | echo. 27 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 28 | echo. 29 | echo Please set the JAVA_HOME variable in your environment to match the 30 | echo location of your Java installation. 31 | 32 | goto fail 33 | 34 | :findJavaFromJavaHome 35 | set JAVA_HOME=%JAVA_HOME:"=% 36 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe 37 | 38 | if exist "%JAVA_EXE%" goto init 39 | 40 | echo. 41 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 42 | echo. 43 | echo Please set the JAVA_HOME variable in your environment to match the 44 | echo location of your Java installation. 45 | 46 | goto fail 47 | 48 | :init 49 | @rem Get command-line arguments, handling Windows variants 50 | 51 | if not "%OS%" == "Windows_NT" goto win9xME_args 52 | 53 | :win9xME_args 54 | @rem Slurp the command line arguments. 55 | set CMD_LINE_ARGS= 56 | set _SKIP=2 57 | 58 | :win9xME_args_slurp 59 | if "x%~1" == "x" goto execute 60 | 61 | set CMD_LINE_ARGS=%* 62 | 63 | :execute 64 | @rem Setup the command line 65 | 66 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar 67 | 68 | @rem Execute Gradle 69 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% 70 | 71 | :end 72 | @rem End local scope for the variables with windows NT shell 73 | if "%ERRORLEVEL%"=="0" goto mainEnd 74 | 75 | :fail 76 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of 77 | rem the _cmd.exe /c_ return code! 
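78 | if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 79 | exit /b 1 80 | 81 | :mainEnd 82 | if "%OS%"=="Windows_NT" endlocal 83 | 84 | :omega 85 | -------------------------------------------------------------------------------- /settings.gradle: -------------------------------------------------------------------------------- 1 | rootProject.name = 'class-hacking' 2 | -------------------------------------------------------------------------------- /src/main/java/me/yamakaja/unsafe/classhacking/ASMClassLoader.java: --------------------------------------------------------------------------------
package me.yamakaja.unsafe.classhacking;

/**
 * Class loader that defines a class directly from a byte array supplied at runtime.
 *
 * <p>The parent is the loader that loaded {@code ASMClassLoader} itself, so a class defined here
 * resolves the project's own types through ordinary parent delegation.
 *
 * <p>{@link #load(String, byte[])} adds no validation of its own: whatever bytes it is given are
 * handed to {@code defineClass} and become executable code in this JVM. Only pass bytecode that
 * this program generated itself or otherwise trusts.
 *
 * Created by Yamakaja on 9/7/17.
 */
public class ASMClassLoader extends ClassLoader {

    public ASMClassLoader() {
        super(ASMClassLoader.class.getClassLoader());
    }

    /**
     * Defines a class from {@code data} under the given binary name.
     *
     * @param name binary name of the class contained in {@code data}
     * @param data complete class file contents; must not be {@code null}
     * @return the newly defined class
     * @throws NullPointerException if {@code data} is {@code null}
     * @throws ClassFormatError if {@code data} is not a valid class file
     */
    public Class<?> load(String name, byte[] data) {
        // Fail with a named argument instead of an anonymous NPE on data.length.
        if (data == null) {
            throw new NullPointerException("data");
        }
        return defineClass(name, data, 0, data.length);
    }

}
-------------------------------------------------------------------------------- /src/main/java/me/yamakaja/unsafe/classhacking/ClassHacking.java: -------------------------------------------------------------------------------- 1 | package me.yamakaja.unsafe.classhacking; 2 | 3 | import sun.misc.Unsafe; 4 | 5 | import java.io.File; 6 | import java.lang.reflect.Field; 7 | import java.lang.reflect.Modifier; 8 | 9 | /** 10 | * Created by Yamakaja on 9/6/17. 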
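11 | */
public class ClassHacking {

    /*
     * Byte offsets, relative to the decoded klass pointer, of the two 32-bit flag words that
     * main() rewrites.
     * NOTE(review): these are fixed numbers for JVM-internal data, not values queried at runtime;
     * presumably they match only the JVM build they were measured on - confirm before running on
     * any other JVM, because a wrong offset turns the putInt calls below into writes to unrelated
     * memory.
     */
    public static final int MODIFIER_OFFSET = 152;
    public static final int ACCESS_FLAG_OFFSET = 156;

    /**
     * Clears the {@code final} bit on {@code java.lang.String} inside the running JVM, then
     * defines and instantiates a generated subclass of it.
     *
     * <p>Everything here operates on raw process memory through {@code sun.misc.Unsafe}. The flag
     * words are sanity-checked before they are overwritten, so an offset mismatch is reported as
     * an exception where the read itself succeeds; a wrong klass pointer can still crash the JVM
     * on the read.
     *
     * @param args unused
     * @throws IllegalStateException if the words at the hard-coded offsets do not look like
     *         String's modifier and access flags
     * @throws Exception on any reflection or class-definition failure
     */
    public static void main(String[] args) throws Exception {
        Field theUnsafe = Unsafe.class.getDeclaredField("theUnsafe");
        theUnsafe.setAccessible(true);
        Unsafe unsafe = (Unsafe) theUnsafe.get(null);

        // The library path is resolved against the process working directory, so the native code
        // that gets loaded is whatever file named "classhacking" sits there. Run this only from a
        // directory whose contents you control.
        System.load(new File("classhacking").getAbsolutePath());

        // NOTE(review): getClassModifiers is not declared anywhere in this class as shown;
        // presumably it is a native method backed by the library loaded above - confirm.
        System.out.println(Modifier.toString(ClassHacking.getClassModifiers("")));

        // Reads the klass word at header offset 8 of a String instance. A 4-byte reference size is
        // taken to mean the word is stored compressed, and it is decoded with a shift of 3 and no
        // base. NOTE(review): both the header offset and that decoding are assumptions about the
        // target JVM - confirm.
        long klassPointer = unsafe.arrayIndexScale(Object[].class) == 4 ? (unsafe.getInt("", 8L) & 0xFFFFFFFFL) << 3 : unsafe.getLong("", 8L);

        long modifierAddress = klassPointer + MODIFIER_OFFSET;
        long accessFlagAddress = klassPointer + ACCESS_FLAG_OFFSET;
        int modifiers = unsafe.getInt(modifierAddress);
        int accessFlags = unsafe.getInt(accessFlagAddress);

        // Refuse to write unless both words look like String's flags: the modifier word is expected
        // to equal what Class.getModifiers() reports, and the access-flag word must still carry the
        // final bit. Anything else means the offsets do not fit this JVM.
        if (modifiers != String.class.getModifiers() || (accessFlags & Modifier.FINAL) == 0) {
            throw new IllegalStateException(
                    "Unexpected flag words at the hard-coded Klass offsets; refusing to patch this JVM");
        }

        unsafe.putInt(modifierAddress, modifiers & ~Modifier.FINAL);
        unsafe.putInt(accessFlagAddress, accessFlags & ~Modifier.FINAL);

        Class<?> clazz = new ASMClassLoader().load("me.yamakaja.unsafe.classhacking.SpecialStringImpl", SpecialStringClassGenerator.generateStringClass());

        SpecialString specialString = (SpecialString) clazz.getConstructor(String.class).newInstance("Hello World!");

        specialString.print();
    }

}
-------------------------------------------------------------------------------- /src/main/java/me/yamakaja/unsafe/classhacking/SpecialString.java: -------------------------------------------------------------------------------- 1 | package me.yamakaja.unsafe.classhacking; 2 | 3 | /** 4 | * Created by Yamakaja on 9/7/17. 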
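5 | */
public interface SpecialString {

    // Implemented by the generated SpecialStringImpl class; ClassHacking.main calls it on the
    // instance it creates.
    void print();

}
-------------------------------------------------------------------------------- /src/main/java/me/yamakaja/unsafe/classhacking/SpecialStringClassGenerator.java: --------------------------------------------------------------------------------
package me.yamakaja.unsafe.classhacking;

import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.Label;
import org.objectweb.asm.MethodVisitor;

import static org.objectweb.asm.Opcodes.*;

/**
 * Builds, with ASM, the bytecode of {@code SpecialStringImpl}: a public class whose superclass is
 * {@code java.lang.String} and which implements {@link SpecialString}.
 *
 * <p>Because the superclass is final, the JVM is expected to reject this class when it is
 * defined; it can only load after the final flag on String has been cleared, as
 * {@code ClassHacking.main} does before calling this generator.
 *
 * Created by Yamakaja on 9/6/17.
 */
public class SpecialStringClassGenerator {

    private static final String IMPL_NAME = "me/yamakaja/unsafe/classhacking/SpecialStringImpl";
    private static final String IMPL_DESCRIPTOR = "L" + IMPL_NAME + ";";

    /**
     * Generates the class file for {@code SpecialStringImpl}.
     *
     * @return the complete class file as a byte array
     */
    public static byte[] generateStringClass() {
        ClassWriter cw = new ClassWriter(0);

        cw.visit(V1_8, ACC_PUBLIC | ACC_SUPER, IMPL_NAME, null, "java/lang/String",
                new String[]{"me/yamakaja/unsafe/classhacking/SpecialString"});

        cw.visitSource("SubString.java", null);

        emitConstructor(cw);
        emitToString(cw);
        emitPrint(cw);
        cw.visitEnd();

        return cw.toByteArray();
    }

    /** Emits {@code SpecialStringImpl(String initialValue)}, which only calls {@code String(String)}. */
    private static void emitConstructor(ClassWriter cw) {
        // A constructor is named "<init>" in a class file; an empty method name is not valid and
        // would leave ClassHacking's getConstructor(String.class) lookup with nothing to find.
        MethodVisitor mv = cw.visitMethod(ACC_PUBLIC, "<init>", "(Ljava/lang/String;)V", null, null);
        mv.visitCode();
        Label start = new Label();
        mv.visitLabel(start);
        mv.visitVarInsn(ALOAD, 0);
        mv.visitVarInsn(ALOAD, 1);
        mv.visitMethodInsn(INVOKESPECIAL, "java/lang/String", "<init>", "(Ljava/lang/String;)V", false);
        mv.visitInsn(RETURN);
        Label end = new Label();
        mv.visitLabel(end);
        mv.visitLocalVariable("this", IMPL_DESCRIPTOR, null, start, end, 0);
        // The argument lives in slot 1 (it is loaded with ALOAD 1 above); slot 0 is "this".
        mv.visitLocalVariable("initialValue", "Ljava/lang/String;", null, start, end, 1);
        mv.visitMaxs(2, 2);
        mv.visitEnd();
    }

    /** Emits {@code toString()}, which returns a fixed string constant. */
    private static void emitToString(ClassWriter cw) {
        MethodVisitor mv = cw.visitMethod(ACC_PUBLIC, "toString", "()Ljava/lang/String;", null, null);
        mv.visitCode();
        Label start = new Label();
        mv.visitLabel(start);
        mv.visitLdcInsn("Linus Torvalds, a custom string!");
        mv.visitInsn(ARETURN);
        Label end = new Label();
        mv.visitLabel(end);
        mv.visitLocalVariable("this", IMPL_DESCRIPTOR, null, start, end, 0);
        mv.visitMaxs(1, 1);
        mv.visitEnd();
    }

    /** Emits {@code print()}, which passes {@code this} to {@code System.out.println(String)}. */
    private static void emitPrint(ClassWriter cw) {
        MethodVisitor mv = cw.visitMethod(ACC_PUBLIC, "print", "()V", null, null);
        mv.visitCode();
        Label start = new Label();
        mv.visitLabel(start);

        mv.visitFieldInsn(GETSTATIC, "java/lang/System", "out", "Ljava/io/PrintStream;");
        mv.visitVarInsn(ALOAD, 0);
        // Same five-argument form as the constructor call; PrintStream is a class, so itf is false.
        mv.visitMethodInsn(INVOKEVIRTUAL, "java/io/PrintStream", "println", "(Ljava/lang/String;)V", false);
        mv.visitInsn(RETURN);
        Label end = new Label();
        mv.visitLabel(end);
        mv.visitLocalVariable("this", IMPL_DESCRIPTOR, null, start, end, 0);
        mv.visitMaxs(2, 1);
        mv.visitEnd();
    }

}
--------------------------------------------------------------------------------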