├── .DS_Store
├── README.md
├── bypass_jvm_verifier_clzmaker
├── .gitignore
├── .idea
│ ├── .gitignore
│ └── inspectionProfiles
│ │ └── Project_Default.xml
├── build.gradle.kts
├── gradle.properties
├── gradle
│ └── wrapper
│ │ ├── gradle-wrapper.jar
│ │ └── gradle-wrapper.properties
├── gradlew
├── gradlew.bat
├── settings.gradle.kts
└── src
│ └── main
│ └── kotlin
│ └── Main.kt
├── bypass_jvm_verifier_test
├── .gitignore
├── .idea
│ ├── .gitignore
│ ├── encodings.xml
│ └── misc.xml
├── pom.xml
└── src
│ ├── main
│ └── java
│ │ └── org
│ │ └── vidar
│ │ ├── BytecodeVerifierNoper.java
│ │ ├── Main.java
│ │ └── entity
│ │ ├── Fld.java
│ │ ├── JVMFlag.java
│ │ ├── JVMStruct.java
│ │ └── JVMType.java
│ └── test
│ └── java
│ ├── Test.java
│ └── TestVMStructs.java
└── 一种Java反编译器的通用对抗手段.pdf
/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/luelueking/Bypass_JVM_Verifier/63d886ef1809008f30920628ef9ef7e25fa6d29d/.DS_Store
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Bypass_JVM_Verifier
2 | - 通过Unsafe在java层实现-noverify,从而提升字节码指令自由度,对抗反编译器
3 | - 原理可见仓库中的pdf或者我的[blog](http://www.luelueking.com/archives/1695293894037)
4 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_clzmaker/.gitignore:
--------------------------------------------------------------------------------
1 | .gradle
2 | build/
3 | !gradle/wrapper/gradle-wrapper.jar
4 | !**/src/main/**/build/
5 | !**/src/test/**/build/
6 |
7 | ### IntelliJ IDEA ###
8 | .idea/modules.xml
9 | .idea/jarRepositories.xml
10 | .idea/compiler.xml
11 | .idea/libraries/
12 | *.iws
13 | *.iml
14 | *.ipr
15 | out/
16 | !**/src/main/**/out/
17 | !**/src/test/**/out/
18 |
19 | ### Eclipse ###
20 | .apt_generated
21 | .classpath
22 | .factorypath
23 | .project
24 | .settings
25 | .springBeans
26 | .sts4-cache
27 | bin/
28 | !**/src/main/**/bin/
29 | !**/src/test/**/bin/
30 |
31 | ### NetBeans ###
32 | /nbproject/private/
33 | /nbbuild/
34 | /dist/
35 | /nbdist/
36 | /.nb-gradle/
37 |
38 | ### VS Code ###
39 | .vscode/
40 |
41 | ### Mac OS ###
42 | .DS_Store
--------------------------------------------------------------------------------
/bypass_jvm_verifier_clzmaker/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 | # Editor-based HTTP Client requests
5 | /httpRequests/
6 | # Datasource local storage ignored files
7 | /dataSources/
8 | /dataSources.local.xml
9 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_clzmaker/.idea/inspectionProfiles/Project_Default.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_clzmaker/build.gradle.kts:
--------------------------------------------------------------------------------
plugins {
    java
    kotlin("jvm") version "1.3.61"
}

group = "org.vidar"
version = "1.0.0"

repositories {
    mavenCentral()
    // Third-party repository; it supplies the koffee assembler that Main.kt drives.
    // Supply-chain note: artifacts resolved from here are not checksum- or
    // signature-verified unless Gradle dependency verification
    // (gradle/verification-metadata.xml) is configured, so a compromised or
    // retired host could substitute the library that generates Payload.class.
    maven("https://maven.hackery.site/")
}

dependencies {
    implementation(kotlin("stdlib-jdk8"))

    // ASM core/tree/commons, all pinned to the same version.
    arrayOf("asm", "asm-tree", "asm-commons").forEach {
        implementation(group = "org.ow2.asm", name = it, version = "7.2")
    }

    implementation("codes.som.anthony:koffee:7.1.0")
}

// NOTE(review): the type argument of configure<...> appears to have been lost
// when this page was extracted; as rendered the call does not compile.
configure {
    sourceCompatibility = JavaVersion.VERSION_1_8
}
tasks {
    compileKotlin {
        kotlinOptions.jvmTarget = "1.8"
    }
    compileTestKotlin {
        kotlinOptions.jvmTarget = "1.8"
    }
}
35 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_clzmaker/gradle.properties:
--------------------------------------------------------------------------------
1 | kotlin.code.style=official
2 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_clzmaker/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/luelueking/Bypass_JVM_Verifier/63d886ef1809008f30920628ef9ef7e25fa6d29d/bypass_jvm_verifier_clzmaker/gradle/wrapper/gradle-wrapper.jar
--------------------------------------------------------------------------------
/bypass_jvm_verifier_clzmaker/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-7.4.2-bin.zip
# Supply-chain note: no distributionSha256Sum is set, so the wrapper downloads and runs
# this distribution without verifying its checksum. Pinning the published SHA-256 of
# gradle-7.4.2-bin.zip here (and checking the committed gradle-wrapper.jar against
# Gradle's published hashes) is the standard hardening for a checked-in wrapper.
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
--------------------------------------------------------------------------------
/bypass_jvm_verifier_clzmaker/gradlew:
--------------------------------------------------------------------------------
#!/bin/sh

#
# Copyright © 2015-2021 the original authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

##############################################################################
#
# Gradle start up script for POSIX generated by Gradle.
#
# Important for running:
#
# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
# noncompliant, but you have some other compliant shell such as ksh or
# bash, then to run this script, type that shell name before the whole
# command line, like:
#
# ksh Gradle
#
# Busybox and similar reduced shells will NOT work, because this script
# requires all of these POSIX shell features:
# * functions;
# * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
# «${var#prefix}», «${var%suffix}», and «$( cmd )»;
# * compound commands having a testable exit status, especially «case»;
# * various built-in commands including «command», «set», and «ulimit».
#
# Important for patching:
#
# (2) This script targets any POSIX shell, so it avoids extensions provided
# by Bash, Ksh, etc; in particular arrays are avoided.
#
# The "traditional" practice of packing multiple parameters into a
# space-separated string is a well documented source of bugs and security
# problems, so this is (mostly) avoided, by progressively accumulating
# options in "$@", and eventually passing that to Java.
#
# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
# see the in-line comments for details.
#
# There are tweaks for specific operating systems such as AIX, CygWin,
# Darwin, MinGW, and NonStop.
#
# (3) This script is generated from the Groovy template
# https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
# within the Gradle project.
#
# You can find Gradle at https://github.com/gradle/gradle/.
#
##############################################################################

# NOTE(review): stock Gradle-generated wrapper, not project code. It only launches
# gradle-wrapper.jar; which distribution that jar fetches is decided by
# gradle/wrapper/gradle-wrapper.properties (which carries no checksum pin here).

# Attempt to set APP_HOME

# Resolve links: $0 may be a link
app_path=$0

# Need this for daisy-chained symlinks.
while
    APP_HOME=${app_path%"${app_path##*/}"}  # leaves a trailing /; empty if no leading path
    [ -h "$app_path" ]
do
    ls=$( ls -ld "$app_path" )
    link=${ls#*' -> '}
    case $link in             #(
      /*)   app_path=$link ;; #(
      *)    app_path=$APP_HOME$link ;;
    esac
done

APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit

APP_NAME="Gradle"
APP_BASE_NAME=${0##*/}

# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'

# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD=maximum

warn () {
    echo "$*"
} >&2

die () {
    echo
    echo "$*"
    echo
    exit 1
} >&2

# OS specific support (must be 'true' or 'false').
cygwin=false
msys=false
darwin=false
nonstop=false
case "$( uname )" in                #(
  CYGWIN* )         cygwin=true  ;; #(
  Darwin* )         darwin=true  ;; #(
  MSYS* | MINGW* )  msys=true    ;; #(
  NONSTOP* )        nonstop=true ;;
esac

CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar


# Determine the Java command to use to start the JVM.
if [ -n "$JAVA_HOME" ] ; then
    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
        # IBM's JDK on AIX uses strange locations for the executables
        JAVACMD=$JAVA_HOME/jre/sh/java
    else
        JAVACMD=$JAVA_HOME/bin/java
    fi
    if [ ! -x "$JAVACMD" ] ; then
        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME

Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
    fi
else
    JAVACMD=java
    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.

Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi

# Increase the maximum file descriptors if we can.
if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
    case $MAX_FD in #(
      max*)
        MAX_FD=$( ulimit -H -n ) ||
            warn "Could not query maximum file descriptor limit"
    esac
    case $MAX_FD in  #(
      '' | soft) :;; #(
      *)
        ulimit -n "$MAX_FD" ||
            warn "Could not set maximum file descriptor limit to $MAX_FD"
    esac
fi

# Collect all arguments for the java command, stacking in reverse order:
# * args from the command line
# * the main class name
# * -classpath
# * -D...appname settings
# * --module-path (only if needed)
# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.

# For Cygwin or MSYS, switch paths to Windows format before running java
if "$cygwin" || "$msys" ; then
    APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
    CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )

    JAVACMD=$( cygpath --unix "$JAVACMD" )

    # Now convert the arguments - kludge to limit ourselves to /bin/sh
    for arg do
        if
            case $arg in                                #(
              -*)   false ;;                            # don't mess with options #(
              /?*)  t=${arg#/} t=/${t%%/*}              # looks like a POSIX filepath
                    [ -e "$t" ] ;;                      #(
              *)    false ;;
            esac
        then
            arg=$( cygpath --path --ignore --mixed "$arg" )
        fi
        # Roll the args list around exactly as many times as the number of
        # args, so each arg winds up back in the position where it started, but
        # possibly modified.
        #
        # NB: a `for` loop captures its iteration list before it begins, so
        # changing the positional parameters here affects neither the number of
        # iterations, nor the values presented in `arg`.
        shift                   # remove old arg
        set -- "$@" "$arg"      # push replacement arg
    done
fi

# Collect all arguments for the java command;
# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
# shell script including quotes and variable substitutions, so put them in
# double quotes to make sure that they get re-expanded; and
# * put everything else in single quotes, so that it's not re-expanded.

set -- \
        "-Dorg.gradle.appname=$APP_BASE_NAME" \
        -classpath "$CLASSPATH" \
        org.gradle.wrapper.GradleWrapperMain \
        "$@"

# Use "xargs" to parse quoted args.
#
# With -n1 it outputs one arg per line, with the quotes and backslashes removed.
#
# In Bash we could simply go:
#
# readarray ARGS < <( xargs -n1 <<<"$var" ) &&
# set -- "${ARGS[@]}" "$@"
#
# but POSIX shell has neither arrays nor command substitution, so instead we
# post-process each arg (as a line of input to sed) to backslash-escape any
# character that might be a shell metacharacter, then use eval to reverse
# that process (while maintaining the separation between arguments), and wrap
# the whole thing up as a single "set" statement.
#
# This will of course break if any of these variables contains a newline or
# an unmatched quote.
#

eval "set -- $(
        printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
        xargs -n1 |
        sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
        tr '\n' ' '
    )" '"$@"'

exec "$JAVACMD" "$@"
235 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_clzmaker/gradlew.bat:
--------------------------------------------------------------------------------
@rem
@rem Copyright 2015 the original author or authors.
@rem
@rem Licensed under the Apache License, Version 2.0 (the "License");
@rem you may not use this file except in compliance with the License.
@rem You may obtain a copy of the License at
@rem
@rem https://www.apache.org/licenses/LICENSE-2.0
@rem
@rem Unless required by applicable law or agreed to in writing, software
@rem distributed under the License is distributed on an "AS IS" BASIS,
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem

@if "%DEBUG%" == "" @echo off
@rem ##########################################################################
@rem
@rem Gradle startup script for Windows
@rem
@rem ##########################################################################

@rem NOTE(review): stock Gradle-generated wrapper, not project code. It only launches
@rem gradle-wrapper.jar; the distribution that jar fetches is chosen by
@rem gradle\wrapper\gradle-wrapper.properties (no checksum pin in this repository).

@rem Set local scope for the variables with windows NT shell
if "%OS%"=="Windows_NT" setlocal

set DIRNAME=%~dp0
if "%DIRNAME%" == "" set DIRNAME=.
set APP_BASE_NAME=%~n0
set APP_HOME=%DIRNAME%

@rem Resolve any "." and ".." in APP_HOME to make it shorter.
for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi

@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"

@rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome

set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1
if "%ERRORLEVEL%" == "0" goto execute

echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.

goto fail

:findJavaFromJavaHome
set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe

if exist "%JAVA_EXE%" goto execute

echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.

goto fail

:execute
@rem Setup the command line

set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar


@rem Execute Gradle
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*

:end
@rem End local scope for the variables with windows NT shell
if "%ERRORLEVEL%"=="0" goto mainEnd

:fail
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
rem the _cmd.exe /c_ return code!
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
exit /b 1

:mainEnd
if "%OS%"=="Windows_NT" endlocal

:omega
90 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_clzmaker/settings.gradle.kts:
--------------------------------------------------------------------------------
1 |
// Gradle project name for the class-generating half of the repository (the Kotlin/koffee side).
rootProject.name = "bypass_jvm_verifier_clzmaker"
3 |
4 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_clzmaker/src/main/kotlin/Main.kt:
--------------------------------------------------------------------------------
1 | package codes.som.noverify
2 |
3 | import codes.som.anthony.koffee.assembleClass
4 | import codes.som.anthony.koffee.insns.jvm.*
5 | import codes.som.anthony.koffee.modifiers.public
6 | import org.objectweb.asm.ClassWriter
7 | import org.objectweb.asm.tree.ClassNode
8 | import java.io.FileOutputStream
9 | import java.io.PrintStream
10 |
11 |
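/**
 * Serialises [payload] with ASM and writes it to `Payload.class` in the current
 * working directory, printing "success" afterwards.
 *
 * Only `COMPUTE_MAXS` is requested, so ASM sizes max-stack/max-locals but is not asked
 * to compute StackMapTable frames (`COMPUTE_FRAMES` is not set).
 *
 * Fix over the original: the stream is closed through `use`, so a failed write no
 * longer leaks the file handle.
 */
fun saveClz(payload: ClassNode) {
    val classWriter = ClassWriter(ClassWriter.COMPUTE_MAXS)
    payload.accept(classWriter)
    FileOutputStream("Payload.class").use { fos ->
        fos.write(classWriter.toByteArray())
    }
    println("success")
}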
21 |
/**
 * Assembles the `Payload` class (a single `public static void hack()` method) with koffee
 * and hands it to [saveClz].
 *
 * Reviewer note: the loop below pushes a String on every pass and never pops it inside
 * the loop, so the operand-stack depth at `loop_start` differs per iteration. That is
 * exactly the shape the standard JVM verifier rejects, which is why the consumer in
 * bypass_jvm_verifier_test clears the verification flags before defining this class.
 */
fun main() {
    saveClz(assembleClass(public, "Payload") {
        method(public + static, "hack", void) {

            // new ProcessBuilder(new String[]{"gnome-calculator"}).start(); result discarded
            new(ProcessBuilder::class.java)
            dup
            iconst_1
            anewarray(String::class.java)
            dup
            iconst_0
            ldc("gnome-calculator")
            aastore
            // NOTE(review): the method-name argument is empty as rendered here; the JVM
            // constructor name "<init>" was presumably lost during page extraction.
            invokespecial(ProcessBuilder::class.java,"",void, Array::class)
            invokevirtual(ProcessBuilder::class.java,"start",Process::class.java)
            pop

            bipush(3)
            istore_1 // locals[1] = 3, where locals[1] will be our counter
            +L["loop_start"]
            ldc("1ue") // pushed on each pass and never popped within the loop
            iinc(1, -1) // and decrement the counter.
            iload_1
            ifne(L["loop_start"]) // If the counter isn't zero yet, go back to the loop head.

            swap

            // Print the three Strings left on the stack by the loop above.
            for (i in 0 until 3) {
                getstatic(System::class, "out", PrintStream::class)
                swap
                invokevirtual(PrintStream::class, "println", void, String::class)
            }

            _return
        }
    })
}
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/.gitignore:
--------------------------------------------------------------------------------
1 | target/
2 | !.mvn/wrapper/maven-wrapper.jar
3 | !**/src/main/**/target/
4 | !**/src/test/**/target/
5 |
6 | ### IntelliJ IDEA ###
7 | .idea/modules.xml
8 | .idea/jarRepositories.xml
9 | .idea/compiler.xml
10 | .idea/libraries/
11 | *.iws
12 | *.iml
13 | *.ipr
14 |
15 | ### Eclipse ###
16 | .apt_generated
17 | .classpath
18 | .factorypath
19 | .project
20 | .settings
21 | .springBeans
22 | .sts4-cache
23 |
24 | ### NetBeans ###
25 | /nbproject/private/
26 | /nbbuild/
27 | /dist/
28 | /nbdist/
29 | /.nb-gradle/
30 | build/
31 | !**/src/main/**/build/
32 | !**/src/test/**/build/
33 |
34 | ### VS Code ###
35 | .vscode/
36 |
37 | ### Mac OS ###
38 | .DS_Store
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 | # Editor-based HTTP Client requests
5 | /httpRequests/
6 | # Datasource local storage ignored files
7 | /dataSources/
8 | /dataSources.local.xml
9 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/.idea/misc.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
10 |
11 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 | 4.0.0
6 |
7 | org.example
8 | bypass_jvm_verifier_test
9 | 1.0-SNAPSHOT
10 |
11 |
12 | 8
13 | 8
14 | UTF-8
15 |
16 |
17 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/src/main/java/org/vidar/BytecodeVerifierNoper.java:
--------------------------------------------------------------------------------
1 | package org.vidar;
2 |
3 | import org.vidar.entity.Fld;
4 | import org.vidar.entity.JVMFlag;
5 | import org.vidar.entity.JVMStruct;
6 | import org.vidar.entity.JVMType;
7 | import sun.misc.Unsafe;
8 |
9 | import java.lang.reflect.Constructor;
10 | import java.lang.reflect.InvocationTargetException;
11 | import java.lang.reflect.Method;
12 | import java.util.ArrayList;
13 | import java.util.HashMap;
14 | import java.util.List;
15 | import java.util.Map;
16 |
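/**
 * In-process equivalent of {@code -noverify}: clears HotSpot's
 * {@code BytecodeVerificationLocal} and {@code BytecodeVerificationRemote} flags by writing
 * into VM memory through {@link Unsafe}.
 *
 * <p>Flag addresses are discovered by walking the {@code gHotSpotVMStructs} /
 * {@code gHotSpotVMTypes} tables that HotSpot exports for its serviceability agent; the
 * table symbols are resolved with the private {@code ClassLoader.findNative}.
 *
 * <p>Review notes (defensive perspective):
 * <ul>
 *   <li>After {@link #nop()} returns, every class defined later in this process skips
 *       verification, so malformed bytecode can corrupt the VM the way native code could.
 *       The change is process-wide and nothing here undoes it.</li>
 *   <li>The technique needs {@code setAccessible(true)} on a private {@code java.base}
 *       method plus an {@link Unsafe} instance. On JDKs that enforce strong encapsulation
 *       (16 and later) the lookup in {@link #getFindNativeMethod()} is expected to fail at
 *       class-initialisation time unless {@code java.base/java.lang} has been opened on the
 *       command line; not opening it is the simplest mitigation.</li>
 *   <li>Every {@code unsafe.get*} call dereferences a raw native address. A layout that
 *       differs from what the tables describe crashes the JVM (SIGSEGV) rather than
 *       throwing; only the unresolved-symbol case is turned into an exception here.</li>
 * </ul>
 *
 * <p>Changes over the original: generics restored, the four field lookups in
 * {@link #getFlags(Map)} share one helper, loop-invariant symbol lookups are hoisted out
 * of the table walks, and {@link #symbol(String)} rejects a 0 address instead of reading it.
 */
public class BytecodeVerifierNoper {
    private static final Unsafe unsafe = getUnsafe();
    private static final Method findNativeMethod = getFindNativeMethod();

    /**
     * Walks the VM tables, finds the two verification flags and writes a 0 byte to each
     * flag's value address. Progress is printed to stdout as in the original.
     *
     * @throws RuntimeException      if the {@code Flag}/{@code JVMFlag} type or one of its
     *                               fields cannot be resolved (see {@link #getFlags(Map)})
     * @throws IllegalStateException if an exported VM symbol is not found (see
     *                               {@link #symbol(String)})
     */
    public static void nop() {
        Map<String, JVMStruct> structs = getStructs();
        System.out.println("structs size:" + structs.size());
        Map<String, JVMType> types = getTypes(structs);
        System.out.println("types size:" + types.size());
        List<JVMFlag> flags = getFlags(types);
        for (JVMFlag flag : flags) {
            String name = flag.getName();
            if (name.equals("BytecodeVerificationLocal") || name.equals("BytecodeVerificationRemote")) {
                // A single byte is written, as in the original; 0 reads as false.
                unsafe.putByte(flag.getAddress(), (byte) 0);
            }
        }
    }

    /**
     * Builds the list of all JVM flags (name plus address of the flag's value) from the
     * {@code Flag} type description.
     *
     * @param types type table as returned by {@link #getTypes(Map)}
     * @return every flag whose name pointer is non-null, in table order
     * @throws RuntimeException if the type, or one of its fields {@code flags},
     *                          {@code numFlags}, {@code _name}, {@code _addr}, is missing
     */
    public static List<JVMFlag> getFlags(Map<String, JVMType> types) {
        JVMType flagType = types.get("Flag");
        if (flagType == null) {
            // Some HotSpot builds expose the struct under this name instead (presumably a rename).
            flagType = types.get("JVMFlag");
        }
        if (flagType == null) {
            throw new RuntimeException("Could not resolve type 'Flag'");
        }

        Fld flagsField = requireField(flagType, "flags");
        Fld numFlagsField = requireField(flagType, "numFlags");
        Fld nameField = requireField(flagType, "_name");
        Fld addrField = requireField(flagType, "_addr");

        // flags/numFlags are static members, so getStructs() stored their absolute address
        // in the offset slot and they can be read directly.
        long flags = unsafe.getAddress(flagsField.getOffset());
        int numFlags = unsafe.getInt(numFlagsField.getOffset());

        List<JVMFlag> jvmFlags = new ArrayList<>(Math.max(numFlags, 0));
        long flagSize = flagType.getSize(); // widen once so i * size is long arithmetic
        for (int i = 0; i < numFlags; i++) {
            long flagAddress = flags + i * flagSize;
            long flagNameAddress = unsafe.getAddress(flagAddress + nameField.getOffset());
            long flagValueAddress = unsafe.getAddress(flagAddress + addrField.getOffset());

            String flagName = getString(flagNameAddress);
            if (flagName != null) {
                jvmFlags.add(new JVMFlag(flagName, flagValueAddress));
            }
        }

        return jvmFlags;
    }

    /**
     * Looks up a field of the flag type, failing with the original's message when absent.
     *
     * @throws RuntimeException if {@code type} has no field called {@code fieldName}
     */
    private static Fld requireField(JVMType type, String fieldName) {
        Fld field = type.getFields().get(fieldName);
        if (field == null) {
            throw new RuntimeException("Could not resolve field 'Flag." + fieldName + "'");
        }
        return field;
    }

    /**
     * Reads the {@code gHotSpotVMTypes} table into a name-to-{@link JVMType} map, copying
     * into each type the fields {@link #getStructs()} recorded for it.
     *
     * @param structs struct table from {@link #getStructs()}
     * @return all types keyed by name; the walk stops at the entry whose type name is null
     */
    public static Map<String, JVMType> getTypes(Map<String, JVMStruct> structs) {
        Map<String, JVMType> types = new HashMap<>();

        long entry = symbol("gHotSpotVMTypes");
        long arrayStride = symbol("gHotSpotVMTypeEntryArrayStride");
        // Member offsets are exported symbols themselves; resolve each once instead of going
        // through reflection + Unsafe on every iteration.
        long typeNameOff = offsetTypeSymbol("TypeName");
        long superNameOff = offsetTypeSymbol("SuperclassName");
        long sizeOff = offsetTypeSymbol("Size");
        long isOopOff = offsetTypeSymbol("IsOopType");
        long isIntOff = offsetTypeSymbol("IsIntegerType");
        long isUnsignedOff = offsetTypeSymbol("IsUnsigned");

        while (true) {
            String typeName = derefReadString(entry + typeNameOff);
            if (typeName == null) {
                break; // terminating entry
            }

            String superClassName = derefReadString(entry + superNameOff);
            int size = unsafe.getInt(entry + sizeOff);
            boolean oop = unsafe.getInt(entry + isOopOff) != 0;
            boolean intType = unsafe.getInt(entry + isIntOff) != 0;
            boolean unsigned = unsafe.getInt(entry + isUnsignedOff) != 0;

            JVMType jvmType = new JVMType(typeName, superClassName, size, oop, intType, unsigned);
            JVMStruct struct = structs.get(typeName);
            if (struct != null) {
                jvmType.getFields().putAll(struct.getFields());
            }
            types.put(typeName, jvmType);

            entry += arrayStride;
        }

        return types;
    }

    /**
     * Reads the {@code gHotSpotVMStructs} table into a name-to-{@link JVMStruct} map.
     *
     * <p>For static members the entry's {@code Address} is stored in the {@link Fld} offset
     * slot, for instance members its {@code Offset}; {@link #getFlags(Map)} depends on the
     * static case holding an absolute address.
     *
     * @return all structs keyed by type name; the walk stops at the first entry whose type
     *         name or field name is null
     */
    public static Map<String, JVMStruct> getStructs() {
        Map<String, JVMStruct> structs = new HashMap<>();

        long currentEntry = symbol("gHotSpotVMStructs");
        long arrayStride = symbol("gHotSpotVMStructEntryArrayStride");
        long typeNameOff = offsetStructSymbol("TypeName");
        long fieldNameOff = offsetStructSymbol("FieldName");
        long typeStringOff = offsetStructSymbol("TypeString");
        long isStaticOff = offsetStructSymbol("IsStatic");
        long addressOff = offsetStructSymbol("Address");
        long offsetOff = offsetStructSymbol("Offset");

        while (true) {
            String typeName = derefReadString(currentEntry + typeNameOff);
            String fieldName = derefReadString(currentEntry + fieldNameOff);
            if (typeName == null || fieldName == null) {
                break; // terminating entry
            }

            String typeString = derefReadString(currentEntry + typeStringOff);
            boolean staticField = unsafe.getInt(currentEntry + isStaticOff) != 0;
            long offset = unsafe.getLong(currentEntry + (staticField ? addressOff : offsetOff));

            structs.computeIfAbsent(typeName, JVMStruct::new)
                   .setField(fieldName, new Fld(fieldName, typeString, offset, staticField));

            currentEntry += arrayStride;
        }

        return structs;
    }

    /**
     * Resolves an exported VM symbol and returns the {@code long} stored at its address.
     *
     * @param name symbol name, e.g. {@code gHotSpotVMStructs}
     * @return the 8-byte value at the symbol's address
     * @throws IllegalStateException if the symbol is not found ({@code findNative} reports
     *                               that as address 0, and reading address 0 through
     *                               {@link Unsafe} would kill the JVM with SIGSEGV)
     */
    public static long symbol(String name) {
        long address = findNative(name, null);
        if (address == 0L) {
            throw new IllegalStateException("Could not resolve JVM symbol '" + name + "'");
        }
        return unsafe.getLong(address);
    }

    /** @return the value of {@code gHotSpotVMStructEntry<name>Offset} (see {@link #symbol(String)}) */
    public static long offsetStructSymbol(String name) {
        return symbol("gHotSpotVMStructEntry" + name + "Offset");
    }

    /** @return the value of {@code gHotSpotVMTypeEntry<name>Offset} (see {@link #symbol(String)}) */
    public static long offsetTypeSymbol(String name) {
        return symbol("gHotSpotVMTypeEntry" + name + "Offset");
    }

    /**
     * Reads the pointer stored at {@code addr} and returns the C string it points to.
     *
     * @return the string, or {@code null} if the stored pointer is 0
     */
    public static String derefReadString(long addr) {
        return getString(unsafe.getLong(addr));
    }

    /**
     * Reads a NUL-terminated byte string starting at {@code addr}.
     *
     * <p>Each byte is widened to a {@code char} as-is, which is exact for the ASCII names
     * in the VM tables (bytes above 0x7F would be sign-extended). There is no upper bound:
     * a missing terminator keeps reading until an unmapped page is hit.
     *
     * @return the decoded string, or {@code null} when {@code addr} is 0
     */
    public static String getString(long addr) {
        if (addr == 0L) {
            return null;
        }
        StringBuilder stringBuilder = new StringBuilder();
        for (int offset = 0; ; offset++) {
            char ch = (char) unsafe.getByte(addr + offset);
            if (ch == '\u0000') {
                break;
            }
            stringBuilder.append(ch);
        }
        return stringBuilder.toString();
    }

    /**
     * Invokes the private {@code ClassLoader.findNative(ClassLoader, String)} reflectively.
     *
     * @param name        native symbol name
     * @param classLoader loader whose native libraries are searched; {@code null} for the
     *                    boot loader's
     * @return the symbol address, 0 when it is not found
     * @throws RuntimeException wrapping any reflective failure (cause preserved)
     */
    public static Long findNative(String name, ClassLoader classLoader) {
        try {
            return (Long) findNativeMethod.invoke(null, classLoader, name);
        } catch (IllegalAccessException | InvocationTargetException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Looks up {@code ClassLoader.findNative} and makes it accessible.
     *
     * <p>Under strong encapsulation (JDK 16+) {@code setAccessible} is expected to throw
     * unless {@code java.base/java.lang} is opened to this module; since this runs in the
     * static initialiser, that failure surfaces as an {@code ExceptionInInitializerError}.
     *
     * @throws RuntimeException if the method does not exist on this JDK
     */
    private static Method getFindNativeMethod() {
        try {
            Method findNative = ClassLoader.class.getDeclaredMethod("findNative", ClassLoader.class, String.class);
            findNative.setAccessible(true);
            return findNative;
        } catch (NoSuchMethodException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates a fresh {@link Unsafe} through its private constructor.
     *
     * @throws RuntimeException wrapping any reflective failure (cause preserved)
     */
    public static Unsafe getUnsafe() {
        try {
            Constructor<Unsafe> constructor = Unsafe.class.getDeclaredConstructor();
            constructor.setAccessible(true);
            return constructor.newInstance();
        } catch (ReflectiveOperationException e) {
            throw new RuntimeException(e);
        }
    }
}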
225 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/src/main/java/org/vidar/Main.java:
--------------------------------------------------------------------------------
1 | package org.vidar;
2 |
3 | import java.io.IOException;
4 | import java.lang.reflect.InvocationTargetException;
5 | import java.lang.reflect.Method;
6 | import java.nio.file.Files;
7 | import java.nio.file.Paths;
8 |
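/**
 * Test driver: disables bytecode verification in this JVM, then defines {@code Payload}
 * from {@code Payload.class} in the working directory and invokes its static
 * {@code hack()} method.
 *
 * <p>Review note: {@code Payload.class} is produced by the sibling Kotlin project and is
 * deliberately not verifiable, so the order here matters; defining it before
 * {@code BytecodeVerifierNoper.nop()} would be rejected by the verifier.
 *
 * <p>Change over the original: a failure to read the class file now surfaces as a
 * {@link ClassNotFoundException} with the cause attached instead of being printed and
 * followed by a {@code defineClass} on an empty array.
 */
public class Main {
    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
        BytecodeVerifierNoper.nop();
        Class<?> payload = new InMemoryClassLoader().findClass("Payload");
        Method m = payload.getDeclaredMethod("hack");
        m.setAccessible(true);
        System.out.println(m);
        m.invoke(null);
    }

    /**
     * Loader that always defines the bytes of {@code Payload.class} (working directory)
     * under whatever name is requested; the file's own class name must match {@code name}.
     */
    static class InMemoryClassLoader extends ClassLoader {
        /**
         * @param name binary name to define
         * @throws ClassNotFoundException if {@code Payload.class} cannot be read
         */
        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            byte[] classData;
            try {
                classData = Files.readAllBytes(Paths.get("Payload.class"));
            } catch (IOException e) {
                throw new ClassNotFoundException("Could not read Payload.class for " + name, e);
            }
            return defineClass(name, classData, 0, classData.length);
        }
    }
}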
32 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/src/main/java/org/vidar/entity/Fld.java:
--------------------------------------------------------------------------------
1 | package org.vidar.entity;
2 |
/**
 * Immutable description of one vmStructs entry: a named member of a HotSpot struct.
 *
 * <p>{@code offset} is the member's offset within the struct for instance members; for
 * static members the producer ({@code BytecodeVerifierNoper.getStructs}) stores the
 * member's absolute address in the same slot, so consult {@link #isStatic()} before
 * interpreting it.
 */
public class Fld {
    private final boolean isStatic;
    private final long offset;
    private final String type;
    private final String name;

    /**
     * @param name     member name as exported by the VM
     * @param type     the VM's type string for the member
     * @param offset   struct offset, or absolute address when {@code isStatic} is true
     * @param isStatic whether the VM reports the member as static
     */
    public Fld(String name, String type, long offset, boolean isStatic) {
        this.isStatic = isStatic;
        this.offset = offset;
        this.type = type;
        this.name = name;
    }

    /** @return the member name */
    public String getName() { return name; }

    /** @return the VM's type string */
    public String getType() { return type; }

    /** @return offset within the struct, or absolute address for static members */
    public long getOffset() { return offset; }

    /** @return whether the member is static */
    public boolean isStatic() { return isStatic; }
}
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/src/main/java/org/vidar/entity/JVMFlag.java:
--------------------------------------------------------------------------------
1 | package org.vidar.entity;
2 |
/**
 * Immutable (name, value address) pair for one HotSpot command-line flag, as gathered by
 * {@code BytecodeVerifierNoper.getFlags}. The address points at the flag's value, not at
 * the flag descriptor.
 */
public class JVMFlag {
    private final long address;
    private final String name;

    /**
     * @param name    flag name, e.g. {@code BytecodeVerificationRemote}
     * @param address native address of the flag's value
     */
    public JVMFlag(String name, long address) {
        this.address = address;
        this.name = name;
    }

    /** @return the flag name */
    public String getName() { return name; }

    /** @return native address of the flag's value */
    public long getAddress() { return address; }
}
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/src/main/java/org/vidar/entity/JVMStruct.java:
--------------------------------------------------------------------------------
1 | package org.vidar.entity;
2 |
3 | import java.util.HashMap;
4 | import java.util.Map;
5 |
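/**
 * Mutable collection of the {@link Fld} members recorded for one HotSpot struct name,
 * filled incrementally by {@code BytecodeVerifierNoper.getStructs}.
 *
 * <p>Change over the original: the field map is typed {@code Map<String, Fld>} (the
 * generics were missing), so {@link #getField(String)} no longer needs a cast.
 */
public class JVMStruct {
    private final String name;
    private final Map<String, Fld> fields;

    /** @param name struct (type) name as exported by the VM */
    public JVMStruct(String name) {
        this.name = name;
        this.fields = new HashMap<>();
    }

    /** Records (or replaces) the member called {@code fieldName}. */
    public void setField(String fieldName, Fld value) {
        fields.put(fieldName, value);
    }

    /** @return the member called {@code fieldName}, or {@code null} if none was recorded */
    public Fld getField(String fieldName) {
        return fields.get(fieldName);
    }

    /** @return the struct name */
    public String getName() {
        return name;
    }

    /** @return the live member map (callers copy from it via {@code putAll}) */
    public Map<String, Fld> getFields() {
        return fields;
    }
}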
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/src/main/java/org/vidar/entity/JVMType.java:
--------------------------------------------------------------------------------
1 | package org.vidar.entity;
2 |
3 | import java.util.HashMap;
4 | import java.util.Map;
5 |
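/**
 * One entry of the HotSpot vmTypes table plus the members copied over from the matching
 * {@link JVMStruct}; built by {@code BytecodeVerifierNoper.getTypes}.
 *
 * <p>Change over the original: the member map is typed {@code Map<String, Fld>} (the
 * generics were missing).
 */
public class JVMType {
    private final String type;
    private final String superClass;
    private final int size;
    private final boolean oop;
    private final boolean intType;
    private final boolean unsigned;
    private final Map<String, Fld> fields;

    /**
     * @param type       type name
     * @param superClass superclass name as exported by the VM (may be {@code null})
     * @param size       size in bytes of one instance, as exported by the VM
     * @param oop        the VM's IsOopType flag
     * @param intType    the VM's IsIntegerType flag
     * @param unsigned   the VM's IsUnsigned flag
     */
    public JVMType(String type, String superClass, int size, boolean oop, boolean intType, boolean unsigned) {
        this.type = type;
        this.superClass = superClass;
        this.size = size;
        this.oop = oop;
        this.intType = intType;
        this.unsigned = unsigned;
        this.fields = new HashMap<>();
    }

    /** @return the live member map; the producer fills it with {@code putAll} */
    public Map<String, Fld> getFields() {
        return fields;
    }

    /** @return the type name */
    public String getType() {
        return type;
    }

    /** @return the superclass name, possibly {@code null} */
    public String getSuperClass() {
        return superClass;
    }

    /** @return instance size in bytes; used as the stride when walking flag arrays */
    public int getSize() {
        return size;
    }

    /** @return the VM's IsOopType flag */
    public boolean isOop() {
        return oop;
    }

    /** @return the VM's IsIntegerType flag */
    public boolean isIntType() {
        return intType;
    }

    /** @return the VM's IsUnsigned flag */
    public boolean isUnsigned() {
        return unsigned;
    }
}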
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/src/test/java/Test.java:
--------------------------------------------------------------------------------
1 | import java.io.IOException;
2 |
3 |
/**
 * Plain-Java counterpart of what the assembled {@code Payload.hack} method does (see
 * Main.kt in the clzmaker project): launch the calculator via the runtime.
 */
public class Test {
    public static void main(String[] args) throws IOException {
        final Runtime runtime = Runtime.getRuntime();
        runtime.exec("gnome-calculator");
    }
}
9 |
--------------------------------------------------------------------------------
/bypass_jvm_verifier_test/src/test/java/TestVMStructs.java:
--------------------------------------------------------------------------------
1 | import org.vidar.BytecodeVerifierNoper;
2 | import sun.misc.Unsafe;
3 |
4 |
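/**
 * Smoke test: resolves the {@code gHotSpotVMStructs} symbol and prints its address and
 * the pointer stored there.
 *
 * <p>Changes over the original: a 0 address is reported instead of being dereferenced
 * (which would crash the JVM), and the output goes through {@code println} rather than
 * {@code printf} with data as the format string.
 */
public class TestVMStructs {
    public static void main(String[] args) {
        Long vmStructs = BytecodeVerifierNoper.findNative("gHotSpotVMStructs", null);
        if (vmStructs == 0L) {
            System.out.println("gHotSpotVMStructs not found (findNative returned 0)");
            return;
        }
        Unsafe unsafe = BytecodeVerifierNoper.getUnsafe();
        System.out.println(Long.toHexString(vmStructs)
                + ", value: " + Long.toHexString(unsafe.getLong(vmStructs)));
    }
}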
13 |
--------------------------------------------------------------------------------
/一种Java反编译器的通用对抗手段.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/luelueking/Bypass_JVM_Verifier/63d886ef1809008f30920628ef9ef7e25fa6d29d/一种Java反编译器的通用对抗手段.pdf
--------------------------------------------------------------------------------