Here is a CAP file possibly containing malware code, without source code, and also without an export file.
It is a CAP file for an old platform version, i.e. GP211.
I have a lot of experience in Java reverse-engineering on the classic JVM and Dalvik. But Java Card is a less popular and more closed platform. Most tools are for CLASS/JAR or DEX, not CAP.
I found several tools (including some VMs which simulate JCOP) which could disassemble a CAP file, but the CAP is quite big, and working with assembly code is too complex and slow for me.
And we cannot simply do "CAP text bytecode -> Notepad++ -> some Java bytecode editor -> Java bytecode".
There are too many differences between CAP bytecode and Java bytecode. Not just the method table; there is also a large number of different opcodes.
Just decompile the converter.jar of a Java Card Kit (it is the tool which converts CLASS -> CAP) and see that the conversion is quite a complex process.
I need some automated converter.
Meanwhile, I am developing a set of smart card solutions and the "CAP decompiler" will be a good piece in the list.
Yes, I'm going to write it.
I plan to build it on top of Javassist from one side, some CAP disassembling library from the second one, and some standard Java decompiler(-s) from the third one.
But I should be sure that there are no analogs.
QUESTION IS HERE:
Is there some tool on Earth which can convert Java Card *.cap to Java *.class (or decompile *.cap directly) or not?
I am not asking for a library (I found some libraries), I am asking for a tool. Runnable.
(Also, if you know some pitfalls in this bytecode conversion I will be grateful if you describe them to me. Right now I see it as just copying one opcode list to another one with a giant if...else if...else if...else if... or switch...case...case...case tree (and some misc stuff, i.e. conversion of access modifiers, fields, etc.).)
To generate .class files out of a .cap file, use the normalizer tool, which is part of recent Java Card SDKs ('Classic-3.0.4' worked for me).
For example, to convert helloworld.cap from the gpshell sources, use the following command (you will have to adjust the api_export_files path to the appropriate directory):
normalizer.bat normalize -i helloworld.cap -p /path/to/api_export_files
Then you can decompile the output file (net/sourceforge/globalplatform/jc/helloworld/AAA.class) using your favorite Java decompiler, giving e.g.:
package net.sourceforge.globalplatform.jc.helloworld;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.Util;

public class AAA extends Applet
{
    private static final byte[] sfield_token255_descoff10_staticref0 = { 72, 101, 108, 108, 111, 32, 87, 111, 114, 108, 100, 33 };

    public void process(APDU paramAPDU)
    {
        byte[] arrayOfByte = paramAPDU.getBuffer();
        paramAPDU.setIncomingAndReceive();
        Util.arrayCopyNonAtomic(sfield_token255_descoff10_staticref0, (short)0, arrayOfByte, (short)0, sfield_token255_descoff10_staticref0.length);
        paramAPDU.setOutgoingAndSend((short)0, sfield_token255_descoff10_staticref0.length);
    }

    public static void install(byte[] paramArrayOfByte, short paramShort, byte paramByte)
    {
        new AAA();
    }

    private AAA()
    {
        register();
    }
}
Some additional (random) notes:
- this approach does not straightforwardly work for all applets (some output .class files for an applet I wrote earlier were refused by the decompiler as invalid, but YMMV)
- you need to provide export files for all the applet's imported packages, including:
  - Java Card API (the latest version always worked for me, but YMMV)
  - Global Platform API, SIM-toolkit related APIs, card vendor extensions or any other publicly available packages (if any of them are used)
  - other non-public packages (which might/will cause trouble -- I have never dealt with that so can't help)
- to get the list of imported package AIDs you can either check the appropriate structures in the CAP file (I am not aware of any publicly available tool for this, sorry) or just try incrementally (normalizer gives error messages like "Cannot find export file for imported package " for missing export files)
- an export package for the .cap itself is not necessary
- it will probably be more difficult to re-compile the applet from reverse-engineered sources than it is for desktop Java (partly depends on the used decompiler's capabilities)
- if all you need is to check that someone did not introduce a backdoor into a binary .cap file, then it will be much simpler to build a clean .cap file from trusted sources (ideally using the same compiler) and compare the decompiler outputs for both the clean and the suspicious cap files
- check the legality of whatever-you-are-doing
Good luck!
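The answer above notes that the imported package AIDs can be read from the CAP file's own structures but names no tool for it. The script below is an added example, not code from the answer or from the Java Card SDK: it parses the Import component (Import.cap inside the CAP JAR, tag 4 per the JCVM CAP format, a count followed by minor/major version and AID per package) and prints each AID in the colon-separated form normalizer uses in its error messages. The sample component and the package path com/example/applet are constructed here; the two AIDs in it are the ones quoted in this thread's normalizer errors.

```python
import io
import struct
import zipfile

IMPORT_COMPONENT_TAG = 4  # COMPONENT_Import in the JCVM CAP file format


def format_aid(aid: bytes) -> str:
    """Render an AID the way normalizer prints it, e.g. 'a0:0:0:0:62:0:1'."""
    return ":".join(f"{b:x}" for b in aid)


def parse_import_component(data: bytes) -> list:
    """Parse a raw Import.cap component: u1 tag, u2 size, u1 count, then
    package_info { u1 minor, u1 major, u1 aid_len, u1 aid[aid_len] } * count."""
    if len(data) < 4:
        raise ValueError("Import component too short")
    tag, size, count = struct.unpack_from(">BHB", data, 0)
    if tag != IMPORT_COMPONENT_TAG:
        raise ValueError(f"unexpected component tag {tag}, expected {IMPORT_COMPONENT_TAG}")
    if size != len(data) - 3:  # size covers everything after the tag and size fields
        raise ValueError(f"size field {size} does not match payload length {len(data) - 3}")
    packages, pos = [], 4
    for _ in range(count):
        minor, major, aid_len = struct.unpack_from(">BBB", data, pos)
        pos += 3
        aid = data[pos:pos + aid_len]
        if len(aid) != aid_len:
            raise ValueError("truncated package_info entry")
        pos += aid_len
        packages.append({"major": major, "minor": minor, "aid": format_aid(aid)})
    return packages


def list_imports(cap_file) -> list:
    """Open a CAP (a JAR) by path or file object and parse its Import.cap entry."""
    with zipfile.ZipFile(cap_file) as cap:
        names = [n for n in cap.namelist() if n.endswith("javacard/Import.cap")]
        return parse_import_component(cap.read(names[0])) if names else []


# Constructed sample component: two imports, versions 1.0, AIDs taken from this thread.
SAMPLE_IMPORT = bytes([0x04, 0x00, 0x1E, 0x02,
    0x00, 0x01, 0x07, 0xA0, 0x00, 0x00, 0x00, 0x62, 0x00, 0x01,
    0x00, 0x01, 0x10, 0xA0, 0x00, 0x00, 0x00, 0x09, 0x00, 0x03,
    0xFF, 0xFF, 0xFF, 0xFF, 0x89, 0x10, 0x71, 0x00, 0x02])


def build_sample_cap() -> io.BytesIO:
    """Wrap the sample component in an in-memory CAP JAR under a constructed package path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as cap:
        cap.writestr("com/example/applet/javacard/Import.cap", SAMPLE_IMPORT)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for pkg in list_imports(build_sample_cap()):
        print(f"{pkg['aid']}  (package version {pkg['major']}.{pkg['minor']})")
```

Pass a real .cap path to list_imports to get the AIDs you must supply export files for; the version pair tells you which API release the export file has to match.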
For those who are trying to perform reverse engineering and getting the errors below while running normalizer:

Cannot find export file for imported package a0:0:0:0:62:0:1
Please provide the correct export file

The Java Card JDK API export files are missing:
-p /Users/user/etc/jcard-sdk-3.0.5u3/api_export_files/

Cannot find export file for imported package a0:0:0:0:9:0:3:ff:ff:ff:ff:89:10:71:0:2
Please provide the correct export file

The SIM Toolkit JDK export files are missing:
-p /Users/user/etc/etc/43019-560/Annex_B_Export_Files

Here are the details for the SIM Toolkit JDK installation.
Here is the command line script for running normalizer on Linux variants:
java -server -Djc.home=/Users/user/etc/jcard-sdk-3.0.5u3 -cp .:../lib/* com.sun.javacard.normalizer.Main normalize -i /Users/user/test.cap -p /Users/user/etc/jcard-sdk-3.0.5u3/api_export_files/ -p /Users/user/etc/43019-560/Annex_B_Export_Files/