Convert Java Applet CAP file to *.class for decompilation

Question

Here is a CAP file possible containing a malware code, without source code, and also without an export file.

It is a CAP file for old platform version, i.e. GP211.

I have a big experience Java reverse-engineering in Classic JVM and Dalvik. But Java Card is lesser popular and closer platform. Most tools are for CLASS/JAR or DEX, not CAP.

I found the several tools (including some VMs who simulates the JCOP) which could disassemble a CAP file, but the CAP is quite big, and the working with assembly code is too complex and slow for me.

And we cannot simply do "CAP text bytecode -> Notepad++ --> some Java Bytecode editor -> Java bytecode".
Too many differences between CAP bytecode and Java bytecode. Not just method table, it is also a big amount of different opcodes.
Just decompile the converter.jar of a Java Card Kit (it is a tool which converts CLASS -> CAP) and see that conversion is a quite complex process.

I need some automated converter.

Meanwhile, I developing a set of smart card solutions and the "CAP decompiler" will be a good piece in the list.
Yes, I'm going to write it.
I plan to build it on top of Javassist from one side, some CAP disassembling library from the second one, and some standard Java decompiler(-s) from the third one.

But I should be sure that there are no analogs.

QUESTION IS HERE:
Is there some tool in the Earth which can convert Java Card *.cap to Java *.class (or decompile *.cap directly) or no?
I am not asking for a library (i found some libraries), I am asking for a tool. Runnable.

(Also if you know some pitfalls in this bytecode conversion I will be grateful if you'll describe them to me. Now I saw it as just a copying one opcode list to another one with a giant if...else if...else if...else if... or switch...case...case...case tree (and some misc staff i.e. conversion of access modifiers, fields, etc).

Answer 1

To generate .class files out of .cap file use normalizer tool which is part of recent Java Card SDK ('Classic-3.0.4' worked for me).

For example to convert helloworld.cap from gpshell sources use the following command (you will have to adjust api_export_files path to the appropriate directory):

normalizer.bat normalize -i helloworld.cap -p /path/to/api_export_files

Then you can decompile output file ( net/sourceforge/globalplatform/jc/helloworld/AAA.class) using your favorite java decompiler, giving e.g.:

package net.sourceforge.globalplatform.jc.helloworld;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.Util;

public class AAA
  extends Applet
{
  private static final byte[] sfield_token255_descoff10_staticref0 = { 72, 101, 108, 108, 111, 32, 87, 111, 114, 108, 100, 33 };

  public void process(APDU paramAPDU)
  {
    byte[] arrayOfByte = paramAPDU.getBuffer();
    paramAPDU.setIncomingAndReceive();
    Util.arrayCopyNonAtomic(sfield_token255_descoff10_staticref0, (short)0, arrayOfByte, (short)0, sfield_token255_descoff10_staticref0.length);
    paramAPDU.setOutgoingAndSend((short)0, sfield_token255_descoff10_staticref0.length);
  }

  public static void install(byte[] paramArrayOfByte, short paramShort, byte paramByte)
  {
    new AAA();
  }

  private AAA()
  {
    register();
  }
}

Some additional (random) notes:

• this approach does not straightforwardly work for all applets (some output .class files for an applet I wrote earlier were refused by decompiler as invalid, but YMMV)

• you need to provide export files for all the applet's imported packages, including:

  • Java Card API (the latest version always worked for me, but YMMV)

  • Global Platform API, SIM-toolkit related APIs, card vendor extensions or any other publicly available packages (if any of them are used)

  • other non-public packages (which might/will cause trouble -- I have never dealt with that so can't help)

• to get list of imported package AIDs you can either check appropriate structures in the CAP file (I am not aware of any publicly available tool for this, sorry) or just try incrementally (normalizer gives error messages like "Cannot find export file for imported package " for missing export files)

• export package for the .cap itself is not necessary

• it will be probably more difficult to re-compile the applet from reverse-engineered sources than it is for desktop java (partly depends on the used decompiler capabilities)

• if all you need is to check if someone did not introduce a backdoor into a binary .cap file then it will be much simpler to build a clean .cap file from trusted sources (ideally using the same compiler) and compare decompiler outputs for both clean and suspicious cap files

• check legality of whatever-you-are-doing

Good luck!

Answer 2

For those who are trying to perform reverse engineering and getting below errors while running normalizer:

Cannot find export file for imported package a0:0:0:0:62:0:1

Please provide the correct export file

Java Card JDK api export files missing. -p /Users/user/etc/jcard-sdk-3.0.5u3/api_export_files/

Cannot find export file for imported package a0:0:0:0:9:0:3:ff:ff:ff:ff:89:10:71:0:2

Please provide the correct export file

Sim Toolkit JDK export files are missing -p /Users/user/etc/etc/43019-560/Annex_B_Export_Files

Here is the details for Sim Toolkit JDK installation

Here is the command line script for running normalizer on linux variants:

java -server -Djc.home=/Users/user/etc/jcard-sdk-3.0.5u3 -cp .:../lib/* com.sun.javacard.normalizer.Main normalize -i /Users/user/test.cap -p /Users/user/etc/jcard-sdk-3.0.5u3/api_export_files/ -p /Users/user/etc/43019-560/Annex_B_Export_Files/