A Challengers Handbook

by

Caesum

Applets

I think a lot of people do not realise the distinction between Javascript and Java and Applets. Javascript is a scripting language that is processed along with the HTML in a webpage. Java is a programming language that can create standalone applications. An applet is a Java program that runs within the web browser by conforming to certain programming standards. Javascript source code can be seen as part of the web page but an applet will be in a separate compiled class file. Also Javascript was developed by Netscape but Java was developed by Sun. If you find that all you see on web pages are small grey squares where an applet should be then you probably need to install the latest Java VM, simply go to Sun and download it, it is free. You may want to download sdk's, etc so that you can play about and develop and write your own java programs and applets.

Now class files contain compiled java bytecode, along with a lot of other information. Luckily this is easily decompiled back into a source code form. This can be done because the mapping between java bytecode and java is quite close (one-one as opposed to c and assembler which is more like many-many). Anyway there are many decompilers around and some are better than others. If your decompiler ever fails then simply try a different one. The one I use most of the time is mDeJava v1.0b and I have never really had any problems with it.

So basically the technique for dealing with applets is firstly to grab the class file, by whatever technique you want to use, then to decompile it with your decompiler and then to interpret what you have found the best you can. Once again you can grab files off your hard disk, which will give you the full set of files that you need straight away, and you do find that additional files are downloaded and included with only slight references in the other files. At the simplest level there will simply be a password or url to go to and at the more complex level you will have a full program to decipher. Having got this far there is little else other than persevering to understand each line of code that can be done. With any luck there will be an easily reversible algorithm otherwise you will be faced with writing some kind of brute forcer to find a password. The master of the applet challenges is TheGame and you will need a deep understanding of Java to make it to the top but along the way you will have some fun with lower level tricks similar to our JavaScript file tricks.

It is possible to mess with compiled class files so that decompilers will have a hard time decompiling them, so you may come across variables with very similar names (z,zz,zzz,zz1,zz2,zzx,etc), or funny constructs (jmp l104), just be aware of this. Normally you should be able to recompile an applet fairly easily though.

I haven't put any java or applet reference books at the end of this section because I haven't yet come across anything good enough, if you have any ideas then let me know :) I have however linked to one book which is far more detailed than than the average challenger needs to know, and it is exclusively from the reverse engineering side of things.

Back to Contents