Convert Java Applet CAP file to *.class for decompilation
Here is a CAP file, possibly containing malware code, without source code and also without an export file.

It is a CAP file for an old platform version, i.e. GP211.

I have a lot of experience in Java reverse-engineering on the classic JVM and Dalvik. But Java Card is a less popular and more closed platform. Most tools are for CLASS/JAR or DEX, not CAP.

I found several tools (including some VMs which simulate JCOP) which can disassemble a CAP file, but the CAP is quite big, and working with assembly code is too complex and slow for me.

And we cannot simply do "CAP text bytecode -> Notepad++ -> some Java bytecode editor -> Java bytecode".
There are too many differences between CAP bytecode and Java bytecode: not just the method table, but also a large number of different opcodes.
Just decompile converter.jar from a Java Card Kit (the tool which converts CLASS -> CAP) and see that the conversion is a quite complex process.

I need some automated converter.

Meanwhile, I am developing a set of smart card solutions, and a "CAP decompiler" will be a good piece in the list.
Yes, I'm going to write it.
I plan to build it on top of Javassist on one side, some CAP disassembling library on the second, and some standard Java decompiler(s) on the third.

But I should be sure that there are no analogs.

QUESTION IS HERE:
Is there some tool on Earth which can convert Java Card *.cap to Java *.class (or decompile *.cap directly), or not?
I am not asking for a library (I found some libraries), I am asking for a tool. Runnable.

(Also, if you know some pitfalls in this bytecode conversion, I will be grateful if you describe them to me. Right now I see it as just copying one opcode list to another with a giant if...else if...else if...else if... or switch...case...case...case tree (and some misc stuff, i.e. conversion of access modifiers, fields, etc.).)

Dutch answered 29/4, 2018 at 5:10 Comments (2)
Hmm, yeah, wow, you didn't repeat the question in the body after all that text. Right. So it is explicitly off topic for StackOverflow because it is asking for software: "Questions asking for tool or library recommendations are off-topic for Stack Overflow" is a close reason. But generally, if your favorite search engine won't find it, it is of little use to ask for it on SO. -- Distinguishing
@MaartenBodewes Understatement :) "Questions asking for tool or library recommendations are off-topic for Stack Overflow as they tend to attract opinionated answers and spam". I am not asking for a recommendation of which tool is better, i.e. "A vs B", I am just asking for information about the presence of ANY such tool. Just one. -- Dutch
To generate .class files out of a .cap file, use the normalizer tool which is part of a recent Java Card SDK ('Classic-3.0.4' worked for me).

For example, to convert helloworld.cap from the gpshell sources, use the following command (you will have to adjust the api_export_files path to the appropriate directory):

normalizer.bat normalize -i helloworld.cap -p /path/to/api_export_files

Then you can decompile the output file (net/sourceforge/globalplatform/jc/helloworld/AAA.class) using your favorite Java decompiler, giving e.g.:

package net.sourceforge.globalplatform.jc.helloworld;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.Util;

public class AAA
  extends Applet
{
  private static final byte[] sfield_token255_descoff10_staticref0 = { 72, 101, 108, 108, 111, 32, 87, 111, 114, 108, 100, 33 };

  public void process(APDU paramAPDU)
  {
    byte[] arrayOfByte = paramAPDU.getBuffer();
    paramAPDU.setIncomingAndReceive();
    Util.arrayCopyNonAtomic(sfield_token255_descoff10_staticref0, (short)0, arrayOfByte, (short)0, sfield_token255_descoff10_staticref0.length);
    paramAPDU.setOutgoingAndSend((short)0, sfield_token255_descoff10_staticref0.length);
  }

  public static void install(byte[] paramArrayOfByte, short paramShort, byte paramByte)
  {
    new AAA();
  }

  private AAA()
  {
    register();
  }
}

Some additional (random) notes:

  • this approach does not work straightforwardly for all applets (some output .class files for an applet I wrote earlier were refused by the decompiler as invalid, but YMMV)

  • you need to provide export files for all of the applet's imported packages, including:

    • Java Card API (the latest version always worked for me, but YMMV)

    • Global Platform API, SIM-toolkit related APIs, card vendor extensions or any other publicly available packages (if any of them are used)

    • other non-public packages (which might/will cause trouble -- I have never dealt with that, so I can't help)

  • to get a list of imported package AIDs, you can either check the appropriate structures in the CAP file (I am not aware of any publicly available tool for this, sorry) or just try incrementally (normalizer gives error messages like "Cannot find export file for imported package " for missing export files)

  • an export package for the .cap itself is not necessary

  • it will probably be more difficult to re-compile the applet from reverse-engineered sources than it is for desktop Java (partly depending on the capabilities of the decompiler used)

  • if all you need is to check that someone did not introduce a backdoor into a binary .cap file, then it will be much simpler to build a clean .cap file from trusted sources (ideally using the same compiler) and compare the decompiler outputs for both the clean and the suspicious cap files

  • check the legality of whatever you are doing

Good luck!

Nasion answered 9/5, 2018 at 7:7 Comments (6)
Would this work, given the very first sentence of the question: "Here is a CAP file possible containing a malware code, without source code, and also without an export file"? Was your applet named AAA, or is that due to the conversion tool not finding an export file? -- Distinguishing
I have java_card_kit-2_2_2 (yes, an old version; my target is GP211 and only it) and I can't find normalizer.bat here... Should I install Java Card SDK 3.0? Will it help? -- Dutch
@SmInc: Use normalizer from a recent SDK (I used 3.0.4) and api_export_files from 2.2.2 (I used 2.2.1, but 3.0.4 works as well). -- Nasion
@MaartenBodewes: You do not need the target applet's export file to use this approach (there is no .exp file in the gpshell repository). The AAA class name is (IMHO) generated by normalizer and would be replaced with a valid identifier if the .exp file for the given .cap was provided. See updated answer. -- Nasion
I tried to generate .class files for a .cap with a known .exp file and did not get valid names (this information is not here). -- Nasion
Yeah, I guess that if they are not required by an application or lib that uses the libraries, then they are not present. The .exp files are used to statically link to the code in the .cap file. -- Distinguishing
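The answer above notes that the imported package AIDs can be read from the CAP file's own structures but names no tool for it. The script below is an added example (not code from either answer, nor from the Java Card SDK): it opens the .cap archive as a ZIP, finds the Import.cap component, walks its package_info entries according to the import_component layout of the Java Card VM specification, and prints each AID in the colon-separated form that normalizer uses in its "Cannot find export file for imported package" messages, so you know which export files to pass with -p before running it. The sample archive it builds is constructed inline for the demo (only an Import component, not a real applet); the java.lang and javacard.framework AIDs in it are the well-known ones, while the version numbers and the directory layout are assumptions.

```python
import io
import struct
import sys
import zipfile

# Component tag value for the Import component (Java Card VM specification, CAP file format).
COMPONENT_IMPORT_TAG = 4


def parse_import_component(data):
    """Parse a raw Import.cap component and return [(aid_bytes, "major.minor"), ...].

    Layout (JCVM spec, import_component):
        u1 tag (= 4), u2 size, u1 count, then count x package_info, where
        package_info = u1 minor_version, u1 major_version, u1 AID_length, u1 AID[AID_length].
    """
    if len(data) < 4:
        raise ValueError("Import component too short")
    tag, size, count = struct.unpack_from(">BHB", data, 0)
    if tag != COMPONENT_IMPORT_TAG:
        raise ValueError(f"unexpected component tag {tag}, expected {COMPONENT_IMPORT_TAG}")
    if size != len(data) - 3:  # size covers everything after the tag and size fields
        raise ValueError(f"declared size {size} does not match component length {len(data) - 3}")
    offset = 4
    packages = []
    for _ in range(count):
        if offset + 3 > len(data):
            raise ValueError("truncated package_info")
        minor, major, aid_len = struct.unpack_from(">BBB", data, offset)
        offset += 3
        aid = data[offset:offset + aid_len]
        if len(aid) != aid_len:
            raise ValueError("truncated AID")
        offset += aid_len
        packages.append((aid, f"{major}.{minor}"))
    if offset != len(data):
        raise ValueError("trailing bytes after the last package_info")
    return packages


def format_aid(aid):
    """Render an AID the way normalizer prints it: hex bytes without leading zeros, colon separated."""
    return ":".join(f"{b:x}" for b in aid)


def list_imported_packages(cap_bytes):
    """Open a .cap archive (a ZIP/JAR) and return [(aid_string, version), ...] from its Import component."""
    with zipfile.ZipFile(io.BytesIO(cap_bytes)) as zf:
        names = [n for n in zf.namelist() if n.split("/")[-1] == "Import.cap"]
        if not names:
            raise ValueError("no Import.cap component found in archive")
        data = zf.read(names[0])
    return [(format_aid(aid), version) for aid, version in parse_import_component(data)]


def build_sample_cap():
    """Constructed sample: a minimal archive holding only an Import component (not a real applet).

    The AIDs are the well-known java.lang (A0 00 00 00 62 00 01) and javacard.framework
    (A0 00 00 00 62 01 01) package AIDs; the version numbers are assumptions for the demo.
    """
    packages = [
        (bytes.fromhex("a0000000620001"), 1, 0),  # (AID, major, minor) for java.lang
        (bytes.fromhex("a0000000620101"), 1, 2),  # (AID, major, minor) for javacard.framework
    ]
    body = bytes([len(packages)])
    for aid, major, minor in packages:
        body += bytes([minor, major, len(aid)]) + aid
    component = bytes([COMPONENT_IMPORT_TAG]) + struct.pack(">H", len(body)) + body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example/applet/javacard/Import.cap", component)  # directory layout is assumed
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python list_cap_imports.py [applet.cap]; without an argument the constructed sample is used.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cap()
    for aid, version in list_imported_packages(raw):
        print(f"imported package {aid} (version {version})")
```

Each printed AID maps to one export file you must supply; the version is useful as well, because normalizer resolves imports against the export file's package version, so an api_export_files directory from a much older or newer SDK may still be rejected even when the AID matches.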
For those who are trying to perform reverse engineering and getting the errors below while running normalizer:

Cannot find export file for imported package a0:0:0:0:62:0:1

Please provide the correct export file

Java Card JDK API export files are missing: -p /Users/user/etc/jcard-sdk-3.0.5u3/api_export_files/

Cannot find export file for imported package a0:0:0:0:9:0:3:ff:ff:ff:ff:89:10:71:0:2

Please provide the correct export file

SIM Toolkit JDK export files are missing: -p /Users/user/etc/etc/43019-560/Annex_B_Export_Files

Here are the details for the SIM Toolkit JDK installation

Here is the command line for running normalizer on Linux variants:

java -server -Djc.home=/Users/user/etc/jcard-sdk-3.0.5u3 -cp .:../lib/* com.sun.javacard.normalizer.Main normalize -i /Users/user/test.cap -p /Users/user/etc/jcard-sdk-3.0.5u3/api_export_files/ -p /Users/user/etc/43019-560/Annex_B_Export_Files/

Hickerson answered 9/1, 2019 at 19:21 Comments (0)
