Reverse engineering J2ME apps
Posted by Leonard Ah Kun in J2ME
Sometimes it’s interesting to see how “professional” J2ME apps are done: the techniques and methods they use and how they handle security. Java apps can generally be decompiled and the source code viewed. This is where obfuscation helps a little, by renaming your variables and methods to meaningless names. This makes it slightly more difficult to figure out what methods are doing, but useful information can still be extracted by taking a little time to dig around.
J2ME applications are quite easy to decompile. All you need is the .jar file and a decompiler. I use this, which worked without any problems. It is also available for both Windows and Mac.
To decompile the file, rename the .jar file to .zip. Extract the contents of the file. Run the decompiler on all .class files. A .jad file is then created for each one. These .jad files are essentially the source files. For convenience, you could rename all of them to .java files.
The hard part is usually getting the jar file. The jar URL can be found in the app's jad descriptor file (a different file from the decompiler output above; just open it in Notepad). Most companies try to make it a little harder to get hold of their jar files by checking the user-agent that is downloading the files. This can be overcome by using the user-agent switcher in Firefox. You can find some user-agent strings here.
Another trend I’ve seen is supplying the user with an installer app, which is a small J2ME application that basically loads a URL to download the app. You can also overcome this by running the installer app on a J2ME emulator such as MPowerPlayer.
Another cool thing you can do when running an emulator on your desktop computer is monitor network traffic. You can do this with Wireshark.
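The two file facts used above (the descriptor names the JAR URL, and the JAR is a ZIP of .class files) can be checked with a few lines of Python. This is an added example, not code from the original post; the app name, vendor, URL and the in-memory JAR are constructed sample data, and the attribute parser ignores manifest continuation lines.

```python
import io
import zipfile

# Constructed sample descriptor (hypothetical app and URL, not from the post).
SAMPLE_JAD = """MIDlet-Name: DemoApp
MIDlet-Version: 1.0.0
MIDlet-Vendor: Example Vendor
MIDlet-Jar-URL: http://downloads.example.invalid/demo/DemoApp.jar
MIDlet-Jar-Size: {size}
MIDlet-1: DemoApp, , com.example.DemoMidlet
"""

def parse_jad(text):
    """Parse 'Name: value' attributes (descriptor or simple manifest)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once: URLs contain ':'
        attrs[key.strip()] = value.strip()
    return attrs

def build_sample_jar():
    """Build a tiny constructed JAR in memory (a JAR is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "MIDlet-Name: DemoApp\n")
        jar.writestr("com/example/DemoMidlet.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
        jar.writestr("a.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)  # obfuscated-style name
    return buf.getvalue()

def inspect_jar(jar_bytes, jad_attrs):
    """List .class entries and cross-check the JAR against its descriptor."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        classes = sorted(n for n in jar.namelist() if n.endswith(".class"))
        bad_magic = [n for n in classes if jar.read(n)[:4] != b"\xca\xfe\xba\xbe"]
        manifest = parse_jad(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    return {
        "jar_url": jad_attrs.get("MIDlet-Jar-URL"),
        "size_matches": int(jad_attrs.get("MIDlet-Jar-Size", -1)) == len(jar_bytes),
        "name_matches": manifest.get("MIDlet-Name") == jad_attrs.get("MIDlet-Name"),
        "classes": classes,      # the files a decompiler would be run on
        "bad_magic": bad_magic,  # .class entries without the 0xCAFEBABE header
    }

if __name__ == "__main__":
    jar = build_sample_jar()
    jad = parse_jad(SAMPLE_JAD.format(size=len(jar)))
    for key, value in inspect_jar(jar, jad).items():
        print(f"{key}: {value}")
```

The size and name checks are useful on their own: a descriptor whose `MIDlet-Jar-Size` or `MIDlet-Name` disagrees with the archive you actually hold indicates a stale or mismatched descriptor/JAR pair.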




Nice stuff Leonard, how do you decompile and play around with Windows Mobile CAB files?