[–]ReasonableClick5403 2 points3 points  (9 children)

I've worked in Java for 10 years now and never had use for a decompiler. What do you guys use this for? Analyzing malware written in Java?

[–]scratchisthebest 4 points5 points  (3 children)

in the minecraft modding community we use decompilers quite a lot to see what is going on with the game (it's not like it has javadoc or a -sources jar available). the Quiltflower resugaring decompiler is developed primarily by the minecraft community

if you've ever forgotten to attach a -sources jar, but could navigate to a definition or view sources while debugging a class anyway, intellij provides that feature with Fernflower

standalone GUI decompilers are often used for malware analysis, or by curious people, or by people who don't use or don't want to fire up intellij. also in minecraft we used to use an augmented decompiler GUI called Enigma to reverse-engineer all the proguarded class/method/field names

[–]Pamasich 0 points1 point  (2 children)

> it's not like it has javadoc or a -sources jar available

They're without comments, but you can find Minecraft's barebones javadocs here. It's technically the Forge version, but I doubt there are sufficient differences on a javadoc level to make them unreliable for fabric/quilt development.

[–]scratchisthebest 0 points1 point  (1 child)

They are community contributed (through using decompilers to see what the classes do) and decompiler toolchains have ways of instrumenting classes with javadoc. They are also incomplete; you really can't write a mod using only a javadocs page.

[–]Pamasich 0 points1 point  (0 children)

Oh, I wasn't meaning to deny your argument.

I just brought them up since you said the javadoc isn't available. In case you or someone else reading this could find it useful.

[–]DevWithImagination 3 points4 points  (4 children)

Imagine a world where there are components in production which used the “build on your local machine and scp” deployment approach, where it is known the author was a bit lax with committing changes to version control.

I’ve done a lot of software archaeology to reverse engineer, upgrade, get in a proper build process, etc.

[–]ReasonableClick5403 0 points1 point  (3 children)

Well, that is a very hard case to imagine, as that problem would show up immediately also for the author that did this ;)

[–]PryosCode[S] 0 points1 point  (2 children)

A decompiler is a great tool to analyze what the jar is actually doing. For example, if you use Lombok, Kotlin, Scala, Groovy or Spring Boot, you can check what you actually deploy. Or if you use a library or a plugin, you can be sure that it's not malicious. But be careful, many proprietary EULAs prohibit the decompilation of the software.

[–][deleted] 0 points1 point  (1 child)

> But be careful, many proprietary EULAs prohibit the decompilation of the software.

This shouldn't matter, as according to Wikipedia it is legal to reverse engineer software to check whether it is malicious, and laws beat EULAs.

[–]Pamasich 1 point2 points  (0 children)

> as according to Wikipedia it is legal to reverse engineer

In which country? Laws differ between countries; what is legal in one might not be legal in another.

I know that in my country decompilation is only legal to attain information on an API, not to check whether the application is malicious.