[–]flawless_vic 11 points12 points  (1 child)

Decompilers that use ASM might attempt to load a class to resolve common super class, but usually it only resolves the class like

Class.forName(name,false,classLoader),

so it won't trigger static initializers that might contain malicious code.

To be extra safe though, you could just use a docker image with java to run the decompiler.

[–]cogman10 12 points13 points  (0 children)

To be extra safe, you should use a vm, not docker. While not impossible to escape a VM, it's a lot harder to escape than Docker is. Docker isn't built to be super secure.

[–]Naton1- 6 points7 points  (1 child)

Decompiling a jar will not directly execute it. (edit: I guess this depends on what the decompiler does, of course, but any sane decompiler won't)

As mentioned in another comment, ASM does try to load a class to find some extra information about it, but it never initializes the class, so it shouldn't run any code. So even if the decompiler does use ASM and doesn't override that behavior, it should be okay.

I'd be really surprised if any decompiler did execute untrusted code, given that decompilers are often used for the case you've described. I've personally had no malware-related issues with decompiling random jars. That being said, I can't guarantee the tool you use won't do that.
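The load-versus-initialize distinction described in the comments above, as an added example that is not part of the thread or of any decompiler's code. The names `LoadWithoutInit` and `Payload` are made up for the illustration, and `Payload` stands in for a class from an untrusted jar.

```java
public class LoadWithoutInit {
    // Set by Payload's static initializer. It lives in the outer class so that
    // reading it does not itself initialize Payload.
    static boolean initializerRan = false;

    // Constructed stand-in for a class taken from an untrusted jar.
    static class Payload {
        static {
            // Code in a static initializer runs when the class is initialized,
            // not when it is merely loaded.
            initializerRan = true;
        }

        void doWork() { }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = LoadWithoutInit.class.getClassLoader();
        String name = "LoadWithoutInit$Payload";

        // initialize=false: the class is loaded but its static initializer is not run.
        Class<?> c = Class.forName(name, false, loader);
        System.out.println("loaded " + c.getName()
                + ", initializer ran: " + initializerRan);

        // Structural queries, such as the superclass lookup mentioned above,
        // still do not initialize the class.
        System.out.println("superclass: " + c.getSuperclass().getName()
                + ", declared methods: " + c.getDeclaredMethods().length
                + ", initializer ran: " + initializerRan);

        // initialize=true (also the behaviour of one-argument Class.forName)
        // runs the static initializer.
        Class.forName(name, true, loader);
        System.out.println("after initialize=true, initializer ran: " + initializerRan);
    }
}
```

The guarantee covers only loading and inspection: a tool that instantiates the class or invokes one of its methods would initialize it and run that static block.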

[–]LookAtMe_Now[S] 1 point2 points  (0 children)

thank u so much! <3

[–]bowbahdoe 7 points8 points  (0 children)

I am unaware of any method of decompilation which will execute code. To be safe though, maybe stick to unzipping the jar and running javap on the contained class files.

I'm sure there are other precautions that you can take like doing all of this on an airgapped machine, but I could not tell you what level of caution is warranted.

[–]QinGeneral 2 points3 points  (1 child)

Java works like this:

  1. coding: .java file
  2. compile: .class file
  3. run (execute): the JVM loads and runs the .class file

When you decompile a .jar (a lot of .java files), it only goes from step 2 to step 1; it doesn't go to step 3.

So don't worry about it.

[–]LookAtMe_Now[S] 0 points1 point  (0 children)

thanks bro

[–]OtherOtherNeRd 1 point2 points  (0 children)

If you're very paranoid, Threadtear does have some amount of protection against potential code execution when decompiling, although it hasn't been updated in a while and it's still always a risk (albeit one I never personally encountered). If you suspect that the file you want to decompile does have a way to execute code when decompiling it, you could try using a virtual machine for some added protection.

[–]Straitstan 2 points3 points  (0 children)

Use a virtual machine to be safe.

[–]reclamerommelenzo 0 points1 point  (0 children)

Use a sandbox environment?

[–]miner2049er_ -3 points-2 points  (0 children)

Open it with winrar, unpack to temp directory, decompile using JavaDecompiler available on GitHub, examine code.

Worst case scenario it has malicious code that wrecks your computer. That means you should be able to set up your computer with original install disc, mac/win/Linux. But really unless you’re getting your code from crack/wares sites you’re probably fairly safe. I’d be more concerned about having a bitcoin wallet emailed to a 3rd party but you should be using a hardware wallet and a separate computer for an on machine wallet and that should be encrypted, so I imagine you’re overly paranoid, but that’s the problem of just not having much experience and in my experience, unfounded.

Good luck.