views:

910

answers:

9

I work for a government contractor that is really picky about what software gets installed on their machines (US government laws). As part of a reverse engineering effort, I need to figure out what a certain set of .class files do. A decompiler would be really helpful, but I can't seem to find one that meets the standards set here. Basically, I need to find a decompiler that was developed in the United States. Anyone know of any? Free is preferred, but commercial will do.

FYI, JAD and JD are out as they are not developed in the US.

A: 

I assume that it's legal for you to be decompiling them in the first place, right? Most user-agreements I've read state that you aren't allowed to reverse engineer anything... Assuming it's legal, how come JAD and JD are out?

I've had success with DJ Java Decompiler, though it's not nearly as pretty as JD. There's also SoThink Java Decompiler, but I've never used it personally.

There are several others, but most of them seem to be built upon JAD, so I guess they're out too.

Cory Larson
JAD and JD are not produced in the United States. JAD is Russian, and it appears that JD is French.
Thomas Owens
legality has been addressed and it is fine.
geowa4
+1  A: 

I'm assuming that you can't move the .class files off of the machine and on to a lab machine where you can install JAD?

I work with the government as well and if a particular piece of software is critical to the success of your project, you need to communicate that to your PM, who will then communicate that to his or her government counterpart. After that, there should be a checklist for your IA assessors to follow to approve that piece of software.

Kevin
yeah, i am hoping that i can avoid the bureaucracy and red tape.
geowa4
A: 

I once used cavaj (freeware), but I don't know whether it is made in the US.

Curd
cavaj is a front end to jad.
geowa4
A: 

mmmh pretty ironic, you cant use a decompiler because the decompiler isent made in the US but you can decompile code nevertheless ?

If you need to know what a class does then ask the people that created it for the source

If they refuse to give the source then i dont think its legal to decompile it anyway

Peter
Reverse engineering is legal, and this probably includes decompiling (I'm not a lawyer). It is often banned in license agreements.
David Thornley
A: 

Here's an idea, can you send the files to someone else to decompile and then just send you the decompiled source?

WedTM
obviously it's not that simple.
geowa4
+2  A: 

What about installing "unapproved" software on a VM?

Tal Pressman
interesting idea, i'll look into this tomorrow.
geowa4
+3  A: 

I'd inform your employer that putting preconditions on where the software comes from isn't going to protect them, and it's not going to get them what they want. The U.S. competes in a global economy and in the global internet. It sounds a little childish of them to think that they gain any advantage or security from not installing software that works. Part of being a good employee, designer, or programmer is helping your client realize their limitations and overcome them. You should help them to greater success.

arbales
its a rule set by the government. since they write the checks, they write the rules.
geowa4
Regardless of how the limitation "sounds," I don't think it's quite as childish as you might think. Software built by the government protects secrets of that government. You can't guarantee safety 100%, but you can at least try to make sure anyone who tries to hack your software is within the government's legal jurisdiction. Open source is no guarantee of safety, as the developers of the Linux kernel discovered: http://linux.slashdot.org/article.pl?sid=03/11/06/058249. It's a pain to work around, but so are a lot of security issues.
rtperson
That said, even with that justification, the rule is still completely silly, roughly akin to the government's attempts to classify 128-bit crypto schemes as "munitions" in the 90s. Watching the government try to figure out technology is kind of like watching a little kid at the beach build a wall out of sand to protect his sandcastle from the incoming tide.
rtperson
+1  A: 

It scares me when I hear this type of nonsense eminating from my own government.

Run jad -p, recompile the source and compare the compiled class with the origional class file.

You can run jad on a throwaway computer/VM instance. If there is reasonable agreement on the compiled class you know the software functioned properly.

Einstein
"Run jad -p..." Now how am I supposed to do that if I can't put the two on the same machine?
geowa4
A: 

I figured that I should answer this since nothing provided worked. I ended up solving the requirements by using javap, guessing a lot, and banging my head against the desk until it worked. javap didn't give me much of what I needed, since it called a lot of native code. Eventually, I got what I needed using the tried and true guess and check method.

There really needs to be a decompiler. Maybe Sun (Oracle) can make one...

geowa4
You mean, *"there really needs to be an **all-American** decompiler for xenophobic government agencies and bureaucrats."*
Stu Thompson
yeah, that seems fairly accurate. i don't work there any more. tooling was always an issue since a lot of good stuff is developed elsewhere.
geowa4