I recently ran into a challenge where I was given a Java Jar file that I needed to analyze and patch to exploit. I didn’t find many good tutorials on how to do this, so I wanted to get my notes down. For now it’s just a cheat sheet table of commands. When the challenge ends, I’ll update with some narrative.

Jar File Structure

A Jar (Java Archive) file is just a ZIP file that contains Java class (compiled) files and the necessary metadata and resources (text, images). That said, they are very picky, and it can be important how to interact with them when pulling stuff in and out.

The Jar will have a META-INF/ folder at the root, which contains metadata such as signatures, license, and the MANIFEST.MF file.

The MANIFEST.MF file provides the Jdk version, as well as optionally a Main-Class attribute. If Main-Class is present, this Jar can be executed without providing a class name, which makes it an executable Jar. The manifest file also contains base64 format hashes of the other files in the archive.

Cheat Sheet

Here’s all the commands from this post (and a few extras that are useful with Jars):

Task Command
Execute Jar java -jar [jar]
Unzip Jar unzip -d [output directory] [jar]
Create Jar jar -cmf META-INF/MANIFEST.MF [output jar] *
Base64 SHA256 sha256sum [file] | cut -d' ' -f1 | xxd -r -p | base64
Delete from Jar zip -d [jar] [file to remove]
Decompile class procyon -o . [path to class]
Decompile Jar procyon -jar [jar] -o [output directory]
Compile class javac [path to .java file]

It’s always important to track file structure and your relative directory. I’ve found it’s easiest to work out of the root directory of the unzipped Jar.

Procyon “installed” by downloading the Jar and creating a symlink: ln -s /opt/procyron/procyon-decompiler-0.5.36.jar /usr/local/bin/procyon.