How to check if binaries are built from particular sources

忘掉有多难 2021-01-18 02:32

The legacy project I am working on includes some external library in the form of a set of binary jar files. We decided that for analysis and potential patching, we want to recei

4 answers
  •  傲寒
    傲寒 (original poster)
    2021-01-18 02:42

    For method signatures, use a tool like jardiff.

    For similarity of implementation, you have to fall back to a wild guess. Comparing the bytecode at the opcode level may be compiler-dependent and lead to a large number of false negatives. If this is the case, you could fall back to comparing the methods of a class using the LineNumberTable.

    It gives you a list of line numbers for each method (as long as the class file has been compiled with the debug flag, which is often missing in very old or commercial libraries).

    If two class files are compiled from the same source code, then at least the line numbers of each method should match exactly.

    You can use a library such as Apache BCEL to retrieve the LineNumberTable:

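      import org.apache.bcel.classfile.ClassParser;
      import org.apache.bcel.classfile.JavaClass;
      import org.apache.bcel.classfile.LineNumber;
      import org.apache.bcel.classfile.LineNumberTable;
      import org.apache.bcel.classfile.Method;

      // Print the source line numbers recorded for every method of Foo.class
      JavaClass fooClazz = new ClassParser( "Foo.class" ).parse();
      for( Method m : fooClazz.getMethods() )
      {
         // null if the class was compiled without debug info,
         // or if the method has no code (abstract or native)
         LineNumberTable lnt = m.getLineNumberTable();
         if( lnt == null )
         {
            continue;
         }
         for( LineNumber ln : lnt.getLineNumberTable() )
         {
            System.out.println( ln.getLineNumber() );
         }
      }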
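
The comparison the answer describes, carried through for two class files, as an added example that is not part of the original answer: it takes one class extracted from the binary jar and the same class compiled from the candidate sources, and reports per method whether the recorded line numbers agree. The class name `LineTableDiff` and the verdict labels are made up for this example; only the BCEL calls already used above, plus `Method.getName()` and `Method.getSignature()`, are assumed.

```java
import java.util.*;
import org.apache.bcel.classfile.*;

// Added example: compares the per-method LineNumberTable of two class files.
public class LineTableDiff {

    // Maps "name + descriptor" to the sorted set of source lines.
    // A null value means the method carries no LineNumberTable.
    static Map<String, SortedSet<Integer>> lineTables(String classFile) throws Exception {
        JavaClass clazz = new ClassParser(classFile).parse();
        Map<String, SortedSet<Integer>> result = new TreeMap<>();
        for (Method m : clazz.getMethods()) {
            LineNumberTable lnt = m.getLineNumberTable();
            SortedSet<Integer> lines = null;
            if (lnt != null) {
                lines = new TreeSet<>();
                for (LineNumber ln : lnt.getLineNumberTable()) {
                    lines.add(ln.getLineNumber());
                }
            }
            result.put(m.getName() + m.getSignature(), lines);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: class taken from the binary jar
        // args[1]: the same class compiled from the candidate sources
        Map<String, SortedSet<Integer>> shipped = lineTables(args[0]);
        Map<String, SortedSet<Integer>> rebuilt = lineTables(args[1]);
        Set<String> all = new TreeSet<>(shipped.keySet());
        all.addAll(rebuilt.keySet());
        int mismatches = 0;
        for (String key : all) {
            String verdict;
            if (!shipped.containsKey(key)) verdict = "ONLY IN REBUILT";
            else if (!rebuilt.containsKey(key)) verdict = "ONLY IN SHIPPED";
            // Without debug info nothing can be concluded; never count it as a match.
            else if (shipped.get(key) == null || rebuilt.get(key) == null) verdict = "NO DEBUG INFO";
            else verdict = shipped.get(key).equals(rebuilt.get(key)) ? "match" : "LINES DIFFER";
            if (!verdict.equals("match")) mismatches++;
            System.out.println(verdict + "  " + key);
        }
        // Non-zero exit status lets a build or review script flag the class.
        System.exit(mismatches == 0 ? 0 : 1);
    }
}
```

Matching line numbers are consistent with a common source but do not prove it, so treat a clean run as a filter for which classes need closer review. Compiler-generated methods can differ between compiler versions and may show up as `ONLY IN` entries.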
    
