How to retrieve object state from serialized Java objects without the class files

Time: 2022-08-21 13:22:37

I have a binary file that contains Java serialized objects (which are value objects), but I do not have access to the class that was serialized to create those objects. Without the class file, the JVM does not allow me to read the objects with objectInputStreamInstance.readObject() and rightfully throws java.lang.ClassNotFoundException.

Is there a library that can help me extract the data in XML or another standardized format? For example, if the Person class below is serialized and stored in a file, I would like to extract data from it:

Class Definition


import java.io.Serializable;

// Plain value object written with ObjectOutputStream; it relies on default serialization
class Person implements Serializable {
  int age;
  String name;
  public Person(int age, String name) {  // name is a String, matching the field it initializes
    this.age = age;
    this.name = name;
  }
}

Required Extraction Format (without access to the class file)


<Person>
  <age>10</age>
  <name>Name</name>
</Person>

I have also checked the following but did not get what I was looking for:


  1. XStream (http://x-stream.github.io/) needs access to a Java object in order to create XML from that object. However, I am unable to create objects for want of the class file.
  2. Serialysis appears to be very old: https://weblogs.java.net/blog/emcmanus/archive/2007/06/disassembling_s.html

Thank you for your help.


Regards, Gursev


1 solution

#1


5  

Check jdeserialize. It has a command line mode, but also a reasonably well documented API. Regarding automatically re-serializing into XML? I don't think so. There are just too many ways of doing it. You will probably need to go through this as 2 separate steps. jdeserialize can be helpful in reverse engineering the classes (producing Java source code), especially when this is required by many XML serialization tools.

Now, if the original classes did not use the default serialization mechanism (by overriding readObject or similar) or did use data obfuscation/encryption techniques (like wrapping objects in javax.crypto.SealedObject and/or java.security.SignedObject), then your chances of success are fewer and fewer.
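The stream format itself is public (the Java Object Serialization Stream Protocol), so for a plain value object such as Person the field names and values can be read straight from the bytes. The reader below is an added example, not code from the question, the answer or jdeserialize; it assumes a flat class with primitive and String fields, no TC_REFERENCE back-references, and it refuses streams whose class descriptor flags a custom writeObject or Externalizable, which is the case the answer warns about. The SAMPLE bytes are constructed by hand from the protocol layout.

```python
import io, struct
from xml.sax.saxutils import escape
PRIM = {"B": ">b", "C": ">H", "D": ">d", "F": ">f", "I": ">i", "J": ">q", "S": ">h", "Z": ">?"}  # type code -> big-endian format
def take(s, n):  # read exactly n bytes; a truncated stream must fail, not parse as valid
    b = s.read(n)
    if len(b) != n:
        raise ValueError("truncated stream")
    return b
def utf(s):  # 2-byte length prefix, then (modified) UTF-8 bytes
    return take(s, struct.unpack(">H", take(s, 2))[0]).decode("utf-8")
def class_desc(s):  # returns (className, [(typecode, fieldName)]) with superclass fields first
    tc = take(s, 1)[0]
    if tc == 0x70:  # TC_NULL: end of the superclass chain
        return None
    if tc != 0x72:  # TC_CLASSDESC; TC_REFERENCE and TC_PROXYCLASSDESC are not handled in this example
        raise ValueError("unsupported class descriptor 0x%02x" % tc)
    name, _suid, flags = utf(s), take(s, 8), take(s, 1)[0]
    if flags & 0x05:  # SC_WRITE_METHOD or SC_EXTERNALIZABLE: bespoke layout, a field walk is not safe
        raise ValueError("%s uses custom serialization; fields not recoverable generically" % name)
    fields = []
    for _ in range(struct.unpack(">H", take(s, 2))[0]):
        typecode, fname = chr(take(s, 1)[0]), utf(s)
        if typecode in "L[":  # object/array fields carry a className1 string: read and discard it
            value(s)
        fields.append((typecode, fname))
    if take(s, 1)[0] != 0x78: raise ValueError("class annotations not supported")  # expect TC_ENDBLOCKDATA
    sup = class_desc(s)  # class data is written superclass-first
    return name, (sup[1] if sup else []) + fields
def value(s):
    tc = take(s, 1)[0]
    if tc in (0x70, 0x74):  # TC_NULL / TC_STRING
        return None if tc == 0x70 else utf(s)
    if tc != 0x73:  # TC_OBJECT: classDesc followed by the field values
        raise ValueError("unsupported type code 0x%02x" % tc)
    name, fields = class_desc(s)
    obj = {"class": name, "fields": {}}
    for typecode, fname in fields:
        fmt = PRIM.get(typecode)
        obj["fields"][fname] = struct.unpack(fmt, take(s, struct.calcsize(fmt)))[0] if fmt else value(s)
    return obj
def to_xml(data):  # data: the bytes ObjectOutputStream wrote
    s = io.BytesIO(data)
    if take(s, 4) != b"\xac\xed\x00\x05":  # STREAM_MAGIC + STREAM_VERSION
        raise ValueError("not a Java serialization stream")
    obj = value(s)
    body = "".join("<%s>%s</%s>" % (k, escape(str(v)), k) for k, v in obj["fields"].items())
    return "<%s>%s</%s>" % (obj["class"], body, obj["class"])
SAMPLE = (  # constructed: what ObjectOutputStream emits for new Person(10, "Name") with serialVersionUID = 1L
    b"\xac\xed\x00\x05sr\x00\x06Person\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x02I\x00\x03age"
    b"L\x00\x04namet\x00\x12Ljava/lang/String;xp\x00\x00\x00\x0at\x00\x04Name")
```

Running to_xml(SAMPLE) yields the requested `<Person><age>10</age><name>Name</name></Person>`; a stream whose descriptor carries SC_WRITE_METHOD stops with an error instead of misreading the custom block data as fields.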
