AdSubtract Pro - by Goatass
Published
by +Tsehp feb 2001
Tools:
------
JAD -
Java Decompiler, protools.cjb.net
JDK
1.1+ - Java Developer Kit 1.1 or higher, sun.java.com
Target:
-------
http://www.adsubtract.com/bin/20082404/ad-pro.exe
Introduction:
-------------
This
target was brought to my attention by a fellow Fravia BlackB
on
newbiesforum.cjb.net. The target uses a
license file which contains
your
name, time to live, and a license type. The other part is that
the
serial is hashed using MD5. So I took on the target and I noticed
it was
written in Java, first thing that came to me was that there are
not
many Java tutorials out there so why not write one, so here it is.
Lets
begin:
-----------
First
thing we do is install the target and run it to see what's going on.
Running
the program we see that it takes a year and a half to load, typical
of Java
programs. Then take a look around in
the subdirectories and you
will
see all the java files. In the root
directory there is a file called
classes.zip
could be interesting.
Run the
program again but this time with FileMon in the background, you will
see
that it looks for a file called LICENSE and also that is accesses a lot
of
class files (probably the ones in the classes.zip).
When
the program asks for a name and code enter something and note the
error
message it gives.
Next
what we do is unzip the classes.zip file to some temp directory,
I used
c:\AdSubtract Pro\x and then we install JAD.
Why
trace something when we can so easily decompile it and read it's source.
Start
decompiling file by file inside the iM subdirectory, don't worry about
the
other subdirs in there. The first file
you decompile should be _0.class
and
looking in it we see our beloved error message. Lets try to understand
what is
going on here.
First
all the way at the top you can see:
//
Referenced classes of package iM:
// _8, _56, _48, MD5
This is
important to notice so you will know what else uses this class, note
MD5 is
being uses, but to save you time I will tell you that _56 is the other
file
you need to decompile. I found this
planely by decompiling all the files
one by
one and checking them out. So go decompile _56.class and come back.
Now
that you are back lets look at _0 again. Scroll down until you find the error
message,
below that you see alot of other error messages and above it you see
some
codes that can be used in the password box to get an Evaluation license,
but we
don't care about that we gonna make a License so we won't need to type
anything
in. If you want to generate a code feel
free to look into it, I
don't
have the time.
Looking
at all the code around our error message we see there are some variables
that
are from the _56.class such as _56.px and _56.az.
Lets
take a look at _56.class, scroll down and look around you will see stuff
like:
String
s = "EVALUATION";
s1 =
WinExt._287();
s =
WinExt.isProEdition() ? "EVALUATION" : "STANDARD";
i =
WinExt.isProEdition() ? -1 : 0;
if(s1
== null)
s1 =
WinExt.isProEdition() ? "Evaluation User" : "Standard
User";
_0._0(s,
s1, i, az);
this is
all located at void _350() so we assume this is a function dealing with
the
license. What is this function
WinExt.isProEdition() ??
well
you can decompile WinExt.class and see but it's very easy to tell that
it
returns -1 if you have an Evaluation license and a 0 is you have a Standard
license. Just as a note there is no Pro version the
function is just called
that
way for no reason.
You can
see that this function WinExt.isProEdition() has different signatures,
it can
return a string or an integer.
So what
happens next is that it gets from WinExt.isProEdition() whether it's
an
Evaluation User or Standard User and then calls a function from our
_0.class
file called _0 and passes it:
s =
either "EVALUATION" or "STANDARD"
s1 =
either "Evaluation User" or "Standard User"
i =
either -1 or 0
az =
installation directory of AdSubtract Pro
I know
what az is because I searched for az in the code above this function
to see
what initilizes it and found it that way, it's very simple just scroll
up a
little bit and you will see.
Ok now
we gonna go back to our _0.class to see what is the method _0 doing.
First
thing we see is:
static boolean _0(String s, String s1,
long l, String s2)
{
long l1 = (new Date()).getTime() /
1000L;
long l2 = l1 + l * 24L * 60L * 60L;
l2 += 0x15180L - l2 % 0x15180L;
That
looks like it's taking the third parameter and doing some time manipulations
to it,
could that be the variable in the license that tells us when will our
license
expires ?? it sure is.
Continuing
on we see this:
s3 = s3
+ "Expires: " + l2 + " (" + (new Date(l2 *
1000L)).toGMTString() + ")\n\n";
and
that proves our theory.
Further
down you see some MD5 action which is not very important just so that you
know
that it hashes the serial in the license file using MD5.
Remeber
when we first looked at the error messages in _0.class there was also this
near
some of the messages:
s2 =
_0("SINGLE USER", s, 15L, _56.az) ? null : "AdSubtract cannot
store your registration
information
on disk. Please contact
sales@adsubtract.com for assistance.";
See
that it's calling the _0 method too with similar parameters as we saw in
_56.class.
Lets
see that they mean:
"SINGLE
USER" tells us the license type.
s is
"Standard User" or Evaluation User" so it's basically your name.
15L is
what you think it is, the amount of days the license will live.
_56.az
remember that, it's the directory where to save the licese file.
Knowing
all that we can make a little program to generate a license for us.
Assuming
you already installed your JDK and that it's working, open notepad
or
whatever you want to write your code in and write a small program to call
the _0
method with the correct parameters.
Here is
my code:
package
iM; //to give access to all the
required class files
import java.lang.*;
public
class RegMe {
public static void main(String[] args) {
String ry = new String();
String sy = new String();
String az = new String();
//All
this do is find out the current direcotry you are in
ry =
System.getProperty("user.dir");
if(ry.endsWith("/"))
ry = ry.substring(0, ry.length() -
1);
if(ry.startsWith("file:///"))
sy = ry.substring(7);
else
if(ry.startsWith("file://"))
sy = ry.substring(6);
else
if(ry.startsWith("file:/"))
sy = ry.substring(5);
else
sy = ry;
if(sy.length() > 2 && sy.charAt(0)
== '/' && (sy.charAt(2) == '|' || sy.charAt(2) == ':'))
sy = sy.substring(1, 2) +
":" + sy.substring(3);
if(sy.length() > 0 &&
(sy.endsWith("/") || sy.endsWith("\\")))
sy = sy.substring(0, sy.length() -
1);
//The
file name for our license file is LICENSE
az = sy + "/" +
"LICENSE";
//Make
the call to the method, note 0L means never expires
iM._0._0("SINGLE USER",
"goatass", 0L, az);
}
}
That is
it, now what you need to do is, put this file in the root of the directory
where you
extracted the classes.zip file to.
put
your file here or whatever you named your directories, and compile it.
c:\AdSubtract
Pro\x
Copy
the generated RegMe.class file into the iM subdirectory
c:\AdSubtract
Pro\x\iM
From
here run the file: java iM.RegMe and it will create the license file for you.
c:\AdSubtract
Pro\x
Copy
your new license file into the root of the program c:\AdSubtract Pro\
and you
are done.
I hope
you learned something, it was an easy target.
**Note
to java developers, don't bother protecting your applications**
Greets:
BlackB,
thanks for bring this program to my attenion.
My
pals:
zip,
CrackZ, Mr_G and many more....
Peace,
I'm out....Goatass