Published by +Tsehp feb 2001

 

 

Tools:

------

JAD - Java Decompiler, protools.cjb.net

JDK 1.1+ - Java Developer Kit 1.1 or higher, sun.java.com

 

 

Target:

-------

http://www.adsubtract.com/bin/20082404/ad-pro.exe

 

 

Introduction:

-------------

This target was brought to my attention by a fellow Fravia BlackB

on newbiesforum.cjb.net.  The target uses a license file which contains

your name, time to live, and a license type. The other part is that

the serial is hashed using MD5. So I took on the target and I noticed

it was written in Java, first thing that came to me was that there are

not many Java tutorials out there so why not write one, so here it is.

 

 

Lets begin:

-----------

 

First thing we do is install the target and run it to see what's going on.

Running the program we see that it takes a year and a half to load, typical

of Java programs.  Then take a look around in the subdirectories and you

will see all the java files.  In the root directory there is a file called

classes.zip could be interesting.

Run the program again but this time with FileMon in the background, you will

see that it looks for a file called LICENSE and also that is accesses a lot

of class files (probably the ones in the classes.zip).

When the program asks for a name and code enter something and note the

error message it gives.

 

Next what we do is unzip the classes.zip file to some temp directory,

I used c:\AdSubtract Pro\x and then we install JAD.

Why trace something when we can so easily decompile it and read it's source.

 

Start decompiling file by file inside the iM subdirectory, don't worry about

the other subdirs in there.  The first file you decompile should be _0.class

and looking in it we see our beloved error message.  Lets try to understand

what is going on here.

 

First all the way at the top you can see:

 

// Referenced classes of package iM:

//            _8, _56, _48, MD5

 

This is important to notice so you will know what else uses this class, note

MD5 is being uses, but to save you time I will tell you that _56 is the other

file you need to decompile.  I found this planely by decompiling all the files

one by one and checking them out. So go decompile _56.class and come back.

 

Now that you are back lets look at _0 again. Scroll down until you find the error

message, below that you see alot of other error messages and above it you see

some codes that can be used in the password box to get an Evaluation license,

but we don't care about that we gonna make a License so we won't need to type

anything in.  If you want to generate a code feel free to look into it, I

don't have the time.

Looking at all the code around our error message we see there are some variables

that are from the _56.class such as _56.px and _56.az.

 

Lets take a look at _56.class, scroll down and look around you will see stuff

like:

 

String s = "EVALUATION";

 

s1 = WinExt._287();

s = WinExt.isProEdition() ? "EVALUATION" : "STANDARD";

i = WinExt.isProEdition() ? -1 : 0;

 

if(s1 == null)

s1 = WinExt.isProEdition() ? "Evaluation User" : "Standard User";

_0._0(s, s1, i, az);

 

this is all located at void _350() so we assume this is a function dealing with

the license.  What is this function WinExt.isProEdition() ??

well you can decompile WinExt.class and see but it's very easy to tell that

it returns -1 if you have an Evaluation license and a 0 is you have a Standard

license.  Just as a note there is no Pro version the function is just called

that way for no reason.

You can see that this function WinExt.isProEdition() has different signatures,

it can return a string or an integer.

 

So what happens next is that it gets from WinExt.isProEdition() whether it's

an Evaluation User or Standard User and then calls a function from our

_0.class file called _0 and passes it:

 

s = either "EVALUATION" or "STANDARD"

s1 = either "Evaluation User" or "Standard User"

i = either -1 or 0

az = installation directory of AdSubtract Pro

 

I know what az is because I searched for az in the code above this function

to see what initilizes it and found it that way, it's very simple just scroll

up a little bit and you will see.

 

Ok now we gonna go back to our _0.class to see what is the method _0 doing.

First thing we see is:

 

    static boolean _0(String s, String s1, long l, String s2)

    {

        long l1 = (new Date()).getTime() / 1000L;

        long l2 = l1 + l * 24L * 60L * 60L;

        l2 += 0x15180L - l2 % 0x15180L;

 

That looks like it's taking the third parameter and doing some time manipulations

to it, could that be the variable in the license that tells us when will our

license expires ?? it sure is.

 

Continuing on we see this:

s3 = s3 + "Expires: " + l2 + " (" + (new Date(l2 * 1000L)).toGMTString() + ")\n\n";

and that proves our theory.

 

Further down you see some MD5 action which is not very important just so that you

know that it hashes the serial in the license file using MD5.

 

Remeber when we first looked at the error messages in _0.class there was also this

near some of the messages:

 

s2 = _0("SINGLE USER", s, 15L, _56.az) ? null : "AdSubtract cannot store your registration

information on disk.  Please contact sales@adsubtract.com for assistance.";

 

See that it's calling the _0 method too with similar parameters as we saw in _56.class.

 

Lets see that they mean:

"SINGLE USER" tells us the license type.

s is "Standard User" or Evaluation User" so it's basically your name.

15L is what you think it is, the amount of days the license will live.

_56.az remember that, it's the directory where to save the licese file.

 

Knowing all that we can make a little program to generate a license for us.

 

Assuming you already installed your JDK and that it's working, open notepad

or whatever you want to write your code in and write a small program to call

the _0 method with the correct parameters.

 

Here is my code:

 

package iM;  //to give access to all the required class files

 

import java.lang.*;

 

public class RegMe {

 

      public static void main(String[] args) {

 

      String ry = new String();

      String sy = new String();

      String az = new String();

 

//All this do is find out the current direcotry you are in

 

      ry = System.getProperty("user.dir");

      if(ry.endsWith("/"))

            ry = ry.substring(0, ry.length() - 1);

 

      if(ry.startsWith("file:///"))

            sy = ry.substring(7);

      else

      if(ry.startsWith("file://"))

            sy = ry.substring(6);

      else

      if(ry.startsWith("file:/"))

            sy = ry.substring(5);

      else

            sy = ry;

      if(sy.length() > 2 && sy.charAt(0) == '/' && (sy.charAt(2) == '|' || sy.charAt(2) == ':'))

            sy = sy.substring(1, 2) + ":" + sy.substring(3);

      if(sy.length() > 0 && (sy.endsWith("/") || sy.endsWith("\\")))

            sy = sy.substring(0, sy.length() - 1);

     

//The file name for our license file is LICENSE

      az = sy + "/" + "LICENSE";

 

//Make the call to the method, note 0L means never expires

      iM._0._0("SINGLE USER", "goatass", 0L, az);

      }

}

 

That is it, now what you need to do is, put this file in the root of the directory

where you extracted the classes.zip file to.

 

put your file here or whatever you named your directories, and compile it.

c:\AdSubtract Pro\x

 

Copy the generated RegMe.class file into the iM subdirectory

c:\AdSubtract Pro\x\iM

 

From here run the file: java iM.RegMe and it will create the license file for you.

c:\AdSubtract Pro\x

 

Copy your new license file into the root of the program c:\AdSubtract Pro\

and you are done.

 

 

I hope you learned something, it was an easy target.

 

**Note to java developers, don't bother protecting your applications**

 

 

Greets:

BlackB, thanks for bring this program to my attenion.

 

My pals:

zip, CrackZ, Mr_G and many more....

 

 

Peace, I'm out....Goatass