Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-23-2005, 01:23
deephousederek
 
Posts: n/a
Unhappy Java Cracking...

Hi All,

I've been attempting to crack a java program for the last few days, however all attempts have failed....

I've managed to decompile the decompilable parts, however the program uses a custom ClassLoader, and possibly a custom defineclass, or some other bytecode encryption when it goes to load important pieces of code, which are not decompilable at present.

I can decompile the classloader alright, but when I go to parse the bytecode array using the JOIE ClassInfo class I get an exception, I've also tried looking at the JavaAssist Classlibrary, and the BCEL classlibrary to try to decompile the returned class file. No luck however....

I've tried reflection as well on the class to try and find some methods, and variables, but the class file seems to be non standard....

Any help on this much appreciated....

The app is Poker Office, available here.... http://www.pokeroffice.com

The path details to the classloader, and encrypted bits is...

com/aetdata/security/c.class

Thanks in advance.....

D....
Reply With Quote
  #2  
Old 04-23-2005, 16:04
Mkz Mkz is offline
Friend
 
Join Date: Jan 2002
Posts: 98
Rept. Given: 0
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 5
Thanks Rcvd at 25 Times in 17 Posts
Mkz Reputation: 2
Quote:
Originally Posted by deephousederek
I can decompile the classloader alright, but when I go to parse the bytecode array using the JOIE ClassInfo class I get an exception, I've also tried looking at the JavaAssist Classlibrary, and the BCEL classlibrary to try to decompile the returned class file. No luck however....
How exactly did you do this? In memory?

Try the following approach:
Modify the c classloader to dump the classes it loads, just after decryption:
Code:
    public Class findClass(String s) {
        byte abyte0[] = a(s);
        dumpClass(s, abyte0);
Code:
    private void dumpClass(String name, byte[] cls) {
        try {
            name = name.replace('.', '/');
            name += ".class_ok";
            OutputStream os = new FileOutputStream(".../PokerOffice/" + name);
            os.write(cls);
            os.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
This will create the files *.class_ok wherever there are the *.xclass.
If you're curious to see the encryption password, just log it in the c constructor. They are passed to the poker.ProgramLauncher by the executable.

The dumped classes seems perfectly normal to me, they can be decompiled like the others.

If you need any tip finding the encrypted serial encryption just let me know
Reply With Quote
  #3  
Old 04-25-2005, 20:36
deephousederek
 
Posts: n/a
Cool Cheers...

Hi Mks,

A big thank you for that, your suggestion was the only thing I didn't try, as I didn't think that it would work, came across similar info late at night, and was too tired to give it a go, when I went to look for the info again, couldn't find it

Anyway, cheers for that, will hopefully be able to find the serial stuff myself, have done some Java cryto work in the past (Having said that I suppose we'll wait and see !)

D...
Reply With Quote
  #4  
Old 04-26-2005, 05:23
Mkz Mkz is offline
Friend
 
Join Date: Jan 2002
Posts: 98
Rept. Given: 0
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 5
Thanks Rcvd at 25 Times in 17 Posts
Mkz Reputation: 2
Just keep us posted
Reply With Quote
  #5  
Old 05-15-2005, 00:19
deephousederek
 
Posts: n/a
Update

Hi Mks,

Succeeded in finding the encryption routines, attempted to remove checks and recompile, but looked to be too much hassle, as would have had to dump and recompile all dependents, and then change the classloader class....

Decided to rip the key checking code and create my own keygen instead 8-)

Only downside is that there are some online checks, which cause the generated serial to timeout if not checked after a while, not a big issue....

Attempted to work on these but ran into some problems with re-compiling the offending file....

It's in com/aetdata/net/NetUpdater.xclass

Any chance you might be able to have a look and give me some pointers ?

Thanks.....

D...
Reply With Quote
  #6  
Old 05-17-2005, 07:55
Mkz Mkz is offline
Friend
 
Join Date: Jan 2002
Posts: 98
Rept. Given: 0
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 5
Thanks Rcvd at 25 Times in 17 Posts
Mkz Reputation: 2
Quote:
Originally Posted by deephousederek
Attempted to work on these but ran into some problems with re-compiling the offending file....
You're probably talking about the reserved-words methods and fields.
You can recreate a totally new NetUpdater class, provided you keep the same interface (implements, constructor and the 2 public methods). All else can be removed, as well as these method contents. You might need to leave some code to reenable the serial, though, be it here or in the class that calls this one.

After you have a fixed file, you can either remove the exception (not an Exception ) for this class in the classloader, to load a regular .class, or you can recreate the xclass so that everything else is untouched. If I recall correctly, the xclass is decoded with a symmetric algo (in com.aetdata.security.a), and you can easily find the algName and key by inserting some logs in the classloader. It is not in java code, it's propagated from the .exe.
After that you can recreate the .xclass from the .class.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
java self-contained application packaging cracking Chuck954 General Discussion 3 08-20-2022 00:57
java cracking ChupaChu General Discussion 68 03-28-2021 09:04


All times are GMT +8. The time now is 17:39.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )