Cracking by example: Java




Disclaimer:

The information presented in this article is for educational and research purposes only. Any actions and/or activities related to the material contained within this article are solely your responsibility. The misuse of the information from this website can result in criminal charges brought against the persons in question. The authors will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.

One week ago I stumbled across RazorSQL, a nice looking multi-SQL engine client. It has a free trial for 30 days. I really was not going to use it, but I couldn't resist the temptation of trying to crack it. This article resumes my short but interesting adventure, where I learned a couple of things.

The main JAR is razorsql.jar, so we go ahead and decompile it. We find out that load.c class cannot be decompiled, so it is hidden somehow. load.d#tx() returns a decrypted class that can be instantiated


String "bG9hZC5j" is “load.c” encoded. Decoding these strings having this first decompilation is trivial, so I will just skip over this part.
  • URL var65 is file:/home/m0skit0/razorsql/data/run.ssql 
  • URL var68 is file:/home/m0skit0/razorsql/razorsql.jar
Checking load.d#da() we find it adds the URLs using load.h
 

 

We create a FakeD class that extends load.d and a simple main() to have a debuggable controlled RazorSQL run.
 

Overloading FakeD.findClass() we can dump the class binary (shown as CrackTest.dumpBinary()) just before it is resolved for loading (so it must be totally decoded)
 

Bingo, now we got load.c code! We create a class called ClearC with this decompilation. Needs some fixes: external JAR (downloaded), imports from load package when needed, replaced load.d with FakeD, and some other small code fixes that should be no problem for you. Make our main class extends load.RazorSQL class and copy main method code. Again some straightforward fixes are needed to make it compile (like a private method in RazorSQL we cannot access). After this, we’re going to inject our ClearC class instead of load.c.
 

Cool, now we can launch RazorSQL like normal with our own ClearC class instead of load.c. ClearC continues through the z() method, which creates other class instances that take control to create the GUI. 


Note that that localD is a FakeD instance loaded with “file:/home/m0skit0/razorsql/data/run.ssql”. We can see this invokes a custom ClassLoader to load com.rp.gui.database.RazorSQL, which looks like the actual main class. Using the same trick for FakeD as before, we get the binary for com.rp.gui.database.ClassUtil. We find out it extends RClassLoader, which we don’t have, so we need it too, and so on. We continue to extract all required classes until we can get a basic compilation. Here’s an example on how I did it, but you can find whatever methods suits you best (like dumping all classes without checking any names).
 

After fixing all compilation errors (tip: for very big classes, utils and logging, you can either comment the lines or remove everything and keep just the methods you need to use), our next objective is to get the code for com.rp.gui.database.RazorSQL. For this, we will use a similar approach: make ClearC instantiate a ClassUtil of our own, then get the binary of RazorSQL class and dump it.
 

Then at ClassUtil#findClass we can dump the binary we’re looking for. After we get RazorSQL class, we can rapidly find it imports another class called RegistrationUtil. We can then see this is definitely where the registration check and process is done. This looks like exactly what we want, so following the same procedure, we dump its binary as well.
 

Next we check where is RegistrationUtil loaded from. Debugging at StandardClassLoader#findBytes we can find it is loaded from file:/home/m0skit0/razorsql/data/base.ssql by using BaseJarReader. If you look at this class, you will see it decrypts the JAR as a temporary file then loads it as a normal JAR. If we set up a breakpoint at BaseJarReader#init(), we can stop before the temporary file has been deleted and get the original decrypted JAR. Looking there we also find the JAR “decryption” process: XOR 90 (0x5A), that is, decrypted-byte = encrypted-byte XOR 90. So the inverse process would simply be encrypted-byte = decrypted-byte XOR 90. Now we can encode/decode their hidden JARs.
 

The decrypted JAR is a valid one, but we quickly find out the classes it contains are not valid Java classes. We can see in ClassUtil#doC there’s another XOR encoding for the class binaries using byte 0x58.
   

At this point, we have pwned their security since we can freely encode/decode their classes and hidden JARs at will. We should write a script or some small tool that encodes/decodes classes and JARs, or even better, encode class + replace in JAR + encode JAR. This is left as an exercise to the reader :) 

Back to registration and specifically RegistrationUtils#doRegistration().
 

It looks like that for a successful registration we need to make sure that 
  1. var1 has a value (isn’t null) 
  2. isValidCode always returns true. 

To acheive this, we’re going to use a Java bytecode framework, in this case Javassist. So the first step is to return a fixed string from RSQLManager#getRegistrationCodeFromFile.
  

Next, RegistrationUtils#isValidCode should always return true.
 

Now we replace these 2 classes with the newly generated ones in the base.ssql JAR (remember the 2-step encoding we found out previously), replace the original one from RazorSQL, launch it and…


BINGO!

I hope you find this article interesting and feel free to let me know if you have any questions.

Comments

  1. Hi m0skit0! What a pity! The images are not visible. Is there any way to recover them?

    ReplyDelete
    Replies
    1. Cracking By Example: Java >>>>> Download Now

      >>>>> Download Full

      Cracking By Example: Java >>>>> Download LINK

      >>>>> Download Now

      Cracking By Example: Java >>>>> Download Full

      >>>>> Download LINK yb

      Delete
  2. Amazing blog! I really like the way you explained such information about this post with us. And blog is really helpful for us this website
    razorsql-crack
    window-12-pro-crack
    idm-crack
    screenfloat-crack
    edraw-max-crack

    ReplyDelete
  3. I am very impressed with your post because this post is very beneficial for me and provide a new knowledge…
    mushroom-garden-seasons-hd-crack
    antistress-relaxation-toys-crack
    razorsql-crack
    window-12-pro-crack

    ReplyDelete
  4. Cracking By Example: Java >>>>> Download Now

    >>>>> Download Full

    Cracking By Example: Java >>>>> Download LINK

    >>>>> Download Now

    Cracking By Example: Java >>>>> Download Full

    >>>>> Download LINK N4

    ReplyDelete
  5. I am very impressed with your post because this post is very beneficial for me and provide a new knowledge…
    FL Studio
    StreamFab
    iMyFone AnyTo
    Advanced SystemCare Pro
    freepccrack

    ReplyDelete
  6. Thanks a lot for sharing such a nice content. EaseUS MobiUnlock is a best tools for device unlocking puepose. Again thanks to allow my comment.

    ReplyDelete
  7. Thanks a lot for sharing such a nice content. StramFAB is a best tool for live streaming designing puepose. Again thanks to allow my comment.

    ReplyDelete

Post a Comment

Comment, motherf*cker

Popular Posts