courtesy of fravia+'s page of reverse engineering
Hi there fravia+, I'm writing you in order to (try to) contribute with all those great essays about reverse engineering. I have cracked other programs and never emailed any essay; but this time, i think that this is going to be usefull because this time its java, and i found very little about java reverse engineering on the web. Ok, the targets are those beautiful www.opencube.com applets. they are great,and you can download them...but theres one little thing, you wont be able to use them in your website if they are not registered. When you upload the file to your webserver, and try to see the page where the applet is embeded all you will get is a nasty phrase which reads 'invalid notice tag'. "Ahi!" -you say- "this high tech applet wont work!" But if you send money to the guys at opencube, they will send you a couple of 'key' files called 'ocekey.class' and 'ocjwkey.class' and when you replace the files you had downloaded with those they sent you... voila! the applets work. Of course,when you buy the applets, they tell you to specify a domain so they can make those applets 'workable' within your domain. The thing is simple, all you ëcrackersí have to do is in some way, change the url those demo applets are registered to... How can you do that? VERY easy, remember that everything is possible in this software world of us... if you use your head. Ok now, i did decompile that ëkeyí class using JAD, a very powerful ë.class-to-.javaí decompiler which can be found at : ftp://Meurrens.ML.org/pub/Java/codeEngineering/jadnt15.zip Well, in fact the game is already almost over, all you have to do is decompile using jad (jad ocekey.class); the jad decompiler will make a ocekey.jad file which is the ocekey.class source code (cool huh?). After that you open the file and see that little and poor class file that is trying to prevent you from using an applet... the source of the ocekey.class is the following: import java.net.URL; class ocjwkey { public static String getKey(String note, URL u) { String regURL = "www.opencube.com"; <------- bad guys :) int i = 1; while(Character.isDigit(note.charAt(note.length() - i))) i++; if(u.getProtocol().equalsIgnoreCase("file") || u.getHost().equalsIgnoreCase(regURL)) <---vital part :) return note.substring(0, (note.length() - i) + 1).trim(); else return "-1"; } ocjwkey() { } } Yahooooo! Look at the regURL variable... what do we have here? Oh yes you guessed it mr cracker! The url for the applet! Now you have two options: you know, 1) you can change the url for the applet to work on your own site or 2) you modify the source for it to work on ANY web site ... If you choose the first option, I don't need to tell you what you should do, since it is jolly obvious, but if you choose the second option you have to delete the following lines : 1) if(u.getProtocol().equalsIgnoreCase("file") || u.getHost().equalsIgnoreCase(regURL)) 2) else 3) return "-1"; After this, you recompile the ocekey.class and replace the old one with the cracked one. Well, that's it actually! Easy easy cracking... right? The other 'key' class, is quite similar, i won't explain it here, tackle that one yourself! (an easy reversing task) Enjoy java cracking, it's easy, it's great fun, it's interesting. El Latigo Ps: If you dont know how to compile a .java file, then you shouldn't be reading this at all, come back later... :) Ps2: You can download the target applets from http://www.opencube.com/colgo User Name: cu2248 password: homefree But, please, remember to delete them after having cracked them / played with them... this is only for study purposes of course. In fact we are not here in order to steal this or that specific software, we are here in order to MASTER software, in order to LEARN how to use any software whatsoever whenever we like, however we like and for any purpose we want, changing it on the fly if needs be, cracking it black and blue if we fancy it.