cracking codelink v4.0 by silkware
("applets cracking")

by douby, 2 December 1998
(slightly edited by reverser+)

red

cracking codelink v4.0 by silkware                              
by douby

  More and more companies are trying to make big money out of java
applets ... yet what's money? Money is NOTHING compared to knowledge... 
as you will see cracking such an applet is a piece cake ... 

  The applet used in this essay is codelink v4.0 by silkware.
  You can download it at 
http://silk.webware.co.nz 
this applet can be used to password-protect some of your pages (duh!.. as if 
my readers would need an applet to protect their pages)... it's a 30 day trial 
version and reading the readme.html you'll soon find out that it can be registered 
using a correct registration key... 

  To crack this baby only one tool is needed... JAD, a java decompiler... 
you can download it at
http://www.geocities.com/SiliconValley/Bridge/8617/jad.html. 

  Ok, enough 'chit chat' let's start cracking this applet...
decompile all the classes in the codelink directory and examine the
output files ... you will quickly come to the conclusion  that the protection
scheme is hidden in the file called V4Codelink.class in a method called ftxx... 
so, let's take a look at the protection scheme... 
	int fxtx = 2098;
	String hexstart = "f-";
	String hexfin = "3C";
	boolean xzxzvv = true;
	String xzxzv = "";
	String param = getParameter("RegistrationID");
	if(param == null)
	    return false;
	if(param != null)
	    xzxzv = param;
	xzxzv = xzxzv.trim();           //get right reg. id
	String hexa4 = "";
	int lengthh = xzxzv.length();   //store length of reg. id in lengthh
	String bitof = "";
	int iii = lengthh;              //iii = length of reg. id
	if(lengthh <= 9)             //if lengthh <= 9 wrong reg. id
	    return false;               //length of reg. id must be >= 10

Hhmm... interesting! The value of the param RegistrationID is stored in a
string called param, if param isn't null the string is stored in a string
called xzxzy... the string xzxzy is trimmed and it's length is stored in both
int lengthh and in int iii 
if  lengthh is < 10 you've got a wrong reg. id... 

at this point in the code we've reached a for-loop .. let's take a look
at it

for(int ii = 0; ii <= lengthh; ii++)  
{
		iii--;
		if(iii <= 0)
		    iii = 0;
		bitof = xzxzv.substring(iii, lengthh - ii);
		hexa4 = hexa4 + bitof;
	    }
hmm ... the string bitof is filled with the character at position
lengthh-ii in the string and is concatenated to hexa4 so the only 
thing this for loop does is to turn the string around... 
btw they could have used charAt instead of substring but I bet 
they used substring to make the code tougher too crack... hahaha... 
let's take a look at the next part of the code...

String hexa5 = hexa4;                        //hexa5=hexa4
	int hexa7 = hexa5.length();          //hexa7=length of hexa5
	String Licen = hexa5.substring(0, 2);//Licen=first 2 chars of hexa5
	String ProdnVers = hexa5.substring(hexa7 - 2, hexa7);
					     //ProdnVers=last 2 chars of hexa5
	String rawNum = hexa5.substring(2, hexa7 - 3);  
					     //rawnr is the rest of the chars

on to the next 'obstacle' the string in hexa4 is copied in the string
called hexa5 the length of hexa5 is copied into hexa7... now comes the
interesting part this part tells use a right reg. id should consist of a Licen
string, a ProdnVers String, and a rawNum string... the Licen string has to be 
the first 2 chars of the hexa5 string, the prodnVers has to be the last 2 chars
of the hexa5 string, the rawNum string contains the rest of the remaining
characters 

int moveto = rawNum.indexOf("-");       //there must be a '-' in the rawnr
					//string
	if(moveto < 0)
	    return false;
	String bitup = rawNum.substring(0, moveto);
					//copy part before '-' into bitup
	String bitdn = rawNum.substring(moveto + 1, rawNum.length());   
					//copy part after '-' into bitdn
	String Num = bitup + bitdn;     //concatenate bitup+bitdn
	String Whatisit = "Code:" + xzxzv + " The Reverse:" + hexa4 + 
	  " licence:" + Licen + "  Version" + ProdnVers + "\n" + rawNum + "  "
          + Num;

somewhere in the rawNum string there has to be a "-" character if not
the  registration id you're using is a fake ... else the bitup string is
given the value of the part before the "-" and bitdn is given the value of
the part after the "-" both bitup and bitdn are concatenated and copied
into the string num ... 

try
	{
	    original = Integer.parseInt(Num);   //parse string to int
	}
	catch(Exception e)
	{
	    Num = "0";
	    return false;
	}
	int Result = 0;
	Result = original % fxtx;       //nr has to be a mod of fxtx=2098
	boolean rtclassconvert = false;
	rtclassconvert = hexfin.equals(ProdnVers);      
					//ProdnVers has to be "3C"
	boolean KeepCool = true;
	KeepCool = hexstart.equals(Licen);              
					//Licen has to be "f-"
	String fallornerd = "not Registered";
	if(Result == 0 && rtclassconvert && KeepCool)
	{
	    fallornerd = "Licenced";
	    return true;
	}
	else
	{
	    return false;
	}

in the remaining part of the code the string Num is parsed to an int and 
copied into the int original ... the int original has to be a modulus of 
2098, the ProdnVers string has to be 3C and the Licen string has to be "f-" 
putting all this information together we get a turned around 
registration id looking like this...

f-abcd-e3C

with "f-" being the Licen String, "3C" being the ProdnVers and 
abcde mod 2098=0 turn it around and you'll get the right reg. id... 
something like this ...

C3e-dcba-f

well that's all folks ... hope you liked the essay ...

for comments,suggestions or just to say hello you can email me at:

douby_(at)hotmail(dot)com

bye!


redhomepage red links red anonymity +ORC redstudents' essays redacademy database redbots wars
redantismut redtools redcocktails redjavascript wars redsearch_forms redmail_reverser
redIs reverse engineering illegal?