Java cracking, reversing applets


by El Latigo

25 November 1998

courtesy of reverser+'s page of reverse engineering


Hi there reverser+,

I'm writing you in order to (try to) contribute with all those great
essays about reverse engineering. I have cracked other programs and 
never emailed any essay; but this time, i think that this is going 
to be usefull because this time its java, and i found very little about
java reverse engineering on the web.
Ok, the targets are those beautiful www.opencube.com applets.
they are great,and you can download them...but theres one little thing,
you wont be able to use them in your website if they are not registered. 
When you upload the file to your webserver, and try to see the
page where the applet is embeded all you will get is a nasty phrase
which reads 'invalid notice tag'.
"Ahi!" -you say- "this high tech applet wont work!"
But if you send money to the guys at opencube, they will send you  a
couple of 'key' files called 'ocekey.class' and 'ocjwkey.class'
and when you replace the files you had downloaded with those they sent
you... voila! the applets work.
Of course,when you buy the applets, they tell you to specify a domain so
they can make those applets 'workable' within your domain. The thing is
simple, all you ‘crackers’ have  to do is in some way, change the url
those demo applets are registered to...
How can you do that? VERY easy, remember that everything is possible 
in this software world of us... if you use your head.
Ok now, i did decompile that ‘key’ class using JAD, a very
powerful ‘.class-to-.java’ decompiler which can be found at :
ftp://www.meurrens.org/pub/Java/codeEngineering/jadnt15.zip
Well, in fact the game is already almost over, all you have to do is 
decompile using jad (jad ocekey.class);  
the jad decompiler will make a ocekey.jad file which is the 
ocekey.class source code (cool huh?).
After that you open the file and see that little and poor class file 
that is trying to prevent you from using an applet... the source of 
the ocekey.class is the following:

import java.net.URL;

class ocjwkey
{

    public static String getKey(String note, URL u)
    {
        String regURL = "www.opencube.com";  <------- bad guys :)
        int i = 1;
        while(Character.isDigit(note.charAt(note.length() - i)))
            i++;

        if(u.getProtocol().equalsIgnoreCase("file") ||
u.getHost().equalsIgnoreCase(regURL))  <---vital part :)


            return note.substring(0, (note.length() - i) + 1).trim();
        else
            return "-1";
    }

    ocjwkey()
    {
    }
}

Yahooooo! Look at the regURL variable... what do we have here? Oh
yes you guessed it mr cracker! The url for the applet! Now you have two
options: you know, 1) you can change the url for the applet to work on your
own site or 2) you modify the source for it to work on ANY web site ...
If you choose the first option, I don't need to tell you what you should do, 
since it is jolly obvious, but if you choose the second option you have 
to delete the following lines :


1) if(u.getProtocol().equalsIgnoreCase("file") ||
   u.getHost().equalsIgnoreCase(regURL))

2) else

3) return "-1";


After this, you recompile the ocekey.class and replace the old one with
the cracked one.
Well, that's it actually! Easy easy cracking... right?
The other 'key'  class, is quite similar, i won't explain it here, tackle 
that one yourself! (an easy reversing task)

Enjoy java cracking, it's easy, it's great fun, it's interesting.

El Latigo

Ps: If you dont know how to compile a .java file, then you shouldn't be
reading this at all, come back later... :)

Ps2: You can download the target applets from  
http://www.opencube.com/colgo

User Name: cu2248
password:  homefree

But, please, remember to delete them after having cracked them / played 
with them... this is only for study purposes of course. In fact we 
are not here in order to steal this or that specific software, we 
are here in order to MASTER software, in order to LEARN how to use 
any software whatsoever whenever we like, however we like and 
for any purpose we want, changing it on the fly if needs be, cracking 
it black and blue if we fancy it. 


redhomepage red links red anonymity +ORC redstudents' essays redacademy database redbots wars
redantismut redtools redcocktails redjavascript wars redsearch_forms redmail_reverser
redIs reverse engineering illegal?