1. This is a semi-technical post.  It assumes some knowledge of programming and how software works, but I’ll try to keep it as simple as possible.
2. I’ve done my best to not give away what application I’m writing about.  This is on purpose.  While this is an interesting look into hacking software, getting around DRM is, to the best of my knowledge, illegal.  This article is actually about reverse-engineering, not cracking software.
3. If the author of this application finds this blog post and thinks I’ve given away too much, they should please e-mail me and I’ll take it down.  If you think this article is about your application and it is not, however, I will not remove the article.
4. If you like software, buy it!  Seriously… software developers need to eat, too!

Now, let’s get into the bread and butter of this article!

There’s a certain piece of software that I’ve used once or twice, each time with wonderful results.  It really is well-written, it’s just a bit expensive for how often I use it.  Luckily, it has a free 15-day trial, so I’ve been able to use that occasionally.  However, I wanted to see if I could do more than that.  I wondered if I could break open the licensing for this software, figure out how it works, and bypass it.  As it turns out, it was easier to just give myself a license, but that doesn’t come until the end.

The download page for this particular software notes that it requires Java to run.  Since I know of a java decompiler, and I’m familiar with Java, I figured I’d be able to decompile the source code and get to hacking.  However, the software installs to an exe.  So, my first question is this: where are the class files?  Those familiar with Java should know that one writes a .java file, then uses javac to compile that to a .class file, which is executed by the java interpreter.   Luckily, the class files I was looking for were hidden right inside the exe.  Even more, 7-zip had no problem opening the exe as an archive and exposing those class files.

So, now I’ve got the class files and a Java decompiler.  Let’s get to reading source code!  This part gets a bit tricky.  I discovered very quickly that the source code was run through an obfuscator before being compiled.  An obfuscator is an application that takes easy-to-read code, and makes it close to impossible to read.  There’s a couple tricks obfuscators generally use to do this.  Whatever obfuscator was used on the application I’m decompiling, however, only seemed to do one thing: it took all variables, class names, method names, etc., and renamed them.  It started with A and went to Z.  This makes code very difficult to follow, because classes and variables are usually named to describe what they contain.  For example, if there was a method to verify a license, it would be called… verifyLicense.  This would be an easy method for me to search for and change.  Now, instead of looking for something to do with licensing, I have to figure out what code executes, and go through it line-by-line.

So, I start looking through classes, thinking perhaps I’ll find something useful.  Lo-and-behold… I did!  There was a class staring right at me named “Startup”.  Looking inside that class, it had a “main” method.  Perfect!  So, I start looking through code.  Luckily, jd-gui is able to link to other classes where necessary.  So, instead of attempting to figure out which “A” a certain line of code is referring to, I just click on the “A” and I’m taken right to the relevant code.  This made my job a lot easier.

As I’m going through the code, I notice a lot of it is just initializing the program.  A couple threads created, variables populated, etc.  Then, I notice an if statement.  This if statement takes me to another class which I notice contains the code for creating the licensing dialog.  Perfect!  Essentially, this if statement checks for a valid license, and if false, displays the licensing dialog.  So… all I need to do is remove this if statement, compile the code, replace the class in the exe and I’m done right?

As it turns out, not so right.  I was able to change the code, but compilation was another problem in and of itself.  First off, since a package already existed with the name of the package this class belonged to, I had to leave out the “package” line.  I figured this wouldn’t be a big issue and moved on.  Next, I realized that the java compiler I was using had much stricter class-package name standards.  It wouldn’t let me have a class which shared a name with a package.  So, if I had package com.truejournals.D.E, containing classes A, B and C, I couldn’t have a class named com.truejournals.D.E.  This is a huge problem, as the entire obfuscation process seemed to ignore this.  In order to get around this, I would have to refractor almost all of the code.

I’m not sure how… but by removing an import or two, I was able to get the code to compile.  Replacing it, however, proved to be another challenge.  Using a resource editor, I found a jar file inside the exe.  I was able to extract that jar file, and was greeted with all the class files I found when opening the exe with 7-zip.  So, this is where I needed to replace the file.  After finding how to do this (7-zip won’t do it… jar uf will!), I was able to put my class file inside the jar.  Now, all I had to do was place the jar file back inside the exe.  However, the resource editor I was using wouldn’t let me do this.  So, I found another that would and was able to replace the jar file.

Now… the moment of truth… I open the exe and… nothing.  Nothing pops up on my screen, so I open task manager.  Turns out, the process is just sitting there idling.  Perhaps there’s another check somewhere, or perhaps the exe is just rejecting my self-compiled class.  Either way, it looks like I need to find a better way to do this.  What if I could, instead, create my own valid license?

By following the methods in jd-gui, I was able to actually find the code that checks the license.  Here’s an outline of how this process works:

1. When you open the application for the first time, it creates a file in your application data folder.  The name of this file is the md5 of your computer name with a couple more characters tacked on the end.  The content of this file is a bunch of random uppercase letters with a couple dashes thrown in.
2. When you enter a serial number, a string is created with a couple pieces of information, separated by ||| (three bars).  The information contained is: the serial from an older version of the program, the serial number you entered, the contents of the file from step #1, your computer’s host name, and the version of the application.
3. This string is encrypted by DES-ECB with the first eight characters of the md5 of a key stored in the program’s code, and sent to “license2.php” on the website the application is hosted on.
4. license2.php generates a response, which is read by the application.
5. The response is first decrypted using DES-ECB with the first eight characters of the md5 of the contents of the file from step #1 as the key.
6. This decrypted string is then decrypted again using the same key used in step 3.
7. The fully decrypted string is checked.  The first character is a key validity checker: 0, 1, 2, 3 or 5 seem to represent a valid license, perhaps some of these with restrictions.  0 seems to be a fully valid license.  The rest of the decrypted string must be the serial number sent to the server.  Although, this only seems to matter if the first character is a 0.
8. The encrypted response received from the server is stored in the settings file of the application for future offline license verification.

Since I now knew that a valid license string is stored in the settings file, all I have to do is generate my own in the right format with the right encryption.  At this point, I have two options.  Either I can run all the encryption once and generate a perfectly valid license for my computer, or I can create an application that will read the special file from part #1 above and generate a valid license.  I chose to go with option 2.

So I opened Visual Studio and went to work, coding in C# because it’s what I’m most familiar with from Visual Studio.  After a lot of coding, and a lot of debugging, I was able to create an application that writes the settings file with a valid serial number of 1234.  To be honest, I have no idea what a valid serial number for this application actually looks like, but that doesn’t matter — the program doesn’t care.  If the stored license works, it’s happy.

I’ve run this application on two computers now, with stunning results: it works!  A click of a button and a little waiting gives a valid license for this application.  Overall, I’m very happy with how this came out.  Normally, application cracks either patch an exe or generate a valid serial number, then disable online checking.  However, neither of these options seemed to work for me, so I came up with the next best thing: generate a valid license.  This was an intriguing look into a licensing method for a piece of software, and a great way for me to explore some code.  It’s unlikely that I’d ever be able to use this same methodology to crack another program, but I’m still glad I went through all the trouble to figure this out.

First off, let me say that whether Wave succeeds or not makes little difference for Google.  Google is a company with enough resources to work on a major product, even if that product is a failure.  Google wanted Wave to replace e-mail.  This is where the whole “Federated Wave Servers” idea came from.  In order for Wave to be the new standard, companies had to be able to run their own Wave servers — Google couldn’t control it.  Besides that, Google already controls a good chunk of the e-mail market with GMail, so this was mostly a fun experiment for them.

But, still, it seems like something that should have succeed… or, at least, lasted a good amount of time.  But, Wave has quickly lost momentum and died in everyone’s mind.  The problem is that Google stopped innovating, and the Wave server never became very popular.  I don’t believe there have been any feature additions to Wave since it launched, and I’m not sure there’s any good source other than Google Wave to get a Wave account.

Wave died because Google seems to have abandoned it.  They released a product, and they appeared to have stopped working on it.  Wave is something Google needed to not only push to corporations, but also continue innovating, and releasing new features, and this never happened.  Google was unable to explain to potential customers why they need Wave, and this is where it failed.  I think this is slightly unfortunate, but I’m not very surprised.  While e-mail is antiquated, it still works, and it’s going to take a lot of push in order to move away from it.  Google didn’t seem to have any major corporations backing Wave, which also contributed to the failure.

Who knows… maybe we’ll see Google attempt to revive Wave with some new features.  Maybe it will come back for a couple months… But Google will have to work really hard to get the momentum and excitement about Wave going again.

I do, by the way, have 12 Wave invites.  I suppose you can comment here or contact me if you want one.  That’s a dangerous statement to say on the Internet.  Although Wave has died, I have a feeling there are people who never got in on the game, and are still looking for invites, only to find a product that no one uses.

The different sections of the line are separated by semicolons. So, priority is the first part, then a semicolon, then the “ScreenOn” value, then a semicolon, etc. So, I’ll use your example and point out each section of the programming.

0;1;0;40002000200040ff200020000000;0000;0000

To make this easier, I’m going to assign an index to each section of the command. I’ll split the string up by the semicolons. We’ll say the first character (a zero, in this case) has an index of 1. The second part of the split (a one), has an index of 2, etc, etc.

0;1;0;40002000200040ff200020000000;0000;0000
Index 1 defines the priority. If two patterns trigger at once, items with a higher priority (lower number for this section), take precedence, because only one pattern can be going at once. Since the priority is 1 (0 being the highest priority, 255 being the lowest), this pattern will display instead of almost any other pattern (the exception is patterns that have a priority of 0)

0;1;0;40002000200040ff200020000000;0000;0000
Index 2 defines whether or not the pattern should fire based on what state the display is in. In this case, it’s a 1, which mce.ini tells us means “show pattern even when the display is on”. So, this pattern will display no matter what.

0;1;0;40002000200040ff200020000000;0000;0000
Index three gives the timeout. This can tell the pattern to stop firing after a certain amount of time. In this case, it’s a zero, which means that the pattern will never stop firing (unless it’s told to).

0;1;0;40002000200040ff200020000000;0000;0000
Index four starts the actual programming of the LED. Index four gives the programming of the RED LED. It also gets a bit more complicated here. We have to split this section up into strings of four characters each in order to understand the programming. This is what the pattern looks like, split into four-character strings, with each string separated by a pipe (|):
4000|2000|2000|40ff|2000|2000|0000
So, there are seven different commands given to the red LED. Let’s take a look at them one by one:

1. 4000 — This sets the brightness of the LED (anything starting with a 40 will change the brightness). I believe this tells the LED to turn off (0 brightness). I believe that ff would be 100% brightness.
2. 2000 — This bumps the brightness up over a certain amount of time. This gets REALLY confusing. The first two characters, 20, tell how long it should take to change the brightness. 20 is in the 01 – 3f range, so we get “short” steps. If I understand this, we get 19 “short” steps of time ~0.49ms, so this should take about 9.31 milliseconds. The next two characters, 00, defines how many steps in brightness the LED should take. 00 is no change, so the pattern will pause for about 9.31 milliseconds.
3. 2000 — Because this is the same command as above, this will also create a 9.31 millisecond pause.
4. 40ff — Again we see a 40. This says to change the channel brightness. This time, we’re changing it to ff, which should be 100% brightness. So, this command turns the LED on.
5. 2000 — This creates another 9.31 ms pause.
6. 2000 — This creates another 9.31 ms pause.
7. 0000 — This tells the pattern to loop (“jump to the start of the pattern”).

So, the red LED will turn off, pause for (2*9.31 ms =) 18.62 milliseconds, turn on, pause for another 18.62 milliseconds, then loop.

0;1;0;40002000200040ff200020000000;0000;0000
Index five gives the pattern for the GREEN LED. This is a very exciting pattern. It simply tells the pattern to repeat again and again and again. So… nothing happens with the green LED.

0;1;0;40002000200040ff200020000000;0000;0000
Index six gives the pattern for the BLUE LED. Again, very exciting. The blue LED does… nothing.

I hope this helps you understand how the programming works.

With a SQL database backend, it’s quite easy to figure out a login problem.  It’s a simple matter of searching the databse for a username that is equal to the one the user entered.  If the password of that row matches the password the user entered (generally md5 encoded), then the user can login.  If it doesn’t, they get the “incorrect password” message, and if the username search returns zero rows, they get an “incorrect username” message.  Simple and secure, right?

Wrong.  The problem with telling the user that the password was the incorrect data entered is that it lets them know that the username is correct.  For someone legitimately logging into the website, this is great.  They know exactly what to fix, they fix it and move on.  For someone who doesn’t actually own the account, however, this message is a lot more interesting.

Potentially, a script could be written to try thousands, even millions of usernames all with the same password.  Once an “incorrect password” message is reached, the script can then try another list of thousands to millions of passwords, until it gets an account.  All automated, and very simple.

So, the solution is to not let the user know what’s wrong.  Just say “incorrect login details.”  Something is wrong, but we’re not gonna tell you what.  Good luck!  This will stop any username-guessing script.  Now, you can’t tell a valid username from an invalid username.  However, some websites like to have lists of their members, or the hacker may already know a username for some reason.  So, how do we combat this?

Login try limits.  After 5 failed attempts, lock out the IP address in question.  Any user who just typed something wrong should be able to get it right within five tries, and blocking the IP will stop from additional attacks.  However, some robots are more complex than this.

When it comes down to it, if someone really wants to get into your website, they will.  A botnet will millions of different IP addresses could foil the above scheme.  Additionally, proxies could get around this block.  It would seem that there is no way to keep a website secure.

The responsibility falls on the user, really.  Most websites say somewhere that if someone breaks into your account, they aren’t responsible.  Website admins should have really long annoying to type passwords, because they can easily save the password somewhere, and normal users should have passwords that are strong enough.  If you’re really worried that someone will break into your account, choose a better, longer password.

Or, do we need to go above and beyond passwords?  Is there a level of security past passwords that we have yet to reach.  A lot of computers now have fingerprint readers.  Could we have websites that require your fingerprint as your password?  How about an image?  A website could issue you a completely random image for your password.  You save this image, and have to upload it any time you want to login.  The image would have to be small enough to let dial up users be able to upload the image, but it could be big enough to be very, very random.

So, security isn’t perfect.  I doubt it ever will be.  If someone really, really wants to break into something, they will.  This is why we have jails.

My brainstorming session basically consists of my tablet running xournal.  I get nice lined notebook paper, where I can write down any ideas that pop into my head.  I can then look at that later and go “No… that won’t work” or “Hmm… I might be on to something,” and try to implement it.

So, if you’d like to see what I’ve been thinking about for tear bookmarks, look at the following PDF: 2009-04-22-tearbookmarksbrainstorm.  Enjoy!