TrueJournals

Before I really get into this article, I need to place a couple notes here:

1. This is a semi-technical post.  It assumes some knowledge of programming and how software works, but I’ll try to keep it as simple as possible.
2. I’ve done my best to not give away what application I’m writing about.  This is on purpose.  While this is an interesting look into hacking software, getting around DRM is, to the best of my knowledge, illegal.  This article is actually about reverse-engineering, not cracking software.
3. If the author of this application finds this blog post and thinks I’ve given away too much, they should please e-mail me and I’ll take it down.  If you think this article is about your application and it is not, however, I will not remove the article.
4. If you like software, buy it!  Seriously… software developers need to eat, too!

Now, let’s get into the bread and butter of this article!

There’s a certain piece of software that I’ve used once or twice, each time with wonderful results.  It really is well-written, it’s just a bit expensive for how often I use it.  Luckily, it has a free 15-day trial, so I’ve been able to use that occasionally.  However, I wanted to see if I could do more than that.  I wondered if I could break open the licensing for this software, figure out how it works, and bypass it.  As it turns out, it was easier to just give myself a license, but that doesn’t come until the end.

The download page for this particular software notes that it requires Java to run.  Since I know of a java decompiler, and I’m familiar with Java, I figured I’d be able to decompile the source code and get to hacking.  However, the software installs to an exe.  So, my first question is this: where are the class files?  Those familiar with Java should know that one writes a .java file, then uses javac to compile that to a .class file, which is executed by the java interpreter.   Luckily, the class files I was looking for were hidden right inside the exe.  Even more, 7-zip had no problem opening the exe as an archive and exposing those class files.

So, now I’ve got the class files and a Java decompiler.  Let’s get to reading source code!  This part gets a bit tricky.  I discovered very quickly that the source code was run through an obfuscator before being compiled.  An obfuscator is an application that takes easy-to-read code, and makes it close to impossible to read.  There’s a couple tricks obfuscators generally use to do this.  Whatever obfuscator was used on the application I’m decompiling, however, only seemed to do one thing: it took all variables, class names, method names, etc., and renamed them.  It started with A and went to Z.  This makes code very difficult to follow, because classes and variables are usually named to describe what they contain.  For example, if there was a method to verify a license, it would be called… verifyLicense.  This would be an easy method for me to search for and change.  Now, instead of looking for something to do with licensing, I have to figure out what code executes, and go through it line-by-line.

So, I start looking through classes, thinking perhaps I’ll find something useful.  Lo-and-behold… I did!  There was a class staring right at me named “Startup”.  Looking inside that class, it had a “main” method.  Perfect!  So, I start looking through code.  Luckily, jd-gui is able to link to other classes where necessary.  So, instead of attempting to figure out which “A” a certain line of code is referring to, I just click on the “A” and I’m taken right to the relevant code.  This made my job a lot easier.

As I’m going through the code, I notice a lot of it is just initializing the program.  A couple threads created, variables populated, etc.  Then, I notice an if statement.  This if statement takes me to another class which I notice contains the code for creating the licensing dialog.  Perfect!  Essentially, this if statement checks for a valid license, and if false, displays the licensing dialog.  So… all I need to do is remove this if statement, compile the code, replace the class in the exe and I’m done right?

As it turns out, not so right.  I was able to change the code, but compilation was another problem in and of itself.  First off, since a package already existed with the name of the package this class belonged to, I had to leave out the “package” line.  I figured this wouldn’t be a big issue and moved on.  Next, I realized that the java compiler I was using had much stricter class-package name standards.  It wouldn’t let me have a class which shared a name with a package.  So, if I had package com.truejournals.D.E, containing classes A, B and C, I couldn’t have a class named com.truejournals.D.E.  This is a huge problem, as the entire obfuscation process seemed to ignore this.  In order to get around this, I would have to refractor almost all of the code.

I’m not sure how… but by removing an import or two, I was able to get the code to compile.  Replacing it, however, proved to be another challenge.  Using a resource editor, I found a jar file inside the exe.  I was able to extract that jar file, and was greeted with all the class files I found when opening the exe with 7-zip.  So, this is where I needed to replace the file.  After finding how to do this (7-zip won’t do it… jar uf will!), I was able to put my class file inside the jar.  Now, all I had to do was place the jar file back inside the exe.  However, the resource editor I was using wouldn’t let me do this.  So, I found another that would and was able to replace the jar file.

Now… the moment of truth… I open the exe and… nothing.  Nothing pops up on my screen, so I open task manager.  Turns out, the process is just sitting there idling.  Perhaps there’s another check somewhere, or perhaps the exe is just rejecting my self-compiled class.  Either way, it looks like I need to find a better way to do this.  What if I could, instead, create my own valid license?

By following the methods in jd-gui, I was able to actually find the code that checks the license.  Here’s an outline of how this process works:

1. When you open the application for the first time, it creates a file in your application data folder.  The name of this file is the md5 of your computer name with a couple more characters tacked on the end.  The content of this file is a bunch of random uppercase letters with a couple dashes thrown in.
2. When you enter a serial number, a string is created with a couple pieces of information, separated by ||| (three bars).  The information contained is: the serial from an older version of the program, the serial number you entered, the contents of the file from step #1, your computer’s host name, and the version of the application.
3. This string is encrypted by DES-ECB with the first eight characters of the md5 of a key stored in the program’s code, and sent to “license2.php” on the website the application is hosted on.
4. license2.php generates a response, which is read by the application.
5. The response is first decrypted using DES-ECB with the first eight characters of the md5 of the contents of the file from step #1 as the key.
6. This decrypted string is then decrypted again using the same key used in step 3.
7. The fully decrypted string is checked.  The first character is a key validity checker: 0, 1, 2, 3 or 5 seem to represent a valid license, perhaps some of these with restrictions.  0 seems to be a fully valid license.  The rest of the decrypted string must be the serial number sent to the server.  Although, this only seems to matter if the first character is a 0.
8. The encrypted response received from the server is stored in the settings file of the application for future offline license verification.

Since I now knew that a valid license string is stored in the settings file, all I have to do is generate my own in the right format with the right encryption.  At this point, I have two options.  Either I can run all the encryption once and generate a perfectly valid license for my computer, or I can create an application that will read the special file from part #1 above and generate a valid license.  I chose to go with option 2.

So I opened Visual Studio and went to work, coding in C# because it’s what I’m most familiar with from Visual Studio.  After a lot of coding, and a lot of debugging, I was able to create an application that writes the settings file with a valid serial number of 1234.  To be honest, I have no idea what a valid serial number for this application actually looks like, but that doesn’t matter — the program doesn’t care.  If the stored license works, it’s happy.

I’ve run this application on two computers now, with stunning results: it works!  A click of a button and a little waiting gives a valid license for this application.  Overall, I’m very happy with how this came out.  Normally, application cracks either patch an exe or generate a valid serial number, then disable online checking.  However, neither of these options seemed to work for me, so I came up with the next best thing: generate a valid license.  This was an intriguing look into a licensing method for a piece of software, and a great way for me to explore some code.  It’s unlikely that I’d ever be able to use this same methodology to crack another program, but I’m still glad I went through all the trouble to figure this out.