Database accessing: Reversing Simple Java Protections
A generic approach
Published at www.searchlores.org in April 2002
Fundamental lore for seekers, that should not and never be stopped by any
The complete idiot's (that should be me :) guide to breaking simple java applet protections
1. You'll need a Java compiler for this. Get it here: http://java.sun.com/products/jdk/1.1/
2. Go to the login page and save the applet, the HTML, and any additional files the applet requires (for RiadaLock that should be lock.txt; other protections may be better at hiding those files, but you should be able to find them in your browser cache anyway).
3. Decompile the applet and rename *.jad to *.java. Rename the applet to something else so it doesn't get overwritten when you recompile the classes.
4. Load the source into your favourite editor and look around.
A good place to start is the init() method, where the calls to the various initialization functions will be, including the loadAndDecryptPasswords() method.
The protections we have seen up to now follow a similar model: they load some parameters from the HTML (via getParameter()), which hold either the encrypted user/pass combos or the name of an external file where these are located.
So, fish out those getParameter() calls; around one of them should be the decryptPass() call. For example, in RiadaLock.class we have:
    private String z0(String s, String s1, Properties properties, boolean flag)
    {
        String s2;
        if(properties != null)
            s2 = properties.getProperty(s);  // value from the external file (lock.txt)
        else
            s2 = getParameter(s);            // value from the applet's HTML params
        if(s2 != null)
            if(!flag)
                s1 = z0(s2);  //aha!
            else
                s1 = s2;      //if the flag is set - do not decode
        return s1;            //return the decoded string
    }
Thus we have found the spot where the string is decoded. Now comes the really idiotic part :)
Right before the "return s1;" line insert this:
5. Recompile the file (it must be named .java). For example:
c:\jdk1.1\bin\javac RiadaLock.java (the case must match!)
6. Run the applet viewer:
c:\jdk1.1\bin\appletviewer login.html (so the applet gets its proper params)
A nice window with the applet's content appears, while the console window fills with
all the decrypted data you needed. You may like to run appletviewer like this:
c:\jdk1.1\bin\appletviewer login.html > passwords.txt
(For RiadaLock there are other strings in the dump; obviously they use one generic function for all the strings they need.)
Please note that this will work only for really SIMPLE protections. If, for example, they did it
the right way, they would ENCRYPT the user/pass and check the encrypted string against an encrypted string.
They MUST decrypt the URL to load, though, so maybe one should be able to find the backdoor
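The closing paragraph contrasts the weak design (decode the stored credential on the client, then compare) with the better one (store only a transformed value and compare transformed against transformed). The following is an added illustration of that contrast, written for this page; it is not RiadaLock's code, and the class name AppletAuthCompare, the Caesar-shift "decoder" standing in for the applet's z0(), and the sample values are all constructed here. It uses the JDK's MessageDigest rather than any applet-specific API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration (hypothetical class, not RiadaLock's code): the two
// credential-check designs described in the essay, side by side.
public class AppletAuthCompare {

    // Toy reversible "obfuscation" standing in for the applet's z0() decoder
    // (a shift by one). Any reversible transform has the same property: once
    // the decoder has run, the plaintext exists on the client.
    static String weakDecode(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) sb.append((char) (c - 1));
        return sb.toString();
    }

    // Weak design: decode the stored password, then compare with the input.
    // The plaintext is available inside the applet right before the compare,
    // which is exactly what the essay's console dump captures.
    static boolean weakCheck(String storedEncoded, String input) {
        String decoded = weakDecode(storedEncoded);
        return decoded.equals(input);
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Stronger design ("check encrypted vs encrypted"): only a digest of the
    // password is stored; the input is digested and the digests compared.
    // No routine in the applet can turn the stored value back into the
    // password, so there is no decoder to instrument. The digest can still
    // be attacked offline by guessing, and the applet must still recover
    // the protected URL, so this raises the bar but is not a substitute
    // for authentication done on the server.
    static boolean hashedCheck(byte[] storedDigest, String input) {
        // isEqual compares in constant time
        return MessageDigest.isEqual(storedDigest, sha256(input));
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real applet.
        String encodedPw = "tfdsfu";            // "secret" shifted by one
        byte[] storedDigest = sha256("secret"); // what the HTML param would carry

        System.out.println("weak, right password:   " + weakCheck(encodedPw, "secret"));
        System.out.println("weak, wrong password:   " + weakCheck(encodedPw, "guess"));
        System.out.println("hashed, right password: " + hashedCheck(storedDigest, "secret"));
        System.out.println("hashed, wrong password: " + hashedCheck(storedDigest, "guess"));
        System.out.println("stored digest (hex):    " + toHex(storedDigest));
    }
}
```

Compile and run with javac/java as in step 5; both checks accept "secret" and reject "guess", but only the first design ever holds the plaintext in a variable that a dump could expose. The digest variant is the "right way" the paragraph describes; the remaining weakness it notes (the URL must still be decodable on the client) is why client-side gating of this kind is at best an obstacle, not a control.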