Hi all ;-)

Few days ago I've downloaded a cool program: AdSubtract Pro. It filters ads and popups while browsing the web.
More particular, it's interesting from reversing perspective, because it uses java to calculate a valid regcode, to display the "wrong regcode" message, etc ... .
The program itself is written in VC++. The .class java files are in a file called classes.zip. These get unzipped when you run the program and used when necessary. When disassembling the .class files (there are a lot of them) in IDA, you can see the "wrong regcode" messages.
When entering your name and regcode, they get stored in the registery, after that they're queried and get processed by the java .class files.
When your regcode is valid, a file "license." gets updated. This is also done by a .class file.
This license file gets validated with some method called MD5 (unknown to me), so it's very hard (maybe impossible?) to create one yourself.

Anyway.....the problem I have is that I haven't got the slightest clue on how to reverse this regcode generation routine. You know.....I tried it the old getwindowtexta (and all those other well-known api's), but when the javacode gets compiled (yea, don't forget, those .class files get compiled at runtime) and the javacode starts executing....you're totally lost.
BPR -ing on your username/regcode is no use.

So, if anyone 's up to a challenge (and thus can help me, give me hints/tips) :
http://www.adsubtract.com/bin/20082404/ad-pro.exe

see what you guys do with this I provided you some basic info so you don't have to worry about that anymore

greets

The Blackbird aka BlackB

MD5 is a strong cryptographic hash function. You can't break it (at least, if you do break it, you'll be famous). You may be able to patch the compare.

Hi, I don't know where you got the idea that this is written in VC++ but it's entirely written in java.
I like the developers, one of the class files is named: NetscapeSucks.class
gotta love it

If you want you can get JAD, get it from protools.cjb.net and decompile _0.class and MD5.class and you will see how the protection works. Basically it takes the activation code you entered checks to see if it's an evaluation code or a real one. Then it replaces certain characters with numbers. Then it stores the resulting number in a byte array and does some shifting and adding to it. Then it creates an MD5 object and calls some functions on the byte array. It then compares the results to another byte array that a function from the MD5 object generated. There are some other checks, I don't have the time to look at them now but I will soon and will let you know what I find.

goatass

Hi BlackB, well I managed to make the program generate a license file, it was really simple.
All you have to do is call a method in the _0.class file, like this:
iM._0._0("SINGLE USER", "goatass", 0L, "C:\AdSubtract PRO\LICENSE";
the 3rd parameter (0L) is a long variable, it's 0 meaning your license will not expire, if you put 15L then the algorithm will do (Today+15), so your license will expire in 15 days, you don't want that.

What I did was write a small java program to do this call and create the license file. For it to work you need to extract the Classes.zip file and use the class files in the iM directory, since we gonna use their own functions to make us a license.

If you don't know how to do this post a message and I'll try to explain.

goatass

hi goatass (funny nick btw, hehe)

i found out myself that i probably could use that procedure to make a valid keyfile, I only didn't know what some parameters stand for.
wel......you helped me out anywayz
and don't worry, i'm able to code some simple java

thx again

BlackB

arggggghhhh
this is so embarrassing, hehe.

i tried to import the _0.class file, but that doesn't work actually (becoz the class is not public i suppose?)

so....how did you do it

hehe

greets

BlackB

Hi BlackB,
you don't import the class, you include the package it's in (iM)
at the top of your source code where the import statements are add:

package iM;
and then put your source code in that directory and run it. if it says Error: Wrong Name. then run it like this: java iM.YourCode

hope that helps

goatass

Well it's not really running that is the problem
It's compiling my darn java file:
package iM;

public class license {

public static void main (String args[]) {
iM._0._0("SINGLE USER", "BlackB", 0L, "C:\\Program Files\\AdSubtract PRO\\LICENSE";
}
}

errormessage:
cannot resolve symbol (line 6)
symbol: class _0
location: package iM


maybe i'm missing the clue of this
well, i guess so

greets

BlackB

well extract the classes.zip, and then copy your class file into that iM directory. from outside that directory (one dir out) type:
java iM.license (it would run your file)

and change this: C:\\Program Files\\AdSubtract PRO\\LICENSE
to: C:\Program Files\AdSubtract PRO\LICENSE

goatass

heheheh.
okay.....i think you don't understand

a java source file (like a .cpp file for c++, a .pas file for Pascal), has the extension .java.
so, BEFORE you have a compiled .class file of that source you first have to compile pretty obvious
compiling a .java file is done with javac.exe .....now THAT gives the problem and that gives the error message.

and btw, the dubble "\\" are needed or the java compiler gives another three errors.

anyway, as you succeeded in creating a valid license file, i really wonder how you did it.
i use the java 1.3 sdk (which is the newest).

btw, we might better discuss this by email, coz this is going to turn out real embarrassing for one of us, heheh :P

greets (again)

BlackB

Hey BlackB, I misread your previous post I thought you said it did compile.

Thanks for checking and yes I do know how java works and what a source file is, I did got it working remember ?

here is my code:

package iM;

import java.lang.*;

public class RegMe {

public static void main(String[] args) {

String ry = new String();
String sy = new String();
String az = new String();

ry = System.getProperty("user.dir";
if(ry.endsWith("/")
ry = ry.substring(0, ry.length() - 1);

if(ry.startsWith("file:///")
sy = ry.substring(7);
else
if(ry.startsWith("file://")
sy = ry.substring(6);
else
if(ry.startsWith("file:/")
sy = ry.substring(5);
else
sy = ry;
if(sy.length() > 2 && sy.charAt(0) == '/' && (sy.charAt(2) == '|' || sy.charAt(2) == ':'))
sy = sy.substring(1, 2) + ":" + sy.substring(3);
if(sy.length() > 0 && (sy.endsWith("/" || sy.endsWith("\\"))
sy = sy.substring(0, sy.length() - 1);

az = sy + "/" + "LICENSE";

iM._0._0("SINGLE USER", "goatass", 0L, az);
}
}

all the stuff before the iM._0._0() call does is find out the current directory you are in and formats it into a string and that is what the variable "az" is.

My code compiles fine I'm sure of it. Now you have to make sure that you have a directory called iM with all the class files from teh classes.zip file when you compile.

So make a directory called X, then unzip the classes.zip file to that directory so you will have the iM subdir and a couple others (not important), now put your java file in the X directory and compile it. Then copy the resulting class file into the iM subdir and from the X dir run: java iM.YourClassFile and it will make a LICENSE file in the current directory.

p.s I'm not embarresed I know what I'm doing, and you soundn't be either you are learning.

goatass

Okay, thx for all your effort.
The source code you gave is actually a more detailed version of mine, but actually identical.
I still got the same compiling errors.....and I read a doc about it and I had to use the option -deprecation to make the class file.
anyway, as well as your source as my source worked.....i guess we have different compilers, or a different version....don't know, anyway, it works

thx for all your time

greets

BlackB

I use Java 1.18 and in my compiler I got the same problem but it was a "Warning" not an "Error" so it didn't matter.

goatass

thanks for this very interesting conversation, but actually we're kind
of missing some java essays, could one of you take the time to do
an essay about this clever reverse ?
in reward, your name will be famous
TIA,

+Tsehp

I'm busy writing an essay....and....well, I'm writing it in name of myself AND in name of goatass, so we can both get famous ;-) hehe

greets

BlackB

Hey guys, I was gonna write an essay about this protection but if BlackB is doing it I won't. If you need any help with it let me know.

goatass

Thanks for this post, I knew nothing about JAVA before this so dl'd a compiler, and after 1/2 hr and a few errors had a true license. I finally figured out the name of the java file must be the same as the "Public" declaration, also JAVA is very case sensative. Quite simple to do, thanks again, now I'll get a book on JAVA.