Cracking Wingdis 2.12
by +Alt-F4, 9 January 1998
+cracker
Courtesy of Fravia's page of reverse engineering
fravia's comments
Well, Alt-F4 is an incredibly interesting +cracker that works a lot with Java, he's the Author of a FUNDAMENTAL essay for all java reversers: Cracking (black and blue) Java Workshop 2.0, a program that you should by all means study and use ~ alternatively, you may have found on some CD-ROM for free Symantec Visual café trial version 1.0, and you could in that case enjoy A+heist's essay: a very silly protection scheme on a very interesting target.
Therefore it suits us all A LOT that +ALT-F4 shows here the (incredibly simple) way to reverse the main Java disassembler: Wingdis.
In fact, after the sad demise of the clever Author of the mocha disassembler (hope he'll enjoy some reversing possibilities wherever he did land after having left us :-) Wingdis will be one of the main tools we all will have to use in the next months
That said, we'll use Wingdis until our own +HCU '98 tools will be ready -at the moment they seem still "under development" :-(
Anyway all these java essays are GOOD NEWS!
Java is coming! Die Gates die in flames, you horrible slimy bloated bane! Die die die with all your useless overbloated applications! :-)
So I'm happy to host another fine "Java" +HCU essay, coming to you from mighty +ALT-F4 pen (and brain).
There is a crack, a crack in everything
That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert
A simple Essay showing how you can patch a fundamental tool in order to crack and patch Java programs.
If you can understand Java, you can understand this essay! If you cannot understand Java, you'll sink with Gates' operating system in a well deserved oblivion!
Title
Cracking WingDis 2.12
(Preparing ourselves for 'real' Java cracking)
Written by +Alt-F4
Intro
The other day I downloaded ICQ java, because I wanted to decompile
it (imagine the possibilities!).
I tried decompiling with Mocha, but unfortunately it didn't
work (Mocha is a Beta version, and always will be, as sadly, the author
died).
Searching for other decompilers I came across WingDis.
The output is only slightly inferior to Mocha, but it can decompile
all java programs I have come across, and it is being continually
updated.
The program has a 5 day limit though!
In this essay I will show how I patched WingDis.
Tools Required
IDA
Hex Editor (may I suggest UltraEdit?)

Target: WingDis, available at http://www.wingsoft.com
Program History
Irrelevant (I only bother checking history on hard targets...)
THE ESSAY
Search for the text "trial" in all the class files in the wingdis
directory.
The only file you will find containing the text is ClassReader.class,
so this is our immediate target.
Obviously the first thing to try is to use Wingdis on itself to
decompile ClassReader.

"Sorry, WingDis is not allowed to decompile itself."

Oh good! Another thing to crack! Time cracks are always boring, so
let's crack this first!
Allowing WingDis to decompile itself

Mocha doesn't work, so load up ClassReader.class in IDA, and search
for "trial" again.


021 004         iload var020_4
006             iconst_3
159 000 076     if_icmpeq met020_355	:If Good jump away
042             aload_0 # var020_0
180 001 027     getfield 283
018 096         ldc1 "javadis"
182 000 201     invokevirtual int
		java.lang.String.indexOf(java.lang.String)
156 000 027     ifge met020_318		:If Bad jump to Error
042             aload_0 # var020_0
180 001 027     getfield 283
018 095         ldc1 "WingSoft"
182 000 201     invokevirtual int
		java.lang.String.indexOf(java.lang.String)
156 000 015     ifge met020_318		:If Bad jump to Error
042             aload_0 # var020_0
180 001 027     getfield 283
018 094         ldc1 "wingsoft"
182 000 201     invokevirtual int
		java.lang.String.indexOf(java.lang.String)
155 000 040     iflt met020_355		:If Good Jump away
met020_318:Bad Guy
042             aload_0
187 000 131     new java.lang.StringBuffer
089             dup
183 000 130     invokenonvirtual void java.lang.StringBuffer.<init>()
178 000 121     getstatic java.lang.String NEWLINE
182 000 129     invokevirtual java.lang.StringBuffer
		java.lang.StringBuffer.append(java.lang.String)
018 093         ldc1 "Sorry, WingDis is not"
{Unimportant code}
met020_355:Good Guy
{Unimportant code}


(Make sure you have told IDA to display op codes)

Simple crack! Just change the third instruction in the listing
(if_icmpeq met020_355) so that it always jumps to the good guy.

Look through the code until you find a "goto" operation,
and write down the opcode.

It's 167, or 0xA7.
Then just search for the relevant bytes, and change the
159 (0x9F) to 0xA7.

Then try de-compiling Wingdis, and it works!

Getting rid of the time limit
Run WingDis on itself, and search the source code until you 
find the date check:


Long long13	= new Long(string11);
long14		= long13.longValue();
date3		= new Date();
long16		= date3.getTime() - long14;
if ((long16 < 0L))
{
   throw new IOException("Sorry, the trial version has expired");
}
if (((long16 / long8) >= 5L))
{
   throw new IOException("Sorry, the trial version has expired");
}
if ((boolea1 == false))
{
	.......
}


All we have to do is change the first if, to always jump to 
the third if.
Search in IDA for "sorry", and we get to here:



182 000 147     invokevirtual long java.util.Date.getTime()
022 014         lload var083_14
101             lsub
055 016         lstore var083_16
022 016         lload var083_16
009             lconst_0
148             lcmp
156 000 013     ifge met083_241		//if ((long16 < 0L))
187 000 146     new java.io.IOException
089             dup
018 010         ldc1 "Sorry, the trial version has expired"
183 000 145     invokenonvirtual void java.io.IOException.<init>(java.lang.String)
191             athrow
met083_241:	//if (((long16 / long8) >= 5L))
022 016         lload var083_16
022 008         lload var083_8
109             ldiv
020 000 160     ldc2w 5
148             lcmp
155 000 013     iflt met083_263
187 000 146     new java.io.IOException
089             dup
018 010         ldc1 "Sorry, the trial version has expired"
183 000 145     invokenonvirtual void java.io.IOException.<init>(java.lang.String)
191             athrow
met083_263:	//if ((boolea1 == false))


Ok, let's change 156 000 013     ifge met083_241 to
make it always jump to met083_263.

The offset for the goto instruction is measured from the
first byte of the goto instruction to the first byte of the
instruction jumped to.
By adding up the lengths of the instructions listed above, you
will see we need to jump 35 bytes.
We do this by changing:
156 000 013 ifge jump 13 bytes
to
167 000 035 goto jump 35 bytes

As usual, Date crack was so simple it could make you cry!
When will programmers learn?
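
Seen from the vendor's side, this kind of patch is easy to detect when a reference copy of the method bytes is available. The following is an added example, not part of the original essay: it walks the date-check bytes from the listing above and reports any conditional branch that has been rewritten, decoding the old and new targets. The function names and the idea of a stored reference copy are assumptions, and the length table covers only the opcodes that appear in the listings.

```python
import struct

# Byte length of each opcode that appears in the listings above (JVM spec values).
LENGTH = {9: 1, 18: 2, 20: 3, 21: 2, 22: 2, 42: 1, 55: 2, 89: 1, 101: 1, 109: 1,
          148: 1, 155: 3, 156: 3, 159: 3, 167: 3, 178: 3, 180: 3, 182: 3,
          183: 3, 187: 3, 191: 1}
COND_BRANCH = set(range(153, 167))   # ifeq (153) .. if_acmpne (166)
GOTO = 167

def instruction_starts(code):
    """Yield the offset of every instruction in a code fragment."""
    pc = 0
    while pc < len(code):
        yield pc
        pc += LENGTH[code[pc]]       # KeyError on an opcode outside the table

def branch_target(code, pc):
    """Target = offset of the branch opcode + its signed 16-bit operand."""
    return pc + struct.unpack_from(">h", code, pc + 1)[0]

def find_branch_patches(reference, candidate):
    """Compare a shipped fragment with the reference copy and report every
    conditional branch that was rewritten, with its old and new targets."""
    if len(reference) != len(candidate):
        raise ValueError("fragments differ in length; compare whole methods")
    findings = []
    for pc in instruction_starts(reference):
        old = reference[pc:pc + LENGTH[reference[pc]]]
        new = candidate[pc:pc + len(old)]
        if old != new and old[0] in COND_BRANCH:
            kind = "forced-jump" if new[0] == GOTO else "retargeted"
            findings.append((pc, kind, branch_target(reference, pc),
                             branch_target(candidate, pc)))
    return findings

# Constructed sample: the date-check bytes exactly as listed above (decimal).
REFERENCE = bytes([182, 0, 147, 22, 14, 101, 55, 16, 22, 16, 9, 148, 156, 0, 13,
                   187, 0, 146, 89, 18, 10, 183, 0, 145, 191,
                   22, 16, 22, 8, 109, 20, 0, 160, 148, 155, 0, 13,
                   187, 0, 146, 89, 18, 10, 183, 0, 145, 191])
# The same fragment with the three bytes at offset 12 changed as described above.
PATCHED = REFERENCE[:12] + bytes([167, 0, 35]) + REFERENCE[15:]

if __name__ == "__main__":
    for pc, kind, old_t, new_t in find_branch_patches(REFERENCE, PATCHED):
        print(f"offset {pc}: {kind}, target {old_t} -> {new_t}")
```

The decoded targets (25 and 47 bytes into the fragment) correspond to met083_241 and met083_263, which confirms the 13 and 35 byte offsets worked out above.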
Fixing the comments at the start of each page
At the start of each disassembled file, there is a comment:

// This program is generated by WingDis 2.12 Trial Version, 
                                    a product from WingSoft
// For more information about WingSoft, please visit 
                                    http://www.wingsoft.com

I wanted to keep a comment there (so I can know what I have written,
and what I have decompiled), but I don't like being bothered about
irrelevant things.

This is simple to fix: just hex edit ClassReader.class, and
change the text. (Nice of the programmers to put the entire protection
inside one file for us!) To make things easier, don't change the length
of the comments, just change them to something like:

// This source code was decompiled using WingDis 2.12 ALT-F4_HCU Version
//**********************************************************************




Appendix A: Java Opcodes
Here is a quick list of some of the Java opcodes I got just from looking
at the source code.

Cmnd		Opcode		Hex
ifge		156 xxx xxx	:9c
iflt		155 xxx xxx	:9b
goto		167 xxx xxx	:a7
if_icmpeq	159 xxx xxx	:9f
invokevirtual	182 xxx xxx	:b6

For a more complete source, go to 
http://www.palenaka.com/~palenaka/que/quebooks/sej2e/36javafi.htm


 (c) +Alt-F4 9 Jan 1998 All rights reversed.
Ob duh
I won't even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
Final Notes
I hope you enjoyed this essay, which shows how easily we can patch Java!
With the combination of WingDis, IDA and a hex-editor, we can now crack anything the java programmers will throw at us!