如何得到jexepackv4.1a的java源码
【破解作者】 winndy[FCG][PYG]
【作者邮箱】 CNwinndy@hotmail.com
【使用工具】 DJ Java Decompiler 3.8 ,ollydbg v1.10fly修改版 ,EasyRecovery Professional v6.10
【破解平台】 Winxp
【软件名称】 jexepackv4.1a
【官方网址】 http://www.duckware.com/jexepack/index.html
【编写语言】 java(jexepack) vc(j2exestubc,j2exestubw)
【软件介绍】 可以把java的class文件打包成exe文件。但其保护存在根本性缺陷:stub(j2exestub)在运行时会把解码后的class文件写到临时目录的磁盘文件里,而所谓"加密"只是逐字节的异或/减法变换(见下文00401BF6~00401C0E的循环),因此任何能读到该临时目录的人都可以取回class文件并用DJ Java Decompiler反编译。我正是通过这一缺陷,获得了其自身的java源码,也就完成了破解。
我是在国庆节以前下载的,现在已是5.1a的版本。
【破解声明】 For Study ,For Fun
【破解过程】
$$1.漏洞的发现
我用jexepack将自己写的一个程序转化为了Example.exe,但是未注册版本会弹出一个画面。于是操起ollydbg,
对Example.exe进行分析,发现程序会在临时目录(GetTempPathA返回的路径,本机为):
C:\Documents and Settings\User\Local Settings\Temp下新建一个目录。
目录名由GetTickCount和time()的返回值按"%X%X"格式拼接而成(见00401927~00401954),CreateDirectoryA的pSecurity为NULL(见00401973),即沿用Temp目录的默认ACL,并没有额外的访问限制。
注意Local Settings是隐藏目录。
004018AD . /0F85 5B0600>jnz write2.00401F0E
004018B3 . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
004018B9 . |50 push eax ; /Buffer
004018BA . |68 E6000000 push 0E6 ; |BufSize = E6 (230.)
004018BF . |FF15 543040>call dword ptr ds:[<&KERNEL32.GetTempPathA>] ; \GetTempPathA
004018C5 . |85C0 test eax,eax
004018C7 . |7E 52 jle short write2.0040191B
004018C9 . |80BC05 C3FE>cmp byte ptr ss:[ebp+eax-13D],5C
004018D1 . |74 13 je short write2.004018E6 ; jump
004018D3 . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
004018D9 . |68 58444000 push write2.00404458 ; /src = "\"
004018DE . |50 push eax ; |dest
004018DF . |E8 78080000 call <jmp.&MSVCRT.strcat> ; \strcat
004018E4 . |59 pop ecx
004018E5 . |59 pop ecx
004018E6 > |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
004018EC . |50 push eax
004018ED . |68 4C444000 push write2.0040444C ; ASCII "temppath"
004018F2 . |E8 2EF7FFFF call write2.00401025
004018F7 . |59 pop ecx
004018F8 . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
004018FE . |59 pop ecx
004018FF . |50 push eax ; /FileName
00401900 . |FF15 503040>call dword ptr ds:[<&KERNEL32.GetFileAttributesA>; \GetFileAttributesA
00401906 . |83F8 FF cmp eax,-1
00401909 . |74 04 je short write2.0040190F
0040190B . |A8 10 test al,10
0040190D . |75 18 jnz short write2.00401927
0040190F > |C745 F8 192>mov dword ptr ss:[ebp-8],2719
00401916 . |E9 25030000 jmp write2.00401C40
0040191B > |C745 F8 172>mov dword ptr ss:[ebp-8],2717
00401922 . |E9 19030000 jmp write2.00401C40
00401927 > |FF15 4C3040>call dword ptr ds:[<&KERNEL32.GetTickCount>] ; [GetTickCount
0040192D . |50 push eax
0040192E . |6A 00 push 0 ; /timer = NULL
00401930 . |FF15 A43040>call dword ptr ds:[<&MSVCRT.time>] ; \time
00401936 . |59 pop ecx
00401937 . |50 push eax
00401938 . |8D85 60FEFF>lea eax,dword ptr ss:[ebp-1A0]
0040193E . |68 44444000 push write2.00404444 ; ASCII "%X%X"
00401943 . |50 push eax
00401944 . |FFD7 call edi
00401946 . |8D85 60FEFF>lea eax,dword ptr ss:[ebp-1A0]
0040194C . |50 push eax ; /src
0040194D . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C] ; |
00401953 . |50 push eax ; |dest
00401954 . |E8 03080000 call <jmp.&MSVCRT.strcat> ; \strcat
00401959 . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
0040195F . |50 push eax
00401960 . |68 3C444000 push write2.0040443C ; ASCII "tempdir"
00401965 . |E8 BBF6FFFF call write2.00401025
0040196A . |83C4 20 add esp,20
0040196D . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
00401973 . |6A 00 push 0 ; /pSecurity = NULL
00401975 . |50 push eax ; |Path
00401976 . |FF15 483040>call dword ptr ds:[<&KERNEL32.CreateDirectoryA>] ; \CreateDirectoryA
0040197C . |85C0 test eax,eax
0040197E . |0F84 FD0100>je write2.00401B81
00401984 . |6A 00 push 0 ; /BufSize = 0
00401986 . |BB 34444000 mov ebx,write2.00404434 ; |ASCII "path"
0040198B . |6A 00 push 0 ; |Buffer = NULL
0040198D . |53 push ebx ; |VarName => "path"
0040198E . |FF15 443040>call dword ptr ds:[<&KERNEL32.GetEnvironmentVari>; \GetEnvironmentVariableA
00401B8D > \FF35 144040>push dword ptr ds:[404014] ; write2.00404070
00401B93 . 8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
00401B99 . 50 push eax
00401B9A . 8D85 58FCFF>lea eax,dword ptr ss:[ebp-3A8]
00401BA0 . 68 F0434000 push write2.004043F0 ; ASCII "%s\%sboot.class"
00401BA5 . 50 push eax
00401BA6 . FFD7 call edi
00401BA8 . 83C4 10 add esp,10
00401BAB . 33C0 xor eax,eax
00401BAD . 50 push eax ; /hTemplateFile => NULL
00401BAE . 50 push eax ; |Attributes => 0
00401BAF . 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00401BB1 . 50 push eax ; |pSecurity => NULL
00401BB2 . 6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401BB4 . 8D85 58FCFF>lea eax,dword ptr ss:[ebp-3A8] ; |
00401BBA . 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401BBF . 50 push eax ; |FileName
00401BC0 . FF15 383040>call dword ptr ds:[<&KERNEL32.CreateFileA>] ; \CreateFileA
;此处以CREATE_ALWAYS、GENERIC_READ|GENERIC_WRITE、FILE_SHARE_READ|FILE_SHARE_WRITE创建jexepackboot.class(路径由00401BA0处的"%s\%sboot.class"拼出),文件刚生成,尚无内容;共享模式允许其他进程在它存在期间同时读写该文件。
00401BC6 . 83F8 FF cmp eax,-1
00401BC9 . 8945 F0 mov dword ptr ss:[ebp-10],eax
00401BCC . 74 6B je short write2.00401C39
00401BCE . 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00401BD1 . 8B4D DC mov ecx,dword ptr ss:[ebp-24]
00401BD4 . 6A 01 push 1
00401BD6 . 8B5C01 18 mov ebx,dword ptr ds:[ecx+eax+18]
00401BDA . 53 push ebx
00401BDB . FFD6 call esi
00401BDD . 8945 F4 mov dword ptr ss:[ebp-C],eax
00401BE0 . 59 pop ecx
00401BE1 . 33C0 xor eax,eax
00401BE3 . 59 pop ecx
00401BE4 . 85DB test ebx,ebx
00401BE6 . 7E 28 jle short write2.00401C10
00401BE8 . 8B55 DC mov edx,dword ptr ss:[ebp-24]
00401BEB . 2B55 F4 sub edx,dword ptr ss:[ebp-C]
00401BEE . 8955 E0 mov dword ptr ss:[ebp-20],edx
00401BF1 . EB 03 jmp short write2.00401BF6
00401BF3 > 8B55 E0 mov edx,dword ptr ss:[ebp-20]
00401BF6 > 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00401BF9 . 8B75 E8 mov esi,dword ptr ss:[ebp-18]
00401BFC . 03C8 add ecx,eax
00401BFE . 03D1 add edx,ecx
00401C00 . 8A5432 1C mov dl,byte ptr ds:[edx+esi+1C]
00401C04 . 32D0 xor dl,al
00401C06 . 80EA 64 sub dl,64
00401C09 . 40 inc eax
00401C0A . 3BC3 cmp eax,ebx
00401C0C . 8811 mov byte ptr ds:[ecx],dl
00401C0E .^ 7C E3 jl short write2.00401BF3
00401C10 > 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00401C13 . 6A 00 push 0 ; /pOverlapped = NULL
00401C15 . 50 push eax ; |pBytesWritten
00401C16 . 53 push ebx ; |nBytesToWrite
00401C17 . FF75 F4 push dword ptr ss:[ebp-C] ; |Buffer
00401C1A . FF75 F0 push dword ptr ss:[ebp-10] ; |hFile
00401C1D . FF15 3C3040>call dword ptr ds:[<&KERNEL32.WriteFile>] ; \WriteFile
;把解码后的内容写入jexepackboot.class。解码循环在00401BF6~00401C0E:长度取自数据块偏移0x18处(00401BD6),第i个输出字节 = (输入字节 xor (i & 0xFF)) - 0x64——只是简单的逐字节变换,并非加密,落盘的class文件就是明文。
00401C23 . 85C0 test eax,eax
00401C25 . 75 07 jnz short write2.00401C2E
00401C27 . C745 F8 112>mov dword ptr ss:[ebp-8],2711
00401C2E > FF75 F0 push dword ptr ss:[ebp-10] ; /hObject
00401C31 . FF15 083040>call dword ptr ds:[<&KERNEL32.CloseHandle>] ; \CloseHandle
00401C37 . EB 07 jmp short write2.00401C40
00401C39 > C745 F8 112>mov dword ptr ss:[ebp-8],2711
00401C40 > 33DB xor ebx,ebx
00401C42 . 53 push ebx
00401C43 . 68 EC434000 push write2.004043EC ; ASCII "mf"
00401C48 . FF75 E4 push dword ptr ss:[ebp-1C]
00401C4B . E8 AEF7FFFF call write2.004013FE
00401C50 . 53 push ebx
00401C51 . 68 E4434000 push write2.004043E4 ; ASCII "minver"
00401C56 . FF75 E4 push dword ptr ss:[ebp-1C]
00401C59 . 8945 F4 mov dword ptr ss:[ebp-C],eax
00401C5C . E8 9DF7FFFF call write2.004013FE
00401C61 . 68 D4444000 push write2.004044D4
00401C66 . 68 E0434000 push write2.004043E0 ; ASCII "jop"
00401C6B . FF75 E4 push dword ptr ss:[ebp-1C]
00401C6E . 8945 F0 mov dword ptr ss:[ebp-10],eax
00401C71 . E8 88F7FFFF call write2.004013FE
00401C76 . FF75 E8 push dword ptr ss:[ebp-18] ; /block
00401C79 . A3 CC444000 mov dword ptr ds:[4044CC],eax ; |
00401C7E . FF15 A03040>call dword ptr ds:[<&MSVCRT.free>] ; \free
00401C84 . 83C4 28 add esp,28
00401C87 395D F8 cmp dword ptr ss:[ebp-8],ebx
00401C8A . 895D E8 mov dword ptr ss:[ebp-18],ebx
00401C8D . 0F85 350200>jnz write2.00401EC8
00401C93 . BE E8424000 mov esi,write2.004042E8 ; ASCII "This EXE was produced using an
UNREGISTERED version of JexePack. Any
distribution
of this EXE is prohibited
and a violation of US Copyright law and
international treaty.
An EXE produced
with a registered JexePack does not display
this "...
00401C98 . 56 push esi ; /s => "This EXE was produced using an
UNREGISTERED version of JexePack. Any
distribution
of this EXE is prohibited and a
violation of US Copyright law and
international treaty.
An EXE produced with a
registered JexePack does not display this "...
00401C99 . E8 B8040000 call <jmp.&MSVCRT.strlen> ; \strlen
00401C9E . 59 pop ecx
00401C9F . 33C9 xor ecx,ecx
00401CA1 . 85C0 test eax,eax
00401CA3 . EB 6A jmp short write2.00401D0F
00401CA5 > 0FBE91 E842>movsx edx,byte ptr ds:[ecx+4042E8]
00401CAC . 03D1 add edx,ecx
00401CAE . 69D2 71FEC5>imul edx,edx,1FC5FE71
00401CB4 . 33DA xor ebx,edx
00401CB6 . 41 inc ecx
00401CB7 . 3BC8 cmp ecx,eax
00401CB9 .^ 7C EA jl short write2.00401CA5
00401CBB . 81FB B70D15>cmp ebx,94150DB7
00401CC1 . 75 40 jnz short write2.00401D03
00401CC3 . FF15 4C3040>call dword ptr ds:[<&KERNEL32.GetTickCount>] ; [GetTickCount
00401CC9 . 8945 E0 mov dword ptr ss:[ebp-20],eax
00401CCC . 33DB xor ebx,ebx
00401CCE > FF15 4C3040>call dword ptr ds:[<&KERNEL32.GetTickCount>] ; [GetTickCount
00401CD4 . 2B45 E0 sub eax,dword ptr ss:[ebp-20] ;两次得到的tick数相减
00401CD7 . 3D E8030000 cmp eax,3E8
00401CDC . 73 20 jnb short write2.00401CFE
00401CDE . A1 C8444000 mov eax,dword ptr ds:[4044C8]
00401CE3 . 85C0 test eax,eax
00401CE5 . 75 05 jnz short write2.00401CEC
00401CE7 . A1 14404000 mov eax,dword ptr ds:[404014]
00401CEC > 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401CEE . 50 push eax ; |Title
00401CEF . 56 push esi ; |Text
00401CF0 . 6A 00 push 0 ; |hOwner = NULL
00401CF2 . FF15 E03040>call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
00401CF8 . 43 inc ebx
00401CF9 . 83FB 64 cmp ebx,64
00401CFC .^ 7C D0 jl short write2.00401CCE
00401CFE > 83FB 14 cmp ebx,14
00401D01 . 7E 0C jle short write2.00401D0F
00401D03 > C745 F8 382>mov dword ptr ss:[ebp-8],2738
00401D0A . E9 B9010000 jmp write2.00401EC8
00401D0F > 8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
00401D15 . 50 push eax
00401D16 . 8D85 00FAFF>lea eax,dword ptr ss:[ebp-600]
00401D1C . 68 DC424000 push write2.004042DC ; ASCII "%s\Jz.Ky.Tx"
;这是个长为0x64字节,每个字节都是0的文件
00401D21 . 50 push eax
00401D22 . FFD7 call edi
00401D24 . 8B5D CC mov ebx,dword ptr ss:[ebp-34]
00401D27 . 83C4 0C add esp,0C
00401D2A . 33F6 xor esi,esi
00401D2C . 8A03 mov al,byte ptr ds:[ebx]
00401D2E . 8975 DC mov dword ptr ss:[ebp-24],esi
00401D31 . 84C0 test al,al
00401D33 . 0F84 500100>je write2.00401E89 ; no jump
00401D39 > 85F6 test esi,esi
00401D3B . 0F85 870100>jnz write2.00401EC8
00401D41 . 3975 F4 cmp dword ptr ss:[ebp-C],esi
00401D44 . 75 05 jnz short write2.00401D4B
00401D46 . 3975 D4 cmp dword ptr ss:[ebp-2C],esi
00401D49 . 74 07 je short write2.00401D52 ; jump
00401D4B > B9 D8424000 mov ecx,write2.004042D8
00401D50 . EB 05 jmp short write2.00401D57
00401D52 > B9 D4424000 mov ecx,write2.004042D4 ; ASCII "ER"
00401D57 > 6A 00 push 0
00401D59 . 8D95 5CFDFF>lea edx,dword ptr ss:[ebp-2A4]
00401D5F . FF75 08 push dword ptr ss:[ebp+8]
00401D62 . 52 push edx
00401D63 . 8D95 C4FEFF>lea edx,dword ptr ss:[ebp-13C]
00401D69 . FF35 144040>push dword ptr ds:[404014] ; write2.00404070
00401D6F . 52 push edx
00401D70 . FF75 FC push dword ptr ss:[ebp-4]
00401D73 . 51 push ecx
00401D74 . 50 push eax
00401D75 . E8 F2F7FFFF call write2.0040156C
00401D7A . 50 push eax
00401D7B . E8 FDF2FFFF call write2.0040107D