[Original] Application to join DFCG No.3 -- How to obtain the Java source code of jexepackv4.1a
Posted on: 2005-10-12 12:07 10145

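How to obtain the Java source code of jexepackv4.1a
[Author] winndy[FCG][PYG]
[Author's e-mail] CNwinndy@hotmail.com
[Tools used] DJ Java Decompiler 3.8, ollydbg v1.10 (fly's modified build), EasyRecovery Professional v6.10
[Platform] Winxp
[Software name] jexepackv4.1a
[Official site] http://www.duckware.com/jexepack/index.html
[Written in] java (jexepack), vc (j2exestubc, j2exestubw)
[About the software] It can package Java class files into an exe file, but it has a major flaw. It was through this flaw that I obtained its own Java source code, which also completed the crack.
             I downloaded it before the National Day holiday; the current version is already 5.1a.
[Statement] For Study, For Fun
[Cracking process]
             $$1. Discovering the flaw
               I used jexepack to convert a program I had written into Example.exe, but the unregistered version pops up a screen. So I picked up ollydbg and analysed Example.exe, and found that the program creates a new directory under the temporary directory:
C:\Documents and Settings\User\Local Settings\Temp
Note that Local Settings is a hidden directory.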

004018AD    . /0F85 5B0600>jnz write2.00401F0E
004018B3    . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
004018B9    . |50          push eax                                         ; /Buffer
004018BA    . |68 E6000000 push 0E6                                         ; |BufSize = E6 (230.)
004018BF    . |FF15 543040>call dword ptr ds:[<&KERNEL32.GetTempPathA>]     ; \GetTempPathA
004018C5    . |85C0        test eax,eax
004018C7    . |7E 52       jle short write2.0040191B
004018C9    . |80BC05 C3FE>cmp byte ptr ss:[ebp+eax-13D],5C
004018D1    . |74 13       je short write2.004018E6                         ;  jump
004018D3    . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
004018D9    . |68 58444000 push write2.00404458                             ; /src = "\"
004018DE    . |50          push eax                                         ; |dest
004018DF    . |E8 78080000 call <jmp.&MSVCRT.strcat>                        ; \strcat
004018E4    . |59          pop ecx
004018E5    . |59          pop ecx
004018E6    > |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
004018EC    . |50          push eax
004018ED    . |68 4C444000 push write2.0040444C                             ;  ASCII "temppath"
004018F2    . |E8 2EF7FFFF call write2.00401025
004018F7    . |59          pop ecx
004018F8    . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
004018FE    . |59          pop ecx
004018FF    . |50          push eax                                         ; /FileName
00401900    . |FF15 503040>call dword ptr ds:[<&KERNEL32.GetFileAttributesA>; \GetFileAttributesA
00401906    . |83F8 FF     cmp eax,-1
00401909    . |74 04       je short write2.0040190F
0040190B    . |A8 10       test al,10
0040190D    . |75 18       jnz short write2.00401927
0040190F    > |C745 F8 192>mov dword ptr ss:[ebp-8],2719
00401916    . |E9 25030000 jmp write2.00401C40
0040191B    > |C745 F8 172>mov dword ptr ss:[ebp-8],2717
00401922    . |E9 19030000 jmp write2.00401C40
00401927    > |FF15 4C3040>call dword ptr ds:[<&KERNEL32.GetTickCount>]     ; [GetTickCount
0040192D    . |50          push eax
0040192E    . |6A 00       push 0                                           ; /timer = NULL
00401930    . |FF15 A43040>call dword ptr ds:[<&MSVCRT.time>]               ; \time
00401936    . |59          pop ecx
00401937    . |50          push eax
00401938    . |8D85 60FEFF>lea eax,dword ptr ss:[ebp-1A0]
0040193E    . |68 44444000 push write2.00404444                             ;  ASCII "%X%X"
00401943    . |50          push eax
00401944    . |FFD7        call edi
00401946    . |8D85 60FEFF>lea eax,dword ptr ss:[ebp-1A0]
0040194C    . |50          push eax                                         ; /src
0040194D    . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]                   ; |
00401953    . |50          push eax                                         ; |dest
00401954    . |E8 03080000 call <jmp.&MSVCRT.strcat>                        ; \strcat
00401959    . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
0040195F    . |50          push eax
00401960    . |68 3C444000 push write2.0040443C                             ;  ASCII "tempdir"
00401965    . |E8 BBF6FFFF call write2.00401025
0040196A    . |83C4 20     add esp,20
0040196D    . |8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
00401973    . |6A 00       push 0                                           ; /pSecurity = NULL
00401975    . |50          push eax                                         ; |Path
00401976    . |FF15 483040>call dword ptr ds:[<&KERNEL32.CreateDirectoryA>] ; \CreateDirectoryA
0040197C    . |85C0        test eax,eax
0040197E    . |0F84 FD0100>je write2.00401B81
00401984    . |6A 00       push 0                                           ; /BufSize = 0
00401986    . |BB 34444000 mov ebx,write2.00404434                          ; |ASCII "path"
0040198B    . |6A 00       push 0                                           ; |Buffer = NULL
0040198D    . |53          push ebx                                         ; |VarName => "path"
0040198E    . |FF15 443040>call dword ptr ds:[<&KERNEL32.GetEnvironmentVari>; \GetEnvironmentVariableA


00401B8D    > \FF35 144040>push dword ptr ds:[404014]                       ;  write2.00404070
00401B93    .  8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
00401B99    .  50          push eax
00401B9A    .  8D85 58FCFF>lea eax,dword ptr ss:[ebp-3A8]
00401BA0    .  68 F0434000 push write2.004043F0                             ;  ASCII "%s\%sboot.class"
00401BA5    .  50          push eax
00401BA6    .  FFD7        call edi
00401BA8    .  83C4 10     add esp,10
00401BAB    .  33C0        xor eax,eax
00401BAD    .  50          push eax                                         ; /hTemplateFile => NULL
00401BAE    .  50          push eax                                         ; |Attributes => 0
00401BAF    .  6A 02       push 2                                           ; |Mode = CREATE_ALWAYS
00401BB1    .  50          push eax                                         ; |pSecurity => NULL
00401BB2    .  6A 03       push 3                                           ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401BB4    .  8D85 58FCFF>lea eax,dword ptr ss:[ebp-3A8]                   ; |
00401BBA    .  68 000000C0 push C0000000                                    ; |Access = GENERIC_READ|GENERIC_WRITE
00401BBF    .  50          push eax                                         ; |FileName
00401BC0    .  FF15 383040>call dword ptr ds:[<&KERNEL32.CreateFileA>]      ; \CreateFileA
                                                                            ;jexepackboot.class is created, but is still empty
00401BC6    .  83F8 FF     cmp eax,-1
00401BC9    .  8945 F0     mov dword ptr ss:[ebp-10],eax
00401BCC    .  74 6B       je short write2.00401C39
00401BCE    .  8B45 E8     mov eax,dword ptr ss:[ebp-18]
00401BD1    .  8B4D DC     mov ecx,dword ptr ss:[ebp-24]
00401BD4    .  6A 01       push 1
00401BD6    .  8B5C01 18   mov ebx,dword ptr ds:[ecx+eax+18]
00401BDA    .  53          push ebx
00401BDB    .  FFD6        call esi
00401BDD    .  8945 F4     mov dword ptr ss:[ebp-C],eax
00401BE0    .  59          pop ecx
00401BE1    .  33C0        xor eax,eax
00401BE3    .  59          pop ecx
00401BE4    .  85DB        test ebx,ebx
00401BE6    .  7E 28       jle short write2.00401C10
00401BE8    .  8B55 DC     mov edx,dword ptr ss:[ebp-24]
00401BEB    .  2B55 F4     sub edx,dword ptr ss:[ebp-C]
00401BEE    .  8955 E0     mov dword ptr ss:[ebp-20],edx
00401BF1    .  EB 03       jmp short write2.00401BF6
00401BF3    >  8B55 E0     mov edx,dword ptr ss:[ebp-20]
00401BF6    >  8B4D F4     mov ecx,dword ptr ss:[ebp-C]
00401BF9    .  8B75 E8     mov esi,dword ptr ss:[ebp-18]
00401BFC    .  03C8        add ecx,eax
00401BFE    .  03D1        add edx,ecx
00401C00    .  8A5432 1C   mov dl,byte ptr ds:[edx+esi+1C]
00401C04    .  32D0        xor dl,al
00401C06    .  80EA 64     sub dl,64
00401C09    .  40          inc eax
00401C0A    .  3BC3        cmp eax,ebx
00401C0C    .  8811        mov byte ptr ds:[ecx],dl
00401C0E    .^ 7C E3       jl short write2.00401BF3
00401C10    >  8D45 C8     lea eax,dword ptr ss:[ebp-38]
00401C13    .  6A 00       push 0                                           ; /pOverlapped = NULL
00401C15    .  50          push eax                                         ; |pBytesWritten
00401C16    .  53          push ebx                                         ; |nBytesToWrite
00401C17    .  FF75 F4     push dword ptr ss:[ebp-C]                        ; |Buffer
00401C1A    .  FF75 F0     push dword ptr ss:[ebp-10]                       ; |hFile
00401C1D    .  FF15 3C3040>call dword ptr ds:[<&KERNEL32.WriteFile>]        ; \WriteFile
                                                                            ;write to jexepackboot.class
00401C23    .  85C0        test eax,eax
00401C25    .  75 07       jnz short write2.00401C2E
00401C27    .  C745 F8 112>mov dword ptr ss:[ebp-8],2711
00401C2E    >  FF75 F0     push dword ptr ss:[ebp-10]                       ; /hObject
00401C31    .  FF15 083040>call dword ptr ds:[<&KERNEL32.CloseHandle>]      ; \CloseHandle
00401C37    .  EB 07       jmp short write2.00401C40
00401C39    >  C745 F8 112>mov dword ptr ss:[ebp-8],2711
00401C40    >  33DB        xor ebx,ebx
00401C42    .  53          push ebx
00401C43    .  68 EC434000 push write2.004043EC                             ;  ASCII "mf"
00401C48    .  FF75 E4     push dword ptr ss:[ebp-1C]
00401C4B    .  E8 AEF7FFFF call write2.004013FE
00401C50    .  53          push ebx
00401C51    .  68 E4434000 push write2.004043E4                             ;  ASCII "minver"
00401C56    .  FF75 E4     push dword ptr ss:[ebp-1C]
00401C59    .  8945 F4     mov dword ptr ss:[ebp-C],eax
00401C5C    .  E8 9DF7FFFF call write2.004013FE
00401C61    .  68 D4444000 push write2.004044D4
00401C66    .  68 E0434000 push write2.004043E0                             ;  ASCII "jop"
00401C6B    .  FF75 E4     push dword ptr ss:[ebp-1C]
00401C6E    .  8945 F0     mov dword ptr ss:[ebp-10],eax
00401C71    .  E8 88F7FFFF call write2.004013FE
00401C76    .  FF75 E8     push dword ptr ss:[ebp-18]                       ; /block
00401C79    .  A3 CC444000 mov dword ptr ds:[4044CC],eax                    ; |
00401C7E    .  FF15 A03040>call dword ptr ds:[<&MSVCRT.free>]               ; \free
00401C84    .  83C4 28     add esp,28
00401C87       395D F8     cmp dword ptr ss:[ebp-8],ebx
00401C8A    .  895D E8     mov dword ptr ss:[ebp-18],ebx
00401C8D    .  0F85 350200>jnz write2.00401EC8
00401C93    .  BE E8424000 mov esi,write2.004042E8                          ;  ASCII "This EXE was produced using an UNREGISTERED version of JexePack.  Any distribution
of this EXE is prohibited and a violation of US Copyright law and international treaty.

An EXE produced with a registered JexePack does not display this "...
00401C98    .  56          push esi                                         ; /s => "This EXE was produced using an UNREGISTERED version of JexePack.  Any distribution
of this EXE is prohibited and a violation of US Copyright law and international treaty.

An EXE produced with a registered JexePack does not display this "...
00401C99    .  E8 B8040000 call <jmp.&MSVCRT.strlen>                        ; \strlen
00401C9E    .  59          pop ecx
00401C9F    .  33C9        xor ecx,ecx
00401CA1    .  85C0        test eax,eax
00401CA3    .  EB 6A       jmp short write2.00401D0F
00401CA5    >  0FBE91 E842>movsx edx,byte ptr ds:[ecx+4042E8]
00401CAC    .  03D1        add edx,ecx
00401CAE    .  69D2 71FEC5>imul edx,edx,1FC5FE71
00401CB4    .  33DA        xor ebx,edx
00401CB6    .  41          inc ecx
00401CB7    .  3BC8        cmp ecx,eax
00401CB9    .^ 7C EA       jl short write2.00401CA5
00401CBB    .  81FB B70D15>cmp ebx,94150DB7
00401CC1    .  75 40       jnz short write2.00401D03
00401CC3    .  FF15 4C3040>call dword ptr ds:[<&KERNEL32.GetTickCount>]     ; [GetTickCount
00401CC9    .  8945 E0     mov dword ptr ss:[ebp-20],eax
00401CCC    .  33DB        xor ebx,ebx
00401CCE    >  FF15 4C3040>call dword ptr ds:[<&KERNEL32.GetTickCount>]     ; [GetTickCount
00401CD4    .  2B45 E0     sub eax,dword ptr ss:[ebp-20]                    ;subtract the two tick counts
00401CD7    .  3D E8030000 cmp eax,3E8
00401CDC    .  73 20       jnb short write2.00401CFE
00401CDE    .  A1 C8444000 mov eax,dword ptr ds:[4044C8]
00401CE3    .  85C0        test eax,eax
00401CE5    .  75 05       jnz short write2.00401CEC
00401CE7    .  A1 14404000 mov eax,dword ptr ds:[404014]
00401CEC    >  6A 10       push 10                                          ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401CEE    .  50          push eax                                         ; |Title
00401CEF    .  56          push esi                                         ; |Text
00401CF0    .  6A 00       push 0                                           ; |hOwner = NULL
00401CF2    .  FF15 E03040>call dword ptr ds:[<&USER32.MessageBoxA>]        ; \MessageBoxA
00401CF8    .  43          inc ebx
00401CF9    .  83FB 64     cmp ebx,64
00401CFC    .^ 7C D0       jl short write2.00401CCE
00401CFE    >  83FB 14     cmp ebx,14
00401D01    .  7E 0C       jle short write2.00401D0F
00401D03    >  C745 F8 382>mov dword ptr ss:[ebp-8],2738
00401D0A    .  E9 B9010000 jmp write2.00401EC8
00401D0F    >  8D85 C4FEFF>lea eax,dword ptr ss:[ebp-13C]
00401D15    .  50          push eax
00401D16    .  8D85 00FAFF>lea eax,dword ptr ss:[ebp-600]
00401D1C    .  68 DC424000 push write2.004042DC                             ;  ASCII "%s\Jz.Ky.Tx"
                                                                            ;this is a file 0x64 bytes long in which every byte is 0
00401D21    .  50          push eax
00401D22    .  FFD7        call edi
00401D24    .  8B5D CC     mov ebx,dword ptr ss:[ebp-34]
00401D27    .  83C4 0C     add esp,0C
00401D2A    .  33F6        xor esi,esi
00401D2C    .  8A03        mov al,byte ptr ds:[ebx]
00401D2E    .  8975 DC     mov dword ptr ss:[ebp-24],esi
00401D31    .  84C0        test al,al
00401D33    .  0F84 500100>je write2.00401E89                               ;  no jump
00401D39    >  85F6        test esi,esi
00401D3B    .  0F85 870100>jnz write2.00401EC8
00401D41    .  3975 F4     cmp dword ptr ss:[ebp-C],esi
00401D44    .  75 05       jnz short write2.00401D4B
00401D46    .  3975 D4     cmp dword ptr ss:[ebp-2C],esi
00401D49    .  74 07       je short write2.00401D52                         ;  jump
00401D4B    >  B9 D8424000 mov ecx,write2.004042D8
00401D50    .  EB 05       jmp short write2.00401D57
00401D52    >  B9 D4424000 mov ecx,write2.004042D4                          ;  ASCII "ER"
00401D57    >  6A 00       push 0
00401D59    .  8D95 5CFDFF>lea edx,dword ptr ss:[ebp-2A4]
00401D5F    .  FF75 08     push dword ptr ss:[ebp+8]
00401D62    .  52          push edx
00401D63    .  8D95 C4FEFF>lea edx,dword ptr ss:[ebp-13C]
00401D69    .  FF35 144040>push dword ptr ds:[404014]                       ;  write2.00404070
00401D6F    .  52          push edx
00401D70    .  FF75 FC     push dword ptr ss:[ebp-4]
00401D73    .  51          push ecx
00401D74    .  50          push eax
00401D75    .  E8 F2F7FFFF call write2.0040156C
00401D7A    .  50          push eax
00401D7B    .  E8 FDF2FFFF call write2.0040107D                            
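
Added example, not part of the original post or of JexePack: a C rendering of the decode loop at 00401BF3..00401C0E in the listing above, together with its inverse, showing that the embedded boot class is protected only by a keyless per-byte transform. The function names, the bounds checks and the sample record are assumptions of this example; the 0x18 and 0x1C offsets are read from the listing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LEN_OFF  0x18   /* length dword:  mov ebx,[ecx+eax+18] */
#define DATA_OFF 0x1C   /* first byte:    mov dl,[edx+esi+1C]  */

/* Loop at 00401BF3..00401C0E: xor dl,al ; sub dl,64 (index wraps at 8 bits). */
void stub_decode(const uint8_t *enc, uint8_t *plain, size_t n) {
    for (size_t i = 0; i < n; i++)
        plain[i] = (uint8_t)((enc[i] ^ (uint8_t)i) - 0x64);
}

/* Exact inverse, i.e. what the packing side must do. No key is involved. */
void stub_encode(const uint8_t *plain, uint8_t *enc, size_t n) {
    for (size_t i = 0; i < n; i++)
        enc[i] = (uint8_t)((uint8_t)(plain[i] + 0x64) ^ (uint8_t)i);
}

/* Decode one record at rec_off. The bounds checks are this example's own;
   returns the payload length, or -1 if the record does not fit. */
long decode_record(const uint8_t *blob, size_t blob_len, size_t rec_off,
                   uint8_t *out, size_t out_cap) {
    if (rec_off > blob_len || blob_len - rec_off < DATA_OFF) return -1;
    const uint8_t *p = blob + rec_off + LEN_OFF;
    uint32_t n = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    if (n > blob_len - rec_off - DATA_OFF || n > out_cap) return -1;
    stub_decode(blob + rec_off + DATA_OFF, out, n);
    return (long)n;
}

/* Constructed sample: a record whose payload is the first 8 bytes of a
   class file (magic CAFEBABE plus a made-up version). Returns 1 on match. */
int demo_roundtrip(void) {
    const uint8_t plain[8] = {0xCA, 0xFE, 0xBA, 0xBE, 0x00, 0x00, 0x00, 0x2E};
    uint8_t blob[DATA_OFF + sizeof plain] = {0}, out[sizeof plain];
    blob[LEN_OFF] = (uint8_t)sizeof plain;     /* little-endian length */
    stub_encode(plain, blob + DATA_OFF, sizeof plain);
    long n = decode_record(blob, sizeof blob, 0, out, sizeof out);
    return n == (long)sizeof plain && memcmp(out, plain, sizeof plain) == 0;
}

int main(void) {
    printf("round trip %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

Because the transform depends only on the byte and its index, anything shipped in this form should be treated as readable by whoever holds the EXE.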

Latest replies (14)
#2
I forgot to add the attachment.
Attachment: jexepack4.1a.rar
2005-10-12 12:10
#3
Bumping this for you. Looks like I was a bit quick there, hehe!!
2005-10-12 12:13
#4
Nobody seems interested, so I'll bump it myself.
A little encouragement for myself.
2005-10-12 20:37
#5
Many thanks to the moderator for marking this as a featured post as encouragement.
Give me a few points for the hard work...
2005-10-12 20:49
#6
I'm very interested in the source code you recovered :)
2005-10-13 08:48
#7
Originally posted by 舵手
I'm very interested in the source code you recovered :)


If you have time, write up a fully commented version of the code and post it for everyone to learn from!
2005-10-13 12:08
#8
I do have the time. I downloaded the new version and tried it, but the JVM keeps reporting errors; I don't know whether it is a version problem.
2005-10-13 14:21
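#9
Originally posted by 舵手
I do have the time. I downloaded the new version and tried it, but the JVM keeps reporting errors; I don't know whether it is a version problem.

Is your JVM the latest too?
5.1a works for me.
Since you have the time, brother, please look into it.
2005-10-13 14:43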
#10
JVM 1.4.2_08
2005-10-13 15:08
#11
Mine is 1.5,
the latest version.
2005-10-13 15:23
#12
Leave your QQ so we can talk.
2005-10-13 15:25
#13
Originally posted by 舵手
Leave your QQ so we can talk.


I'm pretty much a novice myself,
but I'm happy to exchange experience with others.
Send your QQ to my mailbox: CNwinndy@hotmail.com
and I'll add you.
2005-10-13 17:28
#14
Learning, learning, studying hard.
2005-10-13 17:37
#15
Tools download area:
http://bbs.pediy.com/showthread.php?s=&threadid=18105
2005-11-1 17:27