SARASAVI English – Sinhala Dictionary Authentication Bypass

Several years ago (when I was in grade 7, I guess) my parents gifted this dictionary to someone. It’s still available here! There is a regular book + CD bundle. I kept a copy of that CD to use myself. But after that, oops... It required a password, which is randomly generated from their database to prevent the use of copies of the original CD. So I couldn’t do anything. Yesterday I came across it again when packing my stuff because of the flood. So let’s see what’s inside.


As you can see, we can’t use the digital dictionary without the real book. But luckily they had used Java, so we can try to decompile the jar file. Jar files (bytecode) contain a lot of information about the real source code, such as the original class, method, function and variable names. Unlike PE files, jar files can be decompiled into code that is very similar to the source code.


So I decompiled the main jar file. The picture above is a screenshot of the LoginScreen.class file. There is a nice little OR operator on line 80. The developers had used a special string, instead of the randomly generated word, to access the main screen. It’s for debugging purposes or just for fun. As you can see, “sandaObaMage” is the little secret. “Sanda” must be the crush of the developer :0 Anyway, we got access to the dictionary.


Really, I don’t know what the hell this is. There is something called “Phonetic Alphabet”. Probably I must install the required fonts for a good view. If you are interested, you can recompile that jar file after removing those IF statements.

Of course, it’s possible to avoid this kind of simple reversing by obfuscating the bytecode. There are several free tools like proguard and launch4j. I think launch4j is the best option because, in my experience, proguard doesn’t work well with libraries and it doubles the file size. You can obfuscate the code, convert it to exe and bundle the JRE using launch4j. So it’s handy, I think.

If you convert a jar to exe without obfuscating, it doesn’t make any sense, because anyone can extract the class files using a zip tool. Hope you enjoyed 🙂
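A jar is a zip archive, and every string literal in a class sits unencrypted in that class file's constant pool, so a developer can list the literals before shipping and catch a leftover debug password like the one above. The following Python is an added example, not code from the dictionary or from this post; the sample jar and the literal `debug-pass-123` are constructed for illustration.

```python
import io
import struct
import zipfile

# Body size in bytes of each fixed-width constant-pool entry, keyed by tag (JVM spec 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def string_literals(cls: bytes) -> list[str]:
    """Return the string literals (CONSTANT_String entries) of one class file."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", cls, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    utf8, refs, pos, i = {}, [], 10, 1
    while i < count:
        tag = cls[pos]
        pos += 1
        if tag == 1:                          # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", cls, pos)
            utf8[i] = cls[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in FIXED:
            if tag == 8:                      # CONSTANT_String: index of its Utf8 entry
                refs.append(struct.unpack_from(">H", cls, pos)[0])
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        i += 2 if tag in (5, 6) else 1        # long/double occupy two pool slots
    return [utf8[r] for r in refs if r in utf8]

def scan_jar(jar: bytes) -> dict[str, list[str]]:
    """Map each .class entry of a jar (a zip archive) to its string literals."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        return {n: string_literals(z.read(n)) for n in z.namelist() if n.endswith(".class")}

def _utf8(s: str) -> bytes:
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b

def sample_jar() -> bytes:
    """Constructed sample: a jar whose class holds only a header and constant pool."""
    pool = (_utf8("LoginScreen") + b"\x07\x00\x01"          # #1 Utf8, #2 Class -> #1
            + b"\x05" + struct.pack(">q", 42)                # #3 Long (also takes slot #4)
            + _utf8("debug-pass-123") + b"\x08\x00\x05")     # #5 Utf8, #6 String -> #5
    cls = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 7) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("LoginScreen.class", cls)
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()
```

Calling `scan_jar(sample_jar())` returns the literals per class; on a real build, pass the bytes of the jar that is about to ship and review anything that looks like a password or key.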
