
REVERSING J2ME APPLICATIONS

by funtikar

This tutorial is meant for absolute beginners only


I wrote this tutorial so that absolute beginners who want to learn to reverse J2ME
applications can do it quickly, without any hardcore brain-busting.
This tutorial contains 2 parts: the Introduction and the Reversing part.

=====================================================
INTRODUCTION
---------------------------------------------------------------------------------------------------------

--Info!
J2ME apps (.jar files) are just zip files containing code (class files) and resources (images, audio, text files etc.).

++HEXADECIMALS++
Let me explain a little bit about hexadecimals first..

I will first explain about bits... Bits are the smallest unit of data; one bit can be
either 1 or 0. The binary number system uses these as its digits, so a binary number only
contains 1s and 0s. 8 binary digits form a Byte; for example 0100 0111 is considered
1 Byte. Written as a byte, 0100 0111 is 47, but that 47 is in the hexadecimal number
system.. Guess what?
Hexadecimal numbers can be converted to decimal numbers! Yes!! The ones we use
every day, which are 0 to 9...

This means

Binary      Hexadecimal   Decimal
0100 0111   47            71

There are ways to manually convert between these number systems but I won't explain them.. By the way,
the Windows Calculator can do it for you..

++CODES++
-Codes are instructions to be executed by a computer/machine.
..The code used in Java is compiled into CLASS files in a specific format.
..CLASS files are nothing but bits/bytes of data, but when fed to the Java Virtual Machine they
become instructions/code for the Java Virtual Machine to execute..
..This means that the CLASS files can be viewed in hexadecimal form; this can be achieved by
using a hex editor... Almost every byte in the code of a CLASS file is a bytecode (an opcode) or one of its arguments..

e.g

B2 00 0E 12 10 B6 00 16 B1

When interpreted with a bytecode mnemonic reference, it is actually:

getstatic #14       // equals B2 00 0E
ldc1 #16            // equals 12 10
invokevirtual #22   // equals B6 00 16
return              // equals B1

B2 is the opcode for getstatic, whereas the 00 0E are just its arguments, in this case the location
(constant pool index #14) to be fed to the opcode.. As you can see, the others are just like that except return,
because it doesn't need arguments.

IMPORTANT NOTE!!
For jumps such as ifne and ifeq the argument bytes are not the target as displayed in a listing:
they are an offset relative to the position of the jump instruction itself.
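To make the byte-to-mnemonic step concrete, here is a tiny disassembler for just the opcodes used in this tutorial. It is an added example, not code from the tutorial. The opcode numbers and operand sizes are from the JVM specification; PAGE_BYTES is the sequence quoted above, and COMPARE_BYTES is a constructed re-encoding of the crackme's compare block from the offsets and constant-pool indices in the later listing (so 99 00 0E for "ifeq 26" at offset 12 is derived: 12 + 14 = 26). It shows that constant-pool operands are plain indices while branch operands are a signed 16-bit offset relative to the branch instruction, which is why a listing's "ifeq 26" is not encoded as 99 00 1A.

```python
"""Tiny JVM bytecode disassembler for the opcodes used in this tutorial (added example)."""
import struct

# opcode -> (mnemonic, operand kind). JAD prints 0x12 "ldc" as "ldc1".
OPCODES = {
    0x12: ("ldc", "cp8"),
    0x2A: ("aload_0", "none"),
    0x99: ("ifeq", "branch"),
    0x9A: ("ifne", "branch"),
    0x9B: ("iflt", "branch"),
    0x9C: ("ifge", "branch"),
    0x9D: ("ifgt", "branch"),
    0x9E: ("ifle", "branch"),
    0xA7: ("goto", "branch"),
    0xB1: ("return", "none"),
    0xB2: ("getstatic", "cp16"),
    0xB4: ("getfield", "cp16"),
    0xB6: ("invokevirtual", "cp16"),
}
BRANCHES = {name for name, kind in OPCODES.values() if kind == "branch"}


def disassemble(code: bytes):
    """Return [(offset, mnemonic, operand)] for `code`.

    operand is None, a constant-pool index, or (for branches) the absolute
    target offset pc + signed16, which is what a listing like "ifeq 26" shows.
    """
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"unknown opcode 0x{op:02X} at offset {pc}")
        name, kind = OPCODES[op]
        if kind == "none":
            out.append((pc, name, None))
            pc += 1
        elif kind == "cp8":
            out.append((pc, name, code[pc + 1]))
            pc += 2
        else:
            if pc + 3 > len(code):
                raise ValueError(f"truncated {name} at offset {pc}")
            if kind == "cp16":
                out.append((pc, name, struct.unpack(">H", code[pc + 1:pc + 3])[0]))
            else:  # branch: big-endian signed 16-bit, relative to this instruction
                rel = struct.unpack(">h", code[pc + 1:pc + 3])[0]
                out.append((pc, name, pc + rel))
            pc += 3
    return out


def format_listing(code: bytes):
    """Render 'offset: mnemonic operand // raw bytes' lines."""
    entries = disassemble(code)
    lines = []
    for i, (off, name, operand) in enumerate(entries):
        end = entries[i + 1][0] if i + 1 < len(entries) else len(code)
        raw = " ".join(f"{b:02X}" for b in code[off:end])
        if operand is None:
            text = name
        elif name in BRANCHES:
            text = f"{name} {operand}"
        else:
            text = f"{name} #{operand}"
        lines.append(f"{off:3}: {text:<22}// {raw}")
    return lines


def branch_sites(code: bytes):
    """Offsets of every branch with its target. Disassembling first is how you
    make sure a byte pattern such as 99 00 really is an ifeq and not an operand."""
    return [(off, name, tgt) for off, name, tgt in disassemble(code) if name in BRANCHES]


# The sequence quoted in the tutorial: getstatic #14, ldc1 #16, invokevirtual #22, return
PAGE_BYTES = bytes.fromhex("B2 00 0E 12 10 B6 00 16 B1")

# Constructed: the equalsIgnoreCase / ifeq / goto block of the crackme listing,
# re-encoded from its offsets and constant-pool indices (#92 = 5C, #31 = 1F, ...).
COMPARE_BYTES = bytes.fromhex(
    "12 5C"      #  0: ldc #92
    "2A"         #  2: aload_0
    "B4 00 1F"   #  3: getfield #31
    "B6 00 60"   #  6: invokevirtual #96
    "B6 00 66"   #  9: invokevirtual #102
    "99 00 0E"   # 12: ifeq 26   (12 + 14)
    "2A"         # 15: aload_0
    "12 68"      # 16: ldc #104
    "12 6A"      # 18: ldc #106
    "B6 00 6C"   # 20: invokevirtual #108
    "A7 00 0B"   # 23: goto 34   (23 + 11)
    "2A"         # 26: aload_0
    "12 68"      # 27: ldc #104
    "12 6E"      # 29: ldc #110
    "B6 00 6C"   # 31: invokevirtual #108
    "B1"         # 34: return
)

if __name__ == "__main__":
    for line in format_listing(PAGE_BYTES) + [""] + format_listing(COMPARE_BYTES):
        print(line)
    print("branches:", branch_sites(COMPARE_BYTES))
```

Running it prints the same offsets and targets as the JAD listing later in the tutorial; `branch_sites` is the check to do before touching any bytes, since the same two bytes can occur inside an operand or in constant-pool data.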

++CODES:stacks++
Learn about at:
http://en.wikibooks.org/wiki/Java_Programming/Byte_Code

**Since I haven't found any debugger for Java like OllyDbg for .exe's, I think it's really
hard for beginners to understand stacks if they have no previous experience
debugging .exe's. Beginners might wonder: what is a stack? Why does it exist?
Because even high-level languages don't do much with stacks directly**..
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Stacks are like papers you put in a box.. You put them in and you take them out. A stack uses the LIFO
principle, which is Last In, First Out.

for example :
Let's say that in this example the push command stores a value on top of the stack and the pop
command takes the topmost value off the stack and puts it in a variable.

:lin1
push "qwerty"
push "dvorak"
:lin2
pop man
:lin3
pop goo
:lin4

After the instructions from lin1 to lin2 have been executed, the stack looks like this (top of the stack first):

|"dvorak"|
|"qwerty"|

When execution reaches lin3 the variable man contains "dvorak" and the stack is left with |"qwerty"|.
After it reaches lin4 the variable goo contains "qwerty" and the stack is empty.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
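The walkthrough above, written as a program for a small stack machine so you can watch the stack change. This is an added example, not part of the tutorial; the (op, arg) instruction format, the labels and LIFO_DEMO are constructed to mirror lin1..lin4. It also models the JVM rule that ifeq and ifne consume the value on top of the stack and jump when it is zero or non-zero respectively.

```python
"""Tiny stack machine (added example, not from the tutorial)."""


def run(program, stop_at=None, trace=False):
    """Execute `program`, a list of (op, arg) tuples; return (variables, stack).

    Stops at 'return', or when execution reaches the label `stop_at`, so the
    stack can be inspected mid-way (the tutorial's "after lin2" picture).
    """
    labels = {arg: i for i, (op, arg) in enumerate(program) if op == "label"}
    stack, variables, pc, steps = [], {}, 0, 0
    while pc < len(program):
        steps += 1
        if steps > 10_000:
            raise RuntimeError("runaway program (infinite loop?)")
        op, arg = program[pc]
        if trace:
            print(f"pc={pc:2} {op:6} {str(arg):10} stack={stack}")
        if op == "label":
            if arg == stop_at:
                return variables, stack
        elif op == "push":
            stack.append(arg)
        elif op in ("pop", "ifeq", "ifne"):
            if not stack:
                raise RuntimeError(f"{op} at pc={pc} but the stack is empty")
            value = stack.pop()  # LIFO: the most recent push comes out first
            if op == "pop":
                variables[arg] = value
            elif (value == 0) == (op == "ifeq"):  # ifeq jumps on zero, ifne on non-zero
                pc = labels[arg]
                continue
        elif op == "goto":
            pc = labels[arg]
            continue
        elif op == "return":
            return variables, stack
        else:
            raise ValueError(f"unknown op {op!r}")
        pc += 1
    return variables, stack


# The lin1..lin4 walkthrough as a program for this machine (constructed).
LIFO_DEMO = [
    ("label", "lin1"),
    ("push", "qwerty"),
    ("push", "dvorak"),
    ("label", "lin2"),
    ("pop", "man"),
    ("label", "lin3"),
    ("pop", "goo"),
    ("label", "lin4"),
    ("return", None),
]


def stack_at(label):
    """Stack contents (bottom first) when LIFO_DEMO reaches `label`."""
    return run(LIFO_DEMO, stop_at=label)[1]


def branch_taken(op, value):
    """Push `value`, execute `op` (ifeq or ifne) and report whether it jumped."""
    program = [
        ("push", value),
        (op, "jumped"),
        ("push", "fell through"),
        ("goto", "end"),
        ("label", "jumped"),
        ("push", "jumped"),
        ("label", "end"),
        ("pop", "result"),
        ("return", None),
    ]
    return run(program)[0]["result"] == "jumped"


if __name__ == "__main__":
    print("after lin2:", stack_at("lin2"))
    print("at the end:", run(LIFO_DEMO))
    for op in ("ifeq", "ifne"):
        for v in (0, 1):
            print(f"{op} with {v} on the stack -> jumped={branch_taken(op, v)}")
```

Pass `trace=True` to `run` to print the stack after every instruction; that is the closest thing to single-stepping you get without a Java debugger.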

++Resources++
-Resources are things like images,audio,text files, and other things that are not CLASS files..

--Info
-The code/instructions are executed from top to bottom unless "jumped" or redirected with
opcodes like IFNE, GOTO, IF_ICMPEQ, RETURN and some others...

Just in case you don't know, the opcodes mean:

0x99 ifeq   // if equal
0x9a ifne   // if not equal
0x9b iflt   // if less than
0x9c ifge   // if greater than or equal
0x9d ifgt   // if greater than
0x9e ifle   // if less than or equal



===================
I dont know if you are getting confused by this :)
===================

=======================================================
Reversing J2ME apps or should I say Java 2 Mobile Environment applications
--------------------------------------------------------------

Target: crackmef1.jar
Description: it was created by me.

Tools Used are:


(Google them)
JAD - Decompiles java class files into java source code
WinRar - For jar file archive management
HexWorkshop - For editing byte(s)/opcode in class files
SJboy Emulator - Since this jar file is a J2ME application it cannot be run by the J2SE JVM, so an emulator is needed.

First thing to keep in mind: startApp(), pauseApp() and destroyApp() are standard to J2ME applications,
so they must always be present.

_1. THE TARGET

First, run the target, crackmef1.jar, in the SJboy emulator. There should be a prompt
saying "Enter Registration.." and a button that says "Register!". Enter anything
random and press the Register! button; you will then see that the code was
not correct, as it says "Nope that was not the code!". So we know that this is
the badboy message. This time we are going to use patching to make
the app show the goodboy message.

_2. EXTRACTION

Now we are going to extract the class file from this jar file using WinRAR. Right-click the file
and select "Extract files...". WinRAR will then extract the contents into a folder
named crackmef1. In real applications there would be lots of class files inside,
but to make it easier I only made one class file.

_3. DECOMPILING CLASS FILES

Now copy the JAD program into the folder and start the Command Prompt.
I placed the folder in
C:\crackmef1, so change directory to that folder and type "jad -a -s one.txt hehu.class", then
after that type "jad -a -s two.txt hehu.class". Now there should be two text files generated.
The first one (one) is the one with the Java source only and the second (two) has the
Java source with the disassembler code alongside it.

_4.PATCHING THE CLASS FILES

Open up hehu.one.txt with Notepad and browse around it; try to read it..
You should see at the bottom:

showFatalAlert("funtikar", "Nope that was not the code!");

This was called because..

    if("JavaLang".equalsIgnoreCase(texbux.getString()))
        showFatalAlert("funtikar", "Hehe You have cracked this stupid thing. ofcourse this crackme is totally for newbies");
    else
        showFatalAlert("funtikar", "Nope that was not the code!");

This means that if the string in the text box is equal to "JavaLang", ignoring
case, then show the alert "Hehe You have cracked this stupid thing. ofcourse this
crackme is totally for newbies"; otherwise it will show us the
alert "Nope that was not the code!".

Now take a look at hehu.two.txt and you'll see..

if("JavaLang".equalsIgnoreCase(texbux.getString()))
//* 0 0:ldc1 #92 <String "JavaLang">
//* 1 2:aload_0
//* 2 3:getfield #31 <Field TextBox texbux>
//* 3 6:invokevirtual #96 <Method String TextBox.getString()>
//* 4 9:invokevirtual #102 <Method boolean String.equalsIgnoreCase(String)>
//* 5 12:ifeq 26
showFatalAlert("funtikar", "Hehe You have cracked this stupid thing. ofcourse this crackme is totally for newbies");
// 6 15:aload_0
// 7 16:ldc1 #104 <String "funtikar">
// 8 18:ldc1 #106 <String "Hehe You have cracked this stupid thing. ofcourse this crackme is totally for newbies">
// 9 20:invokevirtual #108 <Method void showFatalAlert(String, String)>
else
//* 10 23:goto 34
showFatalAlert("funtikar", "Nope that was not the code!");
// 11 26:aload_0
// 12 27:ldc1 #104 <String "funtikar">
// 13 29:ldc1 #110 <String "Nope that was not the code!">
// 14 31:invokevirtual #108 <Method void showFatalAlert(String, String)>
// 15 34:return

It's the same thing but with the Java disassembler code alongside it.
As you can see, invokevirtual <Method boolean String.equalsIgnoreCase(String)> is
called; if the strings are equal it stores a non-zero value (true) on the stack, and if the strings
are not equal it pushes zero, so ifeq 26 then jumps to :26, thus showing
us the badboy alert.

**The ifeq is actually an 'if zero' and ifne is actually 'if not zero'. The "zero" it is
referring to is the value on top of the stack; you have to picture the stack to work this out.**
If we change this ifeq 26 to ifne 26, it would show the goodboy alert when given
any registration code except the real registration code.. In hex the opcode of
ifeq 26 is 99 00 xx, so we need to change it to 9A 00 xx. So open up the original hehu.class
with HexWorkshop or any other hex editor, search for the
bytes 99 00 (make sure it's the right place) and replace them with 9A 00. That's the patch.
Now update the jar file with this newly patched class file:
just drag the class file onto the jar file and WinRAR will do that for you..

Then, to test that this app has been patched successfully, run it on the SJboy emulator..
Try finding other ways to do this..
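The flip side of the patching step above, from the application author's point of view: any byte changed in a class file changes that entry's digest, and signed JARs record a per-entry digest in META-INF/MANIFEST.MF (the SHA-256-Digest attribute), so recomputing the digests shows exactly which entries were replaced after the manifest was written. The following is an added example, not code from the tutorial: the JAR is built in memory, the "class" bytes are constructed filler behind the JVM magic number (not a real class file), and it checks only the manifest digests, not the .SF/.RSA signature files a real signed JAR also carries.

```python
"""JAR entry-integrity check against META-INF/MANIFEST.MF digests (added example)."""
import base64
import hashlib
import io
import zipfile


def digest_b64(data: bytes) -> str:
    """Manifest digests are base64 of the raw SHA-256 hash."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(entries: dict) -> str:
    """Write a manifest with one 'Name' section per entry, as jarsigner does."""
    sections = ["Manifest-Version: 1.0\n"]
    for name, data in entries.items():
        sections.append(f"Name: {name}\nSHA-256-Digest: {digest_b64(data)}\n")
    return "\n".join(sections) + "\n"


def build_jar(entries: dict, manifest: str) -> bytes:
    """A JAR is a zip file; put the manifest first, then the entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Map entry name -> recorded SHA-256-Digest from the 'Name:' sections."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:  # a leading space continues the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    recorded, current = {}, {}
    for line in unfolded + [""]:  # a blank line ends a section
        if not line:
            if "Name" in current and "SHA-256-Digest" in current:
                recorded[current["Name"]] = current["SHA-256-Digest"]
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return recorded


def verify_manifest(jar_bytes: bytes) -> list:
    """Names of entries whose actual digest differs from (or is missing in) the manifest."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        recorded = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in zf.infolist():
            if info.is_dir() or info.filename == "META-INF/MANIFEST.MF":
                continue
            if recorded.get(info.filename) != digest_b64(zf.read(info)):
                bad.append(info.filename)
    return sorted(bad)


# Constructed sample: a fake class (JVM magic number plus filler) and a resource.
ORIGINAL = {
    "hehu.class": bytes.fromhex("CAFEBABE") + bytes(range(64)),
    "icon.png": b"not really a png",
}
MANIFEST = build_manifest(ORIGINAL)
ORIGINAL_JAR = build_jar(ORIGINAL, MANIFEST)

# Simulate dropping a one-byte-different class into the jar while the manifest is left as it was.
patched_class = bytearray(ORIGINAL["hehu.class"])
patched_class[20] ^= 0x01
PATCHED_JAR = build_jar({**ORIGINAL, "hehu.class": bytes(patched_class)}, MANIFEST)

if __name__ == "__main__":
    print("original:", verify_manifest(ORIGINAL_JAR) or "all entries match the manifest")
    print("patched: ", verify_manifest(PATCHED_JAR))
```

On a real application the same `verify_manifest` can be pointed at the bytes of an installed .jar; an entry that was replaced after signing shows up here even when the emulator runs the patched version without complaint.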

__REFERENCES
Primer on Reversing Symbian S60 Applications by Shub-Nigurrath / ArTeam
Notes on reversing and cracking Java target_Part1 until Part 3 by ThunderPwr / ArTeam
Reversing Java Programs - Part 1 by CodeRipper / SND
WikiPedia

__THE END
Greetings to Shub-Nigurrath / ArTeam, ThunderPwr / ArTeam and CodeRipper / SND.
I would like to thank you guys so much for creating such brilliant tutorials.

This is one of my first tutorials and I've only done it in a short amount of time,
so the quality isn't that great, sorry. Excuse me for my English and any
mistakes that I may not have noticed.

funtikar(a)google mail
Comments and suggestions are welcome...
