Monday, April 12, 2010

ClassGuard UNGUARDED or How to Crack ClassGuard?

Quote from the site (http://www.jsecurity.net/modules/faq/faq_0003.html?uri=/classguard/index.html&categoryfolder=/modules/faq/):

How secure is it really?

There is no way of cracking the used 128-bit AES Encryption. As the main part of ClassGuard is written in C, the key can't be extracted using a Java decompiler. However, there may be possibilities to crack the encryption using a debugger on the assembler level. At the moment, no such attempt is known.

Some experts state, it would be possible to crack byte code encryption by hacking some class files of the Java language itself, e.g. defineClass() in java.lang.ClassLoader. Bytecode encrypted by ClassGuard is passed through to the virtual machine on the native level. The bytecode never appears in any Java class.



Note the underlined (by me) part in red.
This is (yet another) proof that security by obscurity is a BAD idea.

ClassGuard is a set of Java classes plus a native library that encrypts and decrypts Java programs (.class files). The classes must be packed into a .jar archive before you encrypt/protect them.

When the protected program is started, its classes are decrypted in memory. The native libraries live in classguard.jar/lib/; there are several, one per OS. For Windows these are libcg_x64_win.dllx (64-bit) and lib\libcg_x86_win.dllx (32-bit).

Since the library is packed inside the .jar file, at runtime it gets unpacked into a temporary directory with a random name. On Windows XP the temp dir is \Documents and Settings\your_username\Local Settings\Temp\. The library code is then used to decrypt the classes in memory.

That is the whole weakness: whatever the key and however well the C code hides it, the plaintext bytecode has to exist in the process before the JVM can run it, and at that point anyone with a debugger on the native library (or a hook at the spot where the bytes are handed to the JVM) can simply read it out.
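Before going the debugger route the post takes, a practitioner would first try the cheaper JVM-side check. The following is an added example, not code from the original post and not part of ClassGuard: a hypothetical java.lang.instrument agent (DumpAgent) that writes out the class-file bytes of every class the JVM loads. It assumes the native library hands the decrypted bytes to the JVM through the public JNI DefineClass path (which is what "passed through to the virtual machine on the native level" describes); the JVM's ClassFileLoadHook, on which instrumentation transformers are built, fires for that path just as it does for ClassLoader.defineClass, so the bytecode not "appearing in any Java class" does not keep it from appearing here. The output directory name, the JDK-package filter and the build commands are the example's own choices.

```java
import java.io.IOException;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.ProtectionDomain;

/*
 * Hypothetical DumpAgent (added example; not ClassGuard's or the post's code).
 *
 * Build:  javac DumpAgent.java
 *         echo "Premain-Class: DumpAgent" > manifest.txt
 *         jar cfm dumpagent.jar manifest.txt DumpAgent*.class
 * Run:    java -javaagent:dumpagent.jar=dumped -cp protected.jar com.example.Main
 *
 * Every application class the JVM loads afterwards ends up in dumped/<name>.class,
 * already decrypted, ready for javap or any decompiler.
 */
public final class DumpAgent {

    public static void premain(String agentArgs, Instrumentation inst) {
        Path outDir = Paths.get(agentArgs == null || agentArgs.isEmpty() ? "dumped" : agentArgs);
        inst.addTransformer(new DumpingTransformer(outDir));
    }

    static final class DumpingTransformer implements ClassFileTransformer {
        private final Path outDir;

        DumpingTransformer(Path outDir) {
            this.outDir = outDir;
        }

        @Override
        public byte[] transform(ClassLoader loader, String className,
                                Class<?> classBeingRedefined,
                                ProtectionDomain protectionDomain,
                                byte[] classfileBuffer) {
            // The JVM gives us the class-file bytes it is about to parse. Assumption:
            // the protector defines its decrypted classes via JNI DefineClass, which
            // goes through the same ClassFileLoadHook as ClassLoader.defineClass, so
            // the plaintext lands here whether or not a Java class ever touched it.
            if (className == null || className.contains("..")   // no path tricks in file names
                    || isJdkClass(className) || !isClassFile(classfileBuffer)) {
                return null;
            }
            try {
                Path target = outDir.resolve(className + ".class");
                Files.createDirectories(target.getParent());
                Files.write(target, classfileBuffer);
            } catch (IOException e) {
                System.err.println("[dumpagent] could not write " + className + ": " + e);
            }
            return null; // null = leave the class bytes unchanged, program runs normally
        }

        // Real class files start with the magic number 0xCAFEBABE.
        private static boolean isClassFile(byte[] b) {
            return b != null && b.length >= 4
                && (b[0] & 0xFF) == 0xCA && (b[1] & 0xFF) == 0xFE
                && (b[2] & 0xFF) == 0xBA && (b[3] & 0xFF) == 0xBE;
        }

        // Skip the JDK's own classes; only the protected application is of interest.
        private static boolean isJdkClass(String internalName) {
            return internalName.startsWith("java/") || internalName.startsWith("javax/")
                || internalName.startsWith("jdk/") || internalName.startsWith("sun/")
                || internalName.startsWith("com/sun/");
        }
    }
}
```

Two caveats. If the protector's launcher refuses to start with -javaagent, or its native code bypasses JNI and patches the JVM directly, the agent sees nothing and the native-level debugger approach described in this post is the fallback. And what comes out is exactly what went in: if the vendor's suggestion of combining ClassGuard with ProGuard was followed, the dumped classes are still obfuscated and need the usual deobfuscation work.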

Let's crack ClassGuard :)

6 comments:

  1. Thank you. But it does not work for me.

    When I hit Ctrl-F9, I go from kernel32 to ntdll. :(

    Also, how did you find the breakpoint address 100023F2h?

  2. Great post, bro !!!

  3. Have you tried this with the new ClassGuard 4.0.1 version?

  4. No, I haven't. I am currently busy with another project...

  5. Their statement about your crack:

    "we don't think the described attack is a real threat to ClassGuard as this is a lot of effort to get single class files. For our overall security statement, please have a look at

    [their site]

    To put it in a nutshell, we think overall security is on the level of native programs, which are also not absolutely safe against this kind of debugger. Of course another option is to combine ClassGuard and obfuscation, e.g. ProGuard."

  6. Can someone help me decrypt ClassGuard zenofx? I could find the .dll file in the Temp folder, but I don't know how to find the AES key in it :(
