RSCB Unlocked
Author Topic: Cracking Nexus - Tutorial Series  (Read 9979 times)
solarwind
Administrator
« on: April 24, 2008, 06:18:15 pm »

These tutorials are hosted on ImpWiki (www.impwiki.metafy.org). Please feel free to edit these tutorials to improve them. Vandalism will not be tolerated and will result in a permanent ban from the wiki and these forums. Note: anyone can edit these tutorials; you don't need to register.

Tutorials:
Tutorial 1: Cracking Nexus - Understanding Nexus
Tutorial 2: Cracking Nexus - Decrypting Encrypted Strings
Tutorial 3: Cracking Nexus - Developing A BCEL Scanner - This tutorial includes a simple BCEL scanner for you to download and experiment with.
Tutorial 4: Cracking Nexus - Evolving The Scanner - In Progress
Tutorial 5: Cracking Nexus - The Server Side Script - Incomplete

Reference Information:
Wikipedia - Java Byte Code Reference - A reference and information for Java byte code.
Java Obfuscation - Information on Java obfuscation.
Cracking String Encryption In Java Obfuscated Byte Code

Useful Tools:
JBE - Java Byte Code Editor.

Useful Threads:
Error With Encrypting

Notes:
You guys will need to edit the wiki to improve my articles and post on this forum to help each other out. I can't do everything. I'm a busy guy with school and lots of homework. I do this solely to help others learn and for my own recreation. I simply don't have the time to make everything perfect. However, if each and every one who wants to learn this helps contribute in any way (e.g. edit the wiki pages, post more information on the forum regarding these tutorials, help others solve the assignments, etc.), this very well could be something quite close to perfect. Please, for the sake of mankind, be human beings and help each other out.

My Auto Cracker: (Just to motivate you guys.)
Code:
[====================================]
[                                    ]
[          ~~== nCrack ==~~          ]
[            Version: 2.0            ]
[                                    ]
[====================================]

Loaded 987 classes in 1345 ms.

=== [ Running class nCrack.crawler.modules.StringWrapper ]
(*) [ x.a(Ljava/lang/String;)Ljava/lang/String; ] Identified As StringEncoder

=== [ Running class nCrack.crawler.modules.FindConnects ]
(*) [ b.yj.<clinit>()V ] Identified As URL_AUTH
(*) [ b.ef.<clinit>()V ] Identified As URL_AUTH
(*) [ b.wi.<clinit>()V ] Identified As URL_AUTH
(*) [ b.mc.<clinit>()V ] Identified As URL_AUTH
(*) [ impsoft.threads.SWTThread.run()V ] Identified As URL_AUTH

=== [ Running class nCrack.crawler.modules.PatchStrings ]
(*) Method: b.yj.<clinit>()V has String: http://rscheata.net/nexusauth/auth.php?s=0&t=
[ DEBUG ] Edited Auth URL!
(*) Method: b.ef.<clinit>()V has String: http://rscheata.net/nexusauth/auth.php?s=0&t=
[ DEBUG ] Edited Auth URL!
(*) Method: b.wi.<clinit>()V has String: http://rscheata.net/nexusauth/auth.php?s=0&t=
[ DEBUG ] Edited Auth URL!
(*) Method: b.mc.<clinit>()V has String: http://rscheata.net/nexusauth/auth.php?s=0&t=
[ DEBUG ] Edited Auth URL!
(*) Method: impsoft.threads.SWTThread.run()V has String: http://rscheata.net/nexusauth/auth.php?s=0&t=
[ DEBUG ] Edited Auth URL!

Completed 0 patches and identified 6 methods in 2821 ms.

That is the output of my auto cracker running on Nexus 18.500. I didn't enable all the modules that do a lot more (such as: name classes, identify certain fields and so on) because there's still some stuff to fix. However, it's fully functional. But I'm not going to release it. Why? Because I want to prove to you guys that you guys can make one too if you read these tutorials and learn.

I'll be posting tutorials regularly.
« Last Edit: April 28, 2008, 07:19:52 pm by solarwind »

Quote
Somewhere, someone is practicing. And when you meet him on the field, face to face, one on one, he'll beat you. Unless that someone who's practicing is you. So work the left, run the stairs, crank the corners. Give it everything you've got, every day. And when you get tired and feel like quitting, ask yourself, is the other guy tired? Is he quitting? So leave everything on the Field and Go Hard or Go Home.
spookyman166
« Reply #1 on: April 24, 2008, 06:27:43 pm »

solar and tandem = kings

I love it, I'm so gonna follow it.

tandem
Administrator
« Reply #2 on: April 24, 2008, 06:28:58 pm »

http://www.milw0rm.org/papers/117 has some useful information about reversing string encryption in different obfuscators.
solarwind
Administrator
« Reply #3 on: April 24, 2008, 06:38:14 pm »

> http://www.milw0rm.org/papers/117 has some useful information about reversing string encryption in different obfuscators.

Nice, I uploaded it to my server: http://www.pdfmenot.com/view/http://www.files.asssoft.org/Documents/Cracking_String_Encryption_In_Java_Obfuscated_Byte_Code.pdf
super_
Java Guru
« Reply #4 on: April 24, 2008, 06:42:07 pm »

Auto cracker? Hardly, all it seems to have done is loop through neXus's classfiles and try to find patterns.
P.S. StringEncoder being found in the module 'StringWrapper'?
Where's the string wrapping?
solarwind
Administrator
« Reply #5 on: April 24, 2008, 06:45:06 pm »

> Auto cracker? Hardly, all it seems to have done is loop through neXus's classfiles and try to find patterns.
> P.S. StringEncoder being found in the module 'StringWrapper'?
> Where's the string wrapping?

Didn't your mother ever tell you? If you don't have anything nice to say, don't say anything at all, unless it's constructive. Firstly, what you see in that output snippet isn't even 1/10th of my Auto Cracker. The naming is none of your bloody business. Holy shit, you're one irritating bastard.
spookyman166
« Reply #6 on: April 24, 2008, 06:48:17 pm »

solar

Isn't all the auths located in one central place? The splash screen and that is in SWTTHreads and the directory b.
solarwind
Administrator
« Reply #7 on: April 24, 2008, 06:52:04 pm »

> solar
>
> Isn't all the auths located in one central place? The splash screen and that is in SWTTHreads and the directory b.

That is incorrect. The auth blocks are distributed sporadically. You need to search for them carefully. But I guess to search for them, you'll need to know how to decrypt strings. I'll cover that in a bit.
spookyman166
« Reply #8 on: April 24, 2008, 06:53:43 pm »

thanks solar you own

and can you post a tut on BCEL install and use please
tandem
Administrator
« Reply #9 on: April 24, 2008, 06:54:48 pm »

And it will change with every single release. Or at least you should make the assumption it will. That is why we suggest you create a program to search for them.

Or you can manually do the search each and every release, if you're a masochist like super. =P
solarwind
Administrator
« Reply #10 on: April 24, 2008, 06:55:01 pm »

> thanks solar you own
>
> and can you post a tut on BCEL install and use please

Sure thing bro.
solarwind
Administrator
« Reply #11 on: April 24, 2008, 06:56:05 pm »

> And it will change with every single release. Or at least you should make the assumption it will. That is why we suggest you create a program to search for them.
>
> Or you can manually do the search each and every release, if you're a masochist like super. =P

ROFL that is so true. If you have the patience (or stupidity) like super_, you can search for them by hand every single release. The class names change EVERY release.
spookyman166
« Reply #12 on: April 24, 2008, 07:06:37 pm »

> > And it will change with every single release. Or at least you should make the assumption it will. That is why we suggest you create a program to search for them.
> >
> > Or you can manually do the search each and every release, if you're a masochist like super. =P
>
> ROFL that is so true. If you have the patience (or stupidity) like super_, you can search for them by hand every single release. The class names change EVERY release.

then how would you know which one is which without hand checking them
solarwind
Administrator
« Reply #13 on: April 24, 2008, 07:21:31 pm »

> > > And it will change with every single release. Or at least you should make the assumption it will. That is why we suggest you create a program to search for them.
> > >
> > > Or you can manually do the search each and every release, if you're a masochist like super. =P
> >
> > ROFL that is so true. If you have the patience (or stupidity) like super_, you can search for them by hand every single release. The class names change EVERY release.
>
> then how would you know which one is which without hand checking them

Therein lies the beauty of the updater, the auto cracker, the class parser framework. They all work on the same principle: find a pattern and search for it in the code.
spookyman166
« Reply #14 on: April 24, 2008, 07:23:01 pm »

and I'm kinda guessing you will let me find out that?