Description of the Exercise:
Imagine that you have just implemented a Java version of a console application called “Password Vault” that helps computer users create and manage their passwords in a secure and convenient way. Before releasing a limited trial version of the application on your company’s Web site, you would like to understand how difficult it would be for a reverse engineer to circumvent a limitation in the trial version that exists to encourage purchases of the full version; the trial version of the application limits the number of password records a user may create to five. The Java version of the Password Vault application was developed to provide a non-trivial application for reversing exercises without the myriad of legal concerns involved with reverse engineering software owned by others. The Java version of the Password Vault application employs 128-bit AES encryption, using Sun’s Java Cryptography Extensions (JCE), to securely store passwords for multiple users—each in separate, encrypted XML files.
Software for the Exercise:
- Password Vault Java Windows® installer
- FrontEnd Plus (java bytecode decompiler)
- Jad (java bytecode decompiler) (if you prefer to work at the command-line)
Solution to the Exercise:
For instructional purposes, an animated solution that demonstrates the complete end-to-end reverse engineering of the Java Password Vault application was created using Qarbon Viewlet Builder and can be viewed using Macromedia Flash Player. The tutorial begins with the Java Password Vault application, FrontEnd Plus, and Sun’s Java JDK v1.6 installed on a Windows XP® machine.
Posted on May 6th, 2009 | By: teodoro
Comments are closed.