lxj616 2014/07/30

0x00 Abstract:


This series of articles reverse-engineers several versions of BurpLoader in order to explain how Burpsuite is cracked and what weaknesses this exposes in Burpsuite's license verification.

0x01 JD-GUI usage and its limits:


JD-GUI is a free tool that recovers Java source code from Java bytecode. For most reversing work it is enough on its own, but because it relies on the bytecode having the structure the compiler normally emits, it loses its usefulness as soon as that structure is scrambled (for example by an obfuscator). This is what happens when Burpsuite is opened in JD-GUI:

JD-GUI clearly failed to recover the source because Burpsuite's bytecode has been scrambled by an obfuscator. JD-GUI works well on unobfuscated bytecode; its drawback is that it stops working once the bytecode structure is scrambled.

0x02 Bytecode Analysis:


Java bytecode is not executed directly by the CPU like ordinary native code; it runs on a JVM, which is what lets the same bytecode run on different platforms.

The JVM is a stack-based virtual machine with its own opcodes (and mnemonics for them), so reading its bytecode is much like ordinary binary disassembly. Disassembling Java bytecode is simple enough that the javap tool built into the JDK does the job.

Example: disassembling Javar.class with javap

Note the -c option of javap: it prints the bytecode of each method; without it only the method signatures are listed. The Bytecode Visualizer plugin for Eclipse can also be used to view the bytecode.

[javap -c listing of the Wooyun class; the method loads java.lang.System.out and prints the string lxj616. The listing itself did not survive extraction.]

0x03 Old BurpLoader analysis:


As Burpsuite is updated, so is BurpLoader. Let's start with an old version of BurpLoader and briefly analyze how it cracks Burpsuite. BurpLoader 1.5.01 is used for this analysis. First, we try to load BurpLoader with JD-GUI:

The BurpLoader source code was recovered successfully. Since it is a patch for Burpsuite, the Burpsuite classes it references are still the unreadable obfuscated names, but it can be inferred that BurpLoader itself was not obfuscated.

```java
public static void main(String[] args) {
    try {
        int ret = JOptionPane.showOptionDialog(null,
                "This program can not be used for commercial purposes!",
                "BurpLoader by[email protected]", 0, 2, null,
                new String[] { "I Accept", "I Decline" }, null);
        if (ret == 0) { // "I Accept" is option 0; this line was lost in extraction and is reconstructed from the brace structure
            for (int i = 0; i < clzzData.length; i++) {
                Class clzz = Class.forName(clzzData[i]);
                // the static fields are obfuscated too; their names are not listed here
                Field field = clzz.getDeclaredField(fieldData[i]);
                field.setAccessible(true);
                // overwrite the static field with strData[i] (the long string values are not discussed here)
                field.set(null, strData[i]);
            }
            Preferences prefs = Preferences.userNodeForPackage(StartBurp.class);
            for (int i = 0; i < keys.length; i++) {
                String v = prefs.get(keys[i], null);
                if (!vals[i].equals(v)) {
                    prefs.put(keys[i], vals[i]);
                }
            }
            StartBurp.main(args);
        }
    } catch (Exception e) {
        JOptionPane.showMessageDialog(null,
                "This program can only run with burpsuite_pro_v1.5.01.jar",
                "BurpLoader by[email protected]", 0);
    }
}
```

So BurpLoader works by forging a key that passes the check: the key is injected through Java Preferences, and my guess is that the reflection writes pin certain environment-dependent values so that the key computation always produces the same result.

0x04 New BurpLoader analysis:


The following analysis uses BurpLoader 1.6beta. First, try to open BurpLoader with JD-GUI:

This version of BurpLoader is evidently obfuscated at the bytecode level, so that path is closed; we simply read the bytecode instead.

As you can see, all of the strings here are obfuscated, and each one is decrypted by a jsr jump to the subroutine at offset 151.

This decryption routine is very recognizable: a five-way switch (at offset 221) that selects a different key value on each branch. Isn't that the Zelix KlassMaster algorithm? It is a plain XOR, so a decryptor is quick to write:

```java
public class Verify {
    private static String decrypt(String str) {
        char key[] = new char[] { 73, 25, 85, 1, 29 }; // the five XOR key bytes taken from the bytecode
        char arr[] = str.toCharArray();
        for (int i = 0; i < arr.length; i++) {
            arr[i] ^= key[i % 5]; // the switch in the bytecode picks key[i % 5]
        }
        return new String(arr);
    }

    public static void main(String args[]) {
        System.out.println(decrypt("%x'sdgu4t3#x#`egj\"hs.7%m|/7;hp+l&/S t7tn\5v:j\'}_dx%"));
    }
}
```

The five key bytes are the operands of the bipush instructions above; the 1 is pushed by iconst_1, so don't overlook it. Decrypting gives: larry.lau.javax.swing.plaf.nimbus.NimbusLook:4
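As an added example (not code from the original post), here is the same decryptor ported to Python and generalized to any key length. Because XOR is its own inverse, the same function encrypts and decrypts, and the key can be recovered from a few characters of known plaintext (the literal starts with "larry"), which is why this kind of string obfuscation does not protect anything: the key sits in the bytecode and the scheme is a repeating-key XOR. The obfuscated literal below is the one from the Verify class above, written with Python escapes.

```python
# Added example: Python port of the XOR string decryptor discussed above,
# generalized to an arbitrary key length. Not part of the original post.

KEY = (73, 25, 85, 1, 29)  # the five bytes pushed by bipush/iconst_1 in the bytecode

# The obfuscated literal from the Verify class, in Python notation
# (\x05 is the Java "\5" octal escape).
OBFUSCATED = "%x'sdgu4t3#x#`egj\"hs.7%m|/7;hp+l&/S t7tn\x05v:j'}_dx%"


def xor_string(text, key=KEY):
    """XOR every character with key[i % len(key)].

    Identical for encryption and decryption: applying it twice returns
    the original text.
    """
    return "".join(chr(ord(c) ^ key[i % len(key)]) for i, c in enumerate(text))


def recover_key(ciphertext, known_plaintext, key_len):
    """Recover a repeating XOR key from a known-plaintext prefix.

    Needs at least key_len characters of known plaintext; each key byte is
    simply ciphertext[i] ^ plaintext[i]. This is the classic weakness of
    repeating-key XOR and the reason such obfuscation is reversible.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len characters of known plaintext")
    return tuple(ord(ciphertext[i]) ^ ord(known_plaintext[i]) for i in range(key_len))


if __name__ == "__main__":
    print(xor_string(OBFUSCATED))            # the decrypted class name
    print(recover_key(OBFUSCATED, "larry", 5))  # recovers KEY from the known prefix
```

Decrypting the literal exactly as it appears in the post yields a string beginning with the "larry.lau.javax.swing.plaf.nimbus.NimbusLook:4" value the post reports; the few trailing characters are garbage because the tail of the literal did not survive copying.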

Decrypting the strings is not really necessary here, since we already have the old source code, but the same approach may well be useful when reversing other software.

0x05 Summary & POC:


Below is my modified BurpLoader. I have removed the code that overwrites values and instead print the original values before any modification. Add the Burpsuite JAR to the classpath, then compile and run this code.

```java
package stratburp;

import burp.StartBurp;
import java.lang.reflect.Field;
import java.util.prefs.Preferences;
import javax.swing.JOptionPane;

public class startburp {
    // obfuscated Burpsuite classes and the static fields that the loader normally overwrites
    private static final String[] clzzData = { "burp.ecc", "burp.voc", "burp.jfc", "burp.gtc",
            "burp.zi", "burp.q4c", "burp.pid", "burp.y0b" };
    private static final String[] fieldData = { "b", "b", "c", "c", "c", "b", "c", "c" };
    private static final String ErrorTip = "This program can only run with burpsuite_pro_v1.5.01.jar";
    // Preferences keys read by Burpsuite's license check
    private static final String[] keys = { "license1", "uG4NTkffOhFN/on7RT1nbw==" };

    public static void main(String[] args) {
        try {
            for (int i = 0; i < clzzData.length; i++) {
                Class clzz = Class.forName(clzzData[i]);
                Field field = clzz.getDeclaredField(fieldData[i]);
                field.setAccessible(true);
                // field.set(null, strData[i]);  // the overwrite is removed; only print the current value
                System.out.println(field.get(null));
            }
            Preferences prefs = Preferences.userNodeForPackage(StartBurp.class);
            for (int i = 0; i < keys.length; i++) {
                String v = prefs.get(keys[i], null);
                System.out.println(v);
            }
            StartBurp.main(args);
        } catch (Exception e) {
            JOptionPane.showMessageDialog(null, ErrorTip, "Notice", 0);
        }
    }
}
```

The result is shown in the screenshot.

The first 8 lines of output are the original values that BurpLoader overwrites (on my machine); the same machine produces the same values on every run. Because I had run BurpLoader before, the Preferences key that follows has already been modified (but since the first 8 values are left untouched here, Burpsuite's verification still fails). It can be seen that BurpLoader actually uses the same key to register every computer; it only pins the environment-dependent values that take part in the key calculation. This is probably the main idea behind cracking Burpsuite. How a usable license is computed in the first place will be studied later.