Crack "caused E6 collaborative Document Management System" 3.2.847

Statement: This article is purely for the purpose of learning. If it is used for commercial purposes, the consequences of legal liability will be borne by itself.
As a result, E6 has also been upgraded to 5.5, which should have no effect and be posted as a technical discussion.

Recently studying Software Encryption problems, see "lead E6 collaborative Document Management System" (http://www.zhidesoft.com/a-5d4c6d9330535cae0131755be0325e59.shtml) Good, just try to crack. The free version limits some features, mainly by limiting the number of users to five, which cannot be used by general enterprises. In case of cracking, at least the number of users should be changed to a larger value.

1. download and install the latest software from the official website. The default installation directory is %: zdecm. It is worth mentioning that the installer will automatically install the software to a non-system disk partition to prevent data loss caused by system reinstallation. During installation, the software will be mounted to the D disk, I don't know if I will automatically find a larger partition like Pipi.

The following directories are installed:

Home Data Directory, which stores logs, backups, databases, and other data generated during operation.

Tomcat includes all running programs, including JRE, Tomcat, and the resulting software. The software is installed in the webapps/ROOT directory.

2. if we see that tomcat is half done, it must be written in java, and it is still WEB. If the JSP page is better, it does not matter if it does not have a JSP page but a pre-compiled JAR package, it is bytecode and not binary. It is much easier to analyze.

There are many directories under the WEB-INF's classes directory, but there is no. class file, it must be packaged into a jar package into a path, the most reasonable is the WEB-INF/lib, then we need to analyze which JAR package is the end. There are many jar packages under the lib directory, but many of them are very familiar with third-party libraries. Even if you are not familiar with them, there are later versions, which are very standard and should not be, only a few files do not contain version numbers. It is estimated that they are one or several of them. The name of the czd. jar file is very suspicious. It was targeted at it at the beginning.

3. Download The Decompilation tool Java Decompiler (JD)

Http://java.decompiler.free.fr /? Q = jdgui

It is also a GUI that is easy to use and as easy as. Net Reflector.

4. use JD to open czd. the jar file is mainly used to search for user-related items. When using user as a keyword, it is easy to find some SQL statements. However, this software uses struts and Hibernate, only some configuration files are used to map the model to the database table, while SQL statements are automatically generated, so it is hard to look at the code carefully.

Use the task manager to find the mqsql process, and then run the command line netstat-ao to check that the listening port for this process is 13307, the database uses MySQL, and the Administrator account is the default ROOT user, there is no password, and MySQL tools will be used in a row. I tried to use several field names of tdms_user to find out which SQL statements were not found. All these operations were handled by Hibernate.

5. since the User can be directly added to the database, the table tdms_user has an ID field, and no ID Generation Code is found in the source code model User class, it may also be automatically generated by Hibernate, so I added a user manually according to the previous users, but it is not displayed on the interface, the corresponding records of the group are displayed only after they are added.

6. when I clicked it, I found that the system information on the management interface would display the number of authorized users as 5. So I began to search for clues on the system information page and quickly found org. apache. jsps. admin. systemInfo_jsp is the compiled code of the JSP corresponding to the system information page, but the authorization-related information is obtained through PageContextImpl. the Code passed by proprietaryEvaluate does not directly obtain the authorization information.

7. Search for information related to systemInfo, and finally find the method to read the information in zd. dms. action. admin. SystemInfoAction.

This. infos. add (
New NameValuePair ("software name", SystemConfigManager. getInstance ()
. GetProductNameAndVersion ()));
The following code

This. infos. add (
New NameValuePair ("authorized users ",
String. valueOf (SDU. coc )));

It is even more gratifying that SDU. coc is
Www.2cto.com. Find the SDU class. JD is handsome. Just click it. It is zd. dms. e. SDU, and coc is just a static field.

Public class SDU
{
Public static int coc = 5;

I was so happy at the beginning. I changed 5 directly and re-compiled the class to generate SDU. class file, and then convert the czd. decompress jar (either rar, jar, or ZIP software) and use the newly generated SDU. class to replace the original file, and then re-package it with JAR, put it back to the original place, but found that it is still not easy to use.

Later, I took a closer look at the SystemInfoAction class. It turns out that other SDU fields are useful.

If (SDU. fk ){
StringBuilder sb = new StringBuilder ();
Sb. append ("");
Sb. append ("<span class = 'admintextfloatleft'> ");
Sb. append (String. valueOf (ECMLoader. getSDU (). ki ()));
Sb. append ("</span> ");

If (ECMLoader. getSDU (). cd ())
Sb. append ("<a href = 'javascript: void (0) 'class = 'btnnormal' onclick = 'showwindow (\" Activate encryption lock \", \ "/admin/activate.html \"); '> <span> reactivate the encryption lock </span> </a> ");
Else {
Sb. append ("<a href = 'javascript: void (0) 'class = 'btnnormal' onclick = 'showwindow (\" Activate encryption lock \", \ "/admin/activate.html \"); '> <span> activate the encryption lock </span> </a> ");
}
This. infos. add (new NameValuePair ("encryption lock number", sb. toString ()));

In particular, SDU. fk. Read the SDU. cd () code carefully.

Public boolean cd ()
{
Coc = 5;
OnlineUser. limitOnlineUserToTrial ();
Return false;
}

It is easy to understand that although coc started initialization, it was later changed back. simply remove all the code in cd () and return true directly.

Then you can see this section in package zd. dms. service. config. SystemConfigManager.

Public String getProductNameAndEdition (){
String productAndEdition = "resulting E6 collaborative document management system ";
ECMLoader. getSDU (); if (SDU. fk ){
If (ECMLoader. getSDU (). wdp ())
ProductAndEdition = productAndEdition + "(Professional Edition )";
Else if (ECMLoader. getSDU (). wdw ())
ProductAndEdition = productAndEdition + "(graphic version )";
Else if (ECMLoader. getSDU (). wdu ())
ProductAndEdition = productAndEdition + "(flagship edition )";
Else
ProductAndEdition = productAndEdition + "(Standard Edition )";
}
Else {
ProductAndEdition = productAndEdition + "(free version )";
}

Return productAndEdition;
}

This is SDU. the functions of fk, wdp (), wdw (), and wdu () indicate different versions, regardless of the features of each version, I feel that the "flagship version" should be the best, simply go to the "flagship edition" and modify the corresponding functions based on the above Code.

Public String ki ()
{
Return "";
}

Public boolean cd ()
{
Return true;
}

Public boolean dv ()
{
Return false;
}
Public boolean wdt ()
{
Return false;
}

Public boolean wdp ()
{
Return false;
}

Public boolean wdw ()
{
Return false;
}

Public boolean wdu ()
{
Return true;
}

Public boolean fk ()
{
Return true;
}

Modify the initialization of several fields during initialization

Public static int coc = 99999;

Public static boolean fk = true;

Private static boolean itd = true;

Here, the code is poorly written. Since fk is defined as public, why do I still write a function fk ()?

Then re-compile and replace SDU. class. Everything is normal. The logon IP address restriction function is added when users are added.

Get it done, go to bed.

C # Java Development is really fast, but it is troublesome to implement Software Encryption and restrictions. I don't remember who said it. There is a truth: "There is no secret in front of the source code ". In fact, C # and Java generally refer to compilers as just translators. to translate them into a common intermediate language, it is easy to translate them. To truly encrypt them, it still takes some time to work with C ++.

By the way, the software developer is prompted to confuse them with obfuscators before the next release, especially when renaming some variables with non-visible characters, in this way, it is a bit difficult to read the decompiled code.

As a result, some complex operations, such

Public String eci ()
{
If (StringUtils. isNotBlank (hid )){
Return hid;
}

String cpuId = HI2.getCPUId ();
String biosSN = HI2.getBiosSN ();
String hardId = cpuId + ":" + biosSN;
Byte [] encoded = Base64.encodeBase64 (hardId. getBytes ());
Hid = new String (encoded );
Return hid;
}

What CPUID and BIOSID do not make any sense. We need to clarify the language in principle and consider how to protect software copyrights in combination with C/C ++, it is more difficult to crack the code after being compiled into binary using C/C ++.

Sleeping. Let's talk about Software Encryption in another day.