BlackBerry

Everything can be reversed. Everything.

By July 25, 2010 Post a comment
Filed Under  , , ,

I recently started reverse engineering BlackBerry applications.  I have done it before, but this time around, I focused a lot more effort and energy on it.  In short, BlackBerry apps can be decompiled; enough to the point where you can begin to write keygens for them.  Yes, much like back in the good old days.  I’ll spare everyone the details suffice it to say that I took the BlackBerry compiler that converts .java files to .cod files and I made it reverse its core task and spit out the BlackBerty bytecode instead of .cod files.  Bytecode that runs on the BlackBerry specific JVM.

The fundamental thing about reverse engineering is that you absolutely need to know how things work in forward first.  You cannot reverse without knowing how things go forwards.  So I studied the compilation process in depth and discovered that the compilation is a three-step process.  The BlackBerry compile process is not, in actuality, something magical.  It first runs javac on a plain old .java file.  The resulting .class file is then preverified (a process by which you alter the class file in a way that you save the device JVM significant processing time).  After this, the BlackBerry compiler (rapc.jar) is executed to covert the .class file into a .cod file.  This .cod file is significantly smaller than the .class file.  It also appears to be compressed.  It is not a simple task to reverse this process.  Primarily because rapc.jar is obfuscated like a mofo and you need to spend countless hours refactoring and getting things to play well together.  But you don’t want to hear that do you?  No, instead you want to hear that I am able to reverse .cod files to the point at which I have pristine .java source code, right?  Well, yes.  I can do that.

As I often need to appease my evil personality, I did what most anyone else in my position would do.  I looked at a few programs out there to see if I can bypass their license key requirements.  The result?  Can you say “Shooting fish in a barrel”?  Ordinarily, I would take this moment to chide all the developers out there to use better protection, I am not going to do this today.  These days, any capable person with a laptop can write and sell applications for the iPhone or the BlackBerry.  Gone are the days where you see only larger software houses publishing commercial applications.  Now just about anyone can do it.  What each individual is willing to lose to piracy and the amount of effort they wish to spend on writing software protection is entirely up to them.  All I’m going to do today is say this: Everything can be reversed.  Everything.

Don’t be lulled into a false sense of security that when you write an app for the BlackBerry, your code is safe; it is not.  Your commercial protections CAN and WILL be broken.  Unless you want to lose money to this problem, the only suggestion I can offer is to consider spending more effort in designing better protections.  If not, then just forget it and go about your business as you normally would.  But be aware that an increasing number of people have the means to reverse your code.  It will only be a matter of time before sites will pop up with real working keygens that you can run on your BlackBerry device.  It will be like the second coming of the PC era where good old DOS games had keygens and keygenning groups flourished.  For those interested, what would good protection consist of?

  • Don’t do any calculations within your app that you can compare to.
  • Consider activating your app over the internet.
  • When activating your app over the internet, use SSL, and more important, VERIFY your server certificate.
  • If you need to offer trials, write two separate programs: 1 less functional trial and 1 full featured version.

To sum up, make sure that you protect what is important to you.  If your application generates revenue for you, then you will want to protect it.  Spend a little extra effort on designing a better software protection framework.  To everyone those who don’t know where to start, the company I work for offers consulting on this subject.  Get in touch with me if you’re serious about it.

  • A A

    Impressive work. Are you likely to release a decompiler? What sort of persuasion would you need :)

  • Robert Dunn

    How about reverse-engineering the Blackberry OS?

  • Pingback: Puttering around with BlackBerry forensics — Part 2 | Chirashi Security

  • _M_

    Intreresting article.. I’ve googled till exhaustion and you are the only one that states that can produce clear Java code. Until know I was only able to test codec, and although it prodices some code there are still plenty of opcodes that do not have clear Java translation.

    Are you going to release your code? Assuming you are not going to do it, any clues on how should I proceed to reproduce your work? You already spotted out couple of things I did know which is preverify and rapc.jar are the clue..

    Anything else?
     

    • Anonymous

      All I can say is start with rapc.jar. Decompile it and do your best to deobfuscate it without losing your mind. Since I’m already recovering in a mental institution after this process, I have been forbidden from releasing anything to the public for fear that I will relapse. I used both JD-GUI as well as JAD to decompile the file. The more decompilers you have the better (try the others like Cavaj, Sable/Dava, etc). Use Eclipse. Its the shizz. 

      Once you have rapc running from Eclipse, you can begin to take rapc apart. There is a distinct set of modules in rapc that will take a class file’s members, attributes and properties, etc and convert them to a .cod file. Some parts are done using a lookup table for bytecode. You will find this table inside rapc.jar. Your goal is to take a .cod file and bring it back into a .class file (all the resources to do this are in rapc.jar). To get java code, all you have to do is decompile the class file. Good luck. I’ll save you a seat in my ward. Ooh Friday is lime jello day!!