Description of the Exercise

Imagine that you have just implemented a Java version of a console application called “Password Vault” that helps computer users create and manage their passwords in a secure and convenient way.  Before releasing a limited trial version of the application on your company’s Web site, you would like to understand how difficult it would be for a reverse engineer to circumvent a limitation in the trial version that exists to encourage purchases of the full version; the trial version of the application limits the number of password records a user may create to five. The Java version of the Password Vault application was developed to provide a non-trivial application for reversing exercises without the myriad of legal concerns involved with reverse engineering software owned by others. The Java version of the Password Vault application employs 128-bit AES encryption, using Sun’s Java Cryptography Extensions (JCE), to securely store passwords for multiple users—each in separate, encrypted XML files.

Software for the Exercise

Password Vault Java Trial Application
FrontEnd Plus (java bytecode decompiler)
Jad (java bytecode decompiler) (if you prefer to work at the command-line)

Solution for the Exercise

For instructional purposes, an animated solution that demonstrates the complete end-to-end reverse engineering of the Java Password Vault application was created. The tutorial begins with the Java Password Vault application, FrontEnd Plus, and a Java JDK installed on Windows®. Note: viewing the animation requires a Flash player, such as Ruffle.

Java Bytecode Reversing and Patching Exercise Animated Solution