First of all, I usually use the Burpsuite free version rather than the Pro version. Recently, a friend introduced me to some good plugins for Burpsuite. So, I think there are many useful plugins in Burpsuite’s store. Unfortunately, they only run on Burpsuite Pro.
My Visa card has some problems, so I temporarily cannot buy the Pro license. While waiting for the bank, I tried to find “something free” for the license. Luckily, I found BurpLoader by larry_lau. It makes me able to use Burpsuite Pro without any license.
However, when using BurpLoader, I wondered about some things:
1. Who is larry_lau? Why is there no official page hosting BurpLoader? I really don’t know whether the version I used is malware or not.
2. Is cracking Burpsuite hard or not? Why is there no other tool besides BurpLoader?
3. How can I get an unlimited version? Why is his license only 1 year? (The current version expires on Dec 2nd 2017.)
I tried to find answers with Google. However, there does not seem to be much information.
So, nobody does, I do!
There are 3 parts in my BurpUnlimited series:
Part 1: Here, I quickly post the final result, my project BurpUnlimited, which extends the current BurpLoader’s license and removes some unclear classes in BurpLoader.
Part 2: Java reverse engineering — Some things for beginners
Part 3: Java reverse engineering — Some advanced techniques for BurpLoader and Burpsuite analysis.
Part 1: BurpUnlimited — Just extends BurpLoader’s license
Important note: This project is NOT intended to replace BurpLoader. It just EXTENDS BurpLoader’s license!
Project name: BurpUnlimited
- Created by: mxcx [at] fosec.vn
- Email: firstname.lastname@example.org
- Based on: BurpLoader by larry_lau
- Repos: https://burpunlimited.sourceforge.io/
- Current release: https://sourceforge.net/projects/burpunlimited/files/BurpUnlimited.zip/download
What is this?
This is a tool which helps BurpLoader users continue to use it after it expired on Dec 2nd 2017.
In addition, there are 2 different features which are not in BurpLoader:
- It has an official page for download at https://burpunlimited.sourceforge.io/
- It’s open source at https://sourceforge.net/p/burpunlimited/code/ci/master/tree/
How do I do it?
There are some techniques which I used in this project (more details will be discussed in Part 2 and Part 3):
- Decompile BurpLoader to get the source code and rebuild my own project, which removes much of the obfuscated code.
- I used the javaagent technique for several things:
+ Compare all of BurpLoader’s classes at runtime with BurpPro’s original classes at runtime to review all changes made by BurpLoader. That helps me know exactly what it did.
+ After the review, the javaagent helps me remove some unclear code in BurpLoader’s TestDisclaimer class.
+ The javaagent also helps me change the default license class in BurpPro to extend the time (to Sep 2nd 9999) and change the license name (adding “Unlimited by email@example.com”).
- In addition, I also used a native agent (https://github.com/faketime-java/faketime) to change the time during the validation phase and restore the true time after validation succeeds.
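A defender-side counterpart to the class comparison described above, as an added example that is not part of the original post or of BurpUnlimited: a static first pass over an untrusted loader jar that reports whether its manifest declares a Java agent and which class entries differ from a reference jar. It swaps the post's runtime comparison for a file-level one, so changes an agent applies in memory are not visible to it; the jar contents, class names and helper names are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Manifest attributes that make a jar loadable via -javaagent or dynamic attach.
AGENT_KEYS = {"Premain-Class", "Agent-Class", "Can-Redefine-Classes", "Can-Retransform-Classes"}

def class_digests(jar_bytes):
    """Map every .class entry in the jar to the SHA-256 of its bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {name: hashlib.sha256(jar.read(name)).hexdigest()
                for name in jar.namelist() if name.endswith(".class")}

def agent_attributes(jar_bytes):
    """Return the manifest attributes that declare the jar a Java agent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return {}
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    # Long manifest lines are wrapped; a continuation starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    attrs = dict(l.split(": ", 1) for l in text.split("\n") if ": " in l)
    return {k: v for k, v in attrs.items() if k in AGENT_KEYS}

def diff_jars(reference, suspect):
    """Classify class entries as added, removed or modified vs. the reference."""
    ref, sus = class_digests(reference), class_digests(suspect)
    return {"added": sorted(sus.keys() - ref.keys()),
            "removed": sorted(ref.keys() - sus.keys()),
            "modified": sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n])}

def build_jar(entries):
    """Build an in-memory jar from {entry name: bytes} (sample-data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample jars; names and bytes are made up, not real Burp content.
REFERENCE = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
                       "app/Main.class": b"\xca\xfe\xba\xbe main v1",
                       "app/Check.class": b"\xca\xfe\xba\xbe check v1"})
SUSPECT = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nPremain-Class: loader.Hook\r\n",
                     "app/Main.class": b"\xca\xfe\xba\xbe main v1",
                     "app/Check.class": b"\xca\xfe\xba\xbe check v2",
                     "loader/Hook.class": b"\xca\xfe\xba\xbe hook"})

if __name__ == "__main__":
    print(agent_attributes(SUSPECT), diff_jars(REFERENCE, SUSPECT))
```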
How to use?
From command line:
java -javaagent:BurpUnlimited.jar -agentpath:lib/libfaketime<osversion> -jar BurpUnlimited.jar
From the GUI, double-click on BurpUnlimited.jar (set the permission beforehand)
1. There are some required files in lib in the current folder:
- burpsuite_pro_v1.7.26.jar is the main object
- libfaketime*: library for hooking the time during activation. Source code is at https://github.com/faketime-java/faketime
2. For Windows, vcredist is required: https://www.microsoft.com/en-gb/download/details.aspx?id=48145
3. The folder for_windows_if_you_dont_wanna_install_vcredist is for anyone who doesn’t want to install vcredist. Please choose the file for x64 or x86, rename it to vcruntime140.dll and copy it to BurpUnlimited.jar’s folder.
4. To avoid unexpected errors, please keep all files in folders whose paths contain no space characters (including the java binary file, in case you do not run with the default java).
5. This version has been tested and runs stably on Mac OS X 64-bit, Ubuntu 64-bit, and Windows 64-bit and 32-bit. If you get any error on startup, please try the following:
- Manually change your date and time to before 01/10/2017
- Build your own libfaketime; the source code is at https://github.com/faketime-java/faketime
- Or contact me at firstname.lastname@example.org
Hash MD5 version release 1
This project references some code and some projects below:
- Decompiled BurpLoader by larry_lau