BurpUnlimited — Just extends BurpLoader’s license

First of all, I usually use the Burpsuite free version rather than the pro version. Recently, a friend introduced me some good plugins for Burpsuite. So, I think there are many useful plugins in store’s Burpsuite. Unfortunately, they just run on Burpsuite pro.

My visa card has some problems, so I temporary cannot buy the pro license. During waiting for the bank, I tried to find “some free” for the license. Luckily, I found BurpLoader by larry_lau. It make me able to use Burpsuite Pro without any license.

However, when use BurpLoader, I wonder some things:

1. Who is larry_lau? Why don’t have any official page for BurpLoader hosting? I really don’t know my version which I used is malware or not.
2. Cracking Burpsuite is hard or not? Why is there no other tool besides the BurpLoader?
3. How can I get an unlimited version? Why is his license only 1 year (Current version is expired on Dec 2nd 2017)

I tried to find answers by Google. However, it does not seem much information.

Some link I tried: http://0xd0m7.blogspot.com/2016/04/analizing-burploaderjar-larry-lau.html http://www.hahwul.com/2017/06/hacking-analyzing-burploaderjar-in-burp.html However, they are almost useless and do not have much information.

So, nobody does, I do!

There are 3 parts in my BurpUnlimited series:
Part 1: Here, post quickly the final result, my project BurpUnlimited which extend current BurpLoader’s license and remove some unclear class in BurpLoader.
Part 2: Java reverse engineering — Some things for begginer
Part 3: Java reverse engineering — Some advance techniques for BurpLoader and Burpsuite analysis.

Part 1: BurpUnlimited — Just extends BurpLoader’s license

Important note: This project is NOT intended to replace BurpLoader. It just EXTENDS BurpLoader’s license!

Project name: BurpUnlimited

What is this?

This is a tools which helps user’s BurpLoader continue use after expired at Dec 2nd 2017.

In addition, there are 2 difference features which are not in BurpLoader:

How do I do it?

There are some techniques which I used in this project (more details will talked in Part 2 and Part 3):

  • Decompile BurpLoader to get source code rebuild my own project which remove many obfuscated code.
  • I used javaagent technique for somethings:
    + Compare all class’s BurpLoader at runtime with original class’s BurpPro at runtime to review all change which is maked by BurpLoader. That helps me to know what exactly did it do.
    + After review, Javaagent helps me remove some unclear code in TestDisclaimer class’s BurpLoader.

+ Javaagent also helps me change default license class in BurpPro to extend time (to Sep 2nd 9999) and change license name (add more “Unlimited by mxcx@fosec.vn”)

How to use?
From command line:

java -javaagent:BurpUnlimited.jar -agentpath:lib/libfaketime<osverion> -jar BurpUnlimited.jar

From GUI, double click on BurpUnlimited.jar (set permision before)

Notes:

  1. There are some requirements files in lib at current folder:

2. For windows, vcredist is required: https://www.microsoft.com/en-gb/download/details.aspx?id=48145

3. The folder for_windows_if_you_dont_wanna_install_vcredist is for anyone who don’t wana install vcredist, please chose the file for x64 or x86, rename to vcruntime140.dll and copy to BurpUnlimited.jar’s folder

4. To have no unexpected error, please leave all file in the folders which have not any space character (including java binary file in case not run with default java).

5. This version is tested run stable on MACOSX 64 bit, Ubuntu 64 bit, Windows 64 and 32 bit. If you have any error in starting, please try some ways:

Hash MD5 version release 1

BurpUnlimited.zip 006b62bf925a4acb27392f8ab820fd14 
BurpUnlimited.jar 5cf68ad0cc2d4ee265d0da1469decf21

This project references some codes and some projects bellow:

I'm a developer working in cyber security. My regularly IDE is MS Word.