0xcb posted on 2015-6-11 10:24:50

Synalyze It! Pro v1.11.2 cracking process + bin

This post was last edited by wx_f1Jji177 on 2015-6-11 10:43

-------------------------------------------------------------------

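#Synalyze It! Pro v1.11.2 is currently the latest version. It is similar to 010 Editor and offers data models, syntax highlighting, script execution and other features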

-------------------------------------------------------------------

www.synalysis.net -> (http://www.synalysis.net)

!(http://www.synalysis.net/_Media/screenshot1_med.png)

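Imagine...

You have a binary file and don't know what it contains. Or you have a specification, but don't want to manually decode the binary files that some software creates.

Have you ever looked at a hex dump and thought how hard it is to make sense of it, and to remember what all the bits and bytes mean?

You've come to the right place! Synalyze It! lets you create interactive grammars for your binary files. Unlike with regular hex editors or viewers, files are interpreted for you automatically! Analyzing binary files has never been so easy.

In addition, Synalyze It! is a full-featured hex editor for Mac OS X that lets you edit files of any size using dozens of text encodings, and explains what the bytes mean.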

### Main features: (http://www.synalysis.net/additional-features.html)

**Hex editing**

Synalyze It! allows editing of files of any size without delay. Even copying of data of any size via clipboard is possible.
When you insert a string from the clipboard, the selected encoding is applied, of course. This enables you to convert text from one encoding to another easily.

**Compute checksums**

Compute various checksums for the selected bytes

**Export data relationships for visualization**

Visualize your grammars by exporting to .dot (GraphViz) files

**Data view**

Display the selection in different number and color representations

**Print preview**

Print the hex view with or without text and mapped structures

**Save selected bytes**

Selected bytes can be written to disk directly

**Go to a position**

Directly jump to a specific file offset (decimal or hex)

**Go to a position from the toolbar**

Jump to positions entering expressions

**Data statistics**

Let Synalyze It! count the occurrence of each byte in a file.

**Compare byte values in different encodings**

Check the text encoding (ASCII/EBCDIC) of some hex values

**Incremental text search with encoding selection**

Search text incrementally using one of dozens of code pages

**Find numbers: 8-64 bit signed/unsigned, little/big endian**

Find a number in a file instantly and jump directly to the findings

**Find byte sequences matching a mask**

Find all places in a file that match a certain bit mask

**Find strings**

See all strings with a certain encoding

Find all strings in a file like with the Unix strings command

**Extensible syntax highlighting with scripts**

Write Python or Lua scripts where the "static" grammar is not enough

**Grammars support powerful expressions**

Structure and element sizes as well as repeat counts can contain complex formulas

---------------------------------------------------------------------------
**1. After the trial expires, launching the app prints log output:**

      0xcb@cb.cn ~/Desktop> cd Synalyze\ It!\ Pro.app/Contents/MacOS/
      0xcb@cb.cn ~/D/S/C/MacOS> ./Synalyze\ It!\ Pro
      2015-06-11 00:07:35.804 Synalyze It! Pro Encountered error 'Invalid product key' ('91')
      2015-06-11 00:07:35.804 Synalyze It! Pro Encountered error 'Invalid product key' ('91')
---------------------------------------------------------------------------
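**2. So first debug to locate where the license is verified: open `Synalyze It! Pro` in `lldb`, set a breakpoint on the logging function `NSLogv`, then run the program. The breakpoint hits at `0x7fff9349f2dd NSLogv` in Foundation.framework. Look at the call stack; from the method names it is easy to find the verification method that pops up the expiry window: `- + 80`**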

      0xcb@cb.cn ~/Desktop> lldb Synalyze\ It!\ Pro.app
      (lldb) target create "Synalyze It! Pro.app"
      Current executable set to 'Synalyze It! Pro.app' (x86_64).
      (lldb) br s -n NSLogv
      Breakpoint 1: where = Foundation`NSLogv, address = 0x00000000000442dd
      (lldb) r
      Process 2873 launched: '/Users/0xcb/Desktop/Synalyze It! Pro.app/Contents/MacOS/Synalyze It! Pro' (x86_64)
      Process 2873 stopped
      * thread #1: tid = 0x11181, 0x00007fff9349f2dd Foundation`NSLogv, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
          frame #0: 0x00007fff9349f2dd Foundation`NSLogv
      Foundation`NSLogv:
      -> 0x7fff9349f2dd: pushq  %rbp
         0x7fff9349f2de: movq   %rsp, %rbp
         0x7fff9349f2e1: pushq  %r15
         0x7fff9349f2e3: pushq  %r14
      (lldb) bt
      * thread #1: tid = 0x11181, 0x00007fff9349f2dd Foundation`NSLogv, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
        * frame #0: 0x00007fff9349f2dd Foundation`NSLogv
          frame #1: 0x00000001000368fe Synalyze It! Pro`_LogTraceMessage + 51
          frame #2: 0x000000010006ffe5 Synalyze It! Pro`TraceMessage + 1064
          frame #3: 0x000000010006fb79 Synalyze It! Pro`TraceFatal + 185
          frame #4: 0x0000000100067f09 Synalyze It! Pro`- + 329
          frame #5: 0x00007fff95d063ac AppKit`- + 450
          frame #6: 0x00007fff95cecfa6 AppKit`- + 110
          frame #7: 0x0000000100067ba3 Synalyze It! Pro`- + 32
          frame #8: 0x0000000100067db9 Synalyze It! Pro`- + 121
          frame #9: 0x0000000100068179 Synalyze It! Pro`- + 36
          frame #10: 0x000000010006820e Synalyze It! Pro`- + 80
          frame #11: 0x0000000100035a74 Synalyze It! Pro`- + 587
          frame #12: 0x00007fff8ec54e0c CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 12
          frame #13: 0x00007fff8eb4882d CoreFoundation`_CFXNotificationPost + 2893
          frame #14: 0x00007fff9345ddda Foundation`- + 68
          frame #15: 0x00007fff95a78b69 AppKit`- + 289
          frame #16: 0x00007fff95a7889c AppKit`- + 195
          frame #17: 0x00007fff95a75786 AppKit`- + 570
          frame #18: 0x00007fff95a751db AppKit`- + 242
          frame #19: 0x00007fff9347c52a Foundation`- + 294
          frame #20: 0x00007fff9347c39d Foundation`_NSAppleEventManagerGenericHandler + 106
          frame #21: 0x00007fff95791e1f AE`aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) + 381
          frame #22: 0x00007fff95791c32 AE`dispatchEventAndSendReply(AEDesc const*, AEDesc*) + 31
          frame #23: 0x00007fff95791b36 AE`aeProcessAppleEvent + 315
          frame #24: 0x00007fff97e39161 HIToolbox`AEProcessAppleEvent + 56
          frame #25: 0x00007fff95a710b6 AppKit`_DPSNextEvent + 1026
          frame #26: 0x00007fff95a7089b AppKit`- + 122
          frame #27: 0x00007fff95a6499c AppKit`- + 553
          frame #28: 0x00007fff95a4f783 AppKit`NSApplicationMain + 940
          frame #29: 0x000000010006a155 Synalyze It! Pro`main + 97
          frame #30: 0x0000000100001934 Synalyze It! Pro`start + 52
      (lldb)

**3. Next, look at the disassembly of that method: `- + 80`**

      (lldb) frame select 10
      frame #10: 0x000000010006820e Synalyze It! Pro`- + 80
      Synalyze It! Pro`- + 80:
      -> 0x10006820e: jmp    0x100068231               ; - + 115
         0x100068210: leaq   0x191563d(%rip), %rcx     ; "<unknown>"
         0x100068217: leaq   0x18fc6cc(%rip), %rdi     ; "/Users/ape/projects/Synalyze-It/Cocoa/TurboActivateController.m"
         0x10006821e: leaq   0x1915665(%rip), %rdx     ; "Encountered error '%s' ('%d')"
      (lldb) dis
      Synalyze It! Pro`-:
         0x1000681be: pushq  %rbp
         0x1000681bf: movq   %rsp, %rbp
         0x1000681c2: pushq  %rbx
         0x1000681c3: pushq  %rax
         0x1000681c4: movq   %rdi, %rbx
         0x1000681c7: movb   $0x0, -0x9(%rbp)
         0x1000681cb: leaq   -0x9(%rbp), %rdi
         0x1000681cf: callq  0x100069fce               ; LicenseQueryActivatedOrInTrialTA
         0x1000681d4: movl   %eax, %r8d
         0x1000681d7: testl  %r8d, %r8d
         0x1000681da: je     0x1000681f5               ; - + 55
         0x1000681dc: cmpl   $0xda, %r8d
         0x1000681e3: ja     0x100068210               ; - + 82
         0x1000681e5: movslq %r8d, %rax
         0x1000681e8: leaq   0x19b6201(%rip), %rcx     ; GioMemFunctions + 88
         0x1000681ef: movq   (%rcx,%rax,8), %rcx
         0x1000681f3: jmp    0x100068217               ; - + 89
         0x1000681f5: cmpb   $0x0, -0x9(%rbp)
         0x1000681f9: jne    0x100068231               ; - + 115
         0x1000681fb: movq   0x19e6426(%rip), %rsi     ; "showWindow:"
         0x100068202: movq   %rbx, %rdi
         0x100068205: movq   %rbx, %rdx
         0x100068208: callq  *0x199d16a(%rip)          ; (void *)0x00007fff94c85080: objc_msgSend
      -> 0x10006820e: jmp    0x100068231               ; - + 115
         0x100068210: leaq   0x191563d(%rip), %rcx     ; "<unknown>"
         0x100068217: leaq   0x18fc6cc(%rip), %rdi     ; "/Users/ape/projects/Synalyze-It/Cocoa/TurboActivateController.m"
         0x10006821e: leaq   0x1915665(%rip), %rdx     ; "Encountered error '%s' ('%d')"
         0x100068225: movl   $0xe5, %esi
         0x10006822a: xorl   %eax, %eax
         0x10006822c: callq  0x10006fac0               ; TraceFatal
         0x100068231: addq   $0x8, %rsp
         0x100068235: popq   %rbx
         0x100068236: popq   %rbp
         0x100068237: retq
      (lldb)

**4. Find the suspicious call: `0x1000681cf: callq 0x100069fce ; LicenseQueryActivatedOrInTrialTA`, and step in to look:**

      (lldb) dis -s 0x100069fce -c 36
      Synalyze It! Pro`LicenseQueryActivatedOrInTrialTA:
         0x100069fce: pushq  %rbp
         0x100069fcf: movq   %rsp, %rbp
         0x100069fd2: pushq  %r14
         0x100069fd4: pushq  %rbx
         0x100069fd5: subq   $0x10, %rsp
         0x100069fd9: movq   %rdi, %r14
         0x100069fdc: movb   $0x0, -0x11(%rbp)
         0x100069fe0: leaq   -0x11(%rbp), %rdi
         0x100069fe4: callq  0x100069f83               ; LicenseQueryActivatedTA
         0x100069fe9: movl   %eax, %ebx
         0x100069feb: testl  %ebx, %ebx
         0x100069fed: je     0x10006a007               ; LicenseQueryActivatedOrInTrialTA + 57
         0x100069fef: cmpl   $0xda, %ebx
         0x100069ff5: ja     0x10006a015               ; LicenseQueryActivatedOrInTrialTA + 71
         0x100069ff7: movslq %ebx, %rax
         0x100069ffa: leaq   0x19b43ef(%rip), %rcx     ; GioMemFunctions + 88
         0x10006a001: movq   (%rcx,%rax,8), %rcx
         0x10006a005: jmp    0x10006a01c               ; LicenseQueryActivatedOrInTrialTA + 78
         0x10006a007: cmpb   $0x0, -0x11(%rbp)
         0x10006a00b: je     0x10006a044               ; LicenseQueryActivatedOrInTrialTA + 118
         0x10006a00d: movb   $0x1, (%r14)
         0x10006a011: xorl   %ebx, %ebx
         0x10006a013: jmp    0x10006a039               ; LicenseQueryActivatedOrInTrialTA + 107
         0x10006a015: leaq   0x1913838(%rip), %rcx     ; "<unknown>"
         0x10006a01c: leaq   0x18fb039(%rip), %rdi     ; "/Users/ape/projects/Synalyze-It/c/LicensingTurbo.c"
         0x10006a023: leaq   0x1913860(%rip), %rdx     ; "Encountered error '%s' ('%d')"
         0x10006a02a: movl   $0x147, %esi
         0x10006a02f: xorl   %eax, %eax
         0x10006a031: movl   %ebx, %r8d
         0x10006a034: callq  0x10006fac0               ; TraceFatal
         0x10006a039: movl   %ebx, %eax
         0x10006a03b: addq   $0x10, %rsp
         0x10006a03f: popq   %rbx
         0x10006a040: popq   %r14
         0x10006a042: popq   %rbp
         0x10006a043: retq
      (lldb)

**5. An obvious call that queries the activation status: `0x100069fe4: callq 0x100069f83 ; LicenseQueryActivatedTA`. Look at that function's disassembly:**

      (lldb) dis -s 0x100069f83 -c 28
      Synalyze It! Pro`LicenseQueryActivatedTA:
         0x100069f83: pushq  %rbp
         0x100069f84: movq   %rsp, %rbp
         0x100069f87: pushq  %rbx
         0x100069f88: pushq  %rax
         0x100069f89: movq   %rdi, %rbx
         0x100069f8c: leaq   0x18fb102(%rip), %rdi     ; "202385488551004732b6fe35.69803382"
         0x100069f93: callq  0x100443cc2               ; symbol stub for: IsActivated
         0x100069f98: cmpl   $0x1, %eax
         0x100069f9b: jne    0x100069fa4               ; LicenseQueryActivatedTA + 33
         0x100069f9d: movb   $0x0, (%rbx)
         0x100069fa0: xorl   %ecx, %ecx
         0x100069fa2: jmp    0x100069fc5               ; LicenseQueryActivatedTA + 66
         0x100069fa4: testl  %eax, %eax
         0x100069fa6: jne    0x100069faf               ; LicenseQueryActivatedTA + 44
         0x100069fa8: movb   $0x1, (%rbx)
         0x100069fab: xorl   %ecx, %ecx
         0x100069fad: jmp    0x100069fc5               ; LicenseQueryActivatedTA + 66
         0x100069faf: movl   $0x72, %ecx
         0x100069fb4: cmpl   $0x19, %eax
         0x100069fb7: ja     0x100069fc5               ; LicenseQueryActivatedTA + 66
         0x100069fb9: cltq
         0x100069fbb: leaq   0x18a76be(%rip), %rcx     ; alertNativeButtonIndexAndTypeToButtonIndex + 48
         0x100069fc2: movl   (%rcx,%rax,4), %ecx
         0x100069fc5: movl   %ecx, %eax
         0x100069fc7: addq   $0x8, %rsp
         0x100069fcb: popq   %rbx
         0x100069fcc: popq   %rbp
         0x100069fcd: retq

**6. Found the function and one fixed argument: `0x100069f93: callq 0x100443cc2 ; symbol stub for: IsActivated`. Argument: "202385488551004732b6fe35.69803382". Keep following:**

      (lldb) dis -s 0x100443cc2 -c 5
      Synalyze It! Pro`symbol stub for: IsActivated:
         0x100443cc2:jmpq   *0x15c1b70(%rip)          ; (void *)0x0000000101f75e18: IsActivated
      
      Synalyze It! Pro`symbol stub for: IsDateValid:
         0x100443cc8:jmpq   *0x15c1b72(%rip)          ; (void *)0x000000010044488e
      
      Synalyze It! Pro`symbol stub for: TrialDaysRemaining:
         0x100443cce:jmpq   *0x15c1b74(%rip)          ; (void *)0x0000000101f750b9: TrialDaysRemaining
      
      Synalyze It! Pro`symbol stub for: UseTrial:
         0x100443cd4:jmpq   *0x15c1b76(%rip)          ; (void *)0x0000000101f751f8: UseTrial
      
      Synalyze It! Pro`symbol stub for: NSDivideRect:
         0x100443cda:jmpq   *0x15c1b78(%rip)          ; (void *)0x00000001004448ac
         (lldb)

**7. Here we reach the symbol table, which jumps to a system symbol: look up the image that contains the `IsActivated` symbol.**

      (lldb) image lookup -r -n IsActivated
      1 match found in /Users/0xcb/Desktop/Synalyze It! Pro.app/Contents/MacOS/./libTurboActivate.dylib:
                Address: libTurboActivate.dylib (libTurboActivate.dylib.__TEXT.__text + 79288)
                Summary: libTurboActivate.dylib`IsActivated
      (lldb)

**8. Conclusion: the call that checks whether the app is activated is in the dynamic library `libTurboActivate.dylib`:**

---------------------------------------------------------------------------

**9. Locate the `libTurboActivate.dylib` library and view its strings:**

      0xcb@cb.cn ~/Desktop> cd Synalyze\ It!\ Pro.app/Contents/MacOS/
      0xcb@cb.cn ~/D/S/C/MacOS> ls
                Synalyze It! Pro       TurboActivate.dat      libTurboActivate.dylib
      0xcb@cb.cn ~/D/S/C/MacOS> strings libTurboActivate.dylib
                Could not create new curl instance
                TurboActivate/3.4.0.0 (http://wyday.com/limelm/)
                socks=
                http=
                (proxies != NULL) == (error == NULL)
                /Users/wyatt/source/turboactivate/Library/ProxyResolverMac.cpp
                resultPtr != NULL
                *resultPtr == NULL
                proxies != NULL
                expandedProxiesPtr != NULL
                *expandedProxiesPtr == NULL
                thisProxy != NULL
                CFGetTypeID(thisProxy) == CFDictionaryGetTypeID()
                proxyType != NULL
                CFGetTypeID(proxyType) == CFStringGetTypeID()
                scriptURL != NULL
                CFGetTypeID(scriptURL) == CFURLGetTypeID()
                com.apple.dts.CFProxySupportTool
                result != NULL
                false
                (err == noErr) == (*expandedProxiesPtr != NULL)
                scheme != NULL
                HTTP
                GetProxiesForURL
                CreateProxyListWithExpandedPACProxies
                ResultCallback
                /Users/wyatt/source/cryptopp/secblock.h
                m_register.size() > 0
                /Users/wyatt/source/cryptopp/modes.h
                !"ProcessRecoverableMessage() not implemented"
                /Users/wyatt/source/cryptopp/pubkey.h
                /Users/wyatt/source/cryptopp/filters.h
                /Users/wyatt/source/cryptopp/cryptlib.h
                ......
                ......
                (rest omitted)
                ......

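**10. Found a useful lead: http://wyday.com/limelm/. Go to the site (http://wyday.com/limelm/), register and look around, and download the SDK for this module. Then write your own SDK with the same interface, put it into the folder `Synalyze\ It!\ Pro.app/Contents/MacOS/` and replace `libTurboActivate.dylib`; after that the app is in the licensed state :)**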





---------------------------------------------------------------------------

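####Summary: Originally I brute-force patched several functions of libTurboActivate.dylib with Hopper Disassembler; later, searching the strings turned up the support site for this dynamic library, and I followed that trail. In theory this works on all earlier versions too :)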

---------------------------------------------------------------------------
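
Read from the vendor's or an auditor's side, the walkthrough above comes down to one fact: the app loads `libTurboActivate.dylib` by name from its own `Contents/MacOS/` directory, and the activation answer is decided inside that file. The following Python check is an added example, not part of the original post or of either vendor's code; it pins SHA-256 digests of the shipped files at release time and reports any file that was later changed, removed or added. The bundle name `Example.app` and the placeholder file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(macos_dir: Path) -> dict:
    """Release-time step: pin the digest of every file shipped in Contents/MacOS."""
    return {p.name: sha256_file(p) for p in sorted(macos_dir.iterdir()) if p.is_file()}

def audit_bundle(macos_dir: Path, manifest: dict) -> list:
    """Return (filename, finding) tuples; an empty list means the directory matches."""
    findings = []
    present = {p.name: p for p in macos_dir.iterdir()}
    for name, pinned in sorted(manifest.items()):
        p = present.get(name)
        if p is None:
            findings.append((name, "missing"))
        elif p.is_symlink() or not p.is_file():
            findings.append((name, "not-a-regular-file"))
        elif sha256_file(p) != pinned:
            findings.append((name, "modified"))
    # Files that were never shipped (e.g. an extra library) are reported too.
    for name in sorted(set(present) - set(manifest)):
        findings.append((name, "unexpected"))
    return findings

def demo() -> list:
    # Constructed stand-in bundle: placeholder bytes, not the real files.
    with tempfile.TemporaryDirectory() as tmp:
        macos = Path(tmp) / "Example.app" / "Contents" / "MacOS"
        macos.mkdir(parents=True)
        (macos / "Example").write_bytes(b"main executable placeholder")
        (macos / "libTurboActivate.dylib").write_bytes(b"vendor library placeholder")
        manifest = build_manifest(macos)
        assert audit_bundle(macos, manifest) == []
        # Same file name, different contents: the state the post ends in.
        (macos / "libTurboActivate.dylib").write_bytes(b"different library placeholder")
        (macos / "extra.dylib").write_bytes(b"added file")
        return audit_bundle(macos, manifest)

if __name__ == "__main__":
    print(demo())
```

A digest check that runs inside the same process can be patched out like any other check, so on macOS it belongs alongside code signing with library validation rather than in place of it.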





howardlee posted on 2015-6-11 10:36:54

I can't believe software like this exists, so fancy!

飘云 posted on 2015-6-11 10:41:05

Nice!! Marked as a featured post~

fzx118 posted on 2015-6-11 11:16:26

Thanks for sharing, much respect

开心啦 posted on 2015-6-11 12:04:32

Top quality, thanks OP

tiansha posted on 2015-6-11 13:28:29

Is there a Chinese version?

Dxer posted on 2015-6-11 14:04:33

Whoa, a featured Mac post right out of the gate. From now on iOS is your turf

creantan posted on 2015-6-11 15:35:27

Showing support.. nice.. keep it up.. haha

yhym599 posted on 2015-6-11 17:31:10

This one has to be supported, hats off to the OP~

qinccckencn posted on 2015-6-11 21:16:23

Such an awesome tool, I have to try it. Truly worthy of being featured