SQLProSQLite.1.0.49c(1.x通用)算法分析+keygen代码
官方下载:https://www.sqlitepro.com/伸手党传送门:
SQLProSQLite/SQLProMSSQL/SQLProMySQL 1.xKeyGen
https://www.chinapyg.com/thread-79312-1-1.html
(出处: 中国飘云阁(PYG官方论坛) )
1.打开软件输入试探信息:
然后hopper搜索关键字, Invalid License无果!
2.命令行运行主程序发现有日志输出
2015-06-13 17:39:10:334 SQLPro for SQLite Check license called
这次找到了切入点: cfstring_Check_license_called:
0000000100224cb0 dq ___CFConstantStringClassReference, 0x7c8, 0x1001c2294, 0x14 ; "Check license called", XREF=-+47找到函数分析下: -:
0000000100004971 push rbp ; Objective C Implementation defined at 0x100231590 (instance)
0000000100004972 mov rbp, rsp
0000000100004975 push r15
0000000100004977 push r14
0000000100004979 push r13
000000010000497b push r12
000000010000497d push rbx
000000010000497e sub rsp, 0x68
0000000100004982 mov qword , rdi
0000000100004986 mov rdi, qword ; argument "instance" for method _objc_msgSend
000000010000498d mov rsi, qword ; @selector(log:level:flag:context:file:function:line:tag:format:), argument "selector" for method _objc_msgSend
0000000100004994 mov edx, 0x1
0000000100004999 mov ecx, 0x1f
000000010000499e xor eax, eax
00000001000049a0 lea rbx, qword ; @"Check license called"
00000001000049a7 mov qword , rbx
00000001000049ac lea r12, qword ; "-"
00000001000049b3 mov qword , r12
00000001000049b8 lea r15, qword ; "/Users/kylehankinson/Code/SQLitePro/OSX/SQLite Toolbox/Document.m"
00000001000049bf mov qword , r15
00000001000049c3 mov qword , 0x0
00000001000049cc mov qword , 0x267
00000001000049d5 mov r13, qword
00000001000049dc mov r8d, 0x10
00000001000049e2 xor r9d, r9d
00000001000049e5 call r13 ; _objc_msgSend
; HSLicense类
00000001000049e8 mov rdi, qword
00000001000049ef mov rsi, qword ; @selector(sharedInstance)
00000001000049f6 call r13
00000001000049f9 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
00000001000049fc call imp___stubs__objc_retainAutoreleasedReturnValue
0000000100004a01 mov rbx, rax
; 验证函数在此!
0000000100004a04 mov rsi, qword ; @selector(isLicensed)
0000000100004a0b mov rdi, rbx
0000000100004a0e call r13
0000000100004a11 mov r14b, al
0000000100004a14 mov rdi, rbx
0000000100004a17 call qword
0000000100004a1d test r14b, r14b
0000000100004a20 je 0x100004b9b
.
.
.
.
; endpHSLicense类isLicensed方法继续寻找,发现悲催了!找不到这个类~~
上lldb:
(lldb) target create "/Users/luowei/Downloads/SQLProSQLite.app/Contents/MacOS/SQLPro for SQLite"
恩定位到了,在HSShared.framework里面~~
3.hopper载入HSShared分析: -:
000000000003f463 push rbp ; Objective C Implementation defined at 0x1394e0 (instance)
000000000003f464 mov rbp, rsp
000000000003f467 push r15
000000000003f469 push r14
000000000003f46b push r13
000000000003f46d push r12
000000000003f46f push rbx
000000000003f470 push rax
000000000003f471 mov r14, rdi
000000000003f474 mov rsi, qword ; @selector(licensedEmail)
000000000003f47b mov r13, qword
000000000003f482 call r13 ; _objc_msgSend
000000000003f485 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f488 call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f48d mov r12, rax
000000000003f490 mov rsi, qword ; @selector(length)
000000000003f497 mov rdi, r12
000000000003f49a call r13
000000000003f49d test rax, rax
000000000003f4a0 je 0x3f555
000000000003f4a6 mov rsi, qword ; @selector(rangeOfString:options:), argument "selector" for method imp___got__objc_msgSend
000000000003f4ad lea rdx, qword ; @"@noy.com"
000000000003f4b4 mov ecx, 0x1
000000000003f4b9 mov rdi, r12
000000000003f4bc call qword
000000000003f4c2 movabs rcx, 0x7fffffffffffffff
000000000003f4cc cmp rax, rcx
000000000003f4cf jne 0x3f555
000000000003f4d5 mov rdi, qword
000000000003f4dc mov rsi, qword ; @selector(standardUserDefaults)
000000000003f4e3 call r13
000000000003f4e6 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f4e9 call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f4ee mov rbx, rax
000000000003f4f1 mov rsi, qword ; @selector(objectForKey:)
000000000003f4f8 lea rdx, qword ; @"LicensedKey"
000000000003f4ff mov rdi, rbx
000000000003f502 call r13
000000000003f505 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f508 call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f50d mov r15, rax
000000000003f510 mov rdi, rbx
000000000003f513 call qword
000000000003f519 test r12, r12
000000000003f51c je 0x3f551
000000000003f51e mov rsi, qword ; @selector(length), argument "selector" for method imp___got__objc_msgSend
000000000003f525 mov rdi, r12
000000000003f528 call qword
000000000003f52e xor ebx, ebx
000000000003f530 cmp rax, 0x3
000000000003f534 jb 0x3f58f
000000000003f536 test r15, r15
000000000003f539 je 0x3f58f
000000000003f53b mov rsi, qword ; @selector(length), argument "selector" for method imp___got__objc_msgSend
000000000003f542 mov rdi, r15
000000000003f545 call qword
000000000003f54b cmp rax, 0x3
000000000003f54f jae 0x3f559
000000000003f551 xor ebx, ebx ; XREF=-+185
000000000003f553 jmp 0x3f58f
000000000003f555 xor ebx, ebx ; XREF=-+61, -+108
000000000003f557 jmp 0x3f598
000000000003f559 mov rsi, qword ; @selector(licenseForEmailAddress:), XREF=-+236
000000000003f560 mov rdi, r14
000000000003f563 mov rdx, r12
; 继续调用 @selector(licenseForEmailAddress:) 函数进行验证
000000000003f566 call r13
000000000003f569 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f56c call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f571 mov r14, rax
000000000003f574 mov rsi, qword ; @selector(isEqualToString:)
000000000003f57b mov rdi, r14
000000000003f57e mov rdx, r15
000000000003f581 call r13
000000000003f584 mov bl, al
000000000003f586 mov rdi, r14
000000000003f589 call qword
000000000003f58f mov rdi, r15 ; XREF=-+209, -+214, -+240
000000000003f592 call qword
000000000003f598 mov rdi, r12 ; XREF=-+244
000000000003f59b call qword
000000000003f5a1 movsx eax, bl
000000000003f5a4 add rsp, 0x8
000000000003f5a8 pop rbx
000000000003f5a9 pop r12
000000000003f5ab pop r13
000000000003f5ad pop r14
000000000003f5af pop r15
000000000003f5b1 pop rbp
000000000003f5b2 ret
; endp; 继续调用 @selector(licenseForEmailAddress:) 函数进行验证
4.直达核心函数: -:
000000000003f111 push rbp ; Objective C Implementation defined at 0x139498 (instance)
000000000003f112 mov rbp, rsp
000000000003f115 push r15
000000000003f117 push r14
000000000003f119 push r13
000000000003f11b push r12
000000000003f11d push rbx
000000000003f11e sub rsp, 0x18
000000000003f122 mov r15, rdi
000000000003f125 mov r14, qword
; Email转小写
000000000003f12c mov rsi, qword ; @selector(lowercaseString)
000000000003f133 mov r12, qword
000000000003f13a mov rdi, rdx ; argument "instance" for method _objc_msgSend
000000000003f13d call r12 ; _objc_msgSend
000000000003f140 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f143 call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f148 mov r13, rax
; licenseSecret由主程序传入的常量 --- 待会再找!!
000000000003f14b mov rax, qword
000000000003f152 mov r8, qword
000000000003f156 mov r15, r12
000000000003f159 mov rsi, qword ; @selector(stringWithFormat:)
; Email+licenseSecret常量
000000000003f160 lea rdx, qword ; @"%@%@"
000000000003f167 xor eax, eax
000000000003f169 mov rdi, r14
000000000003f16c mov rcx, r13
000000000003f16f call r15
000000000003f172 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f175 call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f17a mov rbx, rax
000000000003f17d mov qword , rbx
000000000003f181 mov rdi, r13
000000000003f184 call qword
000000000003f18a mov rdi, qword
; Email+licenseSecret常量 进行md5运算
000000000003f191 mov rsi, qword ; @selector(MD5String:)
000000000003f198 mov rdx, rbx
000000000003f19b call r15
000000000003f19e mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f1a1 call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f1a6 mov rbx, rax
000000000003f1a9 mov qword , rbx
; 定义一个NSMutableString变量,处理上面MD5字符串
000000000003f1ad mov rdi, qword
000000000003f1b4 mov rsi, qword ; @selector(string)
000000000003f1bb call r15
000000000003f1be mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f1c1 call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f1c6 mov r13, rax
000000000003f1c9 mov rsi, qword ; @selector(length)
000000000003f1d0 mov rdi, rbx
000000000003f1d3 call r15
000000000003f1d6 mov rbx, rax
000000000003f1d9 test rbx, rbx
000000000003f1dc jle 0x3f227
000000000003f1de mov r14, qword ; @selector(appendString:)
000000000003f1e5 lea rdx, qword ; XREF=-+276
000000000003f1e9 mov ecx, 0x1
000000000003f1ee mov rdi, qword
000000000003f1f2 mov rsi, qword ; @selector(substringWithRange:)
000000000003f1f9 call r15
000000000003f1fc mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f1ff call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f204 mov r12, r15
000000000003f207 mov r15, rax
000000000003f20a mov rdi, r13
000000000003f20d mov rsi, r14
000000000003f210 mov rdx, r15
000000000003f213 call r12
000000000003f216 mov rdi, r15 ; argument "instance" for method imp___got__objc_release
000000000003f219 mov r15, r12
000000000003f21c call qword
000000000003f222 dec rbx
000000000003f225 jg 0x3f1e5
000000000003f227 mov rdi, qword ; XREF=-+203
; 这个函数对MD5字符串插入分隔符“-”
000000000003f22e mov rsi, qword ; @selector(hyphonate:everyX:)
000000000003f235 mov ecx, 0x6
000000000003f23a mov rdx, r13
; 调用后,返回 3A9F57-A219DB-F88F1C-D2C827-43FC01-3D
000000000003f23d call r15
000000000003f240 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f243 call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f248 mov rbx, rax
000000000003f24b mov rsi, qword ; @selector(rangeOfString:options:)
; 简单正则匹配!!从尾部开始匹配 “-”号
000000000003f252 lea rdx, qword ; @"-"
; NSBackwardsSearch = 4
000000000003f259 mov ecx, 0x4
000000000003f25e mov rdi, rbx
000000000003f261 call r15
000000000003f264 mov rsi, qword ; @selector(substringToIndex:)
; 截取最后一个“-”前面的字符串~这里搞复杂了,其实就是对0xFbyte进行处理就行
000000000003f26b mov rdi, rbx
000000000003f26e mov rdx, rax
; 调用后返回:3A9F57-A219DB-F88F1C-D2C827-43FC01
000000000003f271 call r15
000000000003f274 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f277 call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f27c mov r14, rax
000000000003f27f mov r12, r15
000000000003f282 mov r15, qword
000000000003f289 mov rdi, rbx ; argument "instance" for method _objc_release
000000000003f28c call r15 ; _objc_release
; 转大写
000000000003f28f mov rsi, qword ; @selector(uppercaseString)
000000000003f296 mov rdi, r14
; 调用后即为正确注册码!!!
000000000003f299 call r12
000000000003f29c mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f29f call imp___stubs__objc_retainAutoreleasedReturnValue
000000000003f2a4 mov rbx, rax
000000000003f2a7 mov rdi, r14
000000000003f2aa call r15
000000000003f2ad mov rdi, r13
000000000003f2b0 call r15
000000000003f2b3 mov rdi, qword
000000000003f2b7 call r15
000000000003f2ba mov rdi, qword
000000000003f2be call r15
000000000003f2c1 mov rdi, rbx ; argument "instance" for method imp___stubs__objc_autoreleaseReturnValue
000000000003f2c4 add rsp, 0x18
000000000003f2c8 pop rbx
000000000003f2c9 pop r12
000000000003f2cb pop r13
000000000003f2cd pop r14
000000000003f2cf pop r15
000000000003f2d1 pop rbp
000000000003f2d2 jmp imp___stubs__objc_autoreleaseReturnValue
; endp
后继续分析知道licenseSecret由主程序调用-: 传入:
keygen代码:
#include <CommonCrypto/CommonDigest.h>
NSString *keygen(NSString *email){
// 转小写
email = ;
NSString *str = ;
NSData *data = ;
unsigned char md5;
CC_MD5(data.bytes, (CC_LONG)data.length, md5);
NSLog(@"data = %@", data);
for (int i = 0; i < sizeof(md5); i++) {
printf("%.2X ", md5);
}
printf("\n\n");
NSMutableString *key = [ init];
for (int i = 0; i < sizeof(md5) - 1; i++) {
];
}
//NSLog(@"key = %@", key);
// 插入分隔符
for (int i = 0; i < 4; i++) {
;
}
// 可以省略~~
// ;
return key;
}
int main(int argc, const char * argv[]) {
@autoreleasepool {
NSLog(@"SN = %@", keygen(@"piaoyun04@163.com"));
}
return 0;
}
KO:
前排学习~~~~
当软件都非常熟悉使用时,发现思路是那么的重要~{:soso_e179:} 本帖最后由 wx_f1Jji177 于 2015-6-13 19:26 编辑
赞,学习啦,这软件竟然比较真码,{:titter:},sql的工具还是Navicat Premium强悍
弹窗需要授权的时候是有日志的:
2015-06-13 19:18:07:602 SQLPro for SQLite Check license called
2015-06-13 19:18:07:602 SQLPro for SQLite Is not licensed.断点br s -nNSLogv
分析发现:后缀@noy.com的邮箱算出来的验证码是被列入黑名单的,邮箱长度大于等于3,
wx_f1Jji177 发表于 2015-6-13 19:10
赞,学习啦,这软件竟然比较真码,,sql的工具还是Navicat Premium强悍
弹窗需要授权的时候是有 ...
黑名单代码不用管它了,我没贴出来,因为没人用 @noy.com算号~
伸手党传送门:
SQLProSQLite/SQLProMSSQL/SQLProMySQL 1.xKeyGen
https://www.chinapyg.com/thread-79312-1-1.html
(出处: 中国飘云阁(PYG官方论坛) )
老大太厉害了,真的适合分析算法 欢迎更多的小伙伴在老大的带领下进入Apple领域。。。 飘总威武{:soso_e130:} 非常棒的算法分析,认真学习!!!
页:
[1]
2