会员申请:斯人
文字标题:【MacOS破解】破解市场屏保区Top1的软件
我最近下载了一个屏保软件,据说Mac屏保软件中排行Top 1的,最重要素材真的很好,
可惜需要付费才能下载更多素材。
如图,(支持正版,本文章仅供学习交流使用)点击下载会弹出购买窗口,
因为我已经破解完成没办法打开购买窗口,所以不能截图了。
界面功能比较简单,一个付费、一个素材库列表,未购买下载素材会提示付费。
所需工具:
1. HopperDisassember
2. Frida
3. class-dump
分析篇:
整体思路:
为了保证软件响应速度,一般来讲会员状态都会写入在本地,假如我们能找到软件写用户状态的地址,就可以完成复购校验了。
UI分析:
支付窗口有两个按钮,新用户购买和老用户恢复购买,这两个都可以作为我们的切入点,我选择的是”恢复购买“作为切入点,找到软件的二进制文件,所在路径:
/Applications/Live Wallpaper.app/Contents/MacOS/Live Wallpaper
预先通过class-dump -H Live Wallpaper生成头文件,以备不时之需。
拖入到HopperDisassember中,用采用字符串搜索,"恢复购买“,发现找不到,因此可以认为该软件采用了本地语言包的方式,进入到资源目录:/Applications/Live Wallpaper.app/Contents/Resources,
本地有一个文件:zh-Hans.lproj,通过名字就可以判断出这是汉化包,进入到页面搜索:find ./ -name '*.strings' -print|xargs grep '恢复购买'
汉化包连类名都我们标记出来。
恢复的英文是:restore,这个函数应该是恢复购买的逻辑了,点击进去
查看反汇编代码: -:
000000010002650c push rbp ; Objective C Implementation defined at 0x1001137f0 (instance method), Begin of try block, DATA XREF=0x1001137f0
000000010002650d mov rbp, rsp
0000000100026510 push r15
0000000100026512 push r14
0000000100026514 push r13
0000000100026516 push r12
0000000100026518 push rbx
0000000100026519 sub rsp, 0x58
// 调用 indicatorView方法,不重要
000000010002651d mov r14, rdi
0000000100026520 mov rsi, qword ; argument "selector" for method _objc_msgSend, @selector(indicatorView)
0000000100026527 mov r15, qword ; _objc_msgSend_1000f4360
000000010002652e call r15 ; Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend
0000000100026531 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
0000000100026534 call imp___stubs__objc_retainAutoreleasedReturnValue ; objc_retainAutoreleasedReturnValue
//调用 setHidden方法,不重要
0000000100026539 mov rbx, rax
000000010002653c mov rsi, qword ; argument "selector" for method _objc_msgSend, @selector(setHidden:)
0000000100026543 mov rdi, rax ; argument "instance" for method _objc_msgSend
0000000100026546 xor edx, edx
0000000100026548 call r15 ; Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend
000000010002654b mov rdi, rbx ; argument "instance" for method _objc_release
000000010002654e call qword ; _objc_release, _objc_release_1000f4368,_objc_release
0000000100026554 lea rdi, qword ; argument "addr" for method imp___stubs__objc_initWeak
0000000100026558 mov rsi, r14 ; argument "value" for method imp___stubs__objc_initWeak
000000010002655b call imp___stubs__objc_initWeak ; objc_initWeak
//划重点,SiShiPurchaseHelper这个类
0000000100026560 mov rdi, qword ; argument "instance" for method _objc_msgSend, objc_cls_ref_SiShiPurchaseHelper
0000000100026567 mov rsi, qword ; argument "selector" for method _objc_msgSend, @selector(sharedInstance)
000000010002656e call r15 ; End of try block started at 0x10002650c, Begin of try block (catch block at 0x10002664c), Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend
0000000100026571 mov rdi, rax ; End of try block started at 0x10002656e, Begin of try block, argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue
0000000100026574 call imp___stubs__objc_retainAutoreleasedReturnValue ; objc_retainAutoreleasedReturnValue
0000000100026579 mov r15, rax
000000010002657c mov rax, qword ; __NSConcreteStackBlock_1000f41b8
0000000100026583 lea r14, qword
0000000100026587 mov qword , rax
000000010002658b mov r13d, 0xc2000000
0000000100026591 mov qword , r13
0000000100026595 lea rax, qword ; sub_100026660
000000010002659c mov qword , rax
00000001000265a0 lea rax, qword ; 0x1000f4e28
00000001000265a7 mov qword , rax
00000001000265ab lea r12, qword
00000001000265af mov rdi, r14 ; argument "dest" for method imp___stubs__objc_copyWeak
00000001000265b2 mov rsi, r12 ; argument "src" for method imp___stubs__objc_copyWeak
00000001000265b5 call imp___stubs__objc_copyWeak ; objc_copyWeak
00000001000265ba lea rbx, qword
00000001000265be mov rax, qword ; __NSConcreteStackBlock_1000f41b8
00000001000265c5 mov qword , rax
00000001000265c9 mov qword , r13
00000001000265cd lea rax, qword ; sub_100026691
00000001000265d4 mov qword , rax
00000001000265d8 lea rax, qword ; 0x1000f4ef8
00000001000265df mov qword , rax
00000001000265e3 mov rdi, rbx ; argument "dest" for method imp___stubs__objc_copyWeak
00000001000265e6 mov rsi, r12 ; argument "src" for method imp___stubs__objc_copyWeak
00000001000265e9 call imp___stubs__objc_copyWeak ; objc_copyWeak
//重点是这个方法 startRestore
00000001000265ee mov rsi, qword ; argument "selector" for method _objc_msgSend, @selector(startRestore:failedBlock:)
00000001000265f5 lea rdx, qword ; End of try block started at 0x100026571, Begin of try block (catch block at 0x100026637)
00000001000265f9 lea rcx, qword
00000001000265fd mov rdi, r15 ; argument "instance" for method _objc_msgSend
0000000100026600 call qword ; _objc_msgSend, _objc_msgSend_1000f4360,_objc_msgSend
0000000100026606 mov rdi, r15 ; End of try block started at 0x1000265f5, Begin of try block, argument "instance" for method _objc_release
0000000100026609 call qword ; _objc_release, _objc_release_1000f4368,_objc_release
000000010002660f mov rdi, rbx ; argument "instance" for method imp___stubs__objc_destroyWeak
0000000100026612 call imp___stubs__objc_destroyWeak ; objc_destroyWeak
0000000100026617 mov rdi, r14 ; argument "instance" for method imp___stubs__objc_destroyWeak
000000010002661a call imp___stubs__objc_destroyWeak ; objc_destroyWeak
000000010002661f lea rdi, qword ; argument "instance" for method imp___stubs__objc_destroyWeak
0000000100026623 call imp___stubs__objc_destroyWeak ; objc_destroyWeak
0000000100026628 add rsp, 0x58
000000010002662c pop rbx
000000010002662d pop r12
000000010002662f pop r13
0000000100026631 pop r14
0000000100026633 pop r15
0000000100026635 pop rbp
0000000100026636 ret
通过汇编代码,知道重点在SiShiPurchaseHelper:startRestore 这个方法中,二话不说,进入到代码区,上面的汇编代码晦涩难懂,HopperDisassmber可以给我们生成伪代码,位置如下图:
这样就直观多了:/* @class SiShiPurchaseHelper */
-(void)startRestore:(void *)arg2 failedBlock:(void *)arg3 {
r12 = ;
rbx = ;
;
;
;
;
;
rax = ;
rax = ;
;
;
return;
}
这里发现代码没办法跟进去了,通过查阅资料,SKPaymentQueue是一个APL在Mac下支持的lib库用于桌面的支付操作,所以一定有一个Delegate回调方法用于处理支付的校验,怎么找呢?
我们回到刚才生成的头文件文件夹下,执行Linux命令: ls *SK*,意思是查找所有包含SK字符串的头文件名:OSSPlainTextAKSKPairCredentialProvider.h
SKPaymentTransactionObserver-Protocol.h
SKProductsRequestDelegate-Protocol.h
SKRequestDelegate-Protocol.h
返回的内容如上,很明显,SKPaymentTransactionObserver-Protocol.h就是实现的协议了。#import "NSObject-Protocol.h"
@class NSArray, NSError, SKPayment, SKPaymentQueue, SKProduct;
@protocol SKPaymentTransactionObserver- (void)paymentQueue:(SKPaymentQueue *)arg1 updatedTransactions:(NSArray *)arg2;
@optional
- (void)paymentQueue:(SKPaymentQueue *)arg1 didRevokeEntitlementsForProductIdentifiers:(
- (void)paymentQueueDidChangeStorefront:(SKPaymentQueue *)arg1;
- (BOOL)paymentQueue:(SKPaymentQueue *)arg1 shouldAddStorePayment:(SKPayment *)arg2 forP
- (void)paymentQueue:(SKPaymentQueue *)arg1 updatedDownloads:(NSArray *)arg2;
- (void)paymentQueueRestoreCompletedTransactionsFinished:(SKPaymentQueue *)arg1;
- (void)paymentQueue:(SKPaymentQueue *)arg1 restoreCompletedTransactionsFailedWithError:
- (void)paymentQueue:(SKPaymentQueue *)arg1 removedTransactions:(NSArray *)arg2;
@end它实现了几个回调方法,不管它,在Hopper中搜索 paymentQueue,并生成伪代码:
/* @class SiShiPurchaseHelper */
-(void)paymentQueue:(void *)arg2 updatedTransactions:(void *)arg3 {
rbx = self;
rax = ;
var_150 = intrinsic_movaps(var_150, 0x0);
*(int128_t *)(&var_150 + 0x10) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x10), 0x0);
*(int128_t *)(&var_150 + 0x20) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x20), 0x0);
*(int128_t *)(&var_150 + 0x30) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x30), 0x0);
var_B8 = rax;
rax = ;
var_D8 = rax;
if (rax != 0x0) {
var_100 = **(&var_150 + 0x10);
var_C0 = rbx;
do {
r12 = 0x0;
do {
if (*var_140 != var_100) {
objc_enumerationMutation(var_B8);
}
r14 = *(var_148 + r12 * 0x8);
rax = ;
if (rax != 0x3) {
if (rax != 0x2) {
if (rax == 0x1) {
// 关键位置
;
}
}
else {
rax = ;
rax = ;
r14 = ;
;
if (r14 == 0x2) {
rbx = var_C0;
;
}
else {
rbx = var_C0;
retain] localizedStringForKey:@"Unlock failed" value:@"" table:0x0] retain]];
;
;
}
}
}
else {
;
}
r12 = r12 + 0x1;
} while (r12 < var_D8);
rax = ;
var_D8 = rax;
} while (rax != 0x0);
}
var_30 = **___stack_chk_guard;
;
if (**___stack_chk_guard != var_30) {
__stack_chk_fail();
}
return;
}
它实现了几个回调方法,不管它,在Hopper中搜索 paymentQueue,并生成伪代码:/* @class SiShiPurchaseHelper */
-(void)completeTransaction:(void *)arg2 {
r14 = self;
rax = ;
r15 = rax;
rax = ;
rax = ;
r12 = rax;
rax = ;
rax = ;
;
;
if (rax != 0x0) {
;
//关键方法:
;
;
}
;
return;
}
找到两个疑似关键方法:;
;
经过阅读代码,找到最终设置用户身份的函数bornWenYuShan/* @class SiShiPurchaseHelper */
-(void)bornWenYuShan {
;
rax = ;
rax = ;
;
;
rbx = [ retain];
;
;
return;
}
了解APL开发的童鞋都知道,是生成该软件用户信息的地方。
;
写入值为YES。
经过以上分析,只要能写入这个代码重启软件应该就可以实现付费破解了。
整理思路:
如果我们要实现 completeTransaction 的调用,前面要修改多个if校验的逻辑,是在是麻烦,有没有简单有效的办法呢?
既然找到了 关键函数,那我们在点击”恢复购买“的按钮时直接执行它不就可以了,省去了多处的修改也易于操作和验证。
回到函数位置:
掐头去尾只保留开始的入栈和出栈部分,也就是:0000000100012910 push rbp ; Objective C Implementation defined at 0x10010f4d0 (instance method), DATA XREF=0x10010f4d0
0000000100012911 mov rbp, rsp
0000000100012914 push r15
0000000100012916 push r14
0000000100012918 push r13
000000010001291a push r12
000000010001291c push rbx
000000010001291d push rax
0000000100026519 sub rsp, 0x58
......中间的代码全部NOP掉
00000001000129bd pop rbx
00000001000129be pop r12
00000001000129c0 pop r13
00000001000129c2 pop r14
00000001000129c4 pop r15
00000001000129c6 pop rbp
00000001000129c7 jmp rax
NOP后,在第九行编写代码片,上面都加了注释便于理解// r14 = self
000000010001291e mov r14, rdi
// rbx = _objc_msgSend_1000f4360
0000000100012921 mov rbx, qword
// msgSend函数的第一个参数:rsi = bornWenYuShan
0000000100012928 mov rsi, qword
// msgSend函数的第二个参数:rdi = r14
000000010001292f mov rdi, r14
0000000100012932 call rbx
//等于执行 msgSend(self,bornWenYuShan)
最终代码如图:
调用Hopper生成可执行文件覆盖源文件/Applications/Live Wallpaper.app/Contents/MacOS/Live Wallpaper 即可。
最后我们退出软件后发现打不开了?是代码改的有问题吗?并不是。
因为APL的所有软件必须签名,我们导出的的二进制文件必须要重新签名才可以执行,进入到/Applications/目录
执行以下命令进行签名即可:sudo codesign --sign - --force --deep ./Live Wallpaper.app
有关签名的内容大家可自行Google脑补。
效果:首次安装后,在支付窗口点击“恢复购买” 重开软件,发现购买窗口没有了,随便选一个素材点击即可直接下载使用。
开发者不易,支持正版!
申请也不看好格式,邮箱也不写,https://bbs.pediy.com/thread-270803.htm 这个原帖是你发布的吗?
页:
[1]