QiuChenly 发表于 2024-8-10 21:24

IDA Pro 9.0 macOS ARM & Intel 破解

本帖最后由 QiuChenly 于 2024-8-11 03:23 编辑

一觉醒来, 发现Hexrays为了充分调动大家主观能动性, 主动公开了测试版的完整IDA Pro, 作为新手自然是第一时间要围观。

在T&G#上IDA PRO 群组中老外Tim的交流中, 心有所感, 气机交汇,有一道灵光从天灵盖中喷涌而出, 冥冥中有一双无形的大手控制着我编写Patch代码, 一身修为突破在即, 故将心得与各位共享。

安装包论坛很多人发了帖子,大家直接自寻。版本:Version 9.0.240807

0x00 授权文件:
位置: /Users/qiuchenly/.idapro/idalic.hexlic
内容:
{
"header": {
"version": 1
},
"signature": "who cares",
"payload": {
"name": "12345",
"email": "hello@example.com",
"licenses": [
{
"id": "48-0000-0000-00",
"license_type": "named",
"product": "IDA",
"seats": 1000,
"start_date": "2024-01-01",
"end_date": "2035-01-01",
"issued_on": "2024-01-01 00:00:00",
"owner": "QiuChenly",
"add_ons": [
{
"id": "40-0000-0000-00",
"code": "IDA",
"owner": "50-1122-3344-20",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "40-0000-0000-00",
"code": "HEXRAYS",
"owner": "50-1122-3344-20",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-00",
"code": "HEXRV",
"owner": "50-1122-3344-20",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-01",
"code": "HEXRV64",
"owner": "50-1122-3344-21",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-02",
"code": "HEXARC",
"owner": "50-1122-3344-22",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-03",
"code": "HEXARC64",
"owner": "50-1122-3344-23",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-04",
"code": "HEXX86",
"owner": "50-1122-3344-24",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-05",
"code": "HEXX64",
"owner": "50-1122-3344-25",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-06",
"code": "HEXARM",
"owner": "50-1122-3344-26",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-07",
"code": "HEXARM64",
"owner": "50-1122-3344-27",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-08",
"code": "HEXMIPS",
"owner": "50-1122-3344-28",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-09",
"code": "HEXMIPS64",
"owner": "50-1122-3344-29",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-10",
"code": "HEXPPC",
"owner": "50-1122-3344-30",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-11",
"code": "HEXPPC64",
"owner": "50-1122-3344-31",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-12",
"code": "HEXRV",
"owner": "50-1122-3344-32",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-13",
"code": "HEXRV64",
"owner": "50-1122-3344-33",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
}
],
"features": [
"hello world"
]
}
]
}
}

把这些内容保存为一个文件, 放到你的home用户目录下指定目录即可。如果JSON格式搞不定,直接到我仓库里下载。

0x01 破解点?

DobbyCodePatch(getImageAddressByIndex(getImageVMAddrSlideIndex("/Contents/MacOS/libida64.dylib"),
getAddress(0x100400625, 0x1003b1C0F)),
(uint8_t[]) {isX86() ? 0x84 : 0x35}, 1);

libida64.dylib 1字节破解:
Intel版本中IDA偏移地址处0x100400625。
ARM版本中偏移为0x1003b1C0F。

我们使用LLDB启动程序的时候, 你会发现程序会输出:

The file \"%s\" doesn't appear to be a valid license

搜索字符串发现:
v11 = sub_1030A7150(a1, a2, v23, a5, a6);
if ( a3 )
{
v14 = *a3;
v10 = v23;
*a3 = v23;
v23 = v14;
v15 = *(a3 + 8);
*(a3 + 8) = *&v23;
*&v23 = v15;
}
if ( v11 )
{
if ( a6 <= 1 )
sub_102CA8320(a6, "The file \"%s\" doesn't appear to be a valid license
file", v8, v10, v12, v13);
}
else
{
v11 = 0;
}
这里sub_1030A7150函数显然要返回0,他才会认为是有效的授权文件。

我们进去函数会发现这里有一个跳转非常可疑:
__int64 __fastcall sub_1030A7150(__int64 a1, __int64 a2, __int64 a3, unsigned
int a4, __int64 a5)
{
unsigned int v6; // ebx
void *v7; // rdi
char *v8; // r14
__int64 v9; // r15
char *v10; // r12
void *v12; // BYREF
__int64 v13; //

*v12 = 0LL;
v13 = 0LL;
v6 = 2;
if ( sub_1030A7400(v12, a3, a4, a5) )
v6 = sub_1030A5E20(a1, a2, v12, 0LL, a5);
v7 = v12;
if ( v12 )
{
v8 = v12;
if ( v12 )
{
v9 = 24LL;
do
{
v10 = v12;
jvalue_t_clear(v12 + v9);
qfree(*&v10);
v9 += 40LL;
--v8;
}
while ( v8 );
v7 = v12;
}
v12 = 0LL;
qfree(v7);
}
return v6;
}

这个函数sub_1030A7400看起来非常可疑, 道友且看:



a4 = 24LL;
*(_OWORD *)v24 = *(_OWORD *)"Missing \"signature\" key";
*(_QWORD *)(v24 + 15) = 0x79656B2022657275LL;
*(_BYTE *)(*a4 + 23) = 0;
goto LABEL_38;


可以看得出来这里是在检查Missing \"signature\" key授权文件中数据是否完整。
通过耐心收集,你会发现你可以收集到所有他需要的jsonkey,也就是上面那个授权文件内容的来源。

通过上面的分析我们知道sub_1030A7400一定要返回1才可以,所以这里我们需要patch一个判断逻辑让他既要满足返回1 也要读取出所有的json数据,否则他会提示你某些key没有读取到。


通过lldb,我们在这里发现:
if ( !(unsigned __int8)sub_25B120(v32, *v15) )
{
LABEL_31:
qfree(v32);
qfree(v34);
if ( !v17 )
goto LABEL_32;
LABEL_38:
LODWORD(v13) = 0;
goto LABEL_39;
}

这里存在一个goto LABEL_32;我们点过去看看:


LABEL_32:
LOBYTE(v13) = 1;
if ( a1 )
{
if ( v28 == 3 )
{
v21 = v29;
v22 = *a1;
*a1 = *v29;
v23 = *(_OWORD *)(a1 + 1);
a1 = v21;
a1 = v21;
*v21 = v22;
*(_OWORD *)(v21 + 1) = v23;
goto LABEL_39;
}
if ( !under_debugger )
interr(1282LL);
LABEL_44:
BUG();
}
LABEL_39:
qfree(v26);
jvalue_t_clear(&v28);
return (unsigned int)v13;

通过这里我们很显然看到只要让他满足if ( !v17 ),我等便顷刻修为暴增!

好!道✌️我要发力了!道友且为我护法, 待我一把抓住这个if,顷刻炼化!

只需要将jnz   loc_4006B5 这里对应的 0F 85 8B 00 00 00改为 0F 84 变为jz, 立时倒反天罡, 为我所用!


0x03 启动就崩溃?


T.G上的外国Tim大佬告诉我,这个异常只需要忽略即可,于是我便施法念咒, 写下:

// 这里是因为他的异常处理机制有问题 导致app产生了崩溃
// C++程序员魅力时刻
hookPtrWithSymbolName(@"", @"objc_addExceptionHandler", ret0, NULL);
hookPtrWithSymbolName(@"", @"objc_removeExceptionHandler", ret0, NULL);

0x04 后记
如果你有动手能力,不妨依我所言试试以上处理过程。
对于arm64上的弹窗崩溃,其实根据lldb的崩溃堆栈就知道了,改一个跳转让他也忽略错误即可。

DobbyCodePatch(getImageAddressByIndex(getImageVMAddrSlideIndexThrow("arm_mac_user64.dylib"),
                                    0x1000232B0),
               (uint8_t[]) {0x2C}, 1);

但是你也可以选择删除文件:/Applications/IDA Professional 9.0.app/Contents/MacOS/plugins/arm_mac_user64.dylib 成为一个怕事的胆小鬼。

你这一辈子,有没有为谁拼过一次命?
在命运面前, 你愿意成为一秒钟的英雄,还是一辈子的胆小鬼?

0x05 一键注入破解
https://github.com/QiuChenly/InjectLib



0x06 重新编译的插件
如何使用?解压到: /Users/用户目录/.idapro/plugins 然后重新打开IDA会自动加载。
1. Patching 多架构支持: 编译为通用架构二进制, 支持intel & arm64. 并根据github上的合并代码整合支持IDA 9.0




爱飞的猫 发表于 2024-8-11 08:13

兄弟你咋就把我忘了捏 {:1_937:}

你拿到 idalic.hexlic 的时候,我论坛 id 都在里面的

debug_cat 发表于 2024-8-12 09:48

debug_cat 发表于 2024-8-12 09:37
有没有大佬下载的附件中的plugins.zip,下载后这个压缩包里面的东西如何使用呢?

我尝试把压缩包下载,解压,整个文件夹放到/Users/用户目录/.idapro/plugins这个位置上面。
Intel 版本。
打开ida后有已下信息:```
/Users/os/.idapro/plugins/patching.py: ERROR: fail to load the dynamic library.
Traceback (most recent call last):
File "/Applications/IDA Professional 9.0.app/Contents/MacOS/python/3/ida_idaapi.py", line 573, in IDAPython_ExecScript
    exec(code, g)
File "/Users/os/.idapro/plugins/patching.py", line 42, in <module>
    import patching
File "/Users/os/.idapro/plugins/patching/__init__.py", line 1, in <module>
    from patching.core import PatchingCore
File "/Users/os/.idapro/plugins/patching/core.py", line 16, in <module>
    from patching.asm import *
File "/Users/os/.idapro/plugins/patching/asm.py", line 8, in <module>
    import patching.keystone as keystone
File "/Users/os/.idapro/plugins/patching/keystone/__init__.py", line 4, in <module>
    from .keystone import Ks, ks_version, ks_arch_supported, version_bind, debug, KsError, __version__
File "/Users/os/.idapro/plugins/patching/keystone/keystone.py", line 74, in <module>
    raise ImportError("ERROR: fail to load the dynamic library.")
ImportError: ERROR: fail to load the dynamic library.

```

/Users/os/.idapro/plugins
├── patching
└── patching.py

目录结构

Vvvvvoid 发表于 2024-8-11 08:38

本帖最后由 Vvvvvoid 于 2024-8-11 09:03 编辑

吃完早饭回来学习
坐等懒人整合版

wchh8888 发表于 2024-8-11 08:39

感谢你的分享!

风缘雪影 发表于 2024-8-11 08:51

下载试用,感谢!!!

smile789 发表于 2024-8-11 09:12

感谢分享!

ehu4ever 发表于 2024-8-11 09:18

好东西,   收了   

小草草 发表于 2024-8-11 09:26

好东西,   收了

ianlcc 发表于 2024-8-11 09:58

好棒的分享
谢谢大佬,下载来存着

gaoyanchen 发表于 2024-8-11 10:03

秋佬666666666