本次破解练习对象为Interface Inspector。程序运行截图如下。图为软件提示的注册界面。
也有其他的暴力破解方式,相对简单,笔者从注册本身入手,尝试完美破解。
0x1 代码分析
在Hopper中打开后,发现Interface Inspector使用了CocoaFob库来做注册认证。如下图。
和AquaticPrimeFramework类似,CocoaFob使用非对称的DSA算法,使用私钥Private key加密注册名称,可以得到注册码。程序里用对应公钥Public key对输入的注册名和注册码进行解密验证。DSA算法类似RSA,具备非对称性,无Private key和Public key对,不能推算出注册码。所以安全性比一般的key-gen要高。然而CocoaFob库是开源框架,可以找到它的源代码。这为完美破解提供了可能性。
0x2破解
和破解AquaticPrimeFramework的思路一样,用开源框架生成自制的DSA公钥、私钥,然后,替换掉程序中的DSA公钥。
首先看Interface Inspector中的DSA公钥。从[SMLicenseManager verifyLicenseWithName:code:]方法找到了拼接的DSA公钥。伪代码如下。
char +[SMLicenseManager verifyLicenseWithName:code:](void * self, void * _cmd, void * arg2, void * arg3) {
r14 = [arg2 retain];
var_-72 = [arg3 retain];
rax = [NSBundle mainBundle];
rax = [rax retain];
var_-88 = rax;
var_-96 = [[rax objectForInfoDictionaryKey:*_kCFBundleNameKey] retain];
var_-76 = 0x0;
rbx = [NSString stringWithFormat:@"%@,%@", rcx, r14];
[r14 release];
var_-64 = [rbx retain];
r13 = [[NSMutableString string] retain];
[r13 appendString:@"MIHwMIGoBgcqhkjOOAQBMIGcAkEA6DD7O2EnyLOV"];
[r13 appendString:@"INxN5Cb+p2VxYAdK69ekt"];
[r13 appendString:@"RUl\nn/QrCFjWB9k71OBZTXNHDsqbS"];
[r13 appendString:@"CXmQrRmc+OxghdlsEJ0Wbe/XQIVAJya"];
[r13 appendString:@"CiqLcY74\nRq1hRd"];
[r13 appendString:@"33dSgqa33vA"];
[r13 appendString:@"kAQSXj7klZuZg6edUcAPyqJtpympByQmSB"];
[r13 appendString:@"4of1KUEzkARHT\npFicnFhzpG1"];
[r13 appendString:@"HP4B+"];
[r13 appendString:@"UwIbh/JOwTjwElTrKi0tzwu/A0MAA"];
[r13 appendString:@"kAVeQplzB7Ovygl8ntn\nUcF+Rh260G"];
[r13 appendString:@"gbDWL5xZgPXPf39kHq"];
[r13 appendString:@"Twk1rbUFVIWUGdWo0FaBbuM7rnDal0jqT8aq\nZ"];
[r13 appendString:@"skm\n"];
rbx = [[NSString stringWithString:r13] retain];
r14 = [[CFobLicVerifier completePublicKeyPEM:rbx] retain];
var_-104 = r14;
[rbx release];
r15 = [[CFobLicVerifier alloc] init];
rcx = 0x0;
rbx = [r15 setPublicKey:r14 error:rcx];
r12 = [0x0 retain];
if (rbx != 0x0) {
var_-64 = var_-64;
rbx = [r15 verifyRegCode:var_-72 forName:rcx error:r12];
r14 = [r12 retain];
[r12 release];
var_-76 = rbx != 0x0 ? 0x1 : 0x0;
r12 = r14;
}
[r12 release];
[r15 release];
[var_-104 release];
[r13 release];
[var_-64 release];
[var_-96 release];
[var_-88 release];
[var_-72 release];
rax = var_-76 & 0xff;
return rax;
}
用Hex Fiend打开Interface Inspector,可以找到MIHwMIGoBgcqhkjOOAQBMIGcAkEA6DD7O2EnyLOV开头的字符串,这便是公钥在代码中的位置。使用自制的公钥,直接在相应位置替换掉此字符串。如下图所示。
替换前:
替换后:
然后,使用Hopper修改[SMLicenseManager verifyLicenseWithName:code:]和定义DSA公钥的数据段(见下图),导入自制的DSA公钥。
修改后,verifyLicenseWithName:code的伪代码如下。
char +[SMLicenseManager verifyLicenseWithName:code:](void * self, void * _cmd, void * arg2, void * arg3) {
r14 = [arg2 retain];
var_48 = [arg3 retain];
rax = [NSBundle mainBundle];
rax = [rax retain];
var_58 = rax;
var_60 = [[rax objectForInfoDictionaryKey:*_kCFBundleNameKey] retain];
var_4C = 0x0;
rbx = [NSString stringWithFormat:@"%@,%@", rcx, r14];
[r14 release];
var_40 = [rbx retain];
r13 = [[NSMutableString string] retain];
[r13 appendString:@"MIHxMIGoBgcqhkjOOAQBMIGcAkEAlkHhqwIttlbDZEK6mOY7s7EBjI/GFhhT/F7m\n4eA4vVefuIsdTmA5gBplebQ02k8JMPWaP0mV8hCDzcdIHMqrSwIVAPdSrKvB8U59\n+7I0X0wfm74v0WTzAkBwKLW3thX3IOPo4vjghDX/nHtJG3VXSmCTC7mFpv2nhXuz\nblSbboRAlMa/j0kl4vURsuVXlgvvWpCpgA0SSf0TA0QAAkEAh5RNl7/OdeCse…"];
rbx = [[NSString stringWithString:r13] retain];
r14 = [[CFobLicVerifier completePublicKeyPEM:rbx] retain];
var_68 = r14;
[rbx release];
r15 = [[CFobLicVerifier alloc] init];
rcx = 0x0;
rbx = [r15 setPublicKey:r14 error:rcx];
r12 = [0x0 retain];
if (rbx != 0x0) {
var_40 = var_40;
rbx = [r15 verifyRegCode:var_48 forName:rcx error:r12];
r14 = [r12 retain];
[r12 release];
var_4C = rbx != 0x0 ? 0x1 : 0x0;
r12 = r14;
}
[r12 release];
[r15 release];
[var_68 release];
[r13 release];
[var_40 release];
[var_60 release];
[var_58 release];
[var_48 release];
rax = var_4C & 0xff;
return rax;
}
0x3 程序验证
设输入的名称为XIao,用CocoaFob算出的注册码为:GAWAE-FD7CP-6M96F-YCNHW-EV9WN-VHEPV-ZDKGN-3KDAC-CQNMV-GGACQ-KR5UM-RYD25-JYRLN-6BNH3-K27Y。代入破解完的Interface Inspector。验证成功,:)!
