本帖最后由 QiuChenly 于 2024-8-11 03:23 编辑
一觉醒来, 发现Hexrays为了充分调动大家主观能动性, 主动公开了测试版的完整IDA Pro, 作为新手自然是第一时间要围观。
在T&G#上IDA PRO 群组中老外Tim的交流中, 心有所感, 气机交汇,有一道灵光从天灵盖中喷涌而出, 冥冥中有一双无形的大手控制着我编写Patch代码, 一身修为突破在即, 故将心得与各位共享。
安装包论坛很多人发了帖子,大家直接自寻。版本:Version 9.0.240807
0x00 授权文件:
位置: /Users/qiuchenly/.idapro/idalic.hexlic
内容:
[JavaScript] 纯文本查看 复制代码 {
"header": {
"version": 1
},
"signature": "who cares",
"payload": {
"name": "12345",
"email": "hello@example.com",
"licenses": [
{
"id": "48-0000-0000-00",
"license_type": "named",
"product": "IDA",
"seats": 1000,
"start_date": "2024-01-01",
"end_date": "2035-01-01",
"issued_on": "2024-01-01 00:00:00",
"owner": "QiuChenly",
"add_ons": [
{
"id": "40-0000-0000-00",
"code": "IDA",
"owner": "50-1122-3344-20",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "40-0000-0000-00",
"code": "HEXRAYS",
"owner": "50-1122-3344-20",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-00",
"code": "HEXRV",
"owner": "50-1122-3344-20",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-01",
"code": "HEXRV64",
"owner": "50-1122-3344-21",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-02",
"code": "HEXARC",
"owner": "50-1122-3344-22",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-03",
"code": "HEXARC64",
"owner": "50-1122-3344-23",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-04",
"code": "HEXX86",
"owner": "50-1122-3344-24",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-05",
"code": "HEXX64",
"owner": "50-1122-3344-25",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-06",
"code": "HEXARM",
"owner": "50-1122-3344-26",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-07",
"code": "HEXARM64",
"owner": "50-1122-3344-27",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-08",
"code": "HEXMIPS",
"owner": "50-1122-3344-28",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-09",
"code": "HEXMIPS64",
"owner": "50-1122-3344-29",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-10",
"code": "HEXPPC",
"owner": "50-1122-3344-30",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-11",
"code": "HEXPPC64",
"owner": "50-1122-3344-31",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-12",
"code": "HEXRV",
"owner": "50-1122-3344-32",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
},
{
"id": "50-0000-0000-13",
"code": "HEXRV64",
"owner": "50-1122-3344-33",
"start_date": "2024-01-01",
"end_date": "2035-01-01"
}
],
"features": [
"hello world"
]
}
]
}
}
把这些内容保存为一个文件, 放到你的home用户目录下指定目录即可。如果JSON格式搞不定,直接到我仓库里下载。
0x01 破解点?
[Objective-C] 纯文本查看 复制代码 DobbyCodePatch(getImageAddressByIndex(getImageVMAddrSlideIndex("/Contents/MacOS/libida64.dylib"),
getAddress(0x100400625, 0x1003b1C0F)),
(uint8_t[]) {isX86() ? 0x84 : 0x35}, 1);
libida64.dylib 1字节破解:
Intel版本中IDA偏移地址处0x100400625。
ARM版本中偏移为0x1003b1C0F。
我们使用LLDB启动程序的时候, 你会发现程序会输出:
The file \"%s\" doesn't appear to be a valid license
搜索字符串发现:
[C] 纯文本查看 复制代码 v11 = sub_1030A7150(a1, a2, v23, a5, a6);
if ( a3 )
{
v14 = *a3;
v10 = v23[0];
*a3 = v23[0];
v23[0] = v14;
v15 = *(a3 + 8);
*(a3 + 8) = *&v23[1];
*&v23[1] = v15;
}
if ( v11 )
{
if ( a6[1] <= 1 )
sub_102CA8320(a6, "The file \"%s\" doesn't appear to be a valid license
file", v8, v10, v12, v13);
}
else
{
v11 = 0;
}
这里sub_1030A7150 函数显然要返回0,他才会认为是有效的授权文件。
我们进去函数会发现这里有一个跳转非常可疑:
[Objective-C] 纯文本查看 复制代码 __int64 __fastcall sub_1030A7150(__int64 a1, __int64 a2, __int64 a3, unsigned
int a4, __int64 a5)
{
unsigned int v6; // ebx
void *v7; // rdi
char *v8; // r14
__int64 v9; // r15
char *v10; // r12
void *v12[2]; // [rsp+0h] [rbp-48h] BYREF
__int64 v13; // [rsp+10h] [rbp-38h]
*v12 = 0LL;
v13 = 0LL;
v6 = 2;
if ( sub_1030A7400(v12, a3, a4, a5) )
v6 = sub_1030A5E20(a1, a2, v12, 0LL, a5);
v7 = v12[0];
if ( v12[0] )
{
v8 = v12[1];
if ( v12[1] )
{
v9 = 24LL;
do
{
v10 = v12[0];
jvalue_t_clear(v12[0] + v9);
qfree(*&v10[v9 - 24]);
v9 += 40LL;
--v8;
}
while ( v8 );
v7 = v12[0];
}
v12[1] = 0LL;
qfree(v7);
}
return v6;
}
这个函数sub_1030A7400看起来非常可疑, 道友且看:
[Objective-C] 纯文本查看 复制代码
a4[1] = 24LL;
*(_OWORD *)v24 = *(_OWORD *)"Missing \"signature\" key";
*(_QWORD *)(v24 + 15) = 0x79656B2022657275LL;
*(_BYTE *)(*a4 + 23) = 0;
goto LABEL_38;
可以看得出来这里是在检查Missing \"signature\" key授权文件中数据是否完整。
通过耐心收集,你会发现你可以收集到所有他需要的jsonkey,也就是上面那个授权文件内容的来源。
通过上面的分析我们知道sub_1030A7400一定要返回1才可以,所以这里我们需要patch一个判断逻辑让他既要满足返回1 也要读取出所有的json数据,否则他会提示你某些key没有读取到。
通过lldb,我们在这里发现:
[Objective-C] 纯文本查看 复制代码 if ( !(unsigned __int8)sub_25B120(v32, *v15) )
{
LABEL_31:
qfree(v32[0]);
qfree(v34);
if ( !v17 )
goto LABEL_32;
LABEL_38:
LODWORD(v13) = 0;
goto LABEL_39;
}
这里存在一个goto LABEL_32;我们点过去看看:
[C] 纯文本查看 复制代码 LABEL_32:
LOBYTE(v13) = 1;
if ( a1 )
{
if ( v28 == 3 )
{
v21 = v29;
v22 = *a1;
*a1 = *v29;
v23 = *(_OWORD *)(a1 + 1);
a1[1] = v21[1];
a1[2] = v21[2];
*v21 = v22;
*(_OWORD *)(v21 + 1) = v23;
goto LABEL_39;
}
if ( !under_debugger )
interr(1282LL);
LABEL_44:
BUG();
}
LABEL_39:
qfree(v26[0]);
jvalue_t_clear(&v28);
return (unsigned int)v13;
通过这里我们很显然看到只要让他满足if ( !v17 ),我等便顷刻修为暴增!
好!道✌️我要发力了!道友且为我护法, 待我一把抓住这个if,顷刻炼化!
只需要将 jnz loc_4006B5 这里对应的 0F 85 8B 00 00 00 改为 0F 84 变为jz, 立时倒反天罡, 为我所用!
0x03 启动就崩溃?
T.G上的外国Tim大佬告诉我,这个异常只需要忽略即可,于是我便施法念咒, 写下:
// 这里是因为他的异常处理机制有问题 导致app产生了崩溃
// C++程序员魅力时刻
hookPtrWithSymbolName(@"", @"objc_addExceptionHandler", ret0, NULL);
hookPtrWithSymbolName(@"", @"objc_removeExceptionHandler", ret0, NULL);
0x04 后记
如果你有动手能力,不妨依我所言试试以上处理过程。
对于arm64上的弹窗崩溃,其实根据lldb的崩溃堆栈就知道了,改一个跳转让他也忽略错误即可。
DobbyCodePatch(getImageAddressByIndex(getImageVMAddrSlideIndexThrow("arm_mac_user64.dylib"),
0x1000232B0),
(uint8_t[]) {0x2C}, 1);
但是你也可以选择删除文件:/Applications/IDA Professional 9.0.app/Contents/MacOS/plugins/arm_mac_user64.dylib 成为一个怕事的胆小鬼。
你这一辈子,有没有为谁拼过一次命?
在命运面前, 你愿意成为一秒钟的英雄,还是一辈子的胆小鬼?
0x05 一键注入破解
https://github.com/QiuChenly/InjectLib
0x06 重新编译的插件
如何使用?解压到: /Users/用户目录/.idapro/plugins 然后重新打开IDA会自动加载。
1. Patching 多架构支持: 编译为通用架构二进制, 支持intel & arm64. 并根据github上的合并代码整合支持IDA 9.0
plugins.zip
(2.94 MB, 下载次数: 524)
|