[Approved] MAMP PRO 4.1 for Mac crack

24‘’ posted on 2017-2-10 17:15:23

Last edited by 24‘’ on 2017-2-10 17:15

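A complete beginner here. I want to learn code auditing, and I heard that on a Mac you need to set up a MAMP + PhpStorm + Xdebug environment. Being short of money, I tried cracking MAMP PRO. MAMP is the Mac + Apache + MySQL + PHP integrated software bundle. Sharing this with everyone.

Initial installation

First run the installer and open MAMP PRO. It initializes and sets the expiry date to 15 days after the installation date; at this point it is the trial version.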
http://h3lit.com/wp-content/uploads/2017/01/14856708968954-1.jpg
http://h3lit.com/wp-content/uploads/2017/01/14856709050019.jpg
http://h3lit.com/wp-content/uploads/2017/01/14856709503208.jpg

With the date set to 2020, restarting the program pops up "demo expired" and the main program cannot be entered.
http://h3lit.com/wp-content/uploads/2017/01/15802789875077.jpg

The cracking process starts below

First, search for the string from the dialog above, "This demo version of MAMP PRO will work until %@.", in:

/Applications/MAMP PRO/MAMP PRO.app/Contents/Resources/en.lproj/Errors.strings

212 "key_DemoMessage" = "This demo version of MAMP PRO will work until %@.";

Line 212 shows that the key for the dialog string is key_DemoMessage.
Open Hopper and load the MAMP PRO executable.
Search for the string key_DemoMessage.

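This finds the function [MAMPAppController part2:isStartup:].
The function is long. Roughly, it looks for the registration file and checks whether it is valid and when it expires, returning 1 if it is valid, so it is enough to change it to return 1 (the function is too long to paste, so here is just its name).

char -[MAMPAppController part2:isStartup:](void * self, void * _cmd, char arg2, char arg3){}

Change the return value to 1. The assembly is as follows, very simple:

mov eax,1
ret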

http://h3lit.com/wp-content/uploads/2017/01/15802794797713.jpg

After the modification, save the executable. Running it reports an error: after a dialog the program exits without reaching the main interface, as shown below. There is probably some check in place.
http://h3lit.com/wp-content/uploads/2017/01/15802795329686.jpg
Continuing in

/Applications/MAMP PRO/MAMP PRO.app/Contents/Resources/en.lproj/Errors.strings

search for the string key_CorruptedPackageMessage; lines 208 and 209 are as follows:

208 "key_CorruptedPackage" = "Oops, something went badly wrong!";
209 "key_CorruptedPackageMessage" = "Either you did not provide the necessary admin credentials or the MAMP PRO package could not be initialized correctly. You can either restart the application and try again or re-install the software.";

In Hopper, search for the string key_CorruptedPackageMessage to find the referencing function [MAMPAppController applicationDidFinishLaunching:].
This code contains five references to key_CorruptedPackageMessage.
In the first three, when the function [MAMPAppController installHelper] returns 0, it exits first and then pops up the error dialog above.
The last two pop up the error dialog when sub_100037b2e(r14, @"3NP792379T", rdx) == 0x0.
Just comment out the exit operation in these two places and change the return value to 1, and it will no longer show the dialog and exit.


void -[MAMPAppController applicationDidFinishLaunching:](void * self, void * _cmd, void * arg2) {
    rdx = arg2;
    r13 = self;
    var_30 = *___stack_chk_guard;
    rbx = _objc_msgSend;
    var_368 = [NSFileManager defaultManager];
    if ([SMJClient isLatestVersionInstalled] == 0x0) {
            rbx = _objc_msgSend;
            r14 = @selector(stringWithFormat:);
            rcx = @"de.appsolute.mampprohelper";
            r15 = @selector(fileExistsAtPath:);
            if (_objc_msgSend(var_368, r15, _objc_msgSend(@class(NSString), r14, @"/Library/LaunchDaemons/%@.plist", rcx)) != 0x0) {
                    rbx = _objc_msgSend;
                    rcx = @"de.appsolute.mampprohelper";
                    if (_objc_msgSend(var_368, r15, _objc_msgSend(@class(NSString), r14, @"/Library/PrivilegedHelperTools/%@", rcx), rcx) != 0x0) {
                            rdx = 0x0;
                            if ([r13 removeHelper:rdx] != 0x0) {// note this
                                    rdx = 0x0;
                                    if ([r13 installHelper:rdx] == 0x0) {
                                            var_328 = (rbx)((rbx)(@class(NSBundle), @selector(mainBundle), 0x0), @selector(localizedStringForKey:value:table:), @"key_CorruptedPackage", @"", @"Error");
                                            r13 = r13;
                                            rcx = (rbx)((rbx)(@class(NSBundle), @selector(mainBundle), @"key_CorruptedPackage"), @selector(localizedStringForKey:value:table:), @"key_OK", @"", @"Error");
                                            (rbx)(r13, @selector(showAlertOnMainThreadWithMessageText:defaultButton:alternateButton:otherButton:informativeTextWithFormat:), var_328, rcx, 0x0, 0x0, @"%@", (rbx)((rbx)(@class(NSBundle), @selector(mainBundle), @"key_OK"), @selector(localizedStringForKey:value:table:), @"key_CorruptedPackageMessage", @"", @"Error"), 0x0);
                                            rdx = 0x0;
                                            (rbx)(*_NSApp, @selector(terminate:), rdx);
                                            rbx = rbx;
                                    }
                            }
                    }
                    else {
                            rdx = 0x0;
                            if ([r13 installHelper:rdx] == 0x0) {// here
                                    var_328 = (rbx)((rbx)(@class(NSBundle), @selector(mainBundle), 0x0), @selector(localizedStringForKey:value:table:), @"key_CorruptedPackage", @"", @"Error");
                                    r13 = r13;
                                    rcx = (rbx)((rbx)(@class(NSBundle), @selector(mainBundle), @"key_CorruptedPackage"), @selector(localizedStringForKey:value:table:), @"key_OK", @"", @"Error");
                                    (rbx)(r13, @selector(showAlertOnMainThreadWithMessageText:defaultButton:alternateButton:otherButton:informativeTextWithFormat:), var_328, rcx, 0x0, 0x0, @"%@", (rbx)((rbx)(@class(NSBundle), @selector(mainBundle), @"key_OK"), @selector(localizedStringForKey:value:table:), @"key_CorruptedPackageMessage", @"", @"Error"), 0x0);
                                    rdx = 0x0;
                                    (rbx)(*_NSApp, @selector(terminate:), rdx);
                                    rbx = rbx;
                            }
                    }
            }
            else {
                    rdx = 0x0;
                    if ([r13 installHelper:rdx] == 0x0) {// and here
                            var_328 = (rbx)((rbx)(@class(NSBundle), @selector(mainBundle), 0x0), @selector(localizedStringForKey:value:table:), @"key_CorruptedPackage", @"", @"Error");
                            r13 = r13;
                            rcx = (rbx)((rbx)(@class(NSBundle), @selector(mainBundle), @"key_CorruptedPackage"), @selector(localizedStringForKey:value:table:), @"key_OK", @"", @"Error");
                            (rbx)(r13, @selector(showAlertOnMainThreadWithMessageText:defaultButton:alternateButton:otherButton:informativeTextWithFormat:), var_328, rcx, 0x0, 0x0, @"%@", (rbx)((rbx)(@class(NSBundle), @selector(mainBundle), @"key_OK"), @selector(localizedStringForKey:value:table:), @"key_CorruptedPackageMessage", @"", @"Error"), 0x0);
                            rdx = 0x0;
                            (rbx)(*_NSApp, @selector(terminate:), rdx);
                            rbx = rbx;
                    }
            }
    }
    rax = (rbx)(@class(BITHockeyManager), @selector(sharedHockeyManager), rdx, rcx, 0x0);
    rdx = @"0ace9f67559046f996bc558e62d58636";
    (rbx)(rax, @selector(configureWithIdentifier:), rdx, rcx, 0x0);
    rax = (rbx)(@class(BITHockeyManager), @selector(sharedHockeyManager), rdx, rcx, 0x0);
    (rbx)(rax, @selector(startManager), rdx, rcx, 0x0);
    (rbx)(r13, @selector(configuration), rdx, rcx, 0x0);
    (rbx)(r13, @selector(serverCommunication), rdx, rcx, 0x0);
    if (sub_1000b6487() < 0x1080) {
            r15 = @selector(mainBundle);
            var_328 = (rbx)((rbx)(@class(NSBundle), r15, 0x0), @selector(localizedStringForKey:value:table:), @"key_Error", @"", @"Error");
            r13 = r13;
            rcx = (rbx)((rbx)(@class(NSBundle), r15, @"key_Error"), @selector(localizedStringForKey:value:table:), @"key_OK", @"", @"Error");
            (rbx)(r13, @selector(showAlertOnMainThreadWithMessageText:defaultButton:alternateButton:otherButton:informativeTextWithFormat:), var_328, rcx, 0x0, 0x0, @"%@", (rbx)((rbx)(@class(NSBundle), r15, @"key_OK"), @selector(localizedStringForKey:value:table:), @"key_osTooLow", @"", @"Error"), 0x0);
            rdx = 0x0;
            (rbx)(*_NSApp, @selector(terminate:), rdx);
    }
    else {
            r15 = @selector(mainBundle);
    }
    var_378 = r15;
    r15 = (rbx)((rbx)(@class(NSBundle), r15, rdx, rcx, 0x0), @selector(executablePath), rdx, rcx, 0x0);
    r12 = rbx;
    r14 = (rbx)((rbx)(r15, @selector(stringByDeletingLastPathComponent), rdx, rcx, 0x0), @selector(stringByAppendingPathComponent:), @"mamp_dyndns", rcx, 0x0);
    rdx = @"15a0e0a8f49c6b4e05eef8ee5e34543d";
    if (sub_100037b2e(r15, @"3NP792379T", rdx) != 0x0) {// note this return value
            rdx = @"15a0e0a8f49c6b4e05eef8ee5e34543d";
            if (sub_100037b2e(r14, @"3NP792379T", rdx) == 0x0) {
                    r13 = r13;
                    (r12)(r13, @selector(showAlertOnMainThreadWithMessageText:defaultButton:alternateButton:otherButton:informativeTextWithFormat:), (r12)((r12)(@class(NSBundle), var_378, rdx), @selector(localizedStringForKey:value:table:), @"key_CorruptedPackage", @"", @"Error"), (r12)((r12)(@class(NSBundle), var_378, @"key_CorruptedPackage"), @selector(localizedStringForKey:value:table:), @"key_OK", @"", @"Error"), 0x0, 0x0, @"%@", (r12)((r12)(@class(NSBundle), var_378, @"key_OK"), @selector(localizedStringForKey:value:table:), @"key_CorruptedPackageMessage", @"", @"Error"), 0x0);
                    (r12)(*_NSApp, @selector(terminate:), 0x0);
                    r12 = r12;
            }
    }
    else {
            r13 = r13;
            (r12)(r13, @selector(showAlertOnMainThreadWithMessageText:defaultButton:alternateButton:otherButton:informativeTextWithFormat:), (r12)((r12)(@class(NSBundle), var_378, rdx), @selector(localizedStringForKey:value:table:), @"key_CorruptedPackage", @"", @"Error"), (r12)((r12)(@class(NSBundle), var_378, @"key_CorruptedPackage"), @selector(localizedStringForKey:value:table:), @"key_OK", @"", @"Error"), 0x0, 0x0, @"%@", (r12)((r12)(@class(NSBundle), var_378, @"key_OK"), @selector(localizedStringForKey:value:table:), @"key_CorruptedPackageMessage", @"", @"Error"), 0x0);
            (r12)(*_NSApp, @selector(terminate:), 0x0);
            r12 = r12;
    }
}


First look at [MAMPAppController installHelper]; you can see the exit operation [rax waitUntilExit] in it.

char -[MAMPAppController installHelper:](void * self, void * _cmd, void * * arg2) {
    rbx = arg2;
    if (AuthorizationCreate(0x1, 0x0, 0x13, 0x0) != 0x0) {
            if (rbx != 0x0) {
                    r14 = 0x0;
                    *rbx = [NSError errorWithDomain:@"de.appsolute.mamppro.installHelper" code:0xffffffffffffffff userInfo:0x0];
            }
            else {
                    r14 = 0x0;
            }
    }
    else {
            r14 = SMJobBless(*_kSMDomainSystemLaunchd, @"de.appsolute.mampprohelper", 0x0, rbx);
            [NSString stringWithFormat:@"/Library/LaunchDaemons/%@.plist", @"de.appsolute.mampprohelper"];
            rax = [NSArray arrayWithObjects:@"load"];
            rax = [NSTask launchedTaskWithLaunchPath:@"/bin/launchctl" arguments:rax];
            [rax waitUntilExit];
    }
    rax = sign_extend_64(r14);
    return rax;
}


So, to keep it from executing the exit operation, return 1 directly: modify the function [MAMPAppController installHelper] to return 1.

mov eax,1
ret



http://h3lit.com/wp-content/uploads/2017/01/15802800339716.jpg

Next, modify the function sub_100037b2e to return 1.

http://h3lit.com/wp-content/uploads/2017/01/15802800948584.jpg

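With the exit problem fixed, save and run: it no longer exits and reaches the main interface, but a dialog still appears offering register, buy, and quit, so the program still cannot be entered. Note the date in the upper right corner.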
http://h3lit.com/wp-content/uploads/2017/01/15802801748679.jpg

Same old approach: search for the dialog string, found at line 91 of

/Applications/MAMP PRO/MAMP PRO.app/Contents/Resources/en.lproj/Errors.strings

91 "key_DemoExpired2Message" = "This demo version of MAMP PRO has expired.\n";

In Hopper, search for key_DemoExpired2Message; the string is referenced in the function [MAMPController demoExpired:]. Roughly, it should show the dialog and then, after a click, carry out the follow-up buy, quit and other operations. Just comment this part out, return 0, and give it a try.


void -[MAMPController demoExpired:](void * self, void * _cmd, void * arg2) {
    var_40 = [[NSBundle mainBundle] localizedStringForKey:@"key_DemoExpiredTitle" value:@"" table:@"Error"];
    var_38 = [[NSBundle mainBundle] localizedStringForKey:@"key_Quit" value:@"" table:@"Error"];
    var_48 = [[NSBundle mainBundle] localizedStringForKey:@"key_Register" value:@"" table:@"Error"];
    var_50 = [[NSBundle mainBundle] localizedStringForKey:@"key_BuyMampPro" value:@"" table:@"Misc"];
    r14 = [[NSBundle mainBundle] localizedStringForKey:@"key_DemoExpired2Message" value:@"" table:@"Error"];
    rbx = [[[NSAlert alloc] init] autorelease];
    [rbx setMessageText:var_40];
    [rbx setInformativeText:r14];
    [rbx addButtonWithTitle:var_50];
    [rbx addButtonWithTitle:var_48];
    [rbx addButtonWithTitle:var_38];
    [rbx setShowsSuppressionButton:0x0];
    [rbx setAlertStyle:0x2];
    rdi = rbx;
    [rdi beginSheetModalForWindow:[self window] modalDelegate:self didEndSelector:@selector(sheetDidEnd:returnCode:contextInfo:) contextInfo:@"demoExpired"];
    return;
}

Change the return value to 0

mov eax,0
ret


http://h3lit.com/wp-content/uploads/2017/01/15802803110751.jpg

Save the modified file from Hopper and that is it. It opens directly and also works normally when the date is 2020.
http://h3lit.com/wp-content/uploads/2017/01/15802803554930.jpg

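That completes the crack.
It is usable for now. I am still a beginner, a lot of the Objective-C logic is not yet clear to me, and I have never learned Objective-C, so once I roughly knew what something did I crudely changed the return value to 1 or 0.
I do not know whether there are any other hidden checks, but it works for now.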
http://h3lit.com/wp-content/uploads/2017/01/14856736673118.jpg



Ratings

Participants: 3, wine tickets +9
uncia +1 Excellent article
管理05 +5 Welcome to 90!
Joseph +3 Thanks for sharing
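
Every patch in the post above overwrites a function's entry with mov eax, imm32 / ret. As an added example (not part of the original post), the following triage check flags entry points in a binary image that have been stubbed this way; the function names, offsets and sizes are constructed sample data, assumed to come from the symbol table of a known-good build.

```python
import struct

def constant_return_stub(code: bytes):
    """Return the constant if `code` starts with a return-constant stub, else None.

    x86-64 encodings checked:
      B8 imm32 C3 -> mov eax, imm32 ; ret
      31 C0 C3    -> xor eax, eax   ; ret
    """
    if len(code) >= 6 and code[0] == 0xB8 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    if code[:3] == b"\x31\xc0\xc3":
        return 0
    return None

def scan_functions(image: bytes, functions: dict, min_size: int = 16):
    """Flag functions that start with a stub although their recorded size
    says they carry a real body. `functions` maps name -> (offset, size)."""
    findings = []
    for name, (offset, size) in sorted(functions.items(), key=lambda kv: kv[1][0]):
        value = constant_return_stub(image[offset:offset + 6])
        if value is not None and size >= min_size:
            findings.append((name, offset, value))
    return findings

def _body(entry: bytes, size: int) -> bytes:
    """Constructed function body: entry bytes, NOP padding, final ret."""
    return entry + b"\x90" * (size - len(entry) - 1) + b"\xc3"

PROLOGUE = bytes.fromhex("554889e5")  # push rbp ; mov rbp, rsp

# Constructed sample image (hypothetical names, not taken from any real binary).
SAMPLE_IMAGE = (
    _body(PROLOGUE, 64)                          # check_a: untouched
    + _body(bytes.fromhex("b801000000c3"), 64)   # check_b: entry forced to return 1
    + _body(bytes.fromhex("b800000000c3"), 64)   # check_c: entry forced to return 0
    + bytes.fromhex("31c0c3")                    # tiny_getter: a genuine 3-byte stub
)
SAMPLE_FUNCTIONS = {
    "check_a": (0, 64),
    "check_b": (64, 64),
    "check_c": (128, 64),
    "tiny_getter": (192, 3),
}

if __name__ == "__main__":
    for name, offset, value in scan_functions(SAMPLE_IMAGE, SAMPLE_FUNCTIONS):
        print(f"{name} @ {offset:#x}: entry replaced by 'return {value}'")
```

The size threshold keeps genuinely tiny functions, such as the 3-byte getter in the sample, from being reported.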
