查看原文
其他

分析屏保区TOP1的一款MacOS软件

Mr.梵高 看雪学苑 2022-07-01


本文为看雪论坛优秀文章

看雪论坛作者ID:Mr.梵高


我最近下载了一个屏保软件,据说Mac屏保软件中排行Top 1的,最重要素材真的很好,惜需要付费才能下载更多素材。

如图,(支持正版,本文章仅供学习交流使用)点击下载会弹出购买窗口,
因为我已经破解完成没办法打开购买窗口,所以不能截图了。


界面功能比较简单,一个付费、一个素材库列表,未购买下载素材会提示付费。

所需工具:

1、HopperDisassember

2、Frida

3、class-dump


分析篇:

整体思路:

为了保证软件响应速度,一般来讲会员状态都会写入在本地,假如我们能找到软件写用户状态的地址,就可以完成复购校验了。

UI分析:

支付窗口有两个按钮,新用户购买和老用户恢复购买,这两个都可以作为我们的切入点,我选择的是”恢复购买“作为切入点,找到软件的二进制文件,所在路径:
/Applications/Live Wallpaper.app/Contents/MacOS/Live Wallpaper
预先通过class-dump -H Live Wallpaper  生成头文件,以备不时之需。

拖入到HopperDisassember中,用采用字符串搜索,"恢复购买“,发现找不到,猜测该软件采用了本地语言包的方式,进入到资源目录:/Applications/Live Wallpaper.app/Contents/Resources,
本地有一个文件:zh-Hans.lproj,通过名字判断出这是汉化包,进入到页面搜索:find ./ -name '*.strings' -print|xargs grep '恢复购买'


汉化包连类名都我们标记出来。

恢复的英文是:restore,这个函数应该是恢复购买的逻辑了,点击进去:


查看反汇编代码:
-[SiShiPurchaseWindowController restorePurchaseAction]:000000010002650c push rbp ; Objective C Implementation defined at 0x1001137f0 (instance method), Begin of try block, DATA XREF=0x1001137f0000000010002650d mov rbp, rsp0000000100026510 push r150000000100026512 push r140000000100026514 push r130000000100026516 push r120000000100026518 push rbx0000000100026519 sub rsp, 0x58// 调用 indicatorView方法,不重要000000010002651d mov r14, rdi0000000100026520 mov rsi, qword [0x100143648] ; argument "selector" for method _objc_msgSend, @selector(indicatorView)0000000100026527 mov r15, qword [_objc_msgSend_1000f4360] ; _objc_msgSend_1000f4360000000010002652e call r15 ; Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend0000000100026531 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue0000000100026534 call imp___stubs__objc_retainAutoreleasedReturnValue ; objc_retainAutoreleasedReturnValue//调用 setHidden方法,不重要0000000100026539 mov rbx, rax000000010002653c mov rsi, qword [0x100142210] ; argument "selector" for method _objc_msgSend, @selector(setHidden:)0000000100026543 mov rdi, rax ; argument "instance" for method _objc_msgSend0000000100026546 xor edx, edx0000000100026548 call r15 ; Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend000000010002654b mov rdi, rbx ; argument "instance" for method _objc_release000000010002654e call qword [_objc_release_1000f4368] ; _objc_release, _objc_release_1000f4368,_objc_release0000000100026554 lea rdi, qword [rbp+var_30] ; argument "addr" for method imp___stubs__objc_initWeak0000000100026558 mov rsi, r14 ; argument "value" for method imp___stubs__objc_initWeak000000010002655b call imp___stubs__objc_initWeak ; objc_initWeak//划重点,SiShiPurchaseHelper这个类0000000100026560 mov rdi, qword [objc_cls_ref_SiShiPurchaseHelper] ; argument "instance" for method _objc_msgSend, objc_cls_ref_SiShiPurchaseHelper0000000100026567 mov rsi, qword [0x100141dd8] ; argument "selector" for method _objc_msgSend, @selector(sharedInstance)000000010002656e call r15 ; End of try block started at 0x10002650c, Begin of try block (catch block at 0x10002664c), Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend0000000100026571 mov rdi, rax ; End of try block started at 0x10002656e, Begin of try block, argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue0000000100026574 call imp___stubs__objc_retainAutoreleasedReturnValue ; objc_retainAutoreleasedReturnValue0000000100026579 mov r15, rax000000010002657c mov rax, qword [__NSConcreteStackBlock_1000f41b8] ; __NSConcreteStackBlock_1000f41b80000000100026583 lea r14, qword [rbp+var_60]0000000100026587 mov qword [r14-0x20], rax000000010002658b mov r13d, 0xc20000000000000100026591 mov qword [r14-0x18], r130000000100026595 lea rax, qword [sub_100026660] ; sub_100026660000000010002659c mov qword [r14-0x10], rax00000001000265a0 lea rax, qword [0x1000f4e28] ; 0x1000f4e2800000001000265a7 mov qword [r14-8], rax00000001000265ab lea r12, qword [rbp+var_30]00000001000265af mov rdi, r14 ; argument "dest" for method imp___stubs__objc_copyWeak00000001000265b2 mov rsi, r12 ; argument "src" for method imp___stubs__objc_copyWeak00000001000265b5 call imp___stubs__objc_copyWeak ; objc_copyWeak00000001000265ba lea rbx, qword [rbp+var_38]00000001000265be mov rax, qword [__NSConcreteStackBlock_1000f41b8] ; __NSConcreteStackBlock_1000f41b800000001000265c5 mov qword [rbx-0x20], rax00000001000265c9 mov qword [rbx-0x18], r1300000001000265cd lea rax, qword [sub_100026691] ; sub_10002669100000001000265d4 mov qword [rbx-0x10], rax00000001000265d8 lea rax, qword [0x1000f4ef8] ; 0x1000f4ef800000001000265df mov qword [rbx-8], rax00000001000265e3 mov rdi, rbx ; argument "dest" for method imp___stubs__objc_copyWeak00000001000265e6 mov rsi, r12 ; argument "src" for method imp___stubs__objc_copyWeak00000001000265e9 call imp___stubs__objc_copyWeak ; objc_copyWeak//重点是这个方法 startRestore00000001000265ee mov rsi, qword [0x100143720] ; argument "selector" for method _objc_msgSend, @selector(startRestore:failedBlock:)00000001000265f5 lea rdx, qword [rbp+var_80] ; End of try block started at 0x100026571, Begin of try block (catch block at 0x100026637)00000001000265f9 lea rcx, qword [rbp+var_58]00000001000265fd mov rdi, r15 ; argument "instance" for method _objc_msgSend0000000100026600 call qword [_objc_msgSend_1000f4360] ; _objc_msgSend, _objc_msgSend_1000f4360,_objc_msgSend0000000100026606 mov rdi, r15 ; End of try block started at 0x1000265f5, Begin of try block, argument "instance" for method _objc_release0000000100026609 call qword [_objc_release_1000f4368] ; _objc_release, _objc_release_1000f4368,_objc_release000000010002660f mov rdi, rbx ; argument "instance" for method imp___stubs__objc_destroyWeak0000000100026612 call imp___stubs__objc_destroyWeak ; objc_destroyWeak0000000100026617 mov rdi, r14 ; argument "instance" for method imp___stubs__objc_destroyWeak000000010002661a call imp___stubs__objc_destroyWeak ; objc_destroyWeak000000010002661f lea rdi, qword [rbp+var_30] ; argument "instance" for method imp___stubs__objc_destroyWeak0000000100026623 call imp___stubs__objc_destroyWeak ; objc_destroyWeak0000000100026628 add rsp, 0x58000000010002662c pop rbx000000010002662d pop r12000000010002662f pop r130000000100026631 pop r140000000100026633 pop r150000000100026635 pop rbp0000000100026636 ret

通过汇编代码,知道重点在SiShiPurchaseHelper:startRestore 这个方法中,二话不说,进入到代码区,上面的汇编代码晦涩难懂,HopperDisassmber可以给我们生成伪代码,位置如下图:
这样就直观多了:
/* @class SiShiPurchaseHelper */-(void)startRestore:(void *)arg2 failedBlock:(void *)arg3 { r12 = [arg3 retain]; rbx = [arg2 retain]; [self setStartPurchase:0x1]; [self setCompeletedBlock:rbx]; [rbx release]; [self setFailedBlock:r12]; [r12 release]; rax = [SKPaymentQueue defaultQueue]; rax = [rax retain]; [rax restoreCompletedTransactions]; [rax release]; return;}

这里发现代码没办法跟进去了,通过查阅资料,SKPaymentQueue是一个APL在Mac下支持的lib库用于桌面的支付操作,所以一定有一个Delegate回调方法用于处理支付的校验,怎么找呢?

我们回到刚才生成的头文件文件夹下,执行Linux命令:ls *SK*,意思是查找所有包含SK字符串的头文件名:
OSSPlainTextAKSKPairCredentialProvider.hSKPaymentTransactionObserver-Protocol.hSKProductsRequestDelegate-Protocol.hSKRequestDelegate-Protocol.h

返回的内容如上,很明显,SKPaymentTransactionObserver-Protocol.h就是实现的协议了。
#import "NSObject-Protocol.h" @class NSArray, NSError, SKPayment, SKPaymentQueue, SKProduct; @protocol SKPaymentTransactionObserver- (void)paymentQueue:(SKPaymentQueue *)arg1 updatedTransactions:(NSArray *)arg2; @optional- (void)paymentQueue:(SKPaymentQueue *)arg1 didRevokeEntitlementsForProductIdentifiers:(- (void)paymentQueueDidChangeStorefront:(SKPaymentQueue *)arg1;- (BOOL)paymentQueue:(SKPaymentQueue *)arg1 shouldAddStorePayment:(SKPayment *)arg2 forP- (void)paymentQueue:(SKPaymentQueue *)arg1 updatedDownloads:(NSArray *)arg2;- (void)paymentQueueRestoreCompletedTransactionsFinished:(SKPaymentQueue *)arg1;- (void)paymentQueue:(SKPaymentQueue *)arg1 restoreCompletedTransactionsFailedWithError:- (void)paymentQueue:(SKPaymentQueue *)arg1 removedTransactions:(NSArray *)arg2;@end它实现了几个回调方法,不管它,在Hopper中搜索 paymentQueue,并生成伪代码:/* @class SiShiPurchaseHelper */-(void)paymentQueue:(void *)arg2 updatedTransactions:(void *)arg3 { rbx = self; rax = [arg3 retain]; var_150 = intrinsic_movaps(var_150, 0x0); *(int128_t *)(&var_150 + 0x10) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x10), 0x0); *(int128_t *)(&var_150 + 0x20) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x20), 0x0); *(int128_t *)(&var_150 + 0x30) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x30), 0x0); var_B8 = rax; rax = [rax countByEnumeratingWithState:&var_150 objects:&var_B0 count:0x10]; var_D8 = rax; if (rax != 0x0) { var_100 = **(&var_150 + 0x10); var_C0 = rbx; do { r12 = 0x0; do { if (*var_140 != var_100) { objc_enumerationMutation(var_B8); } r14 = *(var_148 + r12 * 0x8); rax = [r14 transactionState]; if (rax != 0x3) { if (rax != 0x2) { if (rax == 0x1) { // 关键位置 [rbx completeTransaction:r14]; } } else { rax = [r14 error]; rax = [rax retain]; r14 = [rax code]; [rax release]; if (r14 == 0x2) { rbx = var_C0; [rbx purchaseFailedWithError:0x0]; } else { rbx = var_C0; [rbx purchaseFailedWithError:[[[[NSBundle mainBundle] retain] localizedStringForKey:@"Unlock failed" value:@"" table:0x0] retain]]; [rax release]; [rax release]; } } } else { [rbx completeTransaction:r14]; } r12 = r12 + 0x1; } while (r12 < var_D8); rax = [var_B8 countByEnumeratingWithState:&var_150 objects:&var_B0 count:0x10]; var_D8 = rax; } while (rax != 0x0); } var_30 = **___stack_chk_guard; [var_B8 release]; if (**___stack_chk_guard != var_30) { __stack_chk_fail(); } return;}

它实现了几个回调方法,不管它,在Hopper中搜索 completeTransaction,并生成伪代码:
/* @class SiShiPurchaseHelper */-(void)completeTransaction:(void *)arg2 { r14 = self; rax = [arg2 retain]; r15 = rax; rax = [rax payment]; rax = [rax retain]; r12 = rax; rax = [rax productIdentifier]; rax = [rax retain]; [rax release]; [r12 release]; if (rax != 0x0) { [r14 setCurrentTransaction:r15]; //关键方法: [r14 purchaseSuccess]; [r14 bornWenYuShan]; } [r15 release]; return;}

找到两个疑似关键方法:
[r14 purchaseSuccess];[r14 bornWenYuShan];

经过阅读代码,找到最终设置用户身份的函数bornWenYuShan
/* @class SiShiPurchaseHelper */-(void)bornWenYuShan { [self setIsVip:0x1]; rax = [NSUserDefaults standardUserDefaults]; rax = [rax retain]; [rax setBool:0x1 forKey:@"kSiShiIsVipString"]; [rax release]; rbx = [[NSNotificationCenter defaultCenter] retain]; [rbx postNotificationName:*0x1000f52b0 object:0x0]; [rbx release]; return;}

了解APL开发的童鞋都知道,[NSUserDefaults standardUserDefaults]是保存用户信息存储的接口。

[rax setBool:0x1 forKey:@"kSiShiIsVipString"];
写入值为YES。

经过以上分析,只要能写入这个代码重启软件应该就可以实现付费破解了。

整理思路:

如果我们要实现 completeTransaction 的调用,前面要修改多个if校验的逻辑,实在是麻烦,有没有简单有效的办法呢?

既然找到了 [SiShiPurchaseHelper bornWenYuShan]关键函数,那我们在点击”恢复购买“的按钮时直接执行它不就可以了,省去了多处的修改也易于操作和验证。

回到函数[SiShiPurchaseHelper startRestore:failedBlock:]位置:
掐头去尾只保留开始的入栈和出栈部分,也就是:
0000000100012910 push rbp ; Objective C Implementation defined at 0x10010f4d0 (instance method), DATA XREF=0x10010f4d00000000100012911 mov rbp, rsp0000000100012914 push r150000000100012916 push r140000000100012918 push r13000000010001291a push r12000000010001291c push rbx000000010001291d push rax ......中间的代码全部NOP掉 00000001000129bd pop rbx00000001000129be pop r1200000001000129c0 pop r1300000001000129c2 pop r1400000001000129c4 pop r1500000001000129c6 pop rbp00000001000129c7 jmp rax

NOP后,在第九行编写代码片,上面都加了注释便于理解。
// r14 = self000000010001291e mov r14, rdi// rbx = _objc_msgSend_1000f43600000000100012921 mov rbx, qword [_objc_msgSend_1000f4360] // msgSend函数的第一个参数:rsi = bornWenYuShan 0000000100012928 mov rsi, qword [0x100142d48] // msgSend函数的第二个参数:rdi = r14 000000010001292f mov rdi, r14 0000000100012932 call rbx //等于执行 msgSend(self,bornWenYuShan)

最终代码如图:


调用Hopper生成可执行文件覆盖源文件/Applications/Live Wallpaper.app/Contents/MacOS/Live Wallpaper 即可。

最后我们退出软件后发现打不开了?是代码改的有问题吗?并不是。

因为APL的所有软件必须签名,我们导出的的二进制文件必须要重新签名才可以执行,进入到/Applications/目录
执行以下命令进行签名即可:
sudo codesign --sign - --force --deep ./Live Wallpaper.app

有关签名的内容大家可自行Google脑补。

效果:首次安装后,在支付窗口点击“恢复购买” 重开软件,发现购买窗口没有了,随便选一个素材点击即可直接下载使用。

开发者不易,支持正版!




 


看雪ID:Mr.梵高

https://bbs.pediy.com/user-home-942743.htm

*本文由看雪论坛 Mr.梵高 原创,转载请注明来自看雪社区




# 往期推荐

1.某视频app的学习记录

2.Chrom V8分析入门——Google CTF2018 justintime分析

3.Typora 授权解密与剖析

4.内核漏洞学习-HEVD-StackOverflowGS

5.人人都可以拯救正版硬件受害者(Jlink提示Clone)

6.frida内存检索svc指令查找sendto和recvfrom进行hook抓包






球分享

球点赞

球在看



点击“阅读原文”,了解更多!

您可能也对以下帖子感兴趣

文章有问题?点此查看未经处理的缓存