The road to cracking a Mac app

Six years ago I wrote some memory cheats and auto-play scripts for games. Those are fairly low-level techniques. Over the past few years I picked up some assembly knowledge in my spare time, and lately I have been thinking about cracking games.

All of this is self-taught hacking with no teacher to ask; I can only search Baidu and work it out myself, which is painful. Sometimes things get so frustrating that I want to smash the computer.


Six years ago my Windows cracking tools were IDA, OllyDbg and CE (Cheat Engine). After switching to a Mac I naturally wanted to keep using them. After a lot of Baidu searching: apart from OllyDbg, they all have Mac versions.

So I downloaded the Mac version of IDA and dragged in a few executables to analyze. It is good, and very powerful.

I have used this tool to crack the encryption of many cocos2dx games, and also to crack my company's encrypted Node.js library.

The approach is always the same: search for a string first, navigate to the code that references it, then decompile to get pseudo-C. This approach has significant limitations.

It is weak at modifying code: you need a solid command of assembler, you have to know the instruction encodings before you can patch them, and you have to keep the byte length unchanged.

The biggest problem is that it cannot do dynamic debugging; the program crashes when you debug it. I fought with this thing for a long time, to the point of spitting blood.

I even considered spending a lot of money on a legal copy, but then saw that it cannot debug on a Mac either.


A new dawn: I stumbled across the Hopper tool, and downloaded a cracked version of Hopper 4.0.3.

It does have dynamic debugging, but no matter what I tried, debugging never worked reliably: it kept saying lldb could not be started or lacked permission.

In desperation I deleted the cracked version and bought a genuine copy from the official website.

[A side story: it cost me 685 yuan, and then the damn thing would not give me a license, so I decided to email them. You cannot use a QQ mailbox here.

I used a non-QQ mailbox to talk to them. The first email said that I had paid their fee via Alipay, and asked why I had not received the order license; I had filled in a QQ mailbox.

At two in the afternoon they replied, saying they needed a payment screenshot. I'm busy at work during the day, and only saw the reply after 22:00, so I sent the Alipay screenshots over; after 5:00 they replied.

They did not say why, only that the problem was solved and that I should check the QQ mailbox again. I finally received the license file. From paying to getting the license file took a full day and night.]

Attached is a screenshot of the version information:

Now that I had the tool, it had to earn its keep, so CleanMyMac X was first under the knife.

Why crack it? Because I paid for a perpetual CleanMyMac 3 license, but X is the latest version, and upgrading costs money all over again. That put me in a very bad mood.


Actually starting the crack:

Cracking tools: Hopper 4.5.12, Charles

Target: CleanMyMac X 4.4.3 Chinese version


1. Drag the CleanMyMac X file into Hopper 4.5.12, as shown in the figure.

2. Search for the string .php.

Why search for that? Because with Charles running, when I entered the license string, the verification address captured was a .php endpoint.

3. This string is used to jump to the code:

000000010050c055         db         "https://activations.devmate.com/activation.php", 0 ; DATA XREF=sub_1003a3410+1621

Double-click sub_1003a3410 to jump into it.

Decompile it: the function is one big blob. Sweep it from start to finish and you roughly understand the logic flow.

The first half of the function encrypts the data you entered, assembles the request headers and request parameters, and sends the request asynchronously.

I don't care how it encrypts or how it assembles the data it sends. I only care about the second half of the routine, which processes the data returned by the server.

Screenshot of the second half:

After a lot of dynamic debugging: the data obtained from the network is binary, so it is presumably encrypted; the binary data from the network is stored in an NSMutableData (v3).

4. I traced this for a long time with no result and was ready to give up on writing a keygen. I went back and forth here and wasted a lot of time.

There are generally three ways to crack software:

  a. Reverse the algorithm and write a keygen, so the goal is achieved without modifying the original binary.

  b. Modify the binary code directly and skip the authentication.

  c. If the software has a trial period, dynamically find where the trial period is read and written, delete it, and get an unlimited trial.

5. I decided to crack this software by modifying the binary directly to skip authentication.

Searching again for the string isactiv gives this result:


6. From the result above, the activation flag depends on the method sub_1003712a0; looking up its cross-references finds sub_100372d90.

Modify this method directly so that it returns 1 instead of 0.


After modifying, save the binary: Shift + Command + E

The popup says:

The signed application has been modified. The original signature is not valid for the newly generated binary. Do you want to remove this invalid signature?

Choose remove here. [The correct approach is: keep the invalid signature]


7. Then re-test CleanMyMac X: it is cracked, and there are no more popups. But some cleaning is incomplete because of missing permissions; without a signature, permissions cannot be granted.

8. Re-sign:

Check the signature:

➜  dmg codesign -v CleanMyMac\ X.app
CleanMyMac X.app: code object is not signed at all
In architecture: x86_64

Find the signing identities available on this machine: security find-identity -v -p codesigning

Re-sign: codesign -f -s "签名" /path/to/app

/Library/Developer/CommandLineTools/usr/bin/codesign_allocate: file not in an order that can be processed (link edit information does not fill the __LINKEDIT segment): /Users/dengzhongqiang/Downloads/dmg/CleanMyMac X.app/Contents/MacOS/CleanMyMac-X
CleanMyMac X.app: the codesign_allocate helper tool cannot be found or used

It errored.

This is not a fault in the signing tool; it is a __LINKEDIT segment error caused by Hopper stripping the signature info when it generates the binary. Comparing the files shows that, besides the assembly you changed yourself, quite a lot of other data was changed too. The fix is simple: do not strip the signature info when generating the executable. Export a new version.

Signature before cracking:

➜  dmg codesign -dvvv /Applications/CleanMyMac\ X.app
Executable=/Applications/CleanMyMac X.app/Contents/MacOS/CleanMyMac-X
Identifier=com.macpaw.zh.CleanMyMac4
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=69061 flags=0x10000(runtime) hashes=2149+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=3f59bf294b4a40914c2f13f48c28ab99cd7f98a5
CandidateCDHash sha256=6890d759d07aa2cf1513b0e01070ac7617a44be3
Hash choices=sha1,sha256
CDHash=6890d759d07aa2cf1513b0e01070ac7617a44be3
Signature size=9003
Authority=Developer ID Application: MacPaw Inc. (S8EX82NJP6)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 14, 2019 at 7:46:17 PM
Info.plist entries=41
TeamIdentifier=S8EX82NJP6
Runtime Version=10.14.0
Sealed Resources version=2 rules=13 files=236
Internal requirements count=1 size=188

Signature after cracking: identical to the above.

Re-sign:

➜  MacOS codesign -f -s "Mac Developer: Deng Zhongqiang (Z5472F3S63)" /Applications/CleanMyMac\ X.app
/Applications/CleanMyMac X.app: replacing existing signature

Check the signature of the re-signed cracked file again:

➜  MacOS codesign -dvvv /Applications/CleanMyMac\ X.app
Executable=/Applications/CleanMyMac X.app/Contents/MacOS/CleanMyMac-X
Identifier=com.macpaw.zh.CleanMyMac4
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=68953 flags=0x0(none) hashes=2149+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=efb5f4497d7e8b7c5d5d271aadd02a9ac8547090
CandidateCDHash sha256=7792767bec80d69685747f1d343d6c332dff6f6c
Hash choices=sha1,sha256
CDHash=7792767bec80d69685747f1d343d6c332dff6f6c
Signature size=4782
Authority=Mac Developer: Deng Zhongqiang (Z5472F3S63)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jun 23, 2019 at 2:29:14 AM
Info.plist entries=41
TeamIdentifier=Q53X4QR364
Sealed Resources version=2 rules=13 files=236
Internal requirements count=1 size=188
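The two codesign listings above show what a patched and re-signed bundle looks like from the outside: the Developer ID chain is replaced by a personal certificate, the TeamIdentifier changes, the hardened-runtime flag is gone, and the secure Timestamp becomes an unverified Signed Time. The following Python is an added example, not code from the original post: it parses `codesign -dvvv` output and flags exactly those differences, which is what an admin or endpoint tool would check before trusting such a bundle. The expected team ID S8EX82NJP6 and both sample inputs are copied (trimmed) from the page's listings.

```python
import re

# Trimmed `codesign -dvvv` outputs copied from this page: the vendor-signed
# bundle and the same bundle after it was patched and re-signed.
ORIGINAL = """CodeDirectory v=20500 size=69061 flags=0x10000(runtime) hashes=2149+5 location=embedded
Authority=Developer ID Application: MacPaw Inc. (S8EX82NJP6)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 14, 2019 at 7:46:17 PM
TeamIdentifier=S8EX82NJP6
"""
RESIGNED = """CodeDirectory v=20200 size=68953 flags=0x0(none) hashes=2149+3 location=embedded
Authority=Mac Developer: Deng Zhongqiang (Z5472F3S63)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jun 23, 2019 at 2:29:14 AM
TeamIdentifier=Q53X4QR364
"""

def parse_codesign(text):
    """Turn codesign key=value lines into a dict; repeated Authority lines become a list."""
    info = {"Authority": []}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.split()[0]            # "CodeDirectory v=..." -> "CodeDirectory"
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    m = re.search(r"flags=(0x[0-9a-f]+)\(([^)]*)\)", info.get("CodeDirectory", ""))
    info["flags"] = int(m.group(1), 16) if m else 0
    return info

def audit(info, expected_team):
    """Return findings showing the bundle is not the vendor's own signed build."""
    findings = []
    if info.get("TeamIdentifier") != expected_team:
        findings.append("team-mismatch")
    if not any(a.startswith("Developer ID Application:") for a in info["Authority"]):
        findings.append("not-developer-id")   # personal/dev cert, not Developer ID
    if not info["flags"] & 0x10000:           # CS_RUNTIME: hardened runtime enabled
        findings.append("hardened-runtime-missing")
    if "Timestamp" not in info:               # "Signed Time" = no secure timestamp
        findings.append("no-secure-timestamp")
    return findings
```

On a real machine the input would come from `codesign -dvvv` (it writes to stderr), and an empty finding list is the only result that should pass a software-allowlisting check.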


===============

Nearly done: the cracked package can basically be sent to others now.

1. Copy the cracked package into a dmg directory [the directory name dmg is arbitrary].

2. cd dmg

3. ln -s /Applications Applications

4. Use Disk Utility > File > New Image > Image from Folder > select dmg

================

If you need the cracked CleanMyMac X 4.4.3 package, contact QQ: 1246747572; when contacting me, note your purpose.

The cracked package requires a 20 yuan red envelope, as a little compensation for my effort.


Origin www.cnblogs.com/dzqdzq/p/11071747.html