    Synalyze It! Pro v1.11.2

    -------------------------------------------------------------------

    www.synalysis.net -> [link](http://www.synalysis.net)

    ![image](http://www.synalysis.net/_Media/screenshot1_med.png)

    Imagine this...

    You have a binary file and do not know what it contains. Or you have a specification, but do not want to decode by hand the binary files that some piece of software creates.

    Have you ever looked at a hex dump and thought how hard it is to make sense of it? And to remember what all those bits and bytes mean?

    You have come to the right place! Synalyze It! lets you create interactive grammars for your binary files. Unlike a regular hex editor or viewer, it interprets the file for you automatically! Analyzing binary files has never been this easy.

    In addition, Synalyze It! is a full-featured hex editor for Mac OS X that lets you edit files of any size using dozens of text encodings and interpret what the bytes mean.

    ### Main features: [link](http://www.synalysis.net/additional-features.html)

    **Hex editing**

    Synalyze It! allows editing of files of any size without delay. Even copying of data of any size via clipboard is possible.
    When you insert a string from the clipboard, the selected encoding is applied, of course. This enables you to convert text from one encoding to another easily.

    **Compute checksums**

    Compute various checksums for the selected bytes

    **Export grammar visualization**

    Visualize your grammars by exporting to .dot (GraphViz) files

    **Data view**

    Display the selection in different number and color representations

    **Print preview**

    Print the hex view with or without text and mapped structures

    **Save selected bytes**

    Selected bytes can be written to disk directly

    **Jump to offset**

    Directly jump to a specific file offset (decimal or hex)

    **Jump to position from the toolbar**

    Jump to positions by entering expressions

    **Data statistics**

    Let Synalyze It! count the occurrence of each byte in a file.

    **Compare bytes in different encodings**

    Check the text encoding (ASCII/EBCDIC) of some hex values

    **Incremental text search with encoding selection**

    Search text incrementally using one of dozens of code pages

    **Find numbers: 8-64 bit signed/unsigned, little/big endian**

    Find a number in a file instantly and jump directly to the findings

    **Find byte sequences matching a bit mask**

    Find all places in a file that match a certain bit mask

    **Find strings**

    See all strings with a certain encoding

    Find all strings in a file like with the Unix strings command

    **Extensible grammars using scripts**

    Write Python or Lua scripts where the "static" grammar is not enough

    **Grammars support powerful expressions**

    Structure and element sizes as well as repeat counts can contain complex formulas

    ---------------------------------------------------------------------------
    **1. After the trial expires, launching the app produces the following log output:**

    0xcb@cb.cn ~/Desktop> cd Synalyze It! Pro.app/Contents/MacOS/
    0xcb@cb.cn ~/D/S/C/MacOS> ./Synalyze It! Pro
    2015-06-11 00:07:35.804 Synalyze It! Pro[2844:507] Encountered error 'Invalid product key' ('91')
    2015-06-11 00:07:35.804 Synalyze It! Pro[2844:507] Encountered error 'Invalid product key' ('91')
    ---------------------------------------------------------------------------
    **2. So the first step is to debug and locate where the license check happens. Open `Synalyze It! Pro` in `lldb`, set a breakpoint on `NSLogv` (the function that writes the log message), then run the program. The breakpoint hits at `0x7fff9349f2dd NSLogv` in the Foundation framework. Looking at the call stack, the method names make it easy to find the check that pops up the expiry window: `-[TurboActivateController showIfNotActivatedOrInTrial:] + 80`**

    0xcb@cb.cn ~/Desktop> lldb Synalyze It! Pro.app
    (lldb) target create "Synalyze It! Pro.app"
    Current executable set to 'Synalyze It! Pro.app' (x86_64).
    (lldb) br s -n NSLogv
    Breakpoint 1: where = Foundation`NSLogv, address = 0x00000000000442dd
    (lldb) r
    Process 2873 launched: '/Users/0xcb/Desktop/Synalyze It! Pro.app/Contents/MacOS/Synalyze It! Pro' (x86_64)
    Process 2873 stopped
    * thread #1: tid = 0x11181, 0x00007fff9349f2dd Foundation`NSLogv, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x00007fff9349f2dd Foundation`NSLogv
    Foundation`NSLogv:
    -> 0x7fff9349f2dd: pushq %rbp
    0x7fff9349f2de: movq %rsp, %rbp
    0x7fff9349f2e1: pushq %r15
    0x7fff9349f2e3: pushq %r14
    (lldb) bt
    * thread #1: tid = 0x11181, 0x00007fff9349f2dd Foundation`NSLogv, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    * frame #0: 0x00007fff9349f2dd Foundation`NSLogv
    frame #1: 0x00000001000368fe Synalyze It! Pro`_LogTraceMessage + 51
    frame #2: 0x000000010006ffe5 Synalyze It! Pro`TraceMessage + 1064
    frame #3: 0x000000010006fb79 Synalyze It! Pro`TraceFatal + 185
    frame #4: 0x0000000100067f09 Synalyze It! Pro`-[TurboActivateController windowDidLoad] + 329
    frame #5: 0x00007fff95d063ac AppKit`-[NSWindowController _windowDidLoad] + 450
    frame #6: 0x00007fff95cecfa6 AppKit`-[NSWindowController window] + 110
    frame #7: 0x0000000100067ba3 Synalyze It! Pro`-[TurboActivateController transitionToTab:] + 32
    frame #8: 0x0000000100067db9 Synalyze It! Pro`-[TurboActivateController selectTabViewIndex] + 121
    frame #9: 0x0000000100068179 Synalyze It! Pro`-[TurboActivateController showWindow:] + 36
    frame #10: 0x000000010006820e Synalyze It! Pro`-[TurboActivateController showIfNotActivatedOrInTrial:] + 80
    frame #11: 0x0000000100035a74 Synalyze It! Pro`-[SynalyzeItApplicationDelegate applicationDidFinishLaunching:] + 587
    frame #12: 0x00007fff8ec54e0c CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 12
    frame #13: 0x00007fff8eb4882d CoreFoundation`_CFXNotificationPost + 2893
    frame #14: 0x00007fff9345ddda Foundation`-[NSNotificationCenter postNotificationName:object:userInfo:] + 68
    frame #15: 0x00007fff95a78b69 AppKit`-[NSApplication _postDidFinishNotification] + 289
    frame #16: 0x00007fff95a7889c AppKit`-[NSApplication _sendFinishLaunchingNotification] + 195
    frame #17: 0x00007fff95a75786 AppKit`-[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] + 570
    frame #18: 0x00007fff95a751db AppKit`-[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] + 242
    frame #19: 0x00007fff9347c52a Foundation`-[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] + 294
    frame #20: 0x00007fff9347c39d Foundation`_NSAppleEventManagerGenericHandler + 106
    frame #21: 0x00007fff95791e1f AE`aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) + 381
    frame #22: 0x00007fff95791c32 AE`dispatchEventAndSendReply(AEDesc const*, AEDesc*) + 31
    frame #23: 0x00007fff95791b36 AE`aeProcessAppleEvent + 315
    frame #24: 0x00007fff97e39161 HIToolbox`AEProcessAppleEvent + 56
    frame #25: 0x00007fff95a710b6 AppKit`_DPSNextEvent + 1026
    frame #26: 0x00007fff95a7089b AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
    frame #27: 0x00007fff95a6499c AppKit`-[NSApplication run] + 553
    frame #28: 0x00007fff95a4f783 AppKit`NSApplicationMain + 940
    frame #29: 0x000000010006a155 Synalyze It! Pro`main + 97
    frame #30: 0x0000000100001934 Synalyze It! Pro`start + 52
    (lldb)
    **3. Next, look at the assembly of that method: `-[TurboActivateController showIfNotActivatedOrInTrial:] + 80`**

    (lldb) frame select 10
    frame #10: 0x000000010006820e Synalyze It! Pro`-[TurboActivateController showIfNotActivatedOrInTrial:] + 80
    Synalyze It! Pro`-[TurboActivateController showIfNotActivatedOrInTrial:] + 80:
    -> 0x10006820e: jmp 0x100068231 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 115
    0x100068210: leaq 0x191563d(%rip), %rcx ; "<unknown>"
    0x100068217: leaq 0x18fc6cc(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/Cocoa/TurboActivateController.m"
    0x10006821e: leaq 0x1915665(%rip), %rdx ; "Encountered error '%s' ('%d')"
    (lldb) dis
    Synalyze It! Pro`-[TurboActivateController showIfNotActivatedOrInTrial:]:
    0x1000681be: pushq %rbp
    0x1000681bf: movq %rsp, %rbp
    0x1000681c2: pushq %rbx
    0x1000681c3: pushq %rax
    0x1000681c4: movq %rdi, %rbx
    0x1000681c7: movb $0x0, -0x9(%rbp)
    0x1000681cb: leaq -0x9(%rbp), %rdi
    0x1000681cf: callq 0x100069fce ; LicenseQueryActivatedOrInTrialTA
    0x1000681d4: movl %eax, %r8d
    0x1000681d7: testl %r8d, %r8d
    0x1000681da: je 0x1000681f5 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 55
    0x1000681dc: cmpl $0xda, %r8d
    0x1000681e3: ja 0x100068210 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 82
    0x1000681e5: movslq %r8d, %rax
    0x1000681e8: leaq 0x19b6201(%rip), %rcx ; GioMemFunctions + 88
    0x1000681ef: movq (%rcx,%rax,8), %rcx
    0x1000681f3: jmp 0x100068217 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 89
    0x1000681f5: cmpb $0x0, -0x9(%rbp)
    0x1000681f9: jne 0x100068231 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 115
    0x1000681fb: movq 0x19e6426(%rip), %rsi ; "showWindow:"
    0x100068202: movq %rbx, %rdi
    0x100068205: movq %rbx, %rdx
    0x100068208: callq *0x199d16a(%rip) ; (void *)0x00007fff94c85080: objc_msgSend
    -> 0x10006820e: jmp 0x100068231 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 115
    0x100068210: leaq 0x191563d(%rip), %rcx ; "<unknown>"
    0x100068217: leaq 0x18fc6cc(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/Cocoa/TurboActivateController.m"
    0x10006821e: leaq 0x1915665(%rip), %rdx ; "Encountered error '%s' ('%d')"
    0x100068225: movl $0xe5, %esi
    0x10006822a: xorl %eax, %eax
    0x10006822c: callq 0x10006fac0 ; TraceFatal
    0x100068231: addq $0x8, %rsp
    0x100068235: popq %rbx
    0x100068236: popq %rbp
    0x100068237: retq
    (lldb)
    **4. Find the suspicious call: `0x1000681cf: callq 0x100069fce ; LicenseQueryActivatedOrInTrialTA`, and step into it:**

    (lldb) dis -s 0x100069fce -c 36
    Synalyze It! Pro`LicenseQueryActivatedOrInTrialTA:
    0x100069fce: pushq %rbp
    0x100069fcf: movq %rsp, %rbp
    0x100069fd2: pushq %r14
    0x100069fd4: pushq %rbx
    0x100069fd5: subq $0x10, %rsp
    0x100069fd9: movq %rdi, %r14
    0x100069fdc: movb $0x0, -0x11(%rbp)
    0x100069fe0: leaq -0x11(%rbp), %rdi
    0x100069fe4: callq 0x100069f83 ; LicenseQueryActivatedTA
    0x100069fe9: movl %eax, %ebx
    0x100069feb: testl %ebx, %ebx
    0x100069fed: je 0x10006a007 ; LicenseQueryActivatedOrInTrialTA + 57
    0x100069fef: cmpl $0xda, %ebx
    0x100069ff5: ja 0x10006a015 ; LicenseQueryActivatedOrInTrialTA + 71
    0x100069ff7: movslq %ebx, %rax
    0x100069ffa: leaq 0x19b43ef(%rip), %rcx ; GioMemFunctions + 88
    0x10006a001: movq (%rcx,%rax,8), %rcx
    0x10006a005: jmp 0x10006a01c ; LicenseQueryActivatedOrInTrialTA + 78
    0x10006a007: cmpb $0x0, -0x11(%rbp)
    0x10006a00b: je 0x10006a044 ; LicenseQueryActivatedOrInTrialTA + 118
    0x10006a00d: movb $0x1, (%r14)
    0x10006a011: xorl %ebx, %ebx
    0x10006a013: jmp 0x10006a039 ; LicenseQueryActivatedOrInTrialTA + 107
    0x10006a015: leaq 0x1913838(%rip), %rcx ; "<unknown>"
    0x10006a01c: leaq 0x18fb039(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/c/LicensingTurbo.c"
    0x10006a023: leaq 0x1913860(%rip), %rdx ; "Encountered error '%s' ('%d')"
    0x10006a02a: movl $0x147, %esi
    0x10006a02f: xorl %eax, %eax
    0x10006a031: movl %ebx, %r8d
    0x10006a034: callq 0x10006fac0 ; TraceFatal
    0x10006a039: movl %ebx, %eax
    0x10006a03b: addq $0x10, %rsp
    0x10006a03f: popq %rbx
    0x10006a040: popq %r14
    0x10006a042: popq %rbp
    0x10006a043: retq
    (lldb)
    **5. An obvious call that queries the activation state: `0x100069fe4: callq 0x100069f83 ; LicenseQueryActivatedTA`. Look at that function's assembly:**

    (lldb) dis -s 0x100069f83 -c 28
    Synalyze It! Pro`LicenseQueryActivatedTA:
    0x100069f83: pushq %rbp
    0x100069f84: movq %rsp, %rbp
    0x100069f87: pushq %rbx
    0x100069f88: pushq %rax
    0x100069f89: movq %rdi, %rbx
    0x100069f8c: leaq 0x18fb102(%rip), %rdi ; "202385488551004732b6fe35.69803382"
    0x100069f93: callq 0x100443cc2 ; symbol stub for: IsActivated
    0x100069f98: cmpl $0x1, %eax
    0x100069f9b: jne 0x100069fa4 ; LicenseQueryActivatedTA + 33
    0x100069f9d: movb $0x0, (%rbx)
    0x100069fa0: xorl %ecx, %ecx
    0x100069fa2: jmp 0x100069fc5 ; LicenseQueryActivatedTA + 66
    0x100069fa4: testl %eax, %eax
    0x100069fa6: jne 0x100069faf ; LicenseQueryActivatedTA + 44
    0x100069fa8: movb $0x1, (%rbx)
    0x100069fab: xorl %ecx, %ecx
    0x100069fad: jmp 0x100069fc5 ; LicenseQueryActivatedTA + 66
    0x100069faf: movl $0x72, %ecx
    0x100069fb4: cmpl $0x19, %eax
    0x100069fb7: ja 0x100069fc5 ; LicenseQueryActivatedTA + 66
    0x100069fb9: cltq
    0x100069fbb: leaq 0x18a76be(%rip), %rcx ; alertNativeButtonIndexAndTypeToButtonIndex + 48
    0x100069fc2: movl (%rcx,%rax,4), %ecx
    0x100069fc5: movl %ecx, %eax
    0x100069fc7: addq $0x8, %rsp
    0x100069fcb: popq %rbx
    0x100069fcc: popq %rbp
    0x100069fcd: retq

    **6. Found the function and a fixed argument: `0x100069f93: callq 0x100443cc2 ; symbol stub for: IsActivated`. The argument is "202385488551004732b6fe35.69803382". Keep following it:**

    (lldb) dis -s 0x100443cc2 -c 5
    Synalyze It! Pro`symbol stub for: IsActivated:
    0x100443cc2: jmpq *0x15c1b70(%rip) ; (void *)0x0000000101f75e18: IsActivated

    Synalyze It! Pro`symbol stub for: IsDateValid:
    0x100443cc8: jmpq *0x15c1b72(%rip) ; (void *)0x000000010044488e

    Synalyze It! Pro`symbol stub for: TrialDaysRemaining:
    0x100443cce: jmpq *0x15c1b74(%rip) ; (void *)0x0000000101f750b9: TrialDaysRemaining

    Synalyze It! Pro`symbol stub for: UseTrial:
    0x100443cd4: jmpq *0x15c1b76(%rip) ; (void *)0x0000000101f751f8: UseTrial

    Synalyze It! Pro`symbol stub for: NSDivideRect:
    0x100443cda: jmpq *0x15c1b78(%rip) ; (void *)0x00000001004448ac
    (lldb)

    **7. Here the symbol stub jumps out to an external symbol: look up which image contains the `IsActivated` symbol.**

    (lldb) image lookup -r -n IsActivated
    1 match found in /Users/0xcb/Desktop/Synalyze It! Pro.app/Contents/MacOS/./libTurboActivate.dylib:
    Address: libTurboActivate.dylib[0x0000000000014e18] (libTurboActivate.dylib.__TEXT.__text + 79288)
    Summary: libTurboActivate.dylib`IsActivated
    (lldb)

    **8. Conclusion: the call that queries whether the app is activated lives in the dynamically linked library `libTurboActivate.dylib`.**

    ---------------------------------------------------------------------------

    **9. Find `libTurboActivate.dylib` and look at its strings:**

    0xcb@cb.cn ~/Desktop> cd Synalyze It! Pro.app/Contents/MacOS/
    0xcb@cb.cn ~/D/S/C/MacOS> ls
    Synalyze It! Pro TurboActivate.dat libTurboActivate.dylib
    0xcb@cb.cn ~/D/S/C/MacOS> strings libTurboActivate.dylib
    Could not create new curl instance
    TurboActivate/3.4.0.0 (http://wyday.com/limelm/)
    socks=
    http=
    (proxies != NULL) == (error == NULL)
    /Users/wyatt/source/turboactivate/Library/ProxyResolverMac.cpp
    resultPtr != NULL
    *resultPtr == NULL
    proxies != NULL
    expandedProxiesPtr != NULL
    *expandedProxiesPtr == NULL
    thisProxy != NULL
    CFGetTypeID(thisProxy) == CFDictionaryGetTypeID()
    proxyType != NULL
    CFGetTypeID(proxyType) == CFStringGetTypeID()
    scriptURL != NULL
    CFGetTypeID(scriptURL) == CFURLGetTypeID()
    com.apple.dts.CFProxySupportTool
    result != NULL
    false
    (err == noErr) == (*expandedProxiesPtr != NULL)
    scheme != NULL
    HTTP
    GetProxiesForURL
    CreateProxyListWithExpandedPACProxies
    ResultCallback
    /Users/wyatt/source/cryptopp/secblock.h
    m_register.size() > 0
    /Users/wyatt/source/cryptopp/modes.h
    !"ProcessRecoverableMessage() not implemented"
    /Users/wyatt/source/cryptopp/pubkey.h
    /Users/wyatt/source/cryptopp/filters.h
    /Users/wyatt/source/cryptopp/cryptlib.h
    ......
    (remaining output omitted)

    **10. Found usable information: http://wyday.com/limelm/. Visit the site [link](http://wyday.com/limelm/), register, look around, and download that module's SDK. Then write your own SDK exposing the same interface, drop it into the folder `Synalyze It! Pro.app/Contents/MacOS/`, and after replacing `libTurboActivate.dylib` the app is in the licensed state :)**

    ---------------------------------------------------------------------------

    #### Summary: Originally I was going to use Hopper Disassembler to brute-force patch a few functions in libTurboActivate.dylib, but after searching the strings I spotted the support website of that dynamic library and followed the trail from there. In theory this works against every previous version as well :)

    -by 0xcb

    ---------------------------------------------------------------------------

    Original article: https://www.cnblogs.com/changbiao/p/4568248.html