网上传闻swf reader是破解最厉害的神器,可以内存抓取+doSWF反编译。所以去官网下了一个:
SWF_Reader_2.3
不出所料,demo版本没有反编译的功能。网上搜到一个哥们尝试了下:
http://blog.sina.com.cn/s/blog_6d0b766301011yv9.html
可是明显,按照做法,是破解不了的。估计换了算法,那只能用jd-gui去反编译这个jar了。
看到个关键文件:
d.a:
private static byte[] a(byte[] paramArrayOfByte) { byte[] arrayOfByte1 = { -21, 33, 76, 44, -11, -55, -90, 99, -79, 21, 34, -69 }; byte[] arrayOfByte2 = new byte[paramArrayOfByte.length - 512]; int i = 0; int j = 0; for (int k = 256; k < paramArrayOfByte.length - 256; k++) { int m = paramArrayOfByte[k]; arrayOfByte2[i] = (byte)(m ^ arrayOfByte1[j]); i++; j += 2; if (j >= arrayOfByte1.length) j = 1; j--; j--; } return arrayOfByte2; }
这段代码就是作者玩byte,自定义一个编码规则。
另外:
public static boolean isFull() { Object localObject = { "j", "i", "n", "d", "a", "r", "K", "e", "i", "n" }; int i = 0; for (int j = unique.length() - 1; j >= 0; j--) { if (unique.charAt(i) != localObject[j].charAt(0)) { Main.Main.a = c.c; break; } i++; }
这段代码,作者自己搞了个key的验证。所以我知道构造license.java的内容是:
public static void main(String[] args) { try { FileOutputStream ostream = new FileOutputStream("t.org"); ObjectOutputStream p = new ObjectOutputStream(ostream); Licence aa = new Licence(); aa.name = "pixysoft"; aa.surname = "pixysoft"; aa.nick = "pixysoft"; String bDate = "2099-06-08 12:00"; SimpleDateFormat formatter = new SimpleDateFormat("yyyy-MM-dd"); aa.buyDate = formatter.parse(bDate); aa.unique = "jindarKein"; p.writeObject(aa); p.flush(); ostream.close(); byte[] content = FileHelper.readToBytes("t.org"); for (byte b : content) { System.out.print((int) b + ","); } System.out.println(); byte[] dContent = new byte[content.length + 512]; for (int i = 0; i < 256; i++) { dContent[i] = 0; } for (int i = 0; i < content.length; i++) { dContent[i + 256] = content[i]; } for (int i = 256 + content.length; i < dContent.length; i++) { dContent[i] = 0; } content = a(dContent); for (byte b : content) { System.out.print((int) b + ","); } System.out.println(); dContent = new byte[content.length + 512]; for (int i = 0; i < 256; i++) { dContent[i] = 0; } for (int i = 0; i < content.length; i++) { dContent[i + 256] = content[i]; } for (int i = 256 + content.length; i < dContent.length; i++) { dContent[i] = 0; } // content = a(dContent); // for (byte b : content) // { // System.out.print((int) b + ","); // } // System.out.println(); FileHelper.write("licence.file", dContent); } catch (Exception e) { e.printStackTrace(); } } private static byte[] a(byte[] paramArrayOfByte) { byte[] arrayOfByte1 = { -21, 33, 76, 44, -11, -55, -90, 99, -79, 21, 34, -69 }; byte[] arrayOfByte2 = new byte[paramArrayOfByte.length - 512]; int i = 0; int j = 0; for (int k = 256; k < paramArrayOfByte.length - 256; k++) { int m = paramArrayOfByte[k]; arrayOfByte2[i] = (byte) (m ^ arrayOfByte1[j]); i++; j += 2; if (j >= arrayOfByte1.length) j = 1; j--; j--; } return arrayOfByte2; }
其实也很简单,作者自己做个了密码表,然后对byte进行位异或操作。另外前后加入了256个空byte。我只要对license的序列化进行一次异或,就能够被程序解析。
得到的licence.file放到jar文件目录,即可,选择unproject模式,能够开启所有的menu。