Synalyze It! Pro v1.11.2 cracking walkthrough + bin
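This post was last edited by wx_f1Jji177 on 2015-6-11 10:43
-------------------------------------------------------------------
#Synalyze It! Pro v1.11.2 is currently the latest version; it is similar to 010 Editor and offers data models, syntax highlighting, script execution and other features
-------------------------------------------------------------------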
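You have come to the right place! Synalyze It! lets you create interactive grammars for your binary files. Unlike regular hex editors or viewers, it interprets files for you automatically! Binary file analysis has never been this easy.
In addition, Synalyze It! is a full-featured hex editor for Mac OS X that lets you edit files of any size in dozens of text encodings and explains what the bytes mean.
### Main features: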
Synalyze It! allows editing of files of any size without delay. Even copying of data of any size via clipboard is possible.
When you insert a string from the clipboard, the selected encoding is applied, of course. This enables you to convert text from one encoding to another easily.
Compute various checksums for the selected bytes
Visualize your grammars by exporting to .dot (GraphViz) files
Display the selection in different number and color representations
Print the hex view with or without text and mapped structures
Selected bytes can be written to disk directly
Directly jump to a specific file offset (decimal or hex)
Jump to positions entering expressions
Let Synalyze It! count the occurrence of each byte in a file.
Check the text encoding (ASCII/EBCDIC) of some hex values
Search text incrementally using one of dozens of code pages
**Find numbers: 8-64 bit signed/unsigned, little/big endian**
Find a number in a file instantly and jump directly to the findings
Find all places in a file that match a certain bit mask
See all strings with a certain encoding
Find all strings in a file like with the Unix strings command
Write Python or Lua scripts where the "static" grammar is not enough
Structure and element sizes as well as repeat counts can contain complex formulas
```
[email protected] ~/Desktop> cd Synalyze\ It!\
[email protected] ~/D/S/C/MacOS> ./Synalyze\ It!\ Pro
2015-06-11 00:07:35.804 Synalyze It! Pro Encountered error 'Invalid product key' ('91')
2015-06-11 00:07:35.804 Synalyze It! Pro Encountered error 'Invalid product key' ('91')
```
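**2. So first debug to locate where the license is verified: open `Synalyze It! Pro` in `lldb`, set a breakpoint on the logging function `NSLogv`, then run the program. The breakpoint hits at `0x7fff9349f2dd NSLogv` in Foundation.framework. Looking at the call stack, the method names make it easy to find the verification method that pops up the expiry window: `- + 80`**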
```
[email protected] ~/Desktop> lldb Synalyze\ It!\
(lldb) target create "Synalyze It!"
Current executable set to 'Synalyze It!' (x86_64).
(lldb) br s -n NSLogv
Breakpoint 1: where = Foundation`NSLogv, address = 0x00000000000442dd
(lldb) r
Process 2873 launched: '/Users/0xcb/Desktop/Synalyze It! MacOS/Synalyze It! Pro' (x86_64)
Process 2873 stopped
* thread #1: tid = 0x11181, 0x00007fff9349f2dd Foundation`NSLogv, queue = '', stop reason = breakpoint 1.1
    frame #0: 0x00007fff9349f2dd Foundation`NSLogv
-> 0x7fff9349f2dd: pushq %rbp
   0x7fff9349f2de: movq %rsp, %rbp
(lldb) bt
* thread #1: tid = 0x11181, 0x00007fff9349f2dd Foundation`NSLogv, queue = '', stop reason = breakpoint 1.1
  * frame #0: 0x00007fff9349f2dd Foundation`NSLogv
    frame #1: 0x00000001000368fe Synalyze It! Pro`_LogTraceMessage + 51
    frame #2: 0x000000010006ffe5 Synalyze It! Pro`TraceMessage + 1064
    frame #3: 0x000000010006fb79 Synalyze It! Pro`TraceFatal + 185
    frame #4: 0x0000000100067f09 Synalyze It! Pro`- + 329
    frame #5: 0x00007fff95d063ac AppKit`- + 450
    frame #6: 0x00007fff95cecfa6 AppKit`- + 110
    frame #7: 0x0000000100067ba3 Synalyze It! Pro`- + 32
    frame #8: 0x0000000100067db9 Synalyze It! Pro`- + 121
    frame #9: 0x0000000100068179 Synalyze It! Pro`- + 36
    frame #10: 0x000000010006820e Synalyze It! Pro`- + 80
    frame #11: 0x0000000100035a74 Synalyze It! Pro`- + 587
    frame #12: 0x00007fff8ec54e0c CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 12
    frame #13: 0x00007fff8eb4882d CoreFoundation`_CFXNotificationPost + 2893
    frame #14: 0x00007fff9345ddda Foundation`- + 68
    frame #15: 0x00007fff95a78b69 AppKit`- + 289
    frame #16: 0x00007fff95a7889c AppKit`- + 195
    frame #17: 0x00007fff95a75786 AppKit`- + 570
    frame #18: 0x00007fff95a751db AppKit`- + 242
    frame #19: 0x00007fff9347c52a Foundation`- + 294
    frame #20: 0x00007fff9347c39d Foundation`_NSAppleEventManagerGenericHandler + 106
    frame #21: 0x00007fff95791e1f AE`aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) + 381
    frame #22: 0x00007fff95791c32 AE`dispatchEventAndSendReply(AEDesc const*, AEDesc*) + 31
    frame #23: 0x00007fff95791b36 AE`aeProcessAppleEvent + 315
    frame #24: 0x00007fff97e39161 HIToolbox`AEProcessAppleEvent + 56
    frame #25: 0x00007fff95a710b6 AppKit`_DPSNextEvent + 1026
    frame #26: 0x00007fff95a7089b AppKit`- + 122
    frame #27: 0x00007fff95a6499c AppKit`- + 553
    frame #28: 0x00007fff95a4f783 AppKit`NSApplicationMain + 940
    frame #29: 0x000000010006a155 Synalyze It! Pro`main + 97
    frame #30: 0x0000000100001934 Synalyze It! Pro`start + 52
```
**3. Next, look at the assembly of that method: `- + 80`**
```
(lldb) frame select 10
frame #10: 0x000000010006820e Synalyze It! Pro`- + 80
Synalyze It! Pro`- + 80:
-> 0x10006820e: jmp 0x100068231 ; - + 115
   0x100068210: leaq 0x191563d(%rip), %rcx ; "<unknown>"
   0x100068217: leaq 0x18fc6cc(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/Cocoa/TurboActivateController.m"
   0x10006821e: leaq 0x1915665(%rip), %rdx ; "Encountered error '%s' ('%d')"
(lldb) dis
Synalyze It! Pro`-:
   0x1000681bf: movq %rsp, %rbp
   0x1000681c4: movq %rdi, %rbx
   0x1000681c7: movb $0x0, -0x9(%rbp)
   0x1000681cb: leaq -0x9(%rbp), %rdi
   0x1000681cf: callq 0x100069fce ; LicenseQueryActivatedOrInTrialTA
   0x1000681d4: movl %eax, %r8d
   0x1000681d7: testl %r8d, %r8d
   0x1000681da: je 0x1000681f5 ; - + 55
   0x1000681dc: cmpl $0xda, %r8d
   0x1000681e3: ja 0x100068210 ; - + 82
   0x1000681e5: movslq %r8d, %rax
   0x1000681e8: leaq 0x19b6201(%rip), %rcx ; GioMemFunctions + 88
   0x1000681ef: movq (%rcx,%rax,8), %rcx
   0x1000681f3: jmp 0x100068217 ; - + 89
   0x1000681f5: cmpb $0x0, -0x9(%rbp)
   0x1000681f9: jne 0x100068231 ; - + 115
   0x1000681fb: movq 0x19e6426(%rip), %rsi ; "showWindow:"
   0x100068202: movq %rbx, %rdi
   0x100068205: movq %rbx, %rdx
   0x100068208: callq *0x199d16a(%rip) ; (void *)0x00007fff94c85080: objc_msgSend
-> 0x10006820e: jmp 0x100068231 ; - + 115
   0x100068210: leaq 0x191563d(%rip), %rcx ; "<unknown>"
   0x100068217: leaq 0x18fc6cc(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/Cocoa/TurboActivateController.m"
   0x10006821e: leaq 0x1915665(%rip), %rdx ; "Encountered error '%s' ('%d')"
   0x100068225: movl $0xe5, %esi
   0x10006822a: xorl %eax, %eax
   0x10006822c: callq 0x10006fac0 ; TraceFatal
   0x100068231: addq $0x8, %rsp
   0x100068235: popq %rbx
   0x100068236: popq %rbp
```
**4. Find the suspicious method call: `0x1000681cf: callq 0x100069fce ; LicenseQueryActivatedOrInTrialTA`, and step in to inspect it:**
```
(lldb) dis -s 0x100069fce -c 36
Synalyze It! Pro`LicenseQueryActivatedOrInTrialTA:
   0x100069fcf: movq %rsp, %rbp
   0x100069fd5: subq $0x10, %rsp
   0x100069fd9: movq %rdi, %r14
   0x100069fdc: movb $0x0, -0x11(%rbp)
   0x100069fe0: leaq -0x11(%rbp), %rdi
   0x100069fe4: callq 0x100069f83 ; LicenseQueryActivatedTA
   0x100069fe9: movl %eax, %ebx
   0x100069feb: testl %ebx, %ebx
   0x100069fed: je 0x10006a007 ; LicenseQueryActivatedOrInTrialTA + 57
   0x100069fef: cmpl $0xda, %ebx
   0x100069ff5: ja 0x10006a015 ; LicenseQueryActivatedOrInTrialTA + 71
   0x100069ff7: movslq %ebx, %rax
   0x100069ffa: leaq 0x19b43ef(%rip), %rcx ; GioMemFunctions + 88
   0x10006a001: movq (%rcx,%rax,8), %rcx
   0x10006a005: jmp 0x10006a01c ; LicenseQueryActivatedOrInTrialTA + 78
   0x10006a007: cmpb $0x0, -0x11(%rbp)
   0x10006a00b: je 0x10006a044 ; LicenseQueryActivatedOrInTrialTA + 118
   0x10006a00d: movb $0x1, (%r14)
   0x10006a011: xorl %ebx, %ebx
   0x10006a013: jmp 0x10006a039 ; LicenseQueryActivatedOrInTrialTA + 107
   0x10006a015: leaq 0x1913838(%rip), %rcx ; "<unknown>"
   0x10006a01c: leaq 0x18fb039(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/c/LicensingTurbo.c"
   0x10006a023: leaq 0x1913860(%rip), %rdx ; "Encountered error '%s' ('%d')"
   0x10006a02a: movl $0x147, %esi
   0x10006a02f: xorl %eax, %eax
   0x10006a031: movl %ebx, %r8d
   0x10006a034: callq 0x10006fac0 ; TraceFatal
   0x10006a039: movl %ebx, %eax
   0x10006a03b: addq $0x10, %rsp
   0x10006a03f: popq %rbx
   0x10006a040: popq %r14
   0x10006a042: popq %rbp
```
**5. An obvious call that queries the activation state: `0x100069fe4: callq 0x100069f83 ; LicenseQueryActivatedTA`. Look at that method's assembly:**
```
(lldb) dis -s 0x100069f83 -c 28
Synalyze It! Pro`LicenseQueryActivatedTA:
   0x100069f84: movq %rsp, %rbp
   0x100069f89: movq %rdi, %rbx
   0x100069f8c: leaq 0x18fb102(%rip), %rdi ; "202385488551004732b6fe35.69803382"
   0x100069f93: callq 0x100443cc2 ; symbol stub for: IsActivated
   0x100069f98: cmpl $0x1, %eax
   0x100069f9b: jne 0x100069fa4 ; LicenseQueryActivatedTA + 33
   0x100069f9d: movb $0x0, (%rbx)
   0x100069fa0: xorl %ecx, %ecx
   0x100069fa2: jmp 0x100069fc5 ; LicenseQueryActivatedTA + 66
   0x100069fa4: testl %eax, %eax
   0x100069fa6: jne 0x100069faf ; LicenseQueryActivatedTA + 44
   0x100069fa8: movb $0x1, (%rbx)
   0x100069fab: xorl %ecx, %ecx
   0x100069fad: jmp 0x100069fc5 ; LicenseQueryActivatedTA + 66
   0x100069faf: movl $0x72, %ecx
   0x100069fb4: cmpl $0x19, %eax
   0x100069fb7: ja 0x100069fc5 ; LicenseQueryActivatedTA + 66
   0x100069fbb: leaq 0x18a76be(%rip), %rcx ; alertNativeButtonIndexAndTypeToButtonIndex + 48
   0x100069fc2: movl (%rcx,%rax,4), %ecx
   0x100069fc5: movl %ecx, %eax
   0x100069fc7: addq $0x8, %rsp
   0x100069fcb: popq %rbx
   0x100069fcc: popq %rbp
```
**6. Found the method and a fixed argument: `0x100069f93: callq 0x100443cc2 ; symbol stub for: IsActivated`. Argument: "202385488551004732b6fe35.69803382". Keep following:**
```
(lldb) dis -s 0x100443cc2 -c 5
Synalyze It! Pro`symbol stub for: IsActivated:
   0x100443cc2: jmpq *0x15c1b70(%rip) ; (void *)0x0000000101f75e18: IsActivated
Synalyze It! Pro`symbol stub for: IsDateValid:
   0x100443cc8: jmpq *0x15c1b72(%rip) ; (void *)0x000000010044488e
Synalyze It! Pro`symbol stub for: TrialDaysRemaining:
   0x100443cce: jmpq *0x15c1b74(%rip) ; (void *)0x0000000101f750b9: TrialDaysRemaining
Synalyze It! Pro`symbol stub for: UseTrial:
   0x100443cd4: jmpq *0x15c1b76(%rip) ; (void *)0x0000000101f751f8: UseTrial
Synalyze It! Pro`symbol stub for: NSDivideRect:
   0x100443cda: jmpq *0x15c1b78(%rip) ; (void *)0x00000001004448ac
```
**7. At this point the symbol table jumps out to a system symbol: look up the image that contains the `IsActivated` symbol.**
```
(lldb) image lookup -r -n IsActivated
1 match found in /Users/0xcb/Desktop/Synalyze It!
        Address: libTurboActivate.dylib (libTurboActivate.dylib.__TEXT.__text + 79288)
        Summary: libTurboActivate.dylib`IsActivated
```
```
[email protected] ~/Desktop> cd Synalyze\ It!\
[email protected] ~/D/S/C/MacOS> ls
Synalyze It! Pro TurboActivate.dat libTurboActivate.dylib
[email protected] ~/D/S/C/MacOS> strings libTurboActivate.dylib
Could not create new curl instance
TurboActivate/ (
(proxies != NULL) == (error == NULL)
resultPtr != NULL
*resultPtr == NULL
proxies != NULL
expandedProxiesPtr != NULL
*expandedProxiesPtr == NULL
thisProxy != NULL
CFGetTypeID(thisProxy) == CFDictionaryGetTypeID()
proxyType != NULL
CFGetTypeID(proxyType) == CFStringGetTypeID()
scriptURL != NULL
CFGetTypeID(scriptURL) == CFURLGetTypeID()
result != NULL
(err == noErr) == (*expandedProxiesPtr != NULL)
scheme != NULL
m_register.size() > 0
!"ProcessRecoverableMessage() not implemented"
```
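**10. Found usable information: , go to the website (register to view) and download the SDK for this module. Then write an SDK with the same interface yourself and put it into the folder `Synalyze\ It!\`; once `libTurboActivate.dylib` has been replaced, the application is in the licensed state :)**
#### Summary: originally I brute-force patched several methods of libTurboActivate.dylib with Hopper Disassembler; later, while searching through the strings, I came across the support website for this dynamic library and followed the trail from there. In theory this works on all previous versions :)
**** Hidden Message ***** Third-party SDK used for licensing: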
**** Hidden Message *****
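I can't believe software like this exists, so fancy!
Nice!!
Marked as featured~
Thanks for sharing
Impressive, impressive
Great stuff, thanks OP
Is there a Chinese version?
Wow, a featured Mac post right off the bat; from now on iOS is your turf
Showing support.. nice.. keep going.. haha
Have to support this one, bowing to the OP~
Such an awesome tool, I have to try it; it truly deserves the featured tag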