Synalyze It! Pro v1.11.2 cracking walkthrough + bin
This post was last edited by wx_f1Jji177 on 2015-6-11 10:43
-------------------------------------------------------------------
# Synalyze It! Pro v1.11.2 is currently the latest version. It is similar to 010 Editor, with features such as data models (grammars), syntax highlighting, and script execution.
-------------------------------------------------------------------
[www.synalysis.net](http://www.synalysis.net)
![Synalyze It! Pro screenshot](http://www.synalysis.net/_Media/screenshot1_med.png)
Imagine...
You have a binary file and don't know what it contains. Or you have a specification, but don't want to decode by hand the binary files that some software creates.
Have you ever looked at a hex dump and thought how hard it is to make sense of it? And to remember what all the bits and bytes mean?
You have come to the right place! Synalyze It! lets you create interactive grammars for your binary files. Unlike a regular hex editor or viewer, the file is interpreted for you automatically! Analyzing binary files has never been so easy.
In addition, Synalyze It! is a full-featured hex editor for Mac OS X that lets you edit files of any size using dozens of text encodings and interpret the meaning of the bytes.
### [Main features](http://www.synalysis.net/additional-features.html)
**Hex editing**
Synalyze It! allows editing of files of any size without delay. Even copying of data of any size via clipboard is possible.
When you insert a string from the clipboard, the selected encoding is applied, of course. This enables you to convert text from one encoding to another easily.
**Compute checksums**
Compute various checksums for the selected bytes
**Export grammar visualization**
Visualize your grammars by exporting to .dot (GraphViz) files
**Data views**
Display the selection in different number and color representations
**Print preview**
Print the hex view with or without text and mapped structures
**Save selected bytes**
Selected bytes can be written to disk directly
**Jump to offset**
Directly jump to a specific file offset (decimal or hex)
**Jump to a position from the toolbar**
Jump to positions entering expressions
**Data statistics**
Let Synalyze It! count the occurrence of each byte in a file.
**Compare encodings of bytes**
Check the text encoding (ASCII/EBCDIC) of some hex values
**Incremental text search with encoding selection**
Search text incrementally using one of dozens of code pages
**Find numbers (8-64 bit signed/unsigned, little/big endian)**
Find a number in a file instantly and jump directly to the findings
**Find byte sequences matching a bit mask**
Find all places in a file that match a certain bit mask
**Find strings**
See all strings with a certain encoding
Find all strings in a file like with the Unix strings command
**Extensible grammars using scripts**
Write Python or Lua scripts where the "static" grammar is not enough
**Grammars support powerful expressions**
Structure and element sizes as well as repeat counts can contain complex formulas
---------------------------------------------------------------------------
**1. After the trial expires, launching the app prints this log output:**
[email protected] ~/Desktop> cd Synalyze\ It!\ Pro.app/Contents/MacOS/
[email protected] ~/D/S/C/MacOS> ./Synalyze\ It!\ Pro
2015-06-11 00:07:35.804 Synalyze It! Pro Encountered error 'Invalid product key' ('91')
2015-06-11 00:07:35.804 Synalyze It! Pro Encountered error 'Invalid product key' ('91')
---------------------------------------------------------------------------
**2. So first debug to locate where the licence is checked. Open `Synalyze It! Pro` in `lldb`, set a breakpoint on the logging function `NSLogv`, then run the program. The breakpoint hits at `0x7fff9349f2dd NSLogv` in the Foundation framework. Looking at the call stack, the method names make it easy to find the validation method that pops up the expiry window: `- + 80`**
[email protected] ~/Desktop> lldb Synalyze\ It!\ Pro.app
(lldb) target create "Synalyze It! Pro.app"
Current executable set to 'Synalyze It! Pro.app' (x86_64).
(lldb) br s -n NSLogv
Breakpoint 1: where = Foundation`NSLogv, address = 0x00000000000442dd
(lldb) r
Process 2873 launched: '/Users/0xcb/Desktop/Synalyze It! Pro.app/Contents/MacOS/Synalyze It! Pro' (x86_64)
Process 2873 stopped
* thread #1: tid = 0x11181, 0x00007fff9349f2dd Foundation`NSLogv, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x00007fff9349f2dd Foundation`NSLogv
Foundation`NSLogv:
-> 0x7fff9349f2dd:pushq%rbp
0x7fff9349f2de:movq %rsp, %rbp
0x7fff9349f2e1:pushq%r15
0x7fff9349f2e3:pushq%r14
(lldb) bt
* thread #1: tid = 0x11181, 0x00007fff9349f2dd Foundation`NSLogv, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
* frame #0: 0x00007fff9349f2dd Foundation`NSLogv
frame #1: 0x00000001000368fe Synalyze It! Pro`_LogTraceMessage + 51
frame #2: 0x000000010006ffe5 Synalyze It! Pro`TraceMessage + 1064
frame #3: 0x000000010006fb79 Synalyze It! Pro`TraceFatal + 185
frame #4: 0x0000000100067f09 Synalyze It! Pro`- + 329
frame #5: 0x00007fff95d063ac AppKit`- + 450
frame #6: 0x00007fff95cecfa6 AppKit`- + 110
frame #7: 0x0000000100067ba3 Synalyze It! Pro`- + 32
frame #8: 0x0000000100067db9 Synalyze It! Pro`- + 121
frame #9: 0x0000000100068179 Synalyze It! Pro`- + 36
frame #10: 0x000000010006820e Synalyze It! Pro`- + 80
frame #11: 0x0000000100035a74 Synalyze It! Pro`- + 587
frame #12: 0x00007fff8ec54e0c CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 12
frame #13: 0x00007fff8eb4882d CoreFoundation`_CFXNotificationPost + 2893
frame #14: 0x00007fff9345ddda Foundation`- + 68
frame #15: 0x00007fff95a78b69 AppKit`- + 289
frame #16: 0x00007fff95a7889c AppKit`- + 195
frame #17: 0x00007fff95a75786 AppKit`- + 570
frame #18: 0x00007fff95a751db AppKit`- + 242
frame #19: 0x00007fff9347c52a Foundation`- + 294
frame #20: 0x00007fff9347c39d Foundation`_NSAppleEventManagerGenericHandler + 106
frame #21: 0x00007fff95791e1f AE`aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) + 381
frame #22: 0x00007fff95791c32 AE`dispatchEventAndSendReply(AEDesc const*, AEDesc*) + 31
frame #23: 0x00007fff95791b36 AE`aeProcessAppleEvent + 315
frame #24: 0x00007fff97e39161 HIToolbox`AEProcessAppleEvent + 56
frame #25: 0x00007fff95a710b6 AppKit`_DPSNextEvent + 1026
frame #26: 0x00007fff95a7089b AppKit`- + 122
frame #27: 0x00007fff95a6499c AppKit`- + 553
frame #28: 0x00007fff95a4f783 AppKit`NSApplicationMain + 940
frame #29: 0x000000010006a155 Synalyze It! Pro`main + 97
frame #30: 0x0000000100001934 Synalyze It! Pro`start + 52
(lldb)
**3. Next, look at the assembly of that method: `- + 80`**
(lldb) frame select 10
frame #10: 0x000000010006820e Synalyze It! Pro`- + 80
Synalyze It! Pro`- + 80:
-> 0x10006820e:jmp 0x100068231 ; - + 115
0x100068210:leaq 0x191563d(%rip), %rcx ; "<unknown>"
0x100068217:leaq 0x18fc6cc(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/Cocoa/TurboActivateController.m"
0x10006821e:leaq 0x1915665(%rip), %rdx ; "Encountered error '%s' ('%d')"
(lldb) dis
Synalyze It! Pro`-:
0x1000681be:pushq%rbp
0x1000681bf:movq %rsp, %rbp
0x1000681c2:pushq%rbx
0x1000681c3:pushq%rax
0x1000681c4:movq %rdi, %rbx
0x1000681c7:movb $0x0, -0x9(%rbp)
0x1000681cb:leaq -0x9(%rbp), %rdi
0x1000681cf:callq0x100069fce ; LicenseQueryActivatedOrInTrialTA
0x1000681d4:movl %eax, %r8d
0x1000681d7:testl%r8d, %r8d
0x1000681da:je 0x1000681f5 ; - + 55
0x1000681dc:cmpl $0xda, %r8d
0x1000681e3:ja 0x100068210 ; - + 82
0x1000681e5:movslq %r8d, %rax
0x1000681e8:leaq 0x19b6201(%rip), %rcx ; GioMemFunctions + 88
0x1000681ef:movq (%rcx,%rax,8), %rcx
0x1000681f3:jmp 0x100068217 ; - + 89
0x1000681f5:cmpb $0x0, -0x9(%rbp)
0x1000681f9:jne 0x100068231 ; - + 115
0x1000681fb:movq 0x19e6426(%rip), %rsi ; "showWindow:"
0x100068202:movq %rbx, %rdi
0x100068205:movq %rbx, %rdx
0x100068208:callq*0x199d16a(%rip) ; (void *)0x00007fff94c85080: objc_msgSend
-> 0x10006820e:jmp 0x100068231 ; - + 115
0x100068210:leaq 0x191563d(%rip), %rcx ; "<unknown>"
0x100068217:leaq 0x18fc6cc(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/Cocoa/TurboActivateController.m"
0x10006821e:leaq 0x1915665(%rip), %rdx ; "Encountered error '%s' ('%d')"
0x100068225:movl $0xe5, %esi
0x10006822a:xorl %eax, %eax
0x10006822c:callq0x10006fac0 ; TraceFatal
0x100068231:addq $0x8, %rsp
0x100068235:popq %rbx
0x100068236:popq %rbp
0x100068237:retq
(lldb)
**4. Find the suspicious method call: `0x1000681cf: callq 0x100069fce ; LicenseQueryActivatedOrInTrialTA`, and step into it:**
(lldb) dis -s 0x100069fce -c 36
Synalyze It! Pro`LicenseQueryActivatedOrInTrialTA:
0x100069fce:pushq%rbp
0x100069fcf:movq %rsp, %rbp
0x100069fd2:pushq%r14
0x100069fd4:pushq%rbx
0x100069fd5:subq $0x10, %rsp
0x100069fd9:movq %rdi, %r14
0x100069fdc:movb $0x0, -0x11(%rbp)
0x100069fe0:leaq -0x11(%rbp), %rdi
0x100069fe4:callq0x100069f83 ; LicenseQueryActivatedTA
0x100069fe9:movl %eax, %ebx
0x100069feb:testl%ebx, %ebx
0x100069fed:je 0x10006a007 ; LicenseQueryActivatedOrInTrialTA + 57
0x100069fef:cmpl $0xda, %ebx
0x100069ff5:ja 0x10006a015 ; LicenseQueryActivatedOrInTrialTA + 71
0x100069ff7:movslq %ebx, %rax
0x100069ffa:leaq 0x19b43ef(%rip), %rcx ; GioMemFunctions + 88
0x10006a001:movq (%rcx,%rax,8), %rcx
0x10006a005:jmp 0x10006a01c ; LicenseQueryActivatedOrInTrialTA + 78
0x10006a007:cmpb $0x0, -0x11(%rbp)
0x10006a00b:je 0x10006a044 ; LicenseQueryActivatedOrInTrialTA + 118
0x10006a00d:movb $0x1, (%r14)
0x10006a011:xorl %ebx, %ebx
0x10006a013:jmp 0x10006a039 ; LicenseQueryActivatedOrInTrialTA + 107
0x10006a015:leaq 0x1913838(%rip), %rcx ; "<unknown>"
0x10006a01c:leaq 0x18fb039(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/c/LicensingTurbo.c"
0x10006a023:leaq 0x1913860(%rip), %rdx ; "Encountered error '%s' ('%d')"
0x10006a02a:movl $0x147, %esi
0x10006a02f:xorl %eax, %eax
0x10006a031:movl %ebx, %r8d
0x10006a034:callq0x10006fac0 ; TraceFatal
0x10006a039:movl %ebx, %eax
0x10006a03b:addq $0x10, %rsp
0x10006a03f:popq %rbx
0x10006a040:popq %r14
0x10006a042:popq %rbp
0x10006a043:retq
(lldb)
**5. An obvious call that queries the activation status: `0x100069fe4: callq 0x100069f83 ; LicenseQueryActivatedTA`. Look at that function's assembly:**
(lldb) dis -s 0x100069f83 -c 28
Synalyze It! Pro`LicenseQueryActivatedTA:
0x100069f83:pushq%rbp
0x100069f84:movq %rsp, %rbp
0x100069f87:pushq%rbx
0x100069f88:pushq%rax
0x100069f89:movq %rdi, %rbx
0x100069f8c:leaq 0x18fb102(%rip), %rdi ; "202385488551004732b6fe35.69803382"
0x100069f93:callq0x100443cc2 ; symbol stub for: IsActivated
0x100069f98:cmpl $0x1, %eax
0x100069f9b:jne 0x100069fa4 ; LicenseQueryActivatedTA + 33
0x100069f9d:movb $0x0, (%rbx)
0x100069fa0:xorl %ecx, %ecx
0x100069fa2:jmp 0x100069fc5 ; LicenseQueryActivatedTA + 66
0x100069fa4:testl%eax, %eax
0x100069fa6:jne 0x100069faf ; LicenseQueryActivatedTA + 44
0x100069fa8:movb $0x1, (%rbx)
0x100069fab:xorl %ecx, %ecx
0x100069fad:jmp 0x100069fc5 ; LicenseQueryActivatedTA + 66
0x100069faf:movl $0x72, %ecx
0x100069fb4:cmpl $0x19, %eax
0x100069fb7:ja 0x100069fc5 ; LicenseQueryActivatedTA + 66
0x100069fb9:cltq
0x100069fbb:leaq 0x18a76be(%rip), %rcx ; alertNativeButtonIndexAndTypeToButtonIndex + 48
0x100069fc2:movl (%rcx,%rax,4), %ecx
0x100069fc5:movl %ecx, %eax
0x100069fc7:addq $0x8, %rsp
0x100069fcb:popq %rbx
0x100069fcc:popq %rbp
0x100069fcd:retq
**6. Found the function and a fixed argument: `0x100069f93: callq 0x100443cc2 ; symbol stub for: IsActivated`. Argument: "202385488551004732b6fe35.69803382". Keep following it:**
(lldb) dis -s 0x100443cc2 -c 5
Synalyze It! Pro`symbol stub for: IsActivated:
0x100443cc2:jmpq *0x15c1b70(%rip) ; (void *)0x0000000101f75e18: IsActivated
Synalyze It! Pro`symbol stub for: IsDateValid:
0x100443cc8:jmpq *0x15c1b72(%rip) ; (void *)0x000000010044488e
Synalyze It! Pro`symbol stub for: TrialDaysRemaining:
0x100443cce:jmpq *0x15c1b74(%rip) ; (void *)0x0000000101f750b9: TrialDaysRemaining
Synalyze It! Pro`symbol stub for: UseTrial:
0x100443cd4:jmpq *0x15c1b76(%rip) ; (void *)0x0000000101f751f8: UseTrial
Synalyze It! Pro`symbol stub for: NSDivideRect:
0x100443cda:jmpq *0x15c1b78(%rip) ; (void *)0x00000001004448ac
(lldb)
**7. Here the symbol stub jumps to an external symbol: look up which image contains the `IsActivated` symbol.**
(lldb) image lookup -r -n IsActivated
1 match found in /Users/0xcb/Desktop/Synalyze It! Pro.app/Contents/MacOS/./libTurboActivate.dylib:
Address: libTurboActivate.dylib (libTurboActivate.dylib.__TEXT.__text + 79288)
Summary: libTurboActivate.dylib`IsActivated
(lldb)
**8. Conclusion: the call that queries whether the app is activated lives in the dynamic library `libTurboActivate.dylib`:**
---------------------------------------------------------------------------
**9. Locate the `libTurboActivate.dylib` library and dump its strings:**
[email protected] ~/Desktop> cd Synalyze\ It!\ Pro.app/Contents/MacOS/
[email protected] ~/D/S/C/MacOS> ls
Synalyze It! Pro TurboActivate.dat libTurboActivate.dylib
[email protected] ~/D/S/C/MacOS> strings libTurboActivate.dylib
Could not create new curl instance
TurboActivate/3.4.0.0 (http://wyday.com/limelm/)
socks=
http=
(proxies != NULL) == (error == NULL)
/Users/wyatt/source/turboactivate/Library/ProxyResolverMac.cpp
resultPtr != NULL
*resultPtr == NULL
proxies != NULL
expandedProxiesPtr != NULL
*expandedProxiesPtr == NULL
thisProxy != NULL
CFGetTypeID(thisProxy) == CFDictionaryGetTypeID()
proxyType != NULL
CFGetTypeID(proxyType) == CFStringGetTypeID()
scriptURL != NULL
CFGetTypeID(scriptURL) == CFURLGetTypeID()
com.apple.dts.CFProxySupportTool
result != NULL
false
(err == noErr) == (*expandedProxiesPtr != NULL)
scheme != NULL
HTTP
GetProxiesForURL
CreateProxyListWithExpandedPACProxies
ResultCallback
/Users/wyatt/source/cryptopp/secblock.h
m_register.size() > 0
/Users/wyatt/source/cryptopp/modes.h
!"ProcessRecoverableMessage() not implemented"
/Users/wyatt/source/cryptopp/pubkey.h
/Users/wyatt/source/cryptopp/filters.h
/Users/wyatt/source/cryptopp/cryptlib.h
......
(remainder omitted)
**10. Useful information found: http://wyday.com/limelm/. Go to the site (http://wyday.com/limelm/), register and look around, and download that module's SDK. Then write your own SDK with the same interface, put it in the folder `Synalyze\ It!\ Pro.app/Contents/MacOS/`, and after replacing `libTurboActivate.dylib` the app is in the licensed state :)**
---------------------------------------------------------------------------
#### Summary: originally I was going to brute-patch a few functions in libTurboActivate.dylib with Hopper Disassembler, but then I searched the strings and saw the support website of that dynamic library, and followed the trail from there. In theory this works on all previous versions as well :)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Wow, there's software like this? So fancy!
Nice!!
Featured post~
Thanks for sharing
Impressive, impressive
Quality post, thanks OP
Is there a Chinese version?
Whoa, a featured Mac post right away; iOS is going to be your turf from now on
Supporting this.. nice.. keep going.. haha
Must support this, worship the OP~
Such a powerful tool, I have to try it; a well-deserved featured post