如何完美破解CocoaFob License

本次破解练习对象为Interface Inspector。程序运行截图如下。图为软件提示的注册界面。

Snip20171105_5.png

也有其他的 暴力破解方式，相对简单，笔者从注册本身入手，尝试完美破解。

0x1 代码分析

在Hopper中打开后，发现Interface Inspector使用了CocoaFob库来做注册认证。如下图。

Snip20171105_10.png

和AquaticPrimeFramework类似，CocoaFob使用非对称的DSA算法，使用私钥Private key加密注册名称，可以得到注册码。程序里用对应公钥Public key对输入的注册名和注册码进行解密验证。DSA算法类似RSA，具备非对称性，无Private key和Public key对，不能推算出注册码。所以安全性比一般的key-gen要高。然而CocoaFob库是开源框架，可以找到它的源代码。这为完美破解提供了可能性。

0x2破解

和破解AquaticPrimeFramework的思路一样，用开源框架生成自制的DSA公钥、私钥，然后，替换掉程序中的DSA公钥。

首先看Interface Inspector中的DSA公钥。从[SMLicenseManager verifyLicenseWithName:code:]方法找到了拼接的DSA公钥。伪代码如下。

char +[SMLicenseManager verifyLicenseWithName:code:](void * self, void * _cmd, void * arg2, void * arg3) {
    r14 = [arg2 retain];
    var_-72 = [arg3 retain];
    rax = [NSBundle mainBundle];
    rax = [rax retain];
    var_-88 = rax;
    var_-96 = [[rax objectForInfoDictionaryKey:*_kCFBundleNameKey] retain];
    var_-76 = 0x0;
    rbx = [NSString stringWithFormat:@"%@,%@", rcx, r14];
    [r14 release];
    var_-64 = [rbx retain];
    r13 = [[NSMutableString string] retain];
    [r13 appendString:@"MIHwMIGoBgcqhkjOOAQBMIGcAkEA6DD7O2EnyLOV"];
    [r13 appendString:@"INxN5Cb+p2VxYAdK69ekt"];
    [r13 appendString:@"RUl\nn/QrCFjWB9k71OBZTXNHDsqbS"];
    [r13 appendString:@"CXmQrRmc+OxghdlsEJ0Wbe/XQIVAJya"];
    [r13 appendString:@"CiqLcY74\nRq1hRd"];
    [r13 appendString:@"33dSgqa33vA"];
    [r13 appendString:@"kAQSXj7klZuZg6edUcAPyqJtpympByQmSB"];
    [r13 appendString:@"4of1KUEzkARHT\npFicnFhzpG1"];
    [r13 appendString:@"HP4B+"];
    [r13 appendString:@"UwIbh/JOwTjwElTrKi0tzwu/A0MAA"];
    [r13 appendString:@"kAVeQplzB7Ovygl8ntn\nUcF+Rh260G"];
    [r13 appendString:@"gbDWL5xZgPXPf39kHq"];
    [r13 appendString:@"Twk1rbUFVIWUGdWo0FaBbuM7rnDal0jqT8aq\nZ"];
    [r13 appendString:@"skm\n"];
    rbx = [[NSString stringWithString:r13] retain];
    r14 = [[CFobLicVerifier completePublicKeyPEM:rbx] retain];
    var_-104 = r14;
    [rbx release];
    r15 = [[CFobLicVerifier alloc] init];
    rcx = 0x0;
    rbx = [r15 setPublicKey:r14 error:rcx];
    r12 = [0x0 retain];
    if (rbx != 0x0) {
            var_-64 = var_-64;
            rbx = [r15 verifyRegCode:var_-72 forName:rcx error:r12];
            r14 = [r12 retain];
            [r12 release];
            var_-76 = rbx != 0x0 ? 0x1 : 0x0;
            r12 = r14;
    }
    [r12 release];
    [r15 release];
    [var_-104 release];
    [r13 release];
    [var_-64 release];
    [var_-96 release];
    [var_-88 release];
    [var_-72 release];
    rax = var_-76 & 0xff;
    return rax;
}

用Hex Fiend打开Interface Inspector，可以找到MIHwMIGoBgcqhkjOOAQBMIGcAkEA6DD7O2EnyLOV开头的字符串，这便是公钥在代码中的位置。使用自制的公钥，直接在相应位置替换掉此字符串。如下图所示。

替换前：

Snip20171102_5.png

替换后：

Snip20171105_6.png

然后，使用Hopper修改[SMLicenseManager verifyLicenseWithName:code:]和定义DSA公钥的数据段（见下图），导入自制的DSA公钥。

Snip20171105_8.png

修改后，verifyLicenseWithName:code的伪代码如下。

char +[SMLicenseManager verifyLicenseWithName:code:](void * self, void * _cmd, void * arg2, void * arg3) {
    r14 = [arg2 retain];
    var_48 = [arg3 retain];
    rax = [NSBundle mainBundle];
    rax = [rax retain];
    var_58 = rax;
    var_60 = [[rax objectForInfoDictionaryKey:*_kCFBundleNameKey] retain];
    var_4C = 0x0;
    rbx = [NSString stringWithFormat:@"%@,%@", rcx, r14];
    [r14 release];
    var_40 = [rbx retain];
    r13 = [[NSMutableString string] retain];
    [r13 appendString:@"MIHxMIGoBgcqhkjOOAQBMIGcAkEAlkHhqwIttlbDZEK6mOY7s7EBjI/GFhhT/F7m\n4eA4vVefuIsdTmA5gBplebQ02k8JMPWaP0mV8hCDzcdIHMqrSwIVAPdSrKvB8U59\n+7I0X0wfm74v0WTzAkBwKLW3thX3IOPo4vjghDX/nHtJG3VXSmCTC7mFpv2nhXuz\nblSbboRAlMa/j0kl4vURsuVXlgvvWpCpgA0SSf0TA0QAAkEAh5RNl7/OdeCse…"];
    rbx = [[NSString stringWithString:r13] retain];
    r14 = [[CFobLicVerifier completePublicKeyPEM:rbx] retain];
    var_68 = r14;
    [rbx release];
    r15 = [[CFobLicVerifier alloc] init];
    rcx = 0x0;
    rbx = [r15 setPublicKey:r14 error:rcx];
    r12 = [0x0 retain];
    if (rbx != 0x0) {
            var_40 = var_40;
            rbx = [r15 verifyRegCode:var_48 forName:rcx error:r12];
            r14 = [r12 retain];
            [r12 release];
            var_4C = rbx != 0x0 ? 0x1 : 0x0;
            r12 = r14;
    }
    [r12 release];
    [r15 release];
    [var_68 release];
    [r13 release];
    [var_40 release];
    [var_60 release];
    [var_58 release];
    [var_48 release];
    rax = var_4C & 0xff;
    return rax;
}

0x3 程序验证

设输入的名称为XIao，用CocoaFob算出的注册码为：GAWAE-FD7CP-6M96F-YCNHW-EV9WN-VHEPV-ZDKGN-3KDAC-CQNMV-GGACQ-KR5UM-RYD25-JYRLN-6BNH3-K27Y。代入破解完的Interface Inspector。验证成功，：）！

Snip20171105_4.png