avatar

目录
Linux程序破解与反破解

Linux程序破解与反破解

1. 许可证密钥位于二进制文件内

cpp
1.c

#include <string.h>
#include <stdio.h>

int main(int argc, char *argv[]) {
if(argc==2) {
printf("Checking License: %s\n", argv[1]);
if(strcmp(argv[1], "AAAA-Z10N-42-OK")==0) {
printf("Access Granted!\n");
} else {
printf("WRONG!\n");
}
} else {
printf("Usage: <key>\n");
}
return 0;
}
Code
cat 1.c
gcc 1.c –o test1
./test1 AAAA-Z10N-42-OK

Crack: strings test1

扰乱密钥加密

cpp
#include <string.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
if(argc==2)
{
printf("Checking License: %s\n", argv[1]);
int sum = 0;
for (int i = 0; i < strlen(argv[1]); i++)
{
sum+= (int)argv[1][i]; //ASCII累加
}
printf("Value: %d\n", sum);
if(sum==916)
{
printf("Access Granted!\n");
}
else
{
printf("WRONG!\n");
}
}
else
{
printf("Usage: <key>\n");
}
return 0;
}
python
keygen2.py

#!/usr/bin/python
#coding=utf-8
import random
import sys

def check_key(key):
char_sum = 0
for c in key:
char_sum += ord(c)
sys.stdout.write("{0:3} | {1} \r".format(char_sum, key)) # print
sys.stdout.flush() # 一秒输出一行
return char_sum

key = ""
while True:
key += random.choice("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")
s = check_key(key)
if s > 916:
key = ""
elif s==916:
print "Found valid key: {0}".format(key)
Code
将输入key的ASCII累加,与注册码魔术值比较,达到隐藏密钥的效果

使用FUZZ进行反调试

python
#!/usr/bin/python
#coding=utf-8
import random
import os

os.system("cp test2 test2_fuzz")

def flip_byte(in_bytes):
i = random.randint(0,len(in_bytes))
c = chr(random.randint(0,0xFF))
return in_bytes[:i]+c+in_bytes[i+1:] # 随机字符

def copy_binary():
with open("test2", "rb") as orig_f, open("test2_fuzz", "wb") as new_f: # 二进制复制
new_f.write(flip_byte(orig_f.read()))

def compare(fn1, fn2): # 检查fuzz文件能否运行
with open(fn1) as f1, open(fn2) as f2:
return f1.read()==f2.read()

def check_output(): # 检查文件是否存在
os.system("(./test2_fuzz ; ./test2_fuzz AAAA-Z10N-42-OK) > fuzz_output")
return compare("orig_output", "fuzz_output")


def check_gdb():
os.system("echo disassemble main | gdb test2_fuzz > fuzz_gdb") # 重定向到新文件
return compare("orig_gdb", "fuzz_gdb")
'''
def check_radare():
os.system('echo -e "aaa\ns sym.main\npdf" | radare2 test2_fuzz > fuzz_radare')
return compare("orig_radare", "fuzz_radare")
'''
while True:
copy_binary()
if check_output() and not check_gdb(): # and not check_radare():
print "FOUND POSSIBLE FAIL\n\n\n"
os.system("tail fuzz_gdb")
# os.system("tail fuzz_radare")
raw_input()
Code
输出orig二进制文件

(./test2_fuzz ; ./test2_fuzz AAAA-Z10N-42-OK) > orig_output
echo disassemble main | gdb test2_fuzz > orig_gdb

Fuzz
./fuzz.py

验证
gdb test2_fuzz
disassemble main
文章作者: kabeor
文章链接: https://kabeor.github.io/Linux%E7%A8%8B%E5%BA%8F%E7%A0%B4%E8%A7%A3%E4%B8%8E%E5%8F%8D%E7%A0%B4%E8%A7%A3/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 K's House

评论