作者:舵手
申明:如轉(zhuǎn)載請(qǐng)保證文章的完整性
來源:www.aygfsteel.com/galaxyp/
軟件下載:www.e-t.com
軟件簡介:
??? Jshrink extracts the minimal set of Java class files for an application, removes unused code and data,
obfuscates symbolic names, finalizes code for optimized execution, and stores the results in a Java archive
.jar file.???
??? Jshrink typically reduces program size by 30-40%. Jshrink obfuscated code is much harder to comprehend
when decompiled, a claim that can be readily verified using Jshrink’s built-in Java decompiler. What at first
glance seems to be meaningful names in Jshrink obfuscated code are often reused system names, a Jshrink
obfuscation technique called semantic recycling.
??? 一直沒怎么用過,閑來無聊想研究下它的功能,用jshrink打開一個(gè)class文件雙擊提示“Missing license key, see www.e-t.com/jshrink.html to request evaluation license”,以前申請(qǐng)了一個(gè)試用的license key,恢復(fù)過系統(tǒng),早丟了。java寫的,反編譯出來看看,解壓jar,并反編譯所有的class文件,類被混淆過,這里要注意的是,有些方法混淆后名稱和類名一樣,但千萬不要把它當(dāng)作構(gòu)造函數(shù),否則可能會(huì)帶來一點(diǎn)麻煩。在整個(gè)源代碼中查找上面的報(bào)錯(cuò)字符串,居然沒找到。在解壓后的目錄里找了一下,發(fā)現(xiàn)I.gif挺可懷,打開一看果然是加密了的東東,并不是gif文件,在I.I.class反編譯源代碼中果然發(fā)現(xiàn)了I.gif,如下:
InputStream inputstream = (new I()).getClass().getResourceAsStream("" + 'I' + '.' + 'g' + 'i' + 'f');
??? 即然建立輸入流讀取方文件,肯定有解密過程,分析原代碼后寫出一個(gè)解密代碼:
import java.io.InputStream;
public class I
{
?static byte COWY[];
??? static String append[] = new String[256];
??? static int close[] = new int[256];
?public String td(int i)
??? {
??????? int j = i & 0xff;
??????? if(close[j] != i)
??????? {
??????????? close[j] = i;
??????????? if(i < 0)
??????????????? i &= 0xffff;
??????????? String s = new String(COWY, i, COWY[i - 1] & 0xff);
??????????? append[j] = s;
??????? }
??System.out.println(append[j]);
??????? return append[j];
??? }
?public static void main(String[] args)
?{
??try
??????? {
??????????? InputStream inputstream = (new I()).getClass().getResourceAsStream("" + 'I' + '.' + 'g' + 'i' + 'f');
???? //這里他用'I' + '.' + 'g' + 'i' + 'f',如果我們直接查找I.gif,肯定沒有結(jié)果,所以當(dāng)搜索I.gif沒找到時(shí),
???? //一定要試試這種方法,還有數(shù)組形式存放。
??????????? if(inputstream != null)
??????????? {
??????????????? int i = inputstream.read() << 16 | inputstream.read() << 8 | inputstream.read();
??????????????? COWY = new byte[i];
??????????????? int j = 0;
??????????????? byte byte0 = (byte)i;
??????????????? byte abyte0[] = COWY;
??????????????? while(i != 0)
??????????????? {
??????????????????? int k = inputstream.read(abyte0, j, i);
??????????????????? if(k == -1)
??????????????????????? break;
??????????????????? i -= k;
??????????????????? for(k += j; j < k; j++)
??????????????????????? abyte0[j] ^= byte0;
??????????????? }
??????????????? inputstream.close();
??????????? }
??????? }
??????? catch(Exception exception) { }
??
??I i = new I();
??for (int j=0; j<7200; j++ )//為什么這個(gè)j最大值為7200,因?yàn)榇蟾挪榭戳艘幌略创a中調(diào)
??//用I.I.I()這個(gè)方法的最大值就是這個(gè),試圖加大后,拋出異常。
??{
???System.out.print(j+":");
???i.td(j);
??}
?}
}
??? 當(dāng)上面的循環(huán)體里j為4088時(shí)字符串是Missing license key, see www.e-t.com/
jshrink.html to request evaluation license,在整個(gè)原代碼是搜索4088,發(fā)現(xiàn)只在A.class中有,
?switch(getViewRect)
??????? {
??????? case -1:
??????? case 0: // '\0'
??????????? return true;
??????? case 1: // '\001'
??????????? getChildCount();
??????????? getJarEntry(I.I.I(4088));
???? //Missing license key, see www.e-t.com/jshrink.html to request evaluation license
???? //I.I.I(4088)返回的串
??????????? return false;
??????? case 2: // '\002'
??????????? getChildCount();
??????????? getJarEntry(I.I.I(4168));
???? //Evaluation license key has expired, purchase new key at www.e-t.com/jshrink.html
???? //I.I.I(4168)返回的串
??????????? return false;
??????? case 3: // '\003'
??????????? getChildCount();
??????????? getJarEntry(I.I.I(4249));
???? //Invalid license key
???? //I.I.I(4249)返回的串
??????????? return false;
??????? case 4: // '\004'
??????????? getJarEntry(I.I.I(4269));
???? //Internal error verifying license key
???? //I.I.I(4269)返回的串
??????????? return false;
??????? }
??????? return false;
??? 不想分析注冊(cè)key詳細(xì)算法,暴破試一下,把上面每個(gè)case子句里的代碼變?yōu)?return true; 可能問題就能解決,用十六進(jìn)制編輯器打開A.class,查找03AC,連續(xù)五個(gè)在一起,改為04AC,現(xiàn)在程序已經(jīng)可以正常運(yùn)行,只是還有無License的提示對(duì)話框,那么把04AC(前面已修改)前的十個(gè)四字節(jié),如:2AB7016B2A110FF8B8056DB7003A全改為00,相當(dāng)于匯編里的nop保存打包,運(yùn)行就再?zèng)]有提示對(duì)話框了。這樣不完全暴破就已經(jīng)成功,之所以說不完全是因?yàn)檫€有Z.class有類A.class的功能,讀取I.gif文件并解密,我們并沒有對(duì)A.class這個(gè)類的調(diào)用做跟蹤分析,這樣很有可能還有一些地方有限制而我們沒有破除掉。
??? 沒什么技術(shù)性,但能為菜鳥破JAVA程序提示一點(diǎn)思路。今天搜了一下,才發(fā)現(xiàn)這個(gè)早有人已經(jīng)寫出注冊(cè)機(jī)了,牛人多多。不過想研究暴破的可以從下面下載本人修改過的和原版程序:
鏈接暫時(shí)不再提供