GalaxyPilot —— D.S


While life goes on, the fight never stops

The cracking process of Jshrink

Author: 舵手
Notice: if you repost this, please keep the article complete
Source: www.aygfsteel.com/galaxyp/
Software download: www.e-t.com

Software introduction:
"Jshrink extracts the minimal set of Java class files for an application, removes unused code and data,
obfuscates symbolic names, finalizes code for optimized execution, and stores the results in a Java archive
.jar file."
"Jshrink typically reduces program size by 30-40%. Jshrink obfuscated code is much harder to comprehend
when decompiled, a claim that can be readily verified using Jshrink's built-in Java decompiler. What at first
glance seems to be meaningful names in Jshrink obfuscated code are often reused system names, a Jshrink
obfuscation technique called semantic recycling."

I had never really used it, and with time on my hands I wanted to look into what it can do. Opening a class file in Jshrink and double-clicking it gave the message "Missing license key, see www.e-t.com/jshrink.html to request evaluation license". I had requested an evaluation license key before, but after reinstalling the system it was long gone. The tool is written in Java, so decompile it and have a look: unpack the jar and decompile all of the class files. The classes are obfuscated; one thing to watch out for is that after obfuscation some methods have the same name as their class, but never mistake them for constructors, or it may cause you some trouble. Searching the whole source for the error string above found nothing at all. Looking through the unpacked directory, I.gif looked quite suspicious; opening it showed that it was indeed encrypted data, not a gif file, and in the decompiled source of I.I.class I did find I.gif, as follows:
InputStream inputstream = (new I()).getClass().getResourceAsStream("" + 'I' + '.' + 'g' + 'i' + 'f');
Since it opens an input stream to read the file, there must be a decryption routine; after analyzing the source I wrote a decryption program:
import java.io.InputStream;

public class I
{
    // decrypted contents of I.gif: every string is stored as [length byte][bytes]
    static byte COWY[];
    // 256-slot cache of decoded strings, keyed by the low byte of the offset
    static String append[] = new String[256];
    static int close[] = new int[256];

    // decode the string whose first byte is at offset i (its length byte is at i - 1)
    public String td(int i)
    {
        int j = i & 0xff;
        if(close[j] != i)
        {
            close[j] = i;
            if(i < 0)
                i &= 0xffff;
            String s = new String(COWY, i, COWY[i - 1] & 0xff);
            append[j] = s;
        }
        System.out.println(append[j]);
        return append[j];
    }

    public static void main(String[] args)
    {
        try
        {
            InputStream inputstream = (new I()).getClass().getResourceAsStream("" + 'I' + '.' + 'g' + 'i' + 'f');
            // The name is built as 'I' + '.' + 'g' + 'i' + 'f', so a plain search for "I.gif"
            // finds nothing. When a search for I.gif comes up empty, be sure to try this
            // form as well; the name may also be stored in an array.
            if(inputstream != null)
            {
                // 3-byte big-endian length, then the payload XORed with the low byte of that length
                int i = inputstream.read() << 16 | inputstream.read() << 8 | inputstream.read();
                COWY = new byte[i];
                int j = 0;
                byte byte0 = (byte)i;
                byte abyte0[] = COWY;
                while(i != 0)
                {
                    int k = inputstream.read(abyte0, j, i);
                    if(k == -1)
                        break;
                    i -= k;
                    for(k += j; j < k; j++)
                        abyte0[j] ^= byte0;
                }
                inputstream.close();
            }
        }
        catch(Exception exception) { }

        I i = new I();
        // Why does j stop at 7200? From a rough look at the source, that is the largest
        // value ever passed to I.I.I(); raising it throws an exception.
        for (int j = 0; j < 7200; j++)
        {
            System.out.print(j + ":");
            i.td(j);
        }
    }
}
When j in the loop above reaches 4088 the string is "Missing license key, see www.e-t.com/jshrink.html to request evaluation license". Searching the whole source for 4088, it appears only in A.class:
switch(getViewRect)
{
case -1:
case 0: // '\0'
    return true;

case 1: // '\001'
    getChildCount();
    getJarEntry(I.I.I(4088));
    // I.I.I(4088) returns:
    // Missing license key, see www.e-t.com/jshrink.html to request evaluation license
    return false;

case 2: // '\002'
    getChildCount();
    getJarEntry(I.I.I(4168));
    // I.I.I(4168) returns:
    // Evaluation license key has expired, purchase new key at www.e-t.com/jshrink.html
    return false;

case 3: // '\003'
    getChildCount();
    getJarEntry(I.I.I(4249));
    // I.I.I(4249) returns:
    // Invalid license key
    return false;

case 4: // '\004'
    getJarEntry(I.I.I(4269));
    // I.I.I(4269) returns:
    // Internal error verifying license key
    return false;
}
return false;
I did not feel like analyzing the registration key algorithm in detail, so I tried brute patching: if the code in each case clause above is turned into return true; the problem might be solved. Open A.class in a hex editor and search for 03AC; there are five of them in a row; change them to 04AC. Now the program runs normally, but the no-license prompt dialog still appears, so change the fourteen bytes before the 04AC (already modified), i.e. 2AB7016B2A110FF8B8056DB7003A, all to 00, the equivalent of nop in assembly; save, repackage, and on running the dialog no longer appears. With that, this incomplete brute patch has succeeded. I say incomplete because Z.class also has the same function as A.class, reading I.gif and decrypting it, and we never traced the calls to the class A.class, so it is quite possible there are still restrictions somewhere that we have not removed.
Nothing technical here, but it may give beginners a few ideas for cracking Java programs. I searched today and found that someone had long since written a keygen for it; there are many capable people out there. Anyone who wants to study brute patching can download my modified version and the original program from below:
Links are no longer provided.
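The post recovers the strings hidden in I.gif by re-implementing the loader from I.I.class. The Python below is an added example, not code from the post or from Jshrink: it models the resource layout the post reverse-engineered (a 3-byte big-endian length, a payload XORed with the low byte of that length, and [length byte][bytes] records addressed by the offset of their first byte) and adds a packing side, which is an assumption of mine, so that the round trip can be checked. The point for anyone evaluating an obfuscator is that the "key" is derived from the header of the file itself, so the blob is self-describing and the scheme hides nothing from anyone who has the jar; the sample strings are constructed from the messages quoted in the post, and the constant and function names are mine.

```python
# Added example (not code from the post or from Jshrink): a model of the
# string-hiding resource format described above, packing and unpacking.
# SAMPLE_STRINGS is a constructed sample built from messages the post quotes.
SAMPLE_STRINGS = ["Missing license key", "Invalid license key"]


def pack_strings(strings):
    """Assumed packing side. Layout: 3-byte big-endian payload length, then the
    payload XORed with the low byte of that length. Each string is stored as
    [length byte][bytes]; it is referenced by the offset of its first byte and
    its length byte sits at offset - 1. Returns (blob, offsets)."""
    payload = bytearray()
    offsets = []
    for s in strings:
        data = s.encode("latin-1")
        if len(data) > 255:
            raise ValueError("a single length byte holds at most 255")
        payload.append(len(data))
        offsets.append(len(payload))  # offset of the string's first byte
        payload.extend(data)
    n = len(payload)
    if n >= 1 << 24:
        raise ValueError("the length header is only 3 bytes")
    key = n & 0xFF  # the XOR "key" is nothing but the low byte of the header
    header = bytes([(n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])
    return header + bytes(b ^ key for b in payload), offsets


def unpack_payload(blob):
    """Mirror of the loop in the post's main(): read the 3-byte length and XOR
    every payload byte with its low byte. No external secret is needed."""
    n = (blob[0] << 16) | (blob[1] << 8) | blob[2]
    key = n & 0xFF
    return bytes(b ^ key for b in blob[3:3 + n])


def string_at(payload, i):
    """Equivalent of td(i): a negative index is masked to 16 bits, the length
    byte is at i - 1 and the string starts at i."""
    if i < 0:
        i &= 0xFFFF
    if i < 1 or i > len(payload):
        raise IndexError("offset outside the payload")
    length = payload[i - 1] & 0xFF
    return payload[i:i + length].decode("latin-1")


def recover_all(blob):
    """Walk the payload as consecutive [length][bytes] records (assumed to be
    contiguous) and return {offset: string}. This is what 'self-describing'
    means here: the file alone yields every string and where it lives."""
    payload = unpack_payload(blob)
    out, pos = {}, 0
    while pos < len(payload):
        length = payload[pos]
        start = pos + 1
        out[start] = payload[start:start + length].decode("latin-1")
        pos = start + length
    return out


if __name__ == "__main__":
    blob, offsets = pack_strings(SAMPLE_STRINGS)
    print("blob:", blob.hex())
    payload = unpack_payload(blob)
    for off in offsets:
        print(off, string_at(payload, off))
    print(recover_all(blob))
```

Running the block prints the packed blob and the two strings at their offsets. The XOR step changes every byte (the key is non-zero here), which is enough to defeat a naive `strings` scan, but `recover_all` shows that a reader with the file and the format can enumerate everything without any key material, which is exactly what the post's 0..7200 loop did the slow way.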

posted on 2006-03-24 13:14 by 舵手, read 2988 times, 1 comment

Comments

# re: The cracking process of Jshrink

Could you provide a proper crack of KlassMaster?
2006-09-28 22:50 | core2
