
[Forum Tech] A reverse engineering attempt

1#
Posted on 22-12-2008 16:25:30

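Delish is a Delicious plugin that can generate page snapshots. Yet again it's the kind that asks you to buy it the moment it starts, with 12 days of trial remaining. Good software design, an excellent interface, a typical registration model: a classic reverse-engineering target: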


                               


First: otx Delish.app > Delish.otx
Open this file: mate Delish.otx. I quickly found something like this: -(BOOL)[LicenseController checkLicense]

Very nice, so now gdb can start:
liwn:MacOS liweinan$ gdb Delish
GNU gdb 6.3.50-20050815 (Apple version gdb-962) (Sat Jul 26 08:14:40 UTC 2008)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ............... done
(gdb) b [LicenseController checkLicense]
Breakpoint 1 at 0xc6cd
(gdb) run
Starting program: /Users/liweinan/Desktop/Delish.app/Contents/MacOS/Delish
Reading symbols for shared libraries +++++++++++++........................................................................................... done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done

Breakpoint 1, 0x0000c6cd in -[LicenseController checkLicense] ()

Next, let's look at this together with the contents of Delish.otx:
 +0  0000c6c9  55              pushl   %ebp
 +1  0000c6ca  89e5            movl    %esp,%ebp
 +3  0000c6cc  53              pushl   %ebx
 +4  0000c6cd  83ec24          subl    $0x24,%esp
 +7  0000c6d0  a134360100      movl    0x00013634,%eax     licenseIsValid
+12  0000c6d5  89442404        movl    %eax,0x04(%esp)
+16  0000c6d9  8b4508          movl    0x08(%ebp),%eax
+19  0000c6dc  890424          movl    %eax,(%esp)
+22  0000c6df  e8c5990000      calll   0x000160a9     -[(%esp,1) licenseIsValid]
+27  0000c6e4  84c0            testb   %al,%al
+29  0000c6e6  0f8580010000    jnel    0x0000c86c
......

So:
(gdb) b *0x0000c6e4
Breakpoint 3 at 0xc6e4
(gdb) c
Continuing.

Breakpoint 3, 0x0000c6e4 in -[LicenseController checkLicense] ()
(gdb) stepi
0x0000c6e6 in -[LicenseController checkLicense] ()
(gdb)
0x0000c6ec in -[LicenseController checkLicense] ()
(gdb) jump *0x0000c86c
Continuing at 0xc86c.
Reading symbols for shared libraries . done
2008-12-07 10:27:24.917 Delish[26015:813] Succeeded! Received 178 bytes of data
Reading symbols for shared libraries . done
2008-12-07 10:27:24.980 Delish[26015:813] delicious last update = str=2008-12-06T10:32:20Z (2008-12-06T10:32:20ZGMT)  lastRefresh:2008-12-06 19:26:24 +0800, 1
2008-12-07 10:27:24.980 Delish[26015:813] Refreshing from cache - /Users/liweinan/Library/Application Support/Delish/posts.xml
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries ... done

The registration dialog disappears:

                               


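The game can end here; writing any further would be illegal.

What I want to say is: MacOS anti-piracy technology is far behind compared with the M$ platform.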


2#
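Posted on 22-12-2008 16:37:02
Originally posted by lwnxx on 22-12-2008 15:25
What I want to say is: MacOS anti-piracy technology is far behind compared with the M$ platform.

I don't agree with this statement. The reason the registration step can be skipped with gdb is, first, that ObjC includes all metadata and symbols by default, and second, that the author simply never really intended to make the registration airtight. This can only be explained by the high rate of legitimate software use on the Mac platform, so there is no need to rack one's brains over anti-piracy; otherwise, things like packing and code obfuscation are platform-independent techniques, with no distinction between MS and Mac.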

3#
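Original poster | Posted on 22-12-2008 16:46:40

Reply to coredump's post #2

Haha, yeah. It's just that piracy on M$ is too rampant; the authors of these small programs generally don't care much about anti-reverse-engineering, I guess. Anyway, if I go to Australia, I'll definitely pay for the software I buy, haha.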