Binary Ninja 5.1 许可分析
Binary Ninja 5.1.8005 Personal
VirusTotal - File - 5f4c10ab04474192764fd39b6309bcdb74bf31ad3f1fb488c0e14463ba975be4
通过网盘分享的文件:binaryninjacore.dll_patch等2个文件
链接: https://pan.baidu.com/s/1d6ItvD4rETnBq9XBmZ_BHw?pwd=ikun 提取码: ikun
check_lic_1810E63F0
// check_lic_1810E63F0 -- decompiler output. Names such as BN_LICENSE, product,
// serial, md5, rc4 and pubkey_data are the analyst's labels, not symbols from
// the binary, and the local declarations are collapsed.
// Visible flow: load the license text (environment variable or file), parse it,
// and for each parsed entry verify a signature made with padding
// "EMSA3(SHA-256)" against a public key embedded in the code, check the serial
// against a built-in list of SHA-256 values, and test the product name.
// Returns 1 when a previous call already succeeded or when an entry with
// product "Binary Ninja Personal" is accepted; returns 0 when the license file
// cannot be read or no entry is accepted. Several failure paths throw
// std::runtime_error instead of returning.
char check_lic_1810E63F0()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// Fast path: byte_18A2379E9 is set to 1 at the end of the accepting branch below.
if ( byte_18A2379E9 )
return 1;
// The rest runs under the mutex at unk_18A237990; v92 records that it is held.
v91 = (_Mtx_t)&unk_18A237990;
v92 = 0;
v1 = Mtx_lock((_Mtx_t)&unk_18A237990);
if ( v1 )
{
std::_Throw_C_error(v1);
// LABEL_239 is the shared "throw std::runtime_error" target used by the parse failure below.
LABEL_239:
sub_180CC11B0(pExceptionObject, &Buf2);
CxxThrowException(pExceptionObject, (_ThrowInfo *)&_TI2_AVruntime_error_std__);
}
v92 = 1;
// Populate the global license text only if it has not been loaded yet.
if ( !::BN_LICENSE )
{
// Source 1: the BN_LICENSE environment variable, copied with its length
// (the do/while is an inlined strlen) into a new 0x38-byte object.
if ( getenv("BN_LICENSE") )
{
env = getenv("BN_LICENSE");
v3 = (void (__fastcall ***)(_QWORD, __int64))new_186615100(0x38ui64);
v96 = v3;
if ( v3 )
{
v4 = 0xFFFFFFFFFFFFFFFFui64;
do
++v4;
while ( env[v4] );
BN_LICENSE = sub_180C394F0((__int64)v3, env, v4);
}
else
{
BN_LICENSE = 0i64;
}
::BN_LICENSE = BN_LICENSE;
goto LABEL_43;
}
// Source 2: a file. sub_1810E8080 presumably returns the license file path
// (TODO confirm); the ">= 0x10" test looks like the MSVC std::string
// inline-vs-heap buffer check.
v6 = (_QWORD *)sub_1810E8080((__int64)&v148);
if ( v6[3] >= 0x10ui64 )
v6 = (_QWORD *)*v6;
sub_180C5D460(v97, v6, 0i64);
if ( si128.m128i_i64[1] >= 0x10ui64 )
error_1819AD2A0(v148);
si128 = _mm_load_si128((const __m128i *)&xmmword_186773BF0);
LOBYTE(v148) = 0;
// Give up when sub_180C5D5D0 reports failure or the reported size exceeds 0x1000000 bytes.
if ( !sub_180C5D5D0((__int64)v97)
|| (n0x1000000 = sub_180C5D590((__int64)v97), n0x1000000_1 = n0x1000000, n0x1000000 > 0x1000000) )
{
// Failure exit for the file path: tear down v97, release the mutex, return 0.
LABEL_20:
sub_180C5D4F0(v97);
Mtx_unlock((_Mtx_t)&unk_18A237990);
return 0;
}
// Read the whole file into a buffer of size + 1; a short read is treated as failure.
sub_180C395A0((__int64)v165, n0x1000000 + 1);
if ( sub_180C5D5E0(v97, v166, 0i64, n0x1000000_1) != n0x1000000_1 )
{
sub_180C39600((__int64)v165);
goto LABEL_20;
}
p_i = 0i64;
v113 = 0i64;
sub_180612970(&p_i, v166, n0x1000000_1);
p_i_1 = (__int64)&p_i;
if ( v113.m128i_i64[1] >= 0x10ui64 )
p_i_1 = p_i;
v10 = v113.m128i_i64[0] + p_i_1;
p_i_2 = (__int64)&p_i;
if ( v113.m128i_i64[1] >= 0x10ui64 )
p_i_2 = p_i;
i_1 = (char *)(v113.m128i_i64[0] + p_i_2);
i_2 = (char *)&p_i;
if ( v113.m128i_i64[1] >= 0x10ui64 )
i_2 = (char *)p_i;
// Drop every byte with the high bit set (*p < 0 as a signed char): find the
// first such byte, then compact the following bytes that are >= 0 over it.
// sub_18062E390 is then called with the new end and the old end
// (presumably an erase of the tail -- TODO confirm).
if ( i_2 != i_1 )
{
do
{
if ( *i_2 < 0 )
break;
++i_2;
}
while ( i_2 != i_1 );
if ( i_2 != i_1 )
{
for ( i = i_2 + 1; i != i_1; ++i )
{
if ( *i >= 0 )
*i_2++ = *i;
}
}
}
sub_18062E390(&p_i, &v96, i_2, v10);
// Store the filtered text as the global license object (same constructor as the env path).
v15 = new_186615100(0x38ui64);
v100 = (__int64)v15;
if ( v15 )
{
p_p_i = &p_i;
if ( v113.m128i_i64[1] >= 0x10ui64 )
p_p_i = (__int128 *)p_i;
BN_LICENSE_1 = sub_180C394F0((__int64)v15, p_p_i, v113.m128i_u64[0]);
}
else
{
BN_LICENSE_1 = 0i64;
}
::BN_LICENSE = BN_LICENSE_1;
if ( v113.m128i_i64[1] >= 0x10ui64 )
error_1819AD2A0(p_i);
v113 = _mm_load_si128((const __m128i *)&xmmword_186773BF0);
LOBYTE(p_i) = 0;
sub_180C39600((__int64)v165);
sub_180C5D4F0(v97);
}
// Parse the license text: the call through v19's vtable receives the range
// [ptr, ptr + len) read from ::BN_LICENSE (+0x10 and +0) and fills v103.
// A false result jumps to LABEL_239, which throws.
LABEL_43:
v18 = sub_18067DE30(v111);
v19 = (*(__int64 (__fastcall **)(_QWORD *))(*v18 + 8i64))(v18);
v100 = v19;
sub_18067FCC0(v111);
sub_18067EDE0(v103, 0i64);
v146 = 0i64;
v147 = _mm_load_si128((const __m128i *)&xmmword_186773BF0);
LOBYTE(v146) = 0;
if ( !(*(unsigned __int8 (__fastcall **)(__int64, _QWORD, _QWORD, char *, __int128 *))(*(_QWORD *)v19 + 8i64))(
v19,
*(_QWORD *)(::BN_LICENSE + 0x10),
*(_QWORD *)(::BN_LICENSE + 0x10) + *(_QWORD *)::BN_LICENSE,
v103,
&v146) )
goto LABEL_239;
// Walk the parsed entries: v101 is the current position and v105 the end,
// judging by the compare in the loop condition and the advance call at the bottom.
sub_180686DE0((__int64)v103, (__int64)v101);
sub_18068A820((__int64)v103, (__int64)v105);
while ( !sub_18068D320((__int64)v101, (__int64)v105) )
{
// Read the named fields of this entry.
v20 = sub_18068A1E0(v101);
_180680EF0 = json_get_180680EF0(v20, "product");
json_value_tostring_1806867E0(_180680EF0, product);
_180680EF0_1 = json_get_180680EF0(v20, "email");
json_value_tostring_1806867E0(_180680EF0_1, email);
_180680EF0_2 = json_get_180680EF0(v20, "serial");
json_value_tostring_1806867E0(_180680EF0_2, serial);
_180680EF0_3 = json_get_180680EF0(v20, "created");
json_value_tostring_1806867E0(_180680EF0_3, created);
_180680EF0_4 = json_get_180680EF0(v20, "type");
json_value_tostring_1806867E0(_180680EF0_4, type);
_180680EF0_5 = json_get_180680EF0(v20, "count");
count = json_value_toint_1806862F0((char *)_180680EF0_5);
// "data" and "signature" are additionally converted by sub_180C39C10 into the
// byte buffers v168 and v167 (presumably a base64 decode -- TODO confirm).
_180680EF0_6 = json_get_180680EF0(v20, "data");
json_value_tostring_1806867E0(_180680EF0_6, data);
sub_180C39C10(v168, data);
_180680EF0_7 = json_get_180680EF0(v20, "signature");
v30 = json_value_tostring_1806867E0(_180680EF0_7, signature);
sub_180C39C10(v167, v30);
if ( n0x10 >= 0x10 )
error_1819AD2A0(signature[0]);
signature[2] = 0i64;
n0x10 = 0xFi64;
LOBYTE(signature[0]) = 0;
// "expiresEpoch" is optional; v32 is 0 when the key is absent.
if ( (unsigned __int8)sub_18068D510(v20, "expiresEpoch") )
{
_180680EF0_8 = json_get_180680EF0(v20, "expiresEpoch");
v32 = sub_180686960(_180680EF0_8);
}
else
{
v32 = 0i64;
}
// The converted data buffer must be exactly 0x118 bytes long, otherwise throw.
if ( v168[0] != 0x118 )
{
sub_180CC11B0(pExceptionObject_1, &Buf2);
CxxThrowException(pExceptionObject_1, (_ThrowInfo *)&_TI2_AVruntime_error_std__);
}
// Copy those 0x118 bytes into lic_data: 2 x 0x80 in the loop, then 0x10 + 8.
v33 = (_OWORD *)v168[2];
lic_data_1 = lic_data;
n2 = 2i64;
do
{
*(_OWORD *)lic_data_1 = *v33;
*((_OWORD *)lic_data_1 + 1) = v33[1];
*((_OWORD *)lic_data_1 + 2) = v33[2];
*((_OWORD *)lic_data_1 + 3) = v33[3];
*((_OWORD *)lic_data_1 + 4) = v33[4];
*((_OWORD *)lic_data_1 + 5) = v33[5];
*((_OWORD *)lic_data_1 + 6) = v33[6];
lic_data_1 += 0x80;
*((_OWORD *)lic_data_1 + 0xFFFFFFFF) = v33[7];
v33 += 8;
--n2;
}
while ( n2 );
*(_OWORD *)lic_data_1 = *v33;
*((_QWORD *)lic_data_1 + 2) = *((_QWORD *)v33 + 2);
// Build the message buffer v150 from the fields in this order: product, email,
// serial, created, type, count (as decimal text), data. sub_180C39900(v150, 0)
// is called between fields (presumably appending a 0 byte -- TODO confirm).
// The "data" field is appended as its original string, not the converted bytes.
x_sprintf_180676E70(count_str, 0x20ui64, "%d", count);
sub_180C39570(v150);
product_1 = product;
if ( n0x10_1 >= 0x10 )
product_1 = (void **)product[0];
BNAppendDataBufferContents_0(v150, product_1, Size);
sub_180C39900(v150, 0i64);
email_1 = email;
if ( n0x10_2 >= 0x10 )
email_1 = (unsigned __int64 *)email[0];
BNAppendDataBufferContents_0(v150, email_1, Size_2);
sub_180C39900(v150, 0i64);
serial_1 = serial;
if ( n0x10_3 >= 0x10 )
serial_1 = (unsigned __int64 *)serial[0];
BNAppendDataBufferContents_0(v150, serial_1, Size_1);
sub_180C39900(v150, 0i64);
created_1 = created;
if ( n0x10_4 >= 0x10 )
created_1 = (unsigned __int64 *)created[0];
BNAppendDataBufferContents_0(v150, created_1, v130);
sub_180C39900(v150, 0i64);
type_1 = type;
if ( n0x10_5 >= 0x10 )
type_1 = (unsigned __int64 *)type[0];
BNAppendDataBufferContents_0(v150, type_1, Size_3);
sub_180C39900(v150, 0i64);
v41 = 0xFFFFFFFFFFFFFFFFui64;
do
++v41;
while ( count_str[v41] );
BNAppendDataBufferContents_0(v150, count_str, v41);
sub_180C39900(v150, 0i64);
data_1 = data;
if ( n0x10_6 >= 0x10 )
data_1 = (unsigned __int64 *)data[0];
BNAppendDataBufferContents_0(v150, data_1, v127);
// Embedded public key material: 0x4A dwords written as immediates into a
// 0x128-byte allocation, decoded by the loop after the table.
// NOTE(review): the XOR constant is stored next to the data it masks, so this
// is obfuscation only; no integrity check on these bytes is visible in this
// function.
v43 = (_DWORD *)j_new_186615100(0x128i64);
// xored pub key
*v43 = 0x45F8F074;
v43[1] = 0x6EFF7F74;
v43[2] = 0xE1B1F46E;
v43[3] = 0x66F87FB3;
v43[4] = 0x64F97745;
v43[5] = 0x67F673C6;
v43[6] = 0x6DF8F074;
v43[7] = 0x66F8F046;
v43[8] = 0xF995A444;
v43[9] = 0x947FAE8C;
v43[0xA] = 0xDF4B1A9F;
v43[0xB] = 0x36FC14FB;
v43[0xC] = 0x93DE7727;
v43[0xD] = 0x5CE043A8;
v43[0xE] = 0x86C7062D;
v43[0xF] = 0xD65222A2;
v43[0x10] = 0x69A55E6;
v43[0x11] = 0x957A71F4;
v43[0x12] = 0x6D911479;
v43[0x13] = 0xDF4A6C2C;
v43[0x14] = 0xF6863898;
v43[0x15] = 0x91CB9515;
v43[0x16] = 0x490C590;
v43[0x17] = 0xE8D36095;
v43[0x18] = 0xC8AEB1C;
v43[0x19] = 0x7B68099A;
v43[0x1A] = 0x83AC58DB;
v43[0x1B] = 0x17CD869;
v43[0x1C] = 0xD9BADF8F;
v43[0x1D] = 0x5FD6692C;
v43[0x1E] = 0x253A3B51;
v43[0x1F] = 0x92086BB8;
v43[0x20] = 0x33BDA0D7;
v43[0x21] = 0xCAEE6F30;
v43[0x22] = 0x540F53B6;
v43[0x23] = 0x8FB4DEE1;
v43[0x24] = 0x51FB841A;
v43[0x25] = 0x51008A6C;
v43[0x26] = 0x7E9213C8;
v43[0x27] = 0xA3FBA50D;
v43[0x28] = 0x7AB82F5D;
v43[0x29] = 0x7CD66891;
v43[0x2A] = 0x457A2BC0;
v43[0x2B] = 0x88A771DD;
v43[0x2C] = 0x84E7CC2C;
v43[0x2D] = 0xB85DE039;
v43[0x2E] = 0xF5A1FD31;
v43[0x2F] = 0x520FD88C;
v43[0x30] = 0xCA5E74E0;
v43[0x31] = 0x6446EC0B;
v43[0x32] = 0xBDBD7CAF;
v43[0x33] = 0x9742290C;
v43[0x34] = 0x5E014FDC;
v43[0x35] = 0x8FF33064;
v43[0x36] = 0x5B238660;
v43[0x37] = 0xF290A38D;
v43[0x38] = 0x16A61171;
v43[0x39] = 0xB580C015;
v43[0x3A] = 0xC5413635;
v43[0x3B] = 0x854F17DE;
v43[0x3C] = 0x9A56B9C8;
v43[0x3D] = 0xB9C6D99F;
v43[0x3E] = 0x8609B9C0;
v43[0x3F] = 0xCCD13CBB;
v43[0x40] = 0xAE876B21;
v43[0x41] = 0xAA8470B9;
v43[0x42] = 0xE7D1873E;
v43[0x43] = 0x12CB66FB;
v43[0x44] = 0xE5FE5D3C;
v43[0x45] = 0x20C27687;
v43[0x46] = 0x5B4F7646;
v43[0x47] = 0xC8828E04;
v43[0x48] = 0x66FA7077;
v43[0x49] = 0x67F97344;
pubkey_data = 0i64;
v88 = 0i64;
// Decode 0x126 bytes: byte j is dword j/4 XOR 0x67F97244, shifted right by
// 8 * (j % 4) and truncated. Each byte is appended to pubkey_data, with
// sub_1810E5F40 taken when the current end equals v88 (the grow path).
for ( j = 0i64; j < 0x126; ++j )
{
v45 = (v43[j >> 2] ^ 0x67F97244u) >> (8 * (j & 3));
v85[0] = v45;
if ( *((_QWORD *)&pubkey_data + 1) == v88 )
{
sub_1810E5F40((const void **)&pubkey_data, *((_BYTE **)&pubkey_data + 1), v85);
}
else
{
**((_BYTE **)&pubkey_data + 1) = v45;
++*((_QWORD *)&pubkey_data + 1);
}
v19 = v100;
}
// The dword table is released here; BNFreeDataReferences_0 is the disassembler's
// name for the callee and is presumably a mislabelled deallocation thunk.
BNFreeDataReferences_0(v43);
// Turn the decoded bytes into a key object, then construct the verifier v102
// with the padding name "EMSA3(SHA-256)".
pubkey_1818D6FC0 = (void (__fastcall ***)(_QWORD, __int64))load_pubkey_1818D6FC0((__int64 *)&pubkey_data);
pubkey_1818D6FC0_1 = pubkey_1818D6FC0;
v151 = 0i64;
v152 = 0i64;
n0xF = 0xFi64;
LOBYTE(v151) = 0;
n0xE = 0xEi64;
n0xF_1 = 0xFi64;
strcpy(EMSA3(SHA_256), "EMSA3(SHA-256)");
v133 = 0;
sub_181812A20((__int64)v102, (__int64)pubkey_1818D6FC0, (__int64)EMSA3(SHA_256), 0, (__int64)&v151);
// Inlined teardown of the two temporary strings: free the heap buffer when the
// capacity field is >= 0x10 (with what looks like MSVC's adjustment for
// allocations >= 0x1000), then reset to empty. The same pattern repeats after
// each by-name lookup below.
if ( n0xF_1 >= 0x10 )
{
v47 = *(void **)EMSA3(SHA_256);
if ( n0xF_1 + 1 >= 0x1000 )
{
v47 = *(void **)(*(_QWORD *)EMSA3(SHA_256) - 8i64);
if ( (unsigned __int64)(*(_QWORD *)EMSA3(SHA_256) - (_QWORD)v47 - 8i64) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(v47);
}
n0xE = 0i64;
n0xF_1 = 0xFi64;
EMSA3(SHA_256)[0] = 0;
if ( n0xF >= 0x10 )
{
v48 = (void *)v151;
if ( n0xF + 1 >= 0x1000 )
{
v48 = *(void **)(v151 - 8);
if ( (unsigned __int64)(v151 - (_QWORD)v48 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(v48);
}
v152 = 0i64;
n0xF = 0xFi64;
LOBYTE(v151) = 0;
// NOTE(review): the message buffer v150 is not visibly passed to sub_181914880
// or to the verifier call; presumably the decompiler dropped the argument(s)
// -- confirm in the disassembly.
sub_181914880(v102);
// Signature check over the converted signature buffer (pointer v167[2],
// length v167[0]); a false result throws std::runtime_error.
if ( !(unsigned __int8)PK_Verifier_181881660(v102, v167[2], v167[0]) )
{
sub_180CC11B0(pExceptionObject_2, &Buf2);
CxxThrowException(pExceptionObject_2, (_ThrowInfo *)&_TI2_AVruntime_error_std__);
}
// Hash object requested by the name "MD5" (the 3-byte name is assembled in v140).
v154 = 0i64;
v155 = 0i64;
n0xF_2 = 0xFi64;
LOBYTE(v154) = 0;
v140 = 0i64;
n3 = 3i64;
n0xF_3 = 0xFi64;
LOWORD(v140) = *(_WORD *)"MD5";
WORD1(v140) = (unsigned __int8)Buf2__3[2];
hash_181893160(&md5, (const void **)&v140, &v154);
if ( n0xF_3 >= 0x10 )
{
v49 = (void *)v140;
if ( n0xF_3 + 1 >= 0x1000 )
{
v49 = *(void **)(v140 - 8);
if ( (unsigned __int64)(v140 - (_QWORD)v49 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(v49);
}
n3 = 0i64;
n0xF_3 = 0xFi64;
LOBYTE(v140) = 0;
if ( n0xF_2 >= 0x10 )
{
v50 = (void *)v154;
if ( n0xF_2 + 1 >= 0x1000 )
{
v50 = *(void **)(v154 - 8);
if ( (unsigned __int64)(v154 - (_QWORD)v50 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(v50);
}
v155 = 0i64;
n0xF_2 = 0xFi64;
LOBYTE(v154) = 0;
// MD5 over the first 0x100 bytes of lic_data; the digest lands in lic_data_md5.
(*(void (__fastcall **)(__int64, char *, __int64))(*(_QWORD *)md5 + 0x10i64))(md5, lic_data, 0x100i64);
hash_final_18070BF20(md5, &lic_data_md5);
// Cipher object requested by the name "RC4".
v157 = 0i64;
v158 = 0i64;
n0xF_4 = 0xFi64;
LOBYTE(v157) = 0;
v143 = 0i64;
n3_1 = 3i64;
n0xF_5 = 0xFi64;
LOWORD(v143) = *(_WORD *)"RC4";
WORD1(v143) = (unsigned __int8)asc_1867A7E04[2];
rc4_181894420(&rc4, (__int64)&v143, &v157);
if ( n0xF_5 >= 0x10 )
{
v51 = (void *)v143;
if ( n0xF_5 + 1 >= 0x1000 )
{
v51 = *(void **)(v143 - 8);
if ( (unsigned __int64)(v143 - (_QWORD)v51 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(v51);
}
n3_1 = 0i64;
n0xF_5 = 0xFi64;
LOBYTE(v143) = 0;
if ( n0xF_4 >= 0x10 )
{
v52 = (void *)v157;
if ( n0xF_4 + 1 >= 0x1000 )
{
v52 = *(void **)(v157 - 8);
if ( (unsigned __int64)(v157 - (_QWORD)v52 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(v52);
}
v158 = 0i64;
n0xF_4 = 0xFi64;
LOBYTE(v157) = 0;
// Key the RC4 object with the MD5 digest, then process 0x18 bytes from v170 into
// datarc4_dec through vtable slot 5. v170 is presumably lic_data + 0x100, the
// tail of the 0x118-byte blob -- TODO confirm (declarations are collapsed).
rc4_set_key_181907DE0((__int64)rc4, (__int64)lic_data_md5, v94 - (_QWORD)lic_data_md5);
// 18840F0
// sub_1818840F0
((void (__fastcall *)(void (__fastcall ***)(_QWORD, __int64), char *, char *, __int64))(*rc4)[5])(
rc4,
v170,
datarc4_dec,
0x18i64);
// Built-in table of rejected serial hashes and its entry count.
invalid_serial_sha256_data_sz = invalid_serial_sha256_data_sz_18A237AF8;
invalid_serial_sha256_data = invalid_serial_sha256_data_18A237AF0;
// Hash object requested by name; the name is assembled from "SHA-25" plus one more byte.
v160 = 0i64;
v161 = 0i64;
n0xF_6 = 0xFi64;
LOBYTE(v160) = 0;
v137 = 0;
n7 = 7i64;
n0xF_7 = 0xFi64;
qmemcpy(sha256_1, "SHA-25", 6); // sha256
*(_QWORD *)&sha256_1[6] = (unsigned __int8)Buf2__6[6];
hash_181893160(&sha256, (const void **)sha256_1, &v160);
if ( n0xF_7 >= 0x10 )
{
sha256_2 = *(void **)sha256_1;
if ( n0xF_7 + 1 >= 0x1000 )
{
sha256_2 = *(void **)(*(_QWORD *)sha256_1 - 8i64);
if ( (unsigned __int64)(*(_QWORD *)sha256_1 - (_QWORD)sha256_2 - 8i64) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(sha256_2);
}
n7 = 0i64;
n0xF_7 = 0xFi64;
sha256_1[0] = 0;
if ( n0xF_6 >= 0x10 )
{
v56 = (void *)v160;
if ( n0xF_6 + 1 >= 0x1000 )
{
v56 = *(void **)(v160 - 8);
if ( (unsigned __int64)(v160 - (_QWORD)v56 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(v56);
}
v161 = 0i64;
n0xF_6 = 0xFi64;
LOBYTE(v160) = 0;
// Hash the serial string; the digest lands in v98.
serial_2 = serial;
if ( n0x10_3 >= 0x10 )
serial_2 = (unsigned __int64 *)serial[0];
(*(void (__fastcall **)(__int64, unsigned __int64 *, size_t))(*(_QWORD *)sha256 + 0x10i64))(
sha256,
serial_2,
Size_1);
hash_final_18070BF20(sha256, &v98);
// Check whether the SHA-256 of the serial matches the built-in blacklist;
// a match throws std::runtime_error.
// NOTE(review): entries are 0x20 bytes apart but only three QWORDs (0x18 bytes)
// are compared in this listing -- confirm whether a fourth compare exists in
// the disassembly.
for ( k = 0; k < invalid_serial_sha256_data_sz; ++k )
{
v59 = 0x20 * k;
if ( *(_QWORD *)v98 == *(_QWORD *)(v59 + invalid_serial_sha256_data)
&& *(_QWORD *)(v98 + 8) == *(_QWORD *)(v59 + invalid_serial_sha256_data + 8)
&& *(_QWORD *)(v98 + 0x10) == *(_QWORD *)(v59 + invalid_serial_sha256_data + 0x10) )
{
sub_180CC11B0(pExceptionObject_3, &Buf2);
CxxThrowException(pExceptionObject_3, (_ThrowInfo *)&_TI2_AVruntime_error_std__);
}
}
// Publish serial, email, product, type, count and the expiry value (v32) to globals.
serial_3 = serial;
if ( n0x10_3 >= 0x10 )
serial_3 = (unsigned __int64 *)serial[0];
sub_18062D700((unsigned __int64 *)&vec_serial_18A03F3E8, serial_3, Size_1);
email_2 = email;
if ( n0x10_2 >= 0x10 )
email_2 = (unsigned __int64 *)email[0];
sub_18062D700((unsigned __int64 *)&vec_email_18A03F408, email_2, Size_2);
Buf1_5 = product;
if ( n0x10_1 >= 0x10 )
Buf1_5 = (void **)product[0];
sub_18062D700((unsigned __int64 *)&vec_product_18A03F428, Buf1_5, Size);
type_2 = type;
if ( n0x10_5 >= 0x10 )
type_2 = (unsigned __int64 *)type[0];
sub_18062D700((unsigned __int64 *)&vec_type_18A03F448, type_2, Size_3);
::count = count;
qword_18A2379E0 = v32;
// Keep a copy of the first 0x100 bytes of lic_data at unk_18A2379F0 (2 x 0x80).
v64 = &unk_18A2379F0;
lic_data_2 = lic_data;
n2_1 = 2i64;
do
{
*v64 = *(_OWORD *)lic_data_2;
v64[1] = *((_OWORD *)lic_data_2 + 1);
v64[2] = *((_OWORD *)lic_data_2 + 2);
v64[3] = *((_OWORD *)lic_data_2 + 3);
v64[4] = *((_OWORD *)lic_data_2 + 4);
v64[5] = *((_OWORD *)lic_data_2 + 5);
v64[6] = *((_OWORD *)lic_data_2 + 6);
v64 += 8;
v64[0xFFFFFFFF] = *((_OWORD *)lic_data_2 + 7);
lic_data_2 += 0x80;
--n2_1;
}
while ( n2_1 );
// An entry whose product is exactly "Binary Ninja" (length 0xC) sets the global
// valid_product flag; the flag is never cleared in this function.
product_2 = product;
v68 = n0x10_1 >= 0x10;
Buf1_3 = (void **)product[0];
if ( n0x10_1 >= 0x10 )
product_2 = (void **)product[0];
n0x15 = Size;
if ( Size == 0xC )
{
v71 = memcmp(product_2, "Binary Ninja", 0xCui64);
valid_product_18A2379EA = ::valid_product_18A2379EA;
if ( !v71 )
valid_product_18A2379EA = 1;
::valid_product_18A2379EA = valid_product_18A2379EA;
}
Buf1_1 = product;
if ( v68 )
Buf1_1 = Buf1_3;
// An entry whose product is exactly "Binary Ninja Personal" (length 0x15) is the
// accepting case, but only if valid_product is already set; otherwise throw.
if ( n0x15 == 0x15 && !memcmp(Buf1_1, "Binary Ninja Personal", 0x15ui64) )
{
if ( !::valid_product_18A2379EA )
{
sub_180CC11B0(pExceptionObject_4, &Buf2);
CxxThrowException(pExceptionObject_4, (_ThrowInfo *)&_TI2_AVruntime_error_std__);
}
psub_180981EC0 = (__int64 (__fastcall *)())sub_180981EC0;
nullsub = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))sub_180904F90;
// One-time step guarded by byte_18A2379E8: obtain a fresh RC4 object, key it
// with the 0x18 bytes of datarc4_dec, and transform 0x452 bytes at
// unk_18A03F4D0 in place.
if ( !byte_18A2379E8 )
{
v148 = 0i64;
si128.m128i_i64[0] = 0i64;
si128.m128i_i64[1] = 0xFi64;
LOBYTE(v148) = 0;
p_i = 0i64;
v113.m128i_i64[0] = 3i64;
v113.m128i_i64[1] = 0xFi64;
LOWORD(p_i) = *(_WORD *)"RC4";
WORD1(p_i) = (unsigned __int8)asc_1867A7E04[2];
v74 = rc4_181894420(&v96, (__int64)&p_i, &v148);
// Move the new object into rc4 and destroy the previous one.
if ( &rc4 != (void (__fastcall ****)(_QWORD, __int64))v74 )
{
rc4_2 = *v74;
*v74 = 0i64;
rc4_1 = rc4;
rc4 = (void (__fastcall ***)(_QWORD, __int64))rc4_2;
if ( rc4_1 )
(**rc4_1)(rc4_1, 1i64);
}
if ( v96 )
(**v96)(v96, 1i64);
if ( v113.m128i_i64[1] >= 0x10ui64 )
{
i_4 = (void *)p_i;
if ( (unsigned __int64)(v113.m128i_i64[1] + 1) >= 0x1000 )
{
i_4 = *(void **)(p_i - 8);
if ( (unsigned __int64)(p_i - (_QWORD)i_4 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(i_4);
}
v113.m128i_i64[0] = 0i64;
v113.m128i_i64[1] = 0xFi64;
LOBYTE(p_i) = 0;
if ( si128.m128i_i64[1] >= 0x10ui64 )
{
v78 = (void *)v148;
if ( (unsigned __int64)(si128.m128i_i64[1] + 1) >= 0x1000 )
{
v78 = *(void **)(v148 - 8);
if ( (unsigned __int64)(v148 - (_QWORD)v78 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(v78);
}
// Copy datarc4_dec byte by byte into a 0x18-byte allocation; the copy stops at
// the address of count_str, which presumably follows datarc4_dec on the stack.
rc4_3 = (__int64)rc4;
v80 = sub_1819ADFB0(0x18ui64);
v97[0] = v80;
v97[2] = v80 + 0x18;
v81 = (_BYTE *)v80;
datarc4_dec_1 = datarc4_dec;
do
*v81++ = *datarc4_dec_1++;
while ( datarc4_dec_1 != count_str );
v97[1] = v81;
rc4_set_key_181907DE0(rc4_3, v80, (unsigned __int64)&v81[-v80]);
if ( v80 )
error_1819AD2A0(v80);
((void (__fastcall *)(void (__fastcall ***)(_QWORD, __int64), void *, void *, __int64))(*rc4)[5])(
rc4,
&unk_18A03F4D0,
&unk_18A03F4D0,
0x452i64);
byte_18A2379E8 = 1;
}
// Cache the positive result for the fast path at the top of the function.
byte_18A2379E9 = 1;
// Teardown of the per-entry objects and strings, then release the mutex and return 1.
if ( (_QWORD)v98 )
{
sub_18189A450((void *)v98, v99 - v98, 1i64);
v98 = 0i64;
v99 = 0i64;
}
if ( sha256 )
(*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)sha256 + 8i64))(sha256, 1i64);
if ( rc4 )
(**rc4)(rc4, 1i64);
if ( lic_data_md5 )
{
sub_18189A450(lic_data_md5, v95 - (_QWORD)lic_data_md5, 1i64);
lic_data_md5 = 0i64;
v94 = 0i64;
v95 = 0i64;
}
if ( md5 )
(*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)md5 + 8i64))(md5, 1i64);
sub_1818219B0(v102);
if ( pubkey_1818D6FC0 )
(**pubkey_1818D6FC0)(pubkey_1818D6FC0, 1i64);
pubkey_data_1 = (void *)pubkey_data;
if ( (_QWORD)pubkey_data )
{
if ( (unsigned __int64)(v88 - pubkey_data) >= 0x1000 )
{
pubkey_data_1 = *(void **)(pubkey_data - 8);
if ( (unsigned __int64)(pubkey_data - (_QWORD)pubkey_data_1 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(pubkey_data_1);
pubkey_data = 0i64;
v88 = 0i64;
}
sub_180C39600((__int64)v150);
sub_180C39600((__int64)v167);
sub_180C39600((__int64)v168);
if ( n0x10_6 >= 0x10 )
error_1819AD2A0(data[0]);
v127 = 0i64;
n0x10_6 = 0xFi64;
LOBYTE(data[0]) = 0;
if ( n0x10_5 >= 0x10 )
error_1819AD2A0(type[0]);
Size_3 = 0i64;
n0x10_5 = 0xFi64;
LOBYTE(type[0]) = 0;
if ( n0x10_4 >= 0x10 )
error_1819AD2A0(created[0]);
v130 = 0i64;
n0x10_4 = 0xFi64;
LOBYTE(created[0]) = 0;
if ( n0x10_3 >= 0x10 )
error_1819AD2A0(serial[0]);
Size_1 = 0i64;
n0x10_3 = 0xFi64;
LOBYTE(serial[0]) = 0;
if ( n0x10_2 >= 0x10 )
error_1819AD2A0(email[0]);
Size_2 = 0i64;
n0x10_2 = 0xFi64;
LOBYTE(email[0]) = 0;
if ( n0x10_1 >= 0x10 )
error_1819AD2A0((unsigned __int64)product[0]);
Size = 0i64;
n0x10_1 = 0xFi64;
LOBYTE(product[0]) = 0;
if ( v147.m128i_i64[1] >= 0x10ui64 )
error_1819AD2A0(v146);
v147 = _mm_load_si128((const __m128i *)&xmmword_186773BF0);
LOBYTE(v146) = 0;
sub_180680110(v103);
if ( v19 )
(**(void (__fastcall ***)(__int64, __int64))v19)(v19, 1i64);
if ( v92 )
Mtx_unlock(v91);
return 1;
}
// This entry is not a "Binary Ninja Personal" entry: the same teardown runs,
// then sub_18068CF70(v101) is called before the loop condition is re-tested
// (presumably the iterator advance).
if ( (_QWORD)v98 )
{
sub_18189A450((void *)v98, v99 - v98, 1i64);
v98 = 0i64;
v99 = 0i64;
}
if ( sha256 )
(*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)sha256 + 8i64))(sha256, 1i64);
if ( rc4 )
(**rc4)(rc4, 1i64);
if ( lic_data_md5 )
{
sub_18189A450(lic_data_md5, v95 - (_QWORD)lic_data_md5, 1i64);
lic_data_md5 = 0i64;
v94 = 0i64;
v95 = 0i64;
}
if ( md5 )
(*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)md5 + 8i64))(md5, 1i64);
sub_1818219B0(v102);
if ( pubkey_1818D6FC0 )
(**pubkey_1818D6FC0)(pubkey_1818D6FC0, 1i64);
pubkey_data_2 = (void *)pubkey_data;
if ( (_QWORD)pubkey_data )
{
if ( (unsigned __int64)(v88 - pubkey_data) >= 0x1000 )
{
pubkey_data_2 = *(void **)(pubkey_data - 8);
if ( (unsigned __int64)(pubkey_data - (_QWORD)pubkey_data_2 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(pubkey_data_2);
pubkey_data = 0i64;
v88 = 0i64;
}
sub_180C39600((__int64)v150);
sub_180C39600((__int64)v167);
sub_180C39600((__int64)v168);
if ( n0x10_6 >= 0x10 )
error_1819AD2A0(data[0]);
v127 = 0i64;
n0x10_6 = 0xFi64;
LOBYTE(data[0]) = 0;
if ( n0x10_5 >= 0x10 )
error_1819AD2A0(type[0]);
Size_3 = 0i64;
n0x10_5 = 0xFi64;
LOBYTE(type[0]) = 0;
if ( n0x10_4 >= 0x10 )
error_1819AD2A0(created[0]);
v130 = 0i64;
n0x10_4 = 0xFi64;
LOBYTE(created[0]) = 0;
if ( n0x10_3 >= 0x10 )
error_1819AD2A0(serial[0]);
Size_1 = 0i64;
n0x10_3 = 0xFi64;
LOBYTE(serial[0]) = 0;
if ( n0x10_2 >= 0x10 )
error_1819AD2A0(email[0]);
Size_2 = 0i64;
n0x10_2 = 0xFi64;
LOBYTE(email[0]) = 0;
if ( n0x10_1 >= 0x10 )
error_1819AD2A0((unsigned __int64)product[0]);
sub_18068CF70(v101);
}
// No entry was accepted: clean up, release the mutex and return 0.
if ( v147.m128i_i64[1] >= 0x10ui64 )
error_1819AD2A0(v146);
v147 = _mm_load_si128((const __m128i *)&xmmword_186773BF0);
LOBYTE(v146) = 0;
sub_180680110(v103);
if ( v19 )
(**(void (__fastcall ***)(__int64, __int64))v19)(v19, 1i64);
if ( v92 )
Mtx_unlock(v91);
return 0;
}
PK_Verifier_181881660签名验证
签名验证使用加密库 Botan(下方反编译代码中的断言字符串指向 botan_all.cpp 的 check_signature)。
Botan: Botan::PK_Verifier Class Reference
// PK_Verifier_181881660 -- decompiler output of a signature check. The embedded
// strings ("PK_Verifier: ...", "check_signature", botan_all.cpp) tie it to
// Botan's PK_Verifier. a1 is the verifier object; a2 and a3 are used together as
// the signature pointer and length (see sub_181809500(v8, a2, a3) and the
// length compare against a3 below). Returns the result of the underlying
// verification call (vtable slot +8 of the object at *a1); malformed input
// throws a Botan exception instead of returning.
__int64 __fastcall PK_Verifier_181881660(__int64 **a1, __int64 a2, __int64 a3)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// Signature format selector, read from offset 8 of the object.
v6 = *((_DWORD *)a1 + 2);
// Format 0: hand off directly to the operation object at *a1.
// NOTE(review): no signature arguments are shown on this call; presumably the
// decompiler dropped them -- confirm in the disassembly.
if ( !v6 )
return (*(__int64 (__fastcall **)(__int64 *))(**a1 + 8))(*a1);
// Any selector other than 0 or 1 is reported as an internal error.
if ( v6 != 1 )
{
sub_180617970(v47, "PK_Verifier: Invalid signature format enum");
sub_18180DAC0(pExceptionObject_1, v47);
CxxThrowException(pExceptionObject_1, (_ThrowInfo *)&_TI3_AVInternal_Error_Botan__);
}
// Format 1: the signature bytes are wrapped in a data source (sub_181809500)
// and a decoder is opened on it; the 0x10 passed to sub_18190C210 is presumably
// the ASN.1 SEQUENCE tag -- TODO confirm.
v27 = 0i64;
v28 = 0i64;
v31[0] = 0i64;
v31[1] = 0xFF00i64;
*(_OWORD *)v32 = 0i64;
v33 = 0i64;
v35 = 0i64;
v8 = new_186615100(0x28ui64);
v46 = v8;
if ( v8 )
v9 = sub_181809500(v8, a2, a3);
else
v9 = 0i64;
v35 = v9;
v34 = v9;
sub_18190C210(v31, v40, 0x10i64);
// Assertion from the library source: a1[2] (m_parts) and a1[3] (m_part_size)
// must both be non-zero.
if ( !a1[2] || !a1[3] )
sub_181847CF0(
(unsigned int)"m_parts != 0 && m_part_size != 0",
(unsigned int)&Buf2,
(unsigned int)"check_signature",
(unsigned int)"C:\\jenkins\\workspace\\ja-stable-multibranch_stable_5.1\\build\\botan\\botan\\botan_all.cpp",
0x7842);
// Decode elements until the decoder reports no more data. Each element is
// re-encoded via sub_1818AEC70 with a1[3] (the part size) and appended to v27,
// and v10 counts the elements. The temporaries are zeroed with memset before
// being freed.
v10 = 0i64;
while ( !(*(unsigned __int8 (__fastcall **)(__int64))(*(_QWORD *)v44 + 0x18i64))(v44) || n0xFF00 != 0xFF00 )
{
*(_OWORD *)v36 = 0i64;
v37 = 0i64;
v38 = 0xFFFFFFFFFFFFFFFFui64;
v39 = 1;
sub_18189C410(v40, v36, 2i64);
v23 = (_QWORD *)sub_1818AEC70(v47, v36, a1[3]);
sub_1817E81B0(&v27, *((_QWORD *)&v27 + 1), *v23, v23[1] - *v23);
v24 = v47[0];
if ( v47[0] )
{
memset(v47[0], 0, v48 - (unsigned __int64)v47[0]);
free(v24);
v47[0] = 0i64;
v47[1] = 0i64;
v48 = 0i64;
}
v10 = (__int64 *)((char *)v10 + 1);
v25 = v36[0];
if ( v36[0] )
{
memset(v36[0], 0, (v37 - (unsigned __int64)v36[0]) & 0xFFFFFFFFFFFFFFF8ui64);
free(v25);
}
}
// The number of decoded elements must equal a1[2] (m_parts).
v11 = a1[2];
if ( v10 != v11 )
{
sub_180617970(v47, "PK_Verifier: signature size invalid");
sub_1818097A0(pExceptionObject, v47);
CxxThrowException(pExceptionObject, (_ThrowInfo *)&_TI4_AVDecoding_Error_Botan__);
}
// Re-encode the decoded parts (sub_1818AA420) and require the result to equal
// the input exactly: same length as a3, and every byte equal. The byte compare
// ORs together the XOR of each pair instead of exiting at the first mismatch.
sub_1818AA420(&v29, &v27, v11, a1[3]);
v12 = (_BYTE *)v29;
v13 = *((_QWORD *)&v29 + 1) - v29;
if ( *((_QWORD *)&v29 + 1) - (_QWORD)v29 != a3 )
goto LABEL_42;
v26 = 0;
if ( v13 )
{
v14 = a2 - v29;
do
{
v26 |= *v12 ^ v12[v14];
++v12;
--v13;
}
while ( v13 );
}
if ( v26 )
{
// Any difference means the input was not the canonical DER encoding.
LABEL_42:
sub_180617970(v47, "PK_Verifier: signature is not the canonical DER encoding");
sub_1818097A0(pExceptionObject_2, v47);
CxxThrowException(pExceptionObject_2, (_ThrowInfo *)&_TI4_AVDecoding_Error_Botan__);
}
// Run the actual verification on the concatenated parts in v27; v18 is the result.
v15 = *a1;
v16 = **a1;
v17 = (char *)v27;
v18 = (*(__int64 (__fastcall **)(__int64 *, _QWORD, _QWORD))(v16 + 8))(v15, v27, *((_QWORD *)&v27 + 1) - v27);
// Cleanup: release the re-encoded buffer, the decoder state and the data source;
// buf and v32 are zeroed with memset before free.
v19 = (void *)v29;
if ( (_QWORD)v29 )
{
if ( (unsigned __int64)(v30 - v29) >= 0x1000 )
{
v19 = *(void **)(v29 - 8);
if ( (unsigned __int64)(v29 - (_QWORD)v19 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(v19);
v29 = 0i64;
v30 = 0i64;
}
if ( v45 )
(*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)v45 + 0x30i64))(v45, 1i64);
buf_1 = buf;
if ( buf )
{
memset(buf, 0, *((_QWORD *)&v43 + 1) - (_QWORD)buf);
free(buf_1);
buf = 0i64;
v43 = 0i64;
}
if ( v35 )
(*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)v35 + 0x30i64))(v35, 1i64);
v21 = v32[0];
if ( v32[0] )
{
memset(v32[0], 0, v33 - (unsigned __int64)v32[0]);
free(v21);
*(_OWORD *)v32 = 0i64;
v33 = 0i64;
}
// Release v27's buffer (if any) and return the verification result.
if ( !v17 )
return v18;
v22 = v17;
if ( (unsigned __int64)(v28 - (_QWORD)v17) >= 0x1000 )
{
v17 = (char *)*((_QWORD *)v17 + 0xFFFFFFFF);
if ( (unsigned __int64)(v22 - v17 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_BNFreeDataReferences_0_0(v17);
return v18;
}
patch
方案一:patch PK_Verifier_181881660
00007FFBE9D41660 | B0 01 | mov al,1 | PK_Verifier
00007FFBE9D41662 | C3 | ret |
方案二:patch 内置公钥
内置公钥进行了xor加密,可以针对指定位置进行patch
00007FFBE95A6C0A | C700 74F0F845 | mov dword ptr ds:[rax],45F8F074 |
00007FFBE95A6C10 | C740 04 747FFF | mov dword ptr ds:[rax+4],6EFF7F74 |
00007FFBE95A6C17 | C740 08 6EF4B1 | mov dword ptr ds:[rax+8],E1B1F46E |
00007FFBE95A6C1E | C740 0C B37FF8 | mov dword ptr ds:[rax+C],66F87FB3 |
00007FFBE95A6C25 | C740 10 4577F9 | mov dword ptr ds:[rax+10],64F97745 |
00007FFBE95A6C2C | C740 14 C673F6 | mov dword ptr ds:[rax+14],67F673C6 |
00007FFBE95A6C33 | C740 18 74F0F8 | mov dword ptr ds:[rax+18],6DF8F074 |
00007FFBE95A6C3A | C740 1C 46F0F8 | mov dword ptr ds:[rax+1C],66F8F046 |
00007FFBE95A6C41 | C740 20 44A495 | mov dword ptr ds:[rax+20],F995A444 |
00007FFBE95A6C48 | C740 24 8CAE7F | mov dword ptr ds:[rax+24],947FAE8C |
00007FFBE95A6C4F | C740 28 9F1A4B | mov dword ptr ds:[rax+28],DF4B1A9F |
00007FFBE95A6C56 | C740 2C FB14FC | mov dword ptr ds:[rax+2C],36FC14FB |
00007FFBE95A6C5D | C740 30 2777DE | mov dword ptr ds:[rax+30],93DE7727 |
00007FFBE95A6C64 | C740 34 A843E0 | mov dword ptr ds:[rax+34],5CE043A8 |
00007FFBE95A6C6B | C740 38 2D06C7 | mov dword ptr ds:[rax+38],86C7062D |
00007FFBE95A6C72 | C740 3C A22252 | mov dword ptr ds:[rax+3C],D65222A2 |
00007FFBE95A6C79 | C740 40 E6559A | mov dword ptr ds:[rax+40],69A55E6 |
00007FFBE95A6C80 | C740 44 F4717A | mov dword ptr ds:[rax+44],957A71F4 |
00007FFBE95A6C87 | C740 48 791491 | mov dword ptr ds:[rax+48],6D911479 |
00007FFBE95A6C8E | C740 4C 2C6C4A | mov dword ptr ds:[rax+4C],DF4A6C2C |
00007FFBE95A6C95 | C740 50 983886 | mov dword ptr ds:[rax+50],F6863898 |
00007FFBE95A6C9C | C740 54 1595CB | mov dword ptr ds:[rax+54],91CB9515 |
00007FFBE95A6CA3 | C740 58 90C590 | mov dword ptr ds:[rax+58],490C590 |
00007FFBE95A6CAA | C740 5C 9560D3 | mov dword ptr ds:[rax+5C],E8D36095 |
00007FFBE95A6CB1 | C740 60 1CEB8A | mov dword ptr ds:[rax+60],C8AEB1C |
00007FFBE95A6CB8 | C740 64 9A0968 | mov dword ptr ds:[rax+64],7B68099A |
00007FFBE95A6CBF | C740 68 DB58AC | mov dword ptr ds:[rax+68],83AC58DB |
00007FFBE95A6CC6 | C740 6C 69D87C | mov dword ptr ds:[rax+6C],17CD869 |
00007FFBE95A6CCD | C740 70 8FDFBA | mov dword ptr ds:[rax+70],D9BADF8F |
00007FFBE95A6CD4 | C740 74 2C69D6 | mov dword ptr ds:[rax+74],5FD6692C |
00007FFBE95A6CDB | C740 78 513B3A | mov dword ptr ds:[rax+78],253A3B51 |
00007FFBE95A6CE2 | C740 7C B86B08 | mov dword ptr ds:[rax+7C],92086BB8 |
00007FFBE95A6CE9 | C780 80000000 | mov dword ptr ds:[rax+80],33BDA0D7 |
00007FFBE95A6CF3 | C780 84000000 | mov dword ptr ds:[rax+84],CAEE6F30 |
00007FFBE95A6CFD | C780 88000000 | mov dword ptr ds:[rax+88],540F53B6 |
00007FFBE95A6D07 | C780 8C000000 | mov dword ptr ds:[rax+8C],8FB4DEE1 |
00007FFBE95A6D11 | C780 90000000 | mov dword ptr ds:[rax+90],51FB841A |
00007FFBE95A6D1B | C780 94000000 | mov dword ptr ds:[rax+94],51008A6C |
00007FFBE95A6D25 | C780 98000000 | mov dword ptr ds:[rax+98],7E9213C8 |
00007FFBE95A6D2F | C780 9C000000 | mov dword ptr ds:[rax+9C],A3FBA50D |
00007FFBE95A6D39 | C780 A0000000 | mov dword ptr ds:[rax+A0],7AB82F5D |
00007FFBE95A6D43 | C780 A4000000 | mov dword ptr ds:[rax+A4],7CD66891 |
00007FFBE95A6D4D | C780 A8000000 | mov dword ptr ds:[rax+A8],457A2BC0 |
00007FFBE95A6D57 | C780 AC000000 | mov dword ptr ds:[rax+AC],88A771DD |
00007FFBE95A6D61 | C780 B0000000 | mov dword ptr ds:[rax+B0],84E7CC2C |
00007FFBE95A6D6B | C780 B4000000 | mov dword ptr ds:[rax+B4],B85DE039 |
00007FFBE95A6D75 | C780 B8000000 | mov dword ptr ds:[rax+B8],F5A1FD31 |
00007FFBE95A6D7F | C780 BC000000 | mov dword ptr ds:[rax+BC],520FD88C |
00007FFBE95A6D89 | C780 C0000000 | mov dword ptr ds:[rax+C0],CA5E74E0 |
00007FFBE95A6D93 | C780 C4000000 | mov dword ptr ds:[rax+C4],6446EC0B |
00007FFBE95A6D9D | C780 C8000000 | mov dword ptr ds:[rax+C8],BDBD7CAF |
00007FFBE95A6DA7 | C780 CC000000 | mov dword ptr ds:[rax+CC],9742290C |
00007FFBE95A6DB1 | C780 D0000000 | mov dword ptr ds:[rax+D0],5E014FDC |
00007FFBE95A6DBB | C780 D4000000 | mov dword ptr ds:[rax+D4],8FF33064 |
00007FFBE95A6DC5 | C780 D8000000 | mov dword ptr ds:[rax+D8],5B238660 |
00007FFBE95A6DCF | C780 DC000000 | mov dword ptr ds:[rax+DC],F290A38D |
00007FFBE95A6DD9 | C780 E0000000 | mov dword ptr ds:[rax+E0],16A61171 |
00007FFBE95A6DE3 | C780 E4000000 | mov dword ptr ds:[rax+E4],B580C015 |
00007FFBE95A6DED | C780 E8000000 | mov dword ptr ds:[rax+E8],C5413635 |
00007FFBE95A6DF7 | C780 EC000000 | mov dword ptr ds:[rax+EC],854F17DE |
00007FFBE95A6E01 | C780 F0000000 | mov dword ptr ds:[rax+F0],9A56B9C8 |
00007FFBE95A6E0B | C780 F4000000 | mov dword ptr ds:[rax+F4],B9C6D99F |
00007FFBE95A6E15 | C780 F8000000 | mov dword ptr ds:[rax+F8],8609B9C0 |
00007FFBE95A6E1F | C780 FC000000 | mov dword ptr ds:[rax+FC],CCD13CBB |
00007FFBE95A6E29 | C780 00010000 | mov dword ptr ds:[rax+100],AE876B21 |
00007FFBE95A6E33 | C780 04010000 | mov dword ptr ds:[rax+104],AA8470B9 |
00007FFBE95A6E3D | C780 08010000 | mov dword ptr ds:[rax+108],E7D1873E |
00007FFBE95A6E47 | C780 0C010000 | mov dword ptr ds:[rax+10C],12CB66FB |
00007FFBE95A6E51 | C780 10010000 | mov dword ptr ds:[rax+110],E5FE5D3C |
00007FFBE95A6E5B | C780 14010000 | mov dword ptr ds:[rax+114],20C27687 |
00007FFBE95A6E65 | C780 18010000 | mov dword ptr ds:[rax+118],5B4F7646 |
00007FFBE95A6E6F | C780 1C010000 | mov dword ptr ds:[rax+11C],C8828E04 |
00007FFBE95A6E79 | C780 20010000 | mov dword ptr ds:[rax+120],66FA7077 |
00007FFBE95A6E83 | C780 24010000 | mov dword ptr ds:[rax+124],67F97344 |
00007FFBE95A6E8D | 0F57C0 | xorps xmm0,xmm0 |
00007FFBE95A6E90 | F3:0F7F4424 40 | movdqu xmmword ptr ss:[rsp+40],xmm0 |
00007FFBE95A6E96 | 4C:896C24 50 | mov qword ptr ss:[rsp+50],r13 |
00007FFBE95A6E9B | 49:8BF5 | mov rsi,r13 |
00007FFBE95A6E9E | 66:90 | nop |
00007FFBE95A6EA0 | 48:81FE 260100 | cmp rsi,126 |
00007FFBE95A6EA7 | 73 5F | jae binaryninjacore.7FFBE95A6F08 |
00007FFBE95A6EA9 | 48:8BC6 | mov rax,rsi |
00007FFBE95A6EAC | 48:C1E8 02 | shr rax,2 |
00007FFBE95A6EB0 | 8B1483 | mov edx,dword ptr ds:[rbx+rax*4] |
00007FFBE95A6EB3 | 81F2 4472F967 | xor edx,67F97244 |
00007FFBE95A6EB9 | 40:0FB6CE | movzx ecx,sil |
00007FFBE95A6EBD | 80E1 03 | and cl,3 |
00007FFBE95A6EC0 | C0E1 03 | shl cl,3 |
00007FFBE95A6EC3 | D3EA | shr edx,cl |
00007FFBE95A6EC5 | 885424 30 | mov byte ptr ss:[rsp+30],dl |
00007FFBE95A6EC9 | 48:8B4424 48 | mov rax,qword ptr ss:[rsp+48] |
00007FFBE95A6ECE | 48:3B4424 50 | cmp rax,qword ptr ss:[rsp+50] |
00007FFBE95A6ED3 | 74 14 | je binaryninjacore.7FFBE95A6EE9 |
00007FFBE95A6ED5 | 8810 | mov byte ptr ds:[rax],dl |
00007FFBE95A6ED7 | 48:FF4424 48 | inc qword ptr ss:[rsp+48] |
00007FFBE95A6EDC | 48:FFC6 | inc rsi |
00007FFBE95A6EDF | 48:8BBC24 C800 | mov rdi,qword ptr ss:[rsp+C8] |
00007FFBE95A6EE7 | EB B7 | jmp binaryninjacore.7FFBE95A6EA0 |
00007FFBE95A6EE9 | 4C:8D4424 30 | lea r8,qword ptr ss:[rsp+30] |
00007FFBE95A6EEE | 48:8BD0 | mov rdx,rax |
00007FFBE95A6EF1 | 48:8D4C24 40 | lea rcx,qword ptr ss:[rsp+40] |
00007FFBE95A6EF6 | E8 45F0FFFF | call binaryninjacore.7FFBE95A5F40 |
00007FFBE95A6EFB | 48:FFC6 | inc rsi |
00007FFBE95A6EFE | 48:8BBC24 C800 | mov rdi,qword ptr ss:[rsp+C8] |
00007FFBE95A6F06 | EB 98 | jmp binaryninjacore.7FFBE95A6EA0 |
00007FFBE95A6F08 | 48:8BCB | mov rcx,rbx |
00007FFBE95A6F0B | E8 BCF15205 | call binaryninjacore.7FFBEEAD60CC |
00007FFBE95A6F10 | 48:8D4C24 40 | lea rcx,qword ptr ss:[rsp+40] |内置公钥
00007FFBE95A6F15 | E8 A6007F00 | call <binaryninjacore.import_key> |load_pubkey_1818D6FC0
00007FFBE95A6F1A | 48:8BD8 | mov rbx,rax |
或者hook load_pubkey_1818D6FC0 ,动态修改公钥
py
import base64
import hashlib
import json
import random
from Crypto.Cipher import ARC4
from Crypto.PublicKey import RSA
from Crypto.Signature import pkcs1_15
from Crypto.Util.number import long_to_bytes,bytes_to_long
from Crypto.Hash import SHA256
from datetime import datetime, timezone
def get_time_str():
# 获取当前 UTC 时间并格式化为 ISO 字符串
utc_now = datetime.now(timezone.utc)
iso_str = utc_now.isoformat(timespec='milliseconds') # 保留毫秒精度
# print(iso_str) # 输出类似:2025-07-04T19:59:19.123+00:00
return iso_str
def gen_licdata():
randdata=random.randbytes(0x100)
k=hashlib.md5(randdata).digest()
rc4=ARC4.new(key=k)
#从 AMPED Keygen 中拷贝,可能与更新相关
# (nj后面将9C2AAA09A4E2252B0BA125DB1E1CD272207D97CCA8446899 设置为key(key长度0x18)解密byte_18A03F4D0[0x452])
rc4data=bytes.fromhex('9C2AAA09A4E2252B0BA125DB1E1CD272207D97CCA8446899')
encdta=rc4.encrypt(rc4data)
# print('rc4enc:',encdta.hex())
ret=base64.standard_b64encode(randdata+encdta)
# print('data:',ret)
return ret
def gen_signature(msg,pri_data=bytes.fromhex('''308204A30201000282010100D2BF8069B298618B54272B13CE402C37826D906FA0DB47C916E304D61CFE847306AD1763A332A6FACBEF133DE5E634B333739EFFFE9F7513F7C38CDF4EB7CE27B56B728424F9410DB4CD3AB33D2A367123470D62324211876D83C15B59FB7A4D5A74E56F9E443DBEFF30289D3E4F84E58E6AB23AD4F43870034605E68EDF1FF90256AA027C6102981B8A7742C3DCFC536A4D98C4E22702F2BFFDE2985E232A2446D5750E20EDD27E59FA2475CFF2882CA33347209F62DED6965D85B03BDE6E02B99F680F33B7DC08F8730C0BCE62256FCA5613213A1182C00A36A9D496629D15C1B604550F97388C2DFD60CC8DC15CF5D61A829167CE07F9798168C92D6037470203010001028201005BC7FDC74A79D58565C5571BDD87921A2CA9C5ACEFCB7FD4622CC536F052A1E12C67A6978483F337A727FBE3C9A33B914D978D87E45E9290FB26C54B9D4F2C2F9BF16AE284EDAE78A72477EB867843547B6E1EB484B9C4438C1CC4D1217B855479D00DF9D1DDDB5C3A6BC14C55CE30CCFE7C96194C13FE1E3E36B92C234DA5F0B362663B5B353949FF83F3987080A20326CC8A4FC5E51FF5A91026BB72F1BF4EAA5EB893892E2AC6FEB828EC2D093F992589D7EDEE5DA8EA94C6F8EA61E1FF1D3686EE2B97859E0123CF438F457C97860C04263380EE82C84DB0CADCE121C93F5AD1EB0A802C7ABFF14B4265805CAC6C37F4BF4E17B034E29F3DE64EA98450CD02818100FFDC7E6D1275D1956316116CD79CD5A44F76A6284DD3C35E5A607C1C612D454BFB94DFF5EE63DDB695C8E3A9E398D188A25100959C632DBD3A23FC31F975484D1531151AA7CD6711C960018E366F1507FEB787757464F7E2F05AD097DAD9C8D34BAB3BD584948C7DABD750B3F9B651C3FCDE7133232CA2228F7880410A7FC89502818100D2DCBF521CC7FC91AE554A7ADE811CA07356C50227EC07A4DB06A2B681E29CA8F4D54A7D40D7DFAA38A1B6F03D9E4ACFBEF7C7AC45A6496C94BFD8FA0FB1C2528097AAACFDD0FAA5C9CD42A010018CB04A488A6437B5F4328B30D2FBE9290AA3C9937DD1DB92DFAE4431FC690B7EF879FFDDBAD9D3784A5869C6D8039B249D6B028181009A9EF0540FE4DD7C2EBE2657A5512516BFE2CEF4EA5B7FE4642F8CB145D4AADD093365C8E480BB7ADCB7E34546C29255C4E9B8B5B1258A7DA1461FE13F84ADE5CF59B30C41BDF27CA03A819624B52A7B8365FBD97236964B31BF5FF1751349B6CF32B2DD0CDB0CAFE18A243E2F390BDEA9D0EF8DDCC2DB5491695BF0725CD8A50281802101306917DC2DAA57D13DD131969FF67557358AFAD8B4F196DED9051C1B6E4DFBD48ECE402209FE48D2F721
6F63A16E17040D9AE763F9C6271A484A0BBED51DB8C7048E03447C970A99383E7982E4948B6C034D6072F88018CD5198E08BEE006902CF04D40B8F3B65AD3546F3E7B1D8D6B5CC13604849CAC0F3C0C7FFB6A175028180616C870F1920FD24DEBE793A273591CB3E858962A9A93022AF36FB15CEF57F3C3EE101F1A8AF206DF757EC7A7EBD99D7E1C5B18870EB8B66E78F3FA005E4431D71B25F350103C2E68BC4474DF3BDAC57F8D9327304C65E5069DDB25C178615D1A3B264B22B8826E33D21F4CD50433FD6210ED5699741FB219E75F6DD8F5DB714''')):
if isinstance(msg,str):
msg=msg.encode()
prik=RSA.import_key(pri_data)
# print('kg d:',prik.d)
# print('kg n:',prik.n)
# print('kg e:',prik.e)
sig=pkcs1_15.new(prik)
signature=sig.sign(SHA256.new(msg))
ret=base64.standard_b64encode(signature)
return ret
def kg(count:int,email:str,serial_hexstr:str=random.randbytes(0x10).hex()):
lic={}
lic["product"]= "Binary Ninja Personal"
lic["email"]= email
lic["serial"]= serial_hexstr
lic["created"]=get_time_str()
lic["type"]= "User"
lic["count"]=count
lic["data"]=gen_licdata().decode()
msg='\x00'.join((lic["product"],lic["email"],lic["serial"],lic["created"],lic["type"],str(lic["count"]),lic["data"]))
lic["signature"]= gen_signature(msg).decode()
s=json.dumps(lic,indent=0)
lic_text='[\n%s\n]'%s
return lic_text
def nj_xor(data:bytes,xor_key=bytes([0x44,0x72,0xf9,0x67])):
result=[]
for i, byte_val in enumerate(data):
xor_byte = xor_key[i % 4]
processed_byte = byte_val ^ xor_byte
result.append(processed_byte)
return bytes(result)
def print_rsakey_info():
#公私密钥拷贝自 AMPED Keygen
pri_data=bytes.fromhex('''308204A30201000282010100D2BF8069B298618B54272B13CE402C37826D906FA0DB47C916E304D61CFE847306AD1763A332A6FACBEF133DE5E634B333739EFFFE9F7513F7C38CDF4EB7CE27B56B728424F9410DB4CD3AB33D2A367123470D62324211876D83C15B59FB7A4D5A74E56F9E443DBEFF30289D3E4F84E58E6AB23AD4F43870034605E68EDF1FF90256AA027C6102981B8A7742C3DCFC536A4D98C4E22702F2BFFDE2985E232A2446D5750E20EDD27E59FA2475CFF2882CA33347209F62DED6965D85B03BDE6E02B99F680F33B7DC08F8730C0BCE62256FCA5613213A1182C00A36A9D496629D15C1B604550F97388C2DFD60CC8DC15CF5D61A829167CE07F9798168C92D6037470203010001028201005BC7FDC74A79D58565C5571BDD87921A2CA9C5ACEFCB7FD4622CC536F052A1E12C67A6978483F337A727FBE3C9A33B914D978D87E45E9290FB26C54B9D4F2C2F9BF16AE284EDAE78A72477EB867843547B6E1EB484B9C4438C1CC4D1217B855479D00DF9D1DDDB5C3A6BC14C55CE30CCFE7C96194C13FE1E3E36B92C234DA5F0B362663B5B353949FF83F3987080A20326CC8A4FC5E51FF5A91026BB72F1BF4EAA5EB893892E2AC6FEB828EC2D093F992589D7EDEE5DA8EA94C6F8EA61E1FF1D3686EE2B97859E0123CF438F457C97860C04263380EE82C84DB0CADCE121C93F5AD1EB0A802C7ABFF14B4265805CAC6C37F4BF4E17B034E29F3DE64EA98450CD02818100FFDC7E6D1275D1956316116CD79CD5A44F76A6284DD3C35E5A607C1C612D454BFB94DFF5EE63DDB695C8E3A9E398D188A25100959C632DBD3A23FC31F975484D1531151AA7CD6711C960018E366F1507FEB787757464F7E2F05AD097DAD9C8D34BAB3BD584948C7DABD750B3F9B651C3FCDE7133232CA2228F7880410A7FC89502818100D2DCBF521CC7FC91AE554A7ADE811CA07356C50227EC07A4DB06A2B681E29CA8F4D54A7D40D7DFAA38A1B6F03D9E4ACFBEF7C7AC45A6496C94BFD8FA0FB1C2528097AAACFDD0FAA5C9CD42A010018CB04A488A6437B5F4328B30D2FBE9290AA3C9937DD1DB92DFAE4431FC690B7EF879FFDDBAD9D3784A5869C6D8039B249D6B028181009A9EF0540FE4DD7C2EBE2657A5512516BFE2CEF4EA5B7FE4642F8CB145D4AADD093365C8E480BB7ADCB7E34546C29255C4E9B8B5B1258A7DA1461FE13F84ADE5CF59B30C41BDF27CA03A819624B52A7B8365FBD97236964B31BF5FF1751349B6CF32B2DD0CDB0CAFE18A243E2F390BDEA9D0EF8DDCC2DB5491695BF0725CD8A50281802101306917DC2DAA57D13DD131969FF67557358AFAD8B4F196DED9051C1B6E4DFBD48ECE402209FE48D2F7216F63A16E17040D9AE763F9
C6271A484A0BBED51DB8C7048E03447C970A99383E7982E4948B6C034D6072F88018CD5198E08BEE006902CF04D40B8F3B65AD3546F3E7B1D8D6B5CC13604849CAC0F3C0C7FFB6A175028180616C870F1920FD24DEBE793A273591CB3E858962A9A93022AF36FB15CEF57F3C3EE101F1A8AF206DF757EC7A7EBD99D7E1C5B18870EB8B66E78F3FA005E4431D71B25F350103C2E68BC4474DF3BDAC57F8D9327304C65E5069DDB25C178615D1A3B264B22B8826E33D21F4CD50433FD6210ED5699741FB219E75F6DD8F5DB714''')
pub_data=bytes.fromhex('''30820122300D06092A864886F70D01010105000382010F003082010A0282010100D2BF8069B298618B54272B13CE402C37826D906FA0DB47C916E304D61CFE847306AD1763A332A6FACBEF133DE5E634B333739EFFFE9F7513F7C38CDF4EB7CE27B56B728424F9410DB4CD3AB33D2A367123470D62324211876D83C15B59FB7A4D5A74E56F9E443DBEFF30289D3E4F84E58E6AB23AD4F43870034605E68EDF1FF90256AA027C6102981B8A7742C3DCFC536A4D98C4E22702F2BFFDE2985E232A2446D5750E20EDD27E59FA2475CFF2882CA33347209F62DED6965D85B03BDE6E02B99F680F33B7DC08F8730C0BCE62256FCA5613213A1182C00A36A9D496629D15C1B604550F97388C2DFD60CC8DC15CF5D61A829167CE07F9798168C92D6037470203010001''')
# nj_pubkeydata=bytes.fromhex('''30820122300D06092A864886F70D01010105000382010F003082010A0282010100D66C9EC8DC86F3DB68B2B8BF660551630527F4EC31193B69743EE1E650ABB1A2276361B00383F23D66680A681EB3B8DC4A7F9151E732F6D4B76963D1122A8F5899736BDE7B911C9F2A55E42DAA8566CBAD43BE681B2F381549C342FC19F1F593D24454741D17ADF221F633A5AC4DE85EF6023628F8F9368C616B1949D702C4195D411DD51A2F1B8459832299035EEF68BE1EE37D92A4DF758F5892C8AAF635A406A7AD4F9EBF03EB0E44DA485BBBF0983DF83920420AE824F4DA3CC9D1699535635F7151B279D27144B8A29A65B6E28CCBAFFDDBAB3FDE84CBF0E1FF4E28AB65197EC9FD027DCD7AF52880BF143275782F0782C3043B470204B63C40FC7BAF330203010001''')
# xor key 0x67F97244
nj_pubkey_xordata=bytes.fromhex('''74f0f845747fff6e6ef4b1e1b37ff8664577f964c673f66774f0f86d46f0f86644a495f98cae7f949f1a4bdffb14fc362777de93a843e05c2d06c786a22252d6e6559a06f4717a957914916d2c6c4adf983886f61595cb9190c590049560d3e81ceb8a0c9a09687bdb58ac8369d87c018fdfbad92c69d65f513b3a25b86b0892d7a0bd33306feecab6530f54e1deb48f1a84fb516c8a0051c813927e0da5fba35d2fb87a9168d67cc02b7a45dd71a7882ccce78439e05db831fda1f58cd80f52e0745eca0bec4664af7cbdbd0c294297dc4f015e6430f38f6086235b8da390f27111a61615c080b5353641c5de174f85c8b9569a9fd9c6b9c0b90986bb3cd1cc216b87aeb97084aa3e87d1e7fb66cb123c5dfee58776c22046764f5b048e82c87770fa664473f967''')
nj_pubkeydata=nj_xor(nj_pubkey_xordata)[:0x126]
nj_pubk=RSA.import_key(nj_pubkeydata)
print('nj e:',nj_pubk.e)
print('nj n:',nj_pubk.n)
print('\n\n')
pub_key=RSA.import_key(pub_data)
print('kg e:',pub_key.e)
print('kg n:',pub_key.n)
print('\n\n')
prik=RSA.import_key(pri_data)
print('kg d:',prik.d)
print('kg n:',prik.n)
print('kg e:',prik.e)
pass
if __name__=='__main__':
#print_rsakey_info()
lic_path='license.dat'
save=True
count=123
email="ikun@ikunkun.com"
text=kg(count,email)
print('lic==>')
print(text)
if save:
with open(lic_path,'w',encoding='utf8') as f:
f.write(text)
ps
[Default] Failed to get update info: Update authentication failed: License not found.
更新功能肯定不可用,这里不再继续分析。


