Synalyze It! Pro v1.11.2

-------------------------------------------------------------------

[www.synalysis.net](http://www.synalysis.net)

![image](http://www.synalysis.net/_Media/screenshot1_med.png)

Imagine this...

You have a binary file and don't know what it contains. Or you have a specification, but don't want to decode by hand the binary files some piece of software creates.

Have you ever stared at a hex dump and thought how hard it is to make sense of it? And to remember what all the bits and bytes mean?

You've come to the right place! Synalyze It! lets you create interactive grammars for your binary files. Unlike a regular hex editor or viewer, the file is interpreted for you automatically! Binary file analysis has never been this easy.

Synalyze It! is also a full-featured hex editor for Mac OS X that lets you edit files of any size using dozens of text encodings and interpret what the bytes mean.

### Main features: [additional features](http://www.synalysis.net/additional-features.html)

**Hex editing**

Synalyze It! allows editing of files of any size without delay. Even copying of data of any size via clipboard is possible.
When you insert a string from the clipboard, the selected encoding is applied, of course. This enables you to convert text from one encoding to another easily.

**Compute checksums**

Compute various checksums for the selected bytes

**Export grammars for visualization**

Visualize your grammars by exporting to .dot (GraphViz) files

**Data views**

Display the selection in different number and color representations

**Print preview**

Print the hex view with or without text and mapped structures

**Save selected bytes**

Selected bytes can be written to disk directly

**Jump to position**

Directly jump to a specific file offset (decimal or hex)

**Jump to position from the toolbar**

Jump to positions entering expressions

**Data statistics**

Let Synalyze It! count the occurrence of each byte in a file.

**Compare byte values across encodings**

Check the text encoding (ASCII/EBCDIC) of some hex values

**Incremental text search with encoding selection**

Search text incrementally using one of dozens of code pages

**Find numbers: 8-64 bit signed/unsigned, little/big endian**

Find a number in a file instantly and jump directly to the findings

**Find byte sequences matching a bit mask**

Find all places in a file that match a certain bit mask

**Find strings**

See all strings with a certain encoding

Find all strings in a file like with the Unix strings command

**Extensible grammar highlighting via scripts**

Write Python or Lua scripts where the "static" grammar is not enough

**Grammars support powerful expressions**

Structure and element sizes as well as repeat counts can contain complex formulas

---------------------------------------------------------------------------
**1. After the trial expires, launching the app prints this log:**

0xcb@cb.cn ~/Desktop> cd Synalyze\ It!\ Pro.app/Contents/MacOS/
0xcb@cb.cn ~/D/S/C/MacOS> ./Synalyze\ It!\ Pro
2015-06-11 00:07:35.804 Synalyze It! Pro[2844:507] Encountered error 'Invalid product key' ('91')
2015-06-11 00:07:35.804 Synalyze It! Pro[2844:507] Encountered error 'Invalid product key' ('91')
---------------------------------------------------------------------------
**2. So first debug to locate the license check. Open `Synalyze It! Pro` in `lldb`, set a breakpoint on `NSLogv`, the function that writes the log line, and run the program. The breakpoint hits at `0x7fff9349f2dd NSLogv` in Foundation.framework. Looking at the call stack, the method names make it easy to find the verification method that pops up the expiry window: `-[TurboActivateController showIfNotActivatedOrInTrial:] + 80`**

0xcb@cb.cn ~/Desktop> lldb Synalyze\ It!\ Pro.app
(lldb) target create "Synalyze It! Pro.app"
Current executable set to 'Synalyze It! Pro.app' (x86_64).
(lldb) br s -n NSLogv
Breakpoint 1: where = Foundation`NSLogv, address = 0x00000000000442dd
(lldb) r
Process 2873 launched: '/Users/0xcb/Desktop/Synalyze It! Pro.app/Contents/ MacOS/Synalyze It! Pro' (x86_64)
Process 2873 stopped
* thread #1: tid = 0x11181, 0x00007fff9349f2dd Foundation`NSLogv, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x00007fff9349f2dd Foundation`NSLogv
Foundation`NSLogv:
-> 0x7fff9349f2dd: pushq %rbp
0x7fff9349f2de: movq %rsp, %rbp
0x7fff9349f2e1: pushq %r15
0x7fff9349f2e3: pushq %r14
(lldb) bt
* thread #1: tid = 0x11181, 0x00007fff9349f2dd Foundation`NSLogv, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
* frame #0: 0x00007fff9349f2dd Foundation`NSLogv
frame #1: 0x00000001000368fe Synalyze It! Pro`_LogTraceMessage + 51
frame #2: 0x000000010006ffe5 Synalyze It! Pro`TraceMessage + 1064
frame #3: 0x000000010006fb79 Synalyze It! Pro`TraceFatal + 185
frame #4: 0x0000000100067f09 Synalyze It! Pro`-[TurboActivateController windowDidLoad] + 329
frame #5: 0x00007fff95d063ac AppKit`-[NSWindowController _windowDidLoad] + 450
frame #6: 0x00007fff95cecfa6 AppKit`-[NSWindowController window] + 110
frame #7: 0x0000000100067ba3 Synalyze It! Pro`-[TurboActivateController transitionToTab:] + 32
frame #8: 0x0000000100067db9 Synalyze It! Pro`-[TurboActivateController selectTabViewIndex] + 121
frame #9: 0x0000000100068179 Synalyze It! Pro`-[TurboActivateController showWindow:] + 36
frame #10: 0x000000010006820e Synalyze It! Pro`-[TurboActivateController showIfNotActivatedOrInTrial:] + 80
frame #11: 0x0000000100035a74 Synalyze It! Pro`-[SynalyzeItApplicationDelegate applicationDidFinishLaunching:] + 587
frame #12: 0x00007fff8ec54e0c CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 12
frame #13: 0x00007fff8eb4882d CoreFoundation`_CFXNotificationPost + 2893
frame #14: 0x00007fff9345ddda Foundation`-[NSNotificationCenter postNotificationName:object:userInfo:] + 68
frame #15: 0x00007fff95a78b69 AppKit`-[NSApplication _postDidFinishNotification] + 289
frame #16: 0x00007fff95a7889c AppKit`-[NSApplication _sendFinishLaunchingNotification] + 195
frame #17: 0x00007fff95a75786 AppKit`-[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] + 570
frame #18: 0x00007fff95a751db AppKit`-[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] + 242
frame #19: 0x00007fff9347c52a Foundation`-[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] + 294
frame #20: 0x00007fff9347c39d Foundation`_NSAppleEventManagerGenericHandler + 106
frame #21: 0x00007fff95791e1f AE`aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) + 381
frame #22: 0x00007fff95791c32 AE`dispatchEventAndSendReply(AEDesc const*, AEDesc*) + 31
frame #23: 0x00007fff95791b36 AE`aeProcessAppleEvent + 315
frame #24: 0x00007fff97e39161 HIToolbox`AEProcessAppleEvent + 56
frame #25: 0x00007fff95a710b6 AppKit`_DPSNextEvent + 1026
frame #26: 0x00007fff95a7089b AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
frame #27: 0x00007fff95a6499c AppKit`-[NSApplication run] + 553
frame #28: 0x00007fff95a4f783 AppKit`NSApplicationMain + 940
frame #29: 0x000000010006a155 Synalyze It! Pro`main + 97
frame #30: 0x0000000100001934 Synalyze It! Pro`start + 52
(lldb)
**3. Next, look at that method's assembly: `-[TurboActivateController showIfNotActivatedOrInTrial:] + 80`**

(lldb) frame select 10
frame #10: 0x000000010006820e Synalyze It! Pro`-[TurboActivateController showIfNotActivatedOrInTrial:] + 80
Synalyze It! Pro`-[TurboActivateController showIfNotActivatedOrInTrial:] + 80:
-> 0x10006820e: jmp 0x100068231 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 115
0x100068210: leaq 0x191563d(%rip), %rcx ; "<unknown>"
0x100068217: leaq 0x18fc6cc(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/Cocoa/TurboActivateController.m"
0x10006821e: leaq 0x1915665(%rip), %rdx ; "Encountered error '%s' ('%d')"
(lldb) dis
Synalyze It! Pro`-[TurboActivateController showIfNotActivatedOrInTrial:]:
0x1000681be: pushq %rbp
0x1000681bf: movq %rsp, %rbp
0x1000681c2: pushq %rbx
0x1000681c3: pushq %rax
0x1000681c4: movq %rdi, %rbx
0x1000681c7: movb $0x0, -0x9(%rbp)
0x1000681cb: leaq -0x9(%rbp), %rdi
0x1000681cf: callq 0x100069fce ; LicenseQueryActivatedOrInTrialTA
0x1000681d4: movl %eax, %r8d
0x1000681d7: testl %r8d, %r8d
0x1000681da: je 0x1000681f5 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 55
0x1000681dc: cmpl $0xda, %r8d
0x1000681e3: ja 0x100068210 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 82
0x1000681e5: movslq %r8d, %rax
0x1000681e8: leaq 0x19b6201(%rip), %rcx ; GioMemFunctions + 88
0x1000681ef: movq (%rcx,%rax,8), %rcx
0x1000681f3: jmp 0x100068217 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 89
0x1000681f5: cmpb $0x0, -0x9(%rbp)
0x1000681f9: jne 0x100068231 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 115
0x1000681fb: movq 0x19e6426(%rip), %rsi ; "showWindow:"
0x100068202: movq %rbx, %rdi
0x100068205: movq %rbx, %rdx
0x100068208: callq *0x199d16a(%rip) ; (void *)0x00007fff94c85080: objc_msgSend
-> 0x10006820e: jmp 0x100068231 ; -[TurboActivateController showIfNotActivatedOrInTrial:] + 115
0x100068210: leaq 0x191563d(%rip), %rcx ; "<unknown>"
0x100068217: leaq 0x18fc6cc(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/Cocoa/TurboActivateController.m"
0x10006821e: leaq 0x1915665(%rip), %rdx ; "Encountered error '%s' ('%d')"
0x100068225: movl $0xe5, %esi
0x10006822a: xorl %eax, %eax
0x10006822c: callq 0x10006fac0 ; TraceFatal
0x100068231: addq $0x8, %rsp
0x100068235: popq %rbx
0x100068236: popq %rbp
0x100068237: retq
(lldb)
**4. Find the suspicious method call at `0x1000681cf: callq 0x100069fce ; LicenseQueryActivatedOrInTrialTA` and step into it:**

(lldb) dis -s 0x100069fce -c 36
Synalyze It! Pro`LicenseQueryActivatedOrInTrialTA:
0x100069fce: pushq %rbp
0x100069fcf: movq %rsp, %rbp
0x100069fd2: pushq %r14
0x100069fd4: pushq %rbx
0x100069fd5: subq $0x10, %rsp
0x100069fd9: movq %rdi, %r14
0x100069fdc: movb $0x0, -0x11(%rbp)
0x100069fe0: leaq -0x11(%rbp), %rdi
0x100069fe4: callq 0x100069f83 ; LicenseQueryActivatedTA
0x100069fe9: movl %eax, %ebx
0x100069feb: testl %ebx, %ebx
0x100069fed: je 0x10006a007 ; LicenseQueryActivatedOrInTrialTA + 57
0x100069fef: cmpl $0xda, %ebx
0x100069ff5: ja 0x10006a015 ; LicenseQueryActivatedOrInTrialTA + 71
0x100069ff7: movslq %ebx, %rax
0x100069ffa: leaq 0x19b43ef(%rip), %rcx ; GioMemFunctions + 88
0x10006a001: movq (%rcx,%rax,8), %rcx
0x10006a005: jmp 0x10006a01c ; LicenseQueryActivatedOrInTrialTA + 78
0x10006a007: cmpb $0x0, -0x11(%rbp)
0x10006a00b: je 0x10006a044 ; LicenseQueryActivatedOrInTrialTA + 118
0x10006a00d: movb $0x1, (%r14)
0x10006a011: xorl %ebx, %ebx
0x10006a013: jmp 0x10006a039 ; LicenseQueryActivatedOrInTrialTA + 107
0x10006a015: leaq 0x1913838(%rip), %rcx ; "<unknown>"
0x10006a01c: leaq 0x18fb039(%rip), %rdi ; "/Users/ape/projects/Synalyze-It/c/LicensingTurbo.c"
0x10006a023: leaq 0x1913860(%rip), %rdx ; "Encountered error '%s' ('%d')"
0x10006a02a: movl $0x147, %esi
0x10006a02f: xorl %eax, %eax
0x10006a031: movl %ebx, %r8d
0x10006a034: callq 0x10006fac0 ; TraceFatal
0x10006a039: movl %ebx, %eax
0x10006a03b: addq $0x10, %rsp
0x10006a03f: popq %rbx
0x10006a040: popq %r14
0x10006a042: popq %rbp
0x10006a043: retq
(lldb)
**5. An obvious call that queries the activation state: `0x100069fe4: callq 0x100069f83 ; LicenseQueryActivatedTA`. Look at that function's assembly:**

(lldb) dis -s 0x100069f83 -c 28
Synalyze It! Pro`LicenseQueryActivatedTA:
0x100069f83: pushq %rbp
0x100069f84: movq %rsp, %rbp
0x100069f87: pushq %rbx
0x100069f88: pushq %rax
0x100069f89: movq %rdi, %rbx
0x100069f8c: leaq 0x18fb102(%rip), %rdi ; "202385488551004732b6fe35.69803382"
0x100069f93: callq 0x100443cc2 ; symbol stub for: IsActivated
0x100069f98: cmpl $0x1, %eax
0x100069f9b: jne 0x100069fa4 ; LicenseQueryActivatedTA + 33
0x100069f9d: movb $0x0, (%rbx)
0x100069fa0: xorl %ecx, %ecx
0x100069fa2: jmp 0x100069fc5 ; LicenseQueryActivatedTA + 66
0x100069fa4: testl %eax, %eax
0x100069fa6: jne 0x100069faf ; LicenseQueryActivatedTA + 44
0x100069fa8: movb $0x1, (%rbx)
0x100069fab: xorl %ecx, %ecx
0x100069fad: jmp 0x100069fc5 ; LicenseQueryActivatedTA + 66
0x100069faf: movl $0x72, %ecx
0x100069fb4: cmpl $0x19, %eax
0x100069fb7: ja 0x100069fc5 ; LicenseQueryActivatedTA + 66
0x100069fb9: cltq
0x100069fbb: leaq 0x18a76be(%rip), %rcx ; alertNativeButtonIndexAndTypeToButtonIndex + 48
0x100069fc2: movl (%rcx,%rax,4), %ecx
0x100069fc5: movl %ecx, %eax
0x100069fc7: addq $0x8, %rsp
0x100069fcb: popq %rbx
0x100069fcc: popq %rbp
0x100069fcd: retq

**6. Find the function and a fixed argument: `0x100069f93: callq 0x100443cc2 ; symbol stub for: IsActivated`. The argument is "202385488551004732b6fe35.69803382". Keep following:**

(lldb) dis -s 0x100443cc2 -c 5
Synalyze It! Pro`symbol stub for: IsActivated:
0x100443cc2: jmpq *0x15c1b70(%rip) ; (void *)0x0000000101f75e18: IsActivated

Synalyze It! Pro`symbol stub for: IsDateValid:
0x100443cc8: jmpq *0x15c1b72(%rip) ; (void *)0x000000010044488e

Synalyze It! Pro`symbol stub for: TrialDaysRemaining:
0x100443cce: jmpq *0x15c1b74(%rip) ; (void *)0x0000000101f750b9: TrialDaysRemaining

Synalyze It! Pro`symbol stub for: UseTrial:
0x100443cd4: jmpq *0x15c1b76(%rip) ; (void *)0x0000000101f751f8: UseTrial

Synalyze It! Pro`symbol stub for: NSDivideRect:
0x100443cda: jmpq *0x15c1b78(%rip) ; (void *)0x00000001004448ac
(lldb)

**7. Here the symbol stub jumps out to an external symbol: look up which image contains the `IsActivated` symbol.**

(lldb) image lookup -r -n IsActivated
1 match found in /Users/0xcb/Desktop/Synalyze It! Pro.app/Contents/MacOS/./libTurboActivate.dylib:
Address: libTurboActivate.dylib[0x0000000000014e18] (libTurboActivate.dylib.__TEXT.__text + 79288)
Summary: libTurboActivate.dylib`IsActivated
(lldb)

**8. Conclusion: the call that checks whether the app is activated lives in the dynamic library `libTurboActivate.dylib`.**
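As an added example (not code from the post, and not part of Synalyze It! or TurboActivate), the same dependency edge that `image lookup` resolved above can be read straight out of the executable's Mach-O load commands, which is how `otool -L` lists the dylibs an app links against. The sample image it parses is constructed inline, and the install name `@executable_path/libTurboActivate.dylib` is an assumption, not taken from the real binary.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE  # same magic byte-swapped: header stored big-endian

# Load commands that record a dylib dependency (two carry the LC_REQ_DYLD bit).
DYLIB_COMMANDS = {
    0x0000000C: "LC_LOAD_DYLIB",
    0x80000018: "LC_LOAD_WEAK_DYLIB",
    0x8000001F: "LC_REEXPORT_DYLIB",
    0x80000023: "LC_LOAD_UPWARD_DYLIB",
}

def linked_dylibs(data):
    """Return (command name, install name) for every dylib load command of a 64-bit Mach-O."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        endian = "<"
    elif magic == MH_CIGAM_64:
        endian = ">"
    else:
        raise ValueError("not a thin 64-bit Mach-O image (fat/32-bit not handled here)")
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)
    offset, end = 32, 32 + sizeofcmds
    found = []
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("bad cmdsize at offset %d" % offset)
        if cmd in DYLIB_COMMANDS:
            # dylib_command: cmd, cmdsize, then struct dylib whose first field is an lc_str
            # (an offset, relative to the command start, of the NUL-terminated install name)
            name_off, = struct.unpack_from(endian + "I", data, offset + 8)
            raw = data[offset + name_off:offset + cmdsize]
            found.append((DYLIB_COMMANDS[cmd], raw.split(b"\0", 1)[0].decode("utf-8")))
        offset += cmdsize
    return found

def build_sample_image():
    """Constructed sample: a minimal little-endian Mach-O 64 header plus one LC_LOAD_DYLIB."""
    name = b"@executable_path/libTurboActivate.dylib\0"  # assumed install name, not from the app
    dylib = struct.pack("<IIII", 24, 0, 0x30400, 0x10000) + name  # lc_str offset 24 = after 6 words
    cmdsize = (8 + len(dylib) + 7) & ~7  # dyld requires 8-byte aligned command sizes
    lc = (struct.pack("<II", 0x0C, cmdsize) + dylib).ljust(cmdsize, b"\0")
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 1, len(lc), 0, 0)
    return header + lc
```

Run `linked_dylibs(open(path, "rb").read())` on a real thin x86_64 Mach-O to list its dependencies; fat binaries must first be sliced with `lipo -thin`.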

---------------------------------------------------------------------------

**9. Find `libTurboActivate.dylib` and look at its strings:**

0xcb@cb.cn ~/Desktop> cd Synalyze\ It!\ Pro.app/Contents/MacOS/
0xcb@cb.cn ~/D/S/C/MacOS> ls
Synalyze It! Pro TurboActivate.dat libTurboActivate.dylib
0xcb@cb.cn ~/D/S/C/MacOS> strings libTurboActivate.dylib
Could not create new curl instance
TurboActivate/3.4.0.0 (http://wyday.com/limelm/)
socks=
http=
(proxies != NULL) == (error == NULL)
/Users/wyatt/source/turboactivate/Library/ProxyResolverMac.cpp
resultPtr != NULL
*resultPtr == NULL
proxies != NULL
expandedProxiesPtr != NULL
*expandedProxiesPtr == NULL
thisProxy != NULL
CFGetTypeID(thisProxy) == CFDictionaryGetTypeID()
proxyType != NULL
CFGetTypeID(proxyType) == CFStringGetTypeID()
scriptURL != NULL
CFGetTypeID(scriptURL) == CFURLGetTypeID()
com.apple.dts.CFProxySupportTool
result != NULL
false
(err == noErr) == (*expandedProxiesPtr != NULL)
scheme != NULL
HTTP
GetProxiesForURL
CreateProxyListWithExpandedPACProxies
ResultCallback
/Users/wyatt/source/cryptopp/secblock.h
m_register.size() > 0
/Users/wyatt/source/cryptopp/modes.h
!"ProcessRecoverableMessage() not implemented"
/Users/wyatt/source/cryptopp/pubkey.h
/Users/wyatt/source/cryptopp/filters.h
/Users/wyatt/source/cryptopp/cryptlib.h
......
(remaining output omitted)

**10. Found useful information: http://wyday.com/limelm/. Go to the site [link](http://wyday.com/limelm/), register, and download the SDK for this module. Then write your own SDK with the same interface, put it into the folder `Synalyze\ It!\ Pro.app/Contents/MacOS/` and replace `libTurboActivate.dylib`; the app is then in the activated state :)**

---------------------------------------------------------------------------

#### Summary: I originally planned to use Hopper Disassembler to patch a few functions in libTurboActivate.dylib directly, but then I searched its strings, saw the library vendor's support site and followed the trail from there. In theory this works on all earlier versions too :)

-by 0xcb

---------------------------------------------------------------------------


posted on 2015-06-11 10:15 by 不追浮云的人