标题: 小议JEB3逆向工程 创建: 2020-06-05 12:32 更新: 链接: https://scz.617.cn/misc/202006051232.txt https://www.52pojie.cn/thread-1194011-1-1.html 2020.6.1有个JEB Pro 3.19.1.202005071620被放出来了,小钻风说可能是信用卡欺 诈弄来的。当时给他弄了个传统keygen对付着用,第二天他说有人放出另一种keygen, 可以离线算注册码,就是许可证密钥(License key)。这事我以前没干过,有点意思。 以调试方式启动JEB3,用Eclipse Attach。 点击"Manual Key Generation",看到"许可证数据(License data)"。在Eclipse中 Suspend JVM,主线程调用栈回溯是: org.eclipse.swt.internal.win32.OS.WaitMessage() line: not available [native method] org.eclipse.swt.widgets.Display.sleep() line: 4528 com.pnfsoftware.jeb.rcpclient.util.SwtUtil.sleep(org.eclipse.swt.widgets.Display) line: 52 com.pnfsoftware.jeb.rcpclient.dialogs.LicenseKeyDialog(com.pnfsoftware.jeb.rcpclient.dialogs.JebDialog).open() line: 395 com.pnfsoftware.jeb.rcpclient.dialogs.LicenseKeyDialog.open() line: 50 com.pnfsoftware.jeb.rcpclient.dialogs.LicenseKeyAutoDialog$3.widgetSelected(org.eclipse.swt.events.SelectionEvent) line: 190 org.eclipse.swt.widgets.TypedListener.handleEvent(org.eclipse.swt.widgets.Event) line: 252 org.eclipse.swt.widgets.EventTable.sendEvent(org.eclipse.swt.widgets.Event) line: 89 org.eclipse.swt.widgets.Display.sendEvent(org.eclipse.swt.widgets.EventTable, org.eclipse.swt.widgets.Event) line: 4105 org.eclipse.swt.widgets.Button(org.eclipse.swt.widgets.Widget).sendEvent(org.eclipse.swt.widgets.Event) line: 1037 org.eclipse.swt.widgets.Display.runDeferredEvents() line: 3922 org.eclipse.swt.widgets.Display.readAndDispatch() line: 3524 com.pnfsoftware.jeb.rcpclient.dialogs.LicenseKeyAutoDialog(com.pnfsoftware.jeb.rcpclient.dialogs.JebDialog).open() line: 394 com.pnfsoftware.jeb.rcpclient.dialogs.LicenseKeyAutoDialog.open() line: 83 com.pnfsoftware.jeb.rcpclient.RcpClientContext.retrieveLicenseKey(java.lang.String) line: 1699 com.pnfsoftware.jeb.rcpclient.RcpClientContext(com.pnfsoftware.jeb.client.AbstractClientContext).prepareCheckLicenseKey() line: 736 com.pnfsoftware.jeb.rcpclient.RcpClientContext(com.pnfsoftware.jeb.client.AbstractClientContext).start() line: 442 com.pnfsoftware.jeb.rcpclient.RcpClientContext.start() line: 1522 com.pnfsoftware.jeb.rcpclient.RcpClientContext.onApplicationReady(com.pnfsoftware.jeb.rcpclient.extensions.app.App) line: 1212 com.pnfsoftware.jeb.rcpclient.JebApp.onApplicationReady() line: 73 com.pnfsoftware.jeb.rcpclient.JebApp(com.pnfsoftware.jeb.rcpclient.extensions.app.App).run() line: 186 com.pnfsoftware.jeb.rcpclient.Launcher.main(java.lang.String[]) line: 35 -------------------------------------------------------------------------- /* * com.pnfsoftware.jeb.rcpclient.RcpClientContext.retrieveLicenseKey(String) : String */ public String retrieveLicenseKey(String licdata) -------------------------------------------------------------------------- 这个函数负责弹框显示"许可证数据(License data)",形参licdata就是对话框里的 数字串。 -------------------------------------------------------------------------- /* * com.pnfsoftware.jeb.client.AbstractClientContext.prepareCheckLicenseKey() : void */ private void prepareCheckLicenseKey() { ip.RF(); String str1 = this.pm.getString(".LicenseKey"); int[] arrayOfInt = new int[1]; int i = 0; if (!Strings.isBlank(str1)) { long[] arrayOfLong1 = ek.Ql(); for (long l2 : arrayOfLong1) { Fp localFp2 = new Fp(l2); if (localFp2.RF(str1, arrayOfInt)) { i = 1; break; } } } if (i == 0) { ip.Ql(); /* * 733行,返回MachineId */ long l1 = ek.RF(); /* * 734行 */ Fp localFp1 = new Fp(l1); /* * 735行,返回"许可证数据(License data)" */ String str2 = localFp1.RF(); /* * 736行,str2即"许可证数据(License data)",str1即"许可证密钥(License key)" */ str1 = retrieveLicenseKey(str2); ip.RF(); if (!localFp1.RF(str1, arrayOfInt)) { logger.info(S.s(437), new Object[0]); terminate(); } this.pm.setString(".LicenseKey", str1.trim()); } Licensing.setLicenseTimestamp(arrayOfInt[0]); int j = Licensing.getExpirationTimestamp(); if (j != 0) { if ((j < 0) || (getStartTimestamp() >= j)) { this.pm.setBoolean(".SupportExpired", Boolean.valueOf(true)); notifySupportExpired(); } else if (this.pm.getBoolean(".SupportExpired")) { this.pm.setBoolean(".SupportExpired", Boolean.valueOf(false)); } } } -------------------------------------------------------------------------- /* * com.pnfsoftware.jebglobal.Fp */ public class Fp { /* * MachineId */ private long RF; /* * 设置MachineId */ public Fp(long paramLong) { this.RF = paramLong; } /* * 返回"许可证数据(License data)" */ public String RF() { try { ByteArrayOutputStream localByteArrayOutputStream = new ByteArrayOutputStream(); LEDataOutputStream localLEDataOutputStream = new LEDataOutputStream(localByteArrayOutputStream); localLEDataOutputStream.writeLong(this.RF); localLEDataOutputStream.close(); /* * 41行,localByteArrayOutputStream.toByteArray()等于8字节little-endian序 * 的MachineId * * this.RF也是MachineId * * 返回"许可证数据(License data)" */ byte[] arrayOfByte = wR.RF(this.RF, localByteArrayOutputStream.toByteArray(), null); /* * 42行,对RC4结果进一步处理,就是格式化输出,没有数学变换 */ return wR.RF(arrayOfByte); } catch (Exception localException) {} return ""; } -------------------------------------------------------------------------- com.pnfsoftware.jebglobal.wR.RF(long, byte[], int[]) line: 104 com.pnfsoftware.jebglobal.Fp.RF() line: 41 [local variables unavailable] com.pnfsoftware.jeb.rcpclient.RcpClientContext(com.pnfsoftware.jeb.client.AbstractClientContext).prepareCheckLicenseKey() line: 735 [local variables unavailable] com.pnfsoftware.jeb.rcpclient.RcpClientContext(com.pnfsoftware.jeb.client.AbstractClientContext).start() line: 442 com.pnfsoftware.jeb.rcpclient.RcpClientContext.start() line: 1522 com.pnfsoftware.jeb.rcpclient.RcpClientContext.onApplicationReady(com.pnfsoftware.jeb.rcpclient.extensions.app.App) line: 1212 com.pnfsoftware.jeb.rcpclient.JebApp.onApplicationReady() line: 73 com.pnfsoftware.jeb.rcpclient.JebApp(com.pnfsoftware.jeb.rcpclient.extensions.app.App).run() line: 186 com.pnfsoftware.jeb.rcpclient.Launcher.main(java.lang.String[]) line: 35 -------------------------------------------------------------------------- /* * com.pnfsoftware.jebglobal.wR.RF(long, byte[], int[]) : byte[] */ public static byte[] RF(long paramLong, byte[] paramArrayOfByte, int[] paramArrayOfInt) { try { if (paramArrayOfByte == null) { return null; } ByteArrayOutputStream localByteArrayOutputStream = new ByteArrayOutputStream(); LEDataOutputStream localLEDataOutputStream = new LEDataOutputStream(localByteArrayOutputStream); localLEDataOutputStream.writeInt(64 + paramArrayOfByte.length); /* * 113行,随机数 */ localLEDataOutputStream.writeInt(UL.nextInt()); localLEDataOutputStream.writeInt(5); /* * 116行,占坑,后面会回填CRC32 */ localLEDataOutputStream.writeInt(0); localLEDataOutputStream.writeInt(Licensing.user_id); localLEDataOutputStream.writeLong(Licensing.license_id); /* * 120行,MachineId */ localLEDataOutputStream.writeLong(paramLong); localLEDataOutputStream.writeInt(Licensing.build_type); localLEDataOutputStream.writeInt(AbstractContext.app_ver.getMajor()); localLEDataOutputStream.writeInt(AbstractContext.app_ver.getMinor()); localLEDataOutputStream.writeInt(AbstractContext.app_ver.getBuildid()); localLEDataOutputStream.writeLong(AbstractContext.app_ver.getTimestamp()); int i = (int)((System.currentTimeMillis() - Tk) / 1000L); localLEDataOutputStream.writeInt(i); /* * 131行 * * com.pnfsoftware.jebglobal.wR.Az() : int */ int j = Az(); localLEDataOutputStream.writeInt(j); /* * 135行,随机数 */ int k = UL.nextInt(); localLEDataOutputStream.writeInt(k); /* * 138行,MachineId */ localLEDataOutputStream.write(paramArrayOfByte); localLEDataOutputStream.close(); byte[] arrayOfByte1 = localByteArrayOutputStream.toByteArray(); ByteBuffer localByteBuffer = ByteBuffer.wrap(arrayOfByte1); localByteBuffer.order(ByteOrder.LITTLE_ENDIAN); localByteBuffer.putInt(0, arrayOfByte1.length - 8); /* * 145行,计算[0x10:]的CRC32,回填相应字段 */ localByteBuffer.putInt(12, Hash.calculateCRC32(Arrays.copyOfRange(arrayOfByte1, 16, arrayOfByte1.length))); byte[] arrayOfByte2 = new byte[16]; for (int m = 0; m < 8; m++) { arrayOfByte2[m] = arrayOfByte1[m]; } for (m = 8; m < 16; m++) { arrayOfByte2[m] = RF[(m - 8)]; } /* * 154行,RC4() */ xS.RF(arrayOfByte2, arrayOfByte1, 8, arrayOfByte1.length); if ((paramArrayOfInt != null) && (paramArrayOfInt.length >= 1)) { paramArrayOfInt[0] = k; } return arrayOfByte1; } catch (Exception localException) {} return null; } -------------------------------------------------------------------------- /* * RC4() */ com.pnfsoftware.jebglobal.xS.RF(byte[], byte[], int, int) : void -------------------------------------------------------------------------- 对前述xS.RF()的第2形参尝试手工解码: -------------------------------------------------------------------------- 48 00 00 00 // +0x0 64 + 8 05 05 6e 1d // +0x4 随机数 05 00 00 00 // +0x8 固定值5 4a 56 83 5f // +0xc 后面所有数据的CRC32 06 58 76 3e // +0x10 // User ID: 1047943174 9b b9 d0 17 50 fe da 00 // +0x14 // License ID: 61641164873316763 xx xx xx xx xx xx xx xx // +0x1c MachineId ... // +0x24 (后略) -------------------------------------------------------------------------- RC4是流式对称加密算法,从out[]解密出in[],即可得到LicenseId、MachineId。 简化版调用关系: -------------------------------------------------------------------------- RcpClientContext.start // 3.19.1.202005071620 AbstractClientContext.start // RcpClientContext:1522 AbstractClientContext.prepareCheckLicenseKey // AbstractClientContext:442 ek.RF // AbstractClientContext:733 // 返回MachineId Fp.RF // AbstractClientContext:735 // 返回"许可证数据(License data)"的String形式 // 对话框中显示之 wR.RF // Fp:41 // 返回"许可证数据(License data)"的byte[]形式 xS.RF // wR:154 // RC4()/PrivateTransform() RcpClientContext.retrieveLicenseKey // AbstractClientContext:736 // 形参是"许可证数据(License data)"的String形式 -------------------------------------------------------------------------- 这种离线keygen确实更通用,参与运算的LicenseId、MachineId都从LicenseData解 密获取,同时适用于Windows、Linux、Mac,不需要关心MachineId的数据源在不同OS 上的获取方式。 说一下过期时间的事。JEB3的这个过期时间我不确认是否真地影响过期后的继续使用, 曾经有过不同的情况,比如只影响升级,不影响继续使用。如果真影响过期后的继续 使用,可能得动态Patch一个类: com.pnfsoftware.jeb.client.Licensing 具体是这个函数: com.pnfsoftware.jeb.client.Licensing.getExpirationTimestamp() : int 该函数中用到常量86400,将之改成864000,则过期时间变成"2030-05-30"。不要贪 心地改成8640000,否则过期时间回绕到1984。 $ fc /b old new 00000034: 01 0D 00000035: 51 2F 00000036: 80 00 可以用你喜欢的任一动态Patch技术去完成内存中的常量修改,不建议静态Patch。 感慨一句,JEB2真是我的伤心之地,以至于每看到一个新版JEB出场,都要长叹一声, 欲语还休。