"MyEclipse 2015" reverse hack record Series "1" (Pure Research)

Statement

• My Eclipse 2015 program is copyright GENUITEC, l.l.c all.
• The registration code, activation code, etc. of My Eclipse 2015 are authorized by GENUITEC, L.L.C and its paid users.
• Based on the interest of reverse engineering, this paper studies the software protection mechanism.
• Full source code and cracked patches will not be released.
• Where the authorization information will be directly inferred. Code processing
• This article is for my Eclipse Stable 2.0 or CL version

background

In the last two blog posts, we examined two major ways of reversing:

• Static analysis See: Clion Registration code algorithm reverse analysis record
• Dynamic commissioning See also: Dynamic Debug JetBrains clion Transcript

In this article, we will focus on the above two ways to break my Eclipse 2015 registration, activation algorithm and software protection mechanism.

First look at the results,Bling authorized to 2099 :

Activate by :

familiarity with the software itself

Because I was not familiar with my Eclipse, I looked for a long time to find the prompt authorization information interface where, Khan a first!

The converse itself, is from the lane to the Youdao, wherein the pleasure lies in the exploration itself, not the result.

To reverse a thing, must first familiar with its layout, mechanism, otherwise the reverse can only be empty talk.

• My Eclipse Software is too large, light installation package about 1.3G, and the domestic Baidu network disk download, odd slow.
• The My Eclipse plugin is large enough to find the key packages, LIB, and code snippets, which are slightly more complex and cumbersome.
• Because the software specification is significantly higher than the clion level, so the difficulty is heavy, at least in the implementation of dynamic debugging requires special processing.

Plug-in Mega:

When faced with an elephant, to overcome it, you need to endure, you need to observe its every move, and then to attack.

parsing class Load Information

Here, using our familiar verbose Dafa, analyze the class load information and narrow the target.
At the same time, the collection of class loading information, in the subsequent jar包 analysis, but also frequent to look at, looking for.

About main :

About license/licence :

Once you find or suspect some avenues, come here and look at the jar surrounding information of the key classes in the package to get a good grasp of the features of the software and avoid the need to work hard.

Create a static analysis environment Analyzing startup Information

Modify the My Eclipse installation directory to *.ini specify our own to java/jre/jvm facilitate the use of tools such as Jinfo .

View vm options and command line args :

Through the analysis, from $ME_HOME/plugins/org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar the beginning, try to start the program.

As its name, really is a launcher/loader , although the program started up, but want to be in 注册授权信息/My Eclipse Subscription Info the vicinity of such a program, and show the source code, this is still far from enough.

Creating a Code retrieval Environment

In order to be able to fully grasp the invocation path of a key class, method, to facilitate our backtracking or to explore important information, we usually use the following methods:

• Decompile the source code, fully modify at the key point, print the call stack.
• Use static AOP or hooks to insert our debugger.
• Use code as text processing to take advantage of sed/grep/less such tools, as well as file indexing capabilities, to facilitate large-scale critical code searches.
• Attaching the target process directly with the debugger, to display the source code, often requires US -g to generate debug information, which is limited under the protection mechanism of my eclipse, but this is where we need to break through.
• Leverage the analytical techniques provided by the IDE 查找使用/正向依赖/反向依赖 .
• Use dump to dump critical code snippets or class information from the target process and revert to the source code.

In short, the flexible combination of the above methods, the purpose is to fully in my eclipse this elephant body maneuvers, take what I need.

unzip the jar package and decompile the class as a Java file

The jar package is compressed in zip format, so we can also use it unzip to decompress.

In order to get a better anti-compilation effect, we do not use this time jd , in the Bo master installation of the Intellij IDEA Lib, there is an fern flower anti-compilation tool, which is also IDEA the default anti-compiler, we use it, there are interested things can search under, seemingly with a great mine craft source.

decompile, first compile the package that needs to be deserialized into a file, for example genuitec.jar.txt , and then create a simple script to batch it:

Decompression similar, do not map, we use unzip , you can also use the jar/编程 way to achieve decompression, of course, if you are not too tired, more than 1000 jar package, you can also manually unzip ^ ^.

${jar}-d${out_dir}

Build an index

Conditional can be used solr/lucene to do, here we take advantage of the IDE's indexing ability, very simple, all of the Java files We are interested in, throw into the IDE:

Then, you can easily search for the Class/java file we need:

Of course, you can also search by path:

Although because of the complexity of the various dependencies, it is difficult to complete the repair, can not fully compile and use semantic search and other means, but this step, for us to fully occupy the information and search to lay a solid foundation, with the information described earlier verbose , we can be critical code, class, path, symbol search, jump, greatly enhance our analytical efficiency.

Create a dynamic debugging environment

In the static phase, our analytical ability is limited, understand a software operating mechanism, the better way is to debug it.

However, we are faced with an elephant of my eclipse, even to give you complete source code, it is difficult to analyze clearly, so we have to use repair, interception and other means to reduce the scope of our dynamic debugging, reducing the difficulty.

Described above, is based on our static analysis, and static analysis, need to do a lot of work, tedious, fine, sometimes very annoying, let you have rm -rf / the impulse, at this time, on the quiet, you do is reverse work, is from No road, create the road, patience and adjust the mood is a must do one thing, This time, listen to no brain of the Divine Comedy, as soon as reset his own irritability, because behind, there are many unknown difficulties waiting for you to challenge.

OK, here in our anti-compiled Java code, pick a place of interest, a little bit of change, compiled into a class file, replace the corresponding jar package, and then use the previous article launcher to run a look at it!

I rub it, what the hell is this thing?

Something: The integrity verification technique used by My Eclipse 2015, combined with digital signatures, to achieve the purpose of the detection code being modified.

Really annoying, it seems not CLion so good, quiet, think about ideas.

Let's speculate on the call stack for this cue box:

    java     -> main     -> initialize     -> ..     -> integrationCheck     -> alert("骚年，你动了我的代码！")

Well, surely you already know what I'm talking about.

Use backtracking to analyze the integrity verification mechanism and see what it does.

Breaking software Integrity verification protection build your own wheels, pinpoint search: Finder

Now that the code has been modified, there is an error, where does dynamic debugging start?

As an engineer, the point that you can change the world is that you can build the wheels as needed.

This time, we have two ways:

1. or from a static environment to search for error hints
2. Build your own wheels to search for bug tips.

Why do you need to build your own wheels?

• Construction of static environment and its time-consuming
• Complex reverse target, easy to omit static analysis
• Easy to follow patch operation

Look at the wheels we need at this time:

Yes, we need it in the jar package, in the ZIP package, in the folder, in the class file:

• Find the file format we are interested in
• Find a byte fingerprint

• Print all the information we need

  As follows:

At this time, our search ability is as follows:

1. Verbose information.
2. The path, symbol, and file search provided by the static environment.
3. Finder that provides file fingerprint, byte signature search.
4. The run-time information provided by the serviceability agent.

Erase Integrity Verification Code

Before erasing, one of My Eclipse's Integrity validation codes is as follows:

After Erasure, the following:

My eclipsed 2015 integrity verification, scattered in multiple jar packages of multiple classes, or omitted, one is to be patient, the second is to rely on the finder's byte fingerprint search, while cooperating with the static environment analysis.
Here, the idea is very important, the rest of you are good at not good at doing deliberately ^ ^.

build your own wheels, file Patch: Patcher

Now, we need to erase the validated code, replace the original code, and delete, add something, here you can do it manually, after all, the jar package is the ZIP format, you can also do patch programs.

Consider the main purpose of your patch program:

1. It is not possible to patch in place at once and need to be patched more than once. Write the program to do, the configuration can be completed automatically. (Save time)
2. Output the necessary debugging information to facilitate diagnosis. (worry)
3. Automate the crack process. (Labor-saving)

As follows:

Debugging information:

let the program fly.

Having done the above steps, basically, you can do whatever you like.

Now, let's run the program to make sure that our small-scope changes are working as expected:

Integrity verification protection has broken through, but there is also registration protection, as shown in, it seems, the reverse journey is still far away?

So, how to hack registration protection?
The next article is announced.

Writing is not easy, if you think this article is good for you or bo you a smile, leave a message, click a recommendation:]

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

"MyEclipse 2015" reverse hack record Series "1" (Pure Research)