Linux程序破解与反破解

1. 许可证密钥位于二进制文件内

cpp

1.c

#include <string.h>
#include <stdio.h>

int main(int argc, char *argv[]) {
        if(argc==2) {
        printf("Checking License: %s\n", argv[1]);
        if(strcmp(argv[1], "AAAA-Z10N-42-OK")==0) {
            printf("Access Granted!\n");
        } else {
            printf("WRONG!\n");
        }
    } else {
        printf("Usage: <key>\n");
    }
    return 0;
}

Code

cat 1.c
gcc 1.c –o test1
./test1 AAAA-Z10N-42-OK

Crack：  strings test1

扰乱密钥加密

cpp

#include <string.h>
#include <stdio.h>

int main(int argc, char *argv[]) 
{
    if(argc==2) 
    {
        printf("Checking License: %s\n", argv[1]);
        int sum = 0;
        for (int i = 0; i < strlen(argv[1]); i++) 
            {
                sum+= (int)argv[1][i];  //ASCII累加
            }
        printf("Value: %d\n", sum);
        if(sum==916) 
        {
            printf("Access Granted!\n");
        } 
        else 
        {
            printf("WRONG!\n");
        }
    } 
    else 
    {
        printf("Usage: <key>\n");
    }
    return 0;
}

python

keygen2.py

#!/usr/bin/python
#coding=utf-8
import random
import sys

def check_key(key):
    char_sum = 0
    for c in key:
        char_sum += ord(c)
    sys.stdout.write("{0:3} | {1}      \r".format(char_sum, key))    # print
    sys.stdout.flush()                                               # 一秒输出一行
    return char_sum

key = ""
while True:
    key += random.choice("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")
    s = check_key(key)
    if s > 916:
        key = ""
    elif s==916:
        print "Found valid key: {0}".format(key)

Code

将输入key的ASCII累加，与注册码魔术值比较，达到隐藏密钥的效果

使用FUZZ进行反调试

python

#!/usr/bin/python
#coding=utf-8
import random
import os

os.system("cp test2 test2_fuzz")

def flip_byte(in_bytes):
    i = random.randint(0,len(in_bytes))
    c = chr(random.randint(0,0xFF))
    return in_bytes[:i]+c+in_bytes[i+1:]         # 随机字符

def copy_binary():
    with open("test2", "rb") as orig_f, open("test2_fuzz", "wb") as new_f:   # 二进制复制
        new_f.write(flip_byte(orig_f.read()))

def compare(fn1, fn2):                                          # 检查fuzz文件能否运行
    with open(fn1) as f1, open(fn2) as f2:
        return f1.read()==f2.read()

def check_output():                                                           # 检查文件是否存在
    os.system("(./test2_fuzz ; ./test2_fuzz AAAA-Z10N-42-OK) > fuzz_output")
    return compare("orig_output", "fuzz_output")


def check_gdb():
    os.system("echo disassemble main | gdb test2_fuzz > fuzz_gdb")           # 重定向到新文件
    return compare("orig_gdb", "fuzz_gdb")
'''
def check_radare():
    os.system('echo -e "aaa\ns sym.main\npdf" | radare2 test2_fuzz > fuzz_radare')
    return compare("orig_radare", "fuzz_radare")
'''
while True:
    copy_binary()
    if check_output() and not check_gdb(): # and not check_radare():
        print "FOUND POSSIBLE FAIL\n\n\n"
        os.system("tail fuzz_gdb")
        # os.system("tail fuzz_radare")
        raw_input()

Code

输出orig二进制文件

     (./test2_fuzz  ; ./test2_fuzz  AAAA-Z10N-42-OK)  >  orig_output
     echo disassemble main | gdb test2_fuzz > orig_gdb

Fuzz
     ./fuzz.py

验证
    gdb test2_fuzz
    disassemble main