看雪论坛
发新帖

[原创] Thunder.app 2.x 逆向分析,实现免登录 + 会员加速

狗一条 2017-3-15 11:25 2714

    

本主题帖已收到 0 次赞赏,累计¥0.00
最新回复 (13)
MsScotch 2017-3-15 12:08
2
感谢分享 下载支持
eastlhu 2017-3-15 14:40
3
感谢干货!!
mldonkey 2017-3-25 16:55
4

    测试下,希望不要介意

notwenhua 2017-3-31 17:36
5
帖子内容呢??
蛋蛋好疼 2017-3-31 18:17
6
被删了吗
CRoot 2017-3-31 18:47
7
貌似升级被吞了?
bluegatar 2017-4-6 16:06
8
好可惜,希望内容可以恢复
qunwang 2017-4-9 20:49
9
为啥看不到?
ChengQing 2017-4-26 11:41
10
来晚喽。干货没有喽
rrrfff 2017-4-26 12:00
11
https://blog.chichou.me/某软件防篡改分析-2e8d891bacb2
hackbs 2017-5-3 15:54
12
看不到文章。
ChiChou 2017-5-5 10:27
13
#!/usr/bin/env python3
# requires XCode
import subprocess, sys, os, hashlib, plistlib
package = '/Applications/Thunder.app/Contents'
executable = os.path.join(package, 'MacOS/Thunder')
plugins_dir = os.path.join(package, 'BrowserPlugins')
def backup():
    from shutil import copyfile
    backup = executable + '.bak'
    if os.path.isfile(backup):
        print('Backup found, maybe the file has already been patched.')
        sys.exit(-1)
    copyfile(executable, backup)
def patch_exec():
    try:
        output = subprocess.check_output(['nm', executable])
    except:
        print('Failed to execute nm, please install XCode.')
        sys.exit(-1)
    ret_1 = b'\x48\xc7\xc0\x01\x00\x00\x00\xc3'
    ret_0 = b'\x48\x31\xc0\xc3'
    ret = b'\xc3'
    patches = {
        ret_1: [
            '-[LocalTask isValidLixianTask]',
            '-[UserController isVip]',
            '-[UserController isPlatinum]',
            '-[UserController isDiamond]',
            '-[UserController isLogined]'
        ],
        ret_0: [
            '-[AutoLiveUpdateController _shouldCheckUpdate:]',
        ],
        ret: [
            '-[MainWndCtrl checkUpdate:]'
        ]
    }
    lookup = {}
    for code, symbols in patches.items():
        for symbol in symbols:
            lookup[symbol] = code
    base = None
    output = output.decode('utf8')
    with open(executable, 'r+b') as f:
        for line in output.splitlines():
            if '__mh_execute_header' in line:
                base, *_ = line.split()
                base = int(base, 16)
        if not base:
            print('Failed to retrive base address')
            sys.exit(-1)
        for line in output.splitlines():
            if not len(lookup):
                break
            for symbol, code in lookup.items():
                if symbol in line:
                    addr, *_ = line.split()
                    addr = int(addr, 16)
                    offset = addr - base
                    f.seek(offset, 0)
                    f.write(code)  # patch function
                    print('%s has been patched.' % symbol)
                    lookup.pop(symbol)
                    break
    print('remove signature')
    args = ['codesign', executable, '--remove-signature']
    try:
        subprocess.check_output(args)
    except:
        print('failed to remove signature, try run following command manually:')
        print(' '.join(args))
    print('Successfully patched %s' % executable)
def patch_self_check():
    m = hashlib.md5()
    with open(executable, 'rb+') as f:
        while True:
            buf = f.read(1)
            if not buf:
                break
            m.update(buf)
            f.seek(1023, 1)
    digest = m.digest()
    lookup = (15, 4, 6, 3, 1, 0, 7, 8, 2, 11, 10, 13, 12, 14, 9, 5)
    hexdigest = ''.join(['%0.2X' % digest[index] for index in lookup])
    dirname = os.path.join(plugins_dir, hexdigest)
    if not os.path.isdir(dirname):
        os.mkdir(dirname)
def clear_quit_flag():
    plist_path = os.path.join(os.environ.get(
        'HOME'), 'Library/Preferences/com.xunlei.Thunder.plist')
    with open(plist_path, 'rb+') as f:
        pref = plistlib.load(f)
        force_quit = pref.get('ForceQuit')
        if force_quit:
            pref.update({'ForceQuit': True})
            plistlib.dump(pref, f)
            print('Clear quit flag')
if __name__ == '__main__':
    backup()
    patch_exec()
    patch_self_check()
    clear_quit_flag()


顺带去除检查更新。解析符号和偏移使用了 nm,需要安装 Xcode

everettjf 2017-5-5 13:25
14
膜拜
返回



©2000-2017 看雪学院 | Based on Xiuno BBS | 知道创宇带宽支持 | 微信公众号:ikanxue
Time: 0.014, SQL: 13 / 京ICP备10040895号-17