
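[Commercial Protection] [Debugging & Reversing] [Original] A quick crack of a video analysis program that uses LimeLM (TurboActivate) for license verification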

2019-11-13 16:28 1484

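  Recently I came across a video analysis program online, call it xx Analyzer. It is quite powerful, but it is a trial version: a warning window pops up about every 5 minutes, and the trial period is only 3 days, so it soon becomes unusable. So I wanted to see whether I could crack it quickly; if it turned out to be a lot of trouble I would drop it, because I would only use it a few times, not regularly, and it is not worth spending much time on.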



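  The program is 64-bit and not packed, great. I opened it directly in IDA and ran it under the debugger; there was no anti-debugging and it started successfully. I found the registration menu in the program window and opened the activation window: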



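  It looks like a bit of a hassle: first you need a serial number, and then you have to obtain a certificate before you can activate. It seems there are two kinds of serial numbers, one that extends the trial period and one for full activation. Never mind that for now; let's enter an arbitrary serial number and try: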



  It reports the error “Invalid product key.”. Searching for the string directly in IDA, I quickly found it:



  Following that lead, I found the related code:



  I set a breakpoint and debugged dynamically; after it hit, I traced backwards and gradually found the following code:




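  TA_IsGenuineEx and TA_IsActivated check internally whether the serial number format is correct, and should be related to activation. I stepped into them a little and they felt somewhat complicated, so I went back to see where these two functions come from: TurboActivate.dll. I had never seen it, so I looked up what it does, and what I found was quite something; it looks really impressive.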

  TurboActivate is a module of the LimeLM product from the company wyDay, a professional online activation tool. Let's take a look at its website:

  https://wyday.com/limelm/features/why/

  Poorly designed licensing systems simply send an “OK” or “Not OK” message when fake-activating instead of doing it properly by cryptographically signing the hardware “fingerprint”. This “OK”/“Not OK” behavior is incorrect and depends on how well the licensing can hide the response from the end-user. In other words this is snake oil. If your licensing system fake-activates by hiding an “OK” response then this fake-activation will be copied onto the hundreds or thousands of cloned hard drives. Thus, the company gets thousands of free copies of your software.

  Fitting with our philosophy of LimeLM (simplicity for you and your customers) we take an entirely different direction. TurboActivate dynamically chooses the best hardware-ID based on the actual computer hardware. We have researched which are the best components to "lock" the computer to and we don't make you worry about what works and what doesn't.

  Roughly, it means that other vendors' systems are snake oil (quack medicine, a big con) and ours is the best.






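  This thing requires registering an account online, generating a certificate, and providing authentication, which looked daunting to me; going down that road would take quite a lot of time.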

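  However, software protection built on a mature module or device like this often has a very, very, very serious problem: how it is called. If the program merely checks the returned result, then changing a few jumps solves the problem, like a steel fortress on an unstable foundation that comes crashing down. So what about this program? Let's try and see.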

  On the official website I saw descriptions of the three functions TA_IsActivated(), TA_IsGenuine() and TA_IsGenuineEx():

  TA_IsActivated() checks if the user is activated without contacting any servers (no internet connection needed ever). It does this by verifying the cryptographically signed "computer fingerprint".

  TA_IsGenuine() contacts the LimeLM servers to see if the user is still activated (checks for revoked product keys, etc.) and whether features have changed. This function requires an active internet connection to succeed (or else you get a TA_E_INET return code).

  TA_IsGenuineEx() is a mix of the best parts of TA_IsActivated() and TA_IsGenuine(). In TA_IsGenuineEx() you can specify how often to check with the LimeLM servers and all other times it verifies the activation locally.

  It seems TA_IsActivated() and TA_IsGenuineEx() are the key functions. Let's try directly modifying the 3 jumps below:




  Open the registration window again and take a look:



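  Done, and surprisingly it was that easy. I tried the features again: no problems, and the pop-up window is gone too. Just like that, it's settled. Beyond what I imagined!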



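  If one made a fake TurboActivate.dll that always returns the correct value, then software with such simple verification could all be defeated easily in an instant.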

  Never mind, as long as xxAnalyzer works, that's enough. Let's leave it at that.




Latest replies (1)
wx_段付江 2020-3-13 09:47
yes
Last edited by wx_段付江 on 2020-3-13 22:13; reason: