GalaxyPilot —— D.S

作者：舵手
申明：如轉載請保證文章的完整性
來源：www.tkk7.com/galaxyp/
軟件下載:www.e-t.com

軟件簡介:
??? Jshrink extracts the minimal set of Java class files for an application, removes unused code and data,
obfuscates symbolic names, finalizes code for optimized execution, and stores the results in a Java archive
.jar file.???
??? Jshrink typically reduces program size by 30-40%. Jshrink obfuscated code is much harder to comprehend
when decompiled, a claim that can be readily verified using Jshrink’s built-in Java decompiler. What at first
glance seems to be meaningful names in Jshrink obfuscated code are often reused system names, a Jshrink
obfuscation technique called semantic recycling.

??? 一直沒怎么用過，閑來無聊想研究下它的功能，用jshrink打開一個class文件雙擊提示“Missing license key, see www.e-t.com/jshrink.html to request evaluation license”，以前申請了一個試用的license key，恢復過系統，早丟了。java寫的，反編譯出來看看,解壓jar，并反編譯所有的class文件，類被混淆過，這里要注意的是，有些方法混淆后名稱和類名一樣，但千萬不要把它當作構造函數，否則可能會帶來一點麻煩。在整個源代碼中查找上面的報錯字符串，居然沒找到。在解壓后的目錄里找了一下，發現I.gif挺可懷，打開一看果然是加密了的東東，并不是gif文件，在I.I.class反編譯源代碼中果然發現了I.gif，如下：
InputStream inputstream = (new I()).getClass().getResourceAsStream("" + 'I' + '.' + 'g' + 'i' + 'f');
??? 即然建立輸入流讀取方文件，肯定有解密過程，分析原代碼后寫出一個解密代碼：
import java.io.InputStream;
public class I
{
?static byte COWY[];
??? static String append[] = new String[256];
??? static int close[] = new int[256];

?public String td(int i)
??? {
??????? int j = i & 0xff;
??????? if(close[j] != i)
??????? {
??????????? close[j] = i;
??????????? if(i < 0)
??????????????? i &= 0xffff;
??????????? String s = new String(COWY, i, COWY[i - 1] & 0xff);
??????????? append[j] = s;
??????? }
??System.out.println(append[j]);
??????? return append[j];
??? }

?public static void main(String[] args)
?{
??try
??????? {
??????????? InputStream inputstream = (new I()).getClass().getResourceAsStream("" + 'I' + '.' + 'g' + 'i' + 'f');
???? //這里他用'I' + '.' + 'g' + 'i' + 'f',如果我們直接查找I.gif,肯定沒有結果，所以當搜索I.gif沒找到時，
???? //一定要試試這種方法，還有數組形式存放。
??????????? if(inputstream != null)
??????????? {
??????????????? int i = inputstream.read() << 16 | inputstream.read() << 8 | inputstream.read();
??????????????? COWY = new byte[i];
??????????????? int j = 0;
??????????????? byte byte0 = (byte)i;
??????????????? byte abyte0[] = COWY;
??????????????? while(i != 0)
??????????????? {
??????????????????? int k = inputstream.read(abyte0, j, i);
??????????????????? if(k == -1)
??????????????????????? break;
??????????????????? i -= k;
??????????????????? for(k += j; j < k; j++)
??????????????????????? abyte0[j] ^= byte0;

??????????????? }
??????????????? inputstream.close();
??????????? }
??????? }
??????? catch(Exception exception) { }
??
??I i = new I();
??for (int j=0; j<7200; j++ )//為什么這個j最大值為7200,因為大概查看了一下源代碼中調
??//用I.I.I()這個方法的最大值就是這個,試圖加大后，拋出異常。
??{
???System.out.print(j+":");
???i.td(j);
??}
?}
}
??? 當上面的循環體里j為4088時字符串是Missing license key, see www.e-t.com/
jshrink.html to request evaluation license，在整個原代碼是搜索4088，發現只在A.class中有，
?switch(getViewRect)
??????? {
??????? case -1:
??????? case 0: // '\0'
??????????? return true;

??????? case 1: // '\001'
??????????? getChildCount();
??????????? getJarEntry(I.I.I(4088));
???? //Missing license key, see www.e-t.com/jshrink.html to request evaluation license
???? //I.I.I(4088)返回的串
??????????? return false;

??????? case 2: // '\002'
??????????? getChildCount();
??????????? getJarEntry(I.I.I(4168));
???? //Evaluation license key has expired, purchase new key at www.e-t.com/jshrink.html
???? //I.I.I(4168)返回的串
??????????? return false;

??????? case 3: // '\003'
??????????? getChildCount();
??????????? getJarEntry(I.I.I(4249));
???? //Invalid license key
???? //I.I.I(4249)返回的串
??????????? return false;

??????? case 4: // '\004'
??????????? getJarEntry(I.I.I(4269));
???? //Internal error verifying license key
???? //I.I.I(4269)返回的串
??????????? return false;
??????? }
??????? return false;
??? 不想分析注冊key詳細算法，暴破試一下，把上面每個case子句里的代碼變為 return true; 可能問題就能解決，用十六進制編輯器打開A.class,查找03AC,連續五個在一起，改為04AC,現在程序已經可以正常運行，只是還有無License的提示對話框，那么把04AC(前面已修改)前的十個四字節,如：2AB7016B2A110FF8B8056DB7003A全改為00，相當于匯編里的nop保存打包，運行就再沒有提示對話框了。這樣不完全暴破就已經成功，之所以說不完全是因為還有Z.class有類A.class的功能，讀取I.gif文件并解密，我們并沒有對A.class這個類的調用做跟蹤分析，這樣很有可能還有一些地方有限制而我們沒有破除掉。
??? 沒什么技術性，但能為菜鳥破JAVA程序提示一點思路。今天搜了一下，才發現這個早有人已經寫出注冊機了，牛人多多。不過想研究暴破的可以從下面下載本人修改過的和原版程序：
鏈接暫時不再提供