图片 10

动用调节台获取天气预告,如何完善破解CocoaFob

By admin in 编程 on 2019年5月6日

本例子主要是使用由中央气象局网站()提供的JSON
API,其实现思路如下:

本次破解练习对象为Interface
Inspector。程序运行截图如下。图为软件提示的注册界面。

1、访问获取省份(包含直辖市、自治区等,以下简称省份)的网址(),返回对应的省份名称(name)、代码(code)等,如下图所示:

图片 1

图片 2

Snip20171105_5.png

2、根据以上返回的代码(code),将代码拼接在网址(
AGD
(广东省),则拼接后的网址为,以此获得对应的城市名称(city)、代码(code),如下图所示:

也有其他的暴力破解方式,相对简单,笔者从注册本身入手,尝试完美破解。

 图片 3

0x1 代码分析

在Hopper中打开后,发现Interface
Inspector使用了CocoaFob库来做注册认证。如下图。

图片 4

Snip20171105_10.png

和AquaticPrimeFramework类似,CocoaFob使用非对称的DSA算法,使用私钥Private
key加密注册名称,可以得到注册码。程序里用对应公钥Public
key对输入的注册名和注册码进行解密验证。DSA算法类似RSA,具备非对称性,无Private
key和Public
key对,不能推算出注册码。所以安全性比一般的key-gen要高。然而CocoaFob库是开源框架,可以找到它的源代码。这为完美破解提供了可能性。

3、根据以上返回的代码,将代码拼接在网址(
59287 (广州),则拼接后的网址为,以此获得对应的天气信息,如下图所示:

0x2破解

和破解AquaticPrimeFramework的思路一样,用开源框架生成自制的DSA公钥、私钥,然后,替换掉程序中的DSA公钥。

首先看Interface Inspector中的DSA公钥。从[SMLicenseManager
verifyLicenseWithName:code:]方法找到了拼接的DSA公钥。伪代码如下。

char +[SMLicenseManager verifyLicenseWithName:code:](void * self, void * _cmd, void * arg2, void * arg3) {
    r14 = [arg2 retain];
    var_-72 = [arg3 retain];
    rax = [NSBundle mainBundle];
    rax = [rax retain];
    var_-88 = rax;
    var_-96 = [[rax objectForInfoDictionaryKey:*_kCFBundleNameKey] retain];
    var_-76 = 0x0;
    rbx = [NSString stringWithFormat:@"%@,%@", rcx, r14];
    [r14 release];
    var_-64 = [rbx retain];
    r13 = [[NSMutableString string] retain];
    [r13 appendString:@"MIHwMIGoBgcqhkjOOAQBMIGcAkEA6DD7O2EnyLOV"];
    [r13 appendString:@"INxN5Cb+p2VxYAdK69ekt"];
    [r13 appendString:@"RUl\nn/QrCFjWB9k71OBZTXNHDsqbS"];
    [r13 appendString:@"CXmQrRmc+OxghdlsEJ0Wbe/XQIVAJya"];
    [r13 appendString:@"CiqLcY74\nRq1hRd"];
    [r13 appendString:@"33dSgqa33vA"];
    [r13 appendString:@"kAQSXj7klZuZg6edUcAPyqJtpympByQmSB"];
    [r13 appendString:@"4of1KUEzkARHT\npFicnFhzpG1"];
    [r13 appendString:@"HP4B+"];
    [r13 appendString:@"UwIbh/JOwTjwElTrKi0tzwu/A0MAA"];
    [r13 appendString:@"kAVeQplzB7Ovygl8ntn\nUcF+Rh260G"];
    [r13 appendString:@"gbDWL5xZgPXPf39kHq"];
    [r13 appendString:@"Twk1rbUFVIWUGdWo0FaBbuM7rnDal0jqT8aq\nZ"];
    [r13 appendString:@"skm\n"];
    rbx = [[NSString stringWithString:r13] retain];
    r14 = [[CFobLicVerifier completePublicKeyPEM:rbx] retain];
    var_-104 = r14;
    [rbx release];
    r15 = [[CFobLicVerifier alloc] init];
    rcx = 0x0;
    rbx = [r15 setPublicKey:r14 error:rcx];
    r12 = [0x0 retain];
    if (rbx != 0x0) {
            var_-64 = var_-64;
            rbx = [r15 verifyRegCode:var_-72 forName:rcx error:r12];
            r14 = [r12 retain];
            [r12 release];
            var_-76 = rbx != 0x0 ? 0x1 : 0x0;
            r12 = r14;
    }
    [r12 release];
    [r15 release];
    [var_-104 release];
    [r13 release];
    [var_-64 release];
    [var_-96 release];
    [var_-88 release];
    [var_-72 release];
    rax = var_-76 & 0xff;
    return rax;
}

用Hex Fiend打开Interface
Inspector,可以找到MIHwMIGoBgcqhkjOOAQBMIGcAkEA6DD7O2EnyLOV开头的字符串,这便是公钥在代码中的位置。使用自制的公钥,直接在相应位置替换掉此字符串。如下图所示。

替换前:

图片 5

Snip20171102_5.png

替换后:

图片 6

Snip20171105_6.png

然后,使用Hopper修改[SMLicenseManager
verifyLicenseWithName:code:]和定义DSA公钥的数据段(见下图),导入自制的DSA公钥。

图片 7

Snip20171105_8.png

修改后,verifyLicenseWithName:code的伪代码如下。

char +[SMLicenseManager verifyLicenseWithName:code:](void * self, void * _cmd, void * arg2, void * arg3) {
    r14 = [arg2 retain];
    var_48 = [arg3 retain];
    rax = [NSBundle mainBundle];
    rax = [rax retain];
    var_58 = rax;
    var_60 = [[rax objectForInfoDictionaryKey:*_kCFBundleNameKey] retain];
    var_4C = 0x0;
    rbx = [NSString stringWithFormat:@"%@,%@", rcx, r14];
    [r14 release];
    var_40 = [rbx retain];
    r13 = [[NSMutableString string] retain];
    [r13 appendString:@"MIHxMIGoBgcqhkjOOAQBMIGcAkEAlkHhqwIttlbDZEK6mOY7s7EBjI/GFhhT/F7m\n4eA4vVefuIsdTmA5gBplebQ02k8JMPWaP0mV8hCDzcdIHMqrSwIVAPdSrKvB8U59\n+7I0X0wfm74v0WTzAkBwKLW3thX3IOPo4vjghDX/nHtJG3VXSmCTC7mFpv2nhXuz\nblSbboRAlMa/j0kl4vURsuVXlgvvWpCpgA0SSf0TA0QAAkEAh5RNl7/OdeCse…"];
    rbx = [[NSString stringWithString:r13] retain];
    r14 = [[CFobLicVerifier completePublicKeyPEM:rbx] retain];
    var_68 = r14;
    [rbx release];
    r15 = [[CFobLicVerifier alloc] init];
    rcx = 0x0;
    rbx = [r15 setPublicKey:r14 error:rcx];
    r12 = [0x0 retain];
    if (rbx != 0x0) {
            var_40 = var_40;
            rbx = [r15 verifyRegCode:var_48 forName:rcx error:r12];
            r14 = [r12 retain];
            [r12 release];
            var_4C = rbx != 0x0 ? 0x1 : 0x0;
            r12 = r14;
    }
    [r12 release];
    [r15 release];
    [var_68 release];
    [r13 release];
    [var_40 release];
    [var_60 release];
    [var_58 release];
    [var_48 release];
    rax = var_4C & 0xff;
    return rax;
}

 图片 8

0x3 程序验证

设输入的名称为XIao,用CocoaFob算出的注册码为:GAWAE-FD7CP-6M96F-YCNHW-EV9WN-VHEPV-ZDKGN-3KDAC-CQNMV-GGACQ-KR5UM-RYD25-JYRLN-6BNH3-K27Y。代入破解完的Interface
Inspector。验证成功,:)!

图片 9

Snip20171105_4.png

4、本例子使用的技术为 HttpWebRequest类、HttpWebResponse类及Newtonsoft.Json.JsonConvert类的使用,自己有不懂的,请自行进行百度;

5、源代码如下:

using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;

namespace Weather
{
    class Program
    {
        static void Main(string[] args)
        {
            HttpWebRequest request = WebRequest.CreateHttp(@"http://www.nmc.gov.cn/f/rest/province");
            try
            {
                HttpWebResponse response = request.GetResponse() as HttpWebResponse;
                Stream stream = response.GetResponseStream();
                StreamReader reader = new StreamReader(stream);
                string content = reader.ReadToEnd();
                List<Province> provinceResult = JsonConvert.DeserializeObject<List<Province>>(content);
                Dictionary<string, string> proviceNamedict = new Dictionary<string, string>();
                Console.WriteLine("省及直辖市:");
                provinceResult.ForEach(x =>
                {
                    proviceNamedict.Add(x.name, x.code);
                    Console.WriteLine(x.name);
                });
                string provice;
                while (true)
                {
                    Console.Write("请输入需要查询的省或直辖市:");
                    provice = Console.ReadLine();
                    if (proviceNamedict.Keys.Contains(provice)) break;
                }
                Console.Clear();
                request = WebRequest.CreateHttp($"http://www.nmc.gov.cn/f/rest/province/{proviceNamedict[provice]}");
                response = request.GetResponse() as HttpWebResponse;
                stream = response.GetResponseStream();
                reader = new StreamReader(stream);
                content = reader.ReadToEnd();
                List<City> cityResult = JsonConvert.DeserializeObject<List<City>>(content);
                Dictionary<string, string> cityNamedict = new Dictionary<string, string>();
                Console.WriteLine("城市:");
                cityResult.ForEach(x =>
                {
                    cityNamedict.Add(x.city, x.code);
                    Console.WriteLine(x.city);
                });
                string city;
                while (true)
                {
                    Console.Write("请输入需要查询的城市:");
                    city = Console.ReadLine();
                    if (cityNamedict.Keys.Contains(city)) break;
                }
                request = WebRequest.CreateHttp($"http://www.nmc.gov.cn/f/rest/real/{cityNamedict[city]}");
                response = request.GetResponse() as HttpWebResponse;
                stream = response.GetResponseStream();
                reader = new StreamReader(stream);
                content = reader.ReadToEnd();
                Detail detailResult = JsonConvert.DeserializeObject<Detail>(content);
                Console.WriteLine(new string('-', 50));
                Console.WriteLine("详细情况如下:");
                Console.WriteLine($"{detailResult.station.province},{detailResult.station.city} 发布时间:{detailResult.publish_time}");
                Console.WriteLine($"温度:{detailResult.weather.temperature}℃ 温差:{detailResult.weather.temperatureDiff}℃ 气压:{detailResult.weather.airpressure}hPa 湿度:{detailResult.weather.humidity}% 雨量:{detailResult.weather.rain}mm");
                Console.WriteLine($"天气状况:{detailResult.weather.info}");
                Console.WriteLine($"风向:{detailResult.wind.direct} {detailResult.wind.power} 风速:{detailResult.wind.speed}m/s");
                Console.WriteLine(new string('-', 50));
            }
            catch(WebException ex)
            {
                Console.WriteLine(ex.Message);
            }
            Console.WriteLine("按任何键退出...");
            Console.ReadKey();
        }
    }

    class Province
    {
        public string code { set; get; }
        public string name { set; get; }
        public string url { set; get; }
    }

    class City
    {
        public string url { set; get; }
        public string code { set; get; }
        public string city { set; get; }
        public string province { set; get; }
    }

    class Detail
    {
        public City station { set; get; }
        public string publish_time { set; get; }
        public Weather weather { set; get; }
        public Wind wind { set; get; }
        public Warn warn { set; get; }
    }

    class Weather
    {
        public float temperature { set; get; }
        public float temperatureDiff { set; get; }
        public float airpressure { set; get; }
        public float humidity { set; get; }
        public float rain { set; get; }
        public float rcomfort { set; get; }
        public float icomfort { set; get; }
        public string info { set; get; }
        public string img { set; get; }
        public float feelst { set; get; }
    }

    class Wind
    {
        public string direct { set; get; }
        public string power { set; get; }
        public float speed { set; get; }
    }
    class Warn
    {
        public string alert { set; get; }
        public string pic { set; get; }
        public string province { set; get; }
        public string city { set; get; }
        public string url { set; get; }
        public string issuecontent { set; get; }
        public string fmeans { set; get; }
    }
}

6、运行效果如下:

图片 10

7、源代码与可执行应用程序如下:

源代码:https://pan.baidu.com/s/1pM98VnP

可执行应用程序:https://pan.baidu.com/s/1i6mK8xn

 

发表评论

电子邮件地址不会被公开。 必填项已用*标注

网站地图xml地图
Copyright @ 2010-2020 澳门新葡亰官网app 版权所有