Hopper v4 For Linux Crack

I checked the official site and noticed that a Linux build of Hopper v4 is now available for download, so I downloaded it and gave it a try.

Searching for the string "Try the Demo" shows that it is referenced from the function ShowLicenseDialog (0x00000000004f9b30):

00000000004f9d87    mov    rbx, qword [r14+0x80] ; CODE XREF=ShowLicenseDialog+557, ShowLicenseDialog+577
00000000004f9d8e    lea    rsi, qword [_ZTSSt11_Mutex_baseILN9__gnu_cxx12_Lock_policyE2EE+2549] ; "LicenseDialog"
00000000004f9d95    lea    rdx, qword [_ZTSSt11_Mutex_baseILN9__gnu_cxx12_Lock_policyE2EE+3179] ; "Try the Demo"
00000000004f9d9c    lea    r15, qword [rsp+0x50+var_40]
00000000004f9da1    xor    ecx, ecx
00000000004f9da3    mov    r8d, 0xffffffff
00000000004f9da9    mov    rdi, r15
00000000004f9dac    call   j__ZN16QCoreApplication9translateEPKcS1_S1_i

Debugging with gdb, I set a breakpoint on that function. After launch the breakpoint is hit, and the backtrace looks like this:

Breakpoint * 0x4f9b30
pwndbg> bt
#0  0x00000000004f9b30 in  ()
#1  0x00000000004f920c in  ()
#2  0x00000000004f46b2 in  ()
#3  0x00000000005f5101 in  ()
#4  0x00000000005fb35f in  ()
#5  0x0000000000549491 in  ()
#6  0x00007ffff515b159 in dispatch_main_queue_drain_np () at /opt/hopper-v4/lib/libdispatch.so.1
...

The frames in the middle are Qt-related setup; the call of interest is finally located here:

00000000005f50e9    call   CheckLicense        ; CODE XREF=sub_5f5090+20, sub_5f5090+35
00000000005f50ee    test   al, al
00000000005f50f0    jne    loc_5f513c
00000000005f50f2    lea    rbx, qword [rsp+0x70+var_70]
00000000005f50f6    mov    rdi, rbx            ; argument #1 for method sub_4f4670
00000000005f50f9    mov    rsi, r15
00000000005f50fc    call   sub_4f4670
00000000005f5101    mov    rax, qword [rsp+0x70+var_70]
00000000005f5105    mov    rax, qword [rax+0x1a8]

Looking upward from the call at 0x00000000005f50fc, there is the typical test/jne pattern, which confirms that CheckLicense (0x00000000004f7660) is the real validation function. The patch is as follows:

00000000004f7660    mov    eax, 0x1            ; CODE XREF=sub_5bd550+1013, sub_5f5090+89, sub_5f5090+129, sub_5f9760+15, sub_5f99a0+8, sub_5f9b00+8, sub_5f9c60+8
00000000004f7665    ret

Patching wins again ;)