fix typo
This commit is contained in:
somebasj
parent
08da459350
commit
07e4bea946
|
|
@ -1,8 +1,10 @@
|
|||
# patch prl_disp_app
|
||||
# prl_disp_service
|
||||
|
||||
## 2. patch Signature::SignCheckerImpl
|
||||
crack for 18.0.1 53567
|
||||
|
||||
### 2.1 find vtable
|
||||
## 1. patch Signature::SignCheckerImpl
|
||||
|
||||
### 1.1 find vtable
|
||||
|
||||
#### x86_64
|
||||
|
||||
|
|
@ -13,7 +15,7 @@ __const:00000001009B2A70
|
|||
__const:00000001009B2A78 A8 2A 9B 00 01 00 00 00 dq offset _ZTIN9Signature15SignCheckerImplE ; `typeinfo for'Signature::SignCheckerImpl
|
||||
__const:00000001009B2A80 00 0B 5B 00 01 00 00 00 dq offset sub_1005B0B00
|
||||
__const:00000001009B2A88 10 0B 5B 00 01 00 00 00 dq offset sub_1005B0B10
|
||||
__const:00000001009B2A90 80 07 5B 00 01 00 00 00 dq offset sub_1005B0780
|
||||
__const:00000001009B2A90 80 07 5B 00 01 00 00 00 dq offset sub_1005B0780 ; <--- Verify function, patch return 1
|
||||
```
|
||||
|
||||
#### arm64
|
||||
|
|
@ -25,10 +27,10 @@ __const:0000000100988520
|
|||
__const:0000000100988528 58 85 98 00 01 00 00 00 DCQ _ZTIN9Signature15SignCheckerImplE ; `typeinfo for'Signature::SignCheckerImpl
|
||||
__const:0000000100988530 28 E9 5D 00 01 00 00 00 DCQ nullsub_201
|
||||
__const:0000000100988538 2C E9 5D 00 01 00 00 00 DCQ j___ZdlPv_267
|
||||
__const:0000000100988540 84 E5 5D 00 01 00 00 00 DCQ sub_1005DE584
|
||||
__const:0000000100988540 84 E5 5D 00 01 00 00 00 DCQ sub_1005DE584 ; <--- Verify function, patch return 1
|
||||
```
|
||||
|
||||
### 2.2 patch function `sub_1005B0780`
|
||||
### 1.2 patch function `sub_1005B0780`
|
||||
|
||||
#### x86_64
|
||||
|
||||
|
|
@ -267,180 +269,3 @@ __text:00000001007B3A14 20 00 80 D2 MOV
|
|||
__text:00000001007B3A18 C0 03 5F D6 RET
|
||||
__text:00000001007B3A18 ; End of function sub_1007B3A14
|
||||
```
|
||||
|
||||
## 3. add write licenses.json
|
||||
|
||||
1. use step 2 code space (0x1007C9284) add shellcode write license data
|
||||
|
||||
### x86_64
|
||||
|
||||
opcode
|
||||
|
||||
```
|
||||
41 57 41 56 41 55 41 54 53 48 81 EC 38 04 00 00
|
||||
4C 89 85 B8 FB FF FF 48 89 8D B0 FB FF FF 48 89
|
||||
95 A8 FB FF FF 41 89 F4 48 89 FB 48 8B 05 7A 70
|
||||
1C 00 48 8B 00 48 89 45 D0 48 8B 0D B4 83 27 00
|
||||
48 8D 15 C4 2A 15 00 45 31 F6 48 8D BD D0 FB FF
|
||||
FF BE 00 04 00 00 31 C0 E8 73 CA 01 00 48 C7 85
|
||||
C0 FB FF FF 00 00 00 00 48 8D 3D 8A 2A 15 00 BE
|
||||
01 00 00 00 E8 3F C4 01 00 85 C0 74 29 48 8B 05
|
||||
28 70 1C 00 48 8B 00 48 3B 45 D0 0F 85 58 02 00
|
||||
00 44 89 F0 48 81 C4 38 04 00 00 5B 41 5C 41 5D
|
||||
41 5E 41 5F 5D C3 48 8B 05 4F 70 1C 00 48 8B 38
|
||||
48 8D 35 42 2A 15 00 BA 11 00 00 00 31 C9 E8 FD
|
||||
82 01 00 48 85 C0 74 B5 49 89 C7 48 89 C7 E8 BD
|
||||
82 01 00 49 89 C5 4C 89 FF E8 BC 81 01 00 4D 85
|
||||
ED 74 9A 48 8D 95 C0 FB FF FF 4C 89 EF 31 F6 E8
|
||||
A4 86 01 00 49 89 DF 89 C3 4C 89 EF E8 99 81 01
|
||||
00 85 DB 0F 85 74 FF FF FF 4C 8B
|
||||
```
|
||||
|
||||
patch
|
||||
|
||||
```
|
||||
55 48 89 E5 53 56 52 48 8D 3D 3F 00 00 00 48 8D
|
||||
35 65 00 00 00 E8 24 C6 01 00 49 89 C6 48 8D 3D
|
||||
58 00 00 00 BE 8E 00 00 00 BA 01 00 00 00 4C 89
|
||||
F1 E8 62 C6 01 00 4C 89 F7 E8 E8 C5 01 00 4C 89
|
||||
F7 E8 C2 C5 01 00 5A 5E E9 84 68 F9 FF 2F 4C 69
|
||||
62 72 61 72 79 2F 50 72 65 66 65 72 65 6E 63 65
|
||||
73 2F 50 61 72 61 6C 6C 65 6C 73 2F 6C 69 63 65
|
||||
6E 73 65 73 2E 6A 73 6F 6E 00 77 00 7B 22 6C 69
|
||||
63 65 6E 73 65 22 3A 22 7B 5C 22 70 72 6F 64 75
|
||||
63 74 5F 76 65 72 73 69 6F 6E 5C 22 3A 5C 22 31
|
||||
38 2E 2A 5C 22 2C 5C 22 65 64 69 74 69 6F 6E 5C
|
||||
22 3A 32 2C 5C 22 70 6C 61 74 66 6F 72 6D 5C 22
|
||||
3A 33 2C 5C 22 70 72 6F 64 75 63 74 5C 22 3A 37
|
||||
2C 5C 22 6F 66 66 6C 69 6E 65 5C 22 3A 74 72 75
|
||||
65 2C 5C 22 63 70 75 5F 6C 69 6D 69 74 5C 22 3A
|
||||
33 32 2C 5C 22 72 61 6D 5F 6C 69 6D 69 74 5C 22
|
||||
3A 31 33 31 30 37 32 7D 22 7D 00
|
||||
```
|
||||
|
||||
after
|
||||
|
||||
```
|
||||
__text:00000001007C9284 write_fake_lic proc near ; CODE XREF: __text:InitFunc_0↑j
|
||||
__text:00000001007C9284 ; __text:loc_10075FB50↑j
|
||||
__text:00000001007C9284 55 push rbp
|
||||
__text:00000001007C9285 48 89 E5 mov rbp, rsp
|
||||
__text:00000001007C9288 53 push rbx
|
||||
__text:00000001007C9289 56 push rsi
|
||||
__text:00000001007C928A 52 push rdx
|
||||
__text:00000001007C928B 48 8D 3D 3F 00 00 00 lea rdi, aLibraryPrefere_2 ; "/Library/Preferences/Parallels/licenses"...
|
||||
__text:00000001007C9292 48 8D 35 65 00 00 00 lea rsi, aW_1 ; "w"
|
||||
__text:00000001007C9299 E8 24 C6 01 00 call _fopen
|
||||
__text:00000001007C929E 49 89 C6 mov r14, rax
|
||||
__text:00000001007C92A1 48 8D 3D 58 00 00 00 lea rdi, aLicenseProduct_0 ; "{\"license\":\"{\\\"product_version\\\""...
|
||||
__text:00000001007C92A8 BE 8E 00 00 00 mov esi, 8Eh ; size_t
|
||||
__text:00000001007C92AD BA 01 00 00 00 mov edx, 1 ; size_t
|
||||
__text:00000001007C92B2 4C 89 F1 mov rcx, r14 ; FILE *
|
||||
__text:00000001007C92B5 E8 62 C6 01 00 call _fwrite
|
||||
__text:00000001007C92BA 4C 89 F7 mov rdi, r14 ; FILE *
|
||||
__text:00000001007C92BD E8 E8 C5 01 00 call _fflush
|
||||
__text:00000001007C92C2 4C 89 F7 mov rdi, r14 ; FILE *
|
||||
__text:00000001007C92C5 E8 C2 C5 01 00 call _fclose
|
||||
__text:00000001007C92CA 5A pop rdx
|
||||
__text:00000001007C92CB 5E pop rsi
|
||||
__text:00000001007C92CC E9 84 68 F9 FF jmp sub_10075FB55
|
||||
__text:00000001007C92CC write_fake_lic endp
|
||||
__text:00000001007C92CC
|
||||
__text:00000001007C92CC ; ---------------------------------------------------------------------------
|
||||
__text:00000001007C92D1 ; const char aLibraryPrefere_2[]
|
||||
__text:00000001007C92D1 2F 4C 69 62 72 61 72 79+aLibraryPrefere_2 db '/Library/Preferences/Parallels/licenses.json',0
|
||||
__text:00000001007C92D1 2F 50 72 65 66 65 72 65+ ; DATA XREF: write_fake_lic+7↑o
|
||||
__text:00000001007C92FE ; const char aW_1[]
|
||||
__text:00000001007C92FE 77 00 aW_1 db 'w',0 ; DATA XREF: write_fake_lic+E↑o
|
||||
__text:00000001007C9300 7B 22 6C 69 63 65 6E 73+aLicenseProduct_0 db '{"license":"{\"product_version\":\"18.*\",\"edition\":2,\"platfor'
|
||||
__text:00000001007C9300 65 22 3A 22 7B 5C 22 70+ ; CODE XREF: __text:00000001007C9487↓j
|
||||
__text:00000001007C9300 72 6F 64 75 63 74 5F 76+ ; __text:00000001007C9568↓j
|
||||
__text:00000001007C9300 65 72 73 69 6F 6E 5C 22+ ; DATA XREF: ...
|
||||
__text:00000001007C9300 3A 5C 22 31 38 2E 2A 5C+ db 'm\":3,\"product\":7,\"offline\":true,\"cpu_limit\":32,\"ram_limit'
|
||||
__text:00000001007C9300 22 2C 5C 22 65 64 69 74+ db '\":131072}"}',0
|
||||
```
|
||||
|
||||
### arm64
|
||||
|
||||
opcode
|
||||
|
||||
```
|
||||
```
|
||||
|
||||
patch
|
||||
|
||||
```
|
||||
```
|
||||
|
||||
after
|
||||
|
||||
```
|
||||
```
|
||||
|
||||
2. find string xref "licenses.json"
|
||||
|
||||
### x86_64
|
||||
|
||||
```
|
||||
__text:000000010075FB50 55 push rbp
|
||||
__text:000000010075FB51 48 89 E5 mov rbp, rsp
|
||||
__text:000000010075FB54 53 push rbx
|
||||
__text:000000010075FB55 48 83 EC 28 sub rsp, 28h
|
||||
__text:000000010075FB59 48 89 FB mov rbx, rdi
|
||||
__text:000000010075FB5C 48 8D 3D CD F9 10 00 lea rdi, a12 ; "%1/%2"
|
||||
__text:000000010075FB63 BE 05 00 00 00 mov esi, 5 ; char *
|
||||
__text:000000010075FB68 E8 09 3D 08 00 call __ZN7QString16fromAscii_helperEPKci ; QString::fromAscii_helper(char const*,int)
|
||||
__text:000000010075FB6D 48 89 45 E0 mov [rbp+var_20], rax
|
||||
__text:000000010075FB71 48 8D 7D E8 lea rdi, [rbp+var_18]
|
||||
__text:000000010075FB75 E8 26 F4 FF FF call sub_10075EFA0
|
||||
__text:000000010075FB7A 48 8D 7D D8 lea rdi, [rbp+var_28]
|
||||
__text:000000010075FB7E 48 8D 75 E0 lea rsi, [rbp+var_20]
|
||||
__text:000000010075FB82 48 8D 55 E8 lea rdx, [rbp+var_18]
|
||||
__text:000000010075FB86 31 C9 xor ecx, ecx
|
||||
__text:000000010075FB88 41 B8 20 00 00 00 mov r8d, 20h ; ' '
|
||||
__text:000000010075FB8E E8 5B 55 08 00 call __ZNK7QString3argERKS_i5QChar ; QString::arg(QString const&,int,QChar)
|
||||
__text:000000010075FB93 48 8D 3D 89 83 19 00 lea rdi, aLicensesJson ; "licenses.json"
|
||||
__text:000000010075FB9A BE 0D 00 00 00 mov esi, 0Dh ; char *
|
||||
__text:000000010075FB9F E8 D2 3C 08 00 call __ZN7QString16fromAscii_helperEPKci ; QString::fromAscii_helper(char const*,int)
|
||||
__text:000000010075FBA4 48 89 45 F0 mov [rbp+var_10], rax
|
||||
__text:000000010075FBA8 48 8D 75 D8 lea rsi, [rbp+var_28]
|
||||
__text:000000010075FBAC 48 8D 55 F0 lea rdx, [rbp+var_10]
|
||||
__text:000000010075FBB0 48 89 DF mov rdi, rbx
|
||||
__text:000000010075FBB3 31 C9 xor ecx, ecx
|
||||
__text:000000010075FBB5 41 B8 20 00 00 00 mov r8d, 20h ; ' '
|
||||
__text:000000010075FBBB E8 2E 55 08 00 call __ZNK7QString3argERKS_i5QChar ; QString::arg(QString const&,int,QChar)
|
||||
__text:000000010075FBC0 48 8B 7D F0 mov rdi, [rbp+var_10]
|
||||
__text:000000010075FBC4 8B 07 mov eax, [rdi]
|
||||
__text:000000010075FBC6 83 F8 FF cmp eax, 0FFFFFFFFh
|
||||
__text:000000010075FBC9 74 1D jz short loc_10075FBE8
|
||||
__text:000000010075FBCB 85 C0 test eax, eax
|
||||
__text:000000010075FBCD 74 0A jz short loc_10075FBD9
|
||||
__text:000000010075FBCF F0 83 2F 01 lock sub dword ptr [rdi], 1
|
||||
__text:000000010075FBD3 75 13 jnz short loc_10075FBE8
|
||||
__text:000000010075FBD5 48 8B 7D F0 mov rdi, [rbp+var_10]
|
||||
```
|
||||
|
||||
opcode
|
||||
|
||||
```
|
||||
55 48 89 E5 53 48 83 EC 28 48 89 FB 48 8D 3D CD
|
||||
F9 10 00 BE 05 00 00 00 E8 09 3D 08 00 48 89 45
|
||||
E0 48 8D 7D E8 E8 26 F4 FF FF 48 8D 7D D8 48 8D
|
||||
75 E0 48 8D 55 E8 31 C9 41 B8 20 00 00 00 E8 5B
|
||||
```
|
||||
|
||||
patch
|
||||
|
||||
```
|
||||
E9 2F 97 06 00
|
||||
```
|
||||
|
||||
after
|
||||
|
||||
```
|
||||
__text:000000010075FB50 E9 2F 97 06 00 jmp write_fake_lic
|
||||
```
|
||||
|
||||
### arm64
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue