定位到 dyjit.so 验证授权时间的函数是 _erfgergtergtetgrwehgryhrrjhtuj,其中判断的时间为时间戳 1544544000,2018 年 12 月 12 日,伪代码如下:
// Decompiler pseudo-code (IDA style) of the expiry check in dyjit.so, reflowed
// from a single collapsed line; only comments were added, every other token is
// as in the listing. It is not compilable C: CFSTR(), OBJC_CLASS___*, toast()
// and __stack_chk_guard come from the decompiled binary.
//
// Flow: read the device clock, compare it (as a 32-bit signed Unix timestamp)
// against the hard-coded expiry 1544544000 (0x5C0FDF00); if not expired and the
// companion dylib exists, take Lua args 1 and 2 (a1 is presumably the lua_State)
// and broadcast them as a notification named "luajitTK". Returns 1 on every
// path unless the stack canary mismatched.
int __fastcall erfgergtergtetgrwehgryhrrjhtuj(int a1)
{
  int v1; // r8
  void *v2; // r6
  void *v3; // r0
  void *v4; // r4
  void *v5; // r0
  void *v6; // r0
  double v7; // r4
  int v8; // r1
  void *v9; // r0
  const char *v10; // r1
  int v11; // r0
  void *v12; // r4
  void *v13; // r5
  int v14; // r0
  void *v15; // r4
  int v16; // r5
  int v17; // r0
  int result; // r0
  const __CFString *v19; // [sp+4h] [bp-2Ch]
  const __CFString *v20; // [sp+8h] [bp-28h]
  void *v21; // [sp+Ch] [bp-24h]
  void *v22; // [sp+10h] [bp-20h]
  int v23; // [sp+14h] [bp-1Ch]

  v1 = a1;
  // Current wall-clock time from the device; nothing here authenticates it.
  v2 = objc_msgSend(&OBJC_CLASS___NSDate, "date");
  v3 = objc_msgSend(&OBJC_CLASS___NSDateFormatter, "alloc");
  v4 = objc_msgSend(v3, "init");
  objc_msgSend(v4, "setDateStyle:", 2);
  objc_msgSend(v4, "setTimeStyle:", 1);
  // NOTE(review): "YYYY" is the week-based-year pattern ("yyyy" is the calendar
  // year), so the string->date round trip below can be off around New Year.
  objc_msgSend(v4, "setDateFormat:", CFSTR("YYYY-MM-dd HH:mm:ss"));
  // Date -> string -> date round trip; presumably only drops sub-second precision.
  v5 = objc_msgSend(v4, "stringFromDate:", v2);
  v6 = objc_msgSend(v4, "dateFromString:", v5);
  // timeIntervalSince1970 returns a double; the decompiler shows it assembled
  // from r0:r1. v8 is never assigned - presumably the r1 half of that return.
  LODWORD(v7) = objc_msgSend(v6, "timeIntervalSince1970");
  HIDWORD(v7) = v8;
  // Expiry built by formatting the literal 1544544000 with "%d" and parsing it
  // back with longLongValue - a detour that still leaves the immediate in code
  // (this is the constant the movw/movt pair in the write-up changes).
  v9 = objc_msgSend(&OBJC_CLASS___NSString, "stringWithFormat:", CFSTR("%d"), 1544544000);
  // Both sides are truncated to signed 32-bit before the compare, so the check
  // is only meaningful until the 2038 wrap. Expired -> toast and bail out.
  if ( (signed int)v7 >= (signed int)objc_msgSend(v9, "longLongValue") )
  {
    v10 = "请升级最新版";
    goto LABEL_5;
  }
  // access(path, 0) is an F_OK existence test only: no ownership, signature or
  // content check of the dylib, so presence of a file at that path suffices.
  if ( access("/Library/MobileSubstrate/DynamicLibraries/LuaJitTK.dylib", 0) )
  {
    v10 = "插件不完整,运行失败";
LABEL_5:
    toast(v1, v10);
    goto LABEL_7;
  }
  // Lua arg 1 -> NSString via "%s"; Lua arg 2 -> NSString with encoding 4
  // (NSUTF8StringEncoding). The C strings are not length-checked here
  // (luaL_checklstring is passed 0 for the length out-parameter).
  v11 = luaL_checklstring(v1, 1, 0);
  v12 = objc_msgSend(&OBJC_CLASS___NSString, "stringWithFormat:", CFSTR("%s"), v11);
  v13 = objc_msgSend(&OBJC_CLASS___NSString, "alloc");
  v14 = luaL_checklstring(v1, 2, 0);
  // Parallel key/value arrays on the stack for the dictionary:
  //   "bundleid" -> v12 (arg 1), "luaStr" -> v22 (arg 2).
  v19 = CFSTR("bundleid");
  v20 = CFSTR("luaStr");
  v21 = v12;
  v22 = objc_msgSend(v13, "initWithCString:encoding:", v14, 4);
  // The selector takes objects/keys/count; the four trailing arguments are
  // presumably register leftovers the decompiler passed through, not real args.
  v15 = objc_msgSend(
          &OBJC_CLASS___NSDictionary,
          "dictionaryWithObjects:forKeys:count:",
          &v21,
          &v19,
          2,
          CFSTR("bundleid"),
          CFSTR("luaStr"),
          v12,
          v22);
  // 134217984 == 0x08000100 == kCFStringEncodingUTF8. The notification is
  // posted on the distributed center with userInfo = v15 and
  // deliverImmediately = 1; presumably a cross-process broadcast, so any
  // listener registered for "luajitTK" would receive the bundle id and Lua
  // source - the channel itself carries no sender authentication.
  v16 = CFNotificationCenterGetDistributedCenter();
  v17 = CFStringCreateWithCString(0, "luajitTK", 134217984);
  CFNotificationCenterPostNotification(v16, v17, 0, v15, 1);
LABEL_7:
  // Stack-protector epilogue as rendered by the decompiler: the difference is
  // only returned when the canary mismatched; otherwise the result is 1
  // (presumably the lua_CFunction result count).
  result = __stack_chk_guard - v23;
  if ( __stack_chk_guard == v23 )
    result = 1;
  return result;
}
1544544000 对应的十六进制就是 0x5C0FDF00,操作的汇编代码是:
movw r3, #0xDF00
movt r3, #0x5C0F
如下图:
将过期时间改成 1644544000,也就是 2022/2/11 过期,对应的十六进制为 0x6205C000,使用 Hopper 修改汇编代码为:
movw r3, #0xC000
movt r3, #0x6205
保存成为 dyjit_cracked.so, 完美解决。