BetterZip 5.2 MacOS漏洞分析

这是Mac下面一个压缩App,这是分析日志,如有侵权请联系我,秒删。

App的验证使用了RSA,1024。首先使用openssl工具生成private-key和public-key,长度1024.

将public-key转成base64字符串。

通过Hopper Disassembler打开app,将Intel架构和arm架构的二进制文件分别导出分开处理,处理完成后可以用lipo重新组合成Fat文件。

使用010Editor打开这些文件,搜索:

"LS0tLS1"

这是app内置的public-key,使用起那么生成的自己的public-key的base64字符串更换之。保存。

再使用Hopper Disassembler打开这个文件,搜索:

codesign

你会找到一个函数,这个函数用于校验内嵌的public-key。直接跳过错误报告相关代码即可。然后接下来就是使用魔法了:

//
//  base64 encoding and decoding with C++.
//  Version: 2.rc.08 (release candidate)
//

#ifndef BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A
#define BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A

#include <string>

#if __cplusplus >= 201703L
#include <string_view>
#endif  // __cplusplus >= 201703L

/// Encode @p s. With @p url set, the URL-safe alphabet ("-", "_") is used and
/// '.' is emitted as the padding character; otherwise "+", "/" and '='.
std::string base64_encode     (std::string const& s, bool url = false);
/// Encode @p s with the standard alphabet, broken into 64-character lines.
std::string base64_encode_pem (std::string const& s);
/// Encode @p s with the standard alphabet, broken into 76-character lines.
std::string base64_encode_mime(std::string const& s);

/// Decode @p s. Both alphabets are accepted and the last group may be padded
/// with '=' or '.'. When @p remove_linebreaks is set, '\n' characters are
/// stripped first. Throws std::runtime_error on a character outside the
/// alphabet.
std::string base64_decode(std::string const& s, bool remove_linebreaks = false);
/// Encode @p len raw bytes starting at the given pointer; @p url as above.
std::string base64_encode(unsigned char const*, size_t len, bool url = false);

#if __cplusplus >= 201703L
//
// Interface with std::string_view rather than const std::string&
// Requires C++17
// Provided by Yannic Bonenberger (https://github.com/Yannic)
//
/// std::string_view counterparts of the overloads above; same semantics
/// (@p url selects the URL-safe alphabet and '.' padding, pem = 64-character
/// lines, mime = 76-character lines).
std::string base64_encode     (std::string_view s, bool url = false);
std::string base64_encode_pem (std::string_view s);
std::string base64_encode_mime(std::string_view s);

/// Decode @p s; see the std::string overload. Throws std::runtime_error on a
/// character outside the alphabet.
std::string base64_decode(std::string_view s, bool remove_linebreaks = false);
#endif  // __cplusplus >= 201703L

#endif /* BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A */

 

/*
   base64.cpp and base64.h

   base64 encoding and decoding with C++.
   More information at
     https://renenyffenegger.ch/notes/development/Base64/Encoding-and-decoding-base-64-with-cpp

   Version: 2.rc.08 (release candidate)

   Copyright (C) 2004-2017, 2020, 2021 René Nyffenegger

   This source code is provided 'as-is', without any express or implied
   warranty. In no event will the author be held liable for any damages
   arising from the use of this software.

   Permission is granted to anyone to use this software for any purpose,
   including commercial applications, and to alter it and redistribute it
   freely, subject to the following restrictions:

   1. The origin of this source code must not be misrepresented; you must not
      claim that you wrote the original source code. If you use this source code
      in a product, an acknowledgment in the product documentation would be
      appreciated but is not required.

   2. Altered source versions must be plainly marked as such, and must not be
      misrepresented as being the original source code.

   3. This notice may not be removed or altered from any source distribution.

   René Nyffenegger rene.nyffenegger@adp-gmbh.ch

*/

#include "base64.h"

#include <algorithm>
#include <stdexcept>

 //
 // The two base64 alphabets, indexed by the `url` flag of base64_encode():
 // [0] is the standard alphabet (RFC 4648 section 4, "+" and "/"),
 // [1] the URL-safe alphabet (RFC 4648 section 5, "-" and "_").
 // The first 62 characters are identical; only the last two differ.
 //
static const char* base64_chars[2] = {
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"};

static unsigned int pos_of_char(const unsigned char chr) {
 //
 // Return the index of chr within the base64 alphabet (base64_chars), i.e.
 // its 6-bit value. Both alphabets are accepted: '+' and '-' map to 62,
 // '/' and '_' to 63. Any other character throws std::runtime_error.
 //
    constexpr unsigned int kUpperBase = 0;   // 'A'..'Z' -> 0..25
    constexpr unsigned int kLowerBase = 26;  // 'a'..'z' -> 26..51
    constexpr unsigned int kDigitBase = 52;  // '0'..'9' -> 52..61

    if (chr >= 'A' && chr <= 'Z') {
        return kUpperBase + (chr - 'A');
    }
    if (chr >= 'a' && chr <= 'z') {
        return kLowerBase + (chr - 'a');
    }
    if (chr >= '0' && chr <= '9') {
        return kDigitBase + (chr - '0');
    }

    switch (chr) {
        case '+':
        case '-':
            return 62;
        case '/':
        case '_':
            return 63;
        default:
            break;
    }

 //
 // 2020-10-23: Throw std::exception rather than const char*
 //(Pablo Martin-Gomez, https://github.com/Bouska)
 //
    throw std::runtime_error("Input is not valid base64-encoded data.");
}

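static std::string insert_linebreaks(std::string str, size_t distance) {
 //
 // Provided by https://github.com/JomaCorpFX, adapted by me.
 //
 // Return str with a '\n' inserted after every `distance` characters; no
 // trailing newline is added. An empty str yields an empty string.
 //
    // distance == 0 used to loop forever (the insertion position could never
    // overtake the growing string); treat it as "no line breaks" instead.
    if (str.empty() || distance == 0) {
        return str;
    }

    std::string out;
    out.reserve(str.size() + str.size() / distance);

    // Copy line by line rather than inserting into the middle of str, which
    // shifted the tail on every insertion.
    for (size_t start = 0; start < str.size(); start += distance) {
        if (start != 0) {
            out.push_back('\n');
        }
        out.append(str, start, distance);
    }

    return out;
}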

template <typename String, unsigned int line_length>
static std::string encode_with_line_breaks(String s) {
  return insert_linebreaks(base64_encode(s, false), line_length);
}

template <typename String>
static std::string encode_pem(String s) {
  // PEM bodies are wrapped at 64 characters.
  constexpr unsigned int kPemLineLength = 64;
  return encode_with_line_breaks<String, kPemLineLength>(s);
}

template <typename String>
static std::string encode_mime(String s) {
  // MIME (RFC 2045) limits encoded lines to 76 characters.
  constexpr unsigned int kMimeLineLength = 76;
  return encode_with_line_breaks<String, kMimeLineLength>(s);
}

template <typename String>
static std::string encode(String s, bool url) {
  // Hand the string's bytes to the byte-oriented base64_encode overload.
  const unsigned char* bytes = reinterpret_cast<const unsigned char*>(s.data());
  return base64_encode(bytes, s.length(), url);
}

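std::string base64_encode(unsigned char const* bytes_to_encode, size_t in_len, bool url) {
 //
 // Encode in_len bytes starting at bytes_to_encode.
 // url == false: standard alphabet ("+", "/") and '=' padding.
 // url == true:  URL-safe alphabet ("-", "_") and '.' as the padding
 //               character (note: RFC 4648 pads URL-safe output with '='
 //               as well; '.' is this library's own convention).
 // Returns the encoded text without line breaks; in_len == 0 yields "".
 //

    // Every group of 3 input bytes (the last one rounded up) becomes 4 output characters.
    size_t len_encoded = (in_len +2) / 3 * 4;

    unsigned char trailing_char = url ? '.' : '=';

 //
 // Choose set of base64 characters. They differ
 // for the last two positions, depending on the url
 // parameter.
 // A bool (as is the parameter url) is guaranteed
 // to evaluate to either 0 or 1 in C++ therefore,
 // the correct character set is chosen by subscripting
 // base64_chars with url.
 //
    const char* base64_chars_ = base64_chars[url];

    std::string ret;
    ret.reserve(len_encoded);

    // size_t rather than unsigned int: pos is compared with and advanced
    // towards in_len, so it must be able to represent every value in_len can
    // (an unsigned int index wraps for inputs of 4 GiB and more).
    size_t pos = 0;

    while (pos < in_len) {
        // Character 1: top 6 bits of byte 0.
        ret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0xfc) >> 2]);

        if (pos+1 < in_len) {
           // Character 2: low 2 bits of byte 0, top 4 bits of byte 1.
           ret.push_back(base64_chars_[((bytes_to_encode[pos + 0] & 0x03) << 4) + ((bytes_to_encode[pos + 1] & 0xf0) >> 4)]);

           if (pos+2 < in_len) {
              // Characters 3 and 4: low 4 bits of byte 1 + top 2 bits of byte 2, then low 6 bits of byte 2.
              ret.push_back(base64_chars_[((bytes_to_encode[pos + 1] & 0x0f) << 2) + ((bytes_to_encode[pos + 2] & 0xc0) >> 6)]);
              ret.push_back(base64_chars_[  bytes_to_encode[pos + 2] & 0x3f]);
           }
           else {
              // Only 2 bytes in the final group: one data character, one pad.
              ret.push_back(base64_chars_[(bytes_to_encode[pos + 1] & 0x0f) << 2]);
              ret.push_back(trailing_char);
           }
        }
        else {
            // Only 1 byte in the final group: one data character, two pads.
            ret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0x03) << 4]);
            ret.push_back(trailing_char);
            ret.push_back(trailing_char);
        }

        pos += 3;
    }


    return ret;
}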

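template <typename String>
static std::string decode(String encoded_string, bool remove_linebreaks) {
 //
 // decode(…) is templated so that it can be used with String = const std::string&
 // or std::string_view (requires at least C++17)
 //
 // Throws std::runtime_error (from pos_of_char) for a character outside the
 // alphabet, and for a trailing lone character that cannot form a group.
 //

    if (encoded_string.empty()) return std::string();

    if (remove_linebreaks) {

       std::string copy(encoded_string);

       copy.erase(std::remove(copy.begin(), copy.end(), '\n'), copy.end());

       return base64_decode(copy, false);
    }

    size_t length_of_string = encoded_string.length();
    size_t pos = 0;

 //
 // The approximate length (bytes) of the decoded string might be one or
 // two bytes smaller, depending on the amount of trailing equal signs
 // in the encoded string. This approximation is needed to reserve
 // enough space in the string to be returned.
 //
    size_t approx_length_of_decoded_string = length_of_string / 4 * 3;
    std::string ret;
    ret.reserve(approx_length_of_decoded_string);

    while (pos < length_of_string) {
    //
    // Iterate over encoded input string in chunks. The size of all
    // chunks except the last one is 4 bytes.
    //
    // The last chunk might be padded with equal signs or dots
    // in order to make it 4 bytes in size as well, but this
    // is not required as per RFC 2045.
    //
    // All chunks except the last one produce three output bytes.
    //
    // The last chunk produces at least one and up to three bytes.
    //

    //
    // A chunk needs at least two characters to produce its first byte.
    // Check this explicitly instead of reading encoded_string[pos+1]
    // unconditionally: std::string returns '\0' at index size() (which
    // pos_of_char then rejects), but std::string_view has no such
    // guarantee and would be read past its end.
    //
       if (pos + 1 >= length_of_string) {
          throw std::runtime_error("Input is not valid base64-encoded data.");
       }

       unsigned int pos_of_char_1 = pos_of_char(encoded_string[pos+1] );

    //
    // Emit the first output byte that is produced in each chunk:
    //
       ret.push_back(static_cast<std::string::value_type>( ( (pos_of_char(encoded_string[pos+0]) ) << 2 ) + ( (pos_of_char_1 & 0x30 ) >> 4)));

       if ( ( pos + 2 < length_of_string  )       &&  // Check for data that is not padded with equal signs (which is allowed by RFC 2045)
              encoded_string[pos+2] != '='        &&
              encoded_string[pos+2] != '.'            // accept URL-safe base 64 strings, too, so check for '.' also.
          )
       {
       //
       // Emit a chunk's second byte (which might not be produced in the last chunk).
       //
          unsigned int pos_of_char_2 = pos_of_char(encoded_string[pos+2] );
          ret.push_back(static_cast<std::string::value_type>( (( pos_of_char_1 & 0x0f) << 4) + (( pos_of_char_2 & 0x3c) >> 2)));

          if ( ( pos + 3 < length_of_string )     &&
                 encoded_string[pos+3] != '='     &&
                 encoded_string[pos+3] != '.'
             )
          {
          //
          // Emit a chunk's third byte (which might not be produced in the last chunk).
          //
             ret.push_back(static_cast<std::string::value_type>( ( (pos_of_char_2 & 0x03 ) << 6 ) + pos_of_char(encoded_string[pos+3])   ));
          }
       }

       pos += 4;
    }

    return ret;
}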

/// Decode @p s (either alphabet, '=' or '.' padding); strip '\n' first when
/// @p remove_linebreaks is set. Throws std::runtime_error on invalid input.
std::string base64_decode(std::string const& s, bool remove_linebreaks) {
   std::string decoded = decode(s, remove_linebreaks);
   return decoded;
}

/// Encode @p s; @p url selects the URL-safe alphabet and '.' padding.
std::string base64_encode(std::string const& s, bool url) {
   std::string encoded = encode(s, url);
   return encoded;
}

/// Encode @p s with the standard alphabet in 64-character lines.
std::string base64_encode_pem (std::string const& s) {
   std::string wrapped = encode_pem(s);
   return wrapped;
}

/// Encode @p s with the standard alphabet in 76-character lines.
std::string base64_encode_mime(std::string const& s) {
   std::string wrapped = encode_mime(s);
   return wrapped;
}

#if __cplusplus >= 201703L
//
// Interface with std::string_view rather than const std::string&
// Requires C++17
// Provided by Yannic Bonenberger (https://github.com/Yannic)
//

/// std::string_view overload; @p url selects the URL-safe alphabet and '.' padding.
std::string base64_encode(std::string_view s, bool url) {
   std::string encoded = encode(s, url);
   return encoded;
}

/// std::string_view overload: standard alphabet, 64-character lines.
std::string base64_encode_pem(std::string_view s) {
   std::string wrapped = encode_pem(s);
   return wrapped;
}

/// std::string_view overload: standard alphabet, 76-character lines.
std::string base64_encode_mime(std::string_view s) {
   std::string wrapped = encode_mime(s);
   return wrapped;
}

/// std::string_view overload of base64_decode; throws std::runtime_error on
/// invalid input.
std::string base64_decode(std::string_view s, bool remove_linebreaks) {
   std::string decoded = decode(s, remove_linebreaks);
   return decoded;
}

#endif  // __cplusplus >= 201703L

 

#include <cstdlib>
#include <ctime>

#include <openssl/rsa.h>
#include <openssl/pem.h>

std::string gen_raw_license(const std::string& name)
{
    // Builds the plaintext record that encrypt_string() later encrypts:
    // 16-byte header + up-to-7-digit number + " " + 10-char date + " " +
    // 4-char count + "  " + name, concatenated in that order.
    // Note: sprintf comes from <cstdio>, which is not among the includes
    // visible in this listing.

    // Wall-clock seed; rand() is not a cryptographic source, which does not
    // matter here because the value only fills a serial-number field.
    srand((unsigned)time(NULL));
    
    /*
    # There are several possible headers, but each is at most 0x10 (16) bytes:
    # __MAS_BetterZp2_    // temporary license
    # __MIB_BZ-Friend_
    # __MIB_T
    # __MIB_BetterZip_
    #   Only a code carrying one of these headers is treated as a valid registration code
    */
    // 16
    std::string key("__MIB_BZ-Friend_");
    
    // 7 — actually *up to* 7: substr(0, 7) yields fewer characters when
    // rand() produced a number with fewer digits, so this field is not
    // fixed-width.
    int value = rand();
    char valueTemp[64];
    sprintf(valueTemp, "%d", value); // an int's decimal form (<= 11 chars + NUL) fits in 64
    key += std::string(valueTemp).substr(0, 7);
    
    // 1
    key += " ";
    
    // 10 — date field (presumably an expiry; the code itself does not say)
    key += "2050-12-31";
    
    // 1
    key += " ";
    
    // 4 license count
    key += "1000";
    
    // 2
    key += "  ";
    
    // your name (no length limit applied here)
    key += name;
    
    return key;
}

// Public key: the base64 form of this key is what the procedure above writes
// into the application's executable. It is the verification half of the pair
// whose private half is `sk` below; decrypt_string() reads it.
const std::string pk = std::string("-----BEGIN PUBLIC KEY-----\n") +
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTlCZFucurE+QNupniPUXz5RwN\n" +
"dhRAplB+jd51U4NTcpDl4AL3LppKdRxEyt4FlvLiE66tmonEJTc4BcaRurxxXOuY\n" +
"+0IS4l28FynYT/yDpdoiop0Jf2NCa8V5nCBISKp1Lgvz7AbHBw+3KNCF1UdrOeRs\n" +
"r/GBOSXosmTzPMRUNwIDAQAB\n" +
"-----END PUBLIC KEY-----";

// Private key => this key pair was generated with openssl, 1024 bits.
// NOTE(review): private key material is embedded in source; anyone holding
// this file can produce records that `pk` accepts. 1024-bit RSA is also
// below the 2048-bit minimum generally recommended today.
const std::string sk = std::string("-----BEGIN RSA PRIVATE KEY-----\n") +
"MIICXAIBAAKBgQDTlCZFucurE+QNupniPUXz5RwNdhRAplB+jd51U4NTcpDl4AL3\n"+
"LppKdRxEyt4FlvLiE66tmonEJTc4BcaRurxxXOuY+0IS4l28FynYT/yDpdoiop0J\n"+
"f2NCa8V5nCBISKp1Lgvz7AbHBw+3KNCF1UdrOeRsr/GBOSXosmTzPMRUNwIDAQAB\n"+
"AoGALyDC3akjCrplhAFaoaBQYqFX/E+e9z+Uknv7X1r416+fQvUA9Bo3V/p6D4C4\n"+
"r7oN4/nKYPUZVs2LXTk8H93ed2IikcevB4vnHgO3ym5vt+KyrmCemwyV/rbA5kg5\n"+
"sDvMqXJr2/FfQtLR3GLumZJN2r5Hcq1Kgo3tgx7gsoZm4JECQQDxCoSeyWPuyQKx\n"+
"3aHWJkVybmHD5d6HuFFyaM4pOAOXaGrtkZSrh3c+NJhAuW62d+oE8kwCNymz74G5\n"+
"Pq+5yRftAkEA4LWOGKAeidLFM2RON3DFMNDH3KEB4C9144SilzVr6dDEOgBqdCya\n"+
"+vazx2J0OV8Bm5ocqtTBOT4ZmD7BXtTQMwJASEwYVSwgnjmKZmEMrpfSEq2LA2AK\n"+
"K/kb7M4EsBZN9XbrQ5B74CsEmBLca+VykKZM+ejW5X84MfEvnqlvubDYTQJBAKAv\n"+
"7OcTJhH8JcY4CCYvhvMAsqlOQecODk0t3TZLx+z7fRcX+stsjOLBAXHudon7d0r0\n"+
"duE1H7Vt1pMYkYLH1M8CQEZ76ME68DE7DkTPhBvPL22O898Kt89bCen68EVv3kl8\n"+
"7k4XsAGrLldX6xvV/oeLDI+uRiYqZylS2PFY3XcT3f8=\n"+
"-----END RSA PRIVATE KEY-----";

std::string decrypt_string(const void* data, size_t length)
{
    // Recovers the plaintext of a record produced by encrypt_string(): the
    // first 0x80 bytes at `data` go through RSA_public_decrypt with `pk`.
    // `length` is never used — 0x80 (128 bytes, the modulus size of a
    // 1024-bit key) is hard-coded, so the caller must supply at least that
    // much readable input.
    // Returns "Error" (after printing to stdout) if the RSA call fails;
    // otherwise the decrypted bytes up to their first NUL.
    // Note: printf comes from <cstdio>, which is not among the includes
    // visible in this listing.
    BIO* bio = BIO_new_mem_buf(pk.c_str(), (int)pk.size());
    
    RSA* rsa = NULL;
    // Return value unchecked: if the PEM does not parse, rsa stays NULL and
    // is handed to RSA_public_decrypt below.
    PEM_read_bio_RSA_PUBKEY(bio, &rsa, 0, 0);
    
    // Zero-filled so the output is NUL-terminated for the std::string
    // conversion below; RSA_public_decrypt writes at most the modulus size
    // (128 bytes here), well inside 1024.
    char buf[1024] = {0};
    
    int ret = RSA_public_decrypt(0x80, (const unsigned char*)data, (unsigned char*)buf, rsa, RSA_PKCS1_PADDING);
    
    if(ret == -1)
    {
        BIO_free(bio);
        
        printf("decrypt error:%d\n", ret);
        return "Error";
    }
    
    BIO_free(bio);
    // NOTE(review): `rsa` is not released with RSA_free() on either path.
    
    // `str` is never used; the return below converts `buf` a second time.
    std::string str = buf;
    
    return buf;
}

std::string encrypt_string(const std::string& str)
{
    // Encrypts `str` with the private key `sk` (RSA_private_encrypt,
    // PKCS#1 v1.5 padding) and returns the result base64-encoded with the
    // standard alphabet. Returns "Error" (after printing to stdout) if the
    // RSA call fails — which it does for inputs longer than the modulus
    // size minus 11 bytes (117 for this 1024-bit key).
    // Note: assert needs <cassert> and printf <cstdio>; neither include is
    // visible in this listing.
    RSA* rsa = NULL;
    BIO* bio = BIO_new_mem_buf(sk.c_str(), (int)sk.size());
    
    PEM_read_bio_RSAPrivateKey(bio, &rsa, 0,0);
    
    // Aborts (in debug builds) if the PEM did not parse; in release builds
    // with NDEBUG the NULL would reach RSA_private_encrypt instead.
    assert(rsa!=NULL);
    
    // Not zero-initialised; only the `ret` bytes written below are read.
    char buf[1024];
    int ret = RSA_private_encrypt((int)str.length(), (const unsigned char *)str.data(), (unsigned char*)buf, rsa, RSA_PKCS1_PADDING);
    
    if(ret == -1)
    {
        BIO_free(bio);
        
        // Message says "decrypt" although this is the encrypt path.
        printf("decrypt error:%d\n", ret);
        return "Error";
    }
    
    BIO_free(bio);
    // NOTE(review): `rsa` is not released with RSA_free() on either path.
    
    // `ret` is the number of ciphertext bytes (the modulus size on success).
    std::string str2 = base64_encode((unsigned char const*)buf, ret);
    
    return str2;
}

std::string gen_license(const std::string& name)
{
    // Builds the plaintext record for `name` and returns it encrypted with
    // `sk` and base64-encoded (see encrypt_string()). If the RSA step fails,
    // encrypt_string() returns the literal "Error", which is passed through.
    std::string rawKey = gen_raw_license(name);
    
    return encrypt_string(rawKey);
}

 
