定位到 dyjit.so 中验证授权时间的函数是 _erfgergtergtetgrwehgryhrrjhtuj。它把当前时间(取整到秒,并按有符号 32 位整数比较)与时间戳 1544544000 比较;1544544000 即 2018-12-12 00:00(UTC+8,对应 UTC 2018-12-11 16:00)。当前时间大于等于该值时,函数只弹出"请升级最新版"的 toast 然后返回,不会再继续后面的逻辑。伪代码如下:
/*
 * Decompiled (IDA-style) pseudocode of the authorization / expiry check in
 * dyjit.so (symbol _erfgergtergtetgrwehgryhrrjhtuj).  Only comments have
 * been added; the code is the decompiler output as found.
 *
 * a1 is used as a lua_State* (it is passed to luaL_checklstring), so this is
 * a Lua C function taking two string arguments.  On the normal path it
 * returns 1 (see the stack-protector block at the end); both failure cases
 * only show a toast, no Lua error is raised.
 *
 * Control flow:
 *   1. Expiry gate: current time (seconds since 1970, truncated to a signed
 *      32-bit int) >= 1544544000 -> toast "请升级最新版" and return.
 *   2. Presence gate: /Library/MobileSubstrate/DynamicLibraries/LuaJitTK.dylib
 *      must exist (access(..., F_OK) only) -> else toast "插件不完整,运行失败"
 *      and return.
 *   3. Otherwise post a distributed (system-wide) notification "luajitTK"
 *      whose userInfo is {bundleid: arg1, luaStr: arg2}.
 *
 * Both gates are purely local comparisons with no server round trip, which
 * is why patching the immediate 0x5C0FDF00 (the movw/movt pair shown below
 * the listing) or setting the device clock back defeats gate 1.
 */
int __fastcall erfgergtergtetgrwehgryhrrjhtuj(int a1)
{
    int v1; // r8
    void *v2; // r6
    void *v3; // r0
    void *v4; // r4
    void *v5; // r0
    void *v6; // r0
    double v7; // r4
    int v8; // r1
    void *v9; // r0
    const char *v10; // r1
    int v11; // r0
    void *v12; // r4
    void *v13; // r5
    int v14; // r0
    void *v15; // r4
    int v16; // r5
    int v17; // r0
    int result; // r0
    const __CFString *v19; // [sp+4h] [bp-2Ch]
    const __CFString *v20; // [sp+8h] [bp-28h]
    void *v21; // [sp+Ch] [bp-24h]
    void *v22; // [sp+10h] [bp-20h]
    int v23; // [sp+14h] [bp-1Ch]  stack-canary slot, compared at LABEL_7

    v1 = a1;   /* lua_State* (see the luaL_checklstring calls below) */

    /* --- 1. Expiry gate -----------------------------------------------------
     * "now" is formatted to a string and parsed back through the same
     * NSDateFormatter, which only drops sub-second precision (setDateFormat:
     * takes precedence over the date/time styles set just before it).
     * NOTE(review): the pattern uses "YYYY" (ICU week-based year) rather than
     * "yyyy"; around New Year the parsed date can differ from the real one. */
    v2 = objc_msgSend(&OBJC_CLASS___NSDate, "date");
    v3 = objc_msgSend(&OBJC_CLASS___NSDateFormatter, "alloc");
    v4 = objc_msgSend(v3, "init");
    objc_msgSend(v4, "setDateStyle:", 2);
    objc_msgSend(v4, "setTimeStyle:", 1);
    objc_msgSend(v4, "setDateFormat:", CFSTR("YYYY-MM-dd HH:mm:ss"));
    v5 = objc_msgSend(v4, "stringFromDate:", v2);
    v6 = objc_msgSend(v4, "dateFromString:", v5);
    /* timeIntervalSince1970 returns a double that comes back in the r0:r1
     * register pair; the decompiler reassembles it into v7 from r0 and v8. */
    LODWORD(v7) = objc_msgSend(v6, "timeIntervalSince1970");
    HIDWORD(v7) = v8;
    /* The threshold 1544544000 (0x5C0FDF00 = 2018-12-12 00:00 UTC+8) is an
     * immediate loaded by movw/movt, then needlessly round-tripped through
     * "%d" -> NSString -> longLongValue.  Patching that immediate is what
     * moves the expiry date. */
    v9 = objc_msgSend(&OBJC_CLASS___NSString, "stringWithFormat:", CFSTR("%d"), 1544544000);
    /* Both operands are truncated to signed 32-bit before comparing: a
     * replacement value above 0x7FFFFFFF would be read as negative and the
     * gate would trip on every call; the real clock itself wraps in 2038. */
    if ( (signed int)v7 >= (signed int)objc_msgSend(v9, "longLongValue") )
    {
        v10 = "请升级最新版";   /* "please upgrade to the latest version" */
        goto LABEL_5;
    }
    /* --- 2. Companion-plugin presence gate ------------------------------------
     * access(path, 0) is F_OK: only existence is tested, not owner, code
     * signature or contents, so any file at that path satisfies it. */
    if ( access("/Library/MobileSubstrate/DynamicLibraries/LuaJitTK.dylib", 0) )
    {
        v10 = "插件不完整,运行失败";   /* "plugin incomplete, run failed" */
LABEL_5:
        /* Both failures just toast the message; the function then returns 1
         * through LABEL_7 as if it had succeeded. */
        toast(v1, v10);
        goto LABEL_7;
    }
    /* --- 3. Hand the request to LuaJitTK via a distributed notification ------- */
    v11 = luaL_checklstring(v1, 1, 0);   /* Lua arg 1: bundle id */
    v12 = objc_msgSend(&OBJC_CLASS___NSString, "stringWithFormat:", CFSTR("%s"), v11);
    v13 = objc_msgSend(&OBJC_CLASS___NSString, "alloc");
    v14 = luaL_checklstring(v1, 2, 0);   /* Lua arg 2: Lua source text */
    v19 = CFSTR("bundleid");
    v20 = CFSTR("luaStr");
    v21 = v12;
    /* encoding 4 == NSUTF8StringEncoding.  initWithCString:encoding: returns
     * nil for bytes that are not valid UTF-8 (and stops at the first NUL);
     * a nil object handed to dictionaryWithObjects:forKeys:count: would raise
     * NSInvalidArgumentException, i.e. a crash reachable from the Lua caller. */
    v22 = objc_msgSend(v13, "initWithCString:encoding:", v14, 4);
    /* The arguments after count (2) appear to be decompiler noise from the
     * register contents; only &v21, &v19 and 2 are meaningful. */
    v15 = objc_msgSend(
            &OBJC_CLASS___NSDictionary,
            "dictionaryWithObjects:forKeys:count:",
            &v21,
            &v19,
            2,
            CFSTR("bundleid"),
            CFSTR("luaStr"),
            v12,
            v22);
    /* The distributed centre is system-wide: any process on the device can
     * subscribe to "luajitTK", so the bundle id and the complete Lua source
     * are effectively broadcast.  134217984 == 0x08000100 ==
     * kCFStringEncodingUTF8; the trailing 1 is deliverImmediately. */
    v16 = CFNotificationCenterGetDistributedCenter();
    v17 = CFStringCreateWithCString(0, "luajitTK", 134217984);   /* Create rule; no CFRelease in this listing -> leaks one CFString per call */
    CFNotificationCenterPostNotification(v16, v17, 0, v15, 1);
LABEL_7:
    /* Stack-protector epilogue as rendered by the decompiler: when the canary
     * matches the function returns 1 (presumably the Lua "number of results",
     * although nothing is pushed onto the Lua stack in this listing). */
    result = __stack_chk_guard - v23;
    if ( __stack_chk_guard == v23 )
        result = 1;
    return result;
}
1544544000 对应的十六进制是 0x5C0FDF00。ARM Thumb-2 的 movw/movt 每条只能装入 16 位立即数,所以这个常量被拆成低半字和高半字两次写入 r3,对应的汇编代码是:
movw r3, #0xDF00      ; r3 = 0x0000DF00  (low 16 bits of 1544544000 = 0x5C0FDF00)
movt r3, #0x5C0F      ; r3 = 0x5C0FDF00  (high 16 bits); r3 is the 1544544000 passed to stringWithFormat:
如下图:
将过期时间改成 1644544000(十六进制 0x6205C000,即 2022-02-11 09:46:40 UTC+8)后过期,使用 Hopper 把这两条指令改为:
movw r3, #0xC000
movt r3, #0x6205
保存为 dyjit_cracked.so,即可完美解决过期问题。需要注意两点:一是这只是把过期日期往后推,并没有去掉检查本身,2022/2/11 之后同样会再次提示"请升级最新版";二是伪代码中的比较是按有符号 32 位整数进行的((signed int)v7 >= (signed int)...),替换的时间戳不能超过 0x7FFFFFFF,否则会被当作负数而每次调用都判定为已过期。