-
-
[原创]arthas利器举例
-
发表于: 2020-1-14 21:52
-
上一篇抛砖引玉,没有任何回复,现在再来一块砖,简单实用例子,让大家看到它的威力。大家应该都知道burpsuite,估计有许多用过破解版的,最出名的它的破解工具就是surferxyz的burp-loader-keygen。这个工具没有混淆,可以很容易反编译看到它的源代码,不像其他破解工具都是很变态的混淆,根本无法查看到破解原理。这款破解工具强大的地方在于,它的代码放到你的面前,你却看不懂它的破解原理,比起混淆的保护,这个在智商上进行的了强大的碾压,所以不得不佩服这些搞破解人的大脑。
另一个发布这个破解工具的网站,有人说
是的,burp的算法包含rsa1024,由于私钥无法解密出来,所以keygen的破解办法是替换公钥,loader做的方法就是每次启动替换,引用TheCjw/LCG的说明:公钥在经过两层AES/ECB加密的class里,loader使用占坑java.math.BigInteger的方式Patch公钥。
占坑来patch公钥,听着很简单,但是什么原理
http://scz.617.cn:8/misc/201909271517.txt
这个网站分析的全面点,是修改了BigInteger的compareTo方法,下面我们用arthas来验证一下
我们先看一些其他的,最后再看compareTo方法
看一下启动过程
[arthas@14545]$ thread 1 "main" Id=1 WAITING on burp.joh@420589cd at java.lang.Object.wait(Native Method) - waiting on burp.joh@420589cd at java.lang.Object.wait(Object.java:502) at burp.joh.b(Unknown Source) at burp.xvd.a(Unknown Source) at burp.xvd.b(Unknown Source) at burp.kag.a(Unknown Source) at burp.mcc.a(Unknown Source) at burp.hli.c(Unknown Source) at burp.hli.l(Unknown Source) at burp.StartBurp.main(Unknown Source) Affect(row-cnt:0) cost in 69 ms.
可以看到从main方法的启动流程。
下面直接看一下compareTo方法
[arthas@14545]$ trace java.math.BigInteger compareTo No class or method is affected, try: 1. sm CLASS_NAME METHOD_NAME to make sure the method you are tracing actually exists (it might be in your parent class). 2. reset CLASS_NAME and try again, your method body might be too large. 3. check arthas log: /home/googlewell/logs/arthas/arthas.log 4. visit https://github.com/alibaba/arthas/issues/47 for more details.
发现不行,不是类不存在,而是系统类,一般是jdk自带的类,因为安全原因,默认不允许,我们来开启它
[arthas@14545]$ options unsafe true NAME BEFORE-VALUE AFTER-VALUE ----------------------------------- unsafe false true
下面开始监听
[arthas@14545]$ trace java.math.BigInteger compareTo Press Q or Ctrl+C to abort. Affect(class-cnt:1 , method-cnt:2) cost in 82 ms.
程序开始监听,我们需要做的就是触发,只需要在下面输入注册吗,注册码不要乱写,要符合规则,不然到不了compareTo方法,我们直接从keygen复制一个。burpsuite我是普通方式打开的,没有通过keygen的命令,所以这里是验证不通过的。
我们点击next之后
[arthas@14545]$ trace java.math.BigInteger compareTo Press Q or Ctrl+C to abort. Affect(class-cnt:1 , method-cnt:2) cost in 82 ms. `---ts=2020-01-14 21:38:14;thread_name=AWT-EventQueue-0;id=14;is_daemon=false;priority=6;TCCL=null `---[1.690403ms] java.math.BigInteger:compareTo() `---ts=2020-01-14 21:38:14;thread_name=AWT-EventQueue-0;id=14;is_daemon=false;priority=6;TCCL=null `---[0.0716ms] java.math.BigInteger:compareTo()
发现并不是我们想要的结果,因为只有compareTo方法,没有调用流程。这里是我们搞错命令用法了,这个命令是方法内部调用路径,也就是我们跟踪到一个方法,想看这个方法里面调用其他方法的情况,这个compareTo没有内部方法了。stack输出当前方法被调用的调用路径,这个才是看被调用的,也就是我们知道这个方法,想看看谁在调用它,顺藤摸瓜。
[arthas@14545]$ stack java.math.BigInteger compareTo Press Q or Ctrl+C to abort. Affect(class-cnt:1 , method-cnt:2) cost in 47 ms.
然后我们再次触发一下看结果
[arthas@14545]$ stack java.math.BigInteger compareTo Press Q or Ctrl+C to abort. Affect(class-cnt:1 , method-cnt:2) cost in 47 ms. ts=2020-01-14 21:44:19;thread_name=AWT-EventQueue-0;id=14;is_daemon=false;priority=6;TCCL=null @java.math.BigInteger.compareTo() at java.math.BigInteger.modPow(BigInteger.java:2498) at burp.pyk.b(null:-1) at burp.pyk.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.tye.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.ygc.b(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.och.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.tzg.b(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.eqe.b(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.r6d.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.nxb.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.qyf.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.r4h.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.bvc.a(null:-1) at burp.q0d.b(null:-1) at burp.k1f.b(null:-1) at burp.mod.a(null:-1) at burp.rpc.actionPerformed(null:-1) at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022) at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348) at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402) at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259) at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252) at java.awt.Component.processMouseEvent(Component.java:6539) at javax.swing.JComponent.processMouseEvent(JComponent.java:3324) at java.awt.Component.processEvent(Component.java:6304) at java.awt.Container.processEvent(Container.java:2239) at java.awt.Component.dispatchEventImpl(Component.java:4889) at java.awt.Container.dispatchEventImpl(Container.java:2297) at java.awt.Component.dispatchEvent(Component.java:4711) at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4904) at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4535) at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4476) at java.awt.Container.dispatchEventImpl(Container.java:2283) at java.awt.Window.dispatchEventImpl(Window.java:2746) at java.awt.Component.dispatchEvent(Component.java:4711) at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:760) at java.awt.EventQueue.access$500(EventQueue.java:97) at java.awt.EventQueue$3.run(EventQueue.java:709) at java.awt.EventQueue$3.run(EventQueue.java:703) at java.security.AccessController.doPrivileged(AccessController.java:-2) at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74) at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:84) at java.awt.EventQueue$4.run(EventQueue.java:733) at java.awt.EventQueue$4.run(EventQueue.java:731) at java.security.AccessController.doPrivileged(AccessController.java:-2) at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74) at java.awt.EventQueue.dispatchEvent(EventQueue.java:730) at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205) at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116) at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93) at java.awt.EventDispatchThread.run(EventDispatchThread.java:82) ts=2020-01-14 21:44:19;thread_name=AWT-EventQueue-0;id=14;is_daemon=false;priority=6;TCCL=null @java.math.BigInteger.compareTo() at burp.pyk.b(null:-1) at burp.pyk.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.tye.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.ygc.b(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.och.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.tzg.b(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.eqe.b(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.r6d.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.nxb.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.qyf.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.r4h.a(null:-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at burp.bvc.a(null:-1) at burp.q0d.b(null:-1) at burp.k1f.b(null:-1) at burp.mod.a(null:-1) at burp.rpc.actionPerformed(null:-1) at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022) at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348) at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402) at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259) at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252) at java.awt.Component.processMouseEvent(Component.java:6539) at javax.swing.JComponent.processMouseEvent(JComponent.java:3324) at java.awt.Component.processEvent(Component.java:6304) at java.awt.Container.processEvent(Container.java:2239) at java.awt.Component.dispatchEventImpl(Component.java:4889) at java.awt.Container.dispatchEventImpl(Container.java:2297) at java.awt.Component.dispatchEvent(Component.java:4711) at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4904) at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4535) at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4476) at java.awt.Container.dispatchEventImpl(Container.java:2283) at java.awt.Window.dispatchEventImpl(Window.java:2746) at java.awt.Component.dispatchEvent(Component.java:4711) at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:760) at java.awt.EventQueue.access$500(EventQueue.java:97) at java.awt.EventQueue$3.run(EventQueue.java:709) at java.awt.EventQueue$3.run(EventQueue.java:703) at java.security.AccessController.doPrivileged(AccessController.java:-2) at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74) at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:84) at java.awt.EventQueue$4.run(EventQueue.java:733) at java.awt.EventQueue$4.run(EventQueue.java:731) at java.security.AccessController.doPrivileged(AccessController.java:-2) at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74) at java.awt.EventQueue.dispatchEvent(EventQueue.java:730) at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205) at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116) at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93) at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
如我们所愿,整个调用流程已经呈现出来了。
再看看watch吧,我这里就直接触发了,可以看到传的参数和返回结果了
[arthas@14545]$ watch java.math.BigInteger compareTo '{params,returnObj}' -n 10 -x
Press Q or Ctrl+C to abort.
Affect(class-cnt:1 , method-cnt:2) cost in 101 ms.
ts=2020-01-14 21:50:59; [cost=0.107528ms] result=@ArrayList[
@Object[][
@BigInteger[124738629534480032973221216538446528303324575633925115212696965608841776943873720505095613202508269959066436906898784998205530829923162983974106352433716894871489982902326093509712908876797725225107031946484660556100953152081279303345068843665216479965336584403210268895718334124563877785956530028295178054013],
],
@Integer[1],
]
ts=2020-01-14 21:50:59; [cost=0.855678ms] result=@ArrayList[
@Object[][
@BigInteger[41887057529670892417099675184988823562189446071931346590373401386382187010757776789530261107642241481765573564399372026635531434277689713893077238342140188697599815518285985173986994924529248330562438026019370691558401708440269202550454278192107132107963242024598323484846578375305324833393290098477915413311],
],
@Integer[-1],
]这里只是介绍利器的用法,不做其他分析了。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2020-1-14 21:56
被guduzhe编辑
,原因: 错别字
