去除试用版ioncube_encoder_xxx_64的14天限制
ionCube,一款PHP加密工具。有试用版Encoder,Decoder是免费的。
$ php -c php.ini -f hello.php
Hello World
$ ./ioncube_encoder_xxx_64 hello.php -o hello_enc.php
Error: The Encoder evaluation period has expired.一个月前还可以试用ionCube Encoder,中间去支持其他逆向工程的活儿,回来再测
就提示试用结束。
在"ioncube_encoder_evaluation/EVALUATION-README.txt"中看到
--------------------------------------------------------------------------
* WHAT IS DIFFERENT IN THE EVALUATION VERSION?
All features of the evaluation Encoder are fully functional, however:
1) Encoded files will expire after 36 hours, or sooner if you encode files to
expire earlier. Files can be encoded again to continue testing.
2) Encoded files contain a PHP comment to show they are encoded by the
evaluation Encoder. This text does not alter operation of encoded files,
and is not present in the release version.
* HOW LONG IS THE EVALUATION PERIOD?
The evaluation version will be functional for 14 days.
--------------------------------------------------------------------------意思是hello_enc.php只有36小时可用,试用版Encoder本身只有14天可用,先剁后者。strace -v -i -f -ff -o ioncube_encoder_xxx_64.log ./ioncube_encoder_xxx_64 hello.php -o hello_enc.php
在strace日志中看到,用exit_group(101)退出gdb -q -nx -x /tmp/gdbinit_x64.txt -x "/tmp/ShellPipeCommand.py" -x "/tmp/GetOffset.py" -ex 'display/5i $pc' ./ioncube_encoder_xxx_64
info files
b *0x4046a8
r hello.php -o hello_enc.php目标ELF没有_start符号,只能用地址设断。命中_start()后增设断点
catch syscall exit_group
(gdb) c
Continuing.
Error: The Encoder evaluation period has expired.
Catchpoint 2 (call to syscall exit_group), 0x00007ffff75ccc99 in _exit () from /lib64/libc.so.6
1: x/5i $pc
=> 0x7ffff75ccc99 <_exit+57>: cmp rax,0xfffffffffffff000
0x7ffff75ccc9f <_exit+63>: jbe 0x7ffff75ccc80 <_exit+32>
0x7ffff75ccca1 <_exit+65>: mov esi,eax
0x7ffff75ccca3 <_exit+67>: neg esi
0x7ffff75ccca5 <_exit+69>: mov DWORD PTR fs:[r10],esi
(gdb) bt
#0 0x00007ffff75ccc99 in _exit () from /lib64/libc.so.6
#1 0x00007ffff7540cfb in __run_exit_handlers () from /lib64/libc.so.6
#2 0x00007ffff7540d87 in exit () from /lib64/libc.so.6
#3 0x000000000040e13f in ?? ()
#4 0x00000000004116ef in ?? ()
#5 0x00007ffff7529555 in __libc_start_main () from /lib64/libc.so.6
#6 0x00000000004046d1 in ?? ()
...
(gdb) info proc mappings
process 22078
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x400000 0x540000 0x140000 0x0 /home/scz/src/php/ioncube_encoder_xxx_64
...
0x744000 0x771000 0x2d000 0x0 [heap]
...
0x7ffff7507000 0x7ffff76cb000 0x1c4000 0x0 /usr/lib64/libc-2.17.so
...先输出过期提示再退出。"b _exit"断不下来,因为ld-.so抢先提供了符号_exit,
我们需要断libc中的_exit()。
(gdb) info symbol _exit
_exit in section .text of /lib64/ld-linux-x86-64.so.2从strace日志看,只有一个write(2,x),还可以设断
catch syscall write不用针对句柄设条件断点。
(gdb) bt
#0 0x00007ffff75f6a90 in __write_nocancel () from /lib64/libc.so.6
#1 0x00007ffff75812f3 in _IO_new_file_write () from /lib64/libc.so.6
#2 0x00007ffff7581b90 in __GI__IO_file_xsputn () from /lib64/libc.so.6
#3 0x00007ffff757605b in fputs () from /lib64/libc.so.6
#4 0x000000000040d1e2 in ?? ()
#5 0x000000000040e01c in ?? ()
#6 0x00000000004116d5 in ?? ()
#7 0x00007ffff7529555 in __libc_start_main () from /lib64/libc.so.6
#8 0x00000000004046d1 in ?? ()
...
(gdb) i r rdi
rdi 0x2 2
(gdb) x/s *(char**)0x744ca0
0x76cb50: "Error: The Encoder evaluation period has expired.\n"过期提示被加密混淆后存放在ELF中,strings直接找不到,一种简单的反静态分析手
段。
通过前述两组调用栈回溯在IDA中定位位于main()中的关键调用:
(gdb) x/1i 0x410eb7
0x410eb7: call 0x4de4d0
(gdb) x/7i 0x4de6b4
0x4de6b4: jne 0x4de6c4
0x4de6b6: add rsp,0x88
0x4de6bd: pop rbx
0x4de6be: pop rbp
0x4de6bf: pop r12
0x4de6c1: pop r13
0x4de6c3: ret凭经验判断0x4de4d0处的函数在做过期检查,该函数中有肉眼可见的MD5特征常量,
但我未细究函数代码逻辑;0x4de6c3是其返回点,在返回点处让eax恒为0,应该能避
免过期退出。gdb -q -nx -x /tmp/gdbinit_x64.txt -x "/tmp/ShellPipeCommand.py" -x "/tmp/GetOffset.py" -ex 'display/5i $pc' ./ioncube_encoder_xxx_64
b *0x4de6c3
commands $bpnum
silent
set $eax=0
c
end
r hello.php -o hello_enc.php测试经ionCube加密过的hello_enc.php,无误。
$ php -c php.ini -f hello_enc.php
Hello World静态Patch试用版ioncube_encoder_xxx_64
$ rasm2 -a x86 -b 64 -s intel -o 0x4de6b4 "xor eax,eax"
31c0
$ rasm2 -a x86 -b 64 -s intel -o 0x4de6b4 -D 31c0
0x004de6b4 2 31c0 xor eax, eax
$ fc /b old new
000DE6B4: 75 31
000DE6B5: 0E C0
$ ./ioncube_encoder_xxx_64_scz some.php -o some_enc.php如有类似需求,理解逆向思路后自行Patch相应版本Encoder,切勿直接照搬。
版权属于:飞花堂
原文链接:https://scz.617.cn/web/202104141608.txt
本文链接:https://www.lvtao.net/tool/ioncube-encoder-crack.html
转载时须注明出处及本声明
