GenyMotion is a very popular android emulator around the world,so we need to do something for it.I want to show you some ideas for reversing this software.

The methods outlined in this article are only suggestions,it’s not a real crack.and i’ll introduce some useful method for ghidra.

Now,let’s start.

1.Change The License About Register Time.

Open the ghidra reverse engineer,load the genymotion application in the path /Applications/Genymotion.app/Contents/MacOS/genymotion.You need open the diretory in finding,drag and drop the file to the ghidra’s windows.

Search the string ‘expire’. (Search —> For Strings)

The result is:

Take a look at string “License about to expire”

Right click to copy the address “10015f2b4” for further use.(Copy–>Copy Columns–>Location)

Click ‘g'(or Navigation –> Go To… ) go to the address we found.

Right click to show the reference to this address or this function to step over.(References –> Show References to…)

we’ll see it’s jump to a new address “1000317e8”

This address is in the function as below,you could analyse this function to complete something.

                     ********************************************************                      FUNCTION                       ********************************************************undefined FUN_1000f6460()undefined       AL:1         <RETURN>FUN_1000f6460                             XREF[5]:   FUN_1000f4c90:1000f4f33(c), FUN_1000f51b0:1000f51b5(c), FUN_1000f5510:1000f5519(c), FUN_1000f6770:1000f67a9(c), FUN_1000f68a0:1000f68bd(c)  1000f6460 55            PUSH      RBP1000f6461 48 89 e5      MOV       RBP,RSP1000f6464 41 57         PUSH      R151000f6466 41 56         PUSH      R141000f6468 53            PUSH      RBX1000f6469 48 83 ec      SUB       RSP,0x38381000f646d 49 89 ff      MOV       R15,RDI1000f6470 48 8d 5d      LEA       RBX,[RBP + -0x28]d81000f6474 48 89 df      MOV       RDI,RBX1000f6477 e8 f8 ea      CALL      __stubs::__ZN9QDateTime18currentDateTimeU  undefined __ZN9QDateTime18cu03 001000f647c 4d 69 77      IMUL      R14,qword ptr [R15 + 0x58],0x3e858 e8 03 00 001000f6484 48 89 df      MOV       RDI,RBX1000f6487 e8 0a f0      CALL      __stubs::__ZNK9QDateTime17toMSecsSinceEpo  undefined __ZNK9QDateTime17t03 001000f648c 48 89 c3      MOV       RBX,RAX1000f648f 49 8d 7f      LEA       RDI,[R15 + 0x30]301000f6493 e8 fe ef      CALL      __stubs::__ZNK9QDateTime17toMSecsSinceEpo  undefined __ZNK9QDateTime17t03 001000f6498 48 29 d8      SUB       RAX,RBX1000f649b 4c 01 f0      ADD       RAX,R141000f649e 48 3d 87      CMP       RAX,0x138713 00 001000f64a4 0f 8f b2      JG        LAB_1000f655c00 00 001000f64aa c7 45 b0      MOV       dword ptr [RBP + -0x50],0x202 00 00 001000f64b1 c7 45 c4      MOV       dword ptr [RBP + -0x3c],0x000 00 00 001000f64b8 48 c7 45      MOV       qword ptr [RBP + -0x44],0x0bc 00 00 00 001000f64c0 48 c7 45      MOV       qword ptr [RBP + -0x4c],0x0b4 00 00 00 001000f64c8 48 8d 05      LEA       RAX,[s_default_10015e50f]                  = "default"40 80 06 001000f64cf 48 89 45      MOV       qword ptr [RBP + -0x38],RAX=>s_default_10  = "default"c81000f64d3 48 8d 7d      LEA       RDI,[RBP + -0x30]d01000f64d7 48 8d 75      LEA       RSI,[RBP + -0x50]b01000f64db e8 34 ed      CALL      __stubs::__ZNK14QMessageLogger5debugEv     undefined __ZNK14QMessageLog03 001000f64e0 4c 8b 75      MOV       R14,qword ptr [RBP + -0x30]d01000f64e4 48 8d 35      LEA       RSI,[s_License_has_expired_100163e44]      = "License has expired"59 d9 06 001000f64eb 48 8d 7d      LEA       RDI,[RBP + -0x20]e01000f64ef ba 13 00      MOV       EDX,0x1300 001000f64f4 e8 0d e9      CALL      __stubs::__ZN7QString15fromUtf8_helperEPK  undefined __ZN7QString15from03 001000f64f9 48 8d 75      LEA       RSI,[RBP + -0x20]e01000f64fd 4c 89 f7      MOV       RDI,R141000f6500 e8 99 e4      CALL      __stubs::__ZN11QTextStreamlsERK7QString    undefined __ZN11QTextStreaml03 001000f6505 48 8b 7d      MOV       RDI,qword ptr [RBP + -0x20]e01000f6509 8b 07         MOV       EAX,dword ptr [RDI]1000f650b 83 f8 ff      CMP       EAX,-0x11000f650e 74 25         JZ        LAB_1000f65351000f6510 85 c0         TEST      EAX,EAX1000f6512 74 12         JZ        LAB_1000f65261000f6514 b8 ff ff      MOV       EAX,0xffffffffff ff1000f6519 f0            LOCK1000f651a 0f c1 07      XADD      dword ptr [RDI],EAX1000f651d 83 f8 01      CMP       EAX,0x11000f6520 75 13         JNZ       LAB_1000f65351000f6522 48 8b 7d      MOV       RDI,qword ptr [RBP + -0x20]e0

We could use the same method to analyse the other string,such as “License has expired”,”license.expired”. and so on.

2.Change The Jump Condition

Track the string “License_has_expired”.

1. Address 100163e44

                         s_License_has_expired_100163e44           XREF[2]:   FUN_1000f6460:1000f64e4(*),
FUN_10010a810:10010b949(*)  100163e44 4c 69 63      ds        "License has expired"65 6e 73 65 20 68

We could found two calls for this function.

2. Address 1000f64e4 in the function below,it’s caculate for expire time.

                         ********************************************************                      FUNCTION                       ********************************************************undefined FUN_1000f6460()undefined       AL:1         <RETURN>FUN_1000f6460                             XREF[5]:   FUN_1000f4c90:1000f4f33(c), FUN_1000f51b0:1000f51b5(c), FUN_1000f5510:1000f5519(c), FUN_1000f6770:1000f67a9(c), FUN_1000f68a0:1000f68bd(c)  1000f6460 55            PUSH      RBP1000f6461 48 89 e5      MOV       RBP,RSP1000f6464 41 57         PUSH      R151000f6466 41 56         PUSH      R141000f6468 53            PUSH      RBX1000f6469 48 83 ec      SUB       RSP,0x38381000f646d 49 89 ff      MOV       R15,RDI1000f6470 48 8d 5d      LEA       RBX,[RBP + -0x28]d81000f6474 48 89 df      MOV       RDI,RBX1000f6477 e8 f8 ea      CALL      __stubs::__ZN9QDateTime18currentDateTimeU  undefined __ZN9QDateTime18cu03 001000f647c 4d 69 77      IMUL      R14,qword ptr [R15 + 0x58],0x3e858 e8 03 00 001000f6484 48 89 df      MOV       RDI,RBX1000f6487 e8 0a f0      CALL      __stubs::__ZNK9QDateTime17toMSecsSinceEpo  undefined __ZNK9QDateTime17t03 001000f648c 48 89 c3      MOV       RBX,RAX1000f648f 49 8d 7f      LEA       RDI,[R15 + 0x30]301000f6493 e8 fe ef      CALL      __stubs::__ZNK9QDateTime17toMSecsSinceEpo  undefined __ZNK9QDateTime17t03 001000f6498 48 29 d8      SUB       RAX,RBX1000f649b 4c 01 f0      ADD       RAX,R141000f649e 48 3d 87      CMP       RAX,0x138713 00 001000f64a4 0f 8f b2      JG        LAB_1000f655c00 00 001000f64aa c7 45 b0      MOV       dword ptr [RBP + -0x50],0x202 00 00 001000f64b1 c7 45 c4      MOV       dword ptr [RBP + -0x3c],0x000 00 00 001000f64b8 48 c7 45      MOV       qword ptr [RBP + -0x44],0x0bc 00 00 00 001000f64c0 48 c7 45      MOV       qword ptr [RBP + -0x4c],0x0b4 00 00 00 001000f64c8 48 8d 05      LEA       RAX,[s_default_10015e50f]                  = "default"40 80 06 001000f64cf 48 89 45      MOV       qword ptr [RBP + -0x38],RAX=>s_default_10  = "default"c81000f64d3 48 8d 7d      LEA       RDI,[RBP + -0x30]d01000f64d7 48 8d 75      LEA       RSI,[RBP + -0x50]b01000f64db e8 34 ed      CALL      __stubs::__ZNK14QMessageLogger5debugEv     undefined __ZNK14QMessageLog03 001000f64e0 4c 8b 75      MOV       R14,qword ptr [RBP + -0x30]d01000f64e4 48 8d 35      LEA       RSI,[s_License_has_expired_100163e44]      = "License has expired"59 d9 06 001000f64eb 48 8d 7d      LEA       RDI,[RBP + -0x20]e01000f64ef ba 13 00      MOV       EDX,0x1300 001000f64f4 e8 0d e9      CALL      __stubs::__ZN7QString15fromUtf8_helperEPK  undefined __ZN7QString15from03 001000f64f9 48 8d 75      LEA       RSI,[RBP + -0x20]e01000f64fd 4c 89 f7      MOV       RDI,R141000f6500 e8 99 e4      CALL      __stubs::__ZN11QTextStreamlsERK7QString    undefined __ZN11QTextStreaml03 001000f6505 48 8b 7d      MOV       RDI,qword ptr [RBP + -0x20]e01000f6509 8b 07         MOV       EAX,dword ptr [RDI]1000f650b 83 f8 ff      CMP       EAX,-0x11000f650e 74 25         JZ        LAB_1000f65351000f6510 85 c0         TEST      EAX,EAX1000f6512 74 12         JZ        LAB_1000f65261000f6514 b8 ff ff      MOV       EAX,0xffffffffff ff1000f6519 f0            LOCK1000f651a 0f c1 07      XADD      dword ptr [RDI],EAX1000f651d 83 f8 01      CMP       EAX,0x11000f6520 75 13         JNZ       LAB_1000f65351000f6522 48 8b 7d      MOV       RDI,qword ptr [RBP + -0x20]e0

C code is below:

void FUN_1000f6460(long lParm1)

{
int iVar1;
long lVar2;
long lVar3;
long lVar4;
ulong uVar5;
ulong uVar6;
ulong uVar7;
undefined4 uStack88;
undefined8 uStack84;
undefined8 uStack76;
undefined4 uStack68;
char *pcStack64;
long lStack56;
undefined auStack48 [8];
int *piStack40;

__ZN9QDateTime18currentDateTimeUtcEv(auStack48);
lVar2 = *(long *)(lParm1 + 0x58);
lVar3 = __ZNK9QDateTime17toMSecsSinceEpochEv(auStack48);
lVar4 = __ZNK9QDateTime17toMSecsSinceEpochEv(lParm1 + 0x30);
uVar5 = (lVar4 – lVar3) + lVar2 * 1000;
if (4999 < (long)uVar5) { uVar6 = (uVar5 >> 0x3f) + uVar5 >> 1;
uVar7 = 0x7fffffff;
if ((long)uVar5 < 0xfffffffe) {
uVar7 = uVar6 & 0xffffffff;
}
__ZN6QTimer11setIntervalEi(lParm1 + 0x88,uVar7,0xfffffffe,uVar6);
__ZN6QTimer5startEv(lParm1 + 0x88);
goto LAB_1000f6590;
}
uStack88 = 2;
uStack68 = 0;
uStack76 = 0;
uStack84 = 0;
pcStack64 = “default”;
__ZNK14QMessageLogger5debugEv(&lStack56,&uStack88);
lVar2 = lStack56;
__ZN7QString15fromUtf8_helperEPKci(&piStack40,”License has expired”,0x13);
__ZN11QTextStreamlsERK7QString(lVar2,&piStack40);
if (piStack40 != -1) { if (piStack40 != 0) {
LOCK();
iVar1 = *piStack40;
*piStack40 = piStack40 + -1; if (iVar1 != 1) goto LAB_1000f6535; } __ZN10QArrayData10deallocateEPS_mm(piStack40,2,8); } LAB_1000f6535: if ((char *)(lStack56 + 0x20) != 0) {
__ZN11QTextStreamlsEc(lStack56,0x20);
}
__ZN6QDebugD1Ev(&lStack56);
FUN_100114240(lParm1);
LAB_1000f6590:
__ZN9QDateTimeD1Ev(auStack48);
return;
}

3. Address 1000f64a4:Change “JG” to “JL”,skip the “License_has_expired” function(You could use byte edit method too)

reference:http://faydoc.tripod.com/cpu/jg.htm

7C cb JL rel8 Jump short if less (SF<>OF)
7F cb JG rel8 Jump short if greater (ZF=0 and SF=OF) 
 1000f64a4 0f 8f b2      JG        LAB_1000f655c00 00 00

Right click this address,choose “Patch Instruction” command to change the code to edit mode.

Change ‘JG’ to ‘JL’,Continue to click ‘Enter’.

The other address in step 1,use the same method to change the jump condition.

4.Export the programme after changed.
Choose the ‘File’ menu,click ‘Export Program…’ command.

Set the export format to ‘Binary’.

Choose the ‘Output file’ path,click ‘ok’ button to complete.

All was done.

转载于:https://www.cnblogs.com/heycomputer/articles/10829291.html

Use Ghidra To Reverse GenyMotion—Suggestion相关推荐

  1. Anroid 逆向工具

    Anroid 逆向工具 静态分析 JEB - The Interactive Android Decompiler. GDA - GGJoy Dex Analysizer(GDA),国内第一款也是唯一 ...

  2. nsa构架_我如何使用NSA的Ghidra解决了一个简单的CrackMe挑战

    nsa构架 by Denis Nuțiu 丹尼斯·努尤(Denis Nuțiu) 我如何使用NSA的Ghidra解决了一个简单的CrackMe挑战 (How I solved a simple Cra ...

  3. picoCTF,Reverse Engineering,逆向类,42/55

    picoCTF,Reverse Engineering,42/55 2019 picoCTF 01.vault-door-training,50分 02.vault-door-1,100分 03.va ...

  4. 206. Reverse Linked List

    Reverse a singly linked list. 反转单链表 C++(9ms):  迭代 1 /** 2 * Definition for singly-linked list. 3 * s ...

  5. LeetCode 7. Reverse Integer

    问题链接 LeetCode 7 题目解析 给定一个32位有符号整数,求其反转数字. 解题思路 如果是简单反转的话,那这道题就太简单了.题目要求判断溢出问题,32位int类型的范围是-214748364 ...

  6. CUDA Samples: approximate image reverse

    以下CUDA sample是分别用C++和CUDA实现的对图像进行某种类似reverse的操作,并对其中使用到的CUDA函数进行了解说,各个文件内容如下: common.hpp: #ifndef FB ...

  7. C++中std::reverse和std::reverse_copy的使用

    std::reverse:反转排序容器内指定范围中的元素. std::reverse_copy与std::reverse唯一的区别是:reverse_copy会将结果拷贝到另外一个容器中,而不影响原容 ...

  8. leetcode Reverse Linked List

    Reverse a singly linked list 对于这种可以修改值的,把值逆序就可以了....用vector存,然后逆序读. 都忘了指针怎么赋值初始化了.*p=&head; 1 /* ...

  9. 启动Genymotion时报错Failed to initialize backend EGL display

    在启动Genymotion的时候报错: video card说的是显卡,你的显卡可能不支持  OpenGL2.0,或者你装的驱动有问题. 解决办法:将驱动重新安装一下. 可直接下载一个如"驱 ...

最新文章

  1. 众测 Nebula Graph | 捉虫计划已开启,这项有礼
  2. python sin_Python sin() 函数
  3. 整理面试中的逻辑思维题
  4. 这届产品经理也太太太太难了吧!
  5. SQL Server表结构和数据导入到MySQL
  6. oracle强制执行计划,OBA技能2-Oracle执行计划顺序表连接
  7. thread_LockSupport
  8. vue 表单 input text
  9. 【转】惹恼程序员的十件事
  10. Java函数replaceAll 的使用
  11. GP数据库锁表如何解锁
  12. 服务器FPM日志出现seems busy (you may need to increase pm.start_servers解决办法
  13. Cocos Creator
  14. ubuntu 18.04安装 vmware 15
  15. windows自带录屏_电脑录屏有哪些快捷键?设置帮助电脑快速录屏
  16. Ubuntu 搜狗拼音安装详细步骤
  17. presto时间转换、时间加减、时间差
  18. 服务器被攻击的几种常见类型
  19. 十八般武艺!移动应用开发者必备的18款利器
  20. 红石电路吧计算机教程,我的世界红石基本逻辑门制作教程

热门文章

  1. 从零开始玩人工智能-人脸 API-03
  2. php 二叉树 与赫夫曼树
  3. winSockets编程(二)socket函数
  4. 价值6.11亿美元的入侵工具无人问津
  5. iOS 关于.tbd与.dylib用法
  6. mysql timeout知多少
  7. 读取pandas修改单列数据类型
  8. Baidu小窥(一)
  9. TCP 三次握手与四次挥手
  10. 希尔排序及C语言实现