Cracking method for IDEA Mybatis Plugin 3 and later (repost)

The cracking method in this article applies to Mybatis Plugin versions after 3.

General idea

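The new version of Mybatis Plugin is obfuscated with zkm, so decompiling no longer shows the implementation directly, which makes cracking much harder.
The general idea of zkm obfuscation is to rearrange the package names and class names of the source code. Strings that were assigned directly in the source classes are, after obfuscation, initialized through static initializer blocks, constructors, and combined calls to other methods. After decompiling, simple modifications to the code can still recover the original strings.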

Tools

  1. procyon-decompiler
  2. A text content search tool; on Unix-like systems the grep command can be used directly
  3. javassist (bytecode modification tool)

Cracking method

Decompiling the jar

java -jar procyon-decompiler-0.5.30.jar -o output/ ~/Desktop/iMybatis-3.154.jar
... (N lines omitted) ...
Decompiling com/s7/mybatis/a/c...
Decompiling com/s7/mybatis/a/d...
Decompiling com/s7/mybatis/a/a...
Decompiling com/s7/mybatis/a/e...
Decompiling com/s7/mybatis/a/f...
Decompiling com/s7/mybatis/a/g...
Decompiling com/s7/mybatis/a/b...
Decompiling com/s7/mybatis/b/h...
Decompiling com/s7/mybatis/b/t...
... (N lines omitted) ...

Finding leads

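Because the plugin's registration goes over the network, you can search the decompiled code for network-related package names and common utility class names.
For example: http, URL, Socket, and so on. Once you find one lead class, the rest is legwork: reading outward from that class is basically enough to work out the registration logic.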

Searching the decompiled text for keywords

grep -R 'http' output
output/com/s7/mybatis/e/ar.java:import org.apache.http.util.EntityUtils;
output/com/s7/mybatis/e/ar.java:import org.apache.http.client.methods.HttpUriRequest;
output/com/s7/mybatis/e/ar.java:import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
output/com/s7/mybatis/e/ar.java:import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
output/com/s7/mybatis/e/ar.java:import org.apache.http.ssl.SSLContextBuilder;
output/com/s7/mybatis/e/ar.java:import org.apache.http.impl.client.HttpClients;
output/com/s7/mybatis/e/ar.java:import org.apache.http.HttpEntity;
output/com/s7/mybatis/e/ar.java:import org.apache.http.entity.StringEntity;
output/com/s7/mybatis/e/ar.java:import org.apache.http.entity.ContentType;
output/com/s7/mybatis/e/ar.java:import org.apache.http.client.config.RequestConfig;
output/com/s7/mybatis/e/ar.java:import org.apache.http.client.methods.HttpPost;
output/com/s7/mybatis/e/ar.java: final HttpPost httpPost = new HttpPost(this.a.b);
output/com/s7/mybatis/e/ar.java: httpPost.setConfig(RequestConfig.custom().setConnectTimeout(20000).setConnectionRequestTimeout(20000).setSocketTimeout(20000).build());
output/com/s7/mybatis/e/ar.java: httpPost.setEntity((HttpEntity)new StringEntity(G.b.a(jsonObject), ContentType.APPLICATION_JSON));
output/com/s7/mybatis/e/ar.java: final String string = EntityUtils.toString(HttpClients.custom().setSSLSocketFactory((LayeredConnectionSocketFactory)new SSLConnectionSocketFactory(new SSLContextBuilder().loadTrustMaterial((KeyStore)null, ar::lambda$execute$0).build())).build().execute((HttpUriRequest)httpPost).getEntity());

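See a hint of a lead here? What remains is to follow this lead class and read the decompiled source to guess the general logic. procyon-decompiler may fail to parse some classes, in which case the common decompilers need to be combined for the analysis.
For example: JD-GUI, Luyten. For details see my other blog post: IDEA Iedis Plugin 2.41 cracking method.
Enough said, here is the final code~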

import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
import javassist.NotFoundException;
import org.junit.Test;

/**
 * Created by fengyiwei on 2017/11/05.
 */
public class CrackMyBatisIdeaPlugin3154 {
    public ClassPool pool = ClassPool.getDefault();

    @Test
    public void test() throws NotFoundException {
        pool.insertClassPath("/Users/fengyiwei/Desktop/iMybatis-3.154.jar");
        CtClass m = pool.get("com.s7.mybatis.e.m");
        CtClass ar = pool.get("com.s7.mybatis.e.ar");
        CtClass h = pool.get("com.s7.mybatis.e.h");
        CtClass S = pool.get("com.s7.mybatis.e.S");
        CtClass an = pool.get("com.s7.mybatis.e.an");
        CtClass ao = pool.get("com.s7.mybatis.e.ao");
        pool.importPackage("com.google.gson.JsonObject;");
        pool.importPackage("com.intellij.openapi.diagnostic.Logger;");
        pool.importPackage("com.intellij.openapi.project.Project;");
        try {
            // productId
            // productVersion
            // sha
            // valid
            CtMethod ct = m.getDeclaredMethod("a", new CtClass[]{pool.get("java.lang.String")});
            ct.setBody("{" +
                    " com.google.gson.JsonObject var3 = new com.google.gson.JsonObject();\n" +
                    " var3.addProperty(\"productId\", Integer.valueOf(1));\n" +
                    " var3.addProperty(\"productVersion\", \"3.154\");\n" +
                    " return true;\n" +
                    " }");
            ct = ar.getDeclaredMethod("a", new CtClass[]{pool.get("com.google.gson.JsonObject")});
            ct.setBody("{" +
                    " com.google.gson.JsonObject v3 = new com.google.gson.JsonObject();\n" +
                    " v3.addProperty(\"valid\", \"true\");\n" +
                    " return v3;\n" +
                    " }");
            ct = h.getDeclaredMethod("onSuccess");
            ct.setBody("{com.s7.mybatis.e.ao.h(\"Success\");}");
            ct = h.getDeclaredMethod("onThrowable");
            ct.setBody("{ }");
            ct = S.getDeclaredMethod("a");
            ct.setBody("{ return com.s7.mybatis.e.ao.g(\"1111111\"); }");
            ct = an.getDeclaredMethod("l");
            ct.setBody("{" +
                    " com.google.gson.JsonObject jsonObject = new com.google.gson.JsonObject();\n" +
                    " jsonObject.addProperty(\"pid\", com.s7.mybatis.e.an.d());\n" +
                    " jsonObject.addProperty(\"userId\", com.s7.mybatis.e.an.e());\n" +
                    " jsonObject.addProperty(\"version\", com.s7.mybatis.e.ac.b());\n" +
                    " return jsonObject;" +
                    " }");
            ct = ao.getDeclaredMethod("d");
            ct.setBody("{" +
                    " com.google.gson.JsonObject jsonObject = com.s7.mybatis.e.an.l();\n" +
                    " jsonObject.addProperty(\"license\", \"Cracked_By_Freeway\");\n" +
                    " return new com.s7.mybatis.e.j(true, \"Freeway\");" +
                    " }");
            ct = ao.getDeclaredMethod("b", new CtClass[]{});
            ct.setBody("{" +
                    " return new com.s7.mybatis.e.ai(false, 365, true, true);" +
                    " }");
            ct = ao.getDeclaredMethod("a", new CtClass[]{});
            ct.setBody("{" +
                    " if (com.s7.mybatis.e.an.c().compareAndSet(false, true)) {\n" +
                    " new Thread(new com.s7.mybatis.e.af()).start();" +
                    " }" +
                    " }");
            m.writeFile("/Users/fengyiwei/Desktop/");
            ar.writeFile("/Users/fengyiwei/Desktop/");
            h.writeFile("/Users/fengyiwei/Desktop/");
            S.writeFile("/Users/fengyiwei/Desktop/");
            an.writeFile("/Users/fengyiwei/Desktop/");
            ao.writeFile("/Users/fengyiwei/Desktop/");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Do not use this for illegal purposes. Reposted from https://www.awei.org/2017/11/08/idea-mybatis-plugin-3-21-po-jie-fang-fa/; thanks to the original author.
