
Asking for advice on modifying the ARM version of PD 18.3

Open nszy007 opened this issue 1 year ago • 2 comments

My current steps are as follows:

1. I have already located the addresses of the two corresponding functions using the x64 patch as a reference.
2. I temporarily commented out the dylib-injection part of the install_parallels.sh script and ran the rest as usual.
3. I wrote a Python script that launches PD, then loops checking whether the process "prl_disp_service" has started; once it has, it uses frida to inject a JS script.
4. In the JS script I tried both hooking the function return values with frida's API and directly overwriting the code at the function entry, but after startup finishes PD still shows as not activated, so the crack fails.

Could someone help me analyze whether there is anything wrong with these steps or this approach? Below is the content of the Python script.

```python
# -*- coding: utf-8 -*-

import frida
import sys
import os
import subprocess

jspath = "hookpd.js"                                             # path to the frida script

def get_javascript(filepath):
    code = ''
    with open(filepath, 'r') as file:
        code = code + file.read()
    return code


# launch the macOS application
os.system('open /Applications/Parallels\ Desktop.app')

# check whether the process name exists
while True:
    process_name = 'prl_disp_service'
    ps_output = subprocess.check_output(['ps', '-A'])
    if bytes(process_name, 'utf-8') in ps_output:
        print(f'{process_name} process is running')
        # attach to the process and run the Frida script
        session = frida.attach(process_name)
        javascript = get_javascript(jspath)
        script = session.create_script(javascript)
        script.load()
        break
    else:
        print(f'{process_name} process is not running')

sys.stdin.read()
```

Below is the content of the JS script:

```javascript
function patchsignchecker(){
    var module = Process.findModuleByName('prl_disp_service');
    var patchaddress = module.base.add(0x5e1000);
    console.log("patchsignchecker is " + patchaddress);
    Memory.patchCode(patchaddress, 8, function (codeAddress) {
        var writer = new Arm64Writer(codeAddress);
        // mov       x0, #0x1
        writer.putInstruction(0x200080D2);
        // ret
        writer.putInstruction(0xC0035FD6);
        writer.flush();
        Memory.dump();
    });
    var size = 32;

    var data = Memory.readByteArray(patchaddress, size);
    console.log(hexdump(data, {
        offset: 0,
        length: size,
        header: true,
        ansi: true
    }));
}

function patchcodesign(){
    var module = Process.findModuleByName('prl_disp_service');
    var patchaddress = module.base.add(0x7b67d4);
    console.log("patchcodesign is " + patchaddress);
    Memory.patchCode(patchaddress, 8, function (codeAddress) {
        var writer = new Arm64Writer(codeAddress);
        // mov       x0, #0x1
        writer.putInstruction(0x200080D2);
        // ret
        writer.putInstruction(0xC0035FD6);
        writer.flush();
    });
    var size = 32;
    var data = Memory.readByteArray(patchaddress, size);
    console.log(hexdump(data, {
        offset: 0,
        length: size,
        header: true,
        ansi: true
    }));
}


function main() {
    patchsignchecker();
    patchcodesign();
}

setImmediate(main, 0);
```

Location of the first patched function: (image)

Location of the second patched function: (image)

nszy007, Jun 06 '23 14:06