
License is still easily circumvented

Open ptrcnull opened this issue 3 years ago • 10 comments

Describe the issue

User can use DevTools and override the return value of function requesting https://api.parsify.app/api/status/ to true.

Device (please complete the following information):

  • OS: Linux
  • Version: 1.9.0

Additional context

Suggested solution: rewrite license check in C/C++ and load it as a native module.

ptrcnull avatar Jan 12 '22 13:01 ptrcnull

@ptrcnull Thanks again for reporting this! I just released version 1.9.1 with the suggestion of yours implemented. Mind checking whether that fixes the issue?

xxczaki avatar Jan 13 '22 14:01 xxczaki

This... doesn't really change anything, provided that the module is named parsify-license and the function it exports is literally named isValid. It's still trivial to locate and patch out.

ptrcnull avatar Jan 13 '22 16:01 ptrcnull

Turns out the current licensing mechanism needs only 6 lines of Python to patch out:

with open("app.asar", "rb+") as file:
    data = file.read()
    start = data.index(b"const i=async")
    length = data[start:].index(b";") + 1
    file.seek(start)
    file.write(b"const i=_=>true" + b" " * (length - 16))

I would consider this a critical issue that needs to be patched as soon as possible.

ptrcnull avatar Jan 15 '22 20:01 ptrcnull

@ptrcnull Right, in 1.9.2 I reverted the failed attempt to patch this. I tried another approach this time - mind taking a look? I uploaded .deb and .AppImage here:

https://wormhole.app/5X0JB#V-nNLsjQe3AHX_2M_AzxMw

Note that there is a high chance nothing will function correctly 😄

xxczaki avatar Jan 16 '22 15:01 xxczaki

It looks like whatever you're using to load .node files actually uses process.dlopen and by analysing the binaries there's one giant string that's present in all of them - sPrj8fKKYUeHPHtinzxG9WUDLJ3ooV7QNjTEhUdspzdpLdbmJw.

By replacing the function that uses dlopen with module.exports.sPrj8fKKYUeHPHtinzxG9WUDLJ3ooV7QNjTEhUdspzdpLdbmJw = _ => true, the checks can still be omitted.

EDIT: also, it looks like the old function that makes the request from JS is still in the code, but unused; not a security vulnerability though

ptrcnull avatar Jan 16 '22 15:01 ptrcnull

I changed the way .node files are imported (don't know if it's better or not though):

https://wormhole.app/4Xoe1#-D7gQ3zBGewJPQIFPwnlpQ

EDIT: also, it looks like the old function that makes the request from JS is still in the code, but unused; not a security vulnerability though

Yeah, forgot to remove it.

xxczaki avatar Jan 16 '22 17:01 xxczaki

Just a nitpick, but you might consider building Linux modules as static, so they work on systems that don't use GNU libc.

ptrcnull avatar Jan 16 '22 17:01 ptrcnull

As for the latest version - it looks better, only thing I could suggest now is certificate pinning.

ptrcnull avatar Jan 17 '22 13:01 ptrcnull

I've made some changes regarding the way the license is validated. However, I still need to think more about how to strengthen the whole thing to be harder to circumvent. Thus, I will leave this issue open for now.

xxczaki avatar Apr 22 '22 18:04 xxczaki

The only change in the previous command to patch the license is the auto-generated variable names; the license check mechanism still hasn't changed in 2.0.0-rc3.

You can try this one: sed -i 's|var t=i(e);return n(t)|return {default:_=>11}|' /opt/Parsify\ Desktop/resources/app.asar

ptrcnull avatar Apr 23 '22 05:04 ptrcnull

sed -i 's/)).valid/))||true/'

...*rolls eyes*

ptrcnull avatar Apr 13 '23 21:04 ptrcnull