Pinpoint 破解

Pinpoint 破解

软件安装

1
2
3
4
5
su ubuntu
cd ~/
chmod +x release-centos-6-x64-2.6.0.6-complete-20210125133037.run
./release-centos-6-x64-2.6.0.6-complete-20210125133037.run

1
pcli

环境配置

1
2
3
4
5
6
7
sudo apt-get install cmake
wget https://github.com/zrax/pycdc/archive/refs/heads/master.zip
unzip master.zip
cd pycdc-master
cmake CMakeLists.txt
make
sudo make install
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[ 82%] Building CXX object CMakeFiles/pycxx.dir/bytes/python_39.cpp.o
[ 85%] Linking CXX static library libpycxx.a
[ 85%] Built target pycxx
Scanning dependencies of target pycdc
[ 87%] Building CXX object CMakeFiles/pycdc.dir/pycdc.cpp.o
[ 90%] Building CXX object CMakeFiles/pycdc.dir/ASTree.cpp.o
[ 92%] Building CXX object CMakeFiles/pycdc.dir/ASTNode.cpp.o
[ 95%] Linking CXX executable pycdc
[ 95%] Built target pycdc
Scanning dependencies of target pycdas
[ 97%] Building CXX object CMakeFiles/pycdas.dir/pycdas.cpp.o
[100%] Linking CXX executable pycdas
[100%] Built target pycdas
➜  pycdc-master sudo make install
[ 85%] Built target pycxx
[ 95%] Built target pycdc
[100%] Built target pycdas
Install the project...
-- Install configuration: ""
-- Installing: /usr/local/bin/pycdas
-- Installing: /usr/local/bin/pycdc
➜  pycdc-master

license文件上传接口:/platform/upload_file

image-20210924161642048

全局搜索Need valid license file无结果。于是搜索upload_file

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
➜  pinpoint find . -type f|xargs grep -a 'upload_file' 2>/dev/null |awk -F ':' '{print $1}'|sort|uniq
./pp-platform/pp_service/celery/celery_tasks.pyc
./pp-platform/report/services/local_reports_manager.pyc
./pp-platform/src/models/pinpoint_task.pyc
./pp-platform/src/views/main_blueprint.pyc
./third-party/Python3.6/lib/python3.6/distutils/command/__pycache__/upload.cpython-36.opt-1.pyc
./third-party/Python3.6/lib/python3.6/distutils/command/__pycache__/upload.cpython-36.opt-2.pyc
./third-party/Python3.6/lib/python3.6/distutils/command/__pycache__/upload.cpython-36.pyc
./third-party/Python3.6/lib/python3.6/distutils/command/upload.py
./third-party/Python3.6/lib/python3.6/site-packages/pip/_vendor/distlib/index.py
./third-party/Python3.6/lib/python3.6/site-packages/pip/_vendor/distlib/__pycache__/index.cpython-36.pyc
./third-party/Python3.6/lib/python3.6/site-packages/setuptools/command/__pycache__/upload_docs.cpython-36.pyc
./third-party/Python3.6/lib/python3.6/site-packages/setuptools/command/upload_docs.py
./third-party/Python3.6/lib/python3.6/site-packages/setuptools/_distutils/command/__pycache__/upload.cpython-36.pyc
./third-party/Python3.6/lib/python3.6/site-packages/setuptools/_distutils/command/upload.py
./web/platform/js/b8fe9eeb4d9ede3e17f8.js

image-20210924162024199

1
uncompyle6 ./pp-platform/src/views/main_blueprint.pyc

image-20210924162124919

1
pycdas ./pp-platform/src/views/main_blueprint.pyc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
[Code]
File Name: /tmp/.cache/pp-platform/1eeee29886d99e482e50f6e68b59916a/install/src/views/main_blueprint.py
Object Name: upload_file
Arg Count: 0
KW Only Arg Count: 0
Locals: 7
Stack Size: 4
Flags: 0x00000013 (CO_OPTIMIZED | CO_NEWLOCALS | CO_NESTED)
[Names]
    'jsonify'
    'HTTPStatus'
    'INTERNAL_SERVER_ERROR'
    'REQUEST_FORMAT_ERR_MSG'
    'request'
    'files'
    'filename'
    'secure_filename'
    '_MainBlueprintManager__platform_manager'
    'tmp_dir'
    'os'
    'path'
    'join'
    'name'
    'isdir'
    'makedirs'
    'save'
    'validate_file'
    'OK'
[Var Names]
    'format_err_res'
    'file'
    'filename'
    'tmp_dir'
    'upload_dir'
    'file_path'
    'res'
[Free Vars]
    'self'
[Cell Vars]
[Constants]
    None
    (
        'code'
        'errmsg'
    )
    'file'
    'upload'
    448
    (
        'mode'
    )
    (
        'code'
        'data'
    )
[Disassembly]
    0       LOAD_GLOBAL             0: jsonify
    2       LOAD_GLOBAL             1: HTTPStatus
    4       LOAD_ATTR               2: INTERNAL_SERVER_ERROR
    6       LOAD_GLOBAL             3: REQUEST_FORMAT_ERR_MSG
    8       LOAD_CONST              1: ('code', 'errmsg')
    10      CALL_FUNCTION_KW        2
    12      STORE_FAST              0: format_err_res
    14      LOAD_CONST              2: 'file'
    16      LOAD_GLOBAL             4: request
    18      LOAD_ATTR               5: files
    20      COMPARE_OP              7 (not in)
    22      POP_JUMP_IF_FALSE       28
    24      LOAD_FAST               0: format_err_res
    26      RETURN_VALUE
    28      LOAD_GLOBAL             4: request
    30      LOAD_ATTR               5: files
    32      LOAD_CONST              2: 'file'
    34      BINARY_SUBSCR
    36      STORE_FAST              1: file
    38      LOAD_FAST               1: file
    40      POP_JUMP_IF_FALSE       158
    42      LOAD_FAST               1: file
    44      LOAD_ATTR               6: filename
    46      POP_JUMP_IF_FALSE       158
    48      LOAD_GLOBAL             7: secure_filename
    50      LOAD_FAST               1: file
    52      LOAD_ATTR               6: filename
    54      CALL_FUNCTION           1
    56      STORE_FAST              2: filename
    58      LOAD_DEREF              0: self
    60      LOAD_ATTR               8: _MainBlueprintManager__platform_manager
    62      LOAD_ATTR               9: tmp_dir
    64      STORE_FAST              3: tmp_dir
    66      LOAD_GLOBAL             10: os
    68      LOAD_ATTR               11: path
    70      LOAD_ATTR               12: join
    72      LOAD_FAST               3: tmp_dir
    74      LOAD_ATTR               13: name
    76      LOAD_CONST              3: 'upload'
    78      CALL_FUNCTION           2
    80      STORE_FAST              4: upload_dir
    82      LOAD_GLOBAL             10: os
    84      LOAD_ATTR               11: path
    86      LOAD_ATTR               14: isdir
    88      LOAD_FAST               4: upload_dir
    90      CALL_FUNCTION           1
    92      POP_JUMP_IF_TRUE        108
    94      LOAD_GLOBAL             10: os
    96      LOAD_ATTR               15: makedirs
    98      LOAD_FAST               4: upload_dir
    100     LOAD_CONST              4: 448
    102     LOAD_CONST              5: ('mode',)
    104     CALL_FUNCTION_KW        2
    106     POP_TOP
    108     LOAD_GLOBAL             10: os
    110     LOAD_ATTR               11: path
    112     LOAD_ATTR               12: join
    114     LOAD_FAST               4: upload_dir
    116     LOAD_FAST               2: filename
    118     CALL_FUNCTION           2
    120     STORE_FAST              5: file_path
    122     LOAD_FAST               1: file
    124     LOAD_ATTR               16: save
    126     LOAD_FAST               5: file_path
    128     CALL_FUNCTION           1
    130     POP_TOP
    132     LOAD_DEREF              0: self
    134     LOAD_ATTR               8: _MainBlueprintManager__platform_manager
    136     LOAD_ATTR               17: validate_file
    138     LOAD_FAST               5: file_path
    140     CALL_FUNCTION           1
    142     STORE_FAST              6: res
    144     LOAD_GLOBAL             0: jsonify
    146     LOAD_GLOBAL             1: HTTPStatus
    148     LOAD_ATTR               18: OK
    150     LOAD_FAST               6: res
    152     LOAD_CONST              6: ('code', 'data')
    154     CALL_FUNCTION_KW        2
    156     RETURN_VALUE
    158     LOAD_FAST               0: format_err_res
    160     RETURN_VALUE
    162     LOAD_CONST              0: None
    164     RETURN_VALUE
'MainBlueprintManager.define_license_manager_routes.<locals>.upload_file'

upload_file会调用_MainBlueprintManager__platform_manager.validate_file()

validate_file定义在文件./pp-platform/src/services/pp_platform_manager.pyc中,同样无法使用uncompyle6反编译。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
[Code]
File Name: /tmp/.cache/pp-platform/1eeee29886d99e482e50f6e68b59916a/install/src/services/pp_platform_manager.py
Object Name: validate_file
Arg Count: 1
KW Only Arg Count: 0
Locals: 10
Stack Size: 17
Flags: 0x00000043 (CO_OPTIMIZED | CO_NEWLOCALS | CO_NOFREE)
[Names]
    'get_os_buf_limit'
    'pp_service.consts'
    'm'
    'join'
    'os'
    'path'
    'PP_DATA_PATH'
    'isfile'
    'shutil'
    'move'
    'Path'
    'PLATFORM_APP_ROOT_PATH'
    'exists'
    'copy'
    'str'
    'OSError'
    'logger'
    'exception'
    'remove'
[Var Names]
    'file_path'
    'l'
    '_'
    'm'
    'msg'
    'flag'
    'new_path'
    'static_download_dir'
    'download_file'
    'e'
[Free Vars]
[Cell Vars]
[Constants]
    None
    0
    (
        'm'
    )
    ''
    False
    [Code]
        File Name: /tmp/.cache/pp-platform/1eeee29886d99e482e50f6e68b59916a/install/src/services/pp_platform_manager.py
        Object Name: <listcomp>
        Arg Count: 1
        KW Only Arg Count: 0
        Locals: 2
        Stack Size: 4
        Flags: 0x00000053 (CO_OPTIMIZED | CO_NEWLOCALS | CO_NESTED | CO_NOFREE)
        [Names]
            'chr'
        [Var Names]
            '.0'
            'c'
        [Free Vars]
        [Cell Vars]
        [Constants]
        [Disassembly]
            0       BUILD_LIST              0
            2       LOAD_FAST               0: .0
            4       FOR_ITER                12 (to 18)
            6       STORE_FAST              1: c
            8       LOAD_GLOBAL             0: chr
            10      LOAD_FAST               1: c
            12      CALL_FUNCTION           1
            14      LIST_APPEND             2
            16      JUMP_ABSOLUTE           4
            18      RETURN_VALUE
    'PPPlatformManager.validate_file.<locals>.<listcomp>'
    [Code]
        File Name: /tmp/.cache/pp-platform/1eeee29886d99e482e50f6e68b59916a/install/src/services/pp_platform_manager.py
        Object Name: <listcomp>
        Arg Count: 1
        KW Only Arg Count: 0
        Locals: 2
        Stack Size: 4
        Flags: 0x00000053 (CO_OPTIMIZED | CO_NEWLOCALS | CO_NESTED | CO_NOFREE)
        [Names]
            'chr'
        [Var Names]
            '.0'
            'c'
        [Free Vars]
        [Cell Vars]
        [Constants]
        [Disassembly]
            0       BUILD_LIST              0
            2       LOAD_FAST               0: .0
            4       FOR_ITER                12 (to 18)
            6       STORE_FAST              1: c
            8       LOAD_GLOBAL             0: chr
            10      LOAD_FAST               1: c
            12      CALL_FUNCTION           1
            14      LIST_APPEND             2
            16      JUMP_ABSOLUTE           4
            18      RETURN_VALUE
    1
    True
    [Code]
        File Name: /tmp/.cache/pp-platform/1eeee29886d99e482e50f6e68b59916a/install/src/services/pp_platform_manager.py
        Object Name: <listcomp>
        Arg Count: 1
        KW Only Arg Count: 0
        Locals: 2
        Stack Size: 4
        Flags: 0x00000053 (CO_OPTIMIZED | CO_NEWLOCALS | CO_NESTED | CO_NOFREE)
        [Names]
            'chr'
        [Var Names]
            '.0'
            'c'
        [Free Vars]
        [Cell Vars]
        [Constants]
        [Disassembly]
            0       BUILD_LIST              0
            2       LOAD_FAST               0: .0
            4       FOR_ITER                12 (to 18)
            6       STORE_FAST              1: c
            8       LOAD_GLOBAL             0: chr
            10      LOAD_FAST               1: c
            12      CALL_FUNCTION           1
            14      LIST_APPEND             2
            16      JUMP_ABSOLUTE           4
            18      RETURN_VALUE
    4
    '.bak'
    'pp_service'
    'jobs'
    'nginx_static'
    'download'
    [Code]
        File Name: /tmp/.cache/pp-platform/1eeee29886d99e482e50f6e68b59916a/install/src/services/pp_platform_manager.py
        Object Name: <listcomp>
        Arg Count: 1
        KW Only Arg Count: 0
        Locals: 2
        Stack Size: 4
        Flags: 0x00000053 (CO_OPTIMIZED | CO_NEWLOCALS | CO_NESTED | CO_NOFREE)
        [Names]
            'chr'
        [Var Names]
            '.0'
            'c'
        [Free Vars]
        [Cell Vars]
        [Constants]
        [Disassembly]
            0       BUILD_LIST              0
            2       LOAD_FAST               0: .0
            4       FOR_ITER                12 (to 18)
            6       STORE_FAST              1: c
            8       LOAD_GLOBAL             0: chr
            10      LOAD_FAST               1: c
            12      CALL_FUNCTION           1
            14      LIST_APPEND             2
            16      JUMP_ABSOLUTE           4
            18      RETURN_VALUE
    (
        'flag'
        'msg'
    )
[Disassembly]
    0       LOAD_GLOBAL             0: get_os_buf_limit
    2       LOAD_FAST               0: file_path
    4       CALL_FUNCTION           1
    6       UNPACK_SEQUENCE         2
    8       STORE_FAST              1: l
    10      STORE_FAST              2: _
    12      LOAD_CONST              1: 0
    14      LOAD_CONST              2: ('m',)
    16      IMPORT_NAME             1: pp_service.consts
    18      IMPORT_FROM             2: m
    20      STORE_FAST              3: m
    22      POP_TOP
    24      LOAD_CONST              3: ''
    26      STORE_FAST              4: msg
    28      LOAD_CONST              4: False
    30      STORE_FAST              5: flag
    32      LOAD_FAST               1: l
    34      LOAD_CONST              4: False
    36      COMPARE_OP              8 (is)
    38      POP_JUMP_IF_FALSE       66
    40      LOAD_CONST              3: ''
    42      LOAD_ATTR               3: join
    44      LOAD_CONST              5: <CODE> <listcomp>
    46      LOAD_CONST              6: 'PPPlatformManager.validate_file.<locals>.<listcomp>'
    48      MAKE_FUNCTION           0
    50      LOAD_FAST               3: m
    52      LOAD_CONST              1: 0
    54      BINARY_SUBSCR
    56      GET_ITER
    58      CALL_FUNCTION           1
    60      CALL_FUNCTION           1
    62      STORE_FAST              4: msg
    64      JUMP_FORWARD            38 (to 104)
    66      LOAD_FAST               1: l
    68      LOAD_CONST              0: None
    70      COMPARE_OP              8 (is)
    72      POP_JUMP_IF_FALSE       100
    74      LOAD_CONST              3: ''
    76      LOAD_ATTR               3: join
    78      LOAD_CONST              7: <CODE> <listcomp>
    80      LOAD_CONST              6: 'PPPlatformManager.validate_file.<locals>.<listcomp>'
    82      MAKE_FUNCTION           0
    84      LOAD_FAST               3: m
    86      LOAD_CONST              8: 1
    88      BINARY_SUBSCR
    90      GET_ITER
    92      CALL_FUNCTION           1
    94      CALL_FUNCTION           1
    96      STORE_FAST              4: msg
    98      JUMP_FORWARD            4 (to 104)
    100     LOAD_CONST              9: True
    102     STORE_FAST              5: flag
    104     LOAD_FAST               5: flag
    106     POP_JUMP_IF_FALSE       312
    110     LOAD_GLOBAL             4: os
    112     LOAD_ATTR               5: path
    114     LOAD_ATTR               3: join
    116     LOAD_GLOBAL             6: PP_DATA_PATH
    118     LOAD_CONST              3: ''
    120     LOAD_ATTR               3: join
    122     LOAD_CONST              10: <CODE> <listcomp>
    124     LOAD_CONST              6: 'PPPlatformManager.validate_file.<locals>.<listcomp>'
    126     MAKE_FUNCTION           0
    128     LOAD_FAST               3: m
    130     LOAD_CONST              11: 4
    132     BINARY_SUBSCR
    134     GET_ITER
    136     CALL_FUNCTION           1
    138     CALL_FUNCTION           1
    140     CALL_FUNCTION           2
    142     STORE_FAST              6: new_path
    144     LOAD_GLOBAL             4: os
    146     LOAD_ATTR               5: path
    148     LOAD_ATTR               7: isfile
    150     LOAD_FAST               6: new_path
    152     CALL_FUNCTION           1
    154     POP_JUMP_IF_FALSE       174
    156     LOAD_GLOBAL             8: shutil
    158     LOAD_ATTR               9: move
    160     LOAD_FAST               6: new_path
    162     LOAD_FAST               6: new_path
    164     FORMAT_VALUE            0
    166     LOAD_CONST              12: '.bak'
    168     BUILD_STRING            2
    170     CALL_FUNCTION           2
    172     POP_TOP
    174     LOAD_GLOBAL             8: shutil
    176     LOAD_ATTR               9: move
    178     LOAD_FAST               0: file_path
    180     LOAD_FAST               6: new_path
    182     CALL_FUNCTION           2
    184     POP_TOP
    186     LOAD_GLOBAL             10: Path
    188     LOAD_GLOBAL             11: PLATFORM_APP_ROOT_PATH
    190     LOAD_CONST              13: 'pp_service'
    192     LOAD_CONST              14: 'jobs'
    194     LOAD_CONST              15: 'nginx_static'
    196     LOAD_CONST              16: 'download'
    198     CALL_FUNCTION           5
    200     STORE_FAST              7: static_download_dir
    202     LOAD_GLOBAL             10: Path
    204     LOAD_FAST               7: static_download_dir
    206     LOAD_CONST              3: ''
    208     LOAD_ATTR               3: join
    210     LOAD_CONST              17: <CODE> <listcomp>
    212     LOAD_CONST              6: 'PPPlatformManager.validate_file.<locals>.<listcomp>'
    214     MAKE_FUNCTION           0
    216     LOAD_FAST               3: m
    218     LOAD_CONST              11: 4
    220     BINARY_SUBSCR
    222     GET_ITER
    224     CALL_FUNCTION           1
    226     CALL_FUNCTION           1
    228     CALL_FUNCTION           2
    230     STORE_FAST              8: download_file
    232     LOAD_FAST               8: download_file
    234     LOAD_ATTR               12: exists
    236     CALL_FUNCTION           0
    238     POP_JUMP_IF_FALSE       322
    242     SETUP_EXCEPT            20 (to 264)
    244     LOAD_GLOBAL             8: shutil
    246     LOAD_ATTR               13: copy
    248     LOAD_FAST               6: new_path
    250     LOAD_GLOBAL             14: str
    252     LOAD_FAST               8: download_file
    254     CALL_FUNCTION           1
    256     CALL_FUNCTION           2
    258     POP_TOP
    260     POP_BLOCK
    262     JUMP_FORWARD            46 (to 310)
    264     DUP_TOP
    266     LOAD_GLOBAL             15: OSError
    268     COMPARE_OP              10 (<EXCEPTION MATCH>)
    270     POP_JUMP_IF_FALSE       308
    274     POP_TOP
    276     STORE_FAST              9: e
    278     POP_TOP
    280     SETUP_FINALLY           16 (to 298)
    282     LOAD_GLOBAL             16: logger
    284     LOAD_ATTR               17: exception
    286     LOAD_FAST               9: e
    288     CALL_FUNCTION           1
    290     POP_TOP
    292     POP_BLOCK
    294     POP_EXCEPT
    296     LOAD_CONST              0: None
    298     LOAD_CONST              0: None
    300     STORE_FAST              9: e
    302     DELETE_FAST             9: e
    304     END_FINALLY
    306     JUMP_FORWARD            2 (to 310)
    308     END_FINALLY
    310     JUMP_FORWARD            10 (to 322)
    312     LOAD_GLOBAL             4: os
    314     LOAD_ATTR               18: remove
    316     LOAD_FAST               0: file_path
    318     CALL_FUNCTION           1
    320     POP_TOP
    322     LOAD_FAST               5: flag
    324     LOAD_FAST               4: msg
    326     LOAD_CONST              18: ('flag', 'msg')
    328     BUILD_CONST_KEY_MAP     2
    330     RETURN_VALUE

关键函数get_os_buf_limit,仅看这个函数名并不能猜测它的功能。

这个函数在文件./pp-platform/pp_service/utils.pyc中定义,这个文件居然可以用uncompyle6反编译成功。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
def get_os_buf_limit(env=None):
    from pp_service.consts import m
    RES_LEN = 9
    ERROR_RES = (None, [None] * RES_LEN)
    if windows:
        return ERROR_RES
    else:
        if env is None:
            from common.consts import PP_DATA_PATH
            p = os.path.join(PP_DATA_PATH, '*') + ''.join([chr(c) for c in m[2]])
            os_env = glob.glob(p)
            if os_env:
                env = os_env[0]
            else:
                return ERROR_RES
        so = os.path.join(PP_ROOT_PATH, 'lib', 'libdhl.so')
        r = []
        lib = None
        try:
            try:
                lib = ctypes.cdll.LoadLibrary(so)
                if not os.path.isfile(env):
                    return ERROR_RES
                result = ctypes.c_uint16(1)
                result_p = ctypes.c_void_p(ctypes.addressof(result))
                ret = lib.get_attribute(ctypes.c_char_p(env.encode(encoding=PREFERRED_ENCODING, errors='surrogateescape')), 0, result_p, 2)
                if ret == 0:
                    r.append(result.value)
                else:
                    r.append(None)
                ret = lib.cs(env.encode(encoding=PREFERRED_ENCODING, errors='surrogateescape'))
                if ret != 1:
                    return ERROR_RES
                default_size = 10001603
                tmp_size1 = ctypes.c_ulonglong(lib.f_1(env.encode(encoding=PREFERRED_ENCODING, errors='surrogateescape'))).value
                r.append(None)
                tmp_size2 = ctypes.c_ulonglong(lib.f_2(env.encode(encoding=PREFERRED_ENCODING, errors='surrogateescape'))).value
                r.append(False)
                for i in (1, 3, 4, 5, 6, 7):
                    result = ctypes.create_string_buffer(1024)
                    ret = lib.get_attribute(ctypes.c_char_p(env.encode(encoding=PREFERRED_ENCODING, errors='surrogateescape')), i, result, len(result))
                    if ret == 0:
                        r.append(result.value.decode())
                    else:
                        r.append(None)

                tmp_size3 = ctypes.c_ulonglong(lib.f_3(env.encode(encoding=PREFERRED_ENCODING, errors='surrogateescape'))).value
                r_len = len(r)
                if len(r) < RES_LEN:
                    r.extend([None] * (RES_LEN - r_len))
                tmp_size4 = ctypes.c_ulonglong(lib.f_4(env.encode(encoding=PREFERRED_ENCODING, errors='surrogateescape'))).value
                tmp_size5 = ctypes.c_ulonglong(lib.f_5(env.encode(encoding=PREFERRED_ENCODING, errors='surrogateescape'))).value
                tmp_size6 = ctypes.c_ulonglong(lib.f_6(env.encode(encoding=PREFERRED_ENCODING, errors='surrogateescape'))).value
                if all(size == default_size for size in (tmp_size1, tmp_size2, tmp_size3, tmp_size4, tmp_size5, tmp_size6)):
                    r[2] = True
                else:
                    r[2] = None
                if not r[2]:
                    return (
                     None, r)
            except Exception as e:
                if DEBUG:
                    raise e
                return ERROR_RES

        finally:
            if lib:
                try:
                    libdl = ctypes.cdll.LoadLibrary('libdl.so.2')
                    libdl.dlclose(ctypes.c_void_p(lib._handle))
                    del lib
                except Exception:
                    pass

        return (
         True, r)

实际上是调用了so中的函数。env就是license文件的路径。

1
2
3
4
5
6
7
8
if env is None:
    from common.consts import PP_DATA_PATH
    p = os.path.join(PP_DATA_PATH, '*') + ''.join([chr(c) for c in m[2]])
    os_env = glob.glob(p)
    if os_env:
        env = os_env[0]
    else:
        return ERROR_RES

根据这段代码发现开发者将关键字符串都进行了转换,保存在consts,使用时需要转码。

1
2
3
4
5
6
7
8
# ./pp-platform/pp_service/consts.pyc
m = [
    [ 84, 104, 101, 32, 108, 105, 99, 101, 110, 115, 101, 32, 102, 105, 108, 101, 32, 105, 115, 32, 101, 120, 112, 105, 114, 101, 100], 
    [ 78, 101, 101, 100, 32, 118, 97, 108, 105, 100, 32, 108, 105, 99, 101, 110, 115, 101, 32, 102, 105, 108, 101], 
    [ 46, 108, 105, 99], 
    [ 37, 89, 45, 37, 109, 45, 37, 100], 
    [ 115, 98, 114, 101, 108, 108, 97, 46, 108, 105, 99]
]

image-20210924164525015

Patch urils.py 实现破解:

1
2
def get_os_buf_limit(env=None):
    return (True, [1024, None, True, '20990101235959', 'enterprise', '123456@qq.com', 'TEST', 'TEST', 'TEST'])

image-20210924165723001

解决uncompyle6反编译失败

image-20210926104621987

1
Parse error at or near `STORE_ANNOTATION' instruction at offset 484

根据报错信息可以确定是在反编译STORE_ANNOTATION指令时发生错误。

Python3.6.3指令表(Python-3.6.3/Include/opcode.h):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
/* Instruction opcodes for compiled code */
#define POP_TOP                   1
#define ROT_TWO                   2
#define ROT_THREE                 3
#define DUP_TOP                   4
#define DUP_TOP_TWO               5
#define NOP                       9
#define UNARY_POSITIVE           10
#define UNARY_NEGATIVE           11
#define UNARY_NOT                12
#define UNARY_INVERT             15
#define BINARY_MATRIX_MULTIPLY   16
#define INPLACE_MATRIX_MULTIPLY  17
#define BINARY_POWER             19
#define BINARY_MULTIPLY          20
#define BINARY_MODULO            22
#define BINARY_ADD               23
#define BINARY_SUBTRACT          24
#define BINARY_SUBSCR            25
#define BINARY_FLOOR_DIVIDE      26
#define BINARY_TRUE_DIVIDE       27
#define INPLACE_FLOOR_DIVIDE     28
#define INPLACE_TRUE_DIVIDE      29
#define GET_AITER                50
#define GET_ANEXT                51
#define BEFORE_ASYNC_WITH        52
#define INPLACE_ADD              55
#define INPLACE_SUBTRACT         56
#define INPLACE_MULTIPLY         57
#define INPLACE_MODULO           59
#define STORE_SUBSCR             60
#define DELETE_SUBSCR            61
#define BINARY_LSHIFT            62
#define BINARY_RSHIFT            63
#define BINARY_AND               64
#define BINARY_XOR               65
#define BINARY_OR                66
#define INPLACE_POWER            67
#define GET_ITER                 68
#define GET_YIELD_FROM_ITER      69
#define PRINT_EXPR               70
#define LOAD_BUILD_CLASS         71
#define YIELD_FROM               72
#define GET_AWAITABLE            73
#define INPLACE_LSHIFT           75
#define INPLACE_RSHIFT           76
#define INPLACE_AND              77
#define INPLACE_XOR              78
#define INPLACE_OR               79
#define BREAK_LOOP               80
#define WITH_CLEANUP_START       81
#define WITH_CLEANUP_FINISH      82
#define RETURN_VALUE             83
#define IMPORT_STAR              84
#define SETUP_ANNOTATIONS        85
#define YIELD_VALUE              86
#define POP_BLOCK                87
#define END_FINALLY              88
#define POP_EXCEPT               89
#define HAVE_ARGUMENT            90
#define STORE_NAME               90
#define DELETE_NAME              91
#define UNPACK_SEQUENCE          92
#define FOR_ITER                 93
#define UNPACK_EX                94
#define STORE_ATTR               95
#define DELETE_ATTR              96
#define STORE_GLOBAL             97
#define DELETE_GLOBAL            98
#define LOAD_CONST              100
#define LOAD_NAME               101
#define BUILD_TUPLE             102
#define BUILD_LIST              103
#define BUILD_SET               104
#define BUILD_MAP               105
#define LOAD_ATTR               106
#define COMPARE_OP              107
#define IMPORT_NAME             108
#define IMPORT_FROM             109
#define JUMP_FORWARD            110
#define JUMP_IF_FALSE_OR_POP    111
#define JUMP_FORWARD            110
#define JUMP_IF_FALSE_OR_POP    111
#define JUMP_IF_TRUE_OR_POP     112
#define JUMP_ABSOLUTE           113
#define POP_JUMP_IF_FALSE       114
#define POP_JUMP_IF_TRUE        115
#define LOAD_GLOBAL             116
#define CONTINUE_LOOP           119
#define SETUP_LOOP              120
#define SETUP_EXCEPT            121
#define SETUP_FINALLY           122
#define LOAD_FAST               124
#define STORE_FAST              125
#define DELETE_FAST             126
#define STORE_ANNOTATION        127
#define RAISE_VARARGS           130
#define CALL_FUNCTION           131
#define MAKE_FUNCTION           132
#define BUILD_SLICE             133
#define LOAD_CLOSURE            135
#define LOAD_DEREF              136
#define STORE_DEREF             137
#define DELETE_DEREF            138
#define CALL_FUNCTION_KW        141
#define CALL_FUNCTION_EX        142
#define SETUP_WITH              143
#define EXTENDED_ARG            144
#define LIST_APPEND             145
#define SET_ADD                 146
#define MAP_ADD                 147
#define LOAD_CLASSDEREF         148
#define BUILD_LIST_UNPACK       149
#define BUILD_MAP_UNPACK        150
#define BUILD_MAP_UNPACK_WITH_CALL 151
#define BUILD_TUPLE_UNPACK      152
#define BUILD_SET_UNPACK        153
#define SETUP_ASYNC_WITH        154
#define FORMAT_VALUE            155
#define BUILD_CONST_KEY_MAP     156
#define BUILD_STRING            157
#define BUILD_TUPLE_UNPACK_WITH_CALL 158

根据指令序列,可以定位到STORE_ANNOTATION指令的位置。

1
2
3
STORE_ANNOTATION 127 0x7f
LOAD_ATTR 106 0x6a
LOAD_NAME 101 0x65

image-20210926105735402

尝试将0x7f替换成其他指令后(如0x01),反编译成功。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
def define_license_manager_routes(self):
    @self.blueprint.route('/upload_file', methods=['POST'])
    @login_access
    def upload_file():
        format_err_res = jsonify(code=(HTTPStatus.INTERNAL_SERVER_ERROR), errmsg=REQUEST_FORMAT_ERR_MSG)
        if 'file' not in request.files:
            return format_err_res
        else:
            file = request.files['file']
            if file:
                if file.filename:
                    filename = secure_filename(file.filename)
                    tmp_dir = self._MainBlueprintManager__platform_manager.tmp_dir
                    upload_dir = os.path.join(tmp_dir.name, 'upload')
                    if not os.path.isdir(upload_dir):
                        os.makedirs(upload_dir, mode=448)
                    file_path = os.path.join(upload_dir, filename)
                    file.save(file_path)
                    res = self._MainBlueprintManager__platform_manager.validate_file(file_path)
                    return jsonify(code=(HTTPStatus.OK), data=res)
            return format_err_res
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# 
from pp_service.utils import get_os_buf_limit

@staticmethod
def validate_file(file_path):
    l, _ = get_os_buf_limit(file_path)
    from pp_service.consts import m
    msg = ''
    flag = False
    if l is False:
        msg = ''.join([chr(c) for c in m[0]])
    else:
        if l is None:
            msg = ''.join([chr(c) for c in m[1]])
        else:
            flag = True
        if flag:
            new_path = os.path.join(PP_DATA_PATH, ''.join([chr(c) for c in m[4]]))
            if os.path.isfile(new_path):
                shutil.move(new_path, f"{new_path}.bak")
        else:
            shutil.move(file_path, new_path)
            static_download_dir = Path(PLATFORM_APP_ROOT_PATH, 'pp_service', 'jobs', 'nginx_static', 'download')
            download_file = Path(static_download_dir, ''.join([chr(c) for c in m[4]]))
            if download_file.exists():
                try:
                    shutil.copy(new_path, str(download_file))
                except OSError as e:
                    logger.exception(e)

            else:
                os.remove(file_path)
    return {'flag':flag, 'msg':msg}

除了utils.pyc, 还有一个jar文件(~/pinpoint/cafedragon/lib/cafedragon_tools_deploy.jar)中也有校验license文件的代码。

image-20220620160616519

1
2
3
4
5
6
7
8
9
10
11
12
13
14
package com.sbrella.cafedragon.tools;

...

public class Cafec {
  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
  
  public static void main(String[] paramArrayOfString) {
    if (!aj.bB()) {
      ((FluentLogger.Api)logger.atSevere()).log("Invalid license, exiting.");
      System.exit(1);
    } 
    ....
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
package com.sbrella.cafedragon;

import com.sbrella.Installer;
import dhl.Utilities;
import java.util.concurrent.ThreadLocalRandom;
import org.bytedeco.javacpp.LLVM;

public class aj {
  public static synchronized boolean bB() {
    try {
      String str = (new Installer()).SelectLicensePath();
      return (Utilities.f_1(str) == 10001603L && 
        Utilities.f_2(str) == 10001603L && 
        Utilities.f_3(str) == 10001603L && 
        Utilities.f_4(str) == 10001603L && 
        Utilities.f_5(str) == 10001603L && 
        Utilities.f_6(str) == 10001603L);
    } catch (Exception exception) {
      return false;
    } 
  }
  
  public static synchronized void bC() {
    try {
      String str = (new Installer()).GetLicensePath();
      boolean bool = (Utilities.is_valid(str) && Utilities.check_timestamp(str)) ? true : false;
      if (!bool)
        LLVM.LLVMExcited(); 
    } catch (Exception exception) {
      LLVM.LLVMExcited();
    } 
  }
  
  public static synchronized void bD() {
    ThreadLocalRandom threadLocalRandom = ThreadLocalRandom.current();
    if (threadLocalRandom.nextInt() % 2 == 0) {
      bE();
      return;
    } 
    bC();
  }
  
  public static void bE() {}
}

破解

方法一

在有一个许可证的情况下,修改系统时间,无限试用。

1
2
timedatectl set-ntp false
date -s "20210925 16:00:50"

方法二

Patch utils.pyccafedragon_tools_deploy.jar

image-20220620155100354

1
2
3
4
5
6
rm -f ~/pinpoint/pp-platform/pp_service/utils.pyc
rm -f ~/pinpoint/cafedragon/lib/cafedragon_tools_deploy.jar

wget https://static-1256168285.cos.ap-chengdu.myqcloud.com/utils.py -O ~/pinpoint/pp-platform/pp_service/utils.py
wget https://static-1256168285.cos.ap-chengdu.myqcloud.com/cafedragon_tools_deploy.jar -O ~/pinpoint/cafedragon/lib/cafedragon_tools_deploy.jar