Downie 4 (Activation Without Patching)


For learning purposes only. If there is any problem, let me know and it will be removed.

As usual, searching for keywords such as license and activate reveals the following call chain:

Downie4→./Frameworks/Licensing.framework/Versions/A/Licensing→./Frameworks/Paddle.framework/Versions/A/Paddle

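Activation is handled by the Paddle framework. Following the method used earlier to crack Slidepad, the return values of these two functions

__ZN50Mbo2vpZRt70hoVLvg82RPKlyFkAbc42qmI9cr1Ijdl3az21uFs50zAHVUIXt181HCSHHi4ZdpRtuulbrXCoxOrIjMpLODxEbm3430iEv

__ZN50Mbo2vpZRt70hoVLvg82RPKlyFkAbc42qmI9cr1Ijdl3az21uFs50ws2sBh2azITg3jJVgjLkLNxIq37v5veSWtlTYJdNNB1ZIAdzxCEv

were set to 1, after which the application crashed at run time.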

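A change of approach: many applications use Paddle as their activation framework, so is there a generic cracking method? A search turned up this post: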

https://www.chinapyg.com/thread-82491-1-1.html

The post does not describe the cracking approach, but it does offer a starting point: the Paddle documentation.

https://developer.paddle.com/reference/5e80fcd84c35b-mac-sdk-setup

// Your Paddle SDK Config from the Vendor Dashboard
NSString *myPaddleVendorID = @"12345";
NSString *myPaddleProductID = @"678910";
NSString *myPaddleAPIKey = @"1234abc5678defg";

// Default Product Config in case we're unable to reach our servers on first run
PADProductConfiguration *defaultProductConfig = [[PADProductConfiguration alloc] init];
defaultProductConfig.productName = @"My v4 Product";
defaultProductConfig.vendorName = @"My Company";

// Initialize the SDK singleton with the config
Paddle *paddle = [Paddle sharedInstanceWithVendorID:myPaddleVendorID
                                             apiKey:myPaddleAPIKey
                                          productID:myPaddleProductID
                                      configuration:defaultProductConfig
                                           delegate:nil];

// Initialize the Product you'd like to work with
PADProduct *paddleProduct = [[PADProduct alloc] initWithProductID:myPaddleProductID
                                                      productType:PADProductTypeSDKProduct
                                                    configuration:defaultProductConfig];

// Ask the Product to get its latest state and info from the Paddle Platform

Initializing Paddle requires a vendorid, productid and apikey.

// Create the Product we want to work with
PADProduct *paddleProduct = [[PADProduct alloc] initWithProductID:@"12345"
                                                      productType:PADProductTypeSDKProduct
                                                    configuration:nil];

// Refresh to ensure we've got up to date information locally for the product
// Remote values will supersede local
[paddleProduct refresh:^(NSDictionary * _Nullable productDelta, NSError * _Nullable error) {
    [paddle showProductAccessDialogWithProduct:paddleProduct];
}];

Only an interface for showing the activation window is provided.

So capture the traffic and analyze it directly:

https://v3.paddleapi.com/3.2/license/activate

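The request contains the email and license_key that were entered, along with the vendorid that Paddle uses at initialization, as described above. In addition, application_identifier and api_key have different values for different applications.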


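When a wrong license_key is entered, the endpoint returns an error message. What is needed now is a valid license that returns a successful activation response. I happened to have bought another application that uses Paddle, so I tried that license_key and got the following response: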


Change product_id to the productid of the software you want to activate, then replace the activate response with the data above to activate it.

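Activation procedure:

  • Install Downie 4
  • Open the activation window and enter an email address and a license, for example "AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA"
  • Capture the traffic and replace the response of the endpoint https://v3.paddleapi.com/3.2/license/activate with the following content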
    {
      "success": true,
      "response": {
        "activation_id": "4570000", // arbitrary
        "user_id": "49430000", // arbitrary
        "expires": false,
        "expiry_date": null,
        "product_id": "583749", // must be the product's ID
        "type": "activation_license",
        "allowed_uses": "3",
        "times_used": "1"
      }
    }
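
The substitution above works because the client accepts whatever JSON arrives for the activate call. As an added example (not from the original post and not Paddle's code), here is a client-side check that rejects such a reply unless a vendor signature covers the exact bytes received and the signed body names this product and this request. The detached Ed25519 signature, the nonce field and every name and value here are assumptions for illustration; the nonce check goes beyond the case in the text by also rejecting a captured genuine reply.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Activation holds fields from the reply shown on this page, plus a
// hypothetical nonce that the server would echo back from the request.
type Activation struct {
	ProductID string `json:"product_id"`
	Type      string `json:"type"`
	Nonce     string `json:"nonce"`
}

// VerifyActivation checks the signature over the raw body first, then the
// product and request binding inside the signed body.
func VerifyActivation(pub ed25519.PublicKey, body, sig []byte, productID, nonce string) (*Activation, error) {
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature does not cover this body")
	}
	var a Activation
	if err := json.Unmarshal(body, &a); err != nil {
		return nil, err
	}
	if a.ProductID != productID {
		return nil, errors.New("reply issued for a different product")
	}
	if a.Nonce != nonce {
		return nil, errors.New("reply does not answer this request")
	}
	return &a, nil
}

// Demo feeds constructed replies through the check: a genuine one, one whose
// product_id was edited after signing, and a genuine one replayed later.
func Demo() (genuine, edited, replayed error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair standing in for the vendor's
	body := []byte(`{"product_id":"111111","type":"activation_license","nonce":"n-1"}`)
	sig := ed25519.Sign(priv, body)
	_, genuine = VerifyActivation(pub, body, sig, "111111", "n-1")
	tampered := []byte(`{"product_id":"222222","type":"activation_license","nonce":"n-1"}`)
	_, edited = VerifyActivation(pub, tampered, sig, "222222", "n-1")
	_, replayed = VerifyActivation(pub, body, sig, "111111", "n-2")
	return
}

func main() {
	g, e, r := Demo()
	fmt.Println("genuine:", g, "| edited:", e, "| replayed:", r)
}
```

Verification has to run over the raw bytes as received; re-serializing the parsed JSON before checking would change the signed input.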